PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). PortBender includes an aggressor script that operators can use to integrate the tool with Cobalt Strike. However, because the tool is implemented as a reflective DLL, it can integrate with any C2 framework that supports loading modules via a "ReflectiveLoader" interface. The tool also lets operators simulate the backdoor/persistence mechanism implemented in the "PortServ.sys" capability used by the Duqu 2.0 threat actor.
PortBender uses the WinDivert library to intercept network traffic via the Windows Filtering Platform (WFP). The design of PortBender is heavily influenced by the DivertTCPConn utility, which also builds on WinDivert.
PortBender has two modes of operation. The first is "redirector mode," and the second is "backdoor mode." In "redirector mode," any connection to a targeted destination port (e.g., 445/TCP) is redirected to another port (e.g., 8445/TCP). In "backdoor mode," traffic is only redirected after an attacker sends a specially formatted TCP packet to a target port (e.g., 443/TCP). PortBender then adds that client IP address to a list of backdoor clients and redirects all of that client's traffic to the target port to another port (e.g., 3389/TCP). An operator can use this mechanism to emulate the persistence method used by the Duqu 2.0 threat actor when it compromised Kaspersky.
To execute PortBender we must first import the "PortBender.cna" script into Cobalt Strike and upload the WinDivert32.sys or WinDivert64.sys binary included in "PortBender.zip" to the target host, choosing the file that matches the operating system architecture. The help menu for PortBender, with example usage, is shown below:
beacon> help PortBender
Redirect Usage: PortBender redirect FakeDstPort RedirectedPort
Backdoor Usage: PortBender backdoor FakeDstPort RedirectedPort Password
PortBender redirect 445 8445
PortBender backdoor 443 3389 praetorian.antihacker
For example, we may want to run PortBender in redirector mode to perform an SMB relay attack from a compromised Windows system. To facilitate this, we instruct PortBender to redirect all traffic to 445/TCP to another port, 8445/TCP, on which an attacker-controlled SMB service is listening. In this example, we run the command "PortBender redirect 445 8445" to accomplish this. The expected output is shown below:
In this example, we want to deploy the covert persistence mechanism on a compromised Internet-facing IIS web server. Here we run "PortBender backdoor 443 3389 praetorian.antihacker" to instruct the backdoor service to redirect any connection to 443/TCP on the compromised host to 3389/TCP, but only from IP addresses that have first supplied the required "praetorian.antihacker" keyword. The expected output is shown below:
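A defender-side check, added here as an example and not part of PortBender or this README: because the operator has to upload WinDivert32.sys or WinDivert64.sys to the target host, a driver-load telemetry record for that file is the most direct host artefact of a PortBender deployment. The record layout below is modelled loosely on Sysmon Event ID 6 ("Driver loaded") and is constructed; the field names, the sample paths and the severity labels are assumptions. It flags any WinDivert driver image by name, and separately flags drivers loaded from outside the system drivers directory at a lower confidence.

```python
"""Spot WinDivert driver loads in Sysmon-style driver-load records.

Constructed example, not PortBender code. The record layout is modelled loosely
on Sysmon Event ID 6 ("Driver loaded"); field names are assumptions.
"""
import re
from typing import Dict, List, Optional

# WinDivert ships as WinDivert32.sys / WinDivert64.sys (older) or WinDivert.sys.
WINDIVERT_NAME = re.compile(r"(^|[\\/])windivert(32|64)?\.sys$", re.IGNORECASE)

# Drivers legitimately installed by Windows live under System32\drivers.
SYSTEM_DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.IGNORECASE)

# Constructed sample records (not real telemetry).
SAMPLE_DRIVER_LOADS: List[Dict[str, str]] = [
    {"UtcTime": "2024-01-01 10:00:01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"UtcTime": "2024-01-01 10:05:12", "ImageLoaded": r"C:\Windows\Temp\WinDivert64.sys"},
    {"UtcTime": "2024-01-01 10:06:40", "ImageLoaded": r"C:\ProgramData\tools\windivert32.sys"},
    {"UtcTime": "2024-01-01 10:09:03", "ImageLoaded": r"C:\Users\Public\netfilter.sys"},
    {"UtcTime": "2024-01-01 10:11:55", "ImageLoaded": r"C:\Windows\System32\drivers\WdFilter.sys"},
]


def classify_driver_load(record: Dict[str, str]) -> Optional[str]:
    """Return a severity label for one driver-load record, or None if benign.

    "high"   : the image name is a WinDivert driver, wherever it was loaded from.
    "medium" : any other driver loaded from outside System32\\drivers.
    """
    path = record["ImageLoaded"]
    if WINDIVERT_NAME.search(path):
        return "high"
    if not SYSTEM_DRIVER_DIR.match(path):
        return "medium"
    return None


def find_suspicious_driver_loads(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify_driver_load over every record and collect the hits in order."""
    findings = []
    for rec in records:
        severity = classify_driver_load(rec)
        if severity is not None:
            findings.append(
                {"time": rec["UtcTime"], "path": rec["ImageLoaded"], "severity": severity}
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f"[{finding['severity'].upper()}] {finding['time']} {finding['path']}")
```

On the constructed sample this reports the two WinDivert images as high and the driver under C:\Users\Public as medium, while the two drivers in System32\drivers are ignored. In a real environment the name match would be paired with a review of which process requested the load and of any new listeners on non-standard ports such as 8445/TCP.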
- Arno0x0x for his work on DivertTCPConn
- Stephen Fewer for his work on Reflective DLL Injection
- Basil00 for his work on WinDivert
- Francisco Dominguez for his research into performing SMB relaying on Windows