
Linux Network Defence Evasion Techniques

BSides Newcastle, 47:59, published 2023-12
About this talk
Explores network-based evasion techniques against Linux defenses, focusing on two practical attack vectors: bypassing iptables firewalls using IPv6 link-local addressing and VLAN hopping, and fileless malware delivery using memfd_create to avoid disk-based detection. Covers real-world scenarios where defenders may miss threats routed through alternative protocols or loaded entirely into memory.
Transcript [en]

All right, so hello everyone and welcome to BSides, welcome to Newcastle for those of you who travelled a bit far. My talk is going to be about Linux network defence evasion. I want to kick things off with a quick agenda, just to let you know what's going to come next. I'm going to give a quick introduction, just who I am, then I'm going to be talking generally about Linux defences, just in general what I've seen in Linux environments before, and then I'll be talking about specific technologies in Linux. I'll be discussing a particular firewall called iptables, and then I'll be talking about two major techniques which I've researched before, and some of them I've actually used in testing before. The first one's going to be bypassing the firewall, iptables, and then I'll be talking about delivering malware to a target without actually sending it to the target.

So just a quick who am I, then. Currently I'm a penetration tester at Falling Cyber; some of you may have heard of it, it's a security consultancy, we provide various services. Before that I used to be an assistant manager at Durham University, unofficially penetration testing there, so that's a lot of where my experience comes from. I've worked in previous organisations as a consultant and have also founded a training course for Linux penetration testing.

So the first thing I want to talk about is Linux defences. What exactly do I mean by Linux defences? There are three different types of Linux defences that I want to get into. The first one is going to be network based. When I talk about network based, what I'm talking about is first line defences, you know, firewalls. I'm also talking about prevention systems, so some of you may have used them: we've got Bro, we've got Zeek, we've got Snort and we've got a few others. The purpose of these defences is basically, when a threat comes in, the idea is to block it or to prevent it or even detect it. So what would happen is a threat comes in, gets detected, an alarm is raised and then it's prevented, hopefully prevented by somebody in the operations centre.

Secondly, what I want to discuss is system based. What is system based? Well, what it really is is system based security. When it comes to Linux, it's built upon a kernel, and that kernel has a lot of guts inside it and it also has a lot of flaws inside it. So system defences focus specifically on how can we secure the kernel, how can we prevent very major attacks on Linux systems, and that also comes into tools like Wazuh and rkhunter, one of which is deprecated. And then physical based, and that is kind of like things like disabling USB ports. When you're in a data centre environment, these are the kind of things to consider, because if an attacker walks in they've got physical access, and one of the first things I'm going to try, taking the role of an adversary, is to plug something into a USB port: am I going to get access, am I going to be able to execute something via the USB port? Is a cabinet unlocked, can I literally walk up to a server, can I actually execute commands on it, is it unprotected? And finally BIOS and GRUB passwords. What I mean by this is system passwords, especially GRUB. For those of you who have used Linux before, you'll know about the GRUB bootloader; it's very easy to spawn a root shell on something like that and get administrative access, so one consideration to make is probably to password GRUB if you don't want to end up with a compromise.

So today's focus, especially the two techniques I'll be talking about, is all going to come into the network defence evasion side, because that's generally what you're going to come across when you're engaged in penetration testing. You will be attacking from the network as opposed to having physical access or even system access; that would fall into more, should we say, niche penetration tests.

First of all I want to dig a little bit more into iptables. For those of you who have used Linux before, you will be aware there's a lot of technologies out there when it comes to Linux: you've got firewalld, you've got pfSense, you've got F5 BIG-IP, Check Point, I might pronounce that wrong, and there's also my favourite, which is iptables, which is now being developed as nftables. What iptables is, it's a firewall, and a firewall, as I said, is the first line of defence. The purpose of it is to prevent any attacks coming in. What kind of attacks am I talking about? Discovery attacks, any particular exotic attacks, anyone crafting particular packets, anyone attempting to do a denial of service, anyone basically trying to either get into the network or knock it down. Just like anything, not just a firewall, like any technology, if it's configured right it's amazing, it works really well, but if it's not configured right then that can serve two means for us: the first one being gathering information from a, shall we say, misconfigured iptables instance, and we can also use that as a means of defence evasion, which is what I want to talk about today.

