SKILL CCNE005: Define the principles of tunneling network traffic
SKILL CCNE006: Identify fundamentals of secure shell protocol & port forwarding
SKILL CCNE007: Perform network traffic redirection
SKILL CCNE008: Perform file transfers
scp file1.txt username@10.0.0.2:/directory/path
scp username@10.0.0.2:file2.txt /directory/path
- Protocol Headers: modulation, manipulation, options
- Data Field
Example: with ping, the -p switch writes a chosen hex pattern into the ICMP data field
- Master/Zombies
- Used for: Spam, DDoS, Spyware, Virus, Clickfraud
- Notorious Examples: Conficker, Zeus, TDL-4 (Alureon)
- Commonly used protocol for C2: HTTP, IRC, UDP, DNS over TCP
(Obj. 12.6 Describe protocol swapping)
- DNSCAT2 is just one of many
- Most often, common protocols are used to hide devious actions
- Common Botnet C2 protocols are also popular choices for programs that provide protocol swapping
Covertness = function of Capacity of the Medium/Transmission Rate
Most common methods of data exfiltration: HTTP/HTTPS, DNS, FTP, RDP, SMTP/email, SMB, TOR
Techniques to help obfuscate the exfiltration: Compression, Encoding, Encryption
Stdin (channel 0) / Stdout (channel 1)
Pipes
- Fifo in nature
- Can live longer than the process it facilitates
- Can use it for a pass-through in data transfers
Client vs. Listener
Netcat: Client to Listener file transfer
Client(sends file): nc 10.0.0.2 9001 < file.txt
Listener (receive file): nc -l -p 9001 > newfile.txt
Netcat: Listener to Client file transfer
Listener(sends file): nc -l -p 9001 < file.txt
Client (receive file): nc 10.0.0.2 9001 > newfile.txt
On Client Relay:
mknod mypipe p
nc 10.0.0.3 9002 <mypipe | nc 10.0.0.1 9001 | tee mypipe
On Listener2 (sends info):
nc -l -p 9002 < infile.txt
On Listener1 (receives info):
nc -l -p 9001 > outfile.txt
Writes the output both to the screen (stdout) and to the named pipe (mypipe)
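The following is an added example, not part of the original notes: a loopback-only Python model of the three-host relay above (Listener2 sends a file, the relay box joins the two connections, Listener1 writes the result). It replaces the two netcat processes and the named pipe with two sockets and two copy threads, so the data path is visible in one place: every byte of the file passes through the relay host in the clear, which is exactly what a network defender looking at the relay box would capture. The ports are chosen by the OS (port 0) rather than the notes' 9001/9002, and the payload is a constructed sample.

```python
import socket
import threading

# Constructed stand-in for infile.txt (not from the original notes)
SAMPLE_DATA = b"constructed sample payload\nline two\nline three\n"


def _listen() -> socket.socket:
    """Open a loopback listener on an OS-chosen port (the 'nc -l -p' role)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src reaches EOF, then half-close dst,
    the same way a closed pipe ends the downstream process's stdin."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def run_relay_demo(data: bytes = SAMPLE_DATA) -> bytes:
    """Run Listener2 (sender), Listener1 (receiver) and the relay on loopback;
    return the bytes Listener1 received (what would land in outfile.txt)."""
    sender_ls = _listen()    # Listener2: nc -l -p 9002 < infile.txt
    receiver_ls = _listen()  # Listener1: nc -l -p 9001 > outfile.txt
    result = {}

    def listener2() -> None:
        conn, _ = sender_ls.accept()
        with conn:
            conn.sendall(data)
            conn.shutdown(socket.SHUT_WR)      # file fully sent: EOF towards the relay
            while conn.recv(4096):             # drain the return direction until the relay closes
                pass

    def listener1() -> None:
        conn, _ = receiver_ls.accept()
        with conn:
            buf = bytearray()
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            result["out"] = bytes(buf)

    t2 = threading.Thread(target=listener2)
    t1 = threading.Thread(target=listener1)
    t2.start()
    t1.start()

    # Relay host: nc 10.0.0.3 9002 <mypipe | nc 10.0.0.1 9001 | tee mypipe
    to_sender = socket.create_connection(sender_ls.getsockname())
    to_receiver = socket.create_connection(receiver_ls.getsockname())
    fwd = threading.Thread(target=_pump, args=(to_sender, to_receiver))   # the '|' direction
    back = threading.Thread(target=_pump, args=(to_receiver, to_sender))  # the tee -> mypipe direction
    fwd.start()
    back.start()
    fwd.join()
    back.join()
    to_sender.close()
    to_receiver.close()
    t1.join()
    t2.join()
    sender_ls.close()
    receiver_ls.close()
    return result["out"]


if __name__ == "__main__":
    print(run_relay_demo().decode())
```

The second copy thread is what the named pipe provides in the netcat version: without it the relay is one-way, and any reply from Listener1 would be dropped instead of reaching Listener2.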
- FPIPE is a port/stream redirector commonly used on Windows systems. It can create a TCP or UDP stream with a source port of your choice.
This is useful for getting past firewalls that allow traffic with a source port of, say, 22 to reach internal servers.
- Redirectors can be used to change source/destination port information in order to mask the origin or subvert security measures
Imagine that you are at work, but you wanted to do non-work related activities. Your company firewall prevents you from accessing a website you want to browse to (gambling.com). SSH is allowed from the inside of the network outbound because the IT staff must do remote administration of devices at branch offices.
ssh -L 9001:209.0.0.1:80 home@190.10.0.1 -NT
- The major difference with IPv6 ssh tunneling is that the colon in the IPv6 address must be understood as part of the address field (not the colon to specify the port info); this is done by enclosing the address in square brackets which must then be escaped with backslashes:
ssh -L 9001:\[2001:DEAD:BEEF::1\]:80 user@2001:1234:1234::1
(For link-local address(fe80::0 range) specify the interface following the SSH GWY)
Someone from the Security team noticed all the SSH traffic destined to your Home SSH Server and blocked it in the firewall. Luckily, they can't block all SSH due to operational requirements; you can just use a different server. However, you don't control this server, so your account won't allow you to open a terminal session. Using the "-NT" switches allows you to establish a tunnel without opening a remote terminal session on the new SSH server. You need to SSH to your home server to SCP some files you need.
Why stop there... let's add another tunnel!
What if access policies prevented you from getting to your Home machine from the first gateway, but you could pivot into a second SSH server, then to the Target? Try two levels of SSH tunneling (Tunnel inception)
Dynamic port forwarding over an SSH tunnel
Needs a "wrapper" to specify the endpoint. This can be proxy settings in your browser, or a program like Proxychains (Proxychains uses port 9050 by default but it can be changed/added to in the .conf file)
Run TCP/IP based application on your host machine through proxychains: the SSH forwarding allows you to access MANY (dynamic) target ports
Inside host initiates the tunnel to tell the remote host where to forward its port to (through the tunnel)
Inside initiates the tunnel to tell the remote host where to forward its local port to (through the tunnel)
Home initiates a tunnel to forward its local port to meet up with the port of the pivot that is receiving the forward Web page
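Added example (not from the original notes) covering both the -L tunnels above, including the bracketed IPv6 form, and the dynamic/remote forwards in this last section: a small Python parser for ssh forward specs that splits the fields correctly, validates ports and IPv6 literals, and reports which end opens the listening socket and which end the outbound connection leaves from. That last distinction is what an administrator reviewing sshd logs or firewall rules needs: a -L or -D listener sits on the client while the connection egresses from the gateway, and -R inverts that. The `Forward` type, `parse_forward` and `describe` are names chosen for this example; the -R spec in the usage block is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Forward:
    kind: str                   # "local" (-L), "remote" (-R) or "dynamic" (-D)
    bind_addr: Optional[str]    # address the listener binds to; None = ssh's default (loopback)
    listen_port: int
    target_host: Optional[str]  # None for -D: the SOCKS client names the target per connection
    target_port: Optional[int]
    listens_on: str             # which end opens the listening socket
    egress_from: str            # which end makes the outbound connection to the target


def split_spec(spec: str) -> List[str]:
    """Split a forward spec on ':' but keep a [bracketed] IPv6 literal as one field.
    Shell escapes (\\[ and \\]) are dropped first; that is how the brackets
    survive the shell on the command line."""
    spec = spec.replace("\\", "")
    parts, cur, in_bracket = [], "", False
    for ch in spec:
        if ch == "[":
            in_bracket = True
        elif ch == "]":
            in_bracket = False
        elif ch == ":" and not in_bracket:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def _host(text: str) -> str:
    """Accept a hostname, IPv4 or IPv6 literal. A field containing ':' must be a
    valid IPv6 address, optionally with a %zone (the interface for link-local fe80::)."""
    if ":" in text:
        ipaddress.IPv6Address(text.split("%", 1)[0])  # raises ValueError if malformed
    return text


def parse_forward(flag: str, spec: str) -> Forward:
    parts = split_spec(spec)
    if flag == "-D":
        if len(parts) not in (1, 2):
            raise ValueError(f"-D expects [bind_address:]port, got {spec!r}")
        bind = _host(parts[0]) if len(parts) == 2 else None
        return Forward("dynamic", bind, _port(parts[-1]), None, None,
                       "client (your host), as a SOCKS proxy", "ssh server (gateway)")
    if flag not in ("-L", "-R"):
        raise ValueError(f"unsupported flag {flag}")
    if len(parts) not in (3, 4):
        raise ValueError(
            f"{flag} expects [bind_address:]port:host:hostport, got {spec!r}; "
            "an IPv6 host must be written in [brackets] or its colons are read as field separators")
    bind = _host(parts[0]) if len(parts) == 4 else None
    listen_port, host, hostport = _port(parts[-3]), _host(parts[-2]), _port(parts[-1])
    if flag == "-L":
        return Forward("local", bind, listen_port, host, hostport,
                       "client (your host)", "ssh server (gateway)")
    return Forward("remote", bind, listen_port, host, hostport,
                   "ssh server (gateway)", "client (your host)")


def describe(fw: Forward) -> str:
    where = f"{fw.bind_addr or 'localhost'}:{fw.listen_port}"
    if fw.kind == "dynamic":
        return f"SOCKS listener on {fw.listens_on} at {where}; each connection leaves from the {fw.egress_from}"
    return (f"{fw.kind} forward: listener on {fw.listens_on} at {where} -> "
            f"{fw.target_host}:{fw.target_port}; connection leaves from the {fw.egress_from}")


if __name__ == "__main__":
    for flag, spec in [("-L", "9001:209.0.0.1:80"),               # the notes' first tunnel
                       ("-L", r"9001:\[2001:DEAD:BEEF::1\]:80"),  # the IPv6 form
                       ("-D", "9050"),                            # dynamic forward for proxychains
                       ("-R", "8080:127.0.0.1:80")]:              # constructed remote-forward spec
        print(flag, spec, "=>", describe(parse_forward(flag, spec)))
```

Feeding the unbracketed form `9001:2001:DEAD:BEEF::1:80` to `parse_forward` raises the "must be written in [brackets]" error, which is the same ambiguity ssh itself runs into.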