I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such as SOCKS, using anything that can run WireGuard. This is convenient in cases where it would be nicer to have a full network route to a target network (with working DNS) than just application-specific proxy rules. In this post I'll elaborate a bit on that idea. If you are just looking for the code you can find it here.

We often get into a position where some sort of internal device has been compromised and you want to take it further. This involves getting network traffic through your compromised device via a SOCKS proxy. SOCKS proxies are everywhere, and there are many examples of Cobalt Strike or Metasploit being used to proxy traffic through an agent, or of tools like ReGeorg, Pivotnacci or Chisel being used to proxy traffic via a compromised web server or similar. Once you have a SOCKS proxy set up, that is usually when good old reliable proxychains-ng comes into the picture, where you'd use it to tunnel the majority of your tooling through the proxy. However, recently a lot of really nice tools have been released which have been made to run on Windows. This comes with the issue of how we are going to trick these Windows applications into using our proxy. The SpecterOps team wrote an excellent post detailing how to use software such as Proxifier and Proxycap on Windows to force your tools to use your proxy. If you haven't, go read it! Unfortunately, in some edge cases those tools fail or become annoying by not catching all the traffic as you'd like.

Network Level Proxying

Having this happen a few times, I was struck with some inspiration. Why not do the redirection at a network level and avoid all the weird Windows nuances? Luckily for me there already was a project that handled this called tun2socks (originally I used RedSocks, but showed me tun2socks, which removes some of the iptables complexity in RedSocks), which is really just some Golang magic together with some routes that lets you redirect traffic into a tun device and have it push traffic through your SOCKS proxy. This seemed like a great idea, except every time you would want to use it for your Windows machine you would have to set up a Linux router with this installed and route your Windows machine through it. This would be more effort than Proxifier, I felt. Turns out, we have this easy network tooling that runs on Windows (amongst others) that takes your traffic from one point to another, called VPNs. More specifically, in this instance I used WireGuard, which is an awesome, simple VPN that has clients for all manner of operating systems.

[Figure: High level architecture diagram for WireSocks]

With tun2socks and WireGuard, we can connect arbitrary clients via WireGuard and route traffic into a SOCKS proxy and on into client networks. Using this setup, we can now interact with a remote network using a traditional network route, complete with DNS resolution (more on that in a moment!).

[Figure: Listing of a Domain Controller's shared folders via a SOCKS proxy exposed using Cobalt Strike, leveraging WireGuard and tun2socks to reach it.]

To make getting up and running even simpler, I did some searching for docker containers to handle some of the work for me. I found that tun2socks also had a container, xjasonlyu/tun2socks, and linuxserver/wireguard, which I had previously used for my own WireGuard server. I did some editing of the tun2socks docker container with a simpler entry point for our use case.

But if the client is in a LAN, it does not have a public IP. When it wants to negotiate with the server, it can only fill its local IP and port into DST.ADDR and DST.PORT. After negotiation, when UDP packets come, the server would get a public IP; the socks5 server can only handle the incoming src. And more, the socks5 server is also a NAT too; this library implements Symmetric NAT.

The situation mentioned by is just like this: Application Client - SOCKS Client - NAT - SOCKS Server - Application Server. Then the SOCKS Client can only set the UDP Association DST.ADDR and DST.PORT to zero, because it cannot foresee the NAT's behavior. The problem is how the SOCKS Server relates an incoming UDP packet with the current TCP connection when a lot of SOCKS Clients request the UDP Association command concurrently. After my deep thinking, we can set the reply of the UDP Association command with a dynamic BND.PORT to solve this. Then the SOCKS Server can relate the incoming UDP packet with a TCP connection correctly.
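The UDP ASSOCIATE scheme described in the discussion above (a client behind NAT sends zeroed DST.ADDR/DST.PORT, the server answers with a freshly allocated BND.PORT per association, and then attributes each arriving datagram to its TCP control connection by the relay port it arrived on rather than by its NAT-rewritten source) as an added Python example. This is not code from the original page, from tun2socks, or from the SOCKS library being discussed; the `UdpAssociationTable` class and all function names are my own, only the IPv4 address type and unfragmented datagrams are handled, and the relay address 127.0.0.1 and the control-connection identifiers are constructed for the demonstration.

```python
import socket
import struct

# Wire-format constants from RFC 1928.
SOCKS_VERSION = 0x05
CMD_UDP_ASSOCIATE = 0x03
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00


def build_udp_associate_request(dst_addr="0.0.0.0", dst_port=0):
    """Client side. A client behind NAT cannot predict the address its datagrams
    will leave from, so RFC 1928 permits DST.ADDR/DST.PORT of all zeros."""
    return struct.pack("!BBBB4sH", SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0x00,
                       ATYP_IPV4, socket.inet_aton(dst_addr), dst_port)


def parse_socks5_ipv4_message(data):
    """Parse the shared VER / CMD-or-REP / RSV / ATYP / ADDR / PORT layout
    (requests and replies have the same shape; IPv4 only here)."""
    if len(data) < 10:
        raise ValueError("truncated SOCKS5 message")
    ver, code, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or atyp != ATYP_IPV4:
        raise ValueError("unsupported version or address type")
    addr = socket.inet_ntoa(data[4:8])
    (port,) = struct.unpack("!H", data[8:10])
    return code, addr, port


def build_udp_associate_reply(bnd_addr, bnd_port):
    """Server side. BND.ADDR/BND.PORT tell the client where to send datagrams."""
    return struct.pack("!BBBB4sH", SOCKS_VERSION, REP_SUCCEEDED, 0x00,
                       ATYP_IPV4, socket.inet_aton(bnd_addr), bnd_port)


def build_udp_datagram(dst_addr, dst_port, payload):
    """RFC 1928 UDP request header: RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA."""
    return struct.pack("!HBB4sH", 0, 0, ATYP_IPV4,
                       socket.inet_aton(dst_addr), dst_port) + payload


def parse_udp_datagram(data):
    """Split a relayed datagram into its final destination and payload."""
    if len(data) < 10:
        raise ValueError("truncated UDP header")
    _rsv, frag, atyp = struct.unpack("!HBB", data[:4])
    if frag != 0 or atyp != ATYP_IPV4:
        raise ValueError("fragmented or non-IPv4 datagrams not handled here")
    addr = socket.inet_ntoa(data[4:8])
    (port,) = struct.unpack("!H", data[8:10])
    return addr, port, data[10:]


class UdpAssociationTable:
    """Server-side bookkeeping (hypothetical helper, not a library API). Every
    UDP ASSOCIATE gets its own relay socket with a kernel-chosen port, so a
    datagram is tied to a control connection by the port it arrives on and the
    client's NAT-rewritten source address never has to be predicted."""

    def __init__(self, relay_ip="127.0.0.1"):   # constructed relay address
        self.relay_ip = relay_ip
        self.by_port = {}  # relay port -> (control connection id, relay socket)

    def associate(self, control_id, request):
        cmd, _dst_addr, _dst_port = parse_socks5_ipv4_message(request)
        if cmd != CMD_UDP_ASSOCIATE:
            raise ValueError("not a UDP ASSOCIATE request")
        relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        relay.bind((self.relay_ip, 0))  # port 0: kernel picks a free port
        port = relay.getsockname()[1]   # this becomes the dynamic BND.PORT
        self.by_port[port] = (control_id, relay)
        return build_udp_associate_reply(self.relay_ip, port)

    def control_for(self, relay_port):
        """Which TCP control connection owns datagrams arriving on relay_port."""
        return self.by_port[relay_port][0]

    def release(self, control_id):
        """RFC 1928 ties the association's lifetime to the TCP control
        connection, so closing it must also free the relay socket."""
        for port, (cid, relay) in list(self.by_port.items()):
            if cid == control_id:
                relay.close()
                del self.by_port[port]
```

With two clients associating concurrently, the two replies carry different BND.PORTs, and `control_for` resolves each port to the right control connection without inspecting the datagram's source address at all.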