Doubt about routing traffic

hacking

#1

Hello ,

Recently I was reading the two DIY guides by hackback.

I read that, according to his guide, he uses hacked servers to hide the IP of the stable servers

(in this case I think by "stable servers" he was referring to the VPS).

I was reading about pivoting, but the techniques shown using Metasploit were oriented toward accessing the other IPs of the internal network and using it to route traffic from a normally non-routable network.

So I was wondering, how did he do that?

How do blackhats/hacktivists use an owned server to hide/mask the IP of another server?

And how can companies protect themselves from this kind of cyber attack?

Thanks


(Community & PR manager) #2

My guess would be that he used these servers as proxy servers. I don’t know what this hackback guide is, but here is how I would probably do it:

  • After you have compromised a system, install a very minimalistic SOCKS proxy on it so that it won’t be easily detected

  • Then add the IP addresses of your pwn’d hosts to your proxychains.conf.

  • Start your tools through proxychains.

Voila! You are now sending your traffic through your pwned servers!

I hope my answer helped you.


#4

Hello,

Thank you so much for your reply.

Well, the hacker I was talking about is the same guy who hacked Gamma Group and Hacking Team (it’s very famous).

I’m posting his guide: https://pastebin.com/0SNSvyjJ

And another doc: https://pastebin.com/cRYvK4jb

It’s very interesting; I learned a lot reading these guides.

(Is it okay if I put links?)

And about my doubt: first I thought he used routing or pivoting, but in this case the servers are in different networks, so I think it’s not possible… If I use the configuration you posted, the traffic goes through the owned server, but I’m not clear whether the IP address of the pwned server could be used to hide another server, like a VPS for example (then install the tools on the VPS). The purpose of this configuration is to protect the VPS connection and be as inconspicuous as possible…


(Community & PR manager) #5

It is always okay to post links if they are not harmful and are educational. If you use common sense on 0x00sec, you will never be in trouble. In this case, posting these links is perfectly fine.

Oh yes I remember now, I had forgotten what it was called. Thanks for reminding me.

And I think my logic still applies. See below diagram for more clarity.

Attacker’s main machine -> Anything in between (TOR?) -> VPS -> pwned hosts through proxychains -> target

The above configuration is totally possible according to what I know, you just have to use proxychains from the VPS. Or did I not understand what you are trying to say?

I hope I helped once again.


#6

Hi,

Thanks for your reply.

This configuration is more detailed than the other.

Your knowledge helps me a lot =)

I’ll use Dante as the SOCKS proxy (it will be installed on the pwned server).

So the configuration is: (I’m reviewing xd)

Attacker VM with all traffic routed through Tor using the Whonix gateway -> connect to the VPS using SSH ->

use proxychains (on the VPS) to chain the connection to the pwned server, which runs Dante -> start tools using proxychains on the VPS -> target

PS: proxychains & Dante need the IPs of the owned host and the chosen SOCKS proxy to connect the two, right?

Thank you
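The following is an added example and not code from this thread, from the hackback guides, or from Dante/proxychains. It ties together the three steps in #2 (a minimal SOCKS proxy on the pwned host, the proxies listed for proxychains, tools started through them) and the chain laid out in #5/#6, by implementing both sides: a tiny SOCKS5 CONNECT proxy standing in for the listener on each pwned host, and a client that nests CONNECT requests through a list of such proxies, which is what proxychains does with a strict chain of SOCKS5 entries. All hosts are 127.0.0.1 stand-ins (the "target" is a listener that reports which address it saw connecting); no Tor, VPS or Dante is involved, and `OUTBOUND_LOG` exists only so the demo can show what the target actually observed.

```python
import contextlib
import socket
import struct
import threading

OUTBOUND_LOG = []  # demo bookkeeping: source address of each proxy's upstream connection

def recv_exact(sock, n):
    """Read exactly n bytes (SOCKS fields are fixed-size); EOF mid-field is an error."""
    buf = sock.recv(n, socket.MSG_WAITALL)  # block until n bytes arrive or the peer closes
    if len(buf) != n:
        raise ConnectionError("peer closed mid-handshake")
    return buf

def pump(src, dst):
    """Relay bytes one way; on EOF or error, half-close the other side so it sees EOF too."""
    with contextlib.suppress(OSError):
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_client(client, _peer):
    """Serve one SOCKS5 client: no-auth greeting, parse CONNECT, connect upstream, relay."""
    with client, contextlib.suppress(OSError):
        ver, nmethods = struct.unpack("!BB", recv_exact(client, 2))
        if ver != 5 or 0 not in recv_exact(client, nmethods):  # client must offer 0x00 (no auth)
            client.sendall(b"\x05\xff")                          # 0xff = no acceptable method
            return
        client.sendall(b"\x05\x00")
        # Request: VER CMD RSV ATYP DST.ADDR DST.PORT. This demo accepts CONNECT (0x01) with a
        # domain-name address (ATYP 0x03) only; a full proxy also handles IPv4/IPv6 literals.
        ver, cmd, _rsv, atyp = struct.unpack("!BBBB", recv_exact(client, 4))
        if ver != 5 or cmd != 1 or atyp != 3:
            client.sendall(b"\x05\x01\x00\x01" + b"\x00" * 6)    # REP 0x01: general failure
            return
        host = recv_exact(client, recv_exact(client, 1)[0]).decode()
        port = struct.unpack("!H", recv_exact(client, 2))[0]
        try:
            upstream = socket.create_connection((host, port))
        except OSError:
            client.sendall(b"\x05\x01\x00\x01" + b"\x00" * 6)    # REP 0x01: general failure
            return
        OUTBOUND_LOG.append(upstream.getsockname())
        client.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)        # REP 0x00: succeeded
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
        pump(client, upstream)

def echo_peer(conn, peer):
    """Stand-in target: tell the caller which address it saw connecting, then hang up."""
    with conn:
        conn.sendall(("%s:%d" % peer).encode())

def serve(handler):
    """Listen on an OS-chosen loopback port and hand each connection to handler in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def accept_loop():
        while True:
            threading.Thread(target=handler, args=srv.accept(), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

def socks_connect(sock, host, port):
    """One SOCKS5 no-auth handshake plus CONNECT, spoken over an already-open socket."""
    sock.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, METHOD=0x00 (no auth)
    if recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy refused no-auth")
    name = host.encode()           # ATYP 0x03 (domain name): the proxy resolves it, not us
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port))
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", recv_exact(sock, 4))
    if ver != 5 or rep != 0:
        raise ConnectionError("CONNECT failed, REP=%d" % rep)
    addr_len = recv_exact(sock, 1)[0] if atyp == 3 else {1: 4, 4: 16}[atyp]
    recv_exact(sock, addr_len + 2)  # discard BND.ADDR and BND.PORT

def connect_through_chain(hops, target):
    """TCP to hops[0], then ask each hop to CONNECT to the next one, ending at target.
    Every hop sees only the previous hop's address; the target sees only the last hop's."""
    sock = socket.create_connection(hops[0])
    for host, port in list(hops[1:]) + [target]:
        socks_connect(sock, host, port)
    return sock

def peer_report(sock):
    """Drain the target's report; return (our own address, the address the target saw)."""
    with sock:
        data = b"".join(iter(lambda: sock.recv(1024), b""))
        return "%s:%d" % sock.getsockname(), data.decode()

def demo():
    """Direct connection versus one relayed through two pwned-host proxies."""
    target = serve(echo_peer)
    hops = [serve(handle_client), serve(handle_client)]
    direct_me, direct_seen = peer_report(socket.create_connection(target))
    chain_me, chain_seen = peer_report(connect_through_chain(hops, target))
    return {"direct_exposes_client": direct_seen == direct_me,
            "chain_exposes_client": chain_seen == chain_me,
            "target_saw_last_hop": chain_seen == "%s:%d" % OUTBOUND_LOG[-1]}
```

Calling `demo()` returns a dict in which `direct_exposes_client` is true (the target logged the client's own socket) and `target_saw_last_hop` is true (the target logged the second proxy's outbound socket, not the client). The same property holds hop by hop: each SOCKS server only ever learns the address of whoever connected to it, so in the chain from #6 the pwned host sees the VPS and the target sees the pwned host. That is also the defender's angle on it: the connection logs of a compromised host that is found running a SOCKS listener point straight back at the previous hop.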


(system) #7

This topic was automatically closed after 30 days. New replies are no longer allowed.