Tunneling Techniques

Pivoting & Tunneling cheatsheet — Network pivoting and tunneling techniques.

Overview

Tunneling techniques allow attackers to route traffic through compromised hosts to access segmented networks. Multiple protocols can be used including SSH, HTTP, DNS, ICMP, and SOCKS proxies, each with different evasion properties.

The choice of tunneling protocol depends on egress filtering restrictions and available tools on the compromised host.

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting tunneling techniques:

ssh -D 9050 user@jumphost
chisel client jumphost:8000 R:1080:socks
chisel server -p 8000 --reverse
proxychains nmap -sT -sV -p 80,443,445 internal-server
socat TCP-LISTEN:1234,fork TCP:internal-server:80
plink.exe -l user -pw pass -R 1080:localhost:1080 target.com
dnscat2-server
python3 tunnel.py
sshuttle -r user@jumphost 192.168.0.0/16

Tools & Techniques

Recommended tools for Tunneling Techniques:

  • SSHuttle: VPN-like full tunnel over SSH
  • Chisel: HTTP/WebSocket tunneling
  • Socat: bidirectional port forwarding
  • Proxychains: force tools through proxy
  • dnscat2: DNS tunneling for egress bypass
  • SSH -L/-R/-D: port forwarding and SOCKS proxy
  • Plink: Windows SSH tunneling client

Prevention & Mitigation

Security recommendations to prevent Tunneling Techniques:

  • Inspect and filter outbound traffic at the perimeter
  • Deploy next-generation firewalls with application inspection
  • Monitor for DNS tunneling indicators (unusual DNS queries)
  • Use TLS inspection so that encrypted traffic cannot bypass filtering
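
One way to check for the "unusual DNS queries" indicator listed above, as an added example that is not part of the original page. It scores DNS query records per parent domain; the sample records are constructed, and the function names and thresholds are assumptions to tune against your own resolver logs.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client IP, queried name) pairs; not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
    ("10.0.0.6", "api.example.com"), ("10.0.0.6", "cdn.example.com"),
    ("10.0.0.6", "autodiscover.example.org"),
    ("10.0.0.9", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.test"),
    ("10.0.0.9", "8796a5b4c3d2e1f00f1e2d3c4b5a6978.tunnel.test"),
    ("10.0.0.9", "0123456789abcdeffedcba9876543210.tunnel.test"),
    ("10.0.0.9", "fedcba98765432100123456789abcdef.tunnel.test"),
]

def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def parent_domain(name):
    # Assumption: the last two labels are the registered domain. Production
    # code should consult the Public Suffix List instead.
    return ".".join(name.split(".")[-2:])

def find_tunnel_candidates(queries, long_label=30, min_entropy=3.5, min_unique=4):
    """Return {parent domain: {"reasons", "clients"}} for domains with >= 2 indicators."""
    stats = defaultdict(lambda: {"names": set(), "clients": set(), "long": 0, "random": 0})
    for client, raw in queries:
        name = raw.rstrip(".").lower()
        label = max(name.split(".")[:-2], key=len, default="")  # longest subdomain label
        s = stats[parent_domain(name)]
        s["clients"].add(client)
        if name in s["names"]:
            continue  # score each distinct name once
        s["names"].add(name)
        s["long"] += len(label) > long_label
        s["random"] += len(label) >= 16 and shannon_entropy(label) >= min_entropy
    flagged = {}
    for domain, s in stats.items():
        reasons = []
        if len(s["names"]) >= min_unique:
            reasons.append("many unique subdomains")
        if s["long"]:
            reasons.append("long labels")
        if s["random"]:
            reasons.append("high-entropy labels")
        if len(reasons) >= 2:  # a single indicator is common for CDNs
            flagged[domain] = {"reasons": reasons, "clients": sorted(s["clients"])}
    return flagged
```

Requiring two indicators keeps a domain with many ordinary hostnames (here `example.com`) out of the results, while the client list shows which internal hosts to triage.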
