Pivoting
My thanks to Muirlandoracle, creator of the Wreath lab, which lets beginners easily practice all the methods shown below.
Pivoting is the practice of routing traffic through a previously compromised host in order to reach subnets our attacker machine has no direct access to (see the mspaint masterpiece below for a visual representation). It can be done in multiple ways, and as I learn them I will keep updating this page.

I will be using the above nomenclature (Attacker, Host 1, and Host 2) as placeholders in the commands of this section: Attacker is our own machine, Host 1 the compromised host we pivot through, and Host 2 a machine on the subnet that only Host 1 can reach.
SSH Local Port Forwarding
Maps a port on our attacker machine's loopback (127.0.0.1) to a port on Host 2, with the traffic tunnelled through Host 1 over ssh. The -L argument is [bind address:]local port:destination:destination port and must come before the [user]@[Host 1] target; add -N if you only want the tunnel and no remote shell.
ssh -L 127.0.0.1:[Attacker port]:[Host 2]:[Host 2 port] [user]@[Host 1]
It is however pretty restrictive, since it forwards exactly one local port to one destination port; every extra service needs another -L.
SSH Dynamic Port Forwarding
Opens a port on our attacker machine that behaves as a SOCKS proxy: each connection made through it is carried over the ssh session and leaves from Host 1, which gives us access to the second subnet without having to know the destination ports in advance. Note that the proxy port lives on our side, not on Host 1.
ssh -D 127.0.0.1:[Attacker port] [user]@[Host 1]
Sshuttle
A "poor man's VPN" over ssh: it routes the given subnet through Host 1 transparently, automatically creating the necessary iptables rules on our own machine, so ordinary tools work without proxychains. It needs python on Host 1.
sshuttle -r [user]@[Host 1] [Host 2 subnet]/CIDR
Metasploit's proxy_socks (assumes an existing meterpreter shell)
This assumes an existing meterpreter session and a Metasploit route to the inner subnet through it (route add [Host 2 subnet]/CIDR [session id], or post/multi/manage/autoroute); the proxy below only pivots traffic that matches a Metasploit route, everything else leaves from our own machine. First off, launch Metasploit's SOCKS proxy server from msfconsole:
msf6 > use auxiliary/server/socks_proxy
Adapt the options (SRVHOST, SRVPORT and VERSION) at your convenience if need be. In my case, I chose to use port 1081 and a SOCKS4a proxy (set SRVPORT 1081, set VERSION 4a). Then run it; run -j keeps it as a background job so the console stays usable.

Then edit the proxychains settings in /etc/proxychains.conf accordingly (in my case, a socks4a entry pointing at 127.0.0.1 and port 1081 in the [ProxyList] section).

Always keep in mind that some tools don't work properly (or at all) through a SOCKS proxy, which only carries TCP connections. As an example, nmap is notoriously finicky when used via proxy; you want to add -Pn (skip host discovery, which relies on ICMP and raw packets that never enter the proxy) and -sT (full TCP connect scan, since the default SYN scan needs raw sockets and UDP scans simply don't work through SOCKS).
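The reason nmap misbehaves is that proxychains can only redirect connect() calls into the SOCKS tunnel; raw packets and ICMP never enter it. The shell helper below, an added example rather than anything from the Wreath lab or the original page, checks an intended nmap command line against that constraint before handing it to proxychains: it refuses scan types that need raw sockets and adds -Pn and -sT when they are missing. The names proxied_nmap_args and proxied_nmap are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for nmap run through proxychains (hypothetical helpers,
# not part of the original page). A SOCKS proxy carries TCP connect() streams only, so any
# scan that needs raw packets or ICMP can never traverse it.

# Print a normalised nmap argument list, adding -Pn and -sT when they are missing.
# Returns 1 (with a message on stderr) for scan types that cannot be proxied.
proxied_nmap_args() (
    has_sT=0; has_Pn=0; rest=""
    for arg in "$@"; do
        case "$arg" in
            # raw-socket scans: SYN, UDP, ACK, Window, Maimon, Null, FIN, Xmas, IP protocol
            -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sO)
                echo "refusing $arg: raw-socket scan, cannot pass through a SOCKS proxy" >&2
                return 1 ;;
            # OS detection, traceroute and -A (which enables both) also need raw packets / ICMP
            -O|--traceroute|-A)
                echo "refusing $arg: needs raw packets or ICMP" >&2
                return 1 ;;
            -sT) has_sT=1 ;;
            -Pn) has_Pn=1 ;;
        esac
        rest="$rest $arg"
    done
    prefix=""
    [ "$has_Pn" -eq 1 ] || prefix="$prefix -Pn"   # no ICMP/ARP host discovery through the tunnel
    [ "$has_sT" -eq 1 ] || prefix="$prefix -sT"   # connect() scan instead of the default SYN scan
    args="$prefix$rest"
    printf '%s\n' "${args# }"
)

# Run nmap through proxychains with the checked arguments. The arguments are re-split on
# whitespace, so pass port lists as -p 80,443 rather than as quoted strings containing spaces.
proxied_nmap() {
    args=$(proxied_nmap_args "$@") || return 1
    # shellcheck disable=SC2086
    proxychains nmap $args
}
```

proxied_nmap_args only reorders nothing and drops nothing: it prepends the missing flags and leaves the rest of the command line as typed, so a rejected scan type is reported instead of silently producing an empty or misleading result behind the proxy.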
socat
Port Forwarding
To be executed on the compromised host (192.168.1.2); it forwards anything that arrives on the chosen port (33006) of this machine to port 3306 on the target machine (172.16.1.2). fork spawns a child process per connection so several clients can use the forward at once, and reuseaddr lets the port be rebound straight away if the relay is restarted.
./socat tcp-l:33006,fork,reuseaddr tcp:172.16.1.2:3306 &
Quiet port forwarding
The previous method opens a listening port on the compromised server, which could be spotted by anyone checking on it (a quick look at ss -ltn or netstat would show it). It therefore pays to know a slightly quieter way of port forwarding with socat, one that does not require opening any port externally on the compromised server: the relay only ever makes outbound connections.
From our attacking machine (192.168.1.1):
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
This opens ports 8000 and 8001 on our own machine; whatever goes into one comes out of the other. fork and reuseaddr are there so that more than one connection can use this forward.
From our compromised relay server (192.168.1.2):
socat tcp:192.168.1.1:8001 tcp:172.16.1.2:80,fork &
This links port 8000 on our attacking machine to the open port of our final target (80 in this case); to reach the target service we point our tools at localhost:8000.
Thus, this method achieves much the same as the previous port forward, but without opening any port on our relay server, which only shows an outbound connection to our attacking machine. Should we need to close the various socat relays, we can use the jobs command (jobs -l also lists the PIDs), grab the PID of the relevant relay, and kill it.
Chisel
The chisel binary (which, like socat, is a single statically linked executable that can be copied onto a target system) has two main modes: client and server.
SOCKS proxies
Reverse SOCKS proxy
A reverse SOCKS proxy connects back from a compromised machine to a listener waiting on our attacking machine, so the compromised host only needs to be allowed outbound connections.
From our attacking machine (192.168.1.1)
chisel server -p 6666 --reverse &
This simply sets up a chisel listener on port 6666 that accepts reverse tunnels; without --reverse the server refuses the client's R: remote.
From our compromised machine (192.168.1.2)
chisel client 192.168.1.1:6666 R:socks &
This connects back to our previously deployed listener. Please note that the actual proxy is opened on our attacking machine, on localhost:1080 (chisel's default); a different port can be chosen with R:[port]:socks.
Forward SOCKS proxy
A forward SOCKS proxy is pretty self-explanatory, but used less than its reverse counterpart, as firewalls are more stringent with inbound than with outbound traffic, and it needs the compromised machine to expose a listening port (6666 below).
From our compromised machine (192.168.1.2)
chisel server -p 6666 --socks5
From our attacker machine (192.168.1.1)
chisel client 192.168.1.2:6666 1337:socks
Important note regarding proxychains
Remember that when using proxies, tools without native SOCKS support have to be run through proxychains. In the case of the REVERSE SOCKS proxy above (R:socks), the proxychains conf file, which can be created from scratch in our current directory (proxychains looks for ./proxychains.conf before /etc/proxychains.conf), would look like this. Port 1080 is chisel's default SOCKS port whenever R:socks is given without one; the 6666 we passed to chisel is only the control channel and never goes in this file:
[ProxyList]
#add proxy here ...
#meanwhile
#defaults set to "tor"
socks5 127.0.0.1 1080
If we were using the FORWARD SOCKS proxy above (1337:socks):
[ProxyList]
#add proxy here ...
#meanwhile
#defaults set to "tor"
socks5 127.0.0.1 1337
Chisel always uses SOCKS5 proxies, hence the socks5 at the beginning of the line; the Metasploit proxy configured earlier would instead need a socks4a line with its SRVPORT (1081).