So what are the issues with iptables? As much as I love iptables, I have to say a few bad things about it. There are different rule sets with iptables as a firewall: you've got DROP, you've got REJECT, you've got mangle, you've got all kinds of different actions which the firewall can take. Now depending on the use case, REJECT is, shall we say, the nice one. You'll try to connect to a port, you'll try to make a connection, and REJECT will say "sorry, I can't connect to you right now because I'm not allowed". DROP on the other hand is not so nice: you try to connect, DROP won't say anything, basically. Now depending on how you roll this out, let's say you configure a particular port which is facing the internet with a REJECT rule. What I'm going to try and do is port scan that port, maybe using nmap, netcat, whatever I choose to use, and what I'll get back is an ICMP administratively prohibited message. Well done, you've just told me your port is open because you're using REJECT rules.

So now what I can then do is, I know that port is open, I'm going to try to do more tailored, perhaps phishing, attacks, and I'll know that port is open, so what I'll probably then do later on in the attack is attempt tunnels or other attempts to access that port. Now one key measure here is, as good as iptables can be, and you can configure it really well, all the IPv4 configurations which are used in a lot of infrastructures today don't apply to IPv6. IPv6 is one of those things, it may not be used, and I know this, many people have told me this, I've already had this debate with people who I work with, people who I've done this kind of thing for, and they've always said "well, IPv6 isn't used". Well, I know it's not used, but it's sitting there and it's waiting to be exploited in some means.

So in terms of exploiting iptables, I want to present a particular scenario which was involved in a penetration test. In this particular test you need to assume the role that you are already inside the internal network; you've basically got access and now you want to exploit a particular port, running on 8086, on a technology called InfluxDB. Just to give everyone a bit of background, what's InfluxDB? It's a time series database and it can store various information, it depends what you put in it, so you would generally put things like any kind of data which needs to be tracked in terms of time. Now what needs to be considered is that this device has been issued with firewall rules so no one can access this port. In this particular example I'm talking about InfluxDB, but I could be talking about any other port, it applies to any other port: it could apply to Secure Shell, which you can use to remotely access a host, it can apply to network file share, it can apply to any other network port which you can use to communicate with your target.

Now one thing to consider: you can't port scan the target, you can't even reach the port. Why is that? Because iptables has been put on IPv4, and you know it's firewalled because you've already run a script. Well, what do you do now? Most people in this case would say "yeah, it's firewalled, let's move on", but there are particular measures that you can take. When it comes to exploiting something like iptables, you can perform firewall enumeration in a very basic way: you can send particular network packets and then you can judge what is the response returned from that packet, so is it going to be a one, is it going to be a zero, is it going to be something else, and then we'll know whether that particular port is firewalled or not. Now in this particular case I use a very specific set of tools. Those of you who use Linux, you'll know bash; I love a bit of bash, it's probably my favourite shell in Linux, and it's got a device file which is called /dev/tcp. /dev/tcp you can use for many purposes: you can scan ports with it, you can drag information in and out of it, you can do a lot of things. So what I'm essentially doing here is I am sending a packet to a target on a firewalled port, so I'm going to test a particular port and see if it's firewalled or not. Now if the port's firewalled I should see code number 124 come back based on sending that particular packet.

Now for those of you who may want to get a bit of a visual idea of it, let's take this screenshot for example. What I've done here is I've flushed the iptables rules, so the firewall is now clean, and I've deliberately added a rule on port 810 and it's dropping traffic. In other words, if I contact this port it's not going to let me in, it's not going to say anything, it's just going to hang. So what I'm going to do is run my tool which I showed in the previous screenshot, and it should say 124 if the port's firewalled, and then we know iptables is potentially on this port. So now we've been able to enumerate that there is iptables on there.

So coming back to the particular scenario, what I'm essentially doing here is I'm trying to reach the host, I'm trying to reach that particular port that I said before. I want to attack this port, I still want access even though it's firewalled. So you can do the brute force method, you can constantly try to send nmap packets on the IPv4 channel even though it's firewalled; I mean, you're not going to get very far, because as we can see in the screenshot the state is closed, meaning it's not reachable, it's not going to say anything. In terms of the setup here, those of you may be wondering why I'm using proxychains to reach the host. What's actually happening here is I'm using a SOCKS5 proxy, so essentially what I'm doing is I'm connecting to one host and then I'm connecting to the host I'm intending to connect to, so I'm essentially routing all my traffic through a jump host, and that's very helpful. If you are in a penetration test and let's say you don't want to make a mess on the internal network, you don't want to install nmap everywhere, you could easily have the entry point machine as a jump host, set up a dynamic SSH tunnel there and then be able to proxychain all the traffic from outside. When I say outside, I mean a machine which is completely connected outside of the network. So at this point it's very clear, right, we can't get anything out of IPv4: it's limited, it's closed, it's not saying anything back, it's useless.

