# Pivoting Enumeration

![alt text](https://assets.tryhackme.com/additional/wreath-network/6904b85a9b93.png)

## Lab VPN (OpenVPN)

For HTB and similar labs that provide a `.ovpn` key:

```bash
sudo openvpn user.ovpn
# Wait for "Initialization Sequence Completed"
```

Confirm connectivity: `ifconfig` or `ip a` for a `tun0` interface; `netstat -rn` to see routes (e.g. lab network via tun0). Use the VPN IP (e.g. on tun0) as LHOST for callbacks. Run the VPN from a dedicated VM, not a box used for client work.

## Manual Techniques

* There are two main methods encompassed in this area of pentesting:
  * **Tunnelling/Proxying:** Creating a proxy-type connection through a compromised machine in order to route all desired traffic into the targeted network. This could potentially also be tunnelled inside another protocol (e.g. SSH tunnelling), which can be useful for evading a basic Intrusion Detection System (IDS) or firewall.
  * **Port Forwarding:** Creating a connection between a local port and a single port on a target, via a compromised host.

### Pros and cons

* A proxy is good if we want to redirect lots of different kinds of traffic into our target network -- for example, with an nmap scan, or to access multiple ports on multiple different machines.
* Port Forwarding tends to be faster and more reliable, but only allows us to access a single port (or a small range) on a target device.
* It would be sensible at this point to also start to draw up a layout of the network as you see it
* As a general rule, if you have multiple possible entry-points, try to use a Linux/Unix target where possible, as these tend to be easier to pivot from. An outward facing Linux webserver is absolutely ideal.

### Enumeration

* There are five possible ways to enumerate a network through a compromised host:
  * Using material found on the machine (the hosts file or ARP cache, for example)
  * Using pre-installed tools
  * Using statically compiled tools
  * Using scripting techniques
  * Using local tools through a proxy

## Basic Checks

* View the ARP cache (Linux and Windows):

```
arp -a
```

* Static hostname mappings (Linux / Windows):

```
/etc/hosts
C:\Windows\System32\drivers\etc\hosts
```

* Local DNS server configuration (is a zone transfer possible?):

```
/etc/resolv.conf
```

* IP addresses, interfaces, gateway etc. (Windows / Linux):

```
ipconfig /all
ip addr
```

* Alternative to reading `/etc/resolv.conf` on NetworkManager systems:

```
nmcli dev show
```

#### Proxy Note

* Finally, the dreaded scanning through a proxy. This should be an absolute last resort, as scanning through something like proxychains is very slow, and often limited (you cannot scan UDP ports through a TCP proxy, for example).
* The one exception to this rule is when using the Nmap Scripting Engine (NSE), as the scripts library does not come with the statically compiled version of the tool.
* As such, you can use a static copy of Nmap to sweep the network and find hosts with open ports, then use your local copy of Nmap through a proxy specifically against the found ports.

## LOL (Living off the Land) Techniques

### Ping Sweeps

Linux bash:

```bash
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
```

Windows CMD:

```
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
```

Windows PowerShell:

```powershell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
```

Meterpreter:

```
meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
```

### Routing Table

```bash
netstat -r
```

### View Established Sessions

```bash
netstat -antp
```

### Port Scanning in Bash

```bash
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done
```
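Detection counterpart to the ping sweeps and the `/dev/tcp` port loop above, as an added example that is not part of the original notes: both leave the same footprint in firewall or flow logs, one source touching many hosts (ICMP) or many ports on one host (TCP) inside a short window. The log format, addresses and thresholds below are constructed assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (assumption, not from the original notes):
#   <ISO timestamp> proto=<icmp|tcp> src=<ip> dst=<ip> dport=<port or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\S+)$"
)
EPOCH = datetime(1970, 1, 1)

# Constructed sample: one host pings 40 addresses in 172.16.5.0/24 (the
# bash/CMD/PowerShell sweeps), then probes 60 TCP ports on one target
# (the /dev/tcp loop), alongside two ordinary connections from other hosts.
SAMPLE_LOGS = (
    [f"2024-05-01T10:00:{i % 60:02d} proto=icmp src=172.16.5.50 dst=172.16.5.{i} dport=-"
     for i in range(1, 41)]
    + [f"2024-05-01T10:01:{p % 60:02d} proto=tcp src=172.16.5.50 dst=192.168.1.1 dport={p}"
       for p in range(1, 61)]
    + ["2024-05-01T10:02:00 proto=tcp src=172.16.5.20 dst=172.16.5.10 dport=443",
       "2024-05-01T10:02:05 proto=tcp src=172.16.5.21 dst=172.16.5.10 dport=445"]
)

def parse_line(line):
    """Return a dict with ts (epoch seconds), proto, src, dst, dport, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = (datetime.fromisoformat(d["ts"]) - EPOCH).total_seconds()
    return d

def detect_sweeps(lines, window_s=60, sweep_hosts=20, scan_ports=30):
    """Flag a source that touches many hosts by ICMP, or many ports on one
    host by TCP, within one fixed time window. Thresholds are assumptions."""
    icmp_dsts = defaultdict(set)   # (src, window) -> distinct dst addresses
    tcp_ports = defaultdict(set)   # (src, dst, window) -> distinct dports
    for ev in filter(None, map(parse_line, lines)):
        win = int(ev["ts"]) // window_s
        if ev["proto"] == "icmp":
            icmp_dsts[(ev["src"], win)].add(ev["dst"])
        elif ev["proto"] == "tcp":
            tcp_ports[(ev["src"], ev["dst"], win)].add(ev["dport"])
    alerts = []
    for (src, _), dsts in icmp_dsts.items():
        if len(dsts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, "*", len(dsts)))
    for (src, dst, _), ports in tcp_ports.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOGS):
        print(alert)
```

A slower, randomised sweep spread across windows evades the fixed-window count; a sliding window or a per-source daily distinct-host tally catches that at the cost of more state.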
