Sunday, October 15, 2017

SSH Tunneling (II): REMOTE port forwarding


- Layout for this exercise:

* This exercise is a continuation of the previous one

1 - Exploiting Windows 7

- First of all, Kali detects that Windows 7 is running the vulnerable BadBlue service on port 80:

- Exploiting the Windows 7 device with Metasploit:

2 - SSH Tunneling with REMOTE port forwarding

- Checking that Windows 7 is listening on port 3389 (Remote Desktop Protocol):

- In the same way, Kali detects that port 3389 is open:

- Plink.exe is a command-line connection tool, typically used with the SSH protocol, that lets you talk directly to a program running on the server:

- In case plink.exe is not present on the Windows 7 machine (it is included with PuTTY), it can be transferred from the attacker's Kali following these instructions:

- plink.exe helps us create a reverse SSH tunnel, exposing the Windows 7 RDP port on Kali at port 3390:

- Let's look at the parameters used in the previous command:

plink                       <- starts the SSH connection
-l root -pw rootpassword    <- user and password on the attacker's Kali
-R                          <- remote port forwarding option
3390                        <- local port at Kali (localhost)
3389                        <- remote port at Windows 7

- Once the tunnel is created, we need another terminal to open an RDP session:

- The new RDP session is created for user marie and her password:

- Finally, the attack is successful: Kali has an RDP session to Windows 7 available on its own desktop:

3 - Analyzing ESTABLISHED connections and corresponding ports with netstat

- Let's check which connections are ESTABLISHED on Windows 7 and which ports are involved:

- Same information (symmetrical) from Kali:

- There is one connection from Kali to Windows 7 on port 3389 (RDP):

- There is a second connection from Kali to Windows 7 on port 4444 (Metasploit):

- There is a third connection from Kali to Windows 7 on port 22 (SSH):
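The netstat review above is also how a defender spots this tunnel. The following script is an added example, not part of the original post: it parses `netstat -ano`-style TCP rows from the Windows host and reports the signature that remote port forwarding leaves behind, which is the combination of an outbound SSH session to the attacker and the RDP port being reached over loopback, both held open by the same process (the plink client). The addresses, PIDs and ephemeral ports in the sample are constructed; only the port roles (3389 RDP, 4444 Metasploit, 22 SSH) come from the post.

```python
"""Flag the netstat signature of a reverse SSH tunnel that exposes RDP.

Added example (not from the original post). Parses `netstat -ano`-style
lines from a Windows host and reports the pattern described in the post:
an outbound SSH session to the attacker plus the RDP port being reached over
loopback, owned by the same PID. All addresses, PIDs and ephemeral ports
below are constructed sample values.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "laddr lport raddr rport state pid")

# Constructed sample of `netstat -ano` output on the Windows 7 host.
# 192.168.1.10 is the Windows host, 192.168.1.5 the attacker's Kali.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:3389         127.0.0.1:49211        ESTABLISHED     812
  TCP    127.0.0.1:49211        127.0.0.1:3389         ESTABLISHED     2208
  TCP    192.168.1.10:49180     192.168.1.5:4444       ESTABLISHED     1980
  TCP    192.168.1.10:49205     192.168.1.5:22         ESTABLISHED     2208
"""

# One TCP row: proto, local addr:port, foreign addr:port, state, pid.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Parse TCP rows into Conn tuples; header and non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m["laddr"], int(m["lport"]), m["raddr"],
                              int(m["rport"]), m["state"], int(m["pid"])))
    return conns


def established(conns):
    """Keep only ESTABLISHED sessions, as in the post's netstat review."""
    return [c for c in conns if c.state == "ESTABLISHED"]


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def find_reverse_tunnel_indicators(conns, rdp_port=3389, ssh_port=22):
    """Return the evidence a reverse SSH tunnel to RDP leaves in netstat.

    - ssh_peers: remote hosts this machine has opened an SSH client session to
    - loopback_rdp: RDP reached from a local process over 127.0.0.1 rather than
      from a desktop client elsewhere on the network
    - tunnel_pids: PIDs that own BOTH an outbound SSH session and the loopback
      RDP client socket; this is the strong indicator (plink holds both ends)
    """
    est = established(conns)
    ssh_out = [c for c in est
               if c.rport == ssh_port and not is_loopback(c.raddr)]
    loopback_rdp = [c for c in est
                    if c.rport == rdp_port
                    and is_loopback(c.raddr) and is_loopback(c.laddr)]
    ssh_pids = {c.pid for c in ssh_out}
    return {
        "ssh_peers": {c.raddr for c in ssh_out},
        "loopback_rdp": loopback_rdp,
        "tunnel_pids": {c.pid for c in loopback_rdp if c.pid in ssh_pids},
    }


def summarize_established(conns, labels=None):
    """One line per ESTABLISHED session, labelled by the port roles the post names."""
    labels = labels or {3389: "RDP", 4444: "Metasploit", 22: "SSH"}
    out = []
    for c in established(conns):
        name = labels.get(c.rport) or labels.get(c.lport, "?")
        out.append(f"{c.laddr}:{c.lport} -> {c.raddr}:{c.rport} [{name}] pid={c.pid}")
    return out


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("\n".join(summarize_established(conns)))
    print(find_reverse_tunnel_indicators(conns))
```

On a real host, feed the script the output of `netstat -ano` and map any PID in `tunnel_pids` back to its image name with `tasklist`; a single process holding an outbound port 22 session and a loopback connection to 3389 is the thing to look for, since a legitimate RDP client on the LAN shows a non-loopback foreign address instead.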