Double pivoting with SSH


Hello folks

Today we will talk about SSH scenarios that I made more complex with double pivoting :D. Three scenarios will be explained.

So at first, we have:

1- attacker to (first machine: SSH server) to (second machine: SSH client) to target (Metasploitable)

2- attacker to (first machine: SSH client) to (second machine: SSH server) to target (Metasploitable)

3- attacker to (first machine: SSH server) to (second machine: SSH server) to target (Metasploitable)

About the IPs of the machines:

Our machine, Kali Linux, assumed to be the attacker, has IP = 192.168.40.128

The next one, a Win7 box assumed to be the first pivot point, has 2 NICs: first IP = 192.168.40.130, 2nd IP = 192.168.30.130

The next one, a Win7 box assumed to be the second pivot point, has 2 NICs: first IP = 192.168.30.131, 2nd IP = 192.168.20.131

And at last, our target Metasploitable has only one IP = 192.168.20.128


Let's begin with the first scenario

1- attacker to (first machine: SSH server) to (second machine: SSH client) to target (Metasploitable)

I'm assuming that after the exploitation phase you have access to the first machine (win7-pc1, first pivot point) and also the second machine (win7-pc2, second pivot point), and that you need to access port 80 on your target (Metasploitable), which sits in another network.

At first, from pc2 (2nd pivot point)

we use a remote port forward 🙂

So let's try to access it from pc1

And now let's forward the local port on which we received port 80 on to Kali 😀

We use a remote port forward again 🙂 Now let's check

It works without a problem 🙂
Now we have finished the first scenario


Let's start the second scenario

2- attacker to (first machine: SSH client) to (second machine: SSH server) to target (Metasploitable)

We start from pc1 (first pivot point)

We use local port forwarding 🙂

Then we make a remote port forward 🙂

And after this, you get access to port 80

It's very easy 😀



Now let's go to the third scenario

3- attacker to (first machine: SSH server) to (second machine: SSH server) to target (Metasploitable)

At first, let's connect from the attacker via SSH to the first pivot point, which has an SSH service 🙂, using the -D (dynamic) option

Let's configure proxychains to use the specific port we used in the ssh command to connect to the first pivot point machine

I know there is a machine in the second network, so let's scan it using Nmap

OK, after discovery we found there is an SSH service running, and after enumeration we already have credentials for it

I used port 1090, so let's reconfigure proxychains

And let's try to scan the target (Metasploitable)

What about if you need to access port 80? Look at this tip
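As an added example that is not from the original post: all three chains above only work because the pivot's sshd accepts -R, -L or -D forwards, which a handful of sshd_config directives control. This POSIX sh script audits a dump of `sshd -T` output for those directives; the two dumps at the bottom are constructed samples, not real hosts.

```shell
#!/bin/sh
# Audit the effective sshd settings that make a server usable as a pivot.
# Input: a file holding `sshd -T` output (lowercase "keyword value" lines).
# Exit status 0 = forwarding locked down, 1 = one or more findings printed.
audit_ssh_forwarding() {
    cfg="$1"
    findings=0
    # Value of one directive in the dump (first match), empty if absent.
    get() { awk -v k="$1" '$1 == k { print $2; exit }' "$cfg"; }

    tcp=$(get allowtcpforwarding)
    gw=$(get gatewayports)
    open=$(get permitopen)
    stream=$(get allowstreamlocalforwarding)

    # -L, -R and -D forwards are all refused only when this is "no".
    if [ "$tcp" != "no" ]; then
        echo "allowtcpforwarding=${tcp:-unset}: -L/-R/-D forwards accepted (set AllowTcpForwarding no if this host never needs them)"
        findings=$((findings + 1))
        # With forwarding on, PermitOpen decides which host:port a forward may reach.
        if [ "$open" = "any" ] || [ -z "$open" ]; then
            echo "permitopen=${open:-unset}: forwards can reach any host:port (restrict with PermitOpen host:port)"
            findings=$((findings + 1))
        fi
    fi
    # GatewayPorts yes makes -R listeners bind on all interfaces, not just loopback.
    if [ -n "$gw" ] && [ "$gw" != "no" ]; then
        echo "gatewayports=$gw: -R listeners reachable from other hosts, not only loopback"
        findings=$((findings + 1))
    fi
    if [ -n "$stream" ] && [ "$stream" != "no" ]; then
        echo "allowstreamlocalforwarding=$stream: unix-socket forwards accepted"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample dumps (not captured from real machines):
# a default-style server and a hardened one.
weak_dump=$(mktemp); hardened_dump=$(mktemp)
printf 'allowtcpforwarding yes\ngatewayports no\npermitopen any\nallowstreamlocalforwarding yes\n' > "$weak_dump"
printf 'allowtcpforwarding no\ngatewayports no\npermitopen any\nallowstreamlocalforwarding no\n' > "$hardened_dump"

echo "== constructed weak dump =="
audit_ssh_forwarding "$weak_dump" || echo "-> findings present"
echo "== constructed hardened dump =="
audit_ssh_forwarding "$hardened_dump" && echo "-> forwarding locked down"
```

On a real host, feed it `sshd -T > /tmp/sshd.dump` (run as root) instead of the constructed files.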

Here I finish

In conclusion

Special thanks to EBRAHIM KHADI AND ESLAM MEDHAT
