Tunneling Cheatsheet

All the methods below are meant to use a pivot host in order to get access to a victim that is not directly accessible.

Windows (native)

Map local port on victim1 in order to target victim2.


 netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport=



Create dynamic SSH tunnel towards remote host using a local port. Usually used with proxychains or other SOCKS proxy. For simplicity the port that the SOCKS proxy will connect to is 9050.

ssh -ND 9050 user@victim

Chain 2 hosts together and make victim2 available via victim 1 using a local port.

ssh -tt -v -L9050:localhost:8157 user@victim1 ssh -t -D 8157 user2@victim2 -p 228

Leave a Reply

Your email address will not be published. Required fields are marked *