added cheatsheet

Hans Martin 5 years ago
commit 1e2cb42450
1 changed files with 129 additions and 0 deletions
  cheatsheets/security/pentesting/network-pivoting.md (+129 -0)

+ 129 - 0
cheatsheets/security/pentesting/network-pivoting.md

@@ -0,0 +1,129 @@
+---
+title: Network Pivoting
+categories: [cheatsheets]
+tags: [pentesting, security]
+---
+
+# Network Pivoting
+
+Example Network:
+
+
+1) Public Network: 10.11.1.0/24
+2) IT Network: 10.1.1.0/24
+3) Own (Attacker) IP: 10
+4) Compromised Host: 10.11.1.251, 10.1.1.248 (two NIC's in both subnets)
+
+**No routing between the subnets**
+
+Goal: Get access to the IT Network, starting from the Attacker PC and using the compromised Host.
+
+
+#### Szenario:
+
+This host was owned via the 10.11.1.0/24 network. Now, the attacker wants to pivot further into the IT Network using the 0wned host.
+
+
+## Method 1: Pivoting using Metasploit
+
+Metasploit has a module for routing network traffic via a exploited meterpreter session: `autoroute`.
+
+Requirement: having a running meterpreter session (Session 1)
+
+```
+msf> use post/multi/manage/autoroute
+msf> set CMD add
+msf> set SUBNET 10.1.1.0
+msf> set NETMASK 255.255.255.0
+msf> run
+```
+
+To print the added routes:
+
+```
+msf> use post/multi/manage/autoroute
+msf> set CMD print
+msf> run
+```
+
+Next, start a metasploit internal socks proxy server with the command:
+
+```
+msf> use auxiliary/server/socks4a
+msf> set RHOSTS SRVHOST 10.11.0.143
+msf> run
+```
+
+the tool `proxychains` can be used to connect to this SOCKS proxy and metasploit will autoredirect the network packets to the created route via the meterpreter.
+For `proxychains` to work, edit the proxy entry in `/etc/proxychains.conf`
+
+```
+sh> vim /etc/proxychains.conf
+
+[ProxyList]
+# add proxy here ...
+# meanwile
+# defaults set to "tor"
+socks4  10.11.0.143 1080  # <- add the IP here
+```
+
+after that, nmap can be used like this:
+
+```
+sh> proxychains nmap -sT -Pn <ip>
+```
+
+## Method 2: Dynamic Port Forwarding with SSH and Proxychains
+
+The `-D` option of SSH is used for that:
+
+```
+ -D [bind_address:]port
+             Specifies a local “dynamic” application-level port forwarding.  This works by allocating
+             a socket to listen to port on the local side, optionally bound to the specified
+             bind_address.  Whenever a connection is made to this port, the connection is forwarded
+             over the secure channel, and the application protocol is then used to determine where to
+             connect to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols are sup‐
+             ported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.
+             Dynamic port forwardings can also be specified in the configuration file.
+
+             IPv6 addresses can be specified by enclosing the address in square brackets.  Only the
+             superuser can forward privileged ports.  By default, the local port is bound in accor‐
+             dance with the GatewayPorts setting.  However, an explicit bind_address may be used to
+             bind the connection to a specific address.  The bind_address of “localhost” indicates
+             that the listening port be bound for local use only, while an empty address or ‘*’ indi‐
+             cates that the port should be available from all interfaces.
+```
+
+Connect to the compromised host with `ssh -D`:
+
+```
+sh> ssh -D 10.11.0.143:1080 root@10.11.1.251
+```
+
+Again, change the proxychains config to the specified host:port:
+
+```
+sh> vim /etc/proxychains.conf
+
+[ProxyList]
+# add proxy here ...
+# meanwile
+# defaults set to "tor"
+socks4  10.11.0.143 1080  # <- add the IP here
+```
+
+after that, nmap can be used like this:
+
+```
+sh> proxychains nmap -sT -Pn <ip>
+```
+
+
+## Method 3: Port Forwarding using a ssh tunnel
+
+
+
+## Resources:
+
+[pentest.blog](https://pentest.blog/explore-hidden-networks-with-double-pivoting/)
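Review bot: the autoroute block (`msf> use post/multi/manage/autoroute` ... `msf> run`) never sets `SESSION`, which that module requires; the text right above it says the meterpreter session is Session 1, so add `msf> set SESSION 1` before `run`, otherwise the route to 10.1.1.0/24 is not added. In the SOCKS server block, `msf> set RHOSTS SRVHOST 10.11.0.143` is a typo that assigns the string `SRVHOST` to an option named `RHOSTS`; it should read `msf> set SRVHOST 10.11.0.143`. Both listeners are then bound to the attacker's routable address (`SRVHOST 10.11.0.143` and `ssh -D 10.11.0.143:1080`), which exposes an unauthenticated SOCKS proxy into the IT network to every host on 10.11.1.0/24; bind to 127.0.0.1 and point the proxychains entry at `socks4 127.0.0.1 1080` unless another machine actually has to use the pivot. Smaller points: "3) Own (Attacker) IP: 10" is truncated while 10.11.0.143 is used as the attacker address throughout, so the example network list should state that address; "Szenario" and "meanwile" are typos; and the "Method 3: Port Forwarding using a ssh tunnel" heading has no body, so either fill in the local-forward example or drop the heading until it is written. The `proxychains nmap -sT -Pn <ip>` lines are correct as written: a SOCKS proxy can only carry full TCP connects, so SYN scans and ICMP host discovery would not work through it.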