Pivoting and proxychains with MITRE ATT&CK: Example and walkthrough
Keatron Evans shows you how you can use pivoting and proxychains to connect to a protected network in this episode of Cyber Work Applied.
Understanding pivoting with proxychains
Learn how adversaries leverage hardware to pivot into a protected network. Then try it yourself and master these MITRE ATT&CK® techniques in the Infosec Skills cyber range.
Pivoting with Proxychains with MITRE ATT&CK | Free Cyber Work Applied series
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Pivoting with proxychains demo
The edited transcript of the pivoting with proxychains walkthrough video is provided below, separated into each step Keatron covers in the video.
What is pivoting with Proxychains?
(0:00-0:29) Hello, I’m Keatron Evans. I’m going to show you how we use pivoting and proxychains to evade and make it hard to track what we’re doing. This is going to be reflective of the MITRE ATT&CK framework’s T1200 and T1199, which deal with those areas. So let’s go ahead and start the lab.
Why is proxying necessary?
(0:30- 0:48) Part of the reason proxying is necessary is that if someone’s looking through log files or something like that, you don’t want them to be able to see exactly where it is you’re coming from. Being able to set up proxychains is a great way for you to do that. So let’s look at an example.
Pivoting with Proxychains
(0:49-1:42) In this lab, we’re going to first start off by opening a terminal. We’re going to go ahead and do this first command and make a directory.
root@ip-172-20-16-249:/# mkdir ~/lab
Then we’re going to Nmap scan pivot. Now, keep in mind pivot is just a device that we’ve created a record for DNS record for and it goes to a specific IP. We’re just shortening it here by allowing you to scan pivot without having to type out an IP address. So we do that scan.
root@ip-172-20-16-249:/# nmap -p- pivot
As you can see, the range tells us we completed that step. So we’re verifying here that there is an SSH service there, as we can see that port 22 is open.
Scanning the target
(1:43-3:14) So we move on to the next step. We’re going to actually scan a target. So in the previous session, we saw the SSH server. Now we’re going to actually connect to it. It gives us the username “root” and the password “toor” here. So I’m going to run the SSH command to SSH to that device.
root@ip-172-20-16-249:/# ssh root@pivot
I’m going to answer yes to the question and then enter the password “toor.”
One of the things that is really good about this, as you can see the hostname right here, is that we’re connected to this; we’re on this IP. And you’ve changed to another device. Because if you look at the prompt down here, now, you’ve SSH into another device:
So for the new people, it’s important for them to have that visual there. So they can see that they’re now connected to another device. So this is one of the nice touches that we put in here to make sure that we visibly show the learner that they’re actually connected to something else in this step here.
So now what we’re going to do is we’re going to scan the target here. The target is the machine that we actually just SSH from. And all we’re doing at this point is proving that we can reach that machine from the one we just SSH into.
root@ip-272-20-29-57:~# nmap -p- target
So we run that command, we see that it scans and says, yeah, we got some ports open and we’re able to reach that machine. Then it gives us the green check to let us know that we completed that step as well.
Setting up Proxychains
(3:15- 4:58) Now, we get to the meat of this here, which is setting up the actual proxychains. So it says while we could interact with the target web server through SSH, or wget or curl or some of the other command line tools, that’s cumbersome. It’s not really good when you have to do a lot of work doing this stuff. When the volume gets up, that becomes not practical.
So it says we’re going to set up proxychains to proxy our connections through the proxy server. And the first step would be to set up a port forward using SSH. Now, here’s another key thing. And this is where we did a great job of spelling out it says, run this from your Kali machine, not through the SSH connection you made in the previous step, which is where we are now.
So what this tells the learner is that we need to open another terminal so that we’re on our actual Kali machine and not the machine that we just connected to. So it’s actually set up to where it’s really hard for you to misinterpret or mess up the steps here. We tried to make it very friendly for every level of learning even though this is Advanced Adversary Tactics.
So now we’re going to run this SSH command again in our new terminal here:
root@ip-172-20-16-249:/# ssh -d -N -D 9050 root@pivot -4
Alright, it tells us that the password is “toor.” And we do that, and we enter the password “toor” and we’re done with that step.
This basically will forward any requests to port 9050 on the local host to the proxy server with that connection set up. Proxychains can also be configured, which means all the traffic that’s destined for that port will now go out through that proxy. And this is how you set up your basic evasion.
(4:59- 5:43) In this step, it says configuring the proxychains. Basically, what we’re doing here is you’re just verifying. It says open up in a text editor of your choice; you’re verifying that this is actually there. So I’m just going to use nano to open that proxychains file.
root@ip-172-20-16-249:/# nano /etc/proxychains.conf
And verify that towards the bottom it says that the “socks” string is already put there.
We see at the very bottom that the port is correct; it’s the 9050 port. So everything actually lines up there. So I can get out of nano. And we’re good to move on to the next step.
Nmap with Proxychains
(5:44-6:45) Now we’re actually going to Nmap scan using the proxychain. We do that just by invoking it with the proxychain command. So now that the proxychain is configured, let’s test it with Nmap. It can only proxy certain types of packets. In other words, you’re not proxying all your traffic, just traffic that meets that criteria.
Now, in this case, it says we’re going to instruct Nmap to avoid pings; that’s where the -Pn is. And then we’re only going to do a TCP connect scan with the -sT flag there.
root@ip-172-20-16-249:/# proxychains4 nmap -Pn -sT target
Okay, so we go ahead and take this command, and I want to show you something that’s really important. What you see is that it actually went and connected, and we can see that traffic in the terminal here. It shows that we’re actually going through our proxy.
Learning more about Proxychains
(6:46-8:06) Some things that I would recommend you explore is setting up another listener on the other side like Wireshark TCP dump or something like that, and then noticing where these connections are actually coming from. If you subscribe to Infosec Skills and get yourself in this cyber range, even on a practice level, that’s some of the things that you can explore — just go crazy with all the different possibilities of what you can test with proxychains.
You don’t have to ask questions to try to read up on what your traffic looks like if you go through a proxychain. You can show yourself, and that’s one of the brilliant things about this new range.
Alright, so I’m gonna stop it right there. But I encourage you to actually jump into this range specifically with these Advanced Adversary Tactics labs, and practice and prove to yourself that you can do this and you can grasp it. It will be rewarding for you to see what you’re able to accomplish in a relatively short amount of time.
Try this cyber range yourself
Thank you for watching. And if you want to do exercises, just like what I just showed you on your own, and see how these all map to the MITRE ATT&CK framework, then head on over to our free cybersecurity training resources page to create an account and do exactly what you just saw me do.