Movement, Redirection, Data Transfer

CCTC - Networking

Outcomes


SKILL CCNE005: Define the principles of tunneling network traffic

SKILL CCNE006: Identify fundamentals of secure shell protocol & port forwarding

SKILL CCNE007: Perform network traffic redirection

SKILL CCNE008: Perform file transfers





Sending Files to Remote using SCP


  • Copying "file1.txt" from the local client to a remote client.
  • Executed on the Client


scp file1.txt username@10.0.0.2:/directory/path

Receiving Files from Remote using SCP


  • Copy "file2.txt" from a remote client to the local client
  • Executed on the Client


scp username@10.0.0.2:file2.txt /directory/path

Covert Channels


- Protocol Headers: modulation, manipulation, options


- Data Field


Example: the ping utility's (-p) switch lets you write a hex pattern into the data portion of the ICMP packets it sends



BOTNET (Another Covert Channel)


- Master/Zombies

- Used for: Spam, DDOS, Spyware, Virus, Clickfraud

- Notorious Examples: Conficker, Zeus, TDL-4 (Alureon)

- Commonly used protocol for C2: HTTP, IRC, UDP, DNS over TCP




Nothing to see here...Just DNS packets...

(Obj. 12.6 Describe protocol swapping)


- DNSCAT2 is just one of many

- Most often, common protocols are used to hide devious actions

- Common Botnet C2 protocols are also popular choices for programs that provide protocol swapping



Data Exfiltration


Covertness = function of Capacity of the Medium/Transmission Rate

Most common methods of data exfiltration: HTTP/HTTPS, DNS, FTP, RDP, SMTP/email, SMB, TOR

Techniques to help obfuscate the exfiltration: Compression, Encoding, Encryption
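A defender-side check for the DNS covert channel and exfiltration traffic described above (dnscat2-style tunneling, where encoded payload rides in long, high-entropy subdomain labels). This is an added example, not course material; the log lines are constructed, and the "<time> <client> <qname>" format, the thresholds and the two-label base-domain grouping are assumptions of this example:

```python
import math
from collections import Counter, defaultdict
# Constructed sample query log, one "<time> <client> <qname>" per line (not real traffic).
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:03 10.0.0.7 a9f3e1c2b7d4e6f0a1b2c3d4e5f6a7b8c9d0e1f2.tunnel.example.net
10:00:03 10.0.0.7 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c.tunnel.example.net
10:00:04 10.0.0.7 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.tunnel.example.net
10:00:04 10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d.tunnel.example.net
10:00:05 10.0.0.5 cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def base_domain(qname: str) -> str:
    """Grouping key: last two labels (assumption: no public-suffix handling)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_queries(log_text: str, min_queries=3, min_label_len=30, min_entropy=3.0):
    """Group queries per (client, base domain) and flag groups that look like a
    DNS tunnel: repeated queries whose leftmost label is long and high-entropy,
    as encoded payload tends to be.  Returns {(client, base): stats dict}."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        sub = qname.rstrip(".").split(".")[:-2]  # labels left of the base domain
        leftmost = sub[0] if sub else ""
        groups[(client, base_domain(qname))].append((len(leftmost), shannon_entropy(leftmost)))
    result = {}
    for key, obs in groups.items():
        n = len(obs)
        avg_len = sum(o[0] for o in obs) / n
        avg_ent = sum(o[1] for o in obs) / n
        result[key] = {"queries": n, "avg_label_len": avg_len, "avg_entropy": avg_ent,
                       "flagged": n >= min_queries and avg_len >= min_label_len
                       and avg_ent >= min_entropy}
    return result

def flagged_pairs(log_text: str):
    """Sorted (client, base domain) pairs that score_queries flagged."""
    return sorted(k for k, v in score_queries(log_text).items() if v["flagged"])
```

Tune the thresholds against your own resolver logs; legitimate CDN names can also be long, so the query count and entropy conditions together matter more than label length alone.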



File Transfer Basics


Stdin (file descriptor 0) / Stdout (file descriptor 1)

Pipes
- FIFO (first in, first out) in nature
- A named pipe can outlive the process that uses it
- Can be used as a pass-through in data transfers


Client vs. Listener


Netcat

Netcat: Client to Listener file transfer

Client(sends file): nc 10.0.0.2 9001 < file.txt

Listener (receive file): nc -l -p 9001 > newfile.txt

Netcat

Netcat: Listener to Client file transfer

Listener(sends file): nc -l -p 9001 < file.txt

Client (receive file): nc 10.0.0.2 9001 > newfile.txt

File Transfer Activity

Netcat Relays

On Client Relay:
mknod mypipe p
nc 10.0.0.3 9002 0<mypipe | nc 10.0.0.1 9001 | tee mypipe

On Listener2 (sends info):
nc -l -p 9002 < infile.txt

On Listener1 (receives info):
nc -l -p 9001 > outfile.txt

tee writes the output of the second nc both to the screen (stdout) and to the named pipe (mypipe), which is the stdin of the first nc, so data can flow in both directions through the relay

Netcat Relays Activity

FPIPE & Redirectors

- FPIPE is a port/stream redirector commonly used on Windows systems. It can create a TCP or UDP stream with a source port of your choice.
This is useful for getting past firewalls that allow traffic with a source port of, say, 22 to connect to internal servers.

- Redirectors can be used to change source/destination port information in order to mask the origin of traffic or subvert security measures

Getting Around the Pesky Firewall


Imagine that you are at work, but you wanted to do non-work related activities. Your company firewall prevents you from accessing a website you want to browse to (gambling.com). SSH is allowed from the inside of the network outbound because the IT staff must do remote administration of devices at branch offices.

Local Port Forwarding


ssh -L 9001:209.0.0.1:80 home@190.10.0.1 -NT


Local Port Forwarding with IPv6

- The major difference with IPv6 ssh tunneling is that the colon in the IPv6 address must be understood as part of the address field (not the colon to specify the port info); this is done by enclosing the address in square brackets which must then be escaped with backslashes:

ssh -L 9001:\[2001:DEAD:BEEF::1\]:80 user@2001:1234:1234::1

(For a link-local address (fe80:: range), specify the interface following the SSH gateway address)
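An added example (not from the course) that builds and parses OpenSSH -L/-R forward specs with the IPv6 bracket rule above. The function names, the rejection of an unbracketed IPv6 host and the requirement of a %interface zone id for link-local hosts are this example's own conventions, not OpenSSH's validation:

```python
import ipaddress

def build_forward_spec(listen_port: int, host: str, port: int) -> str:
    """Return an OpenSSH -L/-R spec "LISTEN:HOST:PORT".  IPv6 hosts are wrapped in
    square brackets so their colons are not read as field separators; a link-local
    host (fe80::/10) must carry its "%interface" zone id (assumed convention)."""
    bare = host.split("%", 1)[0]
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        ip = None  # hostname rather than a literal address: leave untouched
    if ip is not None and ip.version == 6:
        if ip.is_link_local and "%" not in host:
            raise ValueError(f"link-local host {host!r} needs a %interface zone id")
        host = f"[{host}]"
    return f"{listen_port}:{host}:{port}"

def parse_forward_spec(spec: str):
    """Inverse of build_forward_spec: returns (listen_port, host, port).  Rejects an
    unbracketed IPv6 host, because its colons make the split ambiguous."""
    listen, sep, rest = spec.partition(":")
    if not sep:
        raise ValueError(f"missing host in {spec!r}")
    if rest.startswith("["):
        end = rest.find("]")
        if end < 0 or not rest[end + 1:].startswith(":"):
            raise ValueError(f"bad bracketed host in {spec!r}")
        host, port = rest[1:end], rest[end + 2:]
    else:
        host, _, port = rest.rpartition(":")
        if ":" in host:
            raise ValueError(f"IPv6 host in {spec!r} must be bracketed")
    return int(listen), host, int(port)

def shell_escape_spec(spec: str) -> str:
    """Escape the brackets with backslashes, as the slide's command line does, so
    the shell cannot treat them as a glob pattern."""
    return spec.replace("[", "\\[").replace("]", "\\]")
```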


Tunnel within a Tunnel

Someone from the Security team noticed all the SSH traffic destined to your Home SSH Server and blocked it in the firewall. Luckily, they can't block all SSH due to operational requirements; you can just use a different server. However, you don't control this server, so your account won't allow you to open a terminal session. Using the "-NT" switches allows you to establish a tunnel without opening a remote terminal session on the new SSH server. You need to SSH to your home server to SCP some files you need.

Tunnel Inception

Why stop there...let's add another tunnel!



SSH Tunneling

What if access policies prevented you from getting to your Home machine from the first gateway, but you could pivot into a second SSH server, then to the Target? Try two levels of SSH tunneling (Tunnel inception)


Dynamic Port Forwarding

Dynamic port forwarding over an SSH tunnel
Needs a "wrapper" to specify the endpoint. This can be the proxy settings in your browser, or a program like Proxychains (Proxychains uses port 9050 by default, but this can be changed or added to in its .conf file)

ProxyChains

Run a TCP/IP-based application on your host machine through proxychains: the SSH forwarding allows you to access MANY (dynamic) target ports



Local and Dynamic Port Forwarding Activity

Remote Port Forwarding (Reverse SSH Tunnel)

Inside host initiates the tunnel to tell the remote host where to forward its port to (through the tunnel)


Local and Remote SSH Tunneling

The inside host initiates the tunnel to tell the remote host where to forward its local port to (through the tunnel)
Home initiates a tunnel to forward its local port to meet up with the port on the pivot that is receiving the forwarded web page

Remote Port Forwarding Activity