Pivoting and double pivoting
In this section we set up a SOCKS4a proxy with Metasploit, configure Proxychains4 to route traffic through it, and then look at pivoting and double pivoting.
Setting Up SOCKS4a Proxy and Proxychains
Configure Metasploit's SOCKS4a Proxy Service:
This command sets up a SOCKS4a proxy server on port 9050 using Metasploit.
Configure Proxychains4:
Edit the Proxychains configuration file to ensure it routes through the SOCKS5 proxy on localhost at port 9050.
Verify Proxy Service and Use Proxychains with Nmap
Verify the Process Running:
Use netstat to verify the proxy service is listening on the desired port.
Scan Network via Proxychains Using Nmap:
Use Proxychains with Nmap to scan a target machine through the proxy.
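Before pointing proxychains at the listener it is worth confirming two things from the netstat output: that something is actually listening on the port, and that it is bound to loopback only, because a SOCKS listener bound to 0.0.0.0 is usable by anyone who can reach your box. The script below is an added example, not part of the original page; it parses netstat -tlnp style output, and SAMPLE_NETSTAT is a constructed sample (the PIDs and program names are invented), not a real capture.

```python
"""
Check that a SOCKS proxy listener is up on the expected local port and that it is
bound only to the loopback interface.  Added example, not part of the original
page; SAMPLE_NETSTAT is constructed, not a real capture.
"""
import re
import shutil
import subprocess
from typing import Dict, List

# Constructed sample of `netstat -tlnp` output (PIDs and programs are invented).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4242/ruby
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      4310/ssh
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      901/sshd
"""

# One netstat LISTEN line: proto, two queue counters, local addr, foreign addr, state, program.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)"
)

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(netstat_output: str) -> List[Dict[str, str]]:
    """Return one dict per LISTEN line: proto, bind address, port, program."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        # rpartition handles both "127.0.0.1:9050" and the IPv6 wildcard ":::22"
        addr, _, port = m.group("local").rpartition(":")
        listeners.append({"proto": m.group("proto"), "addr": addr,
                          "port": port, "prog": m.group("prog")})
    return listeners


def check_proxy_listener(netstat_output: str, port: int) -> Dict[str, object]:
    """Report whether `port` has a listener and whether every listener is loopback-only."""
    hits = [l for l in parse_listeners(netstat_output) if l["port"] == str(port)]
    exposed = [l["addr"] for l in hits if l["addr"] not in LOOPBACK]
    return {
        "listening": bool(hits),
        "loopback_only": bool(hits) and not exposed,
        "exposed_on": exposed,                       # non-loopback bind addresses
        "programs": sorted({l["prog"] for l in hits}),
    }


def live_netstat() -> str:
    """Run `netstat -tlnp` if it is installed, otherwise fall back to the sample."""
    if shutil.which("netstat") is None:
        return SAMPLE_NETSTAT
    return subprocess.run(["netstat", "-tlnp"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for p in (9050, 1080):
        print(p, check_proxy_listener(live_netstat(), p))
```

In the sample, port 9050 is reported as healthy while port 1080 is flagged as exposed on 0.0.0.0; an ssh -D tunnel opened without a bind address of 127.0.0.1 (or with GatewayPorts enabled) produces exactly that second line.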
Pivoting and Network Scanning
Set Up Autoroute via Metasploit Session:
Configure autoroute for a Metasploit session to route traffic through a compromised machine's subnet.
Enumeration and Remote Desktop Protocol (RDP) via proxychains
Run Enumeration with Proxychains:
Use Proxychains to run the enum4linux script against a specific machine.
Use RDP via Proxychains:
Connect to a machine using Remote Desktop Protocol through Proxychains.
SSH Port Forwarding
Perform Multiple Local Port Forwardings with SSH:
Forward multiple ports from a target machine to the local machine using an SSH connection.
Perform Simple Port Forwarding:
Forward port 80 of the target host (172.16.0.10) to port 8000 on the local machine, running SSH in the background with -fN.
Reverse Shell and Port Forwarding with Metasploit via pivoting
This guide demonstrates how to set up a remote port forwarding configuration and generate a Meterpreter payload for penetration testing.
Remote Port Forwarding Setup:
Use SSH to set up remote port forwarding. This enables rerouting connections from a remote server to a local service.
Now, forward traffic to another internal pivot host by specifying the internal IP and desired port:
Generate Meterpreter Payload:
Create a reverse HTTPS Meterpreter payload with msfvenom. The payload should connect back to your pivot host's internal IP.
Note: replace <InternalIPPivotHost> and <TargetIP> with the actual IP addresses, and set the pivot host's internal IP as LHOST when generating the payload.
Metasploit Commands for Port Forwarding:
portfwd: Port forward a port from the remote machine.
route: Manage routes within Metasploit.
arp: View or manipulate the ARP cache.
getproxy: Create a proxy within Metasploit.
Reverse port forwarding
Reverse port forwarding is useful when you have a shell on a machine but no SSH access to it: instead of you connecting in, the target opens the tunnel back to your attacking box. Follow these steps to set it up.
Explanation: This command creates a private and public SSH key pair, essential for secure connections.
Explanation: This restriction ensures the key is only used for port forwarding, preventing shell access to your attacking machine.
Explanation: Use this command to ensure the SSH service is running correctly on your system.
Explanation: Replace [PID] with the process ID of the SSH connection you wish to terminate.
Explanation: This command creates a reverse port forward from port 22 of the remote machine (172.16.0.100) to port 2222 on your local machine, authenticating with the keyfile id_rsa. The -fN option backgrounds the session once the tunnel is up and tells SSH not to run a remote command.
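The key handed to the target in this procedure authenticates back to your own attacking box, so it should be able to do nothing but open that one reverse forward. The step above says to restrict it; the script below, an added example that is not part of the original page, builds such an authorized_keys entry with OpenSSH's documented key options (restrict, port-forwarding, permitlisten, command) and audits an existing entry for them. SAMPLE_PUBKEY is a constructed placeholder, not real key material, and the listen address 127.0.0.1:2222 mirrors the port used on this page.

```python
"""
Build and audit an authorized_keys entry that lets a key open a reverse port
forward (ssh -R) back to this host and nothing else.  Added example, not part of
the original page; SAMPLE_PUBKEY is a constructed placeholder, not a real key.
"""
from typing import List, Tuple

# Constructed placeholder public key (not real key material).
SAMPLE_PUBKEY = ("ssh-ed25519 "
                 "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000 "
                 "pivot-only")

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Options the entry must carry before we consider it forwarding-only.
REQUIRED = {"restrict", "port-forwarding", "permitlisten", "command"}


def forwarding_only_entry(pubkey_line: str, listen_host: str, listen_port: int) -> str:
    """Prefix a public key with OpenSSH options that allow only a reverse forward.

    restrict         disables pty, agent/X11 forwarding, ~/.ssh/rc and port forwarding
    port-forwarding  re-enables forwarding, the one thing this key is for
    permitlisten     limits ssh -R to one listen address on this host (OpenSSH 7.8+)
    command=         any shell or exec request runs /bin/false and the session ends
    """
    options = [
        "restrict",
        "port-forwarding",
        f'permitlisten="{listen_host}:{listen_port}"',
        'command="/bin/false"',
    ]
    return ",".join(options) + " " + pubkey_line.strip()


def split_entry(entry: str) -> Tuple[List[str], str]:
    """Split an authorized_keys line into (options, key-part).

    Options are comma separated, but a quoted value may contain commas or
    spaces, so walk the string rather than using split(",").
    """
    entry = entry.strip()
    if entry.startswith(KEY_TYPES):          # no options at all
        return [], entry
    opts, cur, in_quote = [], "", False
    for i, ch in enumerate(entry):
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            opts.append(cur)
            cur = ""
        elif ch == " " and not in_quote:     # first unquoted space ends the options
            opts.append(cur)
            return opts, entry[i + 1:].strip()
        else:
            cur += ch
    return opts, ""                          # options but no key material


def audit_entry(entry: str) -> List[str]:
    """Return the required options that are missing; [] means forwarding-only."""
    opts, _ = split_entry(entry)
    present = {o.split("=", 1)[0] for o in opts}
    return sorted(REQUIRED - present)


if __name__ == "__main__":
    line = forwarding_only_entry(SAMPLE_PUBKEY, "127.0.0.1", 2222)
    print(line)
    print("missing:", audit_entry(line) or "nothing")
```

Paste the generated line into ~/.ssh/authorized_keys on the attacking box. Because command= answers any shell request with /bin/false, the forward has to be requested with -N, which is exactly what the -fN invocation above does; add a permitopen option as well if you also want to pin down what a -L forward from that key may reach.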
Discover hosts through a pivot using Living Off The Land tools
This is useful if the target does not have nmap installed, or if you do not want to make a lot of noise while scanning the internal network. Instead, we can use Living Off The Land tools that are already built in.
Linux: Discovering Live Hosts on a Network:
This Bash one-liner will ping each IP address in the range of 192.168.1.1 to 192.168.1.255, reporting back any live hosts that respond to the ping.
Linux: Scanning Open Ports on a Target:
This command will attempt to connect to each port from 1 to 65535 on the target IP (192.168.1.1) and will report any open ports.
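Even without nmap, the two one-liners above leave a very regular footprint: one source touching every address in a /24, then one source touching thousands of ports on a single host. The script below, an added example that is not part of the original page, shows how that footprint is picked out of connection logs. SAMPLE_LOG is constructed in a simple "time src dst proto dport" layout (not any real logging format), with 192.168.1.50 playing the pivot host and the thresholds chosen for the sample.

```python
"""
Flag the traffic pattern left by a ping sweep (one source, many destinations) and
a full-range port probe (one source/destination pair, many ports).  Added example,
not part of the original page; SAMPLE_LOG is constructed, not a real capture.
"""
from collections import defaultdict
from typing import List, Tuple

# Constructed sample log (not a real format): fields are "time src dst proto dport".
SAMPLE_LOG = "\n".join(
    [f"12:00:{i:02d} 192.168.1.50 192.168.1.{i} icmp -" for i in range(1, 41)]
    + [f"12:01:{i:02d} 192.168.1.50 192.168.1.1 tcp {1000 + i}" for i in range(60)]
    + ["12:02:00 192.168.1.20 192.168.1.1 tcp 443",
       "12:02:01 192.168.1.21 192.168.1.1 tcp 443",
       "12:02:02 192.168.1.21 192.168.1.2 tcp 22"]
)

Event = Tuple[str, str, str, str]   # (src, dst, proto, dport)


def parse_log(text: str) -> List[Event]:
    """Turn the constructed log lines into (src, dst, proto, dport) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:            # skip blank or malformed lines
            continue
        _ts, src, dst, proto, dport = parts
        events.append((src, dst, proto, dport))
    return events


def find_sweeps(text: str, host_threshold: int = 20,
                port_threshold: int = 30) -> List[Tuple[str, str, int]]:
    """Return (kind, who, count) findings for host sweeps and port sweeps.

    host_sweep: one source reached at least host_threshold distinct destinations
    port_sweep: one src->dst pair saw at least port_threshold distinct TCP ports
    """
    hosts_by_src = defaultdict(set)    # src -> distinct destination addresses
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct TCP destination ports
    for src, dst, proto, dport in parse_log(text):
        hosts_by_src[src].add(dst)
        if proto == "tcp":
            ports_by_pair[(src, dst)].add(dport)

    findings = []
    for src, dsts in sorted(hosts_by_src.items()):
        if len(dsts) >= host_threshold:
            findings.append(("host_sweep", src, len(dsts)))
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= port_threshold:
            findings.append(("port_sweep", f"{src}->{dst}", len(ports)))
    return findings


if __name__ == "__main__":
    for kind, who, count in find_sweeps(SAMPLE_LOG):
        print(f"{kind:10s} {who:30s} {count}")
```

The normal hosts in the sample (192.168.1.20 and .21) stay well under both thresholds; the sweep from the pivot host is reported twice, once for the ICMP sweep across 40 addresses and once for the 60-port probe of 192.168.1.1. On a real network the thresholds and the time window need tuning, but a bash loop over 255 addresses or 65535 ports sits far above any sensible value.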
Pivoting and double pivoting (SSH Dynamic port forwarding)
To configure SSH dynamic port forwarding, use the following commands:
Edit /etc/proxychains.conf
Add the following line so that proxychains uses the SOCKS proxy on your localhost at port 1080:
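Both proxychains setups on this page, the Metasploit SOCKS4a listener on 127.0.0.1:9050 in the first section and the ssh -D listener on 127.0.0.1:1080 here, come down to one line under [ProxyList] that must match the listener you actually started: the proxy type, host and port all have to agree, and a socks5 line will never complete a handshake against a listener that only speaks SOCKS4a. The script below is an added example, not code from the original page or from the proxychains project; it parses the [ProxyList] section and checks the last hop against what you expect. SAMPLE_CONF is a constructed file that follows the proxychains.conf layout.

```python
"""
Parse the [ProxyList] section of a proxychains.conf and check that the chain ends
at the proxy you actually started.  Added example, not part of the original page
or the proxychains project; SAMPLE_CONF is constructed.
"""
import sys
from typing import Dict, List, Optional

# Constructed sample config following the proxychains.conf layout (not a real file).
SAMPLE_CONF = """\
# proxychains.conf  VER 4.x
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
# socks4 	127.0.0.1 9050
socks5 127.0.0.1 1080
"""

# Proxy types proxychains accepts in [ProxyList] ("raw" is proxychains-ng only).
VALID_TYPES = {"http", "socks4", "socks5", "raw"}
CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}


def _strip(raw: str) -> str:
    """Drop a trailing # comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_proxy_list(text: str) -> List[Dict[str, str]]:
    """Return the active (uncommented) entries under [ProxyList], in chain order."""
    entries, in_list = [], False
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if line.startswith("["):                  # section header
            in_list = line.lower() == "[proxylist]"
            continue
        if not in_list:
            continue
        parts = line.split()                      # type host port [user pass]
        if len(parts) < 3 or parts[0].lower() not in VALID_TYPES:
            raise ValueError(f"malformed ProxyList entry: {raw!r}")
        entries.append({"type": parts[0].lower(), "host": parts[1], "port": parts[2]})
    return entries


def chain_mode(text: str) -> Optional[str]:
    """Return the chain mode directive in force, or None if none is set."""
    for raw in text.splitlines():
        line = _strip(raw)
        if line in CHAIN_MODES:
            return line
    return None


def check_conf(text: str, expected_type: str, host: str, port: int) -> List[str]:
    """Return a list of problems; [] means the last hop is the expected proxy."""
    entries = parse_proxy_list(text)
    if not entries:
        return ["no active entry under [ProxyList]"]
    last = entries[-1]                            # the hop that reaches the target
    problems = []
    if (last["host"], last["port"]) != (host, str(port)):
        problems.append(f"last hop is {last['host']}:{last['port']}, expected {host}:{port}")
    if last["type"] != expected_type:
        problems.append(f"last hop type is {last['type']}, expected {expected_type}")
    return problems


if __name__ == "__main__":
    # usage: python3 check_proxychains.py [/etc/proxychains.conf] socks5 127.0.0.1 1080
    conf = open(sys.argv[1]).read() if len(sys.argv) == 5 else SAMPLE_CONF
    ptype, phost, pport = (sys.argv[2:5] if len(sys.argv) == 5 else ("socks5", "127.0.0.1", 1080))
    print("chain mode:", chain_mode(conf))
    print("problems:", check_conf(conf, ptype, phost, int(pport)) or "none")
```

Against the sample the 1080 check passes and a 9050/socks4 check reports both a port and a type mismatch, which is the situation you end up in when the default socks4 line is left in place next to a freshly added one. Only the last active entry is compared because with strict_chain the earlier hops are intermediate proxies, which is precisely what a double pivot adds.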
Initiate Dynamic Port Forwarding
To set up dynamic port forwarding over SSH, use the following command. This example listens on port 1080 and forwards traffic through the specified username@hostname:
This command establishes an SSH tunnel that acts as a SOCKS proxy, allowing you to route traffic securely.
Add Options for Background Operation
To run the SSH session in the background, which keeps the tunnel up without holding an active terminal session open, use the -f option together with the following:
-f: Requests SSH to go to the background just before command execution.
-C: Enables compression of data, if possible.
-q: Quiet mode; suppresses most warning and diagnostic messages.
-N: Tells SSH not to execute a remote command, useful for just forwarding ports.
Proxychains <TOOL>
Once the tunnel is established, we can use proxychains with our favourite tool to reach the internal network.
Plink.exe - Windows only
Plink.exe is a Windows command-line version of the PuTTY SSH client. Now that Windows ships with its own built-in SSH client, plink is less useful on modern systems; however, it is still a very useful tool, so we will cover it here.
2. Example of Reverse Port Forwarding
3. Convert SSH Key for Plink
4. Install putty-tools on Kali Linux
These commands cover the process of setting up reverse port forwarding using plink.exe, converting SSH keys for use with Plink, and installing the necessary tools on Kali Linux.