
SSH Proxy Tunnel / Pivot


NetSecNow


Hey Guys,

Need a little help understanding SSH proxy forwarding, otherwise known as SSH pivoting. I have read a few tutorials that were very vague, seen a few videos from Hak5, but it still hasn't hit home yet. Here's my lab setup:

I have a few static IPs. I am testing a real-world scenario using a remote SSH box to pivot and scan the remote internal network. I am also using Metasploit.

Remote network: 75.xxx.xxx.x96

My local public IP: 75.xxx.xxx.x98

.x96 is behind a pfSense firewall I have set up. Port 22 is forwarded to a Metasploitable2 box I have there, LAN IP 192.168.2.2 (no worries, I have it set up to only accept connections from .x98 for security reasons). Also behind that pfSense firewall is a Proxmox VM server running various Windows images on the same LAN subnet as Metasploitable2.

On .x98 I am running a standard NAT router device, with my Kali Linux VM in the DMZ. The local LAN IP of the Kali machine is 192.168.1.2.

So in Kali, I do the following:

ssh -D 127.0.0.1:8001 msfadmin@75.xxx.xxx.x96 - this should set up my SSH proxy to msfadmin on .x96

I added socks4 127.0.0.1 8001 to proxychains.conf

I have confirmed this works by doing:

proxychains nmap -sT -Pn 192.168.2.4 (the WinXP box on .x96 with LAN IP 192.168.2.4) and this works: nmap returns results.

One of the Windows boxes on that remote LAN is 192.168.2.4 and it's vulnerable to the ms08_067 netapi exploit. I can confirm this in msfconsole after I setg Proxies socks4:127.0.0.1:8001 and run the check command against 192.168.2.4 - it returns "Host is vulnerable".

However, when I fire the exploit in question, it almost seems like nothing is returning.

Say I set up the exploit and payload with bind_tcp to use port 4444. Since I have the Kali Linux box in the DMZ, no NAT port forwarding should need to happen, right?

I would assume, since my above examples of nmap and check in msfconsole return results for the remote LAN IP of 192.168.2.4, that the tunnel is working bidirectionally, but still, why isn't anything returning?

The exploit identifies the machine as Windows XP Pro, etc., but still my payload never gets sent to that machine.

I'm probably missing something, so I am asking you guys for some guidance.

Thanks in advance!


Some questions: how do you confirm that the Windows box is vulnerable to 08-067? What are you using to check it?

Your DMZ attack machine: what is between it and the Internet? Just because it is in a DMZ doesn't mean it automatically gets all traffic that comes to the DMZ external IP; it just means that it is in a specific network. This shouldn't matter as you are binding out, but it is something to be aware of.

If you start something listening on a port on the Windows box, can you connect to it through the proxy? I'd guess that something is missing the proxy.

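The check suggested in the reply above (start a listener on the internal box and connect to it through the proxy) and the proxychains/nmap -sT confirmation in the original post both reduce to one thing: a SOCKS CONNECT request sent to the ssh -D listener, which the pivot then turns into a plain TCP connect on its own LAN. The following is an added example and not code from the thread, OpenSSH, proxychains or Metasploit: a hand-written SOCKS4 CONNECT client you can point at the real ssh -D port, plus a minimal stand-in SOCKS4 server so the whole thing runs offline. The proxy address 127.0.0.1:8001 is taken from the post; the 127.0.0.1 targets, the echo listener and the PING probe are constructed for the demo.

```python
"""SOCKS4 CONNECT check through an ssh -D proxy.  Added example, not from the thread.
Assumed: proxy at 127.0.0.1:8001 as in the post; targets/ports are constructed."""
import socket
import struct
import threading

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
GRANTED = 0x5A    # CD=90: request granted, stream is now relayed
REJECTED = 0x5B   # CD=91: request rejected or failed (e.g. connection refused)


def build_connect_request(dst_ip, dst_port, user_id=b""):
    """SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port)
            + socket.inet_aton(dst_ip) + user_id + b"\x00")


def parse_reply(data):
    """Decode the 8-byte SOCKS4 reply (VN=0, CD, DSTPORT, DSTIP); return CD."""
    if len(data) != 8:
        raise ValueError("short SOCKS4 reply: %r" % (data,))
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != 0:
        raise ValueError("unexpected SOCKS4 reply version %d" % vn)
    return cd


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def socks4_connect(dst_ip, dst_port, proxy=("127.0.0.1", 8001), timeout=5.0):
    """Return (cd, sock): sock is the relayed stream when cd == GRANTED, else None."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_connect_request(dst_ip, dst_port))
    cd = parse_reply(_recv_exact(s, 8))
    if cd == GRANTED:
        return cd, s
    s.close()
    return cd, None


def port_open_via_proxy(dst_ip, dst_port, proxy=("127.0.0.1", 8001)):
    """The check from the thread: can the pivot complete a TCP connect to dst?"""
    cd, s = socks4_connect(dst_ip, dst_port, proxy)
    if s:
        s.close()
    return cd == GRANTED


def probe_via_proxy(dst_ip, dst_port, payload, proxy=("127.0.0.1", 8001)):
    """Send payload through the tunnel and return the first reply (b'' if closed)."""
    cd, s = socks4_connect(dst_ip, dst_port, proxy)
    if s is None:
        return b""
    with s:
        s.sendall(payload)
        return s.recv(4096)


# --- stand-in SOCKS4 server (what ssh -D provides), constructed for offline use ---
def _serve_one(listener):
    conn, _ = listener.accept()
    with conn:
        vn, cd, port, ip = struct.unpack("!BBH4s", _recv_exact(conn, 8))
        while conn.recv(1) not in (b"\x00", b""):      # skip USERID up to NUL
            pass
        if vn != SOCKS4_VERSION or cd != SOCKS4_CONNECT:
            conn.sendall(struct.pack("!BBH4s", 0, REJECTED, port, ip))
            return
        try:   # this is the connect the pivot makes on its own LAN
            up = socket.create_connection((socket.inet_ntoa(ip), port), timeout=2)
        except OSError:
            conn.sendall(struct.pack("!BBH4s", 0, REJECTED, port, ip))
            return
        with up:
            conn.sendall(struct.pack("!BBH4s", 0, GRANTED, port, ip))
            data = conn.recv(4096)                       # relay one request/reply
            if data:
                up.sendall(data)
                conn.sendall(up.recv(4096))


def start_fake_socks4():
    """Start the stand-in proxy on an ephemeral port; returns (port, listener)."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)

    def loop():
        while True:
            try:
                _serve_one(lst)
            except (OSError, struct.error):
                if lst.fileno() == -1:                   # listener closed: stop
                    return

    threading.Thread(target=loop, daemon=True).start()
    return lst.getsockname()[1], lst


def demo():
    """Offline run: a local echo listener plays the internal host, the stand-in
    proxy plays ssh -D.  Returns the open-port, echo and closed-port results."""
    svc = socket.socket()
    svc.bind(("127.0.0.1", 0))
    svc.listen(5)
    svc_port = svc.getsockname()[1]

    def echo_loop():
        while True:
            try:
                c, _ = svc.accept()
            except OSError:
                return
            with c:
                c.sendall(c.recv(4096))

    threading.Thread(target=echo_loop, daemon=True).start()
    closed = socket.socket()                             # bind, then free the port
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()

    proxy_port, lst = start_fake_socks4()
    proxy = ("127.0.0.1", proxy_port)
    try:
        return {"open": port_open_via_proxy("127.0.0.1", svc_port, proxy),
                "echo": probe_via_proxy("127.0.0.1", svc_port, b"PING", proxy),
                "closed": port_open_via_proxy("127.0.0.1", closed_port, proxy)}
    finally:
        lst.close()
        svc.close()
```

Against the real pivot, once ssh -D 127.0.0.1:8001 is up, port_open_via_proxy("192.168.2.4", 445) with the default proxy argument answers the same question nmap -sT answers through proxychains. The proxy only ever relays TCP connects that originate on the Kali side, which is why the scan needs -sT -Pn (no raw SYN, ICMP or UDP cross the tunnel) and why a bind_tcp payload can work through the Proxies option (Metasploit connects out to the target's port 4444) while a reverse_tcp payload needs its own path back, for instance a remote forward with ssh -R on the pivot and LHOST set to the pivot's LAN address rather than the Kali box.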

I'd drop tcpdump or Wireshark on the machines and see what traffic is going where. If everything is working correctly, all traffic will be over SSH, so you won't see the actual data, but you will see packets, just to confirm things are moving. If you see a connection heading out to 4444, or maybe ARP traffic in the wrong place, then you know where to start looking.


Thanks for the replies. I did wind up doing the whole Wireshark thing and figured out what was wrong. I will be making a video tutorial on this for our NetSecNow project on YouTube: http://www.youtube.com/user/NetSecNow

In short: I wasn't setting the LHOST right in the payload/exploit, and also the target machine on my remote lab must have auto-updated or something, because it was no longer subject to ms08_067_netapi. Luckily another box was, and I got it working.

Thanks for the help guys.
