chisel

• https://ap3x.github.io/posts/pivoting-with-chisel/
• https://vegardw.medium.com/reverse-socks-proxy-using-chisel-the-easy-way-48a78df92f29

# On Kali
> chisel server -p <kali-port> --reverse
# update /etc/proxychains.conf
# comment out `proxy_dns` for nmap to work
socks5 127.0.0.1 <sock-port> 

# On Pivot
# for sock proxy
> chisel client --max-retry-count=1 <kali-ip>:<kali-port> R:<sock-port>:socks  # for socks proxy
# for specific port forwarding
> chisel client --max-retry-count=1 <kali-ip>:<kali-port> R:<kali-mapping-port>:localhost:<target-local-port> # for specific port mapping

Escape org firewall outbound

# On a box inside the org
# edit /etc/proxychains.conf to ensure the correct port is used
# by default, it's the following
socks5 127.0.0.1 1080
# in terminal
> chisel server -p <kali-port> --reverse

# On a server that can access outside internet
# using the default port 1080
> chisel client <server-ip>:<server-port> R:socks
# specifc a port
> chisel client <server-ip>:<server-port> R:<other-port>:socks

ncat

# On Kali
# check /etc/proxychains.conf, defaults set to "tor"
# socks4 	127.0.0.1 9050
http <ip> <port>
# Usage:
> proxychains <cmd>

# On Pivot
# with ssl
> sudo ncat -vvv --listen 443 --proxy-type http --ssl
# without ssl
> ncat -vv --listen 3128 --proxy-type http

nmap

> nmap -p- --min-rate=1000 -T4 <TARGET> -vvv --proxy http://127.0.0.1:8080

squid

• https://www.tecmint.com/install-squid-in-ubuntu/
• https://www.serverlab.ca/tutorials/linux/administration-linux/how-to-set-the-proxy-for-apt-for-ubuntu-18-04/

# On Kali
> apt -y install squid
> /etc/squid/squid.conf
# you can specify which ip is allowed
acl localnet src <intended-ip-source>
http_access deny all -> http_access allow all
> service squid restart

# On Pivot
# create and edit /etc/apt/apt.conf.d/proxy.conf
Acquire::http::Proxy "http://<proxy-ip>:<proxy-port>/";

ssh tunnel

# forward specific ports
> ssh -L <local-map-port1>:<target>:<port1> -L <local-map-port2>:<target>:<port2> <user>@<pivot> -p <port>

# dynamic port forwarding
> ssh -N -D 127.0.0.1:8080 <user>@<pivot>
# dynamic port forwarding specify algorithms
> ssh -N -D 127.0.0.1:8080 -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc <user>@<pivot>

# Dynamic port forwarding through two hops
> ssh -J user1@<pivot1> -D 1080 user2@<pivot2>

sshuttle

# you can specify different algorithms
> sshuttle -e 'ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc' -l 127.0.0.1:8080 -r <user>@<pivot>:<port> -N

tun

• Map a specific subnet to an interface

> ./tun2socks-linux-amd64 -device tun://tun1 -proxy socks5://127.0.0.1:1080
> ip link set tun1 up
> ip route add 192.168.0.0/24 dev tun1

References

• https://nullsweep.com/pivot-cheatsheet-for-pentesters/