In this video, explore what a tunnel is and how it works to act as a relay between an attacker and an internal system.
- [Instructor] Sometimes we need to get access to a service on a target inside a network, or to access a service outside our network, but access using the protocol for that service is blocked. Sometimes we just want to hide outgoing traffic by using a common protocol such as HTTP. Tunneling is a technique that allows us to wrap one form of traffic in another protocol so that it looks like a benign or allowed traffic stream.
The concept of a tunnel is simple enough. It requires an agent at both sides of the tunnel: one at the source, which accepts a stream of traffic, encapsulates it in the desired transport protocol and sends it to the target using that protocol; and one at the target, which unwraps it from the outer protocol and passes it to the intended service or collector in its original form. Sometimes we need to write the agent for tunneling, and sometimes protocols exist that are designed to provide tunnels for us to use.
Microsoft, for instance, provides an HTTP tunnel to carry RPC traffic as part of its TCP/IP implementation. In Microsoft's words, this allows RPC clients to securely and efficiently connect across the Internet to RPC server programs and execute remote procedure calls. This is accomplished with the help of an intermediary known as the RPC over HTTP proxy, or simply the RPC proxy.
Another example of a standard tunnel is the Point-to-Point Tunneling Protocol, or PPTP, defined in RFC 2637. This protocol can be used to create a VPN connection. A PPTP tunnel uses TCP port 1723 and sends packets using a non-standard protocol known as Generic Routing Encapsulation, or GRE. However, due to many security issues, PPTP is now obsolete and has been superseded by the L2TP protocol.
Strictly speaking, a virtual private network is not a tunnel but rather a collection of protocols which provide a secure path between two network devices. Nevertheless, I'll cover VPNs in this section, as they do provide similar functionality and will often send traffic through an integrated tunneling protocol. OpenVPN is an open-source application that implements a secure virtual private network tunnel using a custom security protocol based on an SSL/TLS key exchange.
This is a popular solution for creating tunnels between peer systems and allows all protocols to pass through the VPN tunnel. While not standardized, there is growing interest in creating a standard for user-space VPNs such as OpenVPN. IPsec is a standardized VPN protocol which is used in many enterprise and carrier network solutions for protecting network links. IPsec supports network-level peer authentication, data origin authentication, data integrity, confidentiality, and replay protection.
IPsec is in fact an architecture for security services on IP network traffic, and it includes three main protocols: the IP Authentication Header (AH), defined in RFC 4302, which is an optional packet header used for integrity and authentication purposes; the IP Encapsulating Security Payload (ESP), defined in RFC 4303, which is another optional packet header used for confidentiality and access control;
and the Internet Key Exchange (IKE), defined in RFC 7296, which allows hosts to negotiate cryptographic services and keys. You can learn more about IPsec in Liza Boc's Introducing IPsec course. There are a number of other protocols that can be used to tunnel traffic. L2TP, the Layer 2 Tunneling Protocol, is used to tunnel Point-to-Point Protocol packets across a network transparently.
L2TP evolved from two earlier protocols: the Point-to-Point Tunneling Protocol mentioned earlier, and the Cisco proprietary protocol called the Layer 2 Forwarding Protocol (L2F). The L2TP tunnel is designed to carry both control and data packets. L2TP doesn't provide confidentiality, but it can be used in conjunction with IPsec in order to create a secure tunnel. This joint protocol is defined in RFC 3193.
The Secure Socket Tunneling Protocol, SSTP, is a tunnel protocol that provides a mechanism to transport point-to-point traffic through an HTTPS connection. Using HTTPS is a useful way of avoiding the tunnel being blocked by firewalls. There's a final technique, which I'll cover for completeness: port forwarding. This is a form of network address translation used to redirect packets from one address and port number combination to another while the packets are traversing a network gateway.
Examples of this technique include web proxies and routers. In the case of a router, port forwarding is used so that services on a host on an internal network can be accessed from the external network, by remapping the destination IP address and port number of the communication to the internal host's service. Port forwarding does no wrapping of the packets in another protocol, so it's not a tunnel. However, it does allow packets to be sent to the target on a port that another protocol would normally use.
If the data is inspected, then it would be detected as invalid protocol traffic for that service. But in the absence of deep packet inspection, the technique does allow traffic to pass through basic port filtering mechanisms.
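The two-agent relay the lecture describes, as an added example that is not code from the course or from any of the products it names: a minimal HTTP tunnel in Python. The entry agent wraps the bytes of some inner protocol in an ordinary-looking POST, so that a port filter sees only HTTP; the exit agent unwraps them, hands them to the real service, and carries the service's reply back inside the HTTP response. The "upper-case" service standing in for the blocked service, the `/sync` path, the `X-Session` header and the loopback ports are all assumptions made for this demonstration.

```python
import base64
import socket
import threading

# Added example (not from the course): a minimal HTTP tunnel with one agent at
# each end. The entry agent encapsulates inner-protocol bytes in a POST body;
# the exit agent strips the HTTP layer, relays the bytes to the intended
# service and returns the reply the same way. The upper-case "service", the
# /sync path, the X-Session header and the loopback ports are constructed.

TUNNEL_PATH = "/sync"


def http_wrap(payload: bytes, session: str, host: str = "cdn.example.invalid") -> bytes:
    """Entry agent: encapsulate inner-protocol bytes as the body of a POST."""
    body = base64.b64encode(payload)
    head = (f"POST {TUNNEL_PATH} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"X-Session: {session}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def http_response(payload: bytes) -> bytes:
    """Exit agent: carry the service's answer back inside a 200 response."""
    body = base64.b64encode(payload)
    head = f"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


def http_unwrap(message: bytes) -> tuple:
    """Strip the outer HTTP layer: (start line, headers, inner-protocol bytes)."""
    head, _, body = message.partition(b"\r\n\r\n")
    start, *lines = head.decode().split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}
    length = int(headers.get("content-length", "0"))
    return start, headers, base64.b64decode(body[:length])


def recv_http(sock: socket.socket) -> tuple:
    """Read one complete HTTP message (headers, then Content-Length bytes) and unwrap it."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = int(http_unwrap(head + b"\r\n\r\n")[1].get("content-length", "0"))
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return http_unwrap(head + b"\r\n\r\n" + body)


def serve_once(handler) -> tuple:
    """Loopback listener that serves one connection on a background thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def inner_service(conn: socket.socket) -> None:
    """Constructed stand-in for the blocked service: it replies in upper case."""
    conn.sendall(conn.recv(4096).upper())


def exit_agent(conn: socket.socket, service_addr: tuple) -> None:
    """Unwrap the POST, relay the inner bytes to the service, wrap its reply."""
    start, _, inner = recv_http(conn)
    if not start.startswith(f"POST {TUNNEL_PATH} "):   # anything else gets a plain 404
        conn.sendall(b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
        return
    with socket.create_connection(service_addr) as svc:
        svc.sendall(inner)
        reply = svc.recv(4096)
    conn.sendall(http_response(reply))


def tunnel_send(exit_addr: tuple, payload: bytes, session: str = "s1") -> bytes:
    """Entry agent: one inner-protocol exchange carried over one HTTP POST."""
    with socket.create_connection(exit_addr) as tun:
        tun.sendall(http_wrap(payload, session))
        _, _, reply = recv_http(tun)
    return reply


def run_demo(payload: bytes) -> bytes:
    """Wire service, exit agent and entry agent together on loopback."""
    service_addr = serve_once(inner_service)
    exit_addr = serve_once(lambda conn: exit_agent(conn, service_addr))
    return tunnel_send(exit_addr, payload)   # run_demo(b"hello") returns b"HELLO"
```

This carries one request and one reply per POST, which is enough to show the wrapping and unwrapping; a usable tunnel, like the RPC proxy mentioned above, keeps a session open across many requests and polls for data flowing back. Note that the outer layer is genuine, well-formed HTTP, which is exactly why a port filter, and even a filter that checks the protocol on port 80, lets it through.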
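The closing contrast between port forwarding and tunneling, as an added example that is not part of the course: two toy filters in Python. A port-only filter passes anything bound for an allowed port, so an SSH session forwarded to port 80 gets through. A filter that inspects the first bytes of the stream rejects that same session as invalid protocol traffic, but still passes a tunnel whose outer layer is real HTTP. The fingerprint rules, the sample first packets and the expected-protocol table are constructed for this demonstration and are far cruder than a real deep packet inspection engine.

```python
import re

# Added example (not from the course): port filtering versus content
# inspection. forwarded bytes arrive unchanged, so the SSH banner is visible
# on port 80; the tunneled sample looks like HTTP because its outer layer is.
# EXPECTED, the fingerprints and SAMPLES are constructed for the demonstration.

EXPECTED = {80: "http", 443: "tls", 22: "ssh"}
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify(first_bytes: bytes) -> str:
    """Fingerprint a stream from the first bytes the client sends."""
    if REQUEST_LINE.match(first_bytes):
        return "http"
    if first_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: handshake (0x16), version 3.x, then a ClientHello (0x01)
    if len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[5] == 0x01:
        return "tls"
    return "unknown"


def port_filter(dst_port: int) -> str:
    """Port-only filtering: it never looks at the payload."""
    return "allow" if dst_port in EXPECTED else "deny"


def content_filter(dst_port: int, first_bytes: bytes) -> str:
    """Filtering with inspection: the bytes must look like the port's protocol."""
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return "deny"
    if identify(first_bytes) != expected:
        return "deny: invalid protocol for port"
    return "allow"


# Constructed first-packet samples: (destination port, first bytes on the stream).
SAMPLES = {
    # An SSH session port-forwarded to 80: nothing is wrapped, so the banner shows.
    "ssh forwarded to 80": (80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # The same banner carried inside an HTTP tunnel: the outer layer is valid HTTP.
    "ssh tunneled in http on 80": (80, b"POST /sync HTTP/1.1\r\nHost: cdn.example.invalid\r\n"
                                       b"Content-Length: 28\r\n\r\nU1NILTIuMC1PcGVuU1NIXzkuNg0K"),
    # A TLS ClientHello on 443: record header plus the start of the handshake.
    "tls on 443": (443, bytes.fromhex("160301000a01000006")),
    # SSH to a port the filter does not allow at all.
    "ssh to a closed port": (2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
}


def classify_samples() -> dict:
    """Run both filters over the samples: {name: (port decision, content decision)}."""
    return {name: (port_filter(port), content_filter(port, data))
            for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_port, by_content) in classify_samples().items():
        print(f"{name:28} port filter: {by_port:6} content filter: {by_content}")
```

The forwarded SSH sample is allowed by the port filter and rejected by the content filter, which is the lecture's point about port forwarding; the tunneled sample is allowed by both, because the inspection would have to decode the HTTP body to notice what it carries. That is the practical difference between redirecting a port and wrapping the traffic.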
- How tunneling works
- Running a local SSH tunnel
- Dynamic SSH tunneling
- Pivoting with Armitage and Metasploit
- Exfiltrating using DET and DNS
- Covert exfiltration with Cachetalk
- Using PyExfil to exfiltrate over HTTPS