Pivoting
What You Will Learn
- What pivoting is and why it’s needed during penetration tests
- The difference between port forwarding and tunneling/proxying
- How to enumerate a network from a compromised machine
- How to use SSH and Socat for port forwarding
- How to transfer files to and from a compromised host
During a penetration test, the machine you compromise is often connected to a network you cannot reach from the outside, with other hosts on it. Pivoting is using that foothold to extend your reach to those hosts, either to compromise them or to reach services you cannot access directly. A company may run a private internal network that is unreachable from the internet; compromising a machine that sits on both networks (for example, a web server with a second, internal interface) lets you route traffic to the internal services through it.
Ports
https://cybernews.com/what-is-vpn/port-forwarding/
Port Forwarding
In a pivoting context, port forwarding maps a single port on a host you control (your attacking machine or the compromised host) to one service on the internal network: anything sent to that port is relayed to a fixed internal IP and port. Tunneling/proxying instead carries arbitrary traffic: a SOCKS proxy running over the compromised host can reach any internal host and port your tools ask for, so you do not need a separate forward for every service.
Two Types
- Tunneling/Proxying: one proxy, many destinations (SSH -D with proxychains)
- Port Forwarding: one listener, one fixed destination (SSH -L, Socat)
Enumeration
Before forwarding anything, find out what the compromised host can see.
arp -a # ARP cache: hosts on the same subnet this machine has talked to recently (Linux and Windows)
cat /etc/hosts # locally configured hostname-to-IP mappings; often names internal servers
type C:\Windows\System32\drivers\etc\hosts # the same file on Windows
Check the DNS Servers
nmcli dev show # Linux: per-interface IP, gateway and DNS servers (IP4.DNS)
ipconfig /all # Windows: interfaces, gateways and DNS servers
Internal DNS servers and gateways are themselves candidate pivot targets and tell you which subnets exist.
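The enumeration output above is only useful once it is turned into a target list. The script below is an added example (not part of the original notes) that parses constructed `arp -a` and `/etc/hosts` samples from a dual-homed Linux host and keeps only RFC 1918 addresses, dropping `<incomplete>` ARP entries (the host never answered) and the public gateway on the outside interface. The hostnames and addresses in the samples are invented for the example.

```bash
#!/usr/bin/env bash
# Added example; not part of the original notes. Builds a first target list
# from the ARP cache and hosts file of a compromised Linux host. The samples
# below are constructed; on a live host pipe `arp -a` and `cat /etc/hosts`
# into extract_private_ips instead.

# Read text on stdin, print unique RFC 1918 IPv4 addresses, one per line.
# Drops "<incomplete>" ARP entries (no MAC learned, the host did not answer)
# and anything outside private ranges (public gateway IPs, loopback).
extract_private_ips() {
  grep -v '<incomplete>' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | grep -E '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
    | LC_ALL=C sort -u
}

# Constructed sample of `arp -a` on a dual-homed Linux web server.
ARP_SAMPLE='? (10.10.1.1) at 00:50:56:a1:b2:c3 [ether] on eth1
fileserver.corp.local (10.10.1.20) at 00:50:56:d4:e5:f6 [ether] on eth1
? (10.10.1.55) at <incomplete> on eth1
? (203.0.113.1) at 00:11:22:33:44:55 [ether] on eth0'

# Constructed sample of /etc/hosts on the same server.
HOSTS_SAMPLE='127.0.0.1 localhost
10.10.1.30 intranet.corp.local intranet
172.16.5.9 db01
::1 ip6-localhost'

# Combine both sources into one de-duplicated list of pivot candidates.
build_targets() {
  printf '%s\n' "$ARP_SAMPLE" "$HOSTS_SAMPLE" | extract_private_ips
}

build_targets
```

The list is a starting point, not a scan result: an address present in the ARP cache or hosts file may be down, and hosts the compromised machine has never talked to will not appear at all. Feed the list to the proxied nmap scan in the next section to confirm what is actually listening.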
SSH Tunneling/Proxying
Local Port Forwarding (-L)
ssh -L <port to open on attacker>:<internal IP>:<internal port> user@<compromised machine> -fN
This opens a listening port on your attacking machine; every connection to it is carried over the SSH session and delivered by the compromised machine to the internal IP and port. Point whatever client the service needs at localhost:<port>. -f backgrounds the session after authentication and -N tells SSH not to run a remote command, so the forward stays up without an interactive shell. You need valid SSH credentials or a key for the compromised machine, and outbound SSH from your box to it must be allowed.
Dynamic Port Forwarding (SOCKS Proxy)
ssh -D 1080 user@<compromised machine> -fN
This creates a SOCKS proxy on port 1080 of your attacking machine. Any connection sent to the proxy is opened by the compromised machine, so one session reaches every host and port it can see. Route tools through it using proxychains.
# Configure proxychains (Kali: /etc/proxychains4.conf; older builds: /etc/proxychains.conf)
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT -Pn -n <internal_IP>
The socks5 line must be the only active entry under [ProxyList]: the stock config ships with socks4 127.0.0.1 9050 (Tor), and in the default strict_chain mode a dead entry makes every connection fail, so comment it out. Only full TCP connections traverse a SOCKS proxy, which is why nmap needs -sT (connect scan) instead of the default SYN scan, -Pn because ICMP/ARP host discovery cannot go through the proxy, and -n so nmap does not do DNS lookups outside the tunnel (or enable proxy_dns in the config to route them through it). Proxied scans are slow; start with a short port list.
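Appending to the config with echo leaves the stock Tor entry active and adds a duplicate every time you re-run it. The script below is an added example (not from the original notes, and not part of proxychains itself) that edits a copy of the config: it comments out every existing entry under [ProxyList] and appends a single socks5 line for the SSH -D port, so it is safe to run repeatedly. The sample config it builds is constructed to resemble the tail of a default Kali proxychains4.conf; the functions `configure_proxychains` and `active_proxies` are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: point proxychains at the SSH
# SOCKS proxy without leaving the stock "socks4 127.0.0.1 9050" (Tor) entry
# active, which in strict_chain mode would make every connection fail.
# Works on whatever file you pass; on Kali the live file is
# /etc/proxychains4.conf (older builds: /etc/proxychains.conf).

# configure_proxychains <config file> <socks port>
# Comments out every existing proxy entry under [ProxyList], then appends a
# single socks5 entry for 127.0.0.1:<port>. Idempotent: running it twice
# leaves exactly one active entry.
configure_proxychains() {
  local conf=$1 port=$2 tmp
  tmp=$(mktemp)
  awk -v port="$port" '
    /^\[ProxyList\]/ { inlist = 1; print; next }
    inlist && /^[[:space:]]*(socks4|socks5|http|raw)[[:space:]]/ { print "# " $0; next }
    { print }
    END { print "socks5 127.0.0.1 " port }
  ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
  # cat-into-place keeps the original file's owner and mode (mv would not)
}

# Print the active (uncommented) proxy entries of a config, for checking.
active_proxies() {
  grep -E '^[[:space:]]*(socks4|socks5|http|raw)[[:space:]]' "$1"
}

# Constructed sample resembling the tail of a default Kali proxychains4.conf.
demo() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4  127.0.0.1 9050
EOF
  configure_proxychains "$f" 1080
  configure_proxychains "$f" 1080   # second run must not add a duplicate
  active_proxies "$f"
  rm -f "$f"
}

demo
```

Run `active_proxies /etc/proxychains4.conf` after editing the live file and expect a single `socks5 127.0.0.1 1080` line; also check that `proxy_dns` is present and uncommented so hostname lookups made by proxied tools go through the tunnel rather than to your own resolver.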
File Transfer
# Pull a directory recursively from the compromised host
scp -r user@remote_host:/path/to/remote/directory /path/to/local/destination
# Pull a single file
scp user@remote_host:/path/to/remote/file /path/to/local/destination
# Swap the two arguments (local path first, remote second) to push a file onto the host instead.
SOCAT
Socat needs no SSH session from your machine: it runs on the compromised host itself. The quick and easy way to set up a port forward is to open a listening port there and relay whatever arrives on it to the target server; you then connect to <compromised host>:8080 from your attacking machine as if it were the internal service.
# Relay traffic arriving on port 8080 of the compromised host to an internal target
socat TCP-LISTEN:8080,fork,reuseaddr TCP:<internal_IP>:<internal_port>
fork handles each incoming connection in a child process so the listener keeps serving after the first client disconnects; reuseaddr lets you restart the relay without waiting for the old socket to time out. The listener binds all interfaces by default and is reachable by anyone who can reach the compromised host, not just you, so kill the socat process when you are done.