pivotsuite's Issues

Unable to work with the client for port forwarding

If I try to establish a local port forwarding

If I run one of these three commands on the compromised machine:

$ pivotsuite -S -F --server-option=PF --server-ip=192.168.1.80 --server-port=8080
$ pivotsuite -S -F --server-option=PF --forward-ip=10.42.42.2 --forward-port=80 --server-ip=192.168.1.80 --server-port=8080
$ pivotsuite -S -F --server-option=PF --remote-ip=10.42.42.2 --remote-port=80 --server-ip=192.168.1.80 --server-port=8080

And then on the attacker machine:

$ pivotsuite -C -O PF -L --local-ip=127.0.0.1 --local-port=6666 --remote-ip=10.42.42.2 --remote-port=80 --server-ip=192.168.1.80 --server-port=8080

It displays as if it were working. But when I tried to connect:

$ curl --head http://127.0.0.1:6666
curl: (7) Failed to connect to 127.0.0.1 port 6666: Connection refused

If I check, no port is opened on my machine: ss -nlp | grep 6666.

I have done forwarding/tunneling hundreds of times with ssh, sshuttle, regeorg, neo-regeorg, chisel, rpivot, ncat, metasploit, tunna, etc., but can't make a simple local port forwarding work with PivotSuite.

Connection lost

Hello, and thank you for this great tool.

On the server-side, I run the following command:

python pivotsuite.py -S -W

On the client-side, I run the following command:

python pivotsuite.py -C -O SP --server-ip IP --server-port PORT

That's the IP and PORT; I replaced the IP and server port (7777).
After the connection, the following message is displayed:

DEBUG - [+] Client IP Client:44828 Connected
DEBUG - [+] Configure ProxyChains 0.0.0.0:1701 ==>> HOST IP Client

In the proxychains.conf file, in the last line, I added the following command:

socks5 127.0.0.1 1701

I added the following line in the client.py file to display the output (line 11: print(data, client.send(data))):

import select

def exchange_loop(client, remote):
    while True:
        # wait until client or remote is available for read
        r, w, e = select.select([client, remote], [], [])
        if client in r:
            data = client.recv(4096)
            # stop relaying once nothing could be sent to the remote side
            if remote.send(data) <= 0:
                break
        if remote in r:
            data = remote.recv(4096)
            # debug line added for this report (this call also sends data)
            print(data, client.send(data))
            if client.send(data) <= 0:
                break

After executing the command, it shows the closed port and the client connection is disconnected:

root@ubuntu:~# proxychains nmap -Pn -p 80 scanme.nmap.org
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-23 02:32 EDT
|DNS-request| scanme.nmap.org
|S-chain|-<>-127.0.0.1:1701-<><>-4.2.2.2:53-<><>-OK
|DNS-response| scanme.nmap.org is 45.33.32.156
45.33.32.156/0 looks like an IPv6 target specification -- you have to use the -6 option.
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.15 seconds

The following message is displayed in the client console:

No handlers could be found for logger "root"
('\x00<\xa22\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01\x06scanme\x04nmap\x03org\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04-! \x9c\x00\x00) \x00\x00\x00\x00\x00\x00\x00', 62)
('\x00<\xa22\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01\x06scanme\x04nmap\x03org\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04-! \x9c\x00\x00) \x00\x00\x00\x00\x00\x00\x00', 62)
('', 0)

And the connection is disconnected.

optparse is deprecated

Issue

optparse is deprecated in both Python 2 and 3

Idea

Replace it with argparse for a stdlib-only requirement.

Documentation unclear

Problem n°1

In PivotSuite Server Options there is no --remote-ip or --remote-port, but in Case 1: (Forward TCP Tunneling) b you put as an example:

$ python pivotsuite.py -S -F --server-option PF --network-protocol T/U --remote-ip IP --remote-port PORT --server-ip IP (local-ip) --server-port PORT (local-port)

So is --remote-ip the same option as --forward-ip, because the description is Remote Host Port for Port Forwarding?

Update: I checked and they do exactly the same thing.

Problem n°2

Why are there positional arguments for server IP and port, when most of the time you're forced to use --server-ip and --server-port because the positional arguments are ignored?

$ Usage: pivotsuite [options] SERVER-IP SERVER-PORT

Example of a command where you can't use positional arguments:

$ python pivotsuite.py -S -F --server-option PF --network-protocol T/U --remote-ip IP --remote-port PORT --server-ip IP (local-ip) --server-port PORT (local-port)

Example where positional arguments are not respected:

$ pivotsuite -S -W 192.168.1.55 8080
2019-09-05 16:13:06,553 - DEBUG - [*] PivotSuite TCP Server LISTEN On 0.0.0.0:7777 For Reverse TCP Connection
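
An argparse layout covering the two issues above (the optparse replacement, and positional SERVER-IP SERVER-PORT being ignored while --remote-ip and --forward-ip do the same thing). This is an added example, not PivotSuite's own code: it covers only the server-side options quoted on this page, and the function names, the merge/conflict rule and the use of 0.0.0.0:7777 as defaults (taken from the log line above) are assumptions.

```python
import argparse

def port(text):
    """argparse type: an integer port in 1..65535."""
    n = int(text)  # a ValueError here is reported by argparse as a usage error
    if not 1 <= n <= 65535:
        raise argparse.ArgumentTypeError("port out of range: %s" % text)
    return n

def build_parser():
    # Only options quoted in the issues above; client-only options are omitted.
    p = argparse.ArgumentParser(prog="pivotsuite")
    mode = p.add_mutually_exclusive_group(required=True)
    mode.add_argument("-S", dest="mode", action="store_const", const="server")
    mode.add_argument("-C", dest="mode", action="store_const", const="client")
    p.add_argument("-F", dest="forward", action="store_true")
    p.add_argument("-W", dest="reverse", action="store_true")
    p.add_argument("--server-option")
    # Both spellings write to one destination, so they cannot drift apart.
    p.add_argument("--forward-ip", "--remote-ip", dest="remote_ip")
    p.add_argument("--forward-port", "--remote-port", dest="remote_port", type=port)
    p.add_argument("--server-ip", dest="server_ip_opt")
    p.add_argument("--server-port", dest="server_port_opt", type=port)
    # Optional positionals, matching "pivotsuite [options] SERVER-IP SERVER-PORT".
    p.add_argument("server_ip_pos", nargs="?", metavar="SERVER-IP")
    p.add_argument("server_port_pos", nargs="?", type=port, metavar="SERVER-PORT")
    return p

def parse(argv):
    """Parse argv, then merge positional and --server-* values (assumed rule)."""
    p = build_parser()
    a = p.parse_args(argv)
    # Defaults assumed from the 0.0.0.0:7777 log line quoted above.
    for name, default in (("server_ip", "0.0.0.0"), ("server_port", 7777)):
        opt, pos = getattr(a, name + "_opt"), getattr(a, name + "_pos")
        if opt is not None and pos is not None and opt != pos:
            p.error("%s given both ways with different values" % name)
        given = opt if opt is not None else pos
        setattr(a, name, default if given is None else given)
    return a

if __name__ == "__main__":
    print(parse(["-S", "-W", "192.168.1.55", "8080"]))
```

With this layout a positional address is honoured instead of silently falling back to the default listener, and a positional value that contradicts --server-ip or --server-port is rejected as a usage error.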

nmap response is always "open"

When using this in Forward mode (Server in Victim), I run an nmap and the response it gives is "port open", even when the port is closed.
Is there a way to return whether the port is open or closed?
Thank you
