The shades of tunneling

Solution of common pivoting problems during a Penetration Test

Karol Mazurek

--

INTRODUCTION

During a penetration test, you may encounter a scenario in which you want to pivot through one of the compromised hosts to reach other systems in the internal network and continue testing.
In this article, you will be guided through three pivoting scenarios and will learn different tools and techniques that can help you achieve this goal.

SCENARIO I

You have gained root privileges on a Linux server and conducted host discovery in an internal network that only the compromised host can reach. Now you want to pivot through this host. How do you do it quickly?

1.1. SSH & PROXYCHAINS

  • One way to achieve this goal is by using SSH dynamic port forwarding, which establishes a secure channel between an SSH client and SSH server.
  • It listens on a local port, and anything sent to this port is forwarded through the SSH tunnel to the SSH server, which determines where to send the traffic.
  • SSH functions as a SOCKS4 or SOCKS5 proxy server.
SSH dynamic port forwarding
### ON YOUR MACHINE (10.10.10.1)
# CREATE A DIRECTORY FOR MANAGING KEYS
mkdir piv_keys && chmod 700 piv_keys
# GENERATE NEW SSH KEY
ssh-keygen -f piv_keys/id_rsa_1
# COPY THE PUBLIC KEY (.pub) CONTENT TO CLIPBOARD
cat piv_keys/id_rsa_1.pub | clip.exe # OR JUST CAT AND COPY
### ON A COMPROMISED MACHINE (10.10.10.2)
# ADD YOUR SSH PUBLIC KEY TO authorized_keys
echo "ssh-rsa AAAA...[REDACTED]..." >> /root/.ssh/authorized_keys
### ON YOUR HOST (10.10.10.1)
# START SSH DYNAMIC PORT FORWARDING
# -D 9999: SOCKS listener on localhost:9999, -f: go to background, -N: run no remote command
ssh -D 9999 -f -N root@10.10.10.2 -i piv_keys/id_rsa_1

There are many ways for programs to interact with the SOCKS proxy server.
For example, you can configure the web browser to use it…
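Any client that speaks SOCKS5 can use the listener started above, and the handshake it performs is short enough to do by hand. The following is an added example, not code from the original article, that builds and decodes the SOCKS5 messages a client exchanges with the ssh -D listener; the 127.0.0.1:9999 proxy address and the internal target names in the comments are assumptions, and sending the target as a hostname (ATYP 0x03) makes the SSH server resolve it, so name lookups also go through the tunnel.

```python
import socket
import struct

# Constructed assumptions for this example: the "ssh -D 9999" listener from the
# commands above, running on the tester's own machine.
PROXY = ("127.0.0.1", 9999)
SOCKS_VERSION = 5
REPLY_MESSAGES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
                  0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
                  0x04: "host unreachable", 0x05: "connection refused",
                  0x06: "TTL expired", 0x07: "command not supported",
                  0x08: "address type not supported"}

def greeting() -> bytes:
    """Client hello: version 5, one offered method, 0x00 = no authentication
    (ssh -D does not authenticate SOCKS clients; the SSH login already did)."""
    return bytes([SOCKS_VERSION, 1, 0x00])

def connect_request(host: str, port: int) -> bytes:
    """CONNECT request. A dotted-quad becomes ATYP 0x01 (4 raw bytes); anything
    else is sent as ATYP 0x03 (length-prefixed name) so that the SSH server on
    the compromised host, not the tester's machine, resolves the name."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes) -> tuple:
    """Decode the server reply (VER REP RSV ATYP BND.ADDR BND.PORT) into
    (reply code, human-readable meaning)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1], REPLY_MESSAGES.get(data[1], "unknown reply code")

def connect_via_socks(target_host: str, target_port: int, proxy=PROXY) -> socket.socket:
    """Open a TCP connection to target_host:target_port through the SSH SOCKS listener."""
    s = socket.create_connection(proxy, timeout=10)
    s.sendall(greeting())
    if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        s.close()
        raise ConnectionError("proxy rejected the 'no authentication' method")
    s.sendall(connect_request(target_host, target_port))
    code, msg = parse_reply(s.recv(262))  # longest possible reply: 4 + 256 + 2 bytes
    if code != 0x00:
        s.close()
        raise ConnectionError(f"SOCKS CONNECT failed: {msg}")
    return s  # from here on, plain application traffic flows through the SSH tunnel
```

After connect_via_socks() returns, the socket behaves like a direct connection to the internal host, which is exactly what proxychains or a browser's SOCKS setting does for programs that cannot speak SOCKS themselves.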

--