OSCP notes dump: #PIVOT


Welcome to this blog post about pivoting! Pivoting is an essential skill that every professional penetration tester should master. It involves using compromised systems as a jumping-off point to access other systems on the network. In other words, it's a technique for moving laterally within a network to reach high-value targets.

Pivoting is particularly useful when you encounter a network with multiple layers of security controls. For example, if you manage to gain access to a low-level system on the network but cannot reach your intended target, you may be able to pivot through intermediate systems to reach your goal.

*NIX

port forwarding tool rinetd

# 1. Configure rinetd by editing the configuration file /etc/rinetd.conf. The file should contain a list of mappings that redirect traffic from a specific port on the compromised system to another port on a different system on the network. Each mapping should be on a separate line and should have the following format:

bindaddress bindport connectaddress connectport

# 2. For example, the following mapping redirects traffic from port 80 on the compromised system to port 8080 on a different system with IP address 192.168.1.100:

0.0.0.0 80 192.168.1.100 8080

# 3. Start rinetd by running the following command:

sudo service rinetd start
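To make the mapping format concrete, here is an added example (not from this post and not rinetd's own code) that parses rinetd-style `bindaddress bindport connectaddress connectport` lines and relays a TCP connection the same way rinetd does. The config, the loopback echo server standing in for the `connectaddress` host, and the ephemeral port 0 bind are constructed so that it runs offline.

```python
import socket
import threading

def parse_rinetd_mappings(text):
    """Parse 'bindaddress bindport connectaddress connectport' lines; comments and blanks are skipped."""
    rows = [raw.split("#", 1)[0].split() for raw in text.splitlines()]
    bad = [r for r in rows if r and len(r) != 4]
    if bad:
        raise ValueError(f"bad rinetd mapping(s): {bad!r}")
    return [(r[0], int(r[1]), r[2], int(r[3])) for r in rows if r]

def _pump(src, dst):
    # relay one direction until EOF, then pass the half-close on so the far side sees it too
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def serve_mapping(mapping, max_conns=1):
    """Listen where rinetd would and relay each client to connectaddress:connectport; returns the bound port."""
    baddr, bport, caddr, cport = mapping
    lsock = socket.create_server((baddr, bport))
    def accept_loop():
        for _ in range(max_conns):
            client, _ = lsock.accept()
            upstream = socket.create_connection((caddr, cport))  # the second hop, as rinetd makes it
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]

def _echo_server():
    # constructed stand-in for the inner-network host named by connectaddress
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        conn = srv.accept()[0]
        _pump(conn, conn)  # echo: whatever arrives is sent straight back
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def roundtrip_demo():
    # constructed config: ephemeral loopback bind (port 0) forwarded to the loopback echo server
    cfg = f"# constructed rinetd.conf\n127.0.0.1 0 127.0.0.1 {_echo_server()}\n"
    fwd_port = serve_mapping(parse_rinetd_mappings(cfg)[0])
    with socket.create_connection(("127.0.0.1", fwd_port)) as c:
        c.sendall(b"hello via pivot")
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

A real rinetd mapping such as `0.0.0.0 80 192.168.1.100 8080` parses to `("0.0.0.0", 80, "192.168.1.100", 8080)`; binding to 0.0.0.0 exposes the listener on every interface of the host, which is exactly why such entries are worth looking for in /etc/rinetd.conf during a host review.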

ssh local port forwarding

# initiated from the attacker's box. Listens on 0.0.0.0:445 (all local interfaces) and redirects that traffic through 10.11.0.128 to 192.168.1.110:445
kali@kali:~$ sudo ssh -N -L 0.0.0.0:445:192.168.1.110:445 student@10.11.0.128

ssh remote port forwarding

# used when inbound SSH traffic to the victim is not allowed.
# initiated from the victim's box: binds port tcp/2221 on the attacker's box and redirects connections from that port to 127.0.0.1:3306 on the victim
student@debian:~$ ssh -N -R 10.11.0.4:2221:127.0.0.1:3306 kali@10.11.0.4

ssh dynamic port forwarding

# sets up a SOCKS4 proxy to avoid creating a separate tunnel for each point-to-point connection. This allows communication with multiple hosts/ports through one session.
# note: through the SOCKS proxy Nmap only works with TCP connect scans (-sT)

kali@kali:~$ sudo ssh -N -D 127.0.0.1:8080 student@10.11.0.128

kali@kali:~$ cat /etc/proxychains.conf
...
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 8080

kali@kali:~$ sudo proxychains nmap --top-ports=20 -sT -Pn 192.168.1.1

Windows

plink.exe

# remote port forwarding technique using SSH
C:\Tools\port_redirection_and_tunneling> cmd.exe /c echo y | plink.exe -ssh -l kali -pw ilak -R 10.11.0.4:1234:127.0.0.1:3306 10.11.0.4

# netsh
# In this example, we use the netsh interface context to add an IPv4-to-IPv4 (v4tov4) proxy (portproxy) listening on 10.11.0.22 (listenaddress=10.11.0.22), port 4455 (listenport=4455) that forwards to the Windows 2016 Server (connectaddress=192.168.1.110) on port 445 (connectport=445):
C:\Windows\system32> netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110

# allow inbound traffic to the new listener through the Windows firewall
C:\Windows\system32> netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=10.11.0.22 localport=4455 action=allow