TUNNA
A tool designed to bypass firewall restrictions on remote webservers
By:
Rodrigo Marcos
Nikos Vassakis
Web Applications
What a User sees
Web Applications
What a Penetration Tester sees
80/443
Firewall
A firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set.
Web Application Infrastructure
What a Penetration Tester can “assume”?
The Web Server will have other services running
[Diagram labels: DMZ; 80/443; RDP; SSH; DB; Etc.]
Web Application Infrastructure
The Web Server might be connected to other hosts
[Diagram labels: DMZ; 80/443]
Web Application Infrastructure
Maybe even connected to the local network
[Diagram labels: 80/443; Internal Network]
The Goal!
“Don’t worry, it happens to a lot of guys (and girls)”
Magic!
Post Exploitation 101
Steps:
1. Upload meterpreter
2. Run meterpreter
3. ???
4. Profit
Post Exploitation
A (*well configured*) firewall would block both incoming and outgoing connections to the internet from the webserver.
Post Exploitation
There is however one connection the firewall can’t block
And this is to the webserver on ports 80 and/or 443 *
*typically
This will always be allowed
Idea
Use a web application to establish connections on the other end of the firewall
The theory
Meterpreter Handler
Meterpreter Shell
What we want to achieve
[Diagram labels: DMZ; 80/443; RDP; SSH; services; Etc.; Internal Network; Tunna WebShell]
Using Tunna
Once the “Tunna WebShell” has been uploaded to the webserver, the user can connect to any port the host can access on the internal network.
*Slide added for the picture
How Tunna works
[Diagram labels: HTTP; Application Data; RDP; Tunna Webshell]
Detailed View
[Sequence diagram between Tunna Client, Tunna Webshell and RDP. Labels: Initial Connection; Send Cookie; Connect to [IP:port]; Establishes Connection; Received Data; Get Data; No Data; Send Data (Receive Response)]
Tunna RDP Demo
HTTP tunneling with Tunna - webshell connecting to remote RDP
https://www.youtube.com/watch?v=Kqb1PGrkzVw
Making Things Easy
Tunna Metasploit Module:
• Creates a meterpreter listener that listens on a local port
• Uses “Tunna WebShell” to transfer meterpreter to the remote server,
• Executes it and
• Connects to it
Metasploit Demo
HTTP tunneling with Tunna - metasploit module example run
https://www.youtube.com/watch?v=-Svxx7OVfQY
Tunna Version 1.1
Opening a new can of Tunna
Breaking Out Tunna
The Problem:
Internal firewall blocks certain services and/or sites
Internal Network
Breaking Out Tunna
Typically, internal firewalls block traffic based on the service or IP/DNS name of the remote host
Tunna can be used to pivot the connection to the remote host
[Diagram labels: Internal Network; Tunna WebServer]
Breaking Out Tunna
To ease this scenario a standalone “Tunna webserver” was developed. A webserver like Apache or IIS is not required.
Proxy support was also added to “Tunna Client” for situations where an internal proxy gateway is present. Tunna will use the internal proxy the same way the browser does and will channel all traffic through the proxy.
Limitations
The first version of Tunna had one limitation.
• It could only tunnel a single connection to a single remote service.
• A new Tunna instance was required for a second connection.
• However, third party software like SSH or a meterpreter shell could be used along with Tunna to tunnel multiple connections
Socking Tunna
Due to popular demand, the new version, Tunna (v1.1a) can be set up to be a local SOCKS proxy
Only SOCKS version 4a* is supported but works great for most scenarios!
*Note: SOCKS BIND method is not yet supported
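For reference, the SOCKS 4a CONNECT request that such a proxy has to accept, as an added example (not code from Tunna or the original slides): a parser that reads the 4a hostname extension and rejects BIND, as the note above describes. The sample requests and the host name are constructed.

```python
import socket
import struct

CONNECT, BIND = 1, 2          # SOCKS4 command codes
GRANTED, REJECTED = 90, 91    # SOCKS4 reply codes

class SocksError(ValueError):
    pass

def parse_socks4a(data: bytes):
    """Parse a SOCKS4/4a request and return (host, port, userid)."""
    if len(data) < 9:                      # 8 header bytes + USERID terminator
        raise SocksError("truncated request")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != 4:
        raise SocksError("not SOCKS version 4")
    if command == BIND:
        raise SocksError("BIND not supported")
    if command != CONNECT:
        raise SocksError("unknown command")
    ip = data[4:8]
    userid, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise SocksError("unterminated USERID")
    # 4a marker: DSTIP is 0.0.0.x with x != 0, and a hostname follows USERID.
    # The name is resolved by the proxy, so the DNS lookup happens on its side.
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        name, sep, _ = rest.partition(b"\x00")
        if not sep or not name:
            raise SocksError("missing or unterminated hostname")
        try:
            host = name.decode("ascii")
        except UnicodeDecodeError:
            raise SocksError("hostname is not ASCII")
    else:
        host = socket.inet_ntoa(ip)
    return host, port, userid.decode("ascii", "replace")

def reply(code: int) -> bytes:
    """Build the 8-byte SOCKS4 reply: VN=0, CD=code, port and IP zeroed."""
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)

# Constructed sample requests (not captured traffic).
REQ_4A = struct.pack("!BBH4s", 4, CONNECT, 80, b"\x00\x00\x00\x01") + b"user\x00host.example\x00"
REQ_V4 = struct.pack("!BBH4s", 4, CONNECT, 22, socket.inet_aton("10.0.0.5")) + b"\x00"
REQ_BIND = struct.pack("!BBH4s", 4, BIND, 22, socket.inet_aton("10.0.0.5")) + b"\x00"

if __name__ == "__main__":
    print(parse_socks4a(REQ_4A), parse_socks4a(REQ_V4))
```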
Split SOCKS 4a Proxy
The local applications connect to the local “Proxy Server”; everything is transferred to the remote “Proxy Server” over a single connection.
It works by tracking every connection, but it’s transparent to the applications using it. It’s just like using a SOCKS 4a proxy.
[Diagram: Local Socks Proxy with several “L port” endpoints; Remote Socks Proxy with several “R port” endpoints]
SOCKS Implementation
• The applications connect to the local “Socks Proxy”
• Everything is forwarded to “Tunna”,
• Is transferred to the remote “Tunna Webserver” and
• Forwarded to the “Remote Socks Proxy”
[Diagram labels: Local Socks Proxy; Tunna Client; HTTP Tunnel; Tunna WebServer; Remote Socks Proxy]
Tunna SOCKS Demo
HTTP tunneling with Tunna v1.1a using proxychains
https://www.youtube.com/watch?v=tyWTicaUD1k
Secondary Additions
Tunna Binaries for Windows are included in the new version (no need for python to be installed).
• Tunna Client executable
• Tunna Server executable
A Settings.py file has been added to ease setting up the client
*Note: All Tunna client binaries or python scripts can be used with all the different webshells or the Tunna Webserver (binary or python script) the same way.
Word of Caution !
Tunna generates a massive overhead for every TCP packet
Consequently, large amounts of traffic translate to large amounts of HTTP requests.
This can lead to a Denial of Service condition where the webserver/network devices etc. will not be able to cope with all the requests*.
It is also recommended for Tunna webshells not to be used as a permanent solution.
Some functionality is still experimental.
*Tunna standalone webserver is not affected at the same level.
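The request volume described above is also what makes this kind of tunnel visible in web server access logs. An added example (not part of the original slides or the Tunna project): it flags a client that hits one script path at a sustained high rate; the log lines, the path /upload/conn.aspx and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format prefix: client IP, timestamp, request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} '
)

def parse(line):
    """Return (ip, epoch_seconds, path_without_query) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"].split("?", 1)[0]

def find_polling(lines, window_s=10, min_requests=30):
    """Return {(ip, path): peak} where peak requests in any window >= min_requests."""
    times = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, ts, path = rec
            times[(ip, path)].append(ts)
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(stamps):        # sliding window over sorted times
            while t - stamps[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_requests:
            hits[key] = peak
    return hits

def sample_log():
    """Constructed sample: one client polling one script, one ordinary visitor."""
    lines = []
    for i in range(60):                        # 60 requests spread over 6 seconds
        lines.append(f'203.0.113.7 - - [01/Jan/2024:10:00:{i // 10:02d} +0000] '
                     f'"POST /upload/conn.aspx?x={i} HTTP/1.1" 200 12')
    for i, p in enumerate(["/", "/css/site.css", "/about", "/contact"]):
        lines.append(f'198.51.100.9 - - [01/Jan/2024:10:00:{i * 5:02d} +0000] '
                     f'"GET {p} HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    print(find_polling(sample_log()))
```

Thresholds need tuning per site: legitimate AJAX polling or health checks can produce similar rates, so known endpoints should be allow-listed before alerting.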
Future Plans
1. Add Authentication to Tunna
2. Add support for SOCKS v5
3. ???
4. World Domination
Tunna SUCKS!
… but it is still in development and is getting better with every release!
Thank you for listening!
…and watch this space:
http://www.secforce.com/blog/
*No animals were harmed during the making of this tool