A good guide for pivoting: https://artkond.com/2017/03/23/pivoting-guide/

https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6

Metasploit

Autoroute

Can be used on a meterpreter shell

add route

use post/multi/manage/autoroute 
msf5 post(multi/manage/autoroute) > show options  
Module options (post/multi/manage/autoroute): 
   Name     Current Setting  Required  Description 
   ----     ---------------  --------  ----------- 
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default) 
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24" 
   SESSION                   yes       The session to run this module on. 
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0) 
meterpreter > run autoroute -s 192.73.79.3 
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute. 
[!] Example: run post/multi/manage/autoroute OPTION=value [...] 
[*] Adding a route to 192.73.79.3/255.255.255.0... 
[+] Added route to 192.73.79.3/255.255.255.0 via 192.53.57.3 
[*] Use the -p option to list all active routes 

print routes

msf5 post(multi/manage/autoroute) > run 
[!] SESSION may not be compatible with this module. 
[*] Running module against 192.53.57.3 
IPv4 Active Routing Table 
========================= 
   Subnet             Netmask            Gateway 
   ------             -------            ------- 
   192.73.79.3        255.255.255.0      Session 2 

Port scan

use auxiliary/scanner/portscan/tcp 
msf5 post(multi/manage/autoroute) > use auxiliary/scanner/portscan/tcp  
msf5 auxiliary(scanner/portscan/tcp) > show options  
Module options (auxiliary/scanner/portscan/tcp): 
   Name         Current Setting  Required  Description 
   ----         ---------------  --------  ----------- 
   CONCURRENCY  10               yes       The number of concurrent ports to check per host 
   DELAY        0                yes       The delay between connections, per thread, in milliseconds 
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds. 
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900) 
   RHOSTS                        yes       The target address range or CIDR identifier 
   THREADS      1                yes       The number of concurrent threads 
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds 
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.73.79.3 
rhosts => 192.73.79.3 
msf5 auxiliary(scanner/portscan/tcp) > set threads 10 
threads => 10 
msf5 auxiliary(scanner/portscan/tcp) > run 
[+] 192.73.79.3:          - 192.73.79.3:139 - TCP OPEN 
[+] 192.73.79.3:          - 192.73.79.3:445 - TCP OPEN 
[*] 192.73.79.3:          - Scanned 1 of 1 hosts (100% complete) 

Portfwd

Add port forward

meterpreter > portfwd add –l 3389 –p 3389 –r [target host]

• add will add the port forwarding to the list and will essentially create a tunnel for us. Please note, this tunnel will also exist outside the Metasploit console, making it available to any terminal session.
• -l 3389 is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it’s not already being used.
• -p 3389 is the destination port on our targeting host.
• -r [target host] is the our targeted system’s IP or hostname.

Delete