During an Internal Penetration Testing Engagement that is being conducted remotely through a VPN connection, your best option is to setup a e.g. Kali Linux VM (implant) in the client’s network and access it through ssh in order to perform all of your security tests properly without any restrictions.
In this blog post we will demonstrate how to tunnel the http and https traffic through the ssh connection in order to visit any web application, accessible only through the Kali Linux VM implant, using your local web browser.
Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping.
Pivoting can further be distinguished into proxy pivoting and VPN pivoting. Proxy pivoting generally describes the practice of channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from the computer. This type of pivoting is restricted to certain TCP and UDP ports that are supported by the proxy.
VPN pivoting enables the attacker to create an encrypted layer to tunnel into the compromised machine to route any network traffic through that target machine, for example, to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if they were behind the firewall.
Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the payload (software) of an exploit.
Pivoting is usually done by infiltrating a part of a network infrastructure (as an example, a vulnerable printer or thermostat) and using a scanner to find other devices connected to attack them. By attacking a vulnerable piece of networking, an attacker could infect most or all of a network and gain complete control.
Create the tunnel
ssh -D localhost:8181 <username>@<kali-linux-vm-implant-ip-addr>
Setup Firefox Browser
- Open Firefox.
- Goto Options (about:preferences in URL bar).
- Open Network Settings.
- Select “Manual proxy Configuration”.
- Configure the SOCKS Host and Port parameters.
- Open Firefox config (about:config in URL bar).
- Set “network.proxy.socks_remote_dns” to True to avoid any DNS leaks.
- Set “media.peerconnection.enabled” to False to avoid WebRTC leaks.