Tunneling

SSH

-M Places the SSH client into “Master” mode for connection sharing

-S Create a Slave connection using a previously set up Master connection

-S Specifies the location of a control socket for connection sharing

-L Setting up for a future connection (forward tunnel)

-R Reverse tunnel

ssh -M -S /tmp/T1 user@[1st Target IP] -p [Target 1 SSH port] -L [RHP1]:[2nd Target IP]:[Target 2 SSH Port]

ssh -M -S /tmp/T2 user@127.0.0.1 -p [RHP1] -L [RHP2]:[3rd Target IP]:[Target 3 SSH Port]

ssh -M -S /tmp/T3 user@127.0.0.1 -p [RHP2]


Example:

ssh -M -S /tmp/T1 root@10.0.0.1 -p 22 -L 14002:10.0.0.2:22

ssh -M -S /tmp/T2 admin@127.0.0.1 -p 14002 -L 14003:10.0.0.3:22

ssh -M -S /tmp/T3 vyos@127.0.0.1 -p 14003

All these masters are now set up and connected.

*You can now open a new terminal session over T2 above (without opening a separate connection) using -S:

ssh -S /tmp/T2 admin@127.0.0.1 -p 14002

Reverse:

ssh -M -S /tmp/T3 vyos@127.0.0.1 -p 14003 -R 14002:0.0.0.0:14002

nc listener on the attack box to receive a file from Target 4: nc -lvnp 14002 > [file.txt]


Banner Grab

When you find a new IP of interest, add a forward to the master SSH connection you already created

Already created Master: ssh -M -S /tmp/t1 user@[Target 1 IP] -p 22

add the forward: ssh -S /tmp/t1 user@[Target 1 IP] -p 22 -L 14002:[newly found ip]:22

telnet 127.0.0.1 14002

nc -vn 127.0.0.1 14002

ProxyChains

Set up

add -D 9050 (default port) -N -f to end of your SSH commands


configuration (you can add more): /etc/proxychains.conf

default: socks4 127.0.0.1 9050

Close Proxychains ssh connection

ssh -S /tmp/T1 -O cancel -D 9050 user@127.0.0.1 -p 22

Scanning with Proxychains

proxychains nc -nz [IP] [port range]

proxychains nmap -sT -Pn [IP] [port range]


NetSH

netsh port forwarding:

netsh interface portproxy add v4tov4 listenport=6969 connectaddress=[forwardIP] connectport=22

 -This sets up a firewall rule to forward traffic


netsh interface portproxy show all

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         6969        10.169.0.9      22
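An added parser for that `show all` table (example code, not part of these notes), useful on the defensive side for auditing a host's portproxy rules, since entries listening on every interface are the first thing to review. The sample output below is constructed to match the table format above; no real host was queried.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netsh interface portproxy show all` output,
# modelled on the table shown above (assumed format, not captured output).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         6969        10.169.0.9      22
127.0.0.1       8080        192.0.2.10      80

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
::              3389        10.169.0.9      3389
"""

@dataclass(frozen=True)
class PortProxyRule:
    kind: str          # e.g. "v4tov4", "v6tov4"
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

SECTION_RE = re.compile(r"Listen on ipv(4|6):\s+Connect to ipv(4|6):")

def parse_portproxy(text: str) -> list[PortProxyRule]:
    """Parse the 'show all' table into one rule record per data row."""
    rules, kind = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            kind = f"v{m.group(1)}tov{m.group(2)}"
            continue
        parts = line.split()
        # Data rows have four fields with numeric port columns; the
        # "Address Port Address Port" header and the dashes line do not.
        if kind and len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            rules.append(PortProxyRule(kind, parts[0], int(parts[1]), parts[2], int(parts[3])))
    return rules

def exposed_rules(rules: list[PortProxyRule]) -> list[PortProxyRule]:
    """Rules bound to every interface: review these first when auditing a host."""
    return [r for r in rules if r.listen_addr in ("0.0.0.0", "::", "*")]

if __name__ == "__main__":
    for r in exposed_rules(parse_portproxy(SAMPLE_OUTPUT)):
        print(f"{r.kind}: {r.listen_addr}:{r.listen_port} -> {r.connect_addr}:{r.connect_port}")
```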


Create a new forward on Target 2

ssh -S /tmp/t2 [username]@127.0.0.1 -p 14002 -L 14003:10.169.0.9:6969

Then connect to T3 through newly established forward tunnel

ssh -M -S /tmp/t3 [username]@127.0.0.1 -p 14003


Show current portproxy rules

netsh interface portproxy show all

Delete

netsh interface portproxy delete v4tov4 listenport=6969 listenaddress=[forward IP] protocol=tcp

netsh interface portproxy reset

netsh advfirewall firewall delete rule name="[rule name]"

IPTables Redirection


Prerouting rules:

iptables -A PREROUTING -t nat -s <kalibox> -d <redirIP> -p tcp --dport <targetport> -j DNAT --to-destination <targetIP>:<targetPort>

Explained: if you see anything coming from <kalibox> with destination <redirIP> on port <targetport>, send it to <targetIP>:<targetPort>


Reverse Translation:

iptables -A PREROUTING -t nat -s <targetIP> -d <redirIP> -p tcp -j DNAT --to-destination <kaliBox>

Explained: if you see anything coming from <targetIP> with the destination <redirIP> send it to <kaliBox>

Note: you can add --dport <port> to the match so the rule only catches traffic to a specific port rather than taking all traffic from <targetIP>



Postrouting Source IP changes:

Explained: the source IP has not been changed yet, so you need to add POSTROUTING rules so the path goes <targetIP> to <redirIP> to <kaliBox>

KaliBox to Target:

iptables -A POSTROUTING -t nat -s <kalibox> -d <targetIP> -p tcp -j SNAT --to-source <redirIP>

Explained: for anything coming from <kalibox> destined for <targetIP>, change the source address to <redirIP>


Target to KaliBox

iptables -A POSTROUTING -t nat -s <targetIP> -d <kalibox> -p tcp -j SNAT --to-source <redirIP>

Explained: for anything coming from <targetIP> destined for <kalibox>, set the source address to <redirIP>