So what we now need to do is use an alternative communications channel, so we need to move on to IPv6. Now I know IPv6 is new, IPv6 hasn't been utilised much, and that's what makes it so valuable, because they're not going to see it coming in terms of a penetration test. So in terms of exploiting iptables, it's going to happen in three stages: two of those stages are going to be discovery, and then at the end you're going to craft everything together and cook the final payload. To run you through it, what we're first of all going to do is use IPv4, right, so we are going to use the ICMP protocol, which is going to be able to send packets to our target and discover that it's alive, and then we're going to move on to using other protocols like ARP, and then we're going to use the equivalent of it, which is the Neighbor Discovery Protocol, and then at the end we're going to move on to creating a payload which is going to talk to our firewalled port, and we're essentially going to gain access even though it's firewalled. So that's the objective, but we need to conduct certain steps to reach that goal.

The first thing you want to do, whenever you're doing any kind of discovery, any kind of reconnaissance, one of the things that I tend to see, especially on internet based hosts, is do a quick DNS lookup. What addresses does the target hold? Do they hold several IP addresses, are they running on a particular setup like that, do they have an IPv6 address? If you try to do any DNS lookups on particular hosts then you may actually see IPv6 addresses, you may not. In this case I tried to do a lookup and I only came back with IPv4 addresses, so in other words that approach failed, couldn't go any further.

So what I then did was send a ping packet. Most of you have probably used ping before: your internet goes down, doesn't respond, you'll quickly ping your router, you'll ping the outside, you'll ping Google and you'll see is this working, is it not; if it is, great, it'll be working soon, if it's not, disaster. But in this case it's working, so you send a ping packet, and what it's given back: when you send a ping packet that then associates with the ARP protocol, and what that gives back is valuable components of information. It gives back first of all the MAC address, which is the physical address of the device, that's what we're going to need for our stages going forward, and we're also going to need the physical link in terms of where the traffic is going out, and that's what we're going to use in the next payloads.

So talking a little bit about IPv6: IPv6 is the solution for IPv4. The truth is, there seems to be that with IPv4 we're running out of addresses, you know, there's a shortage, well, that's what they said recently, but I don't know when we're going to reach a shortage, but anyway, as a result you've then got IPv6, which is the replacement. It's huge, I'm not even going to try to pronounce that number because it's that big. So that is the replacement. Now there's one particular component of IPv6 which you can utilise within an internal network in order to perform host discovery, and that is called link-local addressing. Link-local addressing helps you to identify several hosts in the network using multicast addresses, and what we get out of this, or why we're doing this, is to use the NDP protocol, the Neighbor Discovery Protocol. We essentially want to see who's got a link-local address; I mean, that's the purpose of it. So what we're going to do then is, using the node on our internal network, the one which we've started the tunnel over or that we've got access to, we're going to use this particular device and we're going to send multicast messages to be able to gather who's got an IPv6 address and who's alive on the network.

Now, based on reading it, to be honest I don't really think it's very helpful when you just read it, so that's why I've got a diagram here. The machine in the middle, which has a sort of dark blue tone to it, that's your attacking host, that's a host you control. You'll then send out messages, and what you'll send out is solicitation messages; you're going to say "IPv6, where you at basically, I need to know where you're all at". Once you send those solicitation messages, it works the same as a ping does: you'll send out a ping and the ping will send a message and then you'll get a message back via ARP, but in this case the Neighbor Discovery Protocol is going to turn around and say "yes, I'm here", or the other host is then going to say "yes, I'm here as well", and so on and so forth. What then happens for us, and what we're hoping for, is our Neighbor Discovery Protocol table is then getting populated, and when that table is getting populated we've now got a list of link-local addresses and we've got a means of alternatively communicating with our target.

