I’ve been frustrated during several pen tests lately at the lack of a tool to tunnel through a network in the way that I want to.
Consider the following network:
    [Attacker 192.168.200.40 (eth0)]
                |
                |
    [192.168.200.41 (eth0) VICTIM1 10.0.0.5 (eth1)]
                |
                |
    [10.0.0.10 (eth0) VICTIM2 10.10.10.20 (eth1)]
                |
                |
    [10.10.10.21 (eth0) VICTIM3]
Once we’ve compromised VICTIM1 we currently have a number of choices for tunnelling deeper into the network. As far as I’m aware, these are:
- Metasploit’s ‘autoroute’ module.
Advantages: This is a great tool that does exactly what I want. It tunnels traffic through the victim so that the attacker appears to be on the victim’s network.
Disadvantages: Works great, but only from within Metasploit. No use for running external tools, scans, or layer 2 protocols. Metasploit Pro has a VPN tunnelling feature that looks ideal, although not all of us can afford it 😉
- Metasploit’s portfwd module / iptables / simpleproxy.
Advantages: Quick and easy.
Disadvantages: Only forwards specified single layer 3 UDP/TCP ports, and each port must be forwarded individually.
- Proxychains / ssh -D SOCKS tunnelling.
Advantages: This is my current preferred method wherever possible. Easy and reasonably flexible.
Disadvantages: Proxychains is a hack in itself, and only supports layer 3 TCP.
- Implement a VPN server and set up bridging on your victim.
Advantages: Will do exactly what we want.
Disadvantages: Disastrous idea: requires config and install on the victim, possibly a reboot or interface reconfiguration/bridging, and is very unstealthy.
Currently, my preferred method is a mixture of the above depending on the scenario. What I’ve always wanted, though, is a method to bring up a local interface on the remote network that I can interact with as if I were directly connected, running any tools I wish, including ARP scans and poisoning.
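The reason the bridging option above is "very unstealthy" (and why a layer 2 tunnel endpoint is worth a defender's attention) is that every one of these approaches leaves host-level artifacts on the pivot box: a new tun/tap interface, an interface put into promiscuous mode (which ARP scanning and poisoning tooling relies on), or an interface enslaved to a bridge. The following is an added example, not code from this post or from tundeep, showing how a host audit can pull those three signals out of `ip -o link show` output. The sample output is constructed for the example rather than captured from a real host, and the name-prefix heuristic for tun/tap devices is an assumption; `ip -d link show` prints the definitive device type if you need it.

```python
import re
import subprocess

# Constructed sample of `ip -o link show` output (not taken from a real host).
# `ip -o` joins each interface's two lines with a backslash and spaces.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
5: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000\\    link/ether 9a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\\    link/none
"""

# One interface per line: "<index>: <name>[@peer]: <FLAGS> <rest of line>"
LINE_RE = re.compile(r"^\d+: (?P<name>[^:@ ]+)(?:@\S+)?: <(?P<flags>[^>]*)>(?P<rest>.*)$")


def parse_ip_link(output):
    """Turn `ip -o link show` text into a list of interface dicts."""
    ifaces = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an interface record
        rest = m.group("rest")
        master = re.search(r"\bmaster (\S+)", rest)
        link = re.search(r"link/(\S+)", rest)
        ifaces.append({
            "name": m.group("name"),
            "flags": set(m.group("flags").split(",")),
            "master": master.group(1) if master else None,
            "link_type": link.group(1) if link else None,
        })
    return ifaces


def audit_links(output):
    """Return (interface, signal) pairs worth a second look on a pivot host.

    Signals: PROMISC (promiscuous mode, used by ARP scan/poison tooling),
    MASTER=<dev> (enslaved to a bridge or bond), TUNTAP (tunnel endpoint).
    """
    findings = []
    for iface in parse_ip_link(output):
        if "PROMISC" in iface["flags"]:
            findings.append((iface["name"], "PROMISC"))
        if iface["master"]:
            findings.append((iface["name"], f"MASTER={iface['master']}"))
        # Heuristic (assumption): tun*/tap* names, or a TUN device's link/none.
        if iface["name"].startswith(("tun", "tap")) or iface["link_type"] == "none":
            findings.append((iface["name"], "TUNTAP"))
    return findings


def audit_live_host():
    """Run the audit against the local host (Linux with iproute2)."""
    out = subprocess.run(["ip", "-o", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return audit_links(out)


if __name__ == "__main__":
    for name, signal in audit_links(SAMPLE_IP_LINK):
        print(f"{name}: {signal}")
```

Against the constructed sample, `lo` and `eth0` are silent while `eth1` (promiscuous and bridged), `tap0` (all three signals) and `tun0` are reported, which is exactly the footprint the bridging option leaves behind. A recurring snapshot of `audit_links` output, diffed against a known-good baseline, is a cheap way to notice when a server suddenly grows a tunnel interface.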
Introducing TUNDEEP… [Get tundeep now]
For the next release I’m planning compression mode, packet mangling, and a code cleanup as well as any bug fixes that arise.