Cheat sheets

Checking for NICs/Network adapters

One key defining characteristic of a router is that it has a routing table, which it utilizes to forward traffic based on the destination IP address.

Linux and MacOS

ifconfig
ip -br addr

windows

ipconfig

Routing

One key defining characteristic of a router is that it has a routing table, which it utilizes to forward traffic based on the destination IP address.
When looking to pivot, it can be helpful to look at the machines routing table to identify which networks we may be able to reach or which routes we may need to add.

viewing the routing table

Linux, MacOS

netstat -r
ip route

windows

netstat -r

Executing a Local Port forward SSH

accessing a MySQL server via port forwarding via SSH

ssh -L <localPort>:<localHost>:<targetPort> target@<targetIP>
ssh -L 1234:localhost:3306 ubuntu@10.129.3.2

-L: tells the SSH client to request the SSH server to forward all the data we send via (our local) port 1234 to localhost:3306 (being the target machine and target port)
By doing this we should be able to access the MySQL service via our local port 1234

If we wanted to forward multiple ports from the target server to our localhost, we can do so by including the local:server:port argument for example

ssh -L 1234:localhost:3309 -L 4321:localhost:80 ubuntu@10.129.3.2

Setting up a pivot

Enabling Dynamic Port Forwarding with SSH

ssh -D 9050 ubuntu@10.129.202.12

-D: argument requests the SSH server to enable dynamic port forwarding

Once we have this set up and connected to the target machine, we need proxychains to direct our TCP traffic through to the target machine

to do this we need to add an entry to our /etc/proxychains.conf file

# defaults set to "tor"
socks4 	127.0.0.1 9050

we can see our entry points to our localhost and port 9050, the same port we specified for port forwarding

now when we specify Nmap with proxychains, it will route all the packets of Nmap through our local port 9050, where our SSH client is listening, which in turn will forward the packets to say a internal subnet

proxychains nmap -v -sn <internalSubNet>

we can only perform full TCP connect scans over proxychains
Host alive check may not against Window's targets because Windows Defender firewall blocks ICMP

xfreerdp with proxychains

example

proxychains xfreerdp /v:172.16.5.2 /u:victor /p:password!

Remote/Reverse Port Forwarding with SSH

used to expose services from a remote machine to our local machine securely, think of it like creating a reverse tunnel from the remote machine to our local machine
The remote server establishes a tunnel back to the local machine, allowing external systems to connect to the specified port on the remote server, which then is forwarded to our local machine

ssh -R <IPofInternalNetwork>:<PortWeSpecifiedForCallBack>:<attackHost>:<attackHostPort> ubuntu@10.129.15.50 -vN
ssh -R 172.16.5.129:9000:0.0.0.0:1234 ubuntu@10.129.15.50 -vN

ping sweep

Linux

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done

CMD (windows)

for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"

PowerShell

1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

socat

being executed on the pivot host

socat TCP4-LISTEN:8080,fork TCP4:<localIP>:<localPort>
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

will listen on localhost port 8080, then redirect traffic back to our local machine on port 80

PreviousBranching out our tunnels NextTransferring Files

Last updated 2 years ago