Scenario
We’ve just compromised a Windows host. After enumerating it and grabbing any credentials/hashes we can, we discover that this host is multi-homed, i.e. it is also a member of another network segment. A quick ipconfig confirms that this host does indeed sit on two networks.
The question is: how do we now start to explore this other network? Well, we have a number of choices:
- Upload some tools to the host to then scan and enumerate the other network.
- Use what we have on the host to enumerate, ‘living off the land’: PowerShell scripts to ping sweep, port scan, etc.
- Use pivoting to proxy the tools we already have on our attack box through the Windows host and enumerate the other network with them.
In this post we shall explore the pivoting method, as it lets us use all the tools we already have.
Enter the hideously easy tool: SSF, or Secure Socket Funneling.
I stumbled upon SSF on an engagement while hopelessly trying to get plink working on a Windows host. It was easy to set up and worked out of the box. Below I’ll go through a working example.
Setup
In this diagram the machine with the red monitor is our multi-homed box on two networks (192.168.56.110/24 and 10.20.0.10/24). The attacking box is on the same 192.168.56 segment, and the new network we are interested in is 10.20.0.0/24. The box in red has two IP addresses, one for each segment.
SSF is freely available from here: https://securesocketfunneling.github.io/ssf/#home; just download the platforms and architectures you are interested in. I just grabbed all of them, just in case 😉
With SSF we get a number of files, but we are interested in only two of them.
ssfd.exe: the server portion of this setup; this runs on the compromised Windows host.
ssf(.exe): the client end; this one runs on your attacking box.
Note: all commands are run from a command prompt, either PowerShell or CMD.exe on Windows and bash on Linux.
Below we have the server portion running on the Windows box in PowerShell.
> ssfd.exe -p 11111
-p: the port ssfd listens on (11111 here).
And here is the client end in bash.
# ./ssf -D 22222 -p 11111 192.168.56.102
-D: create a dynamic (SOCKS) proxy on the attack box on this port; it must match the socks4 port set in proxychains.conf (22222 below). The nmap output further down shows proxychains connecting to 127.0.0.1:22222, which is why that port is used here.
-p: the port ssfd.exe is listening on.
The final argument is the IP address of the listening server.
Note: ip address in this image is wrong. 😉
As you can see, the two ends create a tunnel and use the default certificates that came with the installation. Feel free to swap these out with your own; the defaults ship with every copy of SSF, so they give the two ends no real authentication of each other.
For the final step in this setup we need one more tool: Proxychains.
ProxyChains is a UNIX program that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies. (Shamelessly stolen from the GitHub page for proxychains.)
tl;dr: it forces TCP programs to send traffic through an already set-up proxy.
We edit the proxychains configuration file; the end of it is shown below.
tail /etc/proxychains.conf
[ProxyList]
# add proxy here
...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 22222
There are no services to restart with proxychains, so we can move straight on to the fun part!
# proxychains nmap -v -sT -sV -Pn --top-ports=10 10.20.0.100
proxychains nmap -sT -Pn -sV --top-ports=10 10.20.0.100
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-27 00:45 BST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:445-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:443-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:23-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:3389-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:22-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:110-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:22-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:23-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:445-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
Nmap scan report for 10.20.0.100
Host is up (0.072s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           vsftpd 2.3.4
22/tcp   open   ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open   telnet        Linux telnetd
25/tcp   open   smtp          Postfix smtpd
80/tcp   open   http          Apache httpd 2.2.8 ((Ubuntu) DAV/2)
110/tcp  closed pop3
139/tcp  open   netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp  closed https
445/tcp  open   netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3389/tcp closed ms-wbt-server
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.28 seconds
Important notes! With nmap you need to use -Pn and -sT. Proxychains only intercepts ordinary TCP connect() calls made through libc, so a half-open SYN scan, which is sent with raw sockets, bypasses the proxy entirely and never reaches the other segment. For the same reason nmap’s default host discovery probes are not proxied: without -Pn nmap concludes the target is down and skips the scan.
Of course, most dynamically linked TCP programs work with proxychains; for example:
proxychains ftp 10.20.0.100
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
Connected to 10.20.0.100.
220 (vsFTPd 2.3.4)
Name (10.20.0.100:root):
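The |S-chain| lines in the nmap and ftp runs above are the part of the output that actually tells you what the pivot did: each one lists the proxy hop, the target host:port, and whether the SOCKS proxy (ssf) reached it (-<><>-OK) or could not (-<--denied). The parser below is an added example, not code from the original post or from the proxychains project; it picks those fields out of each chain line and tallies results per target port. The sample lines are constructed to match the format shown above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of proxychains "S-chain" lines in the same
# format as the nmap run above, plus one non-chain line that must be skipped.
SAMPLE = """\
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:443-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:3389-<--denied
Nmap scan report for 10.20.0.100
"""

# host:port pairs as they appear between the "-<>-" / "-<><>-" separators
HOP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_chain_line(line):
    """Return (proxy_hops, (target_host, target_port), status) for one
    |S-chain| line, or None if the line is not a chain line.
    "-<><>-OK" means the final hop connected; "-<--denied" means the SOCKS
    proxy could not open the target port (closed or filtered from the pivot)."""
    line = line.strip()
    if not line.startswith("|S-chain|"):
        return None
    hops = [(host, int(port)) for host, port in HOP_RE.findall(line)]
    if not hops:
        return None
    status = "OK" if line.endswith("-OK") else "denied"
    *proxies, target = hops  # every hop but the last is a proxy
    return proxies, target, status


def summarize(text):
    """Tally OK and denied connects per (target_host, target_port)."""
    tally = defaultdict(lambda: {"OK": 0, "denied": 0})
    for line in text.splitlines():
        parsed = parse_chain_line(line)
        if parsed is None:
            continue
        _proxies, target, status = parsed
        tally[target][status] += 1
    return dict(tally)


def reachable_ports(text):
    """Target ports the proxy connected to at least once, sorted."""
    return sorted(port for (_host, port), counts in summarize(text).items()
                  if counts["OK"] > 0)
```

Note that every one of these connections leaves the pivot from its 10.20.0.10 interface, so to a sensor on the 10.20.0.0/24 segment the whole scan appears to come from the compromised Windows host, not from the attack box.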
Summary:
In this post we’ve set up a listening ssfd server on our multi-homed Windows host and connected to it with the ssf client from our attacking box. From there we used proxychains to send traffic through our proxy and out onto the Windows host’s other network segment, and in this case we used nmap to scan for open ports on just one host. There is no reason we cannot scan the entire subnet, or even use tools such as nikto against any web servers we may find.
Hope you enjoyed this post.
Have fun!
GRL_UK