Pivoting with hidden-portforwarding and Chisel
At this point, Victim1 is already compromised. In order to reach Victim2 (the network-isolated machine), we will use Victim1 as a pivot. To achieve our goal, we will use hidden-portforwarding together with Chisel.
As shown in the following illustration, Victim1 (the pivot) will publish a Hidden Service that routes TCP traffic to the Chisel server running on it. Once the Chisel client reaches the Chisel server, a SOCKS5+HTTP tunnel is established so that we can send packets through it.
As described in the Chisel documentation, we can start the Chisel server as a SOCKS5 proxy by executing the following command:
Now the Chisel server is ready to accept connections from the Chisel client.
In order to reach the Chisel server from the Chisel client while preserving anonymity, we will use hidden-portforwarding. This tool allows us to redirect TCP packets from a new Hidden Service to the TCP port where the Chisel server is listening.
The tool needs to receive:
1) the -data-dir parameter, to preserve the onion address,
2) the -hidden-port parameter, with the port you want for the Hidden Service, and
3) the -forward parameter, with the TCP socket you want to send traffic to.
Using the -data-dir parameter is especially important here. That directory holds the keys for the Hidden Service, so the onion address does not change between runs. If it is not specified, each execution creates a different Hidden Service.
Now that the Chisel server is reachable through the hidden-portforwarding tool, we will connect from the Chisel client. We can set the --proxy parameter so that the client goes through the Tor instance proxy:
Now the Chisel client is serving a SOCKS5 proxy on port 1080 that routes traffic to the Chisel server:
In order to connect to the SOCKS5 proxy served by the Chisel client, we will use proxychains4:
Now, let's try a simple port scan against Victim2:
Every packet goes through a SOCKS5 proxy over the Tor network. Traffic-intensive tools such as nmap become significantly slower because of the high latency. You should try to run these tools directly from the pivot instead, for example by using statically compiled versions of them.