search
githubEdit

Pivoting

hashtag
Network setup

The following sections rely on this network setup.

┌──────────────┐          ┌──────────────┐            ┌──────────────┐
│ attacking    │          │ compromised  │            │ target       │
│ machine      │          │ machine      │            │ machine      │
│ (local)      │          │ (pivot)      │            │ (target)     │
│              │          │              │            │              │
│  10.10.10.2 ◄┼──public──┼► 10.10.10.5  │            │              │
│              │          │              │            │              │
│              │          │  172.16.0.5 ◄┼──internal──┼► 172.16.0.10 │
│              │          │              │            │              │
└──────────────┘          └──────────────┘            └──────────────┘
Machine name
Short name
User

Attacking Machine

local

me

Compromised Machine

pivot

victim

Target Machine

target

-

hashtag
SSH

hashtag
Common options

option
description

-L

Forward connection (Local port forwarding)

-R

Reverse connection (Remote port forwarding)

-D

Socks proxy (Dynamic port forwarding)

-f

Immediately background the shell

-N

Only establish the connection, don't execute any commands

hashtag
Forward connection (Local port forwarding)

Setup a local port forward to the target.

Execute command

hashtag
Reverse connection (Remote port forwarding)

As we will connect back from the target (network) to our own machine, we need to take some precautions to ensure our safety.

  1. Generate a new ssh key pair

  1. Add public key to authorized_keys with following restrictions

  1. Check ssh server status

  1. Start ssh server (if not already running)

  1. Copy the private key over to the pivot ⚠️ Normally we would never give away our private key, but that's why we're using a new throwaway key pair here! ⚠️

Setup a remote port forward from the pivot.

Execute command (example)

hashtag
Socks proxy (Dynamic port forwarding)

Setup a proxy that forwards any tcp port to any target.

proxychains.conf (see also below)

Execute command (example)

hashtag
Socks proxy (reverse)

hashtag
Chisel

A fast TCP/UDP tunnel over HTTP GitHub - jpillora/chiselarrow-up-right

hashtag
Port forwarding

Start server (local)

Start client (pivot)

Execute command (example)

hashtag
SOCKS proxy

Start server (local)

Start client (pivot)

Note: <socks-port> defaults to 1080, if left out.

Execute command (example)

hashtag
Double pivot (via SOCKS proxies)

Start server (local)

Start client (pivot1)

Start another server (pivot1)

Start another client (pivot2)

Add another proxy to proxychains.conf (more details on proxychains, see below)

Execute command (example)

hashtag
Verify

E.g.

hashtag
proxychains

A tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy. GitHub - haad/proxychains: proxychainsarrow-up-right

hashtag
Config file

Proxychains looks for configuration in the following order:

  1. Env

  2. -f proxychains.conf

  3. ./proxychains.conf

  4. ~/.proxychains/proxychains.conf

  5. /etc/proxychains.conf

Run command via proxychains

hashtag
Burp Suite

To use Burp Suite in this setup, just configure the socks proxy there.

Project options or User optionsSOCKS Proxy☑️ Use SOCKS Proxy

  • SOCKS proxy host: 127.0.0.1

  • SOCKS proxy port: 1080

⚠️ Keep your browser pointing to Burp Suites' proxy as usual! ⚠️

hashtag
Foxy Proxy

See Firefox extensions

PreviousLootNextStandalone Tools

Last updated