Pwning with Portals: How Rick Sanchez Dumps DITs

Pivoting, you know what it is, but are you using it as much as you could?

Some info about how I've been using pivoting on pentesting engagements to almost completely replace my use of and reliance on native C2 functionality

Consider this scenario: you have just sent a phishing email to a target, the stars align, and you’ve obtained a shell back. You have internal access to the target’s network and now you want to begin establishing persistence, move laterally, and do the voodoo that you do. Let’s take a pretty standard enumeration tactic, maybe you want to kerberoast the domain of the target. A couple potential options await you, what follows is by no means an exhaustive list:

Use tooling contained within whatever RAT (C2,implant,payload) you are using assuming this functionality exists natively

Drop a script/binary onto the infected host's disk and run it from there, probably going to be a powershell script

Download a binary or script to the host via some other method, maybe using a LOLbin like certutil

Powershell IEX

At a glance, there are some obvious pros and cons to each of these techniques that stand out, and they can all be effective in their own way. But there is a completely underrated alternative that can be used for pretty much any network based attack. Generally pivoting is brought up and used when you’ve no other options to access a segment, such as a jumpbox or any other dual-homed host on an "internal" engagment, but pivoting can be useful in the early stages of a red team assessment as well as internals. Pivoting is not only useful as a means by which to access otherwise inaccessible subnets within a private network, but also as a means to expand your testing capabilities externally. As you will soon see, I will be pushing this technique to it’s limits in order to obtain the coveted, powershell-through-socks state.

There’s nothing wrong with the methods I've listed up there funcionally, and in some couple ways (I’ll get to later) they can even be better. However a target’s security posture will vary a great deal, and in a lot of environments, the LAST thing you want to do is drop a binary to disk, or run powershell (becoming more and more dangerous). This sucks because powershell can do a lot of bad stuff really well, and binz are "fun 2 run", but with network pivoting we may be able to have our cake and eat it too.,

Not just a gimmick to get around your client’s web filter while on-site

Cool story you may not have heard: You can perform basically ALL network-based attacks to a client’s network externally (i.e. through a C2).



Positive implications:



You do not have to drop any files to disk

You do not need to be so picky with your C2 choice, which means more potential avenues of attack

You do not need to spend time writing custom functionality for each and every attack you use for the payload you are using

You do not need to run powershell on the infected host, which is a basically a blue team christmas tree right now in 2020

In fact, you don't need to run anything other than your initial payload on the host everything after that is just smoke in the wires

A lot more network traffic is generated unless you babysit the polling interval (more on this below)

Without a very special payload, you will not be able to leverage the authentication material present in the payload's process to perform attacks as the compromised user

If you hate linux you are going to have a bad time, but if this is the case, then it sounds as though you're already having a bad time and just don't realize it

Y s0 negative?

Let me address these negative aspects in a little more detail. The first of the drawbacks to pivoting like a zumba instructor is that in order for a stable stream of data to be exchanged, the polling interval needs to be set to 0. However if you only turn your interval to “interactive” when you’re performing these relevant attacks, then this issue shouldn’t be an... issue. This seems like a pain but if you already have your initial enumeration and persistence procedures scripted for rapid execution then this is a non-issue and you can turn the polling to interactive, do your thing, then knock it back to whatever makes you feel comfortable. It's generally good practice to have these sorts of things in order this way for any red team engagement.

The second issue I've listed is that when an unsuspecting user opens your generous gift and unleashes doom & gloom on their company’s network, your payload is run by the user and obtains their sweet sweet privileges. With these privileges, your payload is able to perform attacks and make queries as (presumably) an authenticated domain user, even if you’ve yet to obtain the user’s plain-text credentials. With these magic powers, your process can run kerberoast, query users from AD, or just whatever a normal (presumably unprivileged) user would be able perform without entering any credentials. Now if you were to write a payload that allowed you to leverage these same privileges for proxied requests, then this could also be avoided. Otherwise, you are basically waiting until you get some valid user credentials. Though in the case you are going to be phishing them, maybe ask for creds too, or just phish someone else. The third issue is not so much an issue with the technique, more with the limitation of available tools and their compatibilty for doing these sorts of attack from a Windows host. So as it usually is in this line of work, the issue lies Winderp. I recommend debian. But you can do most of this with a linux VM, except maybe the last part, though I'll touch on that.

Thinking with portals

Finally I’m getting to the actual technique. Pivoting is all about tunnels, more specifically, socks tunnels, even more specifically: dynamic or reverse dynamic socks tunnels. In case it's been a while here's a short breakdown.

Dynamic socks tunnels: ssh -D 8888 user@host This is a normal (non reverse) socks, tunnel, you’ve seen it before. It will bind to your local port 8888 and forward all traffic you send to it to the SSH server so the SSH server can send it on your behalf.

The one you may not know about notice I did not put any IPs, I just used a port: ssh -R 8888 user@host

And it’s bidirectional, pinky swear, check it out:

What’s the difference here? The client/victim is basically giving the remote server a means by which the remote server can proxy IT’s traffic through the client/victim/payload/whatever’s system, i.e. access to it’s own network.

Why does a linux ssh client matter? There is a signed, OpenSSH Windows executable that contains the exact same functionality (link below), starting to get good? The SSH client is not the only method by which to facilitate this sort of maneuverability. Here are some additional options off the top of my head:

Cobalstrike's "socks" command which binds the specified port on the system that the teamserver runs on

Rpivot

OpenSSH Windows

Possibly more, that I do not know about, google is your friend

If you don’t like any of those options, the socks protocol is not super complicated, basically a few extra bytes of metadata: Socks5 RFC, now you can implement it into anything.

Cool how do I use it?

You’ve already seen one example, proxychains, you probably already knew about that one though. Below i’ll show you that it can work with basically anything else, even the entire impacket suite:

Portal shellz (Cloud host with a shell on a VM on home network):



Dumping the DIT like rick sanchez:



While I could go into detail on how to apply this directly to a specific C2, that isn't what this post is about, pivoting is a networking concept that supercedes a single brand of C2 so I want to keep this general. Instead I'll try to go into a bit more detail on how to conceptually apply this to an engagement, since I know most people are not huge fans of networking.