# Pivoting

## Network setup

The following sections rely on this network setup.

```
┌──────────────┐          ┌──────────────┐            ┌──────────────┐
│ attacking    │          │ compromised  │            │ target       │
│ machine      │          │ machine      │            │ machine      │
│ (local)      │          │ (pivot)      │            │ (target)     │
│              │          │              │            │              │
│  10.10.10.2 ◄┼──public──┼► 10.10.10.5  │            │              │
│              │          │              │            │              │
│              │          │  172.16.0.5 ◄┼──internal──┼► 172.16.0.10 │
│              │          │              │            │              │
└──────────────┘          └──────────────┘            └──────────────┘
```

| Machine name        | Short name | User   |
| ------------------- | ---------- | ------ |
| Attacking Machine   | local      | me     |
| Compromised Machine | pivot      | victim |
| Target Machine      | target     | -      |

## SSH

### Common options

| option | description                                               |
| ------ | --------------------------------------------------------- |
| `-L`   | Forward connection (**L**ocal port forwarding)            |
| `-R`   | Reverse connection (**R**emote port forwarding)           |
| `-D`   | Socks proxy (**D**ynamic port forwarding)                 |
| `-f`   | Go to the background just before command execution (usually combined with `-N`) |
| `-N`   | Only establish the connection, don't execute any commands |

### Forward connection (Local port forwarding)

```
  local                           pivot              target
10.10.10.2                     10.10.10.5          172.16.0.10
                               172.16.0.5
    │                               │                   │
    │                               │                   │
    │ssh -L 1337:172.16.0.10:80     │                   │
    ├──────────────────────────────►│                   │
    │                               │                   │
    │nc 127.0.0.1 1337              │                   │
    ├──────────────────────────────►│        80         │
    │                               ├──────────────────►│
    │                               │                   │
```

Set up a local port forward to the target.

```bash
ssh -L 1337:172.16.0.10:80 victim@10.10.10.5
```

Execute command

```bash
<cmd>

# Example
nc 127.0.0.1 1337
```

### Reverse connection (Remote port forwarding)

```
  local                           pivot              target
10.10.10.2                     10.10.10.5          172.16.0.10
                               172.16.0.5
    │                               │                   │
    │                               │                   │
    │     ssh -R 1337:172.16.0.10:80│                   │
    │◄──────────────────────────────┤                   │
    │                               │                   │
    │nc 127.0.0.1 1337              │                   │
    ├──────────────────────────────►│        80         │
    │                               ├──────────────────►│
    │                               │                   │
```

Because the pivot will connect back from the target network into our own machine, we take a few precautions first so that the account it logs in as cannot be used for anything but the port forward.

1. Generate a new ssh key pair

```bash
ssh-keygen
```

1. Add the public key to `authorized_keys` on the attacking machine with the following restrictions (`from=` pins the key to the source address the connection arrives from, `command=` replaces any shell with a fixed message, and the `no-*` options disable everything except the forward)

```
# one line in ~/.ssh/authorized_keys on the attacking machine
from="<target-ip>",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty <pub-key>
```

1. Check ssh server status

```bash
sudo systemctl status ssh
```

1. Start ssh server (if not already running)

```bash
sudo systemctl start ssh
```

1. Copy the private key over to the pivot\
   ⚠️ Normally we would never give away our private key, but that's why we're using a new throwaway key pair here! ⚠️

Set up a remote port forward from the pivot.

```bash
ssh -R 1337:172.16.0.10:80 me@10.10.10.2 -i throwaway-key
```

Execute command (example)

```bash
nc 127.0.0.1 1337
```
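An added shell example, not from the cheat sheet, that builds the restricted `authorized_keys` entry from step 2 and checks an existing entry for the required options before the throwaway key is copied to the pivot. The function names, the sample public key and the source address 10.10.10.5 (the pivot's public address in the network setup above) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: build and sanity-check the
# restricted authorized_keys entry for the throwaway port-forwarding key.

# Message echoed instead of a shell when someone tries to log in with the key.
MSG='This account can only be used for port forwarding'

# Constructed sample public key (not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0nstructedThrowawayKeyNotRealxxxxxxxxxxxx throwaway'

# make_restricted_line <source-ip> <public-key-line>
# Prints the authorized_keys line that only accepts the key from <source-ip>
# and grants no shell, no PTY, no agent forwarding and no X11 forwarding.
make_restricted_line() {
  q="'"
  printf 'from="%s",command="echo %s%s%s",no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$1" "$q" "$MSG" "$q" "$2"
}

# check_restricted_line <authorized_keys-line>
# Returns 0 if the line carries every restriction from step 2 and the from=
# pattern is not a wildcard; 1 otherwise (e.g. a bare key with no options).
check_restricted_line() {
  line=$1
  # The options field ends where the key type begins.
  case $line in
    *" ssh-"*)   opts=${line%% ssh-*} ;;
    *" ecdsa-"*) opts=${line%% ecdsa-*} ;;
    *" sk-"*)    opts=${line%% sk-*} ;;
    *)           return 1 ;;
  esac
  for req in 'from="' 'command="' no-agent-forwarding no-X11-forwarding no-pty; do
    case $opts in
      *"$req"*) ;;
      *) return 1 ;;
    esac
  done
  case $opts in
    *'from="*"'*) return 1 ;;   # from="*" restricts nothing
  esac
  return 0
}

# Demo: print the entry that would go into ~/.ssh/authorized_keys on the
# attacking machine, for a key presented from the pivot (10.10.10.5).
make_restricted_line 10.10.10.5 "$SAMPLE_KEY"
```

Run `check_restricted_line` over each line of the real `authorized_keys` before step 5; any line that fails is one the throwaway key could abuse. On OpenSSH 7.8 and newer, `permitlisten="1337"` can be added to the same entry so the key may only open a remote forward on that port.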

### Socks proxy (Dynamic port forwarding)

```
  local                             pivot              target
10.10.10.2                       10.10.10.5          172.16.0.10
                                 172.16.0.5
    │                                 │                   │
    │                                 │                   │
    │ssh -D 1337 [...]                │                   │
    ├────────────────────────────────►│                   │
    │                                 │                   │
    │proxychains nc 172.16.0.10 any   │                   │
    ├────────────────────────────────►│        any        │
    │                                 ├──────────────────►│
    │                                 │                   │
```

Set up a SOCKS proxy on the pivot that forwards any TCP port to any target reachable from the pivot.

```bash
ssh -D 1337 victim@10.10.10.5
```

proxychains.conf (see also below)

```
socks5 127.0.0.1 1337
```

Execute command (example)

```bash
proxychains nc 172.16.0.10 80
```

### Socks proxy (reverse)

```
  local                             pivot              target
10.10.10.2                       10.10.10.5          172.16.0.10
                                 172.16.0.5
    │                                 │                   │
    │                                 │                   │
    │                ssh -R 1337 [...]│                   │
    │◄────────────────────────────────┤                   │
    │                                 │                   │
    │proxychains nc 172.16.0.10 any   │                   │
    ├────────────────────────────────►│        any        │
    │                                 ├──────────────────►│
    │                                 │                   │
```

Set up a reverse SOCKS proxy from the pivot with the same throwaway key as above: `-R` with only a port and no destination is reverse dynamic forwarding, so `local` gets a SOCKS listener on 1337 and the pivot's ssh client makes the outbound connections (this needs an OpenSSH 7.6 or newer client on the pivot). Then use the same `proxychains.conf` entry and `proxychains` command as in the forward case.

```bash
ssh -R 1337 me@10.10.10.2 -i throwaway-key
```

## Chisel

> A fast TCP/UDP tunnel over HTTP\
> [GitHub - jpillora/chisel](https://github.com/jpillora/chisel)

### Port forwarding

```
┌────────┐                   ┌────────┐   ┌────────┐
│ local  │                   │ pivot  │   │ target │
│        │                   │        │   │        │
│  9000 ◄┼──chisel───────────┼► 9000  │   │        │
│        │                   │        │   │        │
│  9001 ─┼──port-forwarding──┼────────┼───┼► 80    │
│        │                   │        │   │        │
└────────┘                   └────────┘   └────────┘
```

```
  local                                        pivot              target
10.10.10.2                                  10.10.10.5          172.16.0.10
                                            172.16.0.5
    │                                            │                   │
    │                                            │                   │
    │./chisel server -p 9000 -reverse            │                   │
    ├──┐                                         │                   │
    │  │                                         │                   │
    │◄─┘                                         │                   │
    │                                            │                   │
    │       ./chisel client 10.10.10.2:9000 [...]│                   │
    │◄───────────────────────────────────────────┤                   │
    │                                            │                   │
    │nc 172.16.0.10 9001                         │                   │
    ├───────────────────────────────────────────►│        80         │
    │                                            ├──────────────────►│
    │                                            │                   │
```

Start server (local)

```bash
./chisel server -p 9000 -reverse
```

Start client (pivot)

```bash
./chisel client 10.10.10.2:9000 R:127.0.0.1:9001:172.16.0.10:80
```

Execute command (example)

```bash
nc 172.16.0.10 9001
```

### SOCKS proxy

```
┌────────┐                   ┌────────┐   ┌────────┐
│ local  │                   │ pivot  │   │ target │
│        │                   │        │   │        │
│  9000 ◄┼──chisel───────────┼► 9000  │   │        │
│        │                   │        │   │        │
│  1080 ─┼──SOCKS─proxy──────┼────────┼───┼► any   │
│        │                   │        │   │        │
└────────┘                   └────────┘   └────────┘
```

```
  local                                        pivot              target
10.10.10.2                                  10.10.10.5          172.16.0.10
                                            172.16.0.5
    │                                            │                   │
    │                                            │                   │
    │./chisel server -p 9000 -reverse            │                   │
    ├──┐                                         │                   │
    │  │                                         │                   │
    │◄─┘                                         │                   │
    │                                            │                   │
    │     ./chisel client 10.10.10.2:9000 R:socks│                   │
    │◄───────────────────────────────────────────┤                   │
    │                                            │                   │
    │proxychains nc 172.16.0.10 any              │                   │
    ├───────────────────────────────────────────►│        any        │
    │                                            ├──────────────────►│
    │                                            │                   │
```

Start server (local)

```bash
./chisel server -p 9000 -reverse
```

Start client (pivot)

```bash
./chisel client 10.10.10.2:9000 R:socks
```

Note: with `R:socks` the SOCKS listener on the server side (`local`) defaults to port 1080; use `R:<socks-port>:socks` to pick another port.

Execute command (example)

```bash
proxychains nc 172.16.0.10 80
```

### Double pivot (via SOCKS proxies)

```
┌─subnet1───────────────────────────┐┌─subnet2───────────────────┐┌─subnet3───────────────┐
│                                   ││                           ││                       │
│  ┌─local──┐                   ┌─pivot1─┐                   ┌─pivot2─┐       ┌─target─┐  │
│  │        │                   │        │                   │        │       │        │  │
│  │  9000 ◄├──chisel───────────┤► 9000  │                   │        │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │        │                   │  9001 ◄├──chisel───────────┤► 9001  │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │  1080 ─┼──SOCKS─proxy──────┼────────┼─► any             │        │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │  1081 ─┼───────────────────┼────────┼──SOCKS─proxy──────┼────────┼─► any │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  └────────┘                   └────────┘                   └────────┘       └────────┘  │
│                                   ││                           ││                       │
└───────────────────────────────────┘└───────────────────────────┘└───────────────────────┘
```

```
┌─subnet1───────────────────────────────────────┐┌─subnet2───────────────────────────────────┐┌─subnet3───────────────┐

  local                                        pivot                                       pivot2              target
10.10.10.2                                  10.10.10.5                                   172.16.0.10         172.16.1.20
                                            172.16.0.5                                   172.16.1.10         
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │./chisel server -p 9000 -reverse            │                                            │                   │
    ├──┐                                         │                                            │                   │
    │  │                                         │                                            │                   │
    │◄─┘                                         │                                            │                   │
    │                                            │                                            │                   │
    │     ./chisel client 10.10.10.2:9000 R:socks│                                            │                   │
    │◄───────────────────────────────────────────┤                                            │                   │
    │                                            │                                            │                   │
    │                                            │./chisel server -p 9001 -reverse            │                   │
    │                                            ├──┐                                         │                   │
    │                                            │  │                                         │                   │
    │                                            │◄─┘                                         │                   │
    │                                            │                                            │                   │
    │                                            │     ./chisel client 172.16.0.5:9001 R:socks│                   │
    │                                            │◄───────────────────────────────────────────┤                   │
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │proxychains nc <target-ip> any              │                                            │                   │
    ├───────────────────────────────────────────►│        any                                 │                   │
    │                                            ├───────────────────────────────────────────►│        any        │
    │                                            │                                            ├──────────────────►│
    │                                            │                                            │                   │
```

Start server (local)

```bash
./chisel server -p 9000 -reverse
```

Start client (pivot1)

```bash
./chisel client 10.10.10.2:9000 R:socks
```

Start another server (pivot1)

```bash
./chisel server -p 9001 -reverse
```

Start another client (pivot2), telling pivot1's server to open its SOCKS listener on port 1081 so that the second `proxychains.conf` entry below (`127.0.0.1 1081`) has something to reach; with plain `R:socks` that listener would sit on 1080 instead

```bash
./chisel client 172.16.0.5:9001 R:1081:socks
```

Add a second proxy to `proxychains.conf`. With the default `strict_chain`, proxychains goes through the entries in order, so the second address is opened through the first proxy and therefore resolves on pivot1, not on `local` (more details on proxychains below).

```
socks5 127.0.0.1 1080
socks5 127.0.0.1 1081
```

Execute command (example)

```bash
proxychains nc 172.16.1.20 80
```

## Verify

Check that the tunnel's listener exists on the expected port; the `PID/Program name` column tells you which process (ssh, chisel, ...) owns it.

```bash
netstat -tulpn
```

E.g.

```
[...]
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      50883/ssh
tcp6       0      0 ::1:1337                :::*                    LISTEN      50883/ssh
[...]
```
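An added shell example, not from the cheat sheet, that runs the check above over the `netstat -tulpn` layout shown and flags tunnel listeners that are not bound to loopback. `ssh -L`/`-D` bind to 127.0.0.1 by default, but an explicit bind address of `0.0.0.0` (or `GatewayPorts yes`) and chisel's `R:socks` without a local host (the port-forwarding example above pins it with `R:127.0.0.1:9001:...`) listen on all interfaces, so anyone who can reach that machine can use the tunnel. The sample netstat lines, PIDs and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: parse netstat -tulpn output and
# report tunnel listeners reachable from outside the host.
# Constructed sample in the netstat layout shown above (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      50883/ssh
tcp6       0      0 ::1:1337                :::*                    LISTEN      50883/ssh
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      51002/chisel
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd'

# listeners_for <program>
# Reads netstat output on stdin, prints the local address:port of every
# LISTEN socket owned by exactly <program> (so "ssh" does not match "sshd").
listeners_for() {
  awk -v prog="$1" '$6 == "LISTEN" && $7 ~ ("/" prog "$") { print $4 }'
}

# exposed_listeners
# Reads netstat output on stdin, prints "address:port pid/program" for every
# LISTEN socket whose address is not loopback (127.0.0.1 or ::1).
exposed_listeners() {
  awk '$6 == "LISTEN" {
         addr = $4
         sub(/:[0-9]+$/, "", addr)          # strip the port, keep the address
         if (addr != "127.0.0.1" && addr != "::1") print $4 " " $7
       }'
}

# Demo: which listeners in the sample would be usable by other hosts?
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On a live system replace the sample with `netstat -tulpn | exposed_listeners`; the awk field numbers assume the netstat layout, so `ss -tulpn`, whose columns differ, needs the indices adjusted.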

## proxychains

> A tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy.\
> [GitHub - haad/proxychains: proxychains](https://github.com/haad/proxychains)

### Config file

Proxychains looks for configuration in the following order:

1. `PROXYCHAINS_CONF_FILE` environment variable
2. `-f proxychains.conf`
3. `./proxychains.conf`
4. `~/.proxychains/proxychains.conf`
5. `/etc/proxychains.conf`

The minimal `[ProxyList]` entry, pointing at the local SOCKS listener (chisel's default port 1080; with `ssh -D 1337` use 1337):

```
socks5 127.0.0.1 1080
```

Run command via proxychains

```bash
proxychains <cmd>
```

## Burp Suite

To use Burp Suite in this setup, configure the SOCKS proxy there.

`Project options` or `User options` → `SOCKS Proxy` → `☑️ Use SOCKS Proxy`

* `SOCKS proxy host:` `127.0.0.1`
* `SOCKS proxy port:` `1080`

⚠️ Keep your browser pointing to Burp Suite's proxy as usual! ⚠️

## Foxy Proxy

See [Firefox extensions](/the-pentesters-cheat-sheet/misc/firefox-extensions.md)

