
I can't hack but I like to read about it. From my readings (securityfocus, exploit-db, owasp, etc...) it appears that hackers can actually get in a network using tunneling; I'm not from a network background, but tunnelling is mostly for VPN, right? (Yes!)

What I mean is written here at Offensive Security OSCP on the right (bullet point number 6).

So that would mean that even a firewall can't block them. How is that possible? Is that the reason why, when they find a new exploit in a piece of software, they can just get in the network and from there have fun exploiting the zero day?

Jason Krs
  • If you say you can't hack, you most certainly can't. But ginger kiddies with kits like core impact can hack? Feh... to tunnel you need only a single connection, sometimes masquerading as another type of traffic. DNS and HTTP POST/GET are adequate. Many packet filters will even pass 53/tcp, because it's used for zone transfers, so not only 53/udp is allowed, giving you TCP error correction. Pick up a guide to TCP/IP in python, and you can compress and exfiltrate data reliably tomorrow. – user400344 Dec 24 '16 at 19:00
  • As well as being too broad, this appears to be a Re-asking of your previous question: http://security.stackexchange.com/q/146385/485 please read our [about] and [ask] pages – Rory Alsop Dec 27 '16 at 23:54
  • @RoryAlsop That is true. I was into that theme a few days ago... I did not realize I was repeating myself. My bad. – Jason Krs Dec 28 '16 at 15:48

2 Answers


Tunnelling to bypass firewall filtering means that an attacker uses a "trusted" protocol in order to exfiltrate data from the victim machine.

For example, an attacker can inject exfiltrated data into DNS lookup requests sent to a fake DNS server controlled by him.

Victim machine--->DNS REQUEST--->FIREWALL--->Attacker FAKE DNS Server

You can reach the same goal with different protocols; think about malware with a Gmail account as C&C.

nemux
  • How about the other way? That is, does it mean that an attacker can get inside a network using the same thing? .... embedding a malicious payload in a tunnel to avoid firewall detection? – Jason Krs Dec 24 '16 at 12:01
  • Here we are talking about a post-exploitation technique. That means an attacker has to gain access to the victim machine, for example, by exploiting a vulnerability or through other kinds of vectors. – nemux Dec 24 '16 at 12:06
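As an added defender-side illustration (not code from the original answer) of how the DNS exfiltration pattern described above shows up on the network side: the script below reads resolver query logs, scores each query's longest label by length and Shannon entropy, and flags clients that send many distinct such labels under one base domain. The log line format, the thresholds and the "last two labels" base-domain rule are assumptions made for this example.

```python
"""Added example: flag DNS-tunnelling indicators in a DNS query log (not from the original post)."""
import math
from collections import defaultdict

# Constructed sample log, one "client qname" pair per line (assumed resolver log format).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 3d2f9a1c0b7e4f6a8d9c2b1e5f7a3c4d.tunnel.example.net
10.0.0.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.tunnel.example.net
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net
10.0.0.5 cdn.example.org
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score near their alphabet's maximum (4.0 for hex)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, base). Base = last two labels (assumption; use the Public Suffix List in practice)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(log, max_label=30, min_entropy=3.5, min_unique=3):
    """Flag (client, base domain) pairs issuing many distinct long, high-entropy labels.

    Legitimate names are short and repeat; a tunnel must vary the label on every query
    (to defeat caching) and packs encoded data into it, so each query looks different.
    """
    unique_subs = defaultdict(set)
    for line in log.splitlines():
        client, qname = line.split()
        sub, base = split_name(qname)
        longest = max(sub.split("."), key=len)
        if len(longest) > max_label and shannon_entropy(longest) >= min_entropy:
            unique_subs[(client, base)].add(sub)
    return sorted(k for k, subs in unique_subs.items() if len(subs) >= min_unique)


if __name__ == "__main__":
    for client, base in find_tunnel_candidates(SAMPLE_LOG):
        print(f"possible DNS tunnel: {client} -> *.{base}")
```

Thresholds need tuning per environment: CDNs and some anti-spam services also generate long hashed labels, so correlate a hit with query volume and the resolved answer before acting on it.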

VPN tunnels are generally set up in two ways:

  • Parallel to the firewall or

  • Through the firewall

If an attacker has a victim inside a network but is unable to exfiltrate data because it's being dropped by a packet analyzer (usually on the firewall), then a tunnel is the perfect alternative - it allows you to shuttle data out in an encrypted form, completely bypassing any filters.

thel3l