Tunneling
Chisel
- https://github.com/jpillora/chisel
- Go
- can be built cross-platform
- Create a tunnel between the bounce and the VM, then propagate our SOCKS proxy through it
- DON'T OPEN A LISTENING PORT on the VM: make it connect back to our bounce
On the bounce:
(bounce)$ ./chisel server -p 443 --reverse --auth "<user:password>"
On the VM (client):
C:/> chisel client --auth "<user:password>" --proxy http://webcache.groupe.client.fr:3128 BOUNCE_IP:443 R:1080:socks
On the bounce we can check if it’s working:
(bounce)$ curl -k https://internal.hostname.client.fr/ --proxy socks5://127.0.0.1:1080
Then propagate the socks:
(laptop)$ ssh -N -L 1081:localhost:1080 user@bounce
Now we can use socks5:1081 on our laptop.
It is a good idea to limit access to the bounce with IP filtering:
# We assume chain INPUT policy = DROP
iptables -I INPUT -s EXTERNAL_IP_VM_CLIENT -p tcp --dport 443 -j ACCEPT
Specify the proxy user and password
chisel client --proxy http://user:password@proxy:8080 <other_options> <ip_server_chisel>:<port_server_chisel> <conf>
If the password contains special characters (#, {, }, [, ], §, ?, !, etc.), percent-encode them in the URL:
! => %21, ? => %3F, & => %26, [ => %5B, and so on
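As an added example (not from the original notes), a small Python helper that percent-encodes the proxy credentials for the --proxy argument and shows, by parsing the URL back the way a client would, why an unencoded password breaks it; the host name and credentials below are constructed.

```python
from urllib.parse import quote, unquote, urlsplit


def encode_proxy_password(password: str) -> str:
    """Percent-encode every character outside the RFC 3986 unreserved set,
    so '#', '?', '&', '@', '[' ... cannot be mistaken for URL syntax."""
    return quote(password, safe="")


def build_proxy_url(user: str, password: str, host: str, port: int,
                    scheme: str = "http") -> str:
    """Assemble the value for chisel's --proxy flag with encoded credentials."""
    return (f"{scheme}://{quote(user, safe='')}:{encode_proxy_password(password)}"
            f"@{host}:{port}")


def credentials_from_proxy_url(url: str) -> tuple[str, str, str, int]:
    """Parse a proxy URL as a client does and return (user, password, host, port).
    Used to check that the credentials round-trip; an unencoded '#' or '@'
    silently shifts the host and truncates the password."""
    parts = urlsplit(url)
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname or "", parts.port or 0)


def build_chisel_client_command(auth: str, proxy_url: str,
                                bounce: str, port: int) -> list[str]:
    """argv for the reverse-SOCKS client from the notes; passing a list to
    subprocess avoids a second round of shell quoting problems."""
    return ["chisel", "client", "--auth", auth, "--proxy", proxy_url,
            f"{bounce}:{port}", "R:1080:socks"]


if __name__ == "__main__":
    # constructed values: not a real proxy or account
    url = build_proxy_url("user", "p#ss?w&rd[1]", "proxy.corp.example", 8080)
    print(url)
    print(credentials_from_proxy_url(url))
    # the same password left unencoded: host becomes "ss", password "p"
    print(credentials_from_proxy_url("http://user:p@ss#w0rd@proxy.corp.example:8080"))
```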
SSF
- https://github.com/securesocketfunneling/ssf
- C++
- supports a nice, complete configuration file
- Needs a Windows machine to build the exe (requires some prebuilt dependencies: OpenSSL, Boost, etc.)
Change proxy if GUI is not allowed
$regKey="HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# start by displaying the currently configured proxy values
Get-ItemProperty -path $regKey ProxyServer
Get-ItemProperty -path $regKey ProxyEnable
# in this example, the returned values are:
# ProxyServer = http://webcache.groupe.client.fr:3128
# ProxyEnable = 1
# we can redefine the proxy so traffic goes through Burp
Set-ItemProperty -path $regKey ProxyServer -value "http://127.0.0.1:8080"
# at this point, requests should appear in Burp Proxy
# at the end of the audit, restore the initial proxy value
Set-ItemProperty -path $regKey ProxyServer -value "http://webcache.groupe.client.fr:3128"