08 ‐ Working Over Proxifier
This document is for working from non-domain joined systems which do not have a direct line of sight to the target network (Proxifier / SSH tunnel, etc.). For working from non-domain joined systems that DO have a direct line of sight to the target network, please see the Wiki page Link
PsMapExec supports working from a non-domain joined machine. Setup is required to ensure the system can communicate correctly over the domain and through Kerberos. PsMapExec will detect when operating from a non-domain joined machine and will prompt you through a wizard to configure the system for domain communication.
This document assumes the operator intends to run PsMapExec from a non-domain joined machine through Proxifier into an SSH tunnel:

Workstation -> Proxifier -> SSH Tunnel -> Internal Network
- Running PsMapExec as a Local Administrator
- Valid IP address assigned to the preferred network adapter
- Proxifier installed
- Connectivity to a NUC / SSH Tunnel
- Configure Proxifier for a new Proxy Server: 127.0.0.1:1080 SOCKSv5
- Import the profile below, changing the target domain, subnets, etc. to match your environment
- Change the IP of the SSH rule to point to the SSH Tunnel / NUC
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxifierProfile version="102" platform="Windows" product_id="0" product_minver="400">
<Options>
<Resolve>
<AutoModeDetection enabled="false" />
<ViaProxy enabled="true" />
<BlockNonATypes enabled="false" />
<ExclusionList OnlyFromListMode="true">*sevenkingdoms.local</ExclusionList>
<DnsUdpMode>0</DnsUdpMode>
</Resolve>
<Encryption mode="disabled" />
<ConnectionLoopDetection enabled="true" resolve="true" />
<Udp mode="mode_bypass" />
<LeakPreventionMode enabled="false" />
<ProcessOtherUsers enabled="true" />
<ProcessServices enabled="true" />
<HandleDirectConnections enabled="false" />
<HttpProxiesSupport enabled="false" />
</Options>
<ProxyList>
<Proxy id="100" type="SOCKS5">
<Options>48</Options>
<Port>1080</Port>
<Address>127.0.0.1</Address>
</Proxy>
</ProxyList>
<ChainList />
<RuleList>
<Rule enabled="true">
<Action type="Direct" />
<Targets>localhost; 127.0.0.1; %ComputerName%; ::1</Targets>
<Name>Localhost</Name>
</Rule>
<Rule enabled="true">
<Action type="Direct" />
<Targets>192.168.200.30</Targets>
<Applications>ssh.exe</Applications>
<Name>SSH</Name>
</Rule>
<Rule enabled="true">
<Action type="Proxy">100</Action>
<Targets>*sevenkingdoms.local;192.168.56.*</Targets>
<Name>Any</Name>
</Rule>
<Rule enabled="true">
<Action type="Direct" />
<Name>Default</Name>
</Rule>
</RuleList>
</ProxifierProfile>
```
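A small checker for the profile, added here as an example and not part of PsMapExec or Proxifier: it parses the profile above (abridged to the elements it reads) and confirms the points the bullets call out before the service is restarted: a SOCKS5 proxy at 127.0.0.1:1080, ssh.exe reaching the tunnel host Direct (otherwise the tunnel's own connection would be routed into the SOCKS proxy it provides, the loop that `ConnectionLoopDetection` exists for), the DC address and names under the domain hitting the Proxy rule, and the domain being on the DNS exclusion list for remote resolution. It assumes Proxifier evaluates rules top-down with the first match winning; the sample name `dc.<domain>`, the function names and the finding strings are mine.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Abridged copy of the profile from this page (Options other than DNS
# resolution omitted), embedded so the script runs offline.
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxifierProfile version="102" platform="Windows" product_id="0" product_minver="400">
<Options>
<Resolve>
<ViaProxy enabled="true" />
<ExclusionList OnlyFromListMode="true">*sevenkingdoms.local</ExclusionList>
</Resolve>
</Options>
<ProxyList>
<Proxy id="100" type="SOCKS5">
<Port>1080</Port>
<Address>127.0.0.1</Address>
</Proxy>
</ProxyList>
<RuleList>
<Rule enabled="true">
<Action type="Direct" />
<Targets>localhost; 127.0.0.1; %ComputerName%; ::1</Targets>
<Name>Localhost</Name>
</Rule>
<Rule enabled="true">
<Action type="Direct" />
<Targets>192.168.200.30</Targets>
<Applications>ssh.exe</Applications>
<Name>SSH</Name>
</Rule>
<Rule enabled="true">
<Action type="Proxy">100</Action>
<Targets>*sevenkingdoms.local;192.168.56.*</Targets>
<Name>Any</Name>
</Rule>
<Rule enabled="true">
<Action type="Direct" />
<Name>Default</Name>
</Rule>
</RuleList>
</ProxifierProfile>
"""

def _split(text):
    """Proxifier stores target/application lists as ';'-separated strings."""
    return [p.strip().lower() for p in (text or "").split(";") if p.strip()]

def parse_profile(xml_text):
    root = ET.fromstring(xml_text.encode("utf-8"))
    proxies = {p.get("id"): (p.get("type"), p.findtext("Address"), p.findtext("Port"))
               for p in root.findall("./ProxyList/Proxy")}
    rules = []
    for r in root.findall("./RuleList/Rule"):
        action = r.find("Action")
        rules.append({"name": r.findtext("Name"),
                      "enabled": r.get("enabled") == "true",
                      "action": action.get("type"),
                      "proxy_id": (action.text or "").strip(),   # proxy id for Proxy actions
                      "targets": _split(r.findtext("Targets")),
                      "apps": _split(r.findtext("Applications"))})
    return {"proxies": proxies, "rules": rules,
            "dns_exclusions": _split(root.findtext("./Options/Resolve/ExclusionList"))}

def effective_rule(profile, app, host):
    """First enabled rule whose targets and applications both match.
    Assumption: Proxifier evaluates rules top-down and the first match wins."""
    app, host = app.lower(), host.lower()
    for rule in profile["rules"]:
        if not rule["enabled"]:
            continue
        if rule["targets"] and not any(fnmatch.fnmatchcase(host, t) for t in rule["targets"]):
            continue
        if rule["apps"] and app not in rule["apps"]:
            continue
        return rule
    return None

def check_profile(xml_text, domain, tunnel_ip, dc_ip):
    """Return a list of findings; an empty list means the profile matches the setup steps."""
    profile = parse_profile(xml_text)
    findings = []
    if ("SOCKS5", "127.0.0.1", "1080") not in profile["proxies"].values():
        findings.append("no SOCKS5 proxy defined at 127.0.0.1:1080")
    for rule in profile["rules"]:
        if rule["action"] == "Proxy" and rule["proxy_id"] not in profile["proxies"]:
            findings.append(f"rule {rule['name']!r} references undefined proxy id {rule['proxy_id']!r}")
    # ssh.exe's own connection to the tunnel host must go Direct, otherwise the
    # tunnel is routed into the SOCKS proxy it provides (a connection loop).
    ssh_rule = effective_rule(profile, "ssh.exe", tunnel_ip)
    if ssh_rule is None or ssh_rule["action"] != "Direct":
        via = ssh_rule["name"] if ssh_rule else "no rule"
        findings.append(f"ssh.exe -> {tunnel_ip} would be proxied ({via}): connection loop")
    # Traffic to the DC and to names under the domain must hit the Proxy rule
    # (dc.<domain> is a constructed sample name).
    for host in (dc_ip, f"dc.{domain}"):
        rule = effective_rule(profile, "powershell.exe", host)
        if rule is None or rule["action"] != "Proxy":
            findings.append(f"powershell.exe -> {host} would go Direct, not through the tunnel")
    # Names under the domain must be on the list resolved through the proxy.
    if not any(fnmatch.fnmatchcase(f"dc.{domain}".lower(), e) for e in profile["dns_exclusions"]):
        findings.append(f"*{domain} is not in the DNS ExclusionList for remote resolution")
    return findings

if __name__ == "__main__":
    for line in check_profile(PROFILE_XML, "sevenkingdoms.local", "192.168.200.30", "192.168.56.10") or ["profile OK"]:
        print(line)
```

Run it after editing the profile but before importing it into the service; the most common mistake it catches is forgetting to update the SSH rule's target (bullet "Change the IP of the SSH rule"), which silently sends the tunnel host into the proxied subnet.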
- Open Proxifier
- View -> Service Manager
- Install
- Import configuration from profile to service (The modified profile above)
- Restart the service
Open the SSH tunnel that provides the SOCKS proxy on port 1080:

```shell
ssh -D 1080 [email protected]
```
```powershell
Invoke-ConfigureNetworking -Domain "sevenkingdoms.local" -DC-IP "192.168.56.10" -DCHostName "kingslanding"
```

Reboot the system, connect to the SSH tunnel and ensure Proxifier is running as a service.
Ensure PsMapExec is run as an administrator so that it can populate the Hosts file; once that has completed you are ready to go.
Using the -DomainController parameter when working over Proxifier is strongly recommended.
```powershell
PsMapExec [Method] -Targets [Targets] -Domain "sevenkingdoms.local" -DomainController "192.168.56.10" -Username "admin_1" -Password "Password123"
```

If the above is flaky for computer object collection, run the command Clear-Databases and run again.
If domain communication is still unreliable after the above step, start a runas session as a domain user. In most cases this will work.

```powershell
# Run in an administrator shell
runas.exe /netonly /noprofile /user:sevenkingdoms.local\moe powershell
```