Tuesday, December 7, 2021

[SSH Tunneling] Pivoting over networks

Hi everyone,


Today I'm going to walk you through three exercises of progressively increasing complexity in the technique of pivoting across adjacent networks.

[Step one: easy level]

The initial network map is the following:

- We need to perform one hop across the network to reach the target server from the attacker machine.



In this scenario I set up a single SSH tunnel with port forwarding, which lets the attacker machine connect to the target server over RDP (with the rdesktop client), as you can see in the following video.







[Step two: medium level (2 hops)]

The second scenario requires two hops across the network:




In this scenario I chain two SSH tunnels with port forwarding, which lets the attacker machine connect to the target server over RDP (with the rdesktop client), as you can see in the following video.




[Step three: hard level]

The third scenario uses a dynamic (SOCKS) tunnel combined with a reverse port forward. This lets us point proxychains on the attacker machine at the tunnel and run an nmap port scan against the target system through it:





Dynamic tunnel bound locally on the pwned machine:


Reverse tunnel back to the attacker machine:


Local listening port on the attacker machine:


Proxychains configuration:

└─$ cat /etc/proxychains4.conf | grep socks
#            socks5 192.168.67.78 1080 lamer secret
# socks4 192.168.1.49 1080
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
socks4 127.0.0.1 9051


Nmap port-scan example through proxychains:

┌──(kali㉿kali)-[~]
└─$ proxychains nmap -sT -p 53,80,88,135,139,445,464,593,636,3389 192.168.1.48
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 08:18 EST
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:139  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:3389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:53  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:636  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:464  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:593  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9051  ...  192.168.1.48:88  ...  OK
Nmap scan report for 192.168.1.48
Host is up (0.0045s latency).

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 13.10 seconds


rdesktop connection to the target machine:




[Final scenario: hard level] two SSH connections + dynamic SSH tunnel + reverse SSH tunnel + SSH port forwarding + proxychains
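Every chain in these scenarios depends on the pivot host's sshd permitting the forwarding type in use, so a defender's first check is the sshd_config of the hosts an attacker could hop through. The following Python audit is an added example (not code from the original post): it resolves the forwarding directives of an sshd_config the way sshd does (first value wins) and reports which tunnel types from these steps (local -L, dynamic -D, reverse -R) a logged-in account could open. The sample configs are constructed, and the parser only reads the global section before the first Match block.

```python
import re

# Forwarding directives and sshd's defaults when a directive is absent.
DEFAULTS = {
    "allowtcpforwarding": "yes",  # yes | no | local | remote
    "disableforwarding": "no",    # yes disables every forwarding type
    "gatewayports": "no",         # yes/clientspecified: -R may bind non-loopback
    "permitopen": "any",          # destinations a -L/-D tunnel may reach
}

def effective_global_config(text: str) -> dict:
    """Resolve the global section of an sshd_config to effective values.

    sshd keeps the FIRST value it sees for a keyword, so duplicates later in
    the file are ignored.  Parsing stops at the first Match block because its
    directives only apply to the matched users or addresses (simplification)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in cfg and len(parts) == 2:
            cfg[key] = parts[1].strip().lower()
    return {k: cfg.get(k, v) for k, v in DEFAULTS.items()}

def forwarding_posture(cfg: dict) -> dict:
    """Which tunnel types (-L, -D, -R) an authenticated user could open."""
    allow = "no" if cfg["disableforwarding"] == "yes" else cfg["allowtcpforwarding"]
    # -D uses the same direct-tcpip channel as -L, so both count as "local"
    # forwarding and both are cut off by PermitOpen none.
    local_ok = allow in ("yes", "local") and cfg["permitopen"] != "none"
    remote_ok = allow in ("yes", "remote")
    return {
        "local_forward": local_ok,     # ssh -L (steps one and two)
        "dynamic_socks": local_ok,     # ssh -D (step three, proxychains target)
        "remote_forward": remote_ok,   # ssh -R (step three)
        "remote_bind_all": remote_ok and cfg["gatewayports"] != "no",
    }

# Constructed samples: a permissive default-like file and a hardened one.
WEAK_CONFIG = """
Port 22
# AllowTcpForwarding defaults to yes when absent
GatewayPorts yes
"""
HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes   # ignored: sshd keeps the first value
PermitOpen none
Match User backup
    AllowTcpForwarding local   # ignored here: inside a Match block
"""
```

Run `forwarding_posture(effective_global_config(open("/etc/ssh/sshd_config").read()))` on a real pivot candidate to see which of the three tunnel types it would accept.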





And that's all for this post, enjoy!! We'll keep in touch.

f0ns1!!


Phishing credentials exercise with the EVIL-SSDP tool over the SSDP protocol

Hi everyone!


I explain the exercise and perform a couple of attacks using a scanner and a backup device in the following video:





I hope you enjoy the video and learn about this protocol.
Regards, f0ns1. We keep in touch ;)

