12. Tunneling

Overview

SpecterInsight can tunnel traffic from the C2 server through a deployed Specter's C2 channel and out to a target. This allows direct TCP connections from the operator's workstation into the target network without any inbound access to that network.

Lateral Movement using RDP over HTTPS Tunnel

Description

Tunneling can get really confusing, really fast. To help make things more clear, we’re going to walk through a concrete scenario.

In this situation, the Red Team operator needs to Remote Desktop from their Kali VM to a workstation in the target environment. They can't do that directly over the internet because there's a firewall in the way and the target IP is in a private address space; however, the operator can tunnel traffic through a Specter already running in the target environment.

The diagram below illustrates how the operator would use SpecterInsight to move laterally to the 'Target' workstation. For this scenario, we are going to assume that there is already a Specter running on the 192.168.0.100 system that is calling back to the C2 server over HTTPS. The operator is going to configure a 'Port Forward' to tunnel traffic from listening port 5000 on the C2 server to 192.168.0.101 on port 3389. Once the port forward tunnel is configured, the operator points an RDP client on Kali at the C2 server on port 5000. The C2 server picks up the connection and tunnels the traffic over the HTTPS C2 channel down to the Specter. The deployed Specter then establishes a new TCP connection to 192.168.0.101 on port 3389 and proxies the RDP traffic it receives from the C2 server. The operator on the Kali box then has remote interactive access to 192.168.0.101 via the RDP tunnel. Note that the only network path used is the Specter's existing outbound HTTPS callback; nothing has to be opened inbound on the target network.

Configure a Port Forward Tunnel

From the interactive session window, you can create port forward tunnels by clicking on the “Port Forward” button in the top, left-hand corner of the screen. This will bring up a window with parameters for creating the port forward.

There are several parameters:

  • Session: The session id for the current Specter. This is autopopulated and cannot be changed.
  • Local Port: The port the C2 server listens on for incoming connections. Each connection to this port initiates a new tunnel to the target.
  • Target: The IP address or hostname of the system you are trying to port forward to. Because the Specter makes the outbound connection, a hostname is resolved on the Specter's host, not on the C2 server, so use a name the target network can resolve.
  • Target Port: The port on the target the tunnel will connect to.
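To make the lazy, per-connection behaviour of a port forward concrete, here is an added illustration written for this page, not SpecterInsight's own code. It models the C2-side broker described above: a listener on the local port that, only when a client connects, opens a new TCP connection to the target and relays bytes in both directions, and that drops just that client if the target is unreachable. The second leg here is a plain local socket (in the real tool it rides the implant's C2 channel), and the echo service standing in for the target, the `PortForward` class and the `demo_*` helpers are all constructed for the example.

```python
# Added illustration of a port-forward broker; NOT SpecterInsight code.
# The target leg is a direct TCP socket here so the model runs stand-alone;
# in the real tool that leg is carried over the implant's C2 channel.
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _broker(client, target, target_port):
    """One tunnel: open the target leg lazily, then relay both directions."""
    try:
        upstream = socket.create_connection((target, target_port), timeout=5)
    except OSError:
        client.close()  # target unreachable: drop this client, keep listening
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


class PortForward:
    """Listener on the C2 side; every accepted connection becomes one tunnel."""

    def __init__(self, local_port, target, target_port, bind="127.0.0.1"):
        self.target, self.target_port = target, target_port
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((bind, local_port))
        self._listener.listen(8)
        self.local_port = self._listener.getsockname()[1]  # 0 -> ephemeral port
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:  # listener closed by stop()
                return
            threading.Thread(target=_broker, daemon=True,
                             args=(client, self.target, self.target_port)).start()

    def stop(self):
        self._listener.close()


def start_echo_target():
    """Constructed stand-in for 'the target': a local TCP echo service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _client_exchange(port, payload):
    """Connect to the forward, send payload, read until EOF (a reset counts as EOF)."""
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        try:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except OSError:  # broker dropped us, e.g. target unreachable
            pass
    return b"".join(chunks)


def demo_roundtrip(payload=b"client bytes through the forward"):
    """client -> forward -> target (echo) -> forward -> client."""
    target, target_port = start_echo_target()
    fwd = PortForward(0, "127.0.0.1", target_port)
    try:
        return _client_exchange(fwd.local_port, payload)
    finally:
        fwd.stop()
        target.close()


def demo_unreachable():
    """Target port closed: the client gets EOF, the listener itself stays up."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()  # nothing is listening on dead_port now
    fwd = PortForward(0, "127.0.0.1", dead_port)
    try:
        return _client_exchange(fwd.local_port, b"hello?")
    finally:
        fwd.stop()


if __name__ == "__main__":
    print(demo_roundtrip())
    print(demo_unreachable())
```

The two demos mirror the two outcomes an operator sees in practice: a healthy forward relays the session transparently, and a forward whose target is down or filtered accepts the client and then closes it, so an RDP client that "connects and immediately disconnects" usually means the Specter could not reach `Target:Target Port`, not that the listener on the C2 server is broken.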

Display all Active Port Forward Tunnels

All active tunnels are displayed in the “Tunnels” tab of the Session Info panel in the top, right-hand corner of the screen.

Change the Callback Interval

The request to open the tunnel is delivered to the Specter as a task on its next check-in, so with a long callback interval the first connection to the listening port will hang until that check-in happens. Set the callback interval to something short for the period in which you connect, and restore it once the tunnel is established; the established tunnel is not interrupted when the interval is changed back.

Connect via RDP

With the tunnel tasked and configured, the operator can now connect to the listening port on the C2 server from their operator box. In this case, my server was running on my operator box, so I just connected to localhost on port 5000. This triggers a task to the implant to establish the tunnel.

The target system will prompt for credentials. Depending on the client and server configuration, the RDP session may be torn down and re-established after the credential exchange, which shows up as a second tunnel in the Tunnels tab. That is normal RDP behaviour, not a tunnel failure.

SpecterInsight now completes the tunnel and brokers the connection between the RDP client and the target system over the implant’s C2 channel.
