Start server listener on port 9999, which creates a socks 4 proxy on upon connection from client:

Connect to Server:

Using single zip file mode:

Use proxychains to launch tools through the tunnel

Set following in /etc/proxychains.conf socks4 1080


On Attack box:

On Victim:




git clone https://github.com/jpillora/chisel.git
go build

From Kali:

From Victim:


Bind method:

On the DMZ / target Box, we run a simple listener to client relay:

Now, if the attacker connects to port 1521 of the DMZ Box, his connection will infact be routed to port 1521 of the internal server running Oracle. Hence interaction with the db is possible which was previously inaccessible.

Reverse method:

This time we’ll use listener to listener and client to client relays in netcat to Reverse Connect to attacker’s box. This method comprises of two parts –
a) Establish a client to client relay on the DMZ box that connects to both the attacker’s box on port 80 and the internal.db.srv box on port 1521.
b) Establish a listener to listener relay that binds to both port 80 and port 1521 on the attacker’s box. Steps (must be done in the following order)-

  1. On the attacker’s Linux Box, we run a listener to listener relay,

2.While on the DMZ Box, we run a client to client relay,


Reverse On our attacking machine, we setup a listener-to-listener relay using the following command:

At this point, we’ll have port 10000 listening on our machine. On the web server we execute the following command:

Ncat: Version 5.51
Ncat: Connected to
Ncat: Version 5.51
Ncat: Connected to


This tells ncat to connect to our ncat instance listening on port 10000, and then to connect to port 10000 on the target. This completes the setup, and data from our machine will flow through the web server and to the target. Note that the syntax for executing the client-to-client relay on the pivot is the same, regardless of whether it’s a Linux, Windows, or OS X machine. There’s nothing else that needs to be done, such as creating a pipe. Compare it to the technique that uses traditional netcat to see the difference. We can now execute our exploit. Keep in mind that we need to send it to port 10000 on our machine:

./exploit.py 10000
[+] sending payload of length 1479 [+] done


With the exploit sent, we can now terminate the ncat relays. Assuming the exploit worked, a bind shell should be listening on 4444 on the target. In order to access it, we once again setup ncat relays, only this time we’ll specify port 4444. On our machine we run the following command:

On the web server, we setup the client-to-client relay:

Ncat: Version 5.51
Ncat: Connected to
Ncat: Version 5.51
Ncat: Connected to

Using netcat (or ncat), we can connect to port 4444 on our machine to get a remote shell on the target:


Reverse SSH Tunneling

Local SSH Tunneling

Connect to https://localhost:4443

SSH as a SOCKS Proxy

Set your web browser to use localhost on port 8888 as SOCKS Proxy, and all your HTTP/HTTPS requests will go through the SSH tunnel. Or use Proxychains to execute tools over the Proxy connection.

Metasploit Meterpreter

Create portforwarding via Meterpreter session.

Create socks proxy via Meterpreter, then use Proxychains to run tools through the tunnel to target.

Tagged on: