Launching attacks internally can be both satisfying and rewarding. You will no longer be restricted by the protected outer shell of the network and can traverse at will. Take care that the tools used do not give you away.
Here, we have a connection from a Kali machine to a Kioptrix Level 1 machine. Take a look at the strange traffic being logged by the firewall as represented in the following image:
Now, if we were to quickly log in to the system and set up, or escalate the privileges of, a user account so that we have SSH access, our traffic could merge with the existing traffic on the network. Let's take a look at the difference when we are logged in over SSH and run the tree command in the SSH session:
bash-2.05# tree | head
.
|-- X11R6
|   |-- bin
|   |   |-- fslsfonts
|   |   |-- fstobdf
|   |   |-- mkfontdir
|   |   |-- xfs
|   |   `-- xfsinfo
|   |-- include
|   |-- lib
[Output Truncated…]
|   |-- i686
|   |   `-- noarch
|   |-- SOURCES
|   |-- SPECS
|   `-- SRPMS
`-- tmp -> ../var/tmp

2093 directories, 33808 files
bash-2.05#
While this command passes back the entire directory structure of the Linux box, we will not see anything that relates to SSH in the firewall logs. An example of this is reflected in the following image:
As the preceding image shows, there is no indication of the SSH traffic. We can do this with a number of different protocols. We know we will predominantly see Windows networks, so we can mask our packets on common Windows ports so that they look like normal traffic. Then, of course, there is the HTTPS protocol, and more. Finally, one of the challenges with these protocols is that the administrator we are up against might have done their homework and proxied the site's protocols; therefore, we need to select a protocol that is virtually never proxied but is allowed throughout the network. An excellent choice for this is the Network Time Protocol (NTP). We can use this for our traffic and usually remain undetected throughout the engagement.
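The flip side of the point above is that a firewall that only logs port numbers cannot tell real NTP from other traffic riding on UDP/123, whereas a defender who inspects the payload can. The following script is an added example and is not code from the book; it applies a simple conformance check to the 48-byte NTP header (byte 0 packs the LI, VN and Mode fields as in RFC 5905) and flags datagrams on port 123 whose contents do not look like NTP. The datagrams, addresses and payloads are constructed for the example; the `Datagram` type and the two functions are hypothetical names chosen here.

```python
"""Flag UDP/123 datagrams whose payload does not look like NTP.

Heuristic: a real NTP packet is at least 48 bytes, carries a version
number of 1-4 and a mode of 1-5 (symmetric, client, server, broadcast).
Control/private modes 6 and 7 are also flagged so an analyst reviews them.
"""
from dataclasses import dataclass

NTP_PORT = 123
NTP_HEADER_LEN = 48
VALID_VERSIONS = {1, 2, 3, 4}
VALID_MODES = {1, 2, 3, 4, 5}


@dataclass(frozen=True)
class Datagram:
    """Minimal view of one captured UDP datagram (constructed for the example)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def ntp_anomalies(payload: bytes) -> list[str]:
    """Return the reasons a payload fails the NTP shape check; empty means conforming."""
    reasons: list[str] = []
    if len(payload) < NTP_HEADER_LEN:
        reasons.append(f"short payload {len(payload)} < {NTP_HEADER_LEN}")
    if not payload:
        return reasons
    first = payload[0]
    version = (first >> 3) & 0x07   # bits 2-4 of byte 0
    mode = first & 0x07             # bits 5-7 of byte 0
    if version not in VALID_VERSIONS:
        reasons.append(f"bad version {version}")
    if mode not in VALID_MODES:
        reasons.append(f"unexpected mode {mode}")
    return reasons


def scan(datagrams: list[Datagram]) -> list[tuple[Datagram, list[str]]]:
    """Return (datagram, reasons) for every port-123 datagram that is not NTP-shaped."""
    flagged = []
    for d in datagrams:
        if d.dport != NTP_PORT:
            continue                # only the NTP port is in scope here
        reasons = ntp_anomalies(d.payload)
        if reasons:
            flagged.append((d, reasons))
    return flagged


# Constructed sample traffic: two genuine-looking NTP packets, one payload that is
# plainly not NTP (ASCII text on the NTP port), one with impossible header fields,
# and one datagram on another port that the scan must ignore.
SAMPLE_DATAGRAMS = [
    Datagram("10.0.0.5", "10.0.0.1", 123, bytes([0x23]) + bytes(47)),   # LI=0 VN=4 Mode=3 client
    Datagram("10.0.0.1", "10.0.0.5", 123, bytes([0x24]) + bytes(47)),   # LI=0 VN=4 Mode=4 server
    Datagram("10.0.0.7", "10.0.0.9", 123, b"bash-2.05# tree | head\n"),  # text, far too short
    Datagram("10.0.0.7", "10.0.0.9", 123, bytes([0xFF]) + bytes(47)),   # VN=7 Mode=7: invalid
    Datagram("10.0.0.7", "10.0.0.9", 443, b"\x16\x03\x01"),             # not port 123
]

if __name__ == "__main__":
    for d, reasons in scan(SAMPLE_DATAGRAMS):
        print(f"{d.src} -> {d.dst}:{d.dport}  {'; '.join(reasons)}")
```

Length and header-field checks catch the crude cases; a tunnel that pads its data into well-formed 48-byte NTP packets will pass them, so in practice this check is paired with volume baselines (hosts should talk to a handful of time servers a few times an hour, not continuously) and with restricting outbound UDP/123 to the organisation's own time servers.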