SANS Penetration Testing

Pen Test Poster: "White Board" - CMD.exe - C:\> netsh interface

Board Elements_clean_CMD.exe KUNG-FU! 2

By Matthew Toussain, Grant Curell

 

The pivot. Many intrusion campaigns follow a similar modus operandi. Attack the publicly available DMZ. Gain access to an initial target and leverage that access to pivot into the internal network. Now seize the objective. On Linux systems, Secure Shell (ssh) natively supports socks proxying. We can use this to bounce our tools off of a compromised host. This has two powerful use cases: attribution and pivoting. In the first case, sophisticated attackers and nation state threats often hop through an infrastructure of pre-compromised hosts to hide their true source or to perform misattribution (framing someone else for your attack). For penetration testers the latter use case, pivoting, tends to prove more useful. Specifically, leveraging an attack beachhead to further an ongoing intrusion campaign is standard and essential tradecraft. As mentioned on Linux this is often quite simple, but what about Windows?

 

Pivoting through Windows is often accomplished through specialized tunneling applications. Pivoting and port forwarding, for instance, are capabilities built directly into the popular Metasploit meterpreter. Nevertheless, more advanced attackers often rely on native system components in order to evade detection. In this post we will examine inherent Windows mechanisms to accomplish network pivoting.

 

Methods Covered in this Section:

netsh IPv4 to IPv6 port conversion for a remote computer:

netsh interface portproxy add v4tov6 listenport=8888 listenaddress=0.0.0.0 connectport=80 connectaddress=2000::1:215:5dff:fe01:247

netsh IPv4 port to another IPv4 port on the same host:

netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=445 connectaddress=192.168.1.112

netsh ipconfig:

netsh interface ipv4 show addresses

 

The network shell or netsh is a Windows command-line utility that was included in Microsoft operating systems beginning with Windows 2000. Its focus is command-line configuration of network utilities, but netsh encompasses a wide range of dynamic functions.

 

The Netsh Interface Portproxy provides command-line connection proxying between systems with direct IPv4 to IPv6 translation built in. This sounds a bit like tunneling, right? It is, from the DMZ host execute:

 

netsh IPv4 to IPv6 port conversion for a remote computer:

netsh interface portproxy add v4tov6 listenport=8888 listenaddress=0.0.0.0 connectport=80 connectaddress=2000::1:215:5dff:fe01:247

 

Now that we have a proxy established on our beachhead, all traffic directed to the compromised host on port 8888 is redirected over IPv6 to the internal target on port 80. Connecting to the DMZ target on port 8888 with our web browser reveals a web application running on the internal target.

netsh_interface_01

 

Command Breakdown

On pivot location:

netsh interface portproxy add v4tov6 listenport=8888 listenaddress=0.0.0.0 connectport=445 connectaddress=2000::1:21f7:fe55:df97:375e

1. netsh - Command line tool for manipulating network interfaces
2. interface - Allows a user to manipulate an interface's contexts (TCP/IP v4/6)
3. portproxy - Establishes a proxy between IPv4 and IPv6 networks and applications.
4. add - Adds an interface to the machine
5. v4tov6 - Translate received IPv4 traffic to IPv6
6. listenport - port to listen on
7. listenaddress - address to listen on
8. connectport - port to connect to
9. connectaddress - address to connect to

 

Netsh also allows a user to forward traffic within the same host. This may be helpful in the case of NAT where a firewall device permits one port inbound but you need to target a service listening on another port. This case often exists in the case of DMZ webservers where HTTP (port 80) is allowed inbound, but traffic from the MySQL or MSSQL databases (port 3306/1433) is restricted.

 

netsh IPv4 port to another IPv4 port on the same host:
netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=445 connectaddress=172.16.1.101

 

To verify that the portproxy is performing correctly we can Nmap port 9999 and observe the SMB (port 445) response traffic. Nice!

netsh_interface_02

 

Bonus - Netsh ipconfig

The Windows ipconfig command provides network interface configuration details, but not always in the most convenient fashion. Netsh provides an alternative method.

 

netsh ipconfig:
netsh interface ipv4 show addresses

netsh_interface_03

 

Additionally, netsh also provides a remote administration functionality if the Windows Remote Registry Service is running.

 

Anywhere with IP reachability to target machine:

netsh -r 192.168.1.103 -u entsim\administrator -p P@ssw0rd!

 

-r - The remote machine to connect to
-u - An administrator's username
-p - password

 

If netsh successfully connects, users may use an interactive netsh prompt to work with netsh as if they had shell on the target!

 

Print Your Own:

Get all of the CMD.exe tips from the SANS Pen Test Poster: "White Board of Awesome Command Line Kung-Fu!"

Board Elements_fung-fu

PDF: https://blogs.sans.org/pen-testing/files/2017/03/Board-Elements_fung-fu.p

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event - 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen
kringle_02

Post a Comment






Captcha


* Indicates a required field.