Pivoting on Windows – Secure Socket Funneling

Scenario

We’ve just compromised a Windows host. After enumerating it and grabbing any credentials/hashes we can, we discover that this host is multi-homed (i.e. it is also a member of another network segment). A quick ipconfig confirms that there are indeed two networks this host is a member of.

[Image: multi-homed-ipconfig]

The question is: how do we now start to explore this other network? Well, we have a number of choices:

  1. Upload some tools to the host and use them to scan and enumerate the other network.
  2. Use what is already on the host to enumerate (‘living off the land’): PowerShell scripts to ping sweep, port scan, etc.
  3. Pivot: proxy the tools we already have on our attack box through the Windows host to enumerate the other network.

In this post we shall explore the pivoting method, as it lets us use all the tools we already have.

Enter a hideously easy tool: SSF, or Secure Socket Funneling.

[Image: ssf_logo]

I stumbled upon SSF on an engagement while hopelessly trying to get plink working on a Windows host. It was easy to set up and worked out of the box. Below I’ll go through a working example.

Setup

In this diagram the machine with the red monitor is our multi-homed box on two networks (192.168.56.110/24 and 10.20.0.10/24). The attacking box is on the same 192.168.56 segment, and the new network we are interested in is 10.20.0.0/24. The box in red has two IP addresses, one for each segment.

[Image: multi-homed]

SSF is freely available from here: https://securesocketfunneling.github.io/ssf/#home – just download the platforms and architectures you are interested in. I just grabbed all of them, just in case 😉

SSF ships with a number of files; we are interested in only two of them.

[Image: ssf-binaries]

ssfd.exe: the server portion of this setup, which runs on the multi-homed Windows host.
ssf(.exe): the client end, which runs on your attacking box.

Note: all commands are run from a command prompt: PowerShell or CMD.exe on Windows, and bash on Linux.

Below we have the server portion running on the Windows box in PowerShell.

> ssfd.exe -p 11111
-p    the port ssfd listens on

[Image: ssfd-win10]

And here is the client end in bash.

# ./ssf -D 2222 -p 11111 192.168.56.102
-D                create a dynamic (SOCKS) proxy on this local port
-p                the port the server (ssfd.exe) is listening on
192.168.56.102    IP address of the listening server

[Image: ssf-kali]

Note: the IP address in this image is wrong. 😉
As you can see, the two ends create a tunnel and use the default certificates that came with the installation. Those defaults ship with every SSF download, so they give you encryption but no real authentication of either end; feel free to swap them out for your own.

For the final step in this setup we need one more tool: Proxychains.

ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies. (shamelessly stolen from the github page for proxychains.)

tl;dr: it forces TCP programs to send their traffic through an already configured proxy.

We edit the proxychains configuration file to point at our local SOCKS port. The relevant tail of the file is below.

tail /etc/proxychains.conf

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 22222

There are no services to restart with proxychains, so we can move straight on to the fun part!
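To make the proxychains.conf line above concrete, here is what actually crosses 127.0.0.1:22222 for each connection: proxychains sends a plain SOCKS4 CONNECT (the "socks4" proxy type), the local ssf end relays it through the tunnel, and the ssfd end answers granted or rejected depending on whether its own TCP connect to the far-side port succeeded. This is an added illustration, not code from SSF or proxychains; the ssfd side is simulated by a function, and the set of reachable ports is a constructed table chosen to match the scan results shown later in the post.

```python
import socket
import struct

# Constructed table (an assumption for this example): the far-side ports the
# simulated ssfd end can reach on 10.20.0.100, matching the post's scan.
REACHABLE_PORTS = {21, 22, 23, 25, 80, 139, 445}

SOCKS4_VERSION = 0x04
SOCKS4_CONNECT = 0x01
REPLY_GRANTED = 0x5A    # proxychains prints this result as "OK"
REPLY_REJECTED = 0x5B   # proxychains prints this result as "denied"


def build_socks4_connect(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port,
                         socket.inet_aton(dst_ip))
    return header + userid + b"\x00"


def parse_socks4_connect(data: bytes):
    """Decode a SOCKS4 CONNECT request into (dst_ip, dst_port, userid)."""
    if len(data) < 9:  # 8-byte header plus at least the NUL terminator
        raise ValueError("short SOCKS4 request")
    vn, cd, dst_port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS4_VERSION or cd != SOCKS4_CONNECT:
        raise ValueError(f"unexpected SOCKS4 header vn={vn} cd={cd}")
    userid, sep, _ = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("USERID is not NUL-terminated")
    return socket.inet_ntoa(raw_ip), dst_port, userid


def simulated_ssfd_reply(request: bytes, reachable=REACHABLE_PORTS) -> bytes:
    """Stand-in for the server end of the tunnel: grant the request only if
    the tunnelled TCP connect to the far-side port would succeed.
    A SOCKS4 reply is 8 bytes: VN=0, CD (result code), DSTPORT, DSTIP."""
    dst_ip, dst_port, _ = parse_socks4_connect(request)
    code = REPLY_GRANTED if dst_port in reachable else REPLY_REJECTED
    return struct.pack("!BBH4s", 0x00, code, dst_port, socket.inet_aton(dst_ip))


def describe_reply(reply: bytes) -> str:
    """Map the reply code to the word proxychains prints in its |S-chain| line."""
    _, code, _, _ = struct.unpack("!BBH4s", reply[:8])
    return "OK" if code == REPLY_GRANTED else "denied"


def proxied_connect(dst_ip: str, dst_port: int, reachable=REACHABLE_PORTS) -> str:
    """Run one request/reply over a loopback socket pair (standing in for
    127.0.0.1:22222) and return what proxychains would log for that port."""
    client, server = socket.socketpair()
    try:
        client.sendall(build_socks4_connect(dst_ip, dst_port))
        server.sendall(simulated_ssfd_reply(server.recv(512), reachable))
        return describe_reply(client.recv(8))
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    for port in (80, 443, 3389):
        print(f"10.20.0.100:{port} -> {proxied_connect('10.20.0.100', port)}")
```

The proxy only ever sees connect() calls that proxychains intercepts via LD_PRELOAD, which is why a raw-socket SYN scan is never funneled: it never calls connect(), so the packets leave the attack box unproxied.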

# proxychains nmap -v -sT -sV -Pn --top-ports=10 10.20.0.100
proxychains nmap -sT -Pn -sV --top-ports=10 10.20.0.100
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-27 00:45 BST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:445-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:443-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:23-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:3389-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:22-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:110-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:22-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:23-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:445-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:139-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
Nmap scan report for 10.20.0.100
Host is up (0.072s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           vsftpd 2.3.4
22/tcp   open   ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open   telnet        Linux telnetd
25/tcp   open   smtp          Postfix smtpd
80/tcp   open   http          Apache httpd 2.2.8 ((Ubuntu) DAV/2)
110/tcp  closed pop3
139/tcp  open   netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp  closed https
445/tcp  open   netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3389/tcp closed ms-wbt-server
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.28 seconds

Important notes! With nmap you need to use -Pn and -sT, as proxychains cannot carry half-open (SYN) scans: those use raw sockets, which never go through the connect() call that proxychains hooks. Additionally, nmap’s host-discovery pings don’t go through the proxy either, so without -Pn it will decide the target is down and skip it.
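The |S-chain| lines in the scan output are the only client-side record of what the pivot actually did, and they are noisy (nmap connects to the same port several times during version detection). The small parser below, added here as an illustration and not part of the original post, condenses lines in that exact format into a per-port view; "OK" means the ssfd end completed the TCP connect on the far network (nmap -sT reports the port open) and "denied" means the connect failed (nmap reported those ports closed above). The sample log is constructed for this example, not copied from the run above.

```python
import re
from collections import OrderedDict

# Constructed sample in the proxychains 3.x |S-chain| format, including one
# non-chain line the parser must ignore. Not output from the post's own run.
SAMPLE_LOG = """\
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:25-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:443-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:3389-<--denied
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:80-<><>-OK
Nmap scan report for 10.20.0.100
"""

# A single-hop chain: proxy host:port, destination host:port, then the result.
CHAIN_RE = re.compile(
    r"^\|S-chain\|-<>-(?P<proxy>[\d.]+):(?P<proxy_port>\d+)"
    r"-<><>-(?P<dst>[\d.]+):(?P<dst_port>\d+)"
    r"-(?P<result><><>-OK|<--denied)$"
)


def parse_chain_line(line: str):
    """Return a dict for one |S-chain| line, or None for any other line."""
    m = CHAIN_RE.match(line.strip())
    if not m:
        return None
    return {
        "proxy": (m["proxy"], int(m["proxy_port"])),
        "dst": (m["dst"], int(m["dst_port"])),
        "ok": m["result"].endswith("OK"),
    }


def summarize(log_text: str):
    """Condense a proxychains log into {(dst_ip, dst_port): {...}}.

    Each entry records the proxy hop used, how many times that port was
    connected to, and the state implied by the last result ('open' for OK,
    'closed' for denied). Insertion order is the order nmap first probed
    each port, which is randomized and so differs from the final report."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_chain_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(
            rec["dst"], {"proxy": rec["proxy"], "attempts": 0, "state": None}
        )
        entry["attempts"] += 1
        entry["state"] = "open" if rec["ok"] else "closed"
    return summary


def open_ports(summary, dst_ip: str):
    """Sorted list of ports the proxy could reach on one destination host."""
    return sorted(port for (ip, port), e in summary.items()
                  if ip == dst_ip and e["state"] == "open")


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (ip, port), entry in result.items():
        print(f"{ip}:{port:<5} {entry['state']:<6} ({entry['attempts']} connects via "
              f"{entry['proxy'][0]}:{entry['proxy'][1]})")
    print("open:", open_ports(result, "10.20.0.100"))
```

The same parser can be pointed at a saved terminal log of a longer run; lines that are not chain records (the banner, nmap’s own report) are skipped rather than mis-parsed.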
Of course you can use pretty much any program with proxychains, for example:

proxychains ftp 10.20.0.100
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:22222-<><>-10.20.0.100:21-<><>-OK
Connected to 10.20.0.100.
220 (vsFTPd 2.3.4)
Name (10.20.0.100:root):

Summary:
In this post we’ve set up a listening ssfd server on our multi-homed Windows host and connected to it with the ssf client from our attacking box. From there we used proxychains to send traffic down the proxy and out onto the Windows host’s other network segment, and in this case we used nmap to scan for open ports on a single host. But there is no reason we cannot scan the entire subnet, or use tools such as nikto against any web servers we find.

Hope you enjoyed this post.

Have fun!

GRL_UK
