Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody, and welcome to Episode number 24, Tunneling. My name is Alejandro Guinea and I'll be your instructor for today's session.
00:11
The learning objectives are to understand the concepts behind this attack and apply the techniques to implement this attack. So let's get down to business, shall we?
00:22
Well, previously we saw some SSH tunneling techniques, but we will dive deeper into this technique. Basically, there are three types of SSH tunneling.
00:35
Well, I will be describing them one by one, but the three main types are local port forwarding,
00:42
reverse port forwarding, and dynamic port forwarding. And,
00:50
let me give you scenarios so you can better understand the applicability of each type of tunnel. Let me start by saying that you actually have to create an SSH channel.
01:07
It means that you actually have to have an SSH client
01:11
and an SSH server in order for this to work. So for this scenario, we have our
01:19
Kali machine, which is the client, and let me just drag this out so you can understand it better. We have our Windows 10 machine, which has this IP, and it will be our SSH server.
01:34
So let me get this out of the way. I will be dragging this to the screen so you can actually see the results from each scenario. So let's say that, let me give you a scenario: maybe you're outside, at your work or at a university, and you want to connect to a server outside, on the Internet.
01:53
Unfortunately, for this scenario, the firewall where you're located is blocking the connection, actually blocking that port. You can trick the firewall into thinking that you actually want to connect to another port. For this scenario, let's say 8181,
02:09
so the firewall doesn't block that connection. For example, the firewall is actually blocking the FTP connection port, port 21. I'm sorry, 21,
02:20
and you actually want to connect back to maybe your home server, your home FTP server.
02:27
So in this case, our home server will be the Windows machine, and our work or university computer will be the Kali machine. So I just type ssh
02:38
-L for local port forward, and then the port that I want to connect to, the new port, 8181, the one that is not blocked by the firewall in this scenario, then the remote machine IP, or the machine where I want to connect to,
02:55
and then
02:59
the port that's actually blocked. I mean, what I'm saying is that every time I connect to my localhost on this port, forward any connection to that port
03:08
through, of course, the SSH tunnel. So it means I have to first create an SSH connection. So
03:15
I put the username
03:17
and the server,
03:22
and it requested credentials.
03:24
Before I hit Enter, let me just show you this: netstat
03:31
| grep
03:34
8181. Nothing is actually listening on that port. So if I do this, I create... oops,
03:45
if I create the connection, as you can see in my Windows machine,
03:52
if I create the connection,
03:54
it means that I've already created a tunnel, an SSH tunnel. And if I go here, port 8181 is open, it's listening. And so,
04:05
remember that the command was actually redirecting whatever I entered to port 8181 on my local machine, the Kali machine,
04:15
to port 21. So let me just FTP to that.
04:25
I'm sorry,
04:28
port 8181. So it's actually something that is sitting here, so I just type
04:34
and password required.
04:36
And boom, there you go. User logged in, remote.
04:42
I don't have...
04:45
this is throwing errors, but that doesn't matter. The point is that
04:49
I'm actually connected to the Windows machine on port 8181.
04:55
If I actually exit this
04:59
and kill that tunnel,
05:03
I can't. Of course, nothing is listening anymore, just TIME_WAIT,
05:09
it's not listening. So if I go to FTP here, connection refused, because there's nothing listening there. So that's how local port forwarding works,
05:19
kind of in a nutshell, if you want.
05:23
We have reverse port forwarding, which is another type. You can do the same but backwards, I don't know if that makes sense to you guys, but let me give you a scenario. Maybe you want to continue working from home, but you don't really want to take the computer with you.
05:40
So in this case, remember, this was our work machine, this Kali machine was our work machine,
05:46
and this Windows machine was our home machine. So
05:51
right now I want to leave work, and I want to continue working on some stuff from home. But I don't want to take the machine, or I don't want to go with the machine, especially if it's not a laptop.
06:03
But we can use reverse port forwarding. So maybe in this scenario, let's say I want to continue using the OpenVAS vulnerability scanner, or continue using, at least continue managing our vulnerability scanner.
06:20
We first have to start up OpenVAS. Remember, we set up the OpenVAS vulnerability scanner. OpenVAS service start.
06:30
It will start, and it will tell us to go to port, I believe it's 9390.
06:35
Um,
06:38
but this will be available only for the local machine
06:42
that it's running on, okay.
06:44
So what happens if I actually go there? I log in and everything's working as expected, but what happens if I again want to leave work and go home and continue working from home? I can just type,
07:01
let me just grab the command here. Oh, but maybe wait. Just so you know, if I type here netstat and find the port, let's say the same one, 8181,
07:17
nothing will be listening here. I just want to show you this so you can see the results from running that other command.
07:25
So again, ssh -R, in this case for remote or reverse port forwarding, 8181, the one I just typed in the Windows machine. In this case, I want to forward the traffic back to this machine, this Kali machine.
07:45
So I just type,
07:46
you could just type localhost,
07:48
localhost, which will be the one to reverse the traffic to, and then port 9392,
07:59
which will be the one that is actually listening here, 9392. And again my credentials,
08:07
which will be the credentials from the Windows machine, and I type the password,
08:16
and I'm connected. So let me just grab the Windows machine here and type the exact same command. As you can see, there's actually a port listening here, and I can actually connect to the port. Let's continue in this Windows machine. Let me
08:33
make it a little bit bigger here, and I can actually go to,
08:39
use this machine, connect to this machine on port 8181. So
08:48
nope, sorry,
08:50
port 8181.
08:52
Oh, it's http, remember it's https. This might fail because, at the end, the new browsers nowadays have some kind of malicious connection detection.
09:05
And since I'm connecting to my localhost on port 8181, the certificate coming back
09:13
from my local machine will not match at all
09:20
the certificate that the browser, in this case
09:26
Edge, is expecting. It might fail due to this restriction, but let's see what happens.
09:33
Okay, "this site might not be secure." That's what I'm talking about. The browser is actually rejecting that I go to that page. Oh, sorry.
09:43
Home page.
09:45
We saw that in here, in details: the certificate is invalid, invalid CA, the certificate authority. That's expected.
09:56
I just say, hey, I don't care about that, and just go here. And
10:01
I can actually log in, remember?
10:05
I'm actually connecting to the local machine, my Windows machine, which is representing the home computer. And I can actually log in to administrate my vulnerability scanner back at home.
10:20
Again, let me just go back here. If I kill this connection,
10:30
oops, sorry,
10:31
and go back to my Windows machine, no connection will be displayed, or it will be TIME_WAIT,
10:41
meaning that port 8181 is not listening anymore. If I go here and refresh this page, it will fail, of course. So that's the magic of remote port forwarding.
10:54
But what about dynamic port forwarding? This, perhaps, is the most used. You can actually tunnel all the traffic from different ports through this to another server.
11:03
This is kind of a proxy, actually. If you use dynamic, which will be -D, let me just show the syntax, I will not execute it, we will be checking out proxychains later in this video. But the syntax is almost the same: -D for dynamic, and then just put 8181, the port again,
11:24
then log in again to your remote server,
11:26
um,
11:30
and that's it. That's the syntax. And then you just go to your browser and say I'll be using a proxy, a SOCKS5 proxy to be more precise, and all the traffic, you have to tunnel it, all passes through this tunnel, this SSH tunnel.
11:48
So this is basically what it is.
11:50
But let me just show you the same scenario, but using something called Tor, the Tor network, and proxychains. Tor does not come installed by default in Kali. You just have to type apt-get install tor and it will install it.
12:09
Um, this is basically, Tor is basically
12:13
a network, so you can pass all the traffic through it, and it's kind of a proxy. You just have to connect to the Tor proxy, the Tor network, and it will pinpoint your location throughout the world. Kind of a neat thing to do, actually. And,
12:33
let me just
12:35
give you this command, so: apt-get, sorry, apt-get install tor. And that's it. And then just service
12:50
tor start. I don't want to stop to explain much more, you can actually go and read about it. It's kind of a proxy, it's important for your location. You can Google it for more information. Then, just to check, service tor status.
13:09
It's active, listening,
13:11
and just so nothing is messing up my connections,
13:18
netstat... oops, sorry. By default, let me just give you the port.
13:28
Uh,
13:30
by default, Tor will be listening on this,
13:33
on this port, 9050. So now we need to tell all our programs, for example our
13:43
um,
13:45
browser, or tools, that we want to connect to that proxy. So for that, we use something called proxychains. There are newer versions of proxychains. At this point, proxychains 3 is the one I'm using,
14:05
but you can use whatever version of proxychains. The point is that you can use proxychains to actually pass the traffic through the Tor proxy. So for that, we actually want to first configure proxychains.
14:20
And let me just give you some insight on this, although the file is pretty self-explanatory. But let me just give you some hints about this.
14:33
There's dynamic chain, which will be, as the name suggests, or as the comments say: each connection will be done via chained proxies, all proxies chained in the order as they appear on the list, at least one proxy must be online to play in chain. This means that, let's say you have four proxies
14:54
and three of them are dead. It doesn't mean that the connection will not work. It will just go through one proxy, but that's it.
15:01
Strict chain means that it will go through all of the proxies in the order you put them, and if one fails, the connection fails. So
15:09
maybe you actually want, for some reason, to use the strict proxy chain because you want to jump in exactly that order through those specific proxies. But dynamic, I guess, is the most used one. And random chain is maybe the same as dynamic, just in random order.
15:28
Now, each connection will be done via a random proxy, or proxy chain, see chain_len,
15:35
and you tell it the length of the chain. But the most used one, I believe, at this point is the dynamic proxy chain.
15:41
Then we have proxy_dns, for the DNS leak.
15:48
Ah, you know,
15:50
as you can see, the option proxy_dns is enabled by default. This wasn't true in all versions of proxychains, though, but from this proxychains version, from really previous proxychains versions up to this one, and I believe in the future it will be the same, this option is enabled by default.
16:08
What DNS leak means is that even though your IP changes,
16:12
your DNS is still the same and will point back to your original DNS server, meaning that, yeah, your IP changed, but if I'm going to actually track who's actually port scanning me, or maybe you did something malicious to me, and the only thing you changed was your IP but not your DNS,
16:33
anybody with access to those DNS logs can find your real location.
16:37
So this is what DNS leak means, so enabling this option means that proxychains will take care of that. It will actually use a different proxy... I'm sorry, it will show you a different IP, but it will also use a different DNS so they cannot pinpoint your location.
16:57
Yeah, this is enabled by default. Now, by default, proxychains comes with the SOCKS4
17:07
proxy enabled, but you can enable SOCKS5. I do this, and I guess everybody does this, because SOCKS5 has more authentication options, and in the proxy the initial handshake has a couple of additional security steps.
17:26
You can live with SOCKS4 if that's what you want, but I just enable SOCKS5.
17:32
At this point in time, SOCKS5 is not enabled by default, so you have to do this.
17:37
And, you know,
17:40
let me just... So we have two components here: Tor, which will be the proxy, and proxychains, which will be the program to actually tunnel all the traffic to that proxy. Again, remember that you can do the same with dynamic port forwarding in the SSH
17:56
tool, with this tool, which will be creating kind of a SOCKS5 proxy.
18:00
But you can also do the same with proxychains and Tor. Very cool, actually. Tor is really neat,
18:07
proxies so you can pinpoint or hide your location, your traffic, and what you're actually looking for. So let me just type proxychains here and firefox, for example. And it will start my Firefox. Just, by the way, this might not work all the time,
18:26
because proxychains and Tor are not created by the same guy, so they have some compatibility issues sometimes. And
18:37
sometimes they actually work. For example, it seems that it's not working right now,
18:42
because, at the end, I'm based in Guatemala, by the way, so you can actually see my location. Oh, no, it's actually working. Okay, I'm based in Guatemala, I already told you that, but this is telling me I'm in the United States, Illinois to be more precise, and I'm definitely not there. So that's that.
19:02
Let me just
19:03
close this, and you can actually get a new IP and new information by just
19:08
restarting the service.
19:15
And if I
19:17
hit the same command again,
19:18
um,
19:21
it shows my location.
19:26
And this, of course, shows Moldova, wherever that is, Romania, Ukraine, Moldova. Okay. Yeah, I'm not in Moldova, I'm actually located in Guatemala, Central America,
19:41
but, um,
19:42
you know, but
19:44
this is what proxychains does. And actually, if I close all of this, you can actually tunnel every traffic. For example, you can actually... oops... just type proxychains and, for example, an nmap scan.
20:00
You can actually...
20:02
This will throw some, you know... Actually, you can also see this message, just denied or timeout again.
20:14
Proxychains and Tor do not get along all the time. So even though you see the message, it will work, as you just saw. And also, sometimes you don't see the message and it will not work. So you have to maybe debug that, maybe
20:33
with tcpdump or something like that.
20:34
Well, you can actually, let me just put one specific port that I know is open,
20:44
and it still tells us this IP is up. So it's not telling us that it is open or closed, it's filtered. Okay, wonderful. But the point is that this IP
20:56
we'll see, let me find, okay, this IP will see traffic coming from Moldova in this case, or whatever other location proxychains uses. This is the basic tunneling you can actually perform or use for your attacks,
21:11
ethical hacking attacks, or hide your traffic for some reason. Remember, you have to use all of this
21:17
for ethical purposes.
21:19
So what are the differences between reverse and dynamic port forwarding? Well, reverse is actually telling your remote server to connect back to your machine, your local machine, to a different port, or through a service or whatever. And dynamic port forwarding is kind of a proxy,
21:37
a proxy-
21:38
fashion server,
21:41
where you can actually pass all your traffic through that proxy, for example a SOCKS5 proxy.
21:47
Can we actually get remote control through this attack? Yeah, we can.
21:51
This is not necessarily something to gain remote control, but you can actually control anything you want remotely and hide your traffic, and even worse, the victim will never know that it was you.
22:03
In this video, we learned the concepts behind this attack, behind tunneling. We implemented some techniques to execute this attack, or this technique itself, and we saw how useful this can be.
22:15
Supplemental materials, as always, for this entire domain or module: The Hacker Playbook has really good techniques and commands and ideas you can actually practice in your local lab, and every possible source in Google, as always.
22:33
In the next video, we'll cover lateral and vertical movement.
22:37
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
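Added after the transcript as a worked example; it is not the instructor's code and not code from OpenSSH, proxychains or Tor. It shows the SOCKS5 exchange that sits behind the dynamic port forwarding (ssh -D) and proxychains-plus-Tor parts of the session: the client offers its authentication methods, the proxy picks one, then the client sends a CONNECT request and the proxy replies with a status code. The toy SOCKS5 proxy (standing in for ssh -D 8181 or Tor on 9050), the echo server (standing in for the FTP or OpenVAS service), the target name "localhost" and the message bytes are all constructed for the example so it runs offline on 127.0.0.1.

```python
"""SOCKS5 CONNECT exchange as performed by ssh -D and proxychains.
Added example: constructed toy proxy and echo server on 127.0.0.1, runs offline."""
import socket, struct, threading

SOCKS_VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, REP_SUCCESS = 0x01, 0x03, 0x00

def _recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a handshake in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def socks5_connect(proxy_addr, dest_host, dest_port, remote_dns=True):
    """Open dest_host:dest_port through a SOCKS5 proxy and return the socket.
    remote_dns=True sends the hostname (ATYP 0x03) so the proxy resolves it, which is
    what proxychains' proxy_dns does; False resolves locally and sends the IPv4 (0x01)."""
    s = socket.create_connection(proxy_addr)
    s.sendall(bytes([SOCKS_VER, 1, NO_AUTH]))               # VER NMETHODS METHODS
    ver, method = _recv_exact(s, 2)                          # VER METHOD
    if ver != SOCKS_VER or method != NO_AUTH:
        s.close()
        raise ConnectionError("proxy rejected NO_AUTH")
    if remote_dns:
        name = dest_host.encode()
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(dest_host))
    s.sendall(bytes([SOCKS_VER, CMD_CONNECT, 0]) + dst + struct.pack("!H", dest_port))
    ver, rep, _rsv, atyp = _recv_exact(s, 4)                 # VER REP RSV ATYP
    bnd = _recv_exact(s, 1)[0] if atyp == ATYP_DOMAIN else (4 if atyp == ATYP_IPV4 else 16)
    _recv_exact(s, bnd + 2)                                  # BND.ADDR BND.PORT
    if rep != REP_SUCCESS:
        s.close()
        raise ConnectionError(f"CONNECT refused by proxy, REP=0x{rep:02x}")
    return s

def _pipe(src, dst):
    """Relay src -> dst until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _serve(handler):
    """Listen on an ephemeral 127.0.0.1 port; run handler(conn) per client."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)
    def loop():
        while True:
            c, _ = ls.accept()
            threading.Thread(target=handler, args=(c,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()

def start_echo_server():
    """Constructed target service (plays the FTP / OpenVAS role); returns (host, port)."""
    return _serve(lambda c: _pipe(c, c))

def start_toy_socks5_proxy(seen):
    """Constructed stand-in for ssh -D or Tor on 9050: negotiate, CONNECT, relay.
    Appends (ATYP, DST.ADDR) of each request to `seen` so a caller can spot a DNS leak."""
    def handle(c):
        try:
            _ver, n = _recv_exact(c, 2)
            _recv_exact(c, n)                                # client's method list
            c.sendall(bytes([SOCKS_VER, NO_AUTH]))
            _ver, _cmd, _rsv, atyp = _recv_exact(c, 4)
            if atyp == ATYP_DOMAIN:
                host = _recv_exact(c, _recv_exact(c, 1)[0]).decode()
            else:
                host = socket.inet_ntoa(_recv_exact(c, 4))
            port = struct.unpack("!H", _recv_exact(c, 2))[0]
            seen.append((atyp, host))
            t = socket.create_connection((host, port))       # proxy resolves the name
            c.sendall(bytes([SOCKS_VER, REP_SUCCESS, 0, ATYP_IPV4]) + bytes(6))
            threading.Thread(target=_pipe, args=(t, c), daemon=True).start()
            _pipe(c, t)
        except OSError:
            c.close()                                        # client sees EOF, raises
    return _serve(handle)

def round_trip(remote_dns=True, payload=b"hello through the tunnel"):
    """Send payload via the toy proxy to the echo server; return (echo, ATYP proxy saw)."""
    seen = []
    echo = start_echo_server()
    proxy = start_toy_socks5_proxy(seen)
    s = socks5_connect(proxy, "localhost", echo[1], remote_dns=remote_dns)
    s.sendall(payload)
    reply = _recv_exact(s, len(payload))
    s.close()
    return reply, seen[0][0]
```

round_trip(remote_dns=True) returns the echoed bytes and ATYP 0x03: the proxy received the name "localhost" and resolved it itself, which is the proxy_dns behaviour. round_trip(remote_dns=False) returns ATYP 0x01: the bytes still flow through the proxy, but the name was resolved on the client, the leak the transcript warns about. Against a real tunnel, point socks5_connect(("127.0.0.1", 8181), host, port) at an ssh -D 8181 user@server session. A SOCKS4 proxy (proxychains' default) has no method negotiation step at all and would not accept the first message, which is the handshake difference the transcript mentions when switching the config to socks5.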

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor