Pivoting BOUNCEr - pbounce 0.1 released
By: Meder Kydyraliev
PBOUNCE stands for Pivoting BOUNCEr and it has been inspired by bounce-0.0.1
by Fyodor Yarochkin, which can be downloaded from http://o0o.nu/sec/tools/.
PBOUNCE was written from scratch, reusing the unixlib portability library from
the original bounce.
PBOUNCE has been primarily designed to tunnel TCP connections into an
internal network by multiplexing them through one TCP connection. That
connection is established outbound from the pivoting host, which is very
useful when a firewall blocks incoming connections.
How it works?
To use PBOUNCE there must be two instances of it running in two modes, one
in listening mode (LiMo) and the other in pivoting mode (PiMo).
LiMo PBOUNCE must be started on the analyst's side, as it serves as the control
center for the PiMo. LiMo binds two ports:
- command port on 127.0.0.1 (specified with -L)
- port for PiMo to connect to (specified with -r)
PiMo must be started on the remote computer. In this mode it does not bind
any ports, but instead connects to LiMo (pivoting mode is triggered
with -P, the IP address to connect to is specified with -R and the port with -r).
After that PBOUNCE is ready to tunnel data into the internal or external
network through the remote host (PIVOT). The command port is used to issue
commands to PiMo; at the moment only one command is supported and its format
is as follows:
BIND <remote_ip> <T|U> <remote_port> [<bind_ip>] <local_port>
After that <local_port> on LiMo will be associated with the above bounce,
that is, connecting to 127.0.0.1:<local_port> is the same as connecting
to <remote_ip>:<remote_port> from the remote (PiMo) machine. The optional
<bind_ip> specifies the IP address for LiMo to bind on.
How it works
1. Analyst launches two instances of PBOUNCE:
+----------------+
+------------------+ |INTERNAL |
|LAN 192.168.0.0/24+--------|SERVER |
+------------------+ |IP: 192.168.0.10|
| +----------------+
|
+--------------------------------------+
| PiMo (pivot) pbounce |
| IP: YYY.YYY.YYY.YYY |
|pbounce -P -R XXX.XXX.XXX.XXX -r 10000|
+--------------------------------------+
| +---------------------------+
_|_ | PiMo established one TCP |
(:::)-. | connection with LiMo and |
.-(::::::::) | that connection will be |
.-(::::::::::::)-. | used to send/receive all |
(:::: INTERNET ::::) |data to/from LiMo. All con-|
`-(::::::::::::)-' |nections being bounced are |
`-(::::::)-' | multiplexed through this |
| | connection also |
\|/ +---------------------------+
+------------------------+
| LiMo (listen) pbounce |
| IP: XXX.XXX.XXX.XXX |
|pbounce -L 5000 -r 10000|
+------------------------+
2. Analyst issues BIND command to LiMo:
+----------------+
+------------------+ |INTERNAL |
|LAN 192.168.0.0/24+--------|SERVER |
+------------------+ |IP: 192.168.0.10|
| +----------------+
|
+--------------------------------------+
| PiMo (pivot) pbounce |
| IP: YYY.YYY.YYY.YYY |
|pbounce -P -R XXX.XXX.XXX.XXX -r 10000|
+--------------------------------------+ _______________________________
||| | |
||| | Analyst issues the following |
(|:|)-. | command by telnetting to |
.-(::|:|:::) | localhost TCP port 5000: |
.-(:::::|:|::::)-. | |
(:::::INTERNET:::::) | BIND 192.168.0.10 T 22 1022 |
`-(:::::|:|::::)-' | |
`-(::|:|:)-' | port 5000 is now associated |
||| | with port 22 on 192.168.0.10 |
||| .' |
+------------------------+ / ____________________________|
| LiMo (listen) pbounce | .' _.-''
| IP: XXX.XXX.XXX.XXX | .:-''
|pbounce -L 5000 -r 10000|
+------------------------+
3. Analyst initiates connection to port bound by LiMo:
+----------------+
+------------------+ |INTERNAL |
|LAN 192.168.0.0/24+--------|SERVER |
+------------------+ |IP: 192.168.0.10|
| +----------------+
|
+--------------------------------------+ +----------------------------+ ___
| PiMo (pivot) pbounce | |PiMo, establishes connection| |__ \
| IP: YYY.YYY.YYY.YYY | |with 192.168.0.10:22 and all| ) |
|pbounce -P -R XXX.XXX.XXX.XXX -r 10000| | data coming from LiMo is | / /
+--------------------------------------+ |forwarded to that connection| / /_
||| | and vice versa | |____|
||| +----------------------------+
(|:|)-. _____________________________
.-(::|:|:::) __ | |
.-(:::::|:|::::)-. /_ | | Analyst connects her ssh |
(:::::INTERNET:::::) | | | client to 127.0.0.1:1022 |
`-(:::::|:|::::)-' | | | which is the same as |
`-(::|:|:)-' | | | connecting to 192.168.0.10 |
||| |_| | from PiMo |
||| .' |
+------------------------+ / __________________________|
| LiMo (listen) pbounce | .' _.-''
| IP: XXX.XXX.XXX.XXX | .:-''
|pbounce -L 5000 -r 10000|
+------------------------+
With the above setup PiMo makes one outgoing connection to LiMo, and that
single TCP connection is used to multiplex all connections that are
tunneled into the LAN.
On LiMo:
---------------------------------------------------------------
[meder@beastie meder]$nc localhost 5000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Command format: BIND []
Examples:
bouncing local TCP port 2222 bound on 127.0.0.1 to remote port 22 on 10.1.1.1
BIND 10.1.1.1 T 22 127.0.0.1 1022
bouncing local UDP port 53 to remote port 53 on 10.1.1.1
BIND 10.1.1.1 U 53 53
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Enter your command...
192.168.1.10 T 22 1022
OK
^C
[meder@beastie meder]$ssh -p 1022 meder@127.0.0.1
---------------------------------------------------------------
Now all connections to TCP port 1022 on any local IP address will be tunneled to
192.168.1.10:22 through PiMo.
By default LiMo binds the port on all available IP addresses, which may or may
not be what you want. You can also specify the IP address for LiMo to bind
the bounced port on; the following command binds TCP port 1022 on
127.0.0.1 and bounces it to 10.1.1.1:22:
10.1.1.1 T 22 127.0.0.1 1022
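The following is an added example, not part of pbounce, that parses the BIND command format described above (including the optional bind address and the default of listening on all addresses) and flags the binds an operator would usually want pinned to 127.0.0.1. The field names remote_ip, proto, remote_port, bind_ip and local_port are my own labels for the positional arguments; the sample commands in the test are the ones shown on this page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Bind:
    remote_ip: str      # host PiMo connects to from inside the LAN
    proto: str          # "T" (TCP) or "U" (UDP)
    remote_port: int    # port on remote_ip
    bind_ip: str        # address LiMo listens on; "0.0.0.0" = all addresses
    local_port: int     # port LiMo opens for the analyst's client
    explicit_bind: bool # True when <bind_ip> was given on the command


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_bind(line: str) -> Bind:
    """Parse 'BIND <remote_ip> <T|U> <remote_port> [<bind_ip>] <local_port>'.

    The BIND keyword is accepted but optional, as in the session transcript
    above where the command is typed without it.
    """
    fields = line.split()
    if fields and fields[0].upper() == "BIND":
        fields = fields[1:]
    if len(fields) not in (4, 5):
        raise ValueError(f"expected 4 or 5 arguments, got {len(fields)}")
    remote_ip, proto, remote_port = fields[0], fields[1].upper(), _port(fields[2])
    if proto not in ("T", "U"):
        raise ValueError(f"protocol must be T or U, got {fields[1]!r}")
    ipaddress.IPv4Address(remote_ip)  # raises ValueError on a malformed address
    if len(fields) == 5:
        bind_ip, local_port, explicit = fields[3], _port(fields[4]), True
        ipaddress.IPv4Address(bind_ip)
    else:
        # Page: "By default LiMo binds port on all available IP addresses"
        bind_ip, local_port, explicit = "0.0.0.0", _port(fields[3]), False
    return Bind(remote_ip, proto, remote_port, bind_ip, local_port, explicit)


def exposed_binds(lines):
    """Return the binds that fell back to listening on every local address,
    i.e. the ones an operator would normally want pinned to 127.0.0.1."""
    return [b for b in map(parse_bind, lines) if not b.explicit_bind]
```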
Things you should know
- After issuing a command on the command port you can safely disconnect;
nothing will happen to the bounces you have set up. You can reconnect later
to issue more commands.
- If you kill PBOUNCE on LiMo, PiMo will try to reconnect forever.
- Multiple simultaneous connections to the local port (1080 in the example)
are supported. The author ran 30 instances of nikto and 20 instances of hydra
through one pbounce setup and had no problems.
- PBOUNCE supports a very primitive encryption mechanism for the channel
between PiMo and LiMo. To use it, -k <key> must be specified, with <key>
being an encryption key in the range 1-255; it must be used on both PiMo and
LiMo. THIS "ENCRYPTION" (OBFUSCATION) HAS BEEN DESIGNED TO EVADE NETWORK
INTRUSION DETECTION SYSTEMS, NOT FOR CONFIDENTIALITY. DO NOT USE IT WHEN
TRANSMITTING SENSITIVE DATA!!!
- PBOUNCE has HTTP proxy support: PiMo will use the CONNECT method to connect to
LiMo. The proxy IP is specified with -F and the proxy port with -f. HINT: usually
proxies only allow CONNECTs to TCP port 443, so you should start LiMo and PiMo
with '-r 443', which will result in LiMo waiting for the connection from PiMo on
port 443 and PiMo connecting to that port.
Compiling
On Win32 (with lcc):
make -f makefile.w32
On Unix (Linux, *BSD):
make
On Solaris:
make solaris
Supported platforms
Currently PBOUNCE has been tested on the following platforms:
FreeBSD, OpenBSD, Linux, Solaris, Win32 (use lcc to compile)
It should, however, compile on all major Unix platforms.
Please check the project's homepage for new releases and binaries for the
most common platforms:
http://o0o.nu/~meder/index.php?pg=pbounce
Comments, suggestions, bug reports and patches
Meder Kydyraliev
Fyodor Yarochkin