So in terms of exploiting iptables in an internal network, that's the payload right there. What we're going to use is the ping6 binary within Linux, we're going to specify the interface, as I said before we need the physical link

so we get the physical link and we put it in here, and then we make a call to all nodes on the internal network and we send four packets just for assurance. Once we send this payload we then have to perform a little bit of filtering. When it comes to internal network testing, things can get very messy very quickly; those of you in the audience who may have done internal testing before, we know for an absolute fact, give it five minutes and you've already got a big mess to filter through. So what we then do is check our Neighbor Discovery Protocol table and then filter down. As I said before, we needed particular pieces of information: we needed an IP address, MAC address, physical link. What we're going to do now is get the IP address, get the MAC address, and these are the two things that we want to filter out from our neighbor discovery table, and as you can see we now have the link-local IPv6 address. So we are now able to communicate with this host using link-local IPv6 addressing.

So what is the point in that? I mean, why go through all this trouble? In terms of going through all this trouble, as I said before, you essentially want to reach a particular port, a particular service which was firewall blocked. Right now, using this technique and using this payload, we're now going to communicate with that service, we're now going to gain access to that service and we are going to be able to talk to it. So the payload, as you see: we will start a call via the link-local IPv6 address, and then we will use the interface name, so the physical link available on our machine, that's where the traffic goes out and that's what is going to be used to talk to everyone else. We then use our target port number, and then we do some AND logic, so what we basically say is, if this first part works, then this needs to work as well, and that's why we end up getting "port is open".

So yeah, now it's exploit time. The image is a little small, apologies about that, but on the top right you will notice first of all I'm going to do a port scan on the device via the link-local address, and it's going to say "port is open". What do you know, the port's open, because I've done it through the link-local address. What I then did was I used the same link-local address, tried to reach the blocked port, and I came up with a message, "unable to pass authentication credentials". To give you all a bit of background here, the instance was backed up with credentials, which is good, that's blocked me out, but the point is I've managed to overcome one layer of defence. So I'm now able to access this particular service, and from this point what I can now do is perhaps write a password cracker, be able to crack these credentials and gain access into InfluxDB. So iptables in this case, as good as it might be, is about as useful as that yellow gate you see: all you need to do is step left or step right, move forward, and that's it, gate's defeated. And that's because we've managed to use IPv6 as our approach to communicate with the host.

Now, a bit of bonus knowledge here, something that I've done in the past is VLAN hopping. Depending on how the network's connected, you will see some networks are connected all as one, so link-local addressing flies about very widely, and as a result, if you keep an eye on it, you might even be able to hop into very restricted areas. So VLANs, for those of you who maybe wonder what VLANs are, well, they are virtual local area networks, they are different segments of a network, and you can split them for specific purposes. So you can have what we call a userland VLAN; a userland VLAN would be for low privilege users, do your job and that's it. And then you've got management VLANs, those are for administrators, people who manage the infrastructure. Using this technique you can go from user to management because of the fact that you're using IPv6 link-local addressing; it's one of those techniques that helps you to do that. To give you a bit of a visual example, you've got the attacker on the left who's going to use their machine that they've owned inside the network. They then send a message to the other side, but they can't do that via IPv4 because it's all VLANed, you know, VLAN 10 and VLAN 20, those two are not meant to see each other, those two aren't meant to talk. So as a result what we then do is take an alternative route, we choose the IPv6 route, and then depending on this management machine here, if it's got a link-local address, if it's got an address which is actually running and active and working on the network, well then you've basically managed to infiltrate the management VLAN. So what would you do from there? Let's just say port 22, Secure Shell, is open on this management machine.

You could then perform a password crack, you could gain access into this machine, and, I would never recommend to any penetration tester to do this, you don't drop all the configurations so the entire network is down; in a penetration test you would actually report this immediately because it's a critical finding. So that is technique number one.

I'm going to move on to technique number two, which is going to be fileless malware delivery. This is a bit wider, it's a bit more elaborate, it's not very specific to IPv6, and I'm going to discuss this a little bit. Generally when it comes to delivering malware to a target, when it comes to general penetration testing, what you can end up with is, when an attacker wants to deliver something, they'll drop it right on the disk. I mean, it's natural, of course you're going to drop it on the disk, where else are you going to drop it, you need to put it somewhere. But the problem with that is you've got security operations centres, you've got others who may be monitoring the network, you've got defences which may be actively listening, and they could easily catch that you're doing something malicious, and there you go, you've now been burnt in terms of the penetration test. Or if you're red teaming and you get burnt, well then that's not going to be very good, now is it, because the point is to remain stealthy, but in this case you've been burnt, in other words you've been detected, so to speak.

