Tunneling and Pivoting through cyber ether
After a Red Teamer (RT) gets into a network via some vulnerability, the RT wants to reach every network that is accessible from the compromised host.
How far the lateral movement and expansion get depends on how well the RT understands the pivoting phase of the exploitation.
Let's Hack
Check the network config
#Windows
ipconfig /all
route print
#Linux
ifconfig
ifconfig -a
Port forwarding
If you forward traffic from port A to port B, it is called "Port forwarding".
From the diagram above, we see that the firewall blocks certain traffic. Suppose we want to reach port 21 on VM-1 but the firewall blocks it. Then we can use port 80 of VM-1, which the firewall allows, and forward that traffic to port 21.
vm-1/80 ——> vm-1/21
You can also forward VM-1's ports to VM-2's ports:
vm-1/80 ——> vm-2/22
# run on VM-1: accept on port 80 and relay each connection to VM-2's port 22 (vm-1/80 ——> vm-2/22)
socat -ddd TCP-LISTEN:80,fork TCP:<vm-2 IP>:22
# run on VM-1: relay port 80 to a port on VM-1 itself (for the FTP case above, use 127.0.0.1:21)
socat -ddd TCP-LISTEN:80,fork TCP:127.0.0.1:22
SSH Tunneling - Port forwarding with SSH
Why use SSH:
- To encrypt traffic that uses unencrypted protocols.
- To bypass firewall rules.
Types:
- Local port forwarding
- Remote port forwarding
- Dynamic port forwarding
Local port forwarding
ssh -L 8080:www.facebook.com:80 localhost
It tells SSH to listen on port 8080 on the local machine (localhost), and forward all the connections it receives on this port to www.facebook.com on port 80 through the SSH server.
Remote port forwarding
Use case:
Imagine that you have compromised VM-1 with a really crappy shell, and that machine has MySQL running, but it is only accessible from localhost.
Dynamic port forwarding
This can be used to dynamically forward all traffic through a specific p.
# Connect to the machine we want to pivot from; -D opens a SOCKS listener on local port 9050
ssh -D 9050 user@vm-1
# Edit the proxychains config so the [ProxyList] entry matches that listener (the default entry is socks4 127.0.0.1 9050)
nano /etc/proxychains.conf
# Connect through the proxy chain
proxychains nc vm-2 21
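On the server side, a few sshd_config options decide whether any of the tunnels above work at all. The following is an added example, not code from the original post, assuming the standard sshd_config keywords AllowTcpForwarding, GatewayPorts and PermitTunnel (defaults yes, no and no); it audits a config the way sshd actually reads it:

```shell
# Added example (not from the original post): audit sshd_config for the options
# behind the SSH tunnelling described above. Two caveats are built in: sshd keeps
# the FIRST value it meets for a keyword, so a hardened line appended at the end
# of the file loses to an earlier "yes"; and only the global section before the
# first "Match" block is inspected.

# effective_option FILE KEYWORD DEFAULT -> value sshd would use (first
# non-comment match before any Match block, keyword case-insensitive) or DEFAULT.
effective_option() {
    val=$(awk -v k="$2" '
        tolower($1) == "match"                  { exit }
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# forwarding_posture FILE -> one of:
#   open        -L/-D and -R all permitted (the sshd default)
#   local-only  -L/-D permitted, -R refused
#   remote-only -R permitted, -L/-D refused
#   restricted  TCP forwarding disabled entirely
forwarding_posture() {
    case $(effective_option "$1" AllowTcpForwarding yes) in
        no)     echo restricted ;;
        local)  echo local-only ;;
        remote) echo remote-only ;;
        *)      echo open ;;
    esac
}

# Two constructed sample configs (not from any real host).
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
allowtcpforwarding yes
GatewayPorts clientspecified
# "hardening" appended later: never applied, the earlier yes wins
AllowTcpForwarding no
EOF
cat > "$HARD" <<'EOF'
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
Match User backup
    AllowTcpForwarding local
EOF
echo "weak: $(forwarding_posture "$WEAK"), GatewayPorts=$(effective_option "$WEAK" GatewayPorts no)"
echo "hard: $(forwarding_posture "$HARD"), GatewayPorts=$(effective_option "$HARD" GatewayPorts no)"
```

Run it against a real /etc/ssh/sshd_config to see which of -L, -D and -R a server would accept; `sshd -T` prints the same effective values, Match blocks included.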
*I am a noob. Feel free to correct any mistakes :) (Let's learn together) ✌️