Cookie's Red Team Recipe
test
Testing
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
    • Tools
      • Nuclei
      • GoWitness
    • Reflective DLL Injection
  • Cloud
    • General
      • Enumeration
        • JWT
        • SEC 588
        • Tools and Procedures
      • Containers
        • Docker
        • Kubernetes
    • Azure
      • Discovery
        • Mapping URLS
        • Snaffpoint
      • Initial Access
        • Password Spray
        • Illicit Consent Grant
        • App Service Abuse
          • Insecure File Upload
          • SSTI
          • OS Command Injection
        • Blob Storage
        • Evilginx3
      • Enumeration
        • MG Module
        • Az PowerShell
        • Azure CLI
        • Tokens
        • ROADTools
        • StormSpotter
        • AzureHound
      • Privilege Escalation
        • Automation Account
        • Managed Identity Command Execution
        • Key Vault
        • ARM Templates
        • Function App
      • Lateral Movement
        • Custom Script Extension
        • User Data
        • Pass The PRT
        • Endpoint Manager
        • Dynamic Groups
        • Application Proxy
        • Password Hash Sync
      • Persistance
        • Pass-Through Authentication
        • Seamless SSO
        • Federation
    • AWS
      • Discovery
        • Mapping URLs
        • Authentication
        • Username Harvesting
        • Password Spraying
        • Storage
        • Pacu
      • Enumeration
        • Scanning
        • Copy of Pacu
      • Privilege Escalation
        • Instance Metadata Service
        • Copy of Pacu
      • Lateral Movement
        • Userdata
        • Pacu
        • Callbacks and Shells
      • KMS
      • CI/CD
        • Deployment Pipeline
        • SSRF
        • Lambda
    • GCP
  • OSINT
    • Checklist
  • Web Applications
    • Checklist
    • Web Vulnerabilities
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Enumeration
  • Exploitation
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • Cobalt Strike
      • User Impersonation
        • Pass the Hash
        • Pass the Ticket
        • Overpass the Hash
        • Token Impersonation
        • Token Store
        • Make Token
        • Process Injection
      • Lateral Movement
        • Windows Remote Management
        • PsExec
        • Windows Management Instrumentation (WMI)
        • CoInitializeSecurity
        • DCOM
      • Kerberos
        • Kerberoasting
        • ASREP Roasting
        • Unconstrained Delegation
        • Constrained Delegation
        • Alternate Service Name
        • S4U2Self Abuse
        • Resource-Based Constrained Delegation
        • Shadow Credentials
        • Kerberos Relay Attacks
      • Pivoting
        • SOCKS Proxies
        • Linux Tools For Proxies
        • Windows Tools For Proxies
        • Pivoting with Kerberos
        • Pivoting A Browser
        • Reverse Port Forwards
        • NTLM Relaying
        • Relaying WebDAV
      • AD Certificate Services
        • Find Certificate Authorities
        • Misconfigured Certificate Templates
        • NTLM Relaying to ADCS HTTP Endpoints
        • User & Computer Persistence
      • Group Policy
        • Modify Existing GPO
        • Create & Link a GPO
      • MS SQL Servers
        • MS SQL Impersonation
        • MS SQL Command Execution
        • MS SQL Lateral Movement
        • MS SQL Privilege Escalation
      • Configuration Manager
        • Enumeration
        • Network Access Account Credentials
        • Lateral Movement
      • Domain Dominance
        • Silver Tickets
        • Golden Ticket
        • Diamond Tickets
        • Forged Certificates
      • Forest & Domain Trusts
        • Parent/Child
        • One-Way Inbound
        • One-Way Outbound
      • LAPS (Local Administrator Password Solution)
        • Reading ms-Mcs-AdmPwd
        • Password Expiration Protection
        • LAPS Backdoors
  • Escalation
    • Windows
    • Linux
  • Report
    • Templates
  • Phishing
    • Techniques
      • Jscript
      • Word Document
        • Manual
        • Generated
      • HTML Smuggling
  • C2
    • Cobalt Strike
      • Starting
        • Profile
        • Artifact Kit Changes
        • Resource Kit Changes
        • Start CS as a Service
        • Manual AMSI Bypass
        • Set Anti-Behavioural Detections
        • Generating Payloads
        • Listener Management
        • Prepare For Command Line Detections
      • Tools
        • Application Whitelisting
          • Policy Enumeration
          • Writeable Paths
          • Binaries, Scripts, and Libraries
          • PowerShell CLM
          • Beacon DLL
        • Credentials
          • Credential Manager
          • Scheduled Task Credentials
        • Session Passing
          • Beacon Passing
          • Foreign Listener
          • Spawn & Inject
        • DCSync
        • Extracting Kerberos Tickets
        • Mimikatz
          • NTLM Hashes
          • Kerberos Encryption Keys
          • Security Account Manager
          • Domain Cached Credentials
        • Take Screenshot
        • Evading Windows Defender
          • Artifact Kit
          • Malleable C2
          • Resource Kit
          • AMSI vs Post-Exploitation
          • Manual AMSI Bypasses
          • Behavioural Detections
          • Parent/Child Relationships
          • Command Line Detections
        • Pivot Listeners
    • Sliver
      • Post-Exploitation
        • Proxy
    • Brute Ratel
    • Domains
    • Mythic
Powered by GitBook
On this page
  • Socat
  • IPTABLES as a Redirection Tool
  • Windows Portproxy
  1. Cloud
  2. AWS
  3. Lateral Movement