So how does fileless malware delivery work? Well, it uses, again, the Linux kernel and it uses a particular component, and that is called memfd_create. Now memfd_create, especially for attackers, those who are penetration testers, is very useful. Without repeating exactly what it says, I'll try to paraphrase: what it essentially means is, the way you could normally work on a file in the normal file system, so you would be able to write to a file, you'd be able to save a file, be able to delete a file, in the same way you can use memfd_create to be able to talk to files in memory, be able to delete files in memory, be able to append to files in memory. As a result it's a little sneakier, because you're not actually dropping anything on the disk, you're actually putting it in memory.

So fileless payloads, and sort of the actual contents that would be involved in the exploitation phase, can be done using various techniques and various methods. Now, based on the research conducted and based on the findings of others, you can do this in two different ways. The first one is code packing, which in my opinion is amazing: it's portable, it's clean and it's much more useful because you can use wider payloads with it. What you would essentially do is get a malicious binary, a piece of malware, you pack it up and you send it over the network using Secure Shell pipes. I'll explain soon what I mean by Secure Shell pipe; to give you a rough idea, what I essentially mean is we'll get some data from our side and we'll send it across to the target over the network. We're not going to put anything on the disk, we're going to do it over the network thanks to the capabilities of SSH. And the second technique, which I've actually utilised in this presentation, is hosting the payload on an HTTP server and having a command and control; well, the HTTP server would be a command and control. A command and control would be a machine owned by the attacker, it's the machine which an attacker can use to be able to communicate with their targets and be able to do a lot of things.

So how we're going to connect and how everything is going to happen, it's going to use something called a dropper payload. Those of you who are a little bit into the malware scene may know that a dropper essentially takes a piece of content and drops it into the network. So our approach: you've got the attacker, who is actually going to be hosting the command and control server. Now on the command and control they are hosting a payload, and this payload can be absolutely anything: it can be to scan ports within the network, in other words gather information, it can be a specific piece of malware to gain administrative access, it could be, I've never seen this before but I imagine someone's probably going to try it at some point, maybe even put ransomware on there and be able to deliver it into a network. So what we do is we will have our dropper payload, which is going to be a Python script, and what that's going to do is just make contact to our HTTP server; it's actually going to go to the payload, it's going to grab it out and it's going to drop it into the network without actually storing anything on disk, which in a way is a lot more dangerous, in the sense that those defences which are supposed to be watching the disk are not going to see anything, because it's all being put in memory. So as a result, what you see here is the payload gets dropped in, it gets executed on what should be a non-executable file system, and as a result the target machine has absolutely no traces of the offensive tools except for being stored in memory.

So now we do a little bit of preparation, we prepare our attack, we get everything ready from our side. You've got the attacker on the left, and what I'm doing in this case is using what we call an ngrok instance. ngrok is one of those really useful tools where you may have a particular service that you want to expose to the internet; in my case I want to expose a web server, this is where the payload is going to be hosted, this is where I want to actually contact this web server, so it needs to be exposed somehow. So as we see here on the right hand side, the ngrok instance is active, it's listening and you've got the link ready to go, so exposing port 880 via the wide area network using ngrok.

So now we're going to take a bit of a dive into Python. Python is a programming language, and what you're seeing right now is actually code which is meant to be doing something malicious, so let's kind of go over it. What it's going to do is, it's going to grab, as I said before, it's going to make a system call to Linux, it's going to make a memfd_create instance, it's going to say "right, I need memfd_create", and I also want to grab what we call the process identification number, in other words the PID. Once it makes a call to memfd_create it actually creates a file which we're going to use. What then happens in this case, what I've done is I've written what we call a function, so this piece of code is designed to be reusable: I can use this in many situations, I don't need to cater it for one situation, I can use it for many, as long as I give it a web-based URL. From this point, once I've actually called the file, I'm then going to take all that data and read it; basically, I'm going to take all the data from the web server and read all this data into the target. Where we actually do this is in the proc file system, so as we see with the line which says "with open", what we actually do here is we spawn a file inside what should be a non-executable file system, we then insert our payload into this file system, and we need two particular components for that. In order to refer to the file, in order to have a reference to it, we first of all need the process ID, the process ID is one component, and we need the name of the file; without these two we can't actually make any contact. So we need these two, we put them in, and then the response is written. Once the response is written, this is why I don't quite like the approach here, this is why I believe it can be made more efficient. Now if you notice where the os.system call is being made, Python 3 is being launched on the other side. Now this is an assumption: what makes you think Python 3 is actually on the other side, what makes you think Python 3 is even installed? If Python 3 is not installed, this whole attack has gone right in the bin. So you could now think of ways to make this a little bit more flexible, a little bit more portable, so that you don't need Python 3, but in this case, if Python 3 is definitely on the other side, and you can confirm this either through social engineering or other means, you can go ahead and use this.

