![]() ![]() After looking at CoreDNS’ plugins I discovered the forward plugin supported an option to force TCP. This was very easy as the linuxserver/wireguard docker had CoreDNS as its own DNS server for WireGuard clients. ![]() After fighting with tunnelling UDP traffic and eventually working out that the specific SOCKS proxy I was using did not support UDP I opted to setup a DNS server which would take UDP requests and forward them on as TCP. There is one problem though, UDP traffic is not working great (even though SOCKS5 supports it), which causes issues as DNS is over UDP. \o/ Running SeatBelt on a remote host, inside the compromised network over our WireGuard tunnel, via a SOCKS proxy. PROXYCAP UDP WINDOWSUsing docker compose to glue the services together and to set this up quickly on a jump box, I gave it a test and was able to get SeatBelt.exe into the network from my own Windows VM just by connecting to the WireGuard VPN. I did some editing of the tun2socks docker container with a simpler entry point to our use case. I found that tun2socks also had a container, xjasonlyu/tun2socks and linuxserver/wireguard which I had previously used for my own WireGuard server. To make getting up and running even simpler I did some searching for docker containers to handle some of the work for me. Listing of a Domain Controller’s shared folders via a SOCKS proxy exposed using Cobalt Strike, leveraging WireGuard and tun2socks to reach it. Using this setup, we can now interact with a remote network, using a traditional network route, complete with DNS resolution (more on that in a moment!). ![]() High level architecture diagram for WireSocks tun2socks and Wireguard, we can connect arbitrary clients via Wireguard and route traffic into a SOCKS proxy and into client networks. More specifically in this instance I used WireGuard which is an awesome simple VPN that has clients for all manner of operating systems. Turns out, we have this easy network tooling that runs on Windows (amongst others) that takes your traffic from one point to another called VPNs. This would be more effort than Proxyfier, I felt. This seemed like a great idea, except every time you would want to use it for your Windows machine you would have to setup a Linux router with this installed and route your Windows machine through it. Luckily for me there already was a project that handled this called tun2socks (originally I used RedSocks, but showed me tun2socks which removes some of the iptables complexity in RedSocks) which is really just some Golang magic together with some routes that lets you redirect traffic into a tun device and have it push traffic through your SOCKS proxy. Why not do the redirection at a network level and avoid all the weird Windows nuances? Network Level Proxying Having this happen a few times, I was struck with some inspiration. If you haven’t, go read it! Unfortunately, in some edge cases those tools fail or become annoying by not catching all the traffic as you’d like. PROXYCAP UDP HOW TOThe SpectorOps team wrote an excellent post detailing how to use software such as Proxifier and Proxycap on Windows to force your tools to use your proxy. This comes with the issue of how are we going to trick these Windows applications into using our proxy. However, recently a lot of really nice tools have been released which have been made to run on Windows. Once you have a SOCKS proxy setup, that is usually when good old reliable proxychains-ng comes into the picture where you’d use it to tunnel the majority of your tooling through the proxy. SOCKS proxies are everywhere and there are many examples of Cobalt Strike or Metasploit being used to proxy traffic through an agent or tools like ReGeorg, Pivotnacci or Chisel being used to proxy traffic via a compromised web server or similar. This involves getting network traffic through your compromised device via a SOCKS proxy. We often get into a position where some sort of internal device has been compromised and you want to take it further. PROXYCAP UDP CODEIf you are just looking for the code you can find it here. In this post I’ll elaborate a bit on that idea. PROXYCAP UDP FULLThis is convenient in cases where it would be nicer to have a full network route to a target network (with working DNS) vs just having application specific proxy rules. I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such as SOCKS, using anything that can run WireGuard. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |