Blue Team: Port Forwarding Detection!
I have written about port forwarding for red teams previously! In contrast, this post covers port forwarding detection for blue teams.
Note: This article covers the detection of client-based port forwarding, not router-based port forwarding.
Based on the MITRE ATT&CK framework (technique T1572, Protocol Tunneling), we can look for port forwarding evidence at the client level or the network level. Let’s see how we can deal with chisel.
Client-level: Process to Port Mapping
MITRE: Check all the running processes and look for those associated with port forwarding such as Plink, OpenSSH client, chisel, etc.
A simple tasklist command lists all running processes on the Windows operating system.
As shown in the figure above, chisel is running with process ID [PID] 3244.
MITRE: Monitor open ports in the targeted system in both listening and establishing modes
Let’s get the list of all established connections associated with PID 3244 [chisel]:
netstat -ano | findstr ESTABLISHED | findstr 3244
The result shows that the chisel process has established a TCP connection to the external IP 192.168.177.140 over port 8000!
As a blue team, we certainly want the executable path of that process; wmic helps as follows:
wmic process get executablepath,processid,name | findstr 3244
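Putting the three client-level steps together (process list, established connections, process name) into one check, as an added example that is not part of the original post: the tasklist and netstat output below is constructed to mirror the scenario above, and the watch-list of tool image names is an assumption to extend for your environment.

```python
# Constructed sample output of `tasklist` and `netstat -ano`, modelled on the post's
# scenario (chisel.exe as PID 3244 talking to 192.168.177.140:8000); not real captures.
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                   1204 Services                   0     12,340 K
chisel.exe                    3244 Console                    1      9,812 K
chrome.exe                    4120 Console                    1    210,004 K
"""

NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.177.146:49219  192.168.177.140:8000   ESTABLISHED     3244
  TCP    192.168.177.146:49300  142.250.74.78:443      ESTABLISHED     4120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
"""

# Image names of the tunnelling tools the post names (assumed watch-list; extend it).
TUNNEL_TOOLS = {"chisel.exe", "plink.exe", "ssh.exe"}

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (header/separator rows skipped)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for the TCP rows of `netstat -ano`."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])

def find_tunnel_connections(tasklist_text, netstat_text, tools=TUNNEL_TOOLS):
    """Join ESTABLISHED connections to their owning process and flag known tunnelling tools.
    A renamed binary evades this name check, hence the wmic path step and network analysis."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for _proto, local, remote, state, pid in parse_netstat(netstat_text):
        image = procs.get(pid, "<unknown>")
        if state == "ESTABLISHED" and image.lower() in tools:
            hits.append({"pid": pid, "image": image, "local": local, "remote": remote})
    return hits

if __name__ == "__main__":
    for h in find_tunnel_connections(TASKLIST, NETSTAT):
        print(f"[!] {h['image']} (PID {h['pid']}) {h['local']} -> {h['remote']}")
```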
Network-Level: Analyze network data
Network traffic analysis may not provide as many details as client-based analysis, but it is still an option if we don’t have access to the targeted system.
MITRE: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server)
I am using Wireshark to sniff the virtual network where both the Windows and Kali Linux machines are placed.
Let’s check the conversations from the statistics menu:
In the IPv4 tab, we can see the communication between 192.168.177.146, which is my victim Windows machine, and 192.168.177.140, which is my Kali box [the IP to which chisel had established a TCP connection].
Applying a simple filter displays only the packets associated with this conversation:
- TCP handshake
A TCP handshake was observed, initiated by 192.168.177.146 port 49219 to 192.168.177.140 port 8000. Hmm… looks familiar :)
- Chisel Footprint
An HTTP GET request reveals the footprint of chisel version 3.
Let’s see what we can get by following the TCP stream.
Oops…