h1

HOWTO: Port Forwards through a SOCKS proxy

June 1, 2016

Recently, I’ve had multiple people ask about port forwards with Cobalt Strike’s Beacon payload. Beacon has had SOCKS proxy pivoting support since June 2013. This feature opens a SOCKS proxy server on the team server. Each SOCKS server instance is associated with an individual Beacon. All requests and traffic sent to a Cobalt Strike SOCKS server are sent to the Beacon to take action on.

SOCKS pivoting is a no-brainer with a SOCKS aware application, such as a web browser. Simply point the application at your Cobalt Strike team server, put in the right port, and away you go.

SOCKS pivoting is also easy on Linux, thanks to the magic of proxychains. The proxychains program will run a program, intercept outbound network connections from that program, and force the connection through the SOCKS proxy set in a global configuration file (/etc/proxychains.conf).

These options work well in many cases, but they do not cover all cases. What happens if you need to tunnel the Windows RDP client through the Beacon payload? How about interacting with a target network share from a red Windows asset tunneled over Cobalt Strike’s Beacon payload?

One way to meet the above needs is to use a commercial tool, like ProxyCap, to make your Windows system proxy aware. [Thanks Meatballs, for the tip on this one]. This will allow you to force Windows tools and clients through the Beacon payload.

Another option is to create a port forward on your team server that reaches the target host and port through your Beacon. There’s one problem here. Beacon does not have a port forward command [it does have reverse port forwards]. I may add this in the future, but it’s not a big omission. You can use socat to create a port forward that goes through a SOCKS proxy. Here’s the syntax to do this:

 socat TCP4-LISTEN:<listen port>,fork SOCKS4:<team server host>:<target>:<target port>,socksport=<socks port>

Let’s say you want to port forward 3389 on your team server in red space to 192.168.1.100:3389 in blue space. Let’s assume the Beacon SOCKS proxy lives on port 9999. Here’s the syntax to do this:

 socat TCP4-LISTEN:3389,fork SOCKS4:127.0.0.1:192.168.1.100:3389,socksport=9999

And, that’s how you turn a SOCKS proxy server into a port forward. This works equally well with the SOCKS pivoting available over SSH. In fact, Advanced Threat Tactics, part 7 – Pivoting, covers the topics in this post. If you liked this post, I recommend that you check out that lecture. [The whole course is chock-full of other goodness too]

2 comments

  1. Do you consider using a windows client to perform RDP / windows share better than a Linux alternative?
    rdesktop + proxychains + cobalt strike socks worked just fine for me.

    PS. There are multiple “proxifiers” out there: https://en.wikipedia.org/wiki/Comparison_of_proxifiers
    I used SocksCap64 in the past because it is foss.


    • I get by fine with rdesktop/freerdp + proxychains on Linux, but I’ve had separate requests from folks who wanted a port forward for the case described here. These requests were the inspiration for this post.

      Time to time, I do use a Red windows asset to interact with or take a Blue target. This was the impetus for the Beacon over SSH demo.

      Thanks for the referral on the other proxifiers. Between your comments and the tool suggested, I think folks will be well served with options.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s