but it can't be improved so what we then do is we send off payload right so what we do is we will run this big massive blocker code into one line where we're going to grab the payload we're going to read it and we're going to drop it into our network over what we call an SSH pipe so now is execution time so now that you've done the preparation now that you've got the payload ready it's now time to go in and actually do the execution of it so some things to consider here we can't leave any traces on the target disc I mean that's the point of it right it's fileless if you leave a trace on the target disc then

you've dropped a file, it's no longer fileless, it's pointless in that sense. So what we then do, a term that I've constantly been seeing for the past 5 minutes or so, is use SSH pipes to deliver our payload. We're essentially going to use the secure shell protocol to transfer some data over for us. In this case we're going to execute a remote command on the other side, Python, and then we're making the assumption Python 3 is on the other side. If it's not, trouble, but in this case it is, it works, but that's something to consider to improve. So from

this point what now happens is our dropper puts the payload into random access memory and it's now sitting in memory, not on the disk. So if you were to run any defenses and try to find the malware, well, good luck, because it's not on the disk, it's sitting in memory. Now let's actually look a little bit into what I'm talking about. Those of you wondering why I've put a big red ball there, that's just to maintain privacy of particular host names, particular information which isn't meant to be disclosed. So what we'll do is we'll get our dropper up here, load that piece of code that you

saw before, we will have that output, and what we'll then do is we'll use that character that kind of looks like this; what that's called is a pipe. So what we're doing is we're getting the output from here and we're serving it as input into the SSH call. What we're basically saying is take that input, send it to the target I want to connect to and then run the remote command of Python 3, and as a result I've then done port scanning. So now I can see 22 is open, 111 is open, 443 is open, and that then informs me further what I can do and what I can perhaps not do,

but what's been the point of this? Well, you could have dropped the malware onto the disk, someone could have caught it, and if you were on a penetration test you would have got an email saying yeah, we've just found that file, game over. But in this case nothing's been found, or nothing should be found, because it's in memory. So as I said, what's the point, why do it, what is the purpose of using fileless malware delivery? Well, one of the first things I've kept saying is security operation centres and host intrusion detection systems, the two things which are going to catch you,

especially if you're going to dump a payload on the disk. Someone could be watching the machine actively, someone could be logged in, and if they see what we call a malicious file that's probably going to get deleted and your connection might even get removed, so we don't want that. When we would generally do that is using regular living off the land practices, where we would perhaps write a script on the target environment, but that's not going to be so useful for AIA because, let's remember, someone could be watching us. Now another use case of fileless malware delivery: let's say you've got a particular file system which isn't meant to execute anything, so those of

you who are Linux users and sysadmins will see noexec on some file systems, you can't execute stuff, but in this case we can bypass the noexec flag completely because of the way the attack works. And finally, the other good thing about this: you don't need to go around deleting files, shredding files, doing all that handy work. It's all stored in memory; once it restarts that's it, it's gone, it's been flushed out, unless of course someone wants to recover the contents out of RAM or manages to get it soon enough, but that's another topic entirely. Now let's consider the scenario

a little differently. So far I've been attacking a host which is reachable over the internet, right, because we've been making contact to web servers and everything's been pretty good so far. But if the target is an internal host then everything that you just saw is gone, it's not useful anymore, and the reason for that is if you've got a host inside the network they can't reach the web server, and if they can't reach the web server I can't reach that target, well then it's game over, isn't it, I can't really do much there. So in that case you need to think about the strategy a little bit better

now. So what are the problems with our approach, why is it so bad, what causes a problem if it's an internal host? The first thing being the server can't be contacted from the edge. We want to send a payload direct to our internal machine; that internal machine hasn't got internet, it's probably plugged in to an internal domain controller, plugged in perhaps to an internal server, so it's not meant to be exposed to the internet. If we try to contact the outside it's not going to know where to go. Secondly, you're not yet root. When it comes to Linux penetration testing, privilege escalation can sometimes be rare because in some environments things

