common guides to pen test pivoting and tunneling (or tunnelling)

Tunneling and pivoting through a network can be a slightly mind-bending experience at first. I did plenty of this during my time in the PWK labs, and the guide, Explore Hidden Networks With Double Pivoting, proved to be very useful. Likewise, A Red Teamer’s guide to pivoting, looks like an excellent resource, largely if you have root access already and need a better way to get back out. (Edited to add this new one: https://nullsweep.com/pivot-cheatsheet-for-pentesters/)

As a bonus, the second link also includes some shell upgrading techniques at the end.

Other links:
http://www.doomedraven.com/2013/05/ssh-gymnastics-and-tunneling-with.html
http://blog.knapsy.com/blog/2014/11/05/kvasir-vm-writeup/

For my time in the labs, I started out using single hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:

ssh root@10.81.1.250 -L 81:10.71.1.28:80

Later on, I learned to do more dynamic SSH forwards with proxychains:

PROXYCHAINS

I used a dynamic ssh tunnel via John:
ssh -f -N -D 127.0.0.1:9050 j0hn@10.11.1.252 -p 22000
Tested with :
proxychains nmap 10.2.2.15 -sT -Pn

ssh -f -N -D 127.0.0.1:9050 sean@10.11.1.251
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D 127.0.0.1:9055 root@10.1.1.1 -p 222
leafpad /etc/proxychains.conf
proxychains ssh luigi@10.3.3.88

And even later, I did double pivoting using proxychains:

ssh -tt -L8080:localhost:8157 sean@10.11.1.251 ssh -t -D 8157 mario@10.1.1.1 -p 222
set up proxychains to use our forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 127.0.0.1 8080

One thought on “common guides to pen test pivoting and tunneling (or tunnelling)

Leave a Reply

Your email address will not be published. Required fields are marked *