Target Pivoting with Proxychains
Create an SSH tunnel to reach remote networks through your Target
Setup
I created a lab with Kali Linux, a Win10 client as the target and a Linux webserver.
Kali can only reach the Win10 client and not the webserver. The Win10 client has two NICs and can reach the webserver. Our goal is to use the Win10 client as a proxy to reach the webserver.
For the webserver I installed apache2 and edited the index page.
sudo apt install apache2
sudo systemctl start apache2
sudo systemctl enable apache2
sudo vim /var/www/html/index.html
Proxychains
Proxychains is a tool to redirect connections through SOCKS4a/5 or HTTP proxies. It is already installed and configured on Kali, so we don't have to configure anything. We can verify with cat /etc/proxychains4.conf that the proxy list points to a SOCKS proxy on our localhost.
SSH Tunneling
First we will use the Nmap command nmap -sS -sV -p 22 10.0.0.101 to check if the target has SSH enabled.
The target runs an OpenSSH server, so we can use the Hydra command hydra -L usernames.txt -P passwords.txt 10.0.0.101 ssh to brute-force the SSH credentials.
We found the username adam and the password Cisco123. We can now use these credentials to open an SSH session that binds our local proxy port 9050 as a dynamic (SOCKS) forward with the command ssh -l adam 10.0.0.101 -D 9050.
Open a new tab and check with the command netstat -antp if the proxy is running.
Perfect! We can now issue proxychains curl 10.0.10.20 and get a response from the webserver on the other network. Be aware that you can't ping through the proxy, since the SOCKS proxy only relays transport-layer connections and ping uses ICMP, which sits on the network layer.
You can also issue proxychains firefox 10.0.10.20 to open the webserver in Firefox through the proxy.
You can now use your target, for example, to scan the remote network with Nmap: proxychains nmap -sT -Pn 10.0.10.20. The -sT (TCP connect) scan is used because only full TCP connections can pass through the proxy, and -Pn skips the ping-based host discovery that would fail for the reason above.
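From the defender's side, the sequence above (many failed SSH passwords from one source, then a successful password login) is visible in the target's sshd log. The following detection sketch is an added example, not part of the original article. The log lines are constructed, the source addresses 10.0.0.50 and 10.0.0.7 are assumptions, and failures are counted per source without a time window.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the lab in the article).
# 10.0.0.50 stands in for the attacking host, 10.0.0.7 for a normal user.
SAMPLE_LOG = """\
Mar 01 10:00:01 win10 sshd[412]: Failed password for invalid user root from 10.0.0.50 port 40112 ssh2
Mar 01 10:00:01 win10 sshd[413]: Failed password for invalid user admin from 10.0.0.50 port 40114 ssh2
Mar 01 10:00:02 win10 sshd[414]: Failed password for adam from 10.0.0.50 port 40116 ssh2
Mar 01 10:00:02 win10 sshd[415]: Failed password for adam from 10.0.0.50 port 40118 ssh2
Mar 01 10:00:03 win10 sshd[416]: Failed password for adam from 10.0.0.50 port 40120 ssh2
Mar 01 10:00:03 win10 sshd[417]: Accepted password for adam from 10.0.0.50 port 40122 ssh2
Mar 01 10:05:10 win10 sshd[420]: Failed password for bob from 10.0.0.7 port 51000 ssh2
Mar 01 10:05:20 win10 sshd[421]: Accepted password for bob from 10.0.0.7 port 51002 ssh2
"""

# Matches the standard OpenSSH password authentication messages.
EVENT = re.compile(
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_bruteforce_logins(log_text, threshold=5):
    """Return (source_ip, user, failures_before_success) for every password
    login accepted from a source that had at least `threshold` failures."""
    failures = defaultdict(int)  # failed attempts per source since last success
    alerts = []
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue  # ignore unrelated log lines
        outcome, user, src = match.groups()
        if outcome == "Failed":
            failures[src] += 1
            continue
        # Accepted login: alert if it follows a burst of failures.
        if failures[src] >= threshold:
            alerts.append((src, user, failures[src]))
        failures[src] = 0  # a success resets the counter for this source
    return alerts

if __name__ == "__main__":
    for src, user, count in find_bruteforce_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {src} after {count} failed attempts")
```

An alert from this check identifies the account whose password should be rotated and whose SSH session should be reviewed for port forwarding.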
Thanks for reading my article. If you have any questions or recommendations you can message me via arvednetblog@gmail.com.