


PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). PortBender includes an aggressor script that operators can use to integrate the tool with Cobalt Strike. However, because the tool is implemented as a reflective DLL, it should integrate with any C2 framework that supports loading modules through a "ReflectiveLoader" interface [1]. The tool also lets operators simulate the backdoor/persistence mechanism implemented in the "PortServ.sys" capability used by the Duqu 2.0 threat actor.

Design

PortBender uses the WinDivert library to intercept network traffic via the Windows Filtering Platform (WFP). Its design is heavily influenced by the DivertTCPConn utility, which also builds on WinDivert [1].

Usage

PortBender has two modes of operation: "redirector mode" and "backdoor mode." In redirector mode, every connection to a specified destination port (e.g., 445/TCP) is redirected to an alternate port (e.g., 8445/TCP). In backdoor mode, traffic is only redirected after a client sends a specially formatted TCP packet carrying the configured password to the target port (e.g., 443/TCP). PortBender then adds that client IP address to a list of backdoor clients and redirects all subsequent traffic from those clients to the target port to the alternate port (e.g., 3389/TCP); connections from any other address reach the target port's normal service untouched. This mechanism emulates the persistence method the Duqu 2.0 threat actor used when compromising Kaspersky.
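To make the two modes concrete (for example when reasoning about what a host or network sensor would observe), here is an added Python model of the rewrite rules described above. It is not code from the PortBender project; the Packet class, the treatment of the trigger packet (passed through unmodified) and the reverse rewrite of replies from the alternate port are assumptions made for the model.

```python
from dataclasses import dataclass, field, replace
from typing import Optional, Set


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet view (constructed for this model, not WinDivert's struct)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes = b""
    inbound: bool = True  # True = arriving at the host, False = leaving it


@dataclass
class PortBenderModel:
    fake_dst_port: int       # port the remote client believes it is talking to (e.g. 445)
    redirected_port: int     # port the local service actually listens on (e.g. 8445)
    password: Optional[bytes] = None  # None selects redirector mode, bytes selects backdoor mode
    clients: Set[str] = field(default_factory=set)  # backdoor clients admitted so far

    def _eligible(self, remote_ip: str) -> bool:
        # Redirector mode rewrites for everyone; backdoor mode only for admitted clients.
        return self.password is None or remote_ip in self.clients

    def handle(self, pkt: Packet) -> Packet:
        """Return the packet as it would leave the filter (possibly with a port rewritten)."""
        if pkt.inbound and pkt.dst_port == self.fake_dst_port:
            # Backdoor mode: a packet carrying the password admits its source address.
            # Assumption: the trigger packet itself is passed through unmodified.
            if self.password is not None and pkt.payload == self.password:
                self.clients.add(pkt.src_ip)
                return pkt
            if self._eligible(pkt.src_ip):
                return replace(pkt, dst_port=self.redirected_port)
        if not pkt.inbound and pkt.src_port == self.redirected_port:
            # Replies from the alternate port must look like they came from the fake port,
            # otherwise the remote client would see an inconsistent connection.
            if self._eligible(pkt.dst_ip):
                return replace(pkt, src_port=self.fake_dst_port)
        return pkt
```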

To run PortBender, first import the "PortBender.cna" script into Cobalt Strike and upload the WinDivert32.sys or WinDivert64.sys binary included in "PortBender.zip" to the target host, choosing the one that matches the operating system architecture. The help menu for PortBender, with example usage, is shown below:

beacon> help PortBender
Redirect Usage: PortBender redirect FakeDstPort RedirectedPort
Backdoor Usage: PortBender backdoor FakeDstPort RedirectedPort Password
Examples:
PortBender redirect 445 8445
PortBender backdoor 443 3389 praetorian.antihacker

Example Usage

For example, we may want to run PortBender in redirector mode to perform an SMB relay attack from a compromised Windows host. To do this, we instruct PortBender to redirect all traffic arriving on 445/TCP to an alternate port, 8445/TCP, where an attacker-controlled SMB service is listening. In this example we run the command "PortBender redirect 445 8445". The expected output is below:

In this example, we want to deploy the covert persistence mechanism on a compromised Internet-facing IIS web server. Here we run "PortBender backdoor 443 3389 praetorian.antihacker" to instruct the backdoor service to redirect connections to 443/TCP on the compromised host to 3389/TCP, but only from IP addresses that have first supplied the specified "praetorian.antihacker" keyword. The expected output is shown below:

Acknowledgements

  • Arno0x0x for his work on DivertTCPConn [1]
  • Stephen Fewer for his work on Reflective DLL Injection [2]
  • Basil00 for his work on WinDivert [3]
  • Francisco Dominguez for his research into performing SMB relaying on Windows [4]

References

[1] https://github.com/Arno0x/DivertTCPconn
[2] https://github.com/stephenfewer/ReflectiveDLLInjection
[3] https://github.com/basil00/Divert
[4] https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445

Source: KitPloit – PenTest Tools!

