Pivoting
This article will go through ways to use a windows machine as a proxy and ways to pivot through the network.
But why would we do a thing like this in the first place? Well, the pros are:
Bypass command line logging
No execution on the host, EDRs don't have telemetry over this
We touch less hosts
But the cons are:
You lose being in context of the windows user due to the fact that you don't have the privilege of windows SSO.(Need credentials)
Let's look at some ways technologies we can use to pivot.(C2 Frameworks like metasploit and cobalt strike have multiple guides on how to do so.)
Once you are in the network, you can use tools like Impacket and RPCclinet to gain info and move laterally throughout the network.
SSHuttle
This can create a VPN connection with only VPN access on the host. Note that the only requirement this needs is for python to be installed.
The below will forward all traffic.
Firewalls
Windows Firewall can to proxy connections similarly to iptables redirectors.
Proxychains for Windows
To pivot a windows operator machine into the target network, this can be used in conjunction with a socks proxy.
Rpivot
This tunnels traffic into internal networks via socks4proxy in python with only the standard library. This supports NTLM proxy authentication with username or NTLM hashes:
Server (Attacker box)
Client (Compromised box)
Through corporate proxy
Passing the hash
Last updated