
# Pivoting

Tools and Techniques

## SSH

```
# Dynamic SSH tunnel: SOCKS proxy on localhost:9050, no remote shell (-N), backgrounded (-f)
ssh -D localhost:9050 -f -N <USER>@<DOMAIN>
# Run tools through the tunnel: proxychains <Command>
# Not all tools are proxy aware
```

## Metasploit

* SOCKS proxy

```
# Route traffic for the internal subnet through the Meterpreter session
Meterpreter> run autoroute -s 172.16.2.0/24
background
# Expose that route as a local SOCKS proxy on port 9050
use auxiliary/server/socks_proxy
set SRVPORT 9050
run
```

* Port forward

```
# Forward remote port 22 to localhost port 1337
Meterpreter> portfwd add -r 172.16.2.5 -p 22 -L 127.0.0.1 -l 1337
```

## Ligolo-ng

Setup

```
# Create a tun interface for ligolo and route the target subnet through it
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.1.0/24 dev ligolo
```

* Server (proxy, on the attacker machine)

```
./proxy -selfcert
```

* Client (agent, on the pivot host)

```
./agent -connect <SERVER-IP>:11601 -ignore-cert
```

## sshuttle

sshuttle acts like a VPN over SSH, so hosts behind the pivot are reachable without proxychains.

```
# Route everything (0/0) through the SSH host; --dns also forwards DNS, -D daemonises
sshuttle [--dns] -vr root@10.10.110.100 0/0 --ssh-cmd 'ssh -i 10.10.110.100/root-id-rsa' -D
```

> Cons: No internet access on HTB

Proxychains does not work with Go binaries: it uses LD_PRELOAD to hijack dynamically linked library calls, and Go binaries do not go through them.

See [**graftcp**](https://github.com/hmgle/graftcp) and [**tun2socks**](https://github.com/xjasonlyu/tun2socks) below.

## Chisel

### Installation

```
go install github.com/jpillora/chisel@latest
```

* Server

```
# On attacker machine: accept reverse tunnels on port 54321
./chisel server --reverse --port 54321
```

* Client

```
# On victim machine: open a SOCKS5 listener on the attacker's 127.0.0.1:9050
./chisel client <SERVER>:54321 R:127.0.0.1:9050:socks
```

The server and client **must** be the same version.

* Reference
  * <https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-chisel>

## Graftcp

`graftcp` can redirect the TCP connections made by a program (application, script, shell, etc.) to a SOCKS5 or HTTP proxy.

Compared with [tsocks](https://linux.die.net/man/8/tsocks), [proxychains](http://proxychains.sourceforge.net/), or [proxychains-ng](https://github.com/rofl0r/proxychains-ng), `graftcp` does not use the [LD\_PRELOAD trick](https://stackoverflow.com/questions/426230/what-is-the-ld-preload-trick), which only works for dynamically linked programs; for example, [applications built by Go cannot be hooked by proxychains-ng](https://github.com/rofl0r/proxychains-ng/issues/199). Instead, `graftcp` traces and modifies the connections of any given program with [`ptrace(2)`](https://en.wikipedia.org/wiki/Ptrace).
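Added example (not from these notes or from any of the tools' own code): a small ELF64 reader showing why the LD_PRELOAD point above and in the sshuttle section matters. LD_PRELOAD is honoured by the dynamic loader, which the kernel only invokes for ELF files carrying a PT_INTERP program header, so a binary without one (a static Go binary, or any other statically linked program) is never hooked by proxychains. The ELF images it parses are constructed inline; `proxychains_can_hook()` is a hypothetical helper name.

```python
import struct

# Why proxychains misses Go programs: LD_PRELOAD is honoured by the dynamic
# loader, and the kernel only invokes a loader for ELF files that carry a
# PT_INTERP program header. A static binary has none, so its connect()
# calls are never hooked. ptrace-based graftcp does not depend on this.

PT_INTERP = 3
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2


def dynamic_loader(data: bytes):
    """Return the interpreter path (e.g. /lib64/ld-linux-x86-64.so.2) requested
    by an ELF64 image, or None when the binary is statically linked."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    # e_phoff @0x20 (u64), e_phentsize @0x36 (u16), e_phnum @0x38 (u16), little-endian
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, off)[0]
        if p_type == PT_INTERP:
            # p_offset and p_filesz locate the NUL-terminated loader path in the file
            p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", data, off + 8)
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def proxychains_can_hook(path: str) -> bool:
    """Hypothetical helper: True when LD_PRELOAD hooking can apply to the file at path."""
    with open(path, "rb") as f:
        return dynamic_loader(f.read()) is not None


def build_minimal_elf64(dynamic: bool) -> bytes:
    """Constructed sample input: ELF64 header + program headers only (no code),
    just enough structure for dynamic_loader() to parse."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    phnum = 2 if dynamic else 1
    phoff, phentsize = 64, 56
    interp_off = phoff + phentsize * phnum
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8  # class, LE, version, SysV ABI
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, phoff, 0, 0,
                                 64, phentsize, phnum, 64, 0, 0)  # ET_EXEC, x86-64
    phdrs = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)  # PT_LOAD r-x
    if dynamic:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                             len(interp), len(interp), 1)
    return ehdr + phdrs + (interp if dynamic else b"")
```

Running `proxychains_can_hook("/path/to/binary")` before reaching for proxychains tells you whether to expect it to work or to fall back to graftcp or tun2socks.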

### Installation

```
wget https://github.com/hmgle/graftcp/releases/download/v0.4.0/graftcp_0.4.0-1_amd64.deb
sudo dpkg -i ./graftcp_0.4.0-1_amd64.deb
```

### Usage

```
sudo graftcp-local -socks5 127.0.0.1:9050
graftcp <Program>

# Alternatively
sudo mgraftcp --socks5 127.0.0.1:9050 <Program>
```

Check the [repository](https://github.com/hmgle/graftcp) for more instructions.

## Tun2socks

* Proxy Everything: Handle all network traffic of any internet programs sent by the device through a proxy.
* Proxy Protocols: HTTP/Socks4/Socks5/Shadowsocks with authentication support for remote connections.
* Run Everywhere: Linux/macOS/Windows/FreeBSD/OpenBSD multi-platform support with specific optimization.
* Gateway Mode: Act as a layer three gateway to handle network traffic from other devices in the same network.
* Full IPv6 Support: All functions work in IPv6, tunnel IPv4 connections through IPv6 proxy and vice versa.
* Network Stack: Powered by user-space TCP/IP stack from Google container application kernel [**gVisor**](https://github.com/google/gvisor).

### Installation

```
go install github.com/xjasonlyu/tun2socks/v2@latest
```

### Usage

```
# tun2socks stays in the foreground; run the ip commands from a second terminal
sudo `which tun2socks` -device tun://tun1 -proxy socks5://127.0.0.1:9050
sudo ip link set tun1 up
sudo ip route add <destination network> dev tun1
```
