2.5.1 Pivoting Guidelines
What is Pivoting?
Imagine an attacker gains access to one system in a network, like a thief entering a house through an unlocked window. This initial foothold allows them to "pivot" within the network, using the compromised system as a stepping stone.
By exploiting weaknesses and leveraging shared resources, they can move laterally, bypassing security measures like firewalls, just like the thief using a hidden key to access other rooms. This allows them to reach and potentially control additional systems, gaining access to more valuable resources or information within the network. While malicious actors use this technique for harmful purposes, ethical hackers (pen-testers) also employ pivoting to assess network security vulnerabilities.
Network schema
Attacker Machine (Kali Linux)
10.10.10.4 (kali_nat1)
Target 1 (Ubuntu)
10.10.10.5 (t1_nat1)
20.20.20.7 (t1_nat2)
Target 2 (Ubuntu)
20.20.20.4 (t2_nat2)
30.30.30.5 (t2_nat3)
Target 3 (Ubuntu)
30.30.30.4 (t3_nat3)
For each targets we can create a simple index.html file, to differenciate each and host it on port 80 using python:
Reconnaissance
We talk about pivoting when, after having exploited a victim machine, we find another internal network inside it. Therefore it is necessary to know the context well in the ways illustrated below.
Hosts Discovery on internal network
Once we have found the internal hosts we can do 3 things:
Do an arp-scan on localnet
Create a bash script to find open ports of the new IP
Upload a portable nmap binary
ARP-Scan
Execute an arp-scan for host discovering in localnet:
Host and Port Discovery using scripts
Host Discovery
Linux
for i in $(seq 254)
-> do cicle 254 times, using i as cycle iterator
ping 10.0.2.${i} -c1 W1 &
-> do ping request at current IP (based on iterator value) sending only 1 packet (-c1), with 1 sec of timeout(-W1), all in background (&).
do
anddone
-> delimiter the beginning and the ending of code block for which iteration
| grep from
-> filter output of last commands displaying only output that contains answers received at ping request
We can use this similar solution:
Windows
Open Ports Discovery
Linux
Windows
Host and Port Discovery using Nmap binary
Simulating that we've access to first victim machine using SSH protocol, we need to download a portable scanning program (as nmap) on our attacker machine (kali) and transfer it on victim machine via SSH.
Go to this github repo, that contains more useful static binary resources (nmap, python, socat, netcat, etc) and copy following URL:
https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap
download it on our attacker machine (Kali), assign exe privilege:
and copy binary to victim machina via SSH:
or using hosting it on a python web server and downloading it on victim machine:
Now, we've transferred nmap on victim/pivot machine and we can run it there:
Pivoting phase
Now, we've scanning tool (bash script or nmap) to discover network and other subnets of victim/pivot machine, but we can't do a simple ping or scan to IP regarding external subnets from our attacker machine (kali).
To give a link between attacker machine and external iPs we need to using pivoting techniques.
Tools for Pivoting
Metasploit (auxiliary/server/socks_proxy)
Logolo-ng
Netsh
Chisel
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
We are going to use Chisel to help us reach Target machine from our Attacker machine.
We also need to install proxychains, if it is not already installed on our Attacker machine, by running the following command.
Access to Target X (we'll do it for target 1, 2 and 3):
In our case we're accessing through machines via SSH and using following credentials: ubuntu:ubuntu
Now, we've Chisel on our Kali attacker machine (server), and we need to transfer it to victim machine target1 (client) for establish a connection.
Do it using a Python HTTP Server on port 80, on our attacker machine and download it on attacker machine:
or transferring using SSH via:
or transferring using Curl:
Finally, we can establish connection between attacker (Kali) and victim using chisel (Target 1):
Attacker Machine / Server
Solution 1 (i suggest it)
Solution 2
PORT = port for the Chisel traffic
socks5 = to setup a SOCKS5 proxy
reverse = to tell Chisel to wait for a connection from a client
Victim Machine / Client
Solution 1(i suggest it)
Via socks5 bring us all ports:
Solution 2
Bringing only one port which would be like this:
Solution 3
IP = The IP address of your Chisel server
PORT = The port you set on your Chisel sever
R:socks = enables the reverse SOCKS proxy
The connection will have been opened on the local port of our machine through 1080.
Rename terminal tabs is a best practies to facilitate understanding!
Setting Proxychains
First, check that you have proxychains↗ installed. It comes preinstalled in Kali Linux or Parrot. With root privileges edit the file /etc/proxychains4.conf
. At the bottom, you should add the following line:
Now we can talk directly with attacker machine and do a scan preceding proxychains -q
before every command. The -q
is for quiet mode since most attackers won’t need verbose proxy traffic.
