pivotnacci

Pivot into the internal network by deploying HTTP agents. Pivotnacci allows you to create a SOCKS server that communicates with HTTP agents deployed on a web server. The architecture looks like the following:
This tool was inspired by the great reGeorg. However, it includes some improvements:
- Support for balanced servers
- Customizable polling interval, useful to reduce detection rates
- Automatically drops connections that the server has closed
- Modular and cleaner code
- Installation through pip
- Password-protected agents
Supported SOCKS protocols
- SOCKS 4
- SOCKS 5
  - No authentication
  - Username/password
  - GSSAPI
Install
pip3 install pivotnacci
Use
- Upload the required agent (php, jsp or aspx) to a web server
- Start the SOCKS server once the agent is deployed
- Configure proxychains or any other proxy client (the pivotnacci SOCKS server listens on port 1080 by default)
Example
Using an agent with the password s3cr3t (the AGENT_PASSWORD variable must be set to the same value in the agent as well):
pivotnacci https://domain.com/agent.php --password "s3cr3t"
Using a custom HTTP Host header and a custom User-Agent (CustomAgent):
pivotnacci https://domain.com/agent.jsp -H 'Host: vhost.domain.com' -A 'CustomAgent'
Setting a different agent acknowledgement message, 418 I'm a teapot (the ACK_MESSAGE variable must be changed in the agent as well):
pivotnacci https://domain.com/agent.aspx --ack-message "418 I'm a teapot"
Reducing the detection rate (e.g. by a WAF) by setting the polling interval to 2 seconds (the value is given in milliseconds):
pivotnacci https://domain.com/agent.php --polling-interval 2000
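From the defender's side, the polling interval only changes how often the agent is hit; the traffic still consists of one client repeatedly requesting one script at a near-constant cadence. The following added example (not part of pivotnacci or its agents) parses Combined Log Format access-log lines and flags (client, path) pairs whose inter-request gaps are almost constant, which is how a polling HTTP agent looks in a web server log regardless of the interval chosen. The log lines, IPs, paths, thresholds and the CustomAgent User-Agent are constructed for the example; the detection is generic and not tied to a particular tool.

```python
"""Spot HTTP-agent beaconing in web server access logs.

Added example, not part of pivotnacci: groups requests by (client IP, path)
and reports groups that poll with a near-constant cadence. Human browsing is
bursty (high variance between requests); a polling agent is metronomic.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Apache/nginx "combined" log format (constructed sample line shape):
# 10.0.0.5 - - [12/Mar/2020:10:00:00 +0000] "POST /uploads/agent.php HTTP/1.1" 200 12 "-" "CustomAgent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": m.group("status"), "ua": m.group("ua")}


def find_beacons(lines, min_requests=5, max_cv=0.2):
    """Return [(ip, path, count, mean_gap_seconds, [user_agents])] for sources
    that hit one path with regular timing.

    max_cv is the largest coefficient of variation (stdev / mean) of the gaps
    between consecutive requests that still counts as "regular". The defaults
    are illustrative thresholds; tune them against your own baseline traffic."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_key[(rec["ip"], rec["path"])].append(rec)

    findings = []
    for (ip, path), recs in by_key.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:          # all requests in the same second: no cadence to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            uas = sorted({r["ua"] for r in recs})
            findings.append((ip, path, len(recs), round(avg, 1), uas))
    return findings


# Constructed sample log: a 2 s poller, a 30 s poller with slight jitter,
# and a human browsing /index.html at irregular times.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2020:10:00:00 +0000] "POST /uploads/agent.php HTTP/1.1" 200 12 "-" "CustomAgent"',
    '192.168.1.20 - - [12/Mar/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2020:10:00:02 +0000] "POST /uploads/agent.php HTTP/1.1" 200 12 "-" "CustomAgent"',
    '192.168.1.20 - - [12/Mar/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2020:10:00:04 +0000] "POST /uploads/agent.php HTTP/1.1" 200 12 "-" "CustomAgent"',
    '10.0.0.5 - - [12/Mar/2020:10:00:06 +0000] "POST /uploads/agent.php HTTP/1.1" 200 12 "-" "CustomAgent"',
    '10.0.0.5 - - [12/Mar/2020:10:00:08 +0000] "POST /uploads/agent.php HTTP/1.1" 200 12 "-" "CustomAgent"',
    '10.0.0.5 - - [12/Mar/2020:10:00:10 +0000] "POST /uploads/agent.php HTTP/1.1" 200 12 "-" "CustomAgent"',
    '192.168.1.20 - - [12/Mar/2020:10:00:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [12/Mar/2020:10:00:41 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [12/Mar/2020:10:00:42 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [12/Mar/2020:10:01:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2020:10:05:00 +0000] "POST /api/agent.aspx HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2020:10:05:30 +0000] "POST /api/agent.aspx HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2020:10:06:00 +0000] "POST /api/agent.aspx HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2020:10:06:31 +0000] "POST /api/agent.aspx HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2020:10:07:00 +0000] "POST /api/agent.aspx HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, n, avg, uas in find_beacons(SAMPLE_LOG):
        print(f"{ip} -> {path}: {n} requests every ~{avg}s, UA={uas}")
```

Run against real logs, this should be paired with allow-listing of legitimate pollers (monitoring probes, AJAX refreshes) and combined with the other signals the README itself hints at: a script that only ever receives POSTs, a User-Agent that appears on exactly one path, or a Host header that does not match a configured virtual host.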
Copyright (C) 2020 Eloy Pérez (@Zer1t0) [ www.blackarrow.net – www.tarlogic.com ]