// notes/ Pivoting & Tunneling
🚀
Pivoting Eumeration
1. Enumerate material found on the machine. 
#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/pivoting_eumeration ↗Eumeration
- Enumerate material found on the machine.
- Use pre-installed tools on the machine
- Use statically compiled tools
- Use scripting techniques
- Use local tools through a proxy (last resort ; very slow)
Check arp cache, static mappings, local DNS servers and interfaces (Linux)
code
01arp -a02cat /etc/hosts03cat /etc/resolv.conf04ip aCheck arp cache, static mappings and interfaces (Windows)
code
01arp -a02type C:\Windows\System32\drivers\etc\hosts03ipconfig /allNmap scan after pivot
code
01proxychains -q nmap -sT -Pn -p 21,80,443 172.16.6.240 172.16.6.241 172.16.6.254Living Off the Land (LotL)
Start off with uploading nmap and scanning the network from the compromised server
bash
$./nmap -sn 10.200.72.0/24 -oN hostsBash one-liner ping sweep
bash
$for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); doneBash one-liner port scan
bash
$for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; doneWindows ping sweep tools
code
01for /L %i in (1,1,255) do @ping -n 1 -w 200 172.16.2.%i > nul && echo 172.16.2.%i is up.code
0121,22,23,80,443,1433,3306,445,53,8080,1512,25,110,389,636,135,143,3389 | ForEach-Object { Test-NetConnection -ComputerName 172.16.171.14 -Port $_ -InformationLevel Quiet } | Where-Object { $_.TcpTestSucceeded }