Other Tools

# Plink (PuTTY command-line SSH client): remote port forwarding from a Windows pivot.
# The attacker's SSH server listens on 445 and forwards it to 127.0.0.1:445 on the pivot.
plink.exe -l root -R 445:127.0.0.1:445 YOURIPADDRESS

Ncat

# Ncat is not the same thing as netcat
# Enhanced version, developed by the nmap developers and often packaged with it
# Supports encrypted (SSL) connections and IP-based access restrictions
# To pivot, it is needed on both the attacker and the pivot machine

# Attacker (--broker == accept multiple connections and relay between them)
$ ncat -lv --broker --max-conns 2

# Pivot
# We connect to attacker and target
$ ncat -v 192.168.2.149 31337 -c 'ncat -v 10.42.42.2 80'

PivotSuite

# Similar features to the other tools, but supports multilevel pivoting,
# like Metasploit

# "Remote" local port forwarding
# On the pivot
$ pivotsuite -S -F --server-option=PF --forward-ip=10.42.42.2 --forward-port=80 --server-ip=192.168.2.105 --server-port=8080

# "Remote" dynamic port forwarding
$ pivotsuite -S -F --server-option=SP --server-ip=192.168.2.105 --server-port=8080

RINETD

sudo apt install rinetd

Edit the config file, then restart the service:

nano /etc/rinetd.conf
service rinetd restart

Each forwarding rule in the config is one line with four fields: bindaddress, bindport, connectaddress, connectport. The bind address is the attacker machine, the bind port is the listening (incoming) port, the connect address is the address to forward the traffic to, and the connect port is the target port.
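A small parser for that four-field rule format, added here as an example (it is not part of rinetd or of the original page). It reads a constructed rinetd.conf sample, skips comments and the allow/deny/logfile directives, validates ports, and reports which rules bind on all interfaces, which is the first thing to check when reviewing a host's rinetd.conf:

```python
from dataclasses import dataclass
from typing import List

# Constructed sample config for this example, not taken from any real host.
SAMPLE_CONF = """\
# forwarding rules: bindaddress bindport connectaddress connectport
192.168.2.105 8080 10.42.42.2 80
0.0.0.0 4445 10.42.42.2 445   # listens on every interface
allow 192.168.2.*
logfile /var/log/rinetd.log
"""

# Non-forwarding directives that rinetd.conf may also contain.
DIRECTIVES = ("allow", "deny", "logfile", "logcommon")


@dataclass
class Forward:
    bind_address: str
    bind_port: int
    connect_address: str
    connect_port: int

    def describe(self) -> str:
        return (f"{self.bind_address}:{self.bind_port} -> "
                f"{self.connect_address}:{self.connect_port}")


def parse_port(value: str) -> int:
    """Accept only a numeric TCP port in 1..65535."""
    port = int(value)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def parse_rinetd_conf(text: str) -> List[Forward]:
    """Return the forwarding rules found in rinetd.conf-style text."""
    rules: List[Forward] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] in DIRECTIVES:
            continue  # access-control and logging lines are not forwards
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        rules.append(Forward(fields[0], parse_port(fields[1]),
                             fields[2], parse_port(fields[3])))
    return rules


def wildcard_binds(rules: List[Forward]) -> List[Forward]:
    """Rules that listen on all interfaces rather than one address."""
    return [r for r in rules if r.bind_address in ("0.0.0.0", "::")]


if __name__ == "__main__":
    parsed = parse_rinetd_conf(SAMPLE_CONF)
    for rule in parsed:
        flag = " [all interfaces]" if rule in wildcard_binds(parsed) else ""
        print(rule.describe() + flag)
```

Run it against a real /etc/rinetd.conf by replacing SAMPLE_CONF with the file's contents; any rule the parser rejects is one rinetd would also fail to load.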

Other Resources

Other Tools

  • PivotSuite - PivotSuite is a portable, platform-independent and powerful network pivoting toolkit, which helps Red Teamers / Penetration Testers use a compromised system to move around inside a network.

  • Modlishka - Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach to handling browser-based HTTP traffic flow, which allows it to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without requiring any additional certificate to be installed on the client.

  • Iodine - This is a piece of software that lets you tunnel IPv4 data through a DNS server. This can be useful in situations where internet access is firewalled, but DNS queries are allowed.

  • Mallory - HTTP/HTTPS proxy over SSH.

  • Pivotnacci - Pivot into the internal network by deploying HTTP agents.

  • PacketWhisper - PacketWhisper: Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography. Avoid the problems associated with typical DNS exfiltration methods. Transfer data between systems without the communicating devices directly connecting to each other or to a common endpoint. No need to control a DNS Name Server.

  • chisel - This package contains a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

  • cryptcat - Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted.

  • dns2tcp - dns2tcp is a set of tools to encapsulate a TCP session in DNS packets. This type of encapsulation generates smaller packets than IP-over-DNS, improving throughput.

  • dnschef - DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts.

  • miredo - A client for the Teredo IPV6 tunneling protocol.

  • nextnet - This package contains a pivot point discovery tool written in Go.

  • redsocks - Redsocks is a daemon running on the local system, that will transparently tunnel any TCP connection via a remote SOCKS4, SOCKS5 or HTTP proxy server.

  • sslh - sslh lets one accept HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port. This makes it possible to connect to any of these servers on port 443 (e.g. from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.
