pivoting networks - cssig presentation
DESCRIPTION
Abstract: When attacking a target you should never do it directly from your machine, or detecting you will be too easy; use proxies or network pivots to obscure your origin. Also, after a successful penetration of a network, a hacker (good or bad) will immediately look to move horizontally through the network and use the existing infrastructure to pivot their attacks. Learn various ways to do this and "never" get caught.

TRANSCRIPT

Obsidis Consortia, Inc.
Pivoting Networks
José L. Quiñones-Borrero, BS, MCP, MCSA, MCT, CEH, CEI, GCIH, GPEN, RHCSA
What is OC, Inc?
• Obsidis Consortia, Inc. [OC, Inc.] is a non-profit organization that promotes security awareness in the community and supports professional development of security professionals, students and enthusiasts in Puerto Rico.
• OC, Inc. has developed and is supporting initiatives like the Init6 Security User Group, Professional Training & Workshops, Network and Security Systems Simulation Scenarios (Capture the Flag), the Security BSides Puerto Rico Conference and a Community Outreach Program.
What is pivoting?
• Webster
– a key player or position; specifically: an offensive position of a player standing to relay passes, shoot, or provide a screen for teammates
• InfoSec
– Pivoting refers to a method used by penetration testers, hackers or security professionals that uses one (compromised) system to access (attack) other systems on the same network or on remote networks. It is done to avoid detection, to get around restrictions such as firewall configurations that may prohibit direct access to all machines, and to provide misdirection during an incident investigation.
• Types
– Port Forwarding or Proxies
– Traditional Routing
– VPN/Tunneling
04/10/2023
Techniques
• OS Functionality
– Windows RAS
– Linux IP Forwarding
• Tools
– netcat
– ssh
– proxychains
– fpipe
• Exploit Frameworks
– Metasploit
• Dedicated Technologies
– OpenVPN
– PPTP/L2TP
– IPSec
• VM appliance
– OpenWRT/pfSense
Windows
• Routing & Remote Access Service
– sc config RemoteAccess start= demand
– sc start RemoteAccess
– sc query RemoteAccess
• Routing Table
– route PRINT
– route ADD <destination> MASK <mask> <gateway-ip> METRIC <weight> IF <interface#>
• Fpipe
– fpipe.exe -l <local_port> -r <remote_port> <remote_ip>
Linux
• Enable Forwarding
– echo 1 > /proc/sys/net/ipv4/ip_forward
– sysctl -w net.ipv4.ip_forward=1
• Routing Table
– route add -net [ip.ad.rr.ss] netmask [m.a.s.k] gw [ip.ad.rr.ss]
– ip route add default via [ip.ad.rr.ss]
iptables
• Clear
– iptables -F
• List
– iptables -L
• FORWARD
– iptables -A FORWARD -i eth1 -j ACCEPT
– iptables -A FORWARD -o eth1 -j ACCEPT
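Seen from the defensive side, the Linux and iptables slides above describe exactly the host state an administrator or incident responder should look for: ip_forward turned on together with ACCEPT rules in the FORWARD chain. The following script is an added example (it is not from the presentation) that parses the text printed by `sysctl net.ipv4.ip_forward` and `iptables -S FORWARD` and flags a host that is configured to route between interfaces. The sample command outputs embedded in it are constructed; `audit_live_host` runs the real commands and needs root for iptables.

```python
"""Audit a Linux host for the 'pivot router' state that the two slides above set up
(ip_forward=1 plus FORWARD rules). Added example, not from the slides. It parses
the text printed by `sysctl net.ipv4.ip_forward` and `iptables -S FORWARD`; the
sample outputs below are constructed to match what those commands print."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ForwardingAudit:
    ip_forward: bool              # kernel will route between interfaces
    policy: str                   # default policy of the FORWARD chain
    accept_rules: List[str] = field(default_factory=list)

    @property
    def routes_traffic(self) -> bool:
        """True when packets from one interface can actually transit this host."""
        return self.ip_forward and (self.policy == "ACCEPT" or bool(self.accept_rules))


def parse_ip_forward(sysctl_output: str) -> bool:
    """Read the value out of 'net.ipv4.ip_forward = 1'."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    if m is None:
        raise ValueError("net.ipv4.ip_forward not present in sysctl output")
    return m.group(1) == "1"


def parse_forward_chain(iptables_output: str) -> Tuple[str, List[str]]:
    """From `iptables -S FORWARD`: the '-P FORWARD <policy>' line and every
    '-A FORWARD ... -j ACCEPT' rule."""
    policy, accept_rules = "UNKNOWN", []
    for line in iptables_output.splitlines():
        line = line.strip()
        if line.startswith("-P FORWARD "):
            policy = line.split()[2]
        elif line.startswith("-A FORWARD ") and line.endswith("-j ACCEPT"):
            accept_rules.append(line)
    return policy, accept_rules


def audit(sysctl_output: str, iptables_output: str) -> ForwardingAudit:
    policy, rules = parse_forward_chain(iptables_output)
    return ForwardingAudit(parse_ip_forward(sysctl_output), policy, rules)


def audit_live_host() -> ForwardingAudit:
    """Run both commands on this machine (iptables needs root)."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit(run(["sysctl", "net.ipv4.ip_forward"]), run(["iptables", "-S", "FORWARD"]))


# Constructed sample: exactly the state the slide's commands leave behind.
PIVOT_SYSCTL = "net.ipv4.ip_forward = 1\n"
PIVOT_IPTABLES = "-P FORWARD DROP\n-A FORWARD -i eth1 -j ACCEPT\n-A FORWARD -o eth1 -j ACCEPT\n"

# Constructed sample: a host that must not relay (sysctl -w net.ipv4.ip_forward=0, no FORWARD rules).
HARDENED_SYSCTL = "net.ipv4.ip_forward = 0\n"
HARDENED_IPTABLES = "-P FORWARD DROP\n"

if __name__ == "__main__":
    for name, s, i in (("pivot", PIVOT_SYSCTL, PIVOT_IPTABLES),
                       ("hardened", HARDENED_SYSCTL, HARDENED_IPTABLES)):
        a = audit(s, i)
        print(f"{name}: ip_forward={a.ip_forward} policy={a.policy} "
              f"accept_rules={len(a.accept_rules)} routes_traffic={a.routes_traffic}")
```

The check deliberately treats ip_forward and the FORWARD chain together: a host with ip_forward=1 but a DROP policy and no ACCEPT rules does not relay anything, while a host with rules but ip_forward=0 does not either, so only the combination is reported as routing.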
Secure Shell
• Remote (expose a port on the remote host that is redirected back to a local ip:port)
– ssh -R remote_port:local_ip:local_port user@host
• Static (redirect a local connection to a remote ip:port)
– ssh -L local_port:remote_ip:remote_port user@host
• ssh -L 10000:10.10.10.10:80 user@host
• Dynamic (socks5)
– ssh -D local_port user@host
• ssh -D 10000 user@host
• Other options
• -f (send to background)
• -N (do not execute a remote command; only forward ports)
• -o (pass a configuration option, e.g. ProxyCommand)
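Whether the -L, -R and -D forwards above work at all is decided on the server by sshd_config, which is the knob an administrator turns on hosts that should never relay traffic. The script below is an added example, not the presentation's material: it parses an sshd_config the way sshd does (keywords are case-insensitive, `#` starts a comment, the first occurrence of a keyword wins, and anything under a Match block is conditional) and reports the forwarding-related settings that differ from a hardened value. The two configuration texts are constructed samples: one a typical default install with GatewayPorts switched on, the other the same host with forwarding disabled globally.

```python
"""Audit an sshd_config for the server-side settings that decide whether the
ssh -L / -R / -D forwarding above is available to whoever logs in.
Added example, not from the slides. Assumes sshd's parsing rules: keywords
are case-insensitive, '#' starts a comment, and the first occurrence of a
keyword wins. Lines below a Match block are conditional and are ignored here."""
import re
from typing import Dict, List

# sshd keyword -> (compiled-in default, value for a host that must not relay traffic)
FORWARDING_KEYWORDS = {
    "allowtcpforwarding":         ("yes", "no"),  # enables -L, -R and -D
    "gatewayports":               ("no",  "no"),  # lets -R listeners bind to all interfaces
    "permittunnel":               ("no",  "no"),  # -w tun devices (layer 2/3 VPN over ssh)
    "allowstreamlocalforwarding": ("yes", "no"),  # Unix-domain socket forwarding
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after a Match block is conditional
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def forwarding_findings(text: str) -> List[str]:
    """One finding per forwarding setting whose effective value is not the hardened one."""
    effective = parse_sshd_config(text)
    findings = []
    for key, (default, hardened) in FORWARDING_KEYWORDS.items():
        actual = effective.get(key, default).lower()
        if actual != hardened:
            origin = "set explicitly" if key in effective else "compiled-in default"
            findings.append(f"{key} is '{actual}' ({origin}); set '{key} {hardened}'")
    return findings


# Constructed sample: a typical distro config that never mentions TCP forwarding,
# plus GatewayPorts turned on, so -R listeners would be reachable from the LAN.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
GatewayPorts yes
X11Forwarding no   # unrelated to TCP forwarding
Match User backup
    AllowTcpForwarding no
"""

# Constructed sample: the same host with forwarding switched off globally.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowStreamLocalForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, forwarding_findings(cfg) or ["no forwarding exposure"])
```

The important subtlety the weak sample shows is that a config that says nothing about AllowTcpForwarding still permits -L/-R/-D, because the compiled-in default is yes; the audit therefore reports defaults as findings, not only explicit lines, and ignores the AllowTcpForwarding under the Match block because it applies to one user only.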
How does Tor work?
• Debian:
• apt-get install tor
• tor &
• Fedora:
• yum install tor
• tor &
• Listens on 127.0.0.1:9050
Proxychains
• Forces TCP applications that don't support proxies to go through them
• Uses proxies in config file:
– /etc/proxychains.conf
– socks4, socks5, http
• Simple to use
– proxychains firefox http://mozilla.com
– proxychains nmap -sT -p 80 1.2.3.4
Netcat
• Server mode
– nc -l -p <local_port>
– nc -nvlp 8000
• Client
– nc remote_ip remote_port
• Relay
– nc -l -p 8000 -c 'nc remote_host port'
– nc -l -p 8000 -e relay.bat
• SANS netcat cheatsheet
– http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
VPN
• Protocols
– PPTP (weakest)
– L2TP/IPsec
– SSL
• Private VPN service
– VPN service you pay for to protect your information
– VPN providers are bound by their country's laws
• OpenVPN
How a private VPN works
Python
• Default Libraries:
– http://voorloopnul.com/blog/a-python-proxy-in-less-than-100-lines-of-code/
– http://stackoverflow.com/questions/1874331/python-port-forwarding-multiplexing-server
– http://www.linux-support.com/cms/forward-network-connections-with-python/
• Using Twisted:
– http://therning.org/magnus/archives/30
Metasploit
• Routing through sessions
– route add [subnet] [netmask] [session-id]
• Meterpreter
– portfwd add -l [local-port] -p [remote-port] -r [remote-host]
– route list
– route [add|delete] [subnet] [netmask] [gateway]
Open Discussion …
Q & A
Challenge
• Code a port forwarder in python or ruby
– Command line
– Accepts arguments:
• Forwards TCP or UDP
• Local port (listens by default on TCP 8080)
• Source port (optional)
• Remote port
• Remote host
– Cross platform (Windows, Linux, Mac OS X)
Please visit us to keep in touch …
www.ObsidisConsortia.org
www.BSidesPR.org
https://www.youtube.com/channel/UCtpOw0dKOIVJu7JZqHx4oQg
https://plus.google.com/u/0/communities/102771209982001396923
https://facebook.com/obsidisconsortia
https://twitter.com/BSidesPR
Affiliates:
www.TalktoanIT.com
www.codefidelio.org
www.darkoperator.com