Pivoting
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
PORT FORWARDING ("port to port")
Using Metasploit
Target: Most platforms
If you get a meterpreter session on a dual-homed machine, or one with multiple network interfaces.
Using PLINK
Target: Windows
Start the SSH service (service ssh start) and transfer /usr/share/windows-binaries/plink.exe to the target machine.
Using SOCAT
Target: Linux
Forward your local port 8083 to 10.39.0.2:443
Using CHISEL
Target: Most platforms
Remote static tunnels "port to port":
Remote tunnels "access IP:PORT you couldn't access before":
Local tunnels "listen on the target for something, and send it to us":
Using netsh
Target: Windows
DYNAMIC Port Forwarding ("one port to any")
Set up proxychains with socks5 on 127.0.0.1:1080,
or set up a socks5 proxy in Firefox.
For nmap, use -Pn -sT, or use the TCP port scanner in msf.
Using Metasploit
Target: Most platforms
If you get a meterpreter session on a dual-homed machine, or one with multiple network interfaces.
Auto route to IP (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)
Using PLINK
Target: Windows
Using CHISEL
Target: Most platforms
Public key Authentication
With OpenSSH, the authorized keys are by default configured in .ssh/authorized_keys in the user's home directory. Many OpenSSH versions also look for .ssh/authorized_keys2.
You can add options in front of each key in the authorized_keys file.
Example authorized_keys file to allow only port forwarding with no shell access
command="cmd"
- Forces a command to be executed when this key is used for authentication. This is also called command restriction or forced command. The effect is to limit the privileges given to the key, and specifying this option is often important for implementing the principle of least privilege. Without this option, the key grants unlimited access as that user, including obtaining shell access.
It is a common error when configuring SFTP file transfers to accidentally omit this option and permit shell access.
from="pattern-list"
- Specifies a source restriction or from-stanza, restricting the set of IP addresses or host names (the canonical, reverse-mapped DNS names) from which the key can be used.
The patterns may use * as a wildcard, and may specify IP addresses using * or CIDR address/masklen notation. Only hosts whose IP address or DNS name matches one of the patterns are allowed to use the key.
More than one pattern may be specified by separating them by commas. An exclamation mark ! can be used in front of a pattern to negate it.
no-pty
- Prevents allocation of a pseudo-tty for connections using the key.
no-user-rc
- Disables execution of .ssh/rc when using the key.
no-x11-forwarding
- Prevents X11 forwarding.
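As an added example (not part of the original page), the following Python audit parses authorized_keys entries, including quoted option values that contain commas or escaped quotes, and reports which of the restrictions above each key lacks. The sample file and its key material are constructed placeholders; the restrict option (OpenSSH 7.2 and later) is treated as implying no-pty, no-user-rc and no-x11-forwarding.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
IMPLIED_BY_RESTRICT = {"no-pty", "no-user-rc", "no-x11-forwarding"}  # also set by restrict (7.2+)
CHECKS = {"command": "no forced command: key grants a shell as this user",
          "from": "no from= restriction: usable from any source address"}

def parse_entry(line):
    """Parse one authorized_keys entry; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, cur, quoted, i = [], [], False, 0
    if not line.startswith(KEY_PREFIXES):  # an option prefix precedes the key type
        while i < len(line) and (quoted or not line[i].isspace()):
            c = line[i]
            if quoted and c == "\\" and i + 1 < len(line):
                cur.append(line[i + 1]); i += 1  # \" inside a quoted value
            elif c == '"':
                quoted = not quoted  # quotes delimit a value, they are not part of it
            elif c == "," and not quoted:
                options.append("".join(cur)); cur = []
            else:
                cur.append(c)
            i += 1
        options.append("".join(cur))
    fields = line[i:].split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_PREFIXES):
        raise ValueError("malformed authorized_keys entry: %r" % line)
    opts = {k.lower(): v if eq else None  # option names are case-insensitive
            for k, eq, v in (o.partition("=") for o in options)}
    return {"options": opts, "key_type": fields[0],
            "comment": fields[2] if len(fields) > 2 else ""}

def audit(entry):
    """List the restrictions from the section above that this entry lacks."""
    opts = set(entry["options"])
    if "restrict" in opts:
        opts |= IMPLIED_BY_RESTRICT
    findings = [msg for opt, msg in CHECKS.items() if opt not in opts]
    return findings + ["missing " + f for f in sorted(IMPLIED_BY_RESTRICT - opts)]

def audit_file(text):
    return {e["comment"]: audit(e) for e in map(parse_entry, text.splitlines()) if e}

# Constructed sample file: the key material is a placeholder, not real keys.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 alice@laptop
command="/bin/false",no-pty,no-user-rc,no-X11-forwarding,from="10.0.0.0/8,!10.0.0.1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 tunnel-only
from="*.example.com",command="echo \\"hi, there\\"",restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER3 backup
"""
```

Calling audit_file(SAMPLE) returns an empty list for the two restricted keys and five findings for alice@laptop, whose bare key grants an unrestricted shell.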