The traffic flows into port 1080 on your machine and out on your jump host, which has established a connection back to your listener on the port you specified when executing chisel server
.
Setting Proxy (browser use)
If we want to set proxy to see webpage using browser, we need to configure a proxy.
Foxy Proxy
We can use an extension for browser such as Foxy Proxy.
Install version for dedicated browser (Firefox, Chrome, etc)
Add Proxy -> Proxy Type: SOCKS5, Proxy IP address: 127.0.0.1, Port: <Listening_Attacker_Port> and save
Turn on FoxyProxy an go on website directly using IP pivot machine.
Use of proxychains
Checking network interface (ip a
) on target 1, we can discover an host with <t2_nat2> IP and reach out it only using proxychains before commands:
Without use of proxychains (on terminal) and proxy (on browser) we can't reach out victim machine!
Now using Kali attacker machine we can see hosts on second network interface 20.20.20.0/24
(present on target 1 and 2).
and we can see that's third network interface 30.30.30.0/24 (target 3 -> <t2_nat3>.
Socat
Good, but the matter is that Kali attacker machine isn't reachable by target2:
Bad situation in a PT, where we need to spawn a reverse shell. To solve this problem a tool called Socat
comes in handy.
We are going to use Socat to help us reach Attacker machine from our Target/Victim machine and spawn a shell.
Now, we've a reverse connection, and if we listening on Kali machine using on port 111 and we spawn a reverse shell on target 2 (using Target 2's IP of 2nd net interface in common between target 1 and 2), we obtain a target 2 session on Kali machine.
All right! We stop listening on the Kali and to reach the third machine, we've to do the same procedure.
_______________________________________
We need Chisel and Socat on target 2, then we transfer it as always, but using target 1 machine and not Kali.
Then, we need to open a new tunnel connection on Kali machine, therefore we execute a 2nd session of target 1 on a different port of socks5.
Setting proxychains
With root privileges edit the file /etc/proxychains4.conf
. At the bottom, you should add the following line:
If we'll give an error during next connections, we need to insert line to the top line of the previous request (as photo) or if "dynamic_chain" option is commented out and strict_chain" option is uncommented.
Execute socat on target 1 using a different port on listening and attacker machine IP and Port:
while we execute chisel on target 2 (using Target 1's IP of 2nd net interface in common between target 1 and 2, in addition we specify proxychains socks port: with R:5555:socks):
well done, we obtained a new session tunnel on Kali:
Now, we've visibility with the target 3.
of course, to see webpage via browser we need to reconfigure proxy settings or foxy proxy.
Very good, we can access to target 3 using: proxychains ssh ubuntu@
<t3_nat3>
But we've always the same problem, we can't reach out kali from target 3 and spawn a rev shell.
We can solve it establish a new session of socat on target 2, which will establish a connection starting from machine 2, passing through 1, until arriving at kali.
Reverse Shell
We create a bash reverse shell using target 2 IP machine (on the same subnet of target 3), and listening on kali machine using netcat:
Great, we're in target 3 machine!
In addition, we can use this tool to create a powershell reverse shell for Windows machine to communicate back to attacker machine (kali).
it generates a reverse shell payload on execute on windows victim machine using powershell.
It permits us to obtain a reverse shell connection with windows victim machine on our attacker kali machine.
Metasploit
Pivoting
Port Forwarding
_________________________________
Metasploit
Port forward with metasploit
We can also forward ports using metasploit. Say that the compromised machine is running services that are only accessible from within the network, from within that machine. To access that port we can do this in meterpreter:
Now we can access this port on our machine locally like this.
Ping-sweep the network
First we want to scan the network to see what devices we can target. In this example we already have a meterpreter shell on a windows machine with SYSTEM-privileges.
This command will output all the devices on the netowork.
Scan each host
Now that we have a list of all available machines. We want to portscan them.
We will to that portscan through metasploit. Using this module:
If we run that module now it will only scan machines in the network we are already on. So first we need to connect us into the second network.
On the already pwn machine we do
Now we add the second network as a new route in metasploit. First we background our session, and then do this:
Now we can run our portscanning module:
Attack a specific port
In order to attack a specific port we need to forwards it like this
Chisel
socks
Port forwarding
Socat
Bind shell
Reverse shell
Port2Port
Port2Port through socks
Netsh
Netsh is a built-in Windows CLI binary which amongst other things can be used to port forward. This example will listen on 10.55.1.21 interface on port 5446 and will forward requests hitting 5446 off to 10.55.1.20 port 5985.
You can also use netsh to open ports on the firewall, which you may need to do when you smash open one of these ports.
Other resources
It's more suggested do Wreath THM Room and follow this article
Last updated