Black Hat Hacking Part 2

Uploaded by madou diop

"Then you will know the truth and the truth will set you free." John 8:32

Information provided in this Magazine is strictly for educational purpose only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.
BLACK HAT HACKING
Part 2: Port Forwarding and Lateral Movement


By the time you finish reading this Ebook, you will have learnt about two important concepts of Black Hat Hacking. They are
1) Port forwarding and
2) Lateral Movement or pivoting.
But before that, make sure you have read and understood the first Ebook we sent you, "Black Hat Hacking-Part-1". Let's begin.

While reading Part-1 of this Ebook, did you wonder how, when we placed our target system behind a Network Firewall, its port 445 was still exposed to the internet? Well, it's because of port forwarding.
What is port forwarding? Port Forwarding, or Port mapping, is a technique that lets a port on a host in our internal network be reached from the internet. Let me give you an example. You have a Desktop in your home network (Desktop, not laptop) which you use for some important work.
One day, you have to go out of town or to another country, but it is important for you to work on your Desktop. You need to have access to it. This can be achieved by using Remote Desktop Protocol (RDP). Remote Desktop Protocol allows users to manage computers remotely. So, you install an RDP server on your Desktop. RDP works by default on port 3389.
A Firewall or Router has access to two networks: the Local Area Network (LAN) and the Wide Area Network (WAN). Your Desktop is in your LAN while the internet is in your WAN. Your Firewall doesn't expose your LAN to the WAN, so to be able to reach port 3389 on your Desktop from outside, you need to map port 3389 on your Firewall (or Router, for that matter) to port 3389 on the Desktop. This is known as port forwarding.
Let's see this practically. For this, we will be going back to the same network we used in Part-1.

Then we make some changes to it. This time, we will place the Attacker System behind a Firewall too, as that is closer to Real World Networks nowadays. Almost all devices are behind Routers and Firewalls nowadays.

In its 2023 global threat report, CrowdStrike reported that the average time to move laterally to the next system from the initial host decreased from 98 minutes in 2021 to 84 minutes in 2022.

Let's see it practically. For this, I install another PFSense Firewall to act as Gateway for the attacker system. Here are the WAN and LAN networks of the target system's firewall.

The target system’s IP address is 192.168.223.6.


Given below is the WAN and LAN network information of the Attacker system’s Firewall.

The attacker system’s IP address is 192.168.110.5

Here’s the IP address information of the network I am using for this tutorial.
If you are trying to port forward with non-admin privileges on a system, you can only forward ports above 1024.

Here, once again, I am exploiting the ms08_067 vulnerability (I am not going to leave that vulnerability so soon). So, I start with a port scan of port 445.

So, I load the ms08_067 module and the target is indeed vulnerable. I set other required options.

According to Crowd Strike's global threat report 2023, Black Hat Hackers used
protocols such as RDP, SSH and SMB for lateral movement in cloud environments.

After all the options are set, I execute the module and the result is given below.
It's this message again. (Just as I am not going to leave the ms08_067 module, I don't think this message is going to leave me.) On a serious note, the vulnerability is triggered but we got no session. However, I now know the exact reason why this module failed. If you observe the above image, the handler started on the attacker system (192.168.110.5), which is an IP address in the LAN network. No machine on the internet can reach that address, and our target system is no exception.
However, one device in the Attacker LAN will know about this. The only device belonging to this network (192.168.110.X) that has communication with the internet is the Attacker network's Router or Firewall. In our case, it is 192.168.249.159.
Our target system can only communicate with this device (192.168.249.159). So, I forward port 81 of 192.168.249.159 to port 81 of my Attacker system (192.168.110.5). Port forwarding can be performed in PFSense from the Firewall/NAT/Port Forward section. (The process may differ slightly but is almost the same in all Routers and Firewalls.)
Then, I save the rule. Now, any query coming from the WAN network to port 81 of my Gateway Firewall (192.168.249.159) will be forwarded to port 81 of 192.168.110.5, which is my attacker machine. Next, I set the local host (LHOST) option to this Gateway Firewall (192.168.249.159).

Now, let’s execute the module.

Ha, nothing like a successful meterpreter session.



In the Real world, Black Hat Hackers hack to get access to high-value assets. This can include sensitive data, source code, and other important information. Rarely does the system to which Black Hat Hackers gain initial access contain the high-value assets mentioned above. So, after gaining initial access to a network, Black Hat Hackers try to move around the network in search of high-value assets and finally take control of the entire network. This is known as Lateral Movement or Pivoting.
They use various techniques to achieve this. The first step in Lateral Movement is, of course, to perform reconnaissance to gather information about the network devices. To gather information about the target network, Black Hat Hackers perform steps like viewing the Address Resolution Protocol (ARP) table, viewing network interfaces and network connections, and viewing the target network's routing table.
Let's see it practically. On the target network, I have SYSTEM level METERPRETER access on one of the systems (I am talking about our target system, buddy). Meterpreter has many commands built in to perform the above-mentioned reconnaissance.

SOCKS stands for Socket Secure and is an internet protocol that enables the exchange
of network packets between a client and a server through a proxy server.

Let’s first view the Address Resolution Protocol (ARP) table of the target system.

Let's see if the target system belongs to a Dual homed network or a Single homed network. A computer in a Dual homed network is connected to two networks. For example, the PFsense Firewall we are using here is connected to two (WAN & LAN). The 'ipconfig' command in Windows reveals the network interfaces the system is connected to.

The target system belongs to a Single Homed network. No luck here. Next, let's view the routing table on the target system. In the above image, you can see that there is only one IP address which appears to be unique: 192.168.223.3, apart from 192.168.223.6, which is our target system that we already have access to.
Since we already know this system is behind a Firewall, this IP (192.168.223.3) should belong to the Firewall, or we are horribly wrong. If it is a Firewall, it will be remotely administered. The only system from which it can be administered will be our 192.168.223.6, as the routing table doesn't provide information about other systems in this network. Once again, let's assume we can be horribly wrong.
We need to port scan this device to find more information about it. But before that, we need to add a route to this device from inside the network, as it is not accessible from my attacker system. This can be done by using the 'autoroute' module of Metasploit.
All I have to do to execute this module is to set the session ID of the meterpreter session.

The route is added. Now, we can perform a port scan of this device. Here I am scanning for some common ports to be open on this device.

I found port 80 open. Very good. If this is indeed the Firewall and port 80 is open, it means it would be administered using a browser, right? So, all I have to do is see which browsers are installed on this target system and then try to collect information from them. Although Metasploit has a module for this too, let's just go to the shell and view the "Program Files" folder of our target system.

The target system has two browsers installed. They are Internet Explorer and Opera. Now, I will
use Metasploit post enumeration modules to gather credentials from these browsers as shown
below.

The module runs, downloads and saves any interesting information in binary files, as shown above. Nothing in Internet Explorer. Let's collect information from the Opera browser.

Black Hat Hackers behind the Dark Nexus botnet attack infected numerous IoT devices and then ran a SOCKS proxy on a random port to connect with their C&C server.

We can just use cat command to view the contents of these files.
In one of the dumps the module downloaded, I found some credentials.

This is exciting. You know why? The credentials I got are the default credentials of the PFSense Firewall. It's confirmed: this device is the Gateway Firewall, and now we can own it just like our Windows XP. We already have the credentials, but how do we log in to the Firewall? There are a few ways to do it. Here, we will use a proxy server.
A proxy server is a server that acts as a gateway between the local network and the Wide Area Network (in this case). So, if I run a Proxy Server, it will act as a gateway between the target's local network (192.168.223.X) and my attacker system's network (192.168.110.X), through the route we already added.
Let's see it practically. Metasploit has a SOCKS proxy server module (Seriously, is there anything Metasploit cannot do?).

"I was hooked in before hacking was even illegal". -Kevin Mitnick
Now, all we have to do is connect to this Proxy Server on 127.0.0.1:1080. Note that this Proxy Server uses the route added by the autoroute module earlier to relay the data to us. I open a browser and change its settings to connect through a proxy.

In some instances, the QNAPCrypt ransomware group, which focuses on Network Attached Storage (NAS) devices, exploited authentication methods to establish a SOCKS5 proxy connection.
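The SOCKS5 handshake used by the proxy above, and in the botnet and ransomware cases in the sidebars, has a fixed byte layout (RFC 1928). That fixed layout is what lets a network sensor recognise a SOCKS proxy on any port, not just 1080. The block below is an added example, not code from the magazine or from Metasploit: it parses the client greeting and CONNECT request and flags a flow whose proxy listens on a non-standard port. The inspect_flow function, the sample payloads and the port 41122 are assumptions made for the example.

```python
import ipaddress
import struct

# RFC 1928 (SOCKS5) field values.
SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def parse_greeting(data):
    """Client greeting VER NMETHODS METHODS...; returns the offered auth methods, else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) < 2 + data[1]:
        return None
    return list(data[2:2 + data[1]])

def parse_request(data):
    """Client request VER CMD RSV ATYP DST.ADDR DST.PORT; returns (cmd, host, port), else None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] not in COMMANDS or data[2] != 0:
        return None
    atyp, body = data[3], data[4:]
    if atyp == ATYP_IPV4 and len(body) >= 6:
        host, port_bytes = str(ipaddress.IPv4Address(body[:4])), body[4:6]
    elif atyp == ATYP_DOMAIN and body and len(body) >= 3 + body[0]:
        n = body[0]
        host, port_bytes = body[1:1 + n].decode("ascii", "replace"), body[1 + n:3 + n]
    elif atyp == ATYP_IPV6 and len(body) >= 18:
        host, port_bytes = str(ipaddress.IPv6Address(body[:16])), body[16:18]
    else:
        return None
    return COMMANDS[data[1]], host, struct.unpack("!H", port_bytes)[0]

def inspect_flow(server_port, client_payloads):
    """Given one TCP flow's server port and its client->server payloads in order, report a
    SOCKS5 session and the destination it asked for, whatever port the proxy listens on."""
    if len(client_payloads) < 2 or parse_greeting(client_payloads[0]) is None:
        return None
    for payload in client_payloads[1:]:
        parsed = parse_request(payload)
        if parsed:
            cmd, host, port = parsed
            return {"proxy_port": server_port, "command": cmd, "destination": f"{host}:{port}",
                    "nonstandard_port": server_port != 1080}
    return None

# Constructed sample: a browser using a SOCKS5 proxy asks for 192.168.223.3:80, the firewall
# web interface from the walkthrough. The same bytes on TCP/41122 (an assumed random port)
# are the Dark Nexus pattern from the sidebar: a SOCKS proxy that is not on 1080.
GREETING = bytes([SOCKS_VERSION, 1, 0])                               # one method: no auth
CONNECT_FIREWALL = bytes([SOCKS_VERSION, 1, 0, ATYP_IPV4, 192, 168, 223, 3]) + struct.pack("!H", 80)
```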

Now, when I type the IP address “192.168.223.3” in browser, I can see the interface of the
Firewall. Remember that this Firewall belongs to the target network and we can easily login since
we already know the credentials.

Voila, login successful. We now own the Firewall too.


We have successfully performed Lateral Movement too. Now, we can set any rules we want and do whatever we like. But for now, let's just view the rule that exposed Windows XP to the internet.

Follow Hackercool Magazine For Latest Updates
