Skip to main content

Pivoting internal with ProxyChains SSH

 

So we found  our way into some SSH creds for a webserver. Now we want to pivot to the internal network and start some recon.

The problem is our pivot box doesn't have all those fancy hacking tools our attacking machine has on it, and we might not have permission to install them with our current credentials. Also it might raise some red flags if all these hacking tools show up on the webserver..


So how do we get around this?  


Meet my friends SSH tunnel and Proxy Chains.


You might have used SSH tunneling in the past as just a way to visit an internal URL from your external attacking machine.


but we can go even further than that we can use SSH tunneling to create a forwarding port to the  internal network and use all our favorite hacking tools using proxy chains.


We can use a couple of switches with SSH here.


-D allows us to specify a local port to tunnel to this connection, This is important if you are lazy.. use port 9050 because it's the default port for proxychains, which means we don't have to mess with changing the config file for proxy chains.


-N allows us to connect with out immediately dropping us into the SSH session 

-f allows us to background the SSH tunnel so it runs in the background and we have access to our terminal again.

ssh pwnduser@10.10.110.100 -D 9050 -N -f


Now that we have our SSH tunnel running in the background we can just throw proxychains in front of pretty much any command we want to run and it will forward all the traffic from that command over our ssh tunnel and start our recon on the internal network.


if we want to do an nmap scan of a box


we might normally just use "nmap -T4 -p- -Pn 10.10.10.100"


now we just stick proxychains in front of that command


proxychains nmap -T4 -p- -Pn 10.10.10.100


and nmap will send all its traffic over to our compromised webserver to scan the internal network.


pretty cool right?

here is some output of nmap running with proxychains over my SSH tunnel.



its kind a ugly and slow but it works.


A bit of advice if the tool you are using with proxychains has an output option... use it to write the output of the program directly to file instead of trying to decipher and find the output in all the proxychains output.




Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar...
Post a Comment
Read more

Hack The Box - Retired - Laboratory

HackTheBox - Laboratory - Retired Starting off with a quick scan using threader6000 /opt/threader3000/threader6000.py 10.10.10.216 Ports 22,80,443 came back. Run nmap against these ports. nmap -p22,80,443 -sV -sC -T4 -Pn -oN 10.10.10.216 10.10.10.216 nmap -p22,80,443 -sV -sC -Pn -T4 -oN 10.10.10.216 10.10.10.216 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-13 17:43 EDT Nmap scan report for laboratory.htb (10.10.10.216) Host is up (0.060s latency). PORT    STATE SERVICE  VERSION 22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA) |   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA) |_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519) 80/tcp  open  http     Apache httpd 2.4.41 |_...
Post a Comment
Read more

A collection of online Security CTF and Learning sites

 Hellbound Hackers    Embedded Security CTF Arizona Cyber Warfare Range Over The Wire - Bandit Pico CTF 2018 Hack The Box.eu Root Me: Challenges/Forensic RingZero CTF Vulnerable By Design - Vulnerable VMs Murder Mystery SQL Challenge Incident Response Challenge Authentication Lab Walkthroughs Defcon CTF Archives Matrix Holiday Hack Cyber Defenders | Blue Team and CTF Crypto Hack - learning Crypto Video Learning Zero to Hero Pentesting by The Cyber Mentor
Post a Comment
Read more