Unleash the power of reverse SOCKS5 tunnel in your corporate red teaming and adversary emulation exercises

superpb9
Aug 16, 2023

While commercial EDR solutions have undoubtedly strengthened cyber defence capabilities, they also introduce significant challenges for offensive security professionals, who usually need to spend a large amount of time developing in-house toolkits (e.g. PowerShell scripts, .NET assemblies, C/C++/Go binaries) to bypass EDR before they can even conduct a practical adversary simulation in a corporate network.

Moreover, it is fair to say that an increasing number of SOC teams are now building more robust detection rules based on deviations and anomalies from standard behaviour, as well as developing in-house threat-hunting capabilities, which inevitably adds more challenges for your penetration testers and purple team members.

As offensive security professionals, let’s once again think ‘out of the box’. In this article, I will demonstrate the power of reverse SOCKS5 proxy tunnelling, which could help your team minimize the time spent evading EDR solutions while still retaining the essential offensive capabilities that are typically achieved by executing a C2 implant on a victim’s machine.

What is SOCKS5? What is network tunnelling?

SOCKS (Socket Secure) is a network protocol that, on behalf of a client, relays network traffic through a firewall to a remote server. SOCKS sits at OSI Layer 5, the session layer, which is responsible for opening, closing and managing sessions between end-user application processes. SOCKS5 is defined in RFC 1928 and, compared with SOCKS4, adds support for IPv6, UDP (e.g. DNS lookups) and client authentication.

A network tunnel is a virtual pathway that usually provides a secure communication channel over the Internet. By running programs such as OpenSSH or PuTTY, we can easily create a SOCKS tunnel through a remote server. In practice, a common use case is safe and private browsing.
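To make the RFC 1928 wire format concrete, here is an added example in Go (not code from the original post) that decodes the request a SOCKS5 client sends after method negotiation. This is the message the local listener at the corporate end of such a tunnel receives, and it is what a defender inspecting loopback or proxy traffic would parse to see which internal host was asked for; the `intranet.example` destination is a constructed sample.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)
// Socks5Request is the destination a SOCKS5 client asked the proxy to reach.
type Socks5Request struct {
	Cmd  byte   // 0x01 CONNECT, 0x02 BIND, 0x03 UDP ASSOCIATE
	Host string // decoded DST.ADDR: IPv4, domain name or IPv6
	Port uint16 // DST.PORT, big-endian on the wire
}

// ParseRequest decodes the RFC 1928 request a client sends after method
// negotiation: VER(0x05) | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT.
func ParseRequest(b []byte) (Socks5Request, error) {
	var r Socks5Request
	if len(b) < 4 || b[0] != 0x05 || b[2] != 0x00 {
		return r, errors.New("not a SOCKS5 request")
	}
	r.Cmd = b[1]
	rest, addrLen := b[4:], 0
	switch b[3] {
	case 0x01, 0x04: // IPv4 (4 octets) or IPv6 (16 octets)
		addrLen = map[byte]int{0x01: 4, 0x04: 16}[b[3]]
	case 0x03: // domain name with a 1-byte length prefix
		if len(rest) < 1 {
			return r, errors.New("truncated domain length")
		}
		addrLen, rest = int(rest[0]), rest[1:]
	default:
		return r, errors.New("unknown ATYP")
	}
	if len(rest) < addrLen+2 {
		return r, errors.New("truncated address or port")
	}
	if b[3] == 0x03 {
		r.Host = string(rest[:addrLen])
	} else {
		r.Host = net.IP(rest[:addrLen]).String()
	}
	r.Port = binary.BigEndian.Uint16(rest[addrLen : addrLen+2])
	return r, nil
}
func main() {
	// Constructed sample: CONNECT to "intranet.example" port 445 via ATYP 0x03.
	req := append([]byte{0x05, 0x01, 0x00, 0x03, 16}, "intranet.example"...)
	fmt.Println(ParseRequest(append(req, 0x01, 0xbd)))
}
```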

What is a reverse tunnel? What could be the benefit if we run a malicious program on an unmonitored remote server and … ?

A reverse tunnel is a private channel through which a remote server on the Internet reaches back into the target client, which is usually located in a restrictive corporate network. The underlying connection is opened outbound by the client, which is what lets it pass the corporate firewall.

The Reverse SOCKS5 Tunnel

We are almost at the key technical takeaway of this post. However, before we demonstrate two practical reverse SOCKS5 tunnelling approaches, here is a quick summary regarding the question of ‘benefit’ raised above:

  • Imitating various threat actor behaviours
  • An effective evasion of security restrictions
  • Gaining realistic assessment of security posture

[Approach 1] Outbound SSH Connection + Local Socks5 Listener

I know many people might ask: “Outbound SSH, seriously? Isn’t outbound TCP port 22 blocked by default by most security engineers?” Yes, that’s absolutely correct. However, what if your remote SSH server is listening on TCP port 443?

PuTTY Session Configuration (1)

We won’t delve deeper into computer network fundamentals here, but when creating a reverse SOCKS5 tunnel it is quite likely (and, from a defender’s point of view, unfortunately so) that all you need is the PuTTY already installed on your (Windows) machine. Furthermore, if your corporate network requires a web proxy, you can also add the proxy’s host and port directly in PuTTY’s session configuration.

PuTTY Session Configuration (2)

My working machine does not have PuTTY pre-installed and our IT department would not allow people to install this tool. What should I do?

The answer is quite simple: ‘PowerShell + a third-party .NET library’ comes to the rescue, and you can also download a ready-to-use PowerShell script from my GitHub project RevSSHTunnelPowershell.

Screenshot from https://github.com/superpb9/RevSSHTunnelPowershell

Now that we have created a reverse tunnel via an outbound SSH connection, the next step is to run a local SOCKS5 listener on ‘127.0.0.1:1080’. This listener receives all inbound traffic arriving from the other end of your tunnel and transparently routes it to internal network assets. There are multiple ways to create such a listener on the client machine; we introduce two options below.

# Option 1: Build a simple Go executable yourself

package main

import (
	"github.com/armon/go-socks5"
)

func main() {
	// Default config: no authentication, names resolved by the system resolver
	myConf := &socks5.Config{}
	server, err := socks5.New(myConf)
	if err != nil {
		panic(err)
	}

	// Create SOCKS5 listener on 127.0.0.1:1080
	if err := server.ListenAndServe("tcp", "127.0.0.1:1080"); err != nil {
		panic(err)
	}
}

This Go executable can also be used in conjunction with LOLBins such as regsvr32.exe to maximise defense evasion. You can also, of course, use burrowers/garble to obfuscate the executable, though that might be overkill for such a simple function.

# DLL version
go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o main.dll main.go
# EXE version
go build -ldflags="-w -s -H=windowsgui" -o main.exe main.go

# [Optional] Go obfuscation using 'burrowers/garble'
# Single quotes keep PowerShell from expanding the '$...' part of the literal
param([String]$randomHash='AXSDEFWCXZSD$ASWDSADMSAMSAM')
garble build -buildmode=c-shared -ldflags="-X main.randomHash=$randomHash" -o main.dll

# Option 2: Use a third-party PowerShell module

If you are not a fan of Go programming, there are still many other options that can help you achieve the same goal. For example, a GitHub project called PowerProxy can quickly start a local SOCKS5 listener using PowerShell.

Import-Module .\PowerProxy.ps1
Start-SocksProxy 127.0.0.1 -Port 1080

[Approach 2] Outbound TLS Connection

If your outbound SSH attempt via a typical HTTP(S) port such as 443 is ‘unfortunately’ blocked by your security engineers on the corporate firewall, the next approach to consider is leveraging the TLS protocol. There are numerous open-source reverse SOCKS5 proxies over TLS available on GitHub, such as chisel, crowbar, rsocks, rsockstun, etc.

One thing to consider when using these tools is that they are likely to be ‘easily’ signatured by modern EDR solutions such as MDE (Microsoft Defender for Endpoint) and CrowdStrike. In other words, if possible, it is still recommended to develop your own tool capable of running a reverse SOCKS5 tunnel over TLS.
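A defender-side check that ties Approach 1 and Approach 2 together, written as an added example for this post (not the author’s tooling): it classifies the first bytes a client sends on a new connection and flags an SSH banner on TCP 443, which is exactly what Approach 1 produces on the wire. The same check shows why Approach 2 needs other signals (certificate, SNI, connection lifetime), since its first bytes are an ordinary TLS ClientHello; the port-to-protocol policy and the byte samples are constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

// Classify names the protocol from the first bytes a client sends on a new
// TCP connection, for the three protocols this post touches.
func Classify(first []byte) string {
	switch {
	case bytes.HasPrefix(first, []byte("SSH-2.0-")):
		return "ssh" // SSH identification string (RFC 4253) travels in clear text
	case len(first) >= 3 && first[0] == 0x16 && first[1] == 0x03 && first[2] <= 0x04:
		return "tls" // handshake record, version 3.x: SSL3 through TLS 1.3
	case len(first) >= 3 && first[0] == 0x05 && int(first[1]) == len(first)-2:
		return "socks5" // RFC 1928 greeting: VER=5, NMETHODS, then that many methods
	default:
		return "other"
	}
}

// expected is a constructed policy of which protocol belongs on which port.
var expected = map[uint16]string{22: "ssh", 443: "tls", 1080: "socks5"}

// Mismatch reports the observed protocol and whether it violates the policy
// for the port; an SSH banner on 443 (Approach 1) is the case in point.
func Mismatch(port uint16, first []byte) (string, bool) {
	proto := Classify(first)
	want, known := expected[port]
	return proto, known && proto != want
}

func main() {
	// Constructed samples: the three first-byte patterns seen on TCP 443.
	samples := [][]byte{
		[]byte("SSH-2.0-OpenSSH_9.3\r\n"),     // Approach 1: SSH on 443
		{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01}, // Approach 2: looks like any TLS client
		{0x05, 0x01, 0x00},                   // SOCKS5 greeting, no auth
	}
	for _, s := range samples {
		proto, bad := Mismatch(443, s)
		fmt.Printf("port 443 %-6s mismatch=%v\n", proto, bad)
	}
}
```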

Summary

In this post, we primarily explored the practical use of reverse SOCKS5 tunnels to enhance your corporate red teaming and adversary emulation activities. In addition, we introduced two practical approaches to quickly set up your own tunnelling toolbox, ensuring readiness for various scenarios and challenges.

One last thing worth noting while running your reverse tunnel: do not forget to change your default hostname from ‘kali’ to a corporate-like one. This step sometimes denies your Blue Team the quick win that commercial EDR solutions would otherwise hand them. 😄

I hope you find this article useful, and thank you for reading.
