Double pivoting – proxychains.conf – why should I use 2 entries?
I am studying pivoting and I had a question related to double pivoting.
Reading various blogs, I read that it is a common (but not always used) practice to define two entries in the /etc/proxychains.conf file when performing double pivoting.
For example, in this article there are 4 machines:
attack <--> jumpbox1.local <--> jumpbox2.local <--> destbox.local
and the purpose is to reach destbox.local from attack.
So in the article, with SSH, 2 ports are opened: port 8888 on attack's localhost and port 9999 on jumpbox1.local's localhost.
attack:~$ ssh -f -N -D 127.0.0.1:8888 user@jumpbox1.local
attack:~$ ssh user@jumpbox1.local 'ssh -f -N -D 127.0.0.1:9999 user@jumpbox2.local'
Figuring out how encapsulation might work, I imagine something like this:
And so far it makes sense.
However, when double pivoting is done with Metasploit the process is this (as described in this article):
use auxiliary/server/socks4a
set SRVHOST 172.16.0.20
set SRVPORT 1080
run
use auxiliary/server/socks4a
set SRVHOST 172.16.0.20
set SRVPORT 1081
run
and the proxychains.conf file is as follows:
root@kali:~# cat /etc/proxychains.conf
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
socks4 172.16.0.20 1080 # First Pivot
socks4 172.16.0.20 1081 # Second Pivot
But in this case, the socks proxies are both on the attacker's machine (172.16.0.20) and there are not 2 proxies on 2 different machines as in the first example. So I don't understand the point of adding the second entry. In addition it seems that even without the second entry, the last machine is reached from the attacker's machine.
Can anyone clarify this doubt for me? Thank you very much!
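As an added illustration (not from the question or either linked article) of what each proxy in a chain actually receives, here is a small model of the SOCKS4 CONNECT requests proxychains would issue hop by hop. The two 172.16.0.20 proxies are the ones from the Metasploit example above; the final destination 192.0.2.10 is a constructed placeholder.

```python
"""Model of how a proxychains dynamic/strict chain nests SOCKS4 CONNECTs, one per hop.
Addresses are constructed for illustration: the 172.16.0.20 proxies come from the
question; 192.0.2.10 is a documentation-range placeholder for the final destination."""
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90   # SOCKS4 reply code for "request granted"


def build_connect(host, port, userid=b""):
    """Encode a SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL terminator."""
    return struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, port,
                       socket.inet_aton(host)) + userid + b"\x00"


def parse_connect(data):
    """Decode a CONNECT request as a proxy would; returns (host, port, userid)."""
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS4_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    userid = data[8:data.index(b"\x00", 8)]
    return socket.inet_ntoa(raw_ip), port, userid


def build_reply(granted=True):
    """SOCKS4 reply: VN=0, CD=90 (granted) or 91 (rejected), then unused port/ip."""
    return struct.pack("!BBH4s", 0, REPLY_GRANTED if granted else 91, 0, b"\x00" * 4)


def chain_connect(proxies, target):
    """Replay the chain: proxy[i] is asked to CONNECT to proxy[i+1] and the last proxy
    to CONNECT to the target, each request carried inside the previous hop's tunnel.
    Returns (proxy, destination it was asked for) per hop, i.e. what its log shows."""
    next_hops = list(proxies[1:]) + [target]
    seen = []
    for proxy, nxt in zip(proxies, next_hops):
        request = build_connect(*nxt)
        host, port, _ = parse_connect(request)      # the proxy decodes its own hop only
        if struct.unpack("!BBH4s", build_reply())[1] != REPLY_GRANTED:
            raise RuntimeError("hop refused the CONNECT")
        seen.append((proxy, (host, port)))
    return seen


if __name__ == "__main__":
    msf_proxies = [("172.16.0.20", 1080), ("172.16.0.20", 1081)]  # from the question
    dest = ("192.0.2.10", 80)                                      # constructed
    for proxy, asked_for in chain_connect(msf_proxies, dest):
        print(f"proxy {proxy[0]}:{proxy[1]} was asked to CONNECT to {asked_for[0]}:{asked_for[1]}")
```

With a single entry the first proxy is asked for the destination directly; with two entries the first proxy only ever sees a CONNECT to the second proxy's address, which is also what a defender reviewing each proxy's connection log would observe.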