
Author Topic: Pivoting And Forwarding  (Read 3189 times)

Offline Grey-Matter

Pivoting And Forwarding
« on: January 08, 2017, 11:14:55 PM »
Pivoting And Port Forwarding

Forwarding and pivoting can be a confusing topic. I still get headaches sometimes trying to keep track of what I did to get to this port, and how I'm gonna get a reverse shell back to that subnet and whatnot. This is just a quick writeup attempting to show the differences in the main types of forwards and pivots, as well as what works for me.

For the purpose of this tut, I'm gonna set a few static IPs that I'll stick with till the end:

LHOST = 192.168.1.1
TARGET = 192.168.1.2
RHOST = 192.168.0.3

############# FORWARDiNG ###################

-f # Backgrounds ssh as well as its output
-N # Don't execute a remote command (shell), just forward the port. If you use this option, you won't be logging into an ssh session either.
-L # Local (Grab a port/service)
-R # Reverse/Remote (Send a port/service)
-D # Dynamic (Pivot)

-Local (-L)
This command will grab the webserver on port 80 of RHOST (which you can't access normally) and forward it to 8888 on localhost, using TARGET as a proxy.

$ ssh -f -N -L 8888:192.168.0.3:80 user@192.168.1.2

Now if we curl 127.0.0.1:8888 we get RHOST's webserver

-Reverse (-R)
This does the complete opposite of -L. Instead of grabbing a remote port and binding it to a local interface, it takes a local service/port and sends it to a remote host. Let's say you're testing a network with an XP box. You know it's vulnerable to MS08-067 but 445 and 139 are filtered or blocked by the firewall. You get a limited shell but you really can't do anything with it.

From the TARGET box
$ ssh -f -N -R 44544:127.0.0.1:445 user@192.168.1.1

This is going to open an ssh session from TARGET to our local Kali (or whatever distro) box and bring port 445 along for the ride. Now we can access its SMB service on 127.0.0.1:44544 and one-click pwn it with MS08.

############ PiVOTiNG #####################

-Dynamic (-D)
Dynamic takes an unused port and forwards it on an application level thru TARGET's ssh server. This means instead of grabbing or sending a server, we're basically turning TARGET into a network interface for US.

$ ssh -f -N -D 9999 user@192.168.1.2

This will create a socks proxy on 127.0.0.1:9999, forward it to TARGET's ssh server, and out the other side, giving us access to any additional resources and subnets that TARGET has access to. Now we can forward any program through the socks proxy with proxychains just like we're on the local network.

-Proxychains(-ng)
https://github.com/rofl0r/proxychains-ng.git

Proxychains is a quick way to send any command or program through a socks or http proxy. I personally like proxychains-ng/proxychains4 because it lets you specify your config file. Generally if I'm working on something, I create a project folder for it, so I'll just copy the config file into the folder and run it from there. Regular proxychains just uses /etc/proxychains.conf.

If you're using proxychains with a socks proxy like this, just open the config, comment out "dynamic_chain", uncomment "strict_chain", scroll to the bottom and edit or create a socks5 proxy so it looks like this:
------ SNIP ------
[ProxyList]
# add proxy here ...
# 9999 is the port we handed to ssh -D above
socks5    127.0.0.1    9999
------ SNIP ------

Now I can $ proxychains4 -f proxychains.conf -q nikto -h 192.168.0.3 -p 8080
And it'll forward it through the tunnel to RHOST.
-f tells it to use THIS config file
-q means quiet. It redirects all the proxychains status messages, which can get way outta hand when you're running any kind of scan.

############### SSHPass & SSHuttle #####################

SSHPass # https://sourceforge.net/projects/sshpass/
is just a simple program that accepts your ssh password so you don't get prompted for it later. It's especially useful for creating bash aliases (IMO)

SSHuttle # https://github.com/apenwarr/sshuttle.git
works more like a VPN than a proxy. You tell it what machines and subnets you want to forward through the ssh tunnel, and anything you point at those machines will now be forwarded through the tunnel.

$ sshpass -pMYPASSWORD sshuttle -r user@192.168.1.2 192.168.0.0/24 10.0.0.0/24

This will take any future traffic I point at the 192.168.0.0/24 or 10.0.0.0/24 subnets and automatically forward it for me. No need for proxychains or anything else. I can just $ curl 192.168.0.3 like I was part of the local subnet.

sshpass -p # insert password
sshuttle -r # remote ssh server
(if you need a different ssh port, you enter it like user@192.168.1.2:2222)

############### NATIVE FORWARDING ######################

-Windows

$ netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.1.1.24

This will set Windows to listen on 8080 and redirect all traffic to 10.1.1.24 on 3389. You need admin privileges on the Windows box to do this, and you can also use v6tov4 and v4tov6.

-Linux

On Victim
$ mknod backpipe p
$ nc -l -p 8080 0<backpipe | nc 10.1.1.24 3389 | tee backpipe

This will do the same: it creates a listener on port 8080 and forwards all incoming traffic to 10.1.1.24 on port 3389 (RDP).

############# METASPLOIT ######################

So there's a couple different ways to go about this depending on whether you created your tunnel inside Metasploit or not.

If you made it with standard ssh or sshuttle...
Most exploits and a lot of the scanners inside Metasploit offer "Proxies" as an option. Sometimes you gotta "show advanced" to see it. If I had a dynamic forward set up, I would
$ set proxies socks5:127.0.0.1:9999
$ set ReverseAllowProxy True
^^^^ Reverse shells won't connect back through a proxy; this attempts to give them directions back home to connect to your IP address.

Another way would be to skip the proxy, forward the remote port that you need to your local port 8888 with -L, and

$ set RHOST 127.0.0.1
$ set RPORT 8888

Another way would be to just proxychains the msfconsole.

Or you can just use sshuttle, this forwards everything including metasploit.

<><><><><>

On the flipside, Metasploit is also great at creating tunnels.

If instead of ssh creds you have a meterpreter shell, this option's perfect.
If your meterpreter session is Session 1, for instance, inside Metasploit do

$ route add 192.168.0.0 255.255.255.0 1

that will forward all metasploit traffic pointed at 192.168.0.0/24 through Session 1.

You can also make this happen automatically by loading the auto_add_route plugin ($ load auto_add_route)
This will automatically check the subnets in your new meterpreter shells and forward traffic through them if you can't already reach those subnets.

Meterpreter also offers portfwd as an option inside the shell. The syntax is pretty much the same as with SSH.

And if you need to access your metasploit pivots/forwards outside of metasploit.....

$ use auxiliary/server/socks4a
$ set srvhost 127.0.0.1
$ set srvport 1080
$ run

This will create a socks4 proxy on 127.0.0.1:1080 outside of Metasploit that uses the routes and forwards that you configured inside it. Just use proxychains like before.



Anyway, that's all I got. Hope this is helpful to someone.
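The ssh -D socks proxy, what proxychains does to each connection it hooks, and the nc backpipe forward are the same few moving parts, so here is an added example (my code, not Grey-Matter's, and not the code that ssh or proxychains actually ship) that puts them in one runnable script: a SOCKS5 CONNECT server of the kind `ssh -D` hands you on the local side, the client half of the SOCKS5 handshake that proxychains performs, and a plain TCP forward that does what the netsh portproxy and nc backpipe lines do but keeps serving after the first client hangs up. Everything binds to 127.0.0.1 on purpose, the echo service standing in for RHOST is constructed for the demo, and it needs Python 3.8+ for socket.create_server.

```python
import contextlib
import socket
import threading

def pipe(a, b):
    """Wire two sockets together both ways: the nc | nc | tee backpipe trick, inside one process."""
    def relay(src, dst):  # copy until EOF, then half-close dst so the far side sees EOF too
        with contextlib.suppress(OSError):
            for data in iter(lambda: src.recv(4096), b""):
                dst.sendall(data)
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)
    threading.Thread(target=relay, args=(a, b), daemon=True).start()
    threading.Thread(target=relay, args=(b, a), daemon=True).start()

def serve(listen_port, handler):
    """Accept loop on 127.0.0.1:listen_port (0 = any free port), one thread per client; returns the bound port."""
    srv = socket.create_server(("127.0.0.1", listen_port))  # loopback on purpose: 0.0.0.0 would hand the pivot to the whole LAN
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_forwarder(listen_port, target_host, target_port):
    """Plain TCP forward (what netsh portproxy and the nc backpipe do), except it survives more than one client."""
    def handle(client):
        try:  # blocking connect: a slow target only stalls its own thread, a refused one gets the client dropped
            pipe(client, socket.create_connection((target_host, target_port)))
        except OSError:
            client.close()
    return serve(listen_port, handle)

def recv_exact(sock, n):
    """SOCKS fields are fixed-size, so a short read is an error, not a partial message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read")
        buf += chunk
    return buf

def start_socks5(listen_port):
    """Minimal SOCKS5 server (RFC 1928 subset: no auth, CONNECT, IPv4 or hostname targets), i.e. what ssh -D gives you."""
    reply = lambda rep: b"\x05" + rep + b"\x00\x01" + b"\x00" * 6  # VER REP RSV ATYP=1 BND.ADDR=0.0.0.0 BND.PORT=0
    def handle(client):
        try:
            ver, nmethods = recv_exact(client, 2)
            if ver != 5 or 0 not in recv_exact(client, nmethods):
                client.sendall(b"\x05\xff")  # no acceptable auth method
                return client.close()
            client.sendall(b"\x05\x00")  # chose method 0: no authentication
            _ver, cmd, _rsv, atyp = recv_exact(client, 4)
            if cmd != 1 or atyp not in (1, 3):  # only CONNECT to IPv4 or a hostname: no BIND, UDP ASSOCIATE, IPv6
                client.sendall(reply(b"\x07" if cmd != 1 else b"\x08"))  # command / address type not supported
                return client.close()
            if atyp == 1:
                host = socket.inet_ntoa(recv_exact(client, 4))
            else:  # hostname, resolved here on the proxy side (what proxychains' proxy_dns relies on)
                host = recv_exact(client, recv_exact(client, 1)[0]).decode()
            port = int.from_bytes(recv_exact(client, 2), "big")
            try:
                upstream = socket.create_connection((host, port))
            except OSError:
                client.sendall(reply(b"\x05"))  # connection refused; proxychains prints this as <--denied
                return client.close()
            client.sendall(reply(b"\x00"))  # REP 0: succeeded; from here on it is a raw relay
            pipe(client, upstream)
        except OSError:
            client.close()
    return serve(listen_port, handle)

def socks5_connect(proxy_port, host, port):
    """Client half of the handshake: what proxychains does to every connect() it hooks."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(b"\x05\x01\x00")  # VER 5, one method offered: no auth
    if recv_exact(s, 2) == b"\x05\x00":  # proxy picked method 0
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode() + port.to_bytes(2, "big"))  # CONNECT, ATYP 3 so the proxy resolves the name
        if recv_exact(s, 10)[1] == 0:  # 10-byte reply because this server (and ssh -D) answer with ATYP 1; REP 0 = ok
            return s
    s.close()
    raise ConnectionError("SOCKS5 handshake failed")

def demo():  # reach a constructed stand-in for RHOST's service (an echo server) through a plain forward and through SOCKS5
    def echo(client):
        with client:
            for data in iter(lambda: client.recv(4096), b""):
                client.sendall(data)
    rhost_port = serve(0, echo)
    fwd_port = start_forwarder(0, "127.0.0.1", rhost_port)
    socks_port = start_socks5(0)
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as s:
        s.sendall(b"via port forward")
        via_forward = recv_exact(s, 16)
    with socks5_connect(socks_port, "127.0.0.1", rhost_port) as s:
        s.sendall(b"via socks5")
        via_socks = recv_exact(s, 10)
    return via_forward, via_socks
```

Call `start_socks5(1080)` in a Python shell and a `socks5 127.0.0.1 1080` line in the ProxyList is enough to point proxychains4 at it, which is a handy way to watch the handshake bytes before you debug a real ssh -D tunnel; `start_forwarder(8080, "10.1.1.24", 3389)` is the in-process version of the netsh and nc lines above. The failure replies matter in practice: a proxy that just closes the socket makes proxychains time out, while REP 5 shows up immediately as a denied connect.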

Offline H4v0K

Re: Pivoting And Forwarding
« Reply #1 on: January 09, 2017, 04:42:07 AM »
Very nice +1 Sir

Offline Amonsec

Re: Pivoting And Forwarding
« Reply #2 on: January 09, 2017, 05:57:35 AM »
Holy moly! Awesome work dude. +1
"A computer is only as good as its user" - R4V3N
OSCP (2017)

Offline Grey-Matter

Re: Pivoting And Forwarding
« Reply #3 on: January 09, 2017, 06:17:17 AM »
Thanx guys.  Glad you like it :)

Offline GalaxyNinja

Re: Pivoting And Forwarding
« Reply #4 on: January 13, 2017, 03:30:06 AM »
Awesome Tutorial Grey-Matter! +5 (because I can)  ;) :)
A computer is only as strong as its user! -R4v3n

Offline ch3rn0byl

Re: Pivoting And Forwarding
« Reply #5 on: January 14, 2017, 08:13:22 AM »
I logged in only to say fuck yea man. Nicely done!!
The quieter you become, the more you are unlikely to sound stupid.

Offline TAPE

Re: Pivoting And Forwarding
« Reply #6 on: February 01, 2017, 03:29:03 PM »
Grey, this is an awesome post.


However....

Now you have shown your capabilities in the awesome posting section... POST MOAR! :D

Nice job man, awesome post and great information for us learning the ways of teh pivot..
« Last Edit: February 01, 2017, 05:57:06 PM by Gingerbread Man »
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik

Offline w33nd0x

Re: Pivoting And Forwarding
« Reply #7 on: February 02, 2017, 07:14:33 PM »
Awesome post there sir!