Callbacks and Shells

Socat

Socat’s syntax can be very complex. Even when trying to write a file, the options can be overwhelming. We have decided instead to provide a simple list of socat options that can be multi-purposed to illustrate the possibility of using the tool.

socat –d –d tcp4-listen:8080,reuseaddr,fork TCP4:1.2.3.4:80

This set of options will perform the following actions:

• -d –d: Suppress debug output on the screen.

• tpc4-listen:8080: Listen on ipv4 tcp port 8080.

• reuseaddr,fork: Make the system multi-threaded.

• TCP4:1.2.3.4:80: Redirect the traffic to a TCP IPv4 address 1.2.3.4 on port 80.

Another interesting option is:

socat openssl-listen:8443,reuseaddr,cert=cert.pem,verify=0,fork stdio

• openssl-listen:8443: This listens on 8443 and performs a TLS handshake on connect.

• reuseaddr,cert=cert.pem,verify=0,fork: This takes the communication and provides a certificate using the cert.pem file and turns off certificate verification so that self-signed certificates can be used. • stdio: Here, it is used as the destination, and since it’s a standard redirection out to the screen, you will be displaying the results on the standard out of the terminal.

For file serving, you need a client and server component.

Server: socat -u FILE:filename TCP-LISTEN:1234,reuseaddr

• FILE:filename is the source address.

• TCP-LISTEN:1234 is the destination address so that the file is services on connect. Client: socat -u TCP:1.2.3.4:1234 OPEN:filename.dat,create,trunc

• OPEN:filename.dat: This is the destination of the connection as we are going to be opening a file.

• create,trunc: This is where it may be confusing; while create should create a file, it will not overwrite a file without the keyword trunc. If you don't specify the trunc system call, then you will be in a file append mode.

IPTABLES as a Redirection Tool

Linux iptables, and its successor nftables, has the capability to perform a destination NAT iptables connection. To successfully set up Linux as a router, you must enable ipv4 forwarding in the kernel: 

$ sudo sysctl net.ipv4.ip_forward=1 # This is temporary
$ echo "net.ipv4.ip_forward = 1" >> /etc/systctl.conf # Permanent

• Then you must specify redirection

iptables -t nat –A PREROUTING –p tcp –dport 1234 –j DNAT --to-destination 1.2.3.4:8080

Linux has two options for redirections: iptables and its successor, nftables. We will focus on iptables as nftables are not widely used. Iptables can be configured to redirect inbound ports to a specific destination port using Network Address Translations (NAT). To make this possible, there are a few options that we need to enable. The first one is to turn on the kernel’s IP forwarding capability by using sysctl for a temporary solution or permanently modify it using the sysctl.conf file. Once this is done, the following can be put into iptables to perform destination NAT: #iptables:

• #-I inserts a value, in this case the INPUT table and, if accepted, jumps to the ACCEPT area

• iptables -I INPUT -p tcp -m tcp --dport 1234 -j ACCEPT

• #-t specifies the NAT table, and this rule APPENDS to PREROUTING tables a rule for destination port 1234 Jumping to the Dynamic NAT table and redirecting output to 1.2.3.4 on port 8080

• iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 1.2.3.4:8080

• # The next section in the NAT table appends to POSTROUTING and adds MASQUERADE, which basically is a PAT

• iptables -t nat -A POSTROUTING -j MASQUERADE

• # The last two rules inserts to the FORWARD tables and forwards all of the remaining traffic • iptables -I FORWARD -j ACCEPT

• iptables -P FORWARD ACCEPT

Windows Portproxy

Microsoft Windows in 2000 and above has a special interface that can be used to redirect ports. Windows netsh allows for the configuration of the portproxy interface. Portproxy can be used to forward one port to a specific host and port. To configure the netsh interface:

C:> netsh interface portproxy add v4tov4 listenport=1234 connectport=8080 connectaddress=1.2.3.4

Once the interface is configured, any packets that come in on port 1234 will be redirected to host 1.2.3.4 on port 8080. To view any existing portproxy, you can use:

C:> netsh interface portproxy show all

From a forensics point of view, the connections that originated to or from the portproxy will appear as if they are coming from the svchost.exe process, which may not show up as a malicious process in many of the EDR tools. The specific svchost.exe process will show up as:

• Service Name: iphlpsvc

• Display Name: IP Helper

• Binary Path: svchost.exe –k NetSvcs

This will make standard detections harder without executing the netsh command. 56 hide0

PreviousPacuNextKMS

Last updated 2 months ago

• TCP:1.2.3.4 In this case, it’s the connection we are making to get the file. 51 hide01.ir Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit

🔢