
Persistence and Pivoting

Credit goes to Pentestmonkey for the majority of this page, copied here for convenience and for completeness' sake.

// SSH Tunneling //

// SOCKS proxy / Dynamic // -D //

Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):

Command line:

ssh -D 127.0.0.1:1080 10.0.0.1

~/.ssh/config:

Host 10.0.0.1
    DynamicForward 127.0.0.1:1080

You can then use tsocks or a similar wrapper to run non-SOCKS-aware tools against hosts reachable from 10.0.0.1:

tsocks rdesktop 10.0.0.2

// Local port forward // -L //

Example

The service listening on TCP port 1521 on the remote host (10.0.0.1) becomes reachable by connecting to 127.0.0.1:10521 on the SSH client system.

Command line:

ssh -L 127.0.0.1:10521:127.0.0.1:1521 user@10.0.0.1

~/.ssh/config:

LocalForward 127.0.0.1:10521 127.0.0.1:1521

// Remote Port Forward // -R //

The SSH server will be able to access TCP port 80 on the SSH client by connecting to 127.0.0.1:8000 on the SSH server.

Command line:

ssh -R 127.0.0.1:8000:127.0.0.1:80 10.0.0.1

~/.ssh/config:

RemoteForward 127.0.0.1:8000 127.0.0.1:80
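All three forward types above (-D, -L, -R) depend on the remote sshd permitting them. The following is an added example, not part of Pentestmonkey's page: a small auditor that parses an sshd_config and reports which forwarding-related directives are still enabled, applying the first-value-wins rule sshd uses and reporting Match-block settings separately. The keyword names and defaults are OpenSSH's (AllowTcpForwarding, GatewayPorts, PermitTunnel, AllowStreamLocalForwarding, PermitOpen, PermitListen); the two sample configurations are constructed for the demo, one left at permissive defaults and one hardened with a narrow Match exception.

```python
"""
Audit an sshd_config for the directives that control SSH tunneling.
Added example, not code from the original page.

sshd uses the FIRST value it reads for each keyword, so a restrictive
directive placed before a permissive one wins (this is why distributions
put 'Include /etc/ssh/sshd_config.d/*.conf' at the top of the file).
Directives inside 'Match' blocks are conditional, so they are reported
with their criteria instead of being folded into the global result.
"""

# keyword (lower-case) -> (sshd default, value that disables the capability)
FORWARDING_KEYWORDS = {
    "allowtcpforwarding": ("yes", "no"),          # required by -L, -R and -D
    "gatewayports": ("no", "no"),                 # lets -R bind non-loopback addresses
    "permittunnel": ("no", "no"),                 # tun/tap device forwarding (-w)
    "allowstreamlocalforwarding": ("yes", "no"),  # Unix-domain socket forwarding
    "permitopen": ("any", "none"),                # destinations reachable via -L / -D
    "permitlisten": ("any", "none"),              # ports -R may listen on
}

# Constructed sample: stock-looking config, forwarding left at defaults.
WEAK_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding no
"""

# Constructed sample: forwarding disabled globally, re-enabled for one group
# only, and even then limited to a single destination host:port.
HARDENED_CONFIG = """
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
PermitOpen none
PermitListen none

Match Group bastion-users
    AllowTcpForwarding local
    PermitOpen 10.0.0.1:1521
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    global_directives: {keyword: first value seen}, per sshd semantics.
    match_blocks: [(match_criteria, {keyword: first value seen})] in file order.
    Lines starting with '#' and blank lines are comments.
    """
    global_directives = {}
    match_blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = current if current is not None else global_directives
        target.setdefault(keyword, value)  # first value wins
    return global_directives, match_blocks


def forwarding_findings(text):
    """Return [(keyword, effective_value, scope)] for every forwarding-related
    directive that is not disabled. scope is 'global' or 'Match <criteria>'.
    Absent keywords are evaluated at their sshd default."""
    global_directives, match_blocks = parse_sshd_config(text)
    findings = []
    for keyword, (default, off) in FORWARDING_KEYWORDS.items():
        value = global_directives.get(keyword, default)
        if value.lower() != off:
            findings.append((keyword, value, "global"))
        for criteria, block in match_blocks:
            if keyword in block and block[keyword].lower() != off:
                findings.append((keyword, block[keyword], "Match " + criteria))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for keyword, value, scope in forwarding_findings(cfg) or []:
            print(f"  {keyword} = {value}  [{scope}]")
```

Run it against a real file with `forwarding_findings(open("/etc/ssh/sshd_config").read())`; note that `Include`d drop-in files are not followed here, so audit those separately. An empty result means every forwarding path in the table is disabled globally and in all Match blocks.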

// Netcat Relays //

Create a FIFO (named pipe) to carry the return direction of the relay:

mknod backpipe p

Listener to Client:

nc -lp <port> 0<backpipe | nc <TarIP> <port> | tee backpipe

Listener-To-Listener:

nc -lp <LocalPort> 0<backpipe | nc -lp <LocalPort2> | tee backpipe

Client-To-Client:

nc <PrevIP> <port> 0<backpipe | nc <NextIP> <port2> | tee backpipe

File PUSH (client -> listener)

nc -lp <port> > <outfile>
nc -w3 <tarIP> <port> < <infile>

File PULL (listener -> client)

nc -lp <port> < <infile>
nc -w3 <tarIP> <port> > <outfile>