Pivoting & Lateral Movement
Sometimes we just can't get access to the thing that we need to exploit.
When that happens we need to know the different ways in which we can get around this little hurdle, as there is always a way.
The question on StackExchange that spawned this post
SOCAT
Python
Not something you want to code yourself under any kind of time constraints, but it's totally possible.
The best choice is to use an existing library like sshtunnel, which lets you do things like the following (forwarding the MySQL port on a Vagrant box to a local port):
```python
from sshtunnel import open_tunnel
from time import sleep

# SSH into the Vagrant box on localhost:2222 and forward its MySQL port
# (127.0.0.1:3306 on the box) to an ephemeral local port.
with open_tunnel(
    ('localhost', 2222),
    ssh_username="vagrant",
    ssh_password="vagrant",
    remote_bind_address=('127.0.0.1', 3306)
) as server:
    # the local port we were given; connect the MySQL client here
    print(server.local_bind_port)
    try:
        while True:
            # press Ctrl-C to stop
            sleep(1)
    except KeyboardInterrupt:
        pass  # leaving the with-block tears the tunnel down
print('FINISH!')
```
Putty
Basically SSH for Windows. Usually the most interaction we'll have with this is when we find one of its keys (.ppk) lying around on a machine.
With that being said...
Convert Putty key to SSH key:
```shell
puttygen id_dsa.ppk -O private-openssh -o id_dsa
puttygen id_dsa.ppk -O public-openssh -o id_dsa.pub
```
Sometimes Putty also has passwords left in the registry:
Plink
For this to work we need to make sure SSH is turned on.
Then on the target machine we can do the following:
(Could come in handy if we have SMB creds for an admin but we can't access SMB remotely)
Metasploit
In a meterpreter session:
Now on our host machine we can scan the IT network:
Chisel
Chisel is an awesome tool that is more than capable of turning what feels like a lost cause into a system own.
On the host:
That will set up a connection to 1337, which will then forward port 1234 to localhost:
SSH
Local Forward:
Remote Forward:
Dynamic tunneling
This creates a dynamic tunnel over port 9000 using SOCKS(4a).
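To make "SOCKS(4a)" concrete, here is an added example (not code from the original post) that parses the SOCKS4/SOCKS4a CONNECT request a client sends to a dynamic tunnel's local port and builds the server reply. The two sample requests are constructed, not captured; the destination `db.internal` and user id `vagrant` are made-up values. The point of interest for anyone watching traffic: with plain SOCKS4 the client resolves the hostname itself and sends an IP, while with SOCKS4a the client sends `0.0.0.x` plus a hostname and the SSH server does the DNS lookup, so the lookups show up on the proxy side rather than on the client.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
REPLY_GRANTED = 90   # 0x5a
REPLY_REJECTED = 91  # 0x5b


@dataclass
class Socks4Request:
    command: int
    port: int
    ip: str                   # dotted quad exactly as sent on the wire
    user_id: bytes
    hostname: Optional[str]   # only present for SOCKS4a requests

    @property
    def is_socks4a(self) -> bool:
        return self.hostname is not None

    @property
    def destination(self) -> str:
        # 4a: the proxy resolves the name; plain 4: the client already did
        return self.hostname if self.hostname is not None else self.ip


def _read_cstring(buf: bytes, start: int):
    """Return (bytes up to the NUL terminator, index just past it)."""
    end = buf.find(b"\x00", start)
    if end < 0:
        raise ValueError("unterminated string in SOCKS4 request")
    return buf[start:end], end + 1


def parse_socks4_request(data: bytes) -> Socks4Request:
    """Parse a client CONNECT/BIND request (SOCKS4 or SOCKS4a).

    Wire format: VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4) USERID... NUL
    SOCKS4a: DSTIP is 0.0.0.x with x != 0, and a NUL-terminated hostname
    follows the USERID.
    """
    if len(data) < 9:
        raise ValueError("request too short")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS4 request (VN={version})")
    if command not in (CMD_CONNECT, CMD_BIND):
        raise ValueError(f"unknown SOCKS4 command {command}")
    ip_bytes = data[4:8]
    ip = ".".join(str(b) for b in ip_bytes)
    user_id, pos = _read_cstring(data, 8)
    hostname = None
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
        raw_host, pos = _read_cstring(data, pos)
        hostname = raw_host.decode("ascii")
    if pos != len(data):
        raise ValueError("trailing bytes after SOCKS4 request")
    return Socks4Request(command, port, ip, user_id, hostname)


def build_socks4_reply(granted: bool, port: int = 0, ip: str = "0.0.0.0") -> bytes:
    """Server reply: VN(0) CD(90 granted / 91 rejected) DSTPORT(2) DSTIP(4)."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH", 0, code, port) + ip_bytes


# Constructed sample requests (not captured from a real session).
# Plain SOCKS4: CONNECT 10.0.0.5:3306, user id "vagrant".
SAMPLE_SOCKS4 = (b"\x04\x01" + struct.pack("!H", 3306)
                 + bytes([10, 0, 0, 5]) + b"vagrant\x00")
# SOCKS4a: CONNECT db.internal:3306; DSTIP 0.0.0.1 flags that the proxy resolves the name.
SAMPLE_SOCKS4A = (b"\x04\x01" + struct.pack("!H", 3306)
                  + bytes([0, 0, 0, 1]) + b"vagrant\x00" + b"db.internal\x00")

if __name__ == "__main__":
    for sample in (SAMPLE_SOCKS4, SAMPLE_SOCKS4A):
        req = parse_socks4_request(sample)
        kind = "SOCKS4a" if req.is_socks4a else "SOCKS4"
        print(f"{kind}: cmd={req.command} dest={req.destination}:{req.port} user={req.user_id!r}")
        print("granted reply:", build_socks4_reply(True).hex())
```

The parser rejects anything that is not version 4, an unknown command, an unterminated string, or trailing bytes, which is what a proxy (or a monitor sitting in front of the local tunnel port) should do rather than guessing. Note that SOCKS4 carries no authentication beyond the free-text user id, which is one reason the tunnel's local port should only ever be bound to loopback.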