are very heavily patched, things are very heavily updated. You're not yet root, you can't manipulate network connections, and even if you were root you'd need to know the exact address of the device to get an internet connection, so there's a lot playing on that second point; there needs to be a lot of NE toel before you can even consider that. And finally we could cheat a little bit: we could actually deliver the payload to an entry point machine and then we can easily just launch the attack from the entry point machine, but then again it's completely useless at that point, it's no longer fileless malware delivery, and the

reason I say that is because you've just put a file inside the target's infrastructure, so it's no longer fileless, is the point I'm trying to make. So what's the solution, what are we going to do in order to get into the internal host? As I mentioned before, you do see a red ball, that's just to redact particular names, just to make this a little bit anonymous, as some of the actions taken were on a real penetration test. What we do is we do a reverse SSH tunnel. A reverse SSH tunnel is, to put it in more

understandable terms: SSH is secure shell, it's a protocol which you can use to remotely access other hosts. What we do with the reverse tunnel is we take a service on our side and we deliver it to anywhere else where we also have SSH access. Something to consider here, when I said before you've got internal access, in this case you've got internal access via SSH. SSH is one of those utilities you can use for a lot of things, and what we're going to do here, we are hosting a Python server, as you may have seen, on port 80. We now need to give that to our target on the internal side so they can

talk to it on the inside. So what we do is we go from our side and we will actually deliver this to the other side. Now to shed a little more light on these commands, what's going on here: ssh -fN, this is pretty important. Those of you who are sysadmins, network admins, if you're using SSH one thing I'd always recommend: never enable command execution on your tunnels. If you're going to enable command execution, a third party, someone else, a malicious insider can easily start using your connection and start launching commands. So what this will do is background the tunnel, this is going to disable command

execution, and then we get into the main part of this payload: we will take our Python server, we'll deliver it to the other side, that's where we want it to be accessed, and then of course the -J, which is what we call the jump host. What it essentially means is you've got three devices here: you've got yourself, who is sitting on the outside, you're connected to the internet, you're reaching your target via the internet, that's number one. Number two is the machine which you use to enter the internal network, and number three is the machine that we

want to reach. So using this payload and using the jump proxy, what we're essentially doing is the payload starts from here, jumps to here and then jumps to here, which is why we use -J, because we go from 1, 2, 3, tunnels being formed, and now we have direct communication from ourselves to the target using SSH. So then let's do a quick check. I've done a quick check on the remote side just to confirm, can I actually reach this server, can I actually pull this off? Yes I can. Being logged into the other side, what I've done is I've first of all checked is the process live, is it open, is the

port available? Yes it is. Can I reach the server? So do a quick curl, in other words make a quick HTTP request, reach the server, and then start over. All right, okay, try to be quick. So then what we do is we will run our payload using the jump hosts and then we will be able to see what ports are open; we've managed to do this on an internal host. Now something to quickly consider is the big change that we've made: we've gone from a web server to making the host internally available on 127.0.0.1:8080 because of the

tunnel. So something to quickly consider is how do we protect ourselves as defenders. From an offensive perspective this is all very good, right, you can hide from the disk, but one thing you can't do is you can't hide from the network. You're still leaving a trace, you're still leaving information leakage; someone who is on the defensive side will be able to see this, and be sure they will knock you off and say yeah, I've got you now. So that's the end. Are there any questions from anyone? Well, round of applause first, thank you very much. Did you sit over there so that I'd have to walk further? No.

Yeah hi, very interesting, thank you. I'm curious about the VLAN hopping example, you said you could use that to get a secure shell on a destination machine. Not sure how you're achieving that, because as an attacker you can create the packets of the double encapsulation with both VLANs, but the remote machine doesn't do that, so the packets don't get back to you. It depends on how the network's configured really, I mean in a previous engagement I was able to reach a particular host which had SSH open, which is why I mentioned you can perhaps hop a VLAN, that's based on previous experience, but again it comes down to, as you've said, it depends on how

the network's configured. If the network is configured strangely enough, yeah, you can reach it, but of course if the network is well configured then no, you can't. Is that all right? Yes, it's just VLAN hopping always seems like a one-way street, because while you can double encapsulate, your remote machine behaves and doesn't apply the second encapsulation, it gets stripped out and back across that same... Well, the only answer I can probably give is the network was convoluted enough in the background in order for that to happen. Any other questions? Well if not, let's give a massive round of applause, thank you everyone.