Abstract: When attacking a target you should never do it directly from your machine or your detection will be to easy, use proxies or network pivots to obscure your origin. Also after a successful penetration of a network a hacker (good or bad) will immediately search to move horizontally thru the network and use the existing infrastructure to pivot their attacks. Learn various ways to do this and "never" get caught.

1. Obsidis Consortia, Inc.
Pivoting Networks
José L. Quiñones-Borrero, BS
MCP, MCSA, MCT, CEH, CEI, GCIH, GPEN, RHCSA

2. What is OC, Inc?
• Obsidis Consortia, Inc. [OC, Inc.] is a non-profit organization that promotes
security awareness in the community and supports professional
development of security professionals, students and enthusiasts in Puerto
Rico.
• OC, Inc. has develop and is supporting initiatives like the Init6 Security
User Group, Professional Training & Workshops, Network and Security
Systems Simulation Scenarios (Capture the Flag), Security BSides Puerto
Rico Conference and a Community Outreach Program.

3. What is pivoting?
• Webster
– a key player or position; specifically : an offensive position of a player standing
to relay passes, shoot, or provide a screen for teammates
• InfoSec
– Pivoting refers to method used by penetration testers, hackers or security
professionals that uses one system (compromised ) to access (attack) other
systems on the same network or remote networks to avoid detection,
restrictions such as firewall configurations, which may prohibit direct access to
all machines and provide misdirection during an incident investigation.
• Types
– Port Forwarding or Proxies
– Traditional Routing
– VPN/Tunneling
9/11/2013

4. Techniques
• OS Functionality
– Windows RAS
– Linux IP Forwarding
• Tools
– netcat
– ssh
– proxychains
– fpipe
• Exploit Frameworks
– Metasploit
• Dedicated Technologies
– OpenVPN
– PPTP/L2TP
– IPSec
• VM appliance
– OpenWRT/pfSense
9/11/2013

5. Windows
• Routing & Remote Access Service
– sc config RemoteAccess start= demand
– sc start RemoteAccess
– sc query RemoteAccess
• Routing Table
– route PRINT
– route ADD <destination> MASK <mask> <gateway-ip>
METRIC <weight> IF <interface#>
• Fpipe
– fpipe.exe –l <local_port> -r <remote_port>
<remote_ip>
9/11/2013

6. Linux
• Enable Forwarding
– echo 1 /proc/sys/net/ipv4/ip_forward
– sysctl -w net.ipv4.ip_forward=1
• Routing Table
– route add [ip.ad.rr.ss] net [m.a.s.k] gw
[ip.ad.rr.ss]
– route default via [ip.ad.rr.ss]
9/11/2013

7. iptables
• Clear
– iptables –F
• List
– iptables –L
• FORWARD
– iptables -A FORWARD -i eth1 -j ACCEPT
– iptables -A FORWARD -o eth1 -j ACCEPT
9/11/2013

8. Secure Shell
• Remote
– ssh –R remote_port
• Static (redirect a local connection to a remote ip:port)
– ssh –L local_port:remote_ip:remote_port user@host
• ssh –L 10000:10.10.10.10:80 user@host
• Dynamic (socks5)
– ssh –D local_port user@host
• ssh –D 10000 user@host
• Other options
• -f (sent to backgrond)
• -N (prevent execution on remote server)
• -o (send proxy command)
9/11/2013

9. How does Tor works?
• Debian:
• apt-get install tor
• tor &
• Fedora:
• yum install tor
• Tor &
• Listens on 127.0.0.1:9050

10. Proxychains
• Forces TCP applications that don’t support
proxies to go thru them
• Uses proxies in config file:
– /etc/proxychains.conf
– socks4, socks5, http
• Simple to use
– proxychains firefox http://mozilla.com
– proxychains nmap -sT -p 80 1.2.3.4
9/11/2013

11. Netcat
• Server mode
– nc –l –p <local_port>
– nc -nvlp 8000
• Client
– nc remote_ip remote_port
• Relay
– nc –l –p 8000 –c ‘nc remote_host port’
– nc –l –p 8000 –e relay.bat
• SANS netcat cheatsheet
– http://www.sans.org/security-
resources/sec560/netcat_cheat_sheet_v1.pdf
9/11/2013

12. VPN
• Protocols
– PPTP (weakest)
– L2TP/Ipsec
– SSL
• Private VPN service
– VPN service you pay for to protect your information
– VPN providers are bound by its country’s laws
• OpenVPN

13. How a private VPN works

14. Python
• Default Libraries:
– http://voorloopnul.com/blog/a-python-proxy-in-less-than-100-lines-
of-code/
– http://stackoverflow.com/questions/1874331/python-port-
forwarding-multiplexing-server
– http://www.linux-support.com/cms/forward-network-connections-
with-python/
• Using Twisted:
– http://therning.org/magnus/archives/30

15. Metasploit
• Routing thru sessions
– route add [subnet] [netmask] [session-idpr]
• Meterpreter
– portfwd –l [local-port] –p [remote-port] –r
[remote-host]
– route list
– route [add|delete] [subnet] [netmask] [gateway]
9/11/2013

16. Open Discussion …
Q & A

17. Challenge
• Code a port forwarder in python or ruby
– Command line
– Accepts arguments:
• Forwards TCP or UDP
• Local port (listens by default on TCP 8080)
• Source port (optional)
• Remote port
• Remote host
– Cross platform (Windows, Linux, Mac OS X)

18. Please visit us to keep in touch …
www.ObsidisConsortia.org
www.BSidesPR.org
https://www.youtube.com/channel/UCtpOw0dKOIVJu7JZqHx4oQg
https://plus.google.com/u/0/communities/102771209982001396923
https://facebook.com/obsidisconsortia
https://twitter.com/BSidesPR
Affiliates:
www.TalktoanIT.com
www.codefidelio.org
www.darkoperator.com