Post-breach on a recent external penetration test, I wanted to do some poking around the target’s intranet, which required that I set up a SOCKS proxy. Given that I was using a jumpbox, I knew it was going to be necessary to set up a tunnel to get everything working properly. If you’re anything like me, tunneling makes your brain hurt. Fortunately, with a little help from jagar, some convenient Metasploit options, and a little whiteboarding, I was able to get things set up in no time at all. And I decided to document it for anyone else who might run across similar situations in the future and need a few reminders.
This scenario assumes that you’ve compromised a host on a target’s private network via a jumpbox.
It is important to note that there is a less secure method of getting to an organization’s intranet: running socks4a on a public interface will accomplish the same goal, but it leaves your target open and exposed. The localhost-bound approach described here is the better option.
Step 1: Define a Route
The first thing you will need to do is establish a route in Metasploit. The session you choose should be as stable as possible. It helps to migrate into a stable process (spoolsv is my personal favorite). The syntax for adding a route is as follows.
route add SUBNET NETMASK SESSION_GATEWAY
Here is a rough visual representation of Step 1:
Step 2: Start Socks Proxy
There is a very convenient auxiliary module in Metasploit that provides a SOCKS4a proxy server which will respect any routes that have been configured in Metasploit.
use auxiliary/server/socks4a
Set the SRVHOST to localhost. The SRVPORT option can be whatever you choose. I tend to stick to XX80 out of habit. The visualization doesn’t change much from the previous step.
Once your options are set, run the module and move onto step 3.
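Because the whole point of setting SRVHOST to localhost is to keep the proxy off the jumpbox’s public interfaces, it is worth confirming that the listener really is bound to loopback before you move on. The following is an added example (not part of the original post, and not Metasploit code) that parses `ss -ltn` output and flags any listener on the ports you care about that is bound to something other than a loopback address. The sample output is constructed to look like `ss -ltn`, and the port numbers are the ones used in this post.

```python
import ipaddress
import subprocess

# Constructed sample in the layout of `ss -ltn`; not captured from a real host.
# Port 1080 is the SOCKS4a listener, port 2080 the local end of the SSH tunnel.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:1080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     *:2080               *:*
"""


def parse_listeners(ss_output):
    """Return [(address, port)] for each LISTEN row of `ss -ltn` text output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the 4th column; split on the last colon so
        # bracketed IPv6 literals such as [::]:22 are handled correctly.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True only for loopback; '*', 0.0.0.0 and :: all mean 'every interface'."""
    if addr in ("*", ""):
        return False
    try:
        # Drop a zone id such as %eth0 before parsing.
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output, ports):
    """Listeners on the given ports whose bind address is not loopback.

    An empty list means the proxy and tunnel endpoints are only reachable
    from the box itself, which is what the SRVHOST=localhost setting intends.
    """
    return [(addr, port) for addr, port in parse_listeners(ss_output)
            if port in ports and not is_loopback(addr)]


def check_live(ports):
    """Run `ss -ltn` on this host and report exposed listeners on `ports`."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_listeners(out, ports)


if __name__ == "__main__":
    # Against the constructed sample, only the wildcard-bound 2080 is flagged.
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, {1080, 2080}):
        print("listener on port %d is bound to %s, not loopback" % (port, addr))
```

Run it on the jumpbox with the SRVPORT you chose; any row it prints means the proxy is reachable from outside and the SRVHOST setting should be corrected before continuing.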
Step 3: SSH Tunnel to Jump Box from Host
To tunnel web traffic from your host to the SOCKS proxy server on the jump box, you will need to establish a new ssh connection to the jumpbox with additional parameters. It’s simple enough:
ssh -L 127.0.0.1:2080:127.0.0.1:1080 user@jumpbox
Breaking the command down, you are creating an ssh connection as ‘user’ to your jumpbox with the following additions:
- On your host, you are opening a listener on localhost port 2080
- Traffic sent to localhost port 2080 on YOUR HOST will be tunneled over SSH to the JUMPBOX’S localhost port 1080 (specified earlier in Metasploit’s SOCKS4a module)
Conceptually, it resembles the following image:
Step 4: Set Browser Options
The final step in the process is to set your browser on your host to connect to the local listener established in the previous step. I prefer the FoxyProxy browser add-on for Firefox, but there are other options. The important thing to remember is that you must select the SOCKS4a option and not SOCKS5, as the Metasploit socks4a proxy server only supports SOCKS4a. The correct settings (for my chosen port) are displayed on the left.
After saving your connection settings (and enabling FoxyProxy, if you are using it), point your browser at a web page on the target internal network. You may also want to verify that your session is still valid if the setup process took a while.
Assuming everything worked correctly, you should now be able to hit web pages on the target private network from your host!