• Stars
    star
    119
  • Rank 297,930 (Top 6 %)
  • Language
    C++
  • License
    BSD 2-Clause "Sim...
  • Created over 5 years ago
  • Updated over 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Tool for injecting a "TCP Relay" managed assembly into unmanaged processes

TCPRelayInjecter

UPDATE : You should check a more recent version of the TCPRelayInjecter that uses a different (simpler) technique of DLLinjection as well as supports 32 and 64 bits target processes TCPRelayInjecter2

Author: Arno0x.

This project is heavily based on SharpNeedle.

The tool is used to inject a "TCP Forwarder" managed assembly (TCPRelay.dll) into an unmanaged 32 bits process.

Note: TCPRelayInjecter only supports 32-bits target processes and only relays TCP connections.

Background and context

I created this tool in order to bypass Windows local firewall rules preventing some inbound connections I needed (in order to perform some relay and/or get a MiTM position). As a non-privileged user, firewall rules could not be modified or added.

The idea is to find a process running as the same standard (non-privileged) user AND allowed to receive any network connection, or at least the ones we need: netsh advfirewall firewall show rule name=all

From there we just have to inject a TCP Forwarder assembly in it, passing it some arguments like a local port to listen to, a destination port and an optionnal destination IP to forward the traffic to.

Compile

Open the TCPRelayInjecter.sln file with Visual Studio, compile the solution. Tested and working with Visual Studio Community 2019.

Usage

Prior to running the tool, ensure the 3 binary files are in the same path:

  • TcpRelayInjecter.exe
  • Bootstrapper.dll
  • TCPRelay.dll

Then use the following command line:

TcpRelayInjecter.exe <target_process_name> <listening_port> <destination_port> [destination_IP]

  • target_process_name: The name of the executable we want to inject the TCP Forwarder into
  • listening_port: the TCP port to use for listening for inbound connections
  • destination_port: the TCP port to which forward the traffic (typically another process would be listening on that port)
  • destination_IP: Optionnal, the destination IP to which forward the traffic, if not specified, defaults to localhost

License

Just as requested by the SharpNeedle project, this project is released under the 2-clause BSD license.

More Repositories

1

DNSExfiltrator

Data exfiltration over DNS request covert channel
JavaScript
802
star
2

EmbedInHTML

Embed and hide any file in an HTML file
HTML
462
star
3

PowerShellScripts

Collection of PowerShell scripts
PowerShell
434
star
4

ShellcodeWrapper

Shellcode wrapper with encryption for multiple target languages
Python
410
star
5

WSC2

A WebSocket C2 Tool
Python
366
star
6

CSharpScripts

Collection of C# scripts
C#
326
star
7

NtlmRelayToEWS

ntlm relay attack to Exchange Web Services
Python
325
star
8

DivertTCPconn

A TCP packet diverter for Windows platform
C
275
star
9

DBC2

DBC2 (DropboxC2) is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controler, running on any machine, powershell modules, and Dropbox servers as a means of communication.
PowerShell
269
star
10

DNSDelivery

DNSDelivery provides delivery and in memory execution of shellcode or .Net assembly using DNS requests delivery channel.
PowerShell
148
star
11

TwoFactorAuth

Two Factor Authentication web portal written in PHP
PHP
119
star
12

WebDavC2

A WebDAV PROPFIND C2 tool
Python
116
star
13

ObfuscateCactusTorch

When CactusTorch meets WebDavDelivery and obfuscation
Python
64
star
14

TCPRelayInjecter2

Tool for injecting a "TCP Relay" managed assembly into an unmanaged process
C#
62
star
15

ReflectiveDnsExfiltrator

Data exfiltration using reflective DNS resolution covert channel
JavaScript
54
star
16

WebDavDelivery

A WebDAV PROPFIND covert channel to deliver payloads
Visual Basic
53
star
17

TermGate

A web application for running shell commands interactively on your server
PHP
21
star
18

BluecoatURLFilteringBypass

Bluecoat proxies URL filtering bypass PoC
JavaScript
14
star
19

MOBACMapsSources

Mobile Atlas Creator Additionnal map sources
11
star
20

NmapScripts

Collection of Nmap scripts
Lua
11
star
21

MultibyteEncodedShellcode

An AV evasion technique using multibyte xor encoding of shellcode
9
star
22

Docker-Dnscat2

Dockerfile and ressources for Dnscat2
Shell
8
star
23

GimmeTheFile

Proof of concept for bypassing corporate web proxies filtering and antiviruses
PHP
8
star
24

DeliverXLLviaHTML

Deliver encrypted XLL embeded in HTML file
7
star
25

Docker-Socator

Dockerfile and ressources for Socat + Tor
Shell
7
star
26

ShellScripts

Collection of shell scripts
Shell
6
star
27

HttpProxy

A simple HttpProxy for NodeJS
JavaScript
6
star
28

Docker-Cryptpad

Dockerfile and ressources for CryptPad application
JavaScript
5
star
29

Docker-DBC2

Dockerfile and ressources for DBC2
1
star
30

Docker-Koadic

Dockerfile and ressources for Koadic
1
star