praetorian-inc/PortBender praetorian-inc/PortBender

  • Stars
    star
    657
  • Rank 68,119 (Top 2 %)
  • Language
    C
  • License
    Apache License 2.0
  • Created over 3 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
praetorian-inc/PortBender
github

praetorian-inc

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

TCP Port Redirection Utility

Overview

PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). PortBender includes an aggressor script that operators can leverage to integrate the tool with Cobalt Strike. However, because the tool is implemented as a reflective DLL, it can integrate with any C2 framework supporting loading modules through a "ReflectiveLoader" interface [1]. The tool also allows operators to simulate a backdoor/persistence mechanism leveraged within the "PortServ.sys" capability used by the Duqu 2.0 threat actor.

Design

PortBender leverages the WinDivert library to intercept network traffic using the Windows Filtering Platform (WFP). The design of PortBender is heavily influenced by the DivertTCPConn utility which also leverages the WinDivert library [1].

Usage

PortBender has two modes of operation. The first is "redirector mode," and the second is "backdoor mode." In "redirector mode," any connection to a targeted destination port (e.g., 445/TCP) is redirected to an alternative port (e.g., 8445/TCP). In "backdoor mode," we only redirect traffic if an attacker sends a specially formatted TCP packet to a target port (e.g., 443/TCP). PortBender then adds that client IP address to a list of backdoor clients and redirects all traffic to that target port to an alternative port (e.g., 3389/TCP). An operator can leverage this mechanism to emulate the persistence technique used by the Duqu 2.0 threat actor when compromising Kaspersky.

To execute PortBender we must first import the "PortBender.cna" script into Cobalt Strike and upload the WinDivert32.sys or WinDivert64.sys binary included in "PortBender.zip" to the target host depending on the operating system architecture. The help menu for PortBender with the example usage is shown below:

beacon> help PortBender
Redirect Usage: PortBender redirect FakeDstPort RedirectedPort
Backdoor Usage: PortBender backdoor FakeDstPort RedirectedPort Password
Examples:
	PortBender redirect 445 8445
	PortBender backdoor 443 3389 praetorian.antihacker

Example Usage

For example, we may wish to execute PortBender in redirector mode to perform an SMB relay attack from a compromised Windows system. To facilitate this, we can instruct PortBender to redirect all traffic to 445/TCP to an alternative port 8445/TCP running an attacker SMB service. In this example, we run the command "PortBender redirect 445 8445" to accomplish this. The expected output is below:

In this example, we want to deploy the covert persistence mechanism on a compromised Internet-facing IIS webserver. Here we run the "PortBender backdoor 443 3389 praetorian.antihacker" to instruct the backdoor service to redirect any connections to 443/TCP to 3389/TCP on the compromised host from any IP address that provides the specified "praetorian.antihacker" keyword. The expected output is shown below:

Acknowledgements

  • Arno0x0x for his work on DivertTCPConn [1]
  • Stephen Fewer for his work on Reflective DLL Injection [2]
  • Basil00 for his work on WinDivert [3]
  • Francisco Dominguez for his research into performing SMB relaying on Windows [4]

References

[1] https://github.com/Arno0x/DivertTCPconn
[2] https://github.com/stephenfewer/ReflectiveDLLInjection
[3] https://github.com/basil00/Divert
[4] https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445

More Repositories

1

gokart

A static analysis tool for securing Go code
Go
2,175
star
2

noseyparker

Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Rust
1,555
star
3

Hob0Rules

Password cracking rules for Hashcat based on statistics and industry patterns
1,404
star
4

pentestly

Python and Powershell internal penetration testing framework
Python
716
star
5

purple-team-attack-automation

Praetorian's public release of our Metasploit automation of MITRE ATT&CKâ„¢ TTPs
Ruby
713
star
6

DVRF

The Damn Vulnerable Router Firmware Project
HTML
661
star
7

fingerprintx

Standalone utility for service discovery on open ports!
Go
547
star
8

gato

GitHub Actions Pipeline Enumeration and Attack Tool
Python
488
star
9

trudy

A transparent proxy that can modify and drop traffic for arbitrary TCP connections.
Go
275
star
10

pyshell

PyShell makes interacting with web-based command injection less painful, emulating the feel of an interactive shell as much as possible.
Python
255
star
11

mitm-vm

An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.
Shell
191
star
12

gladius

Automated Responder/secretsdump.py cracking
Python
181
star
13

snowcat

a tool to audit the istio service mesh
Go
173
star
14

vulcan

a tool to make it easy and fast to test various forms of injection
C++
172
star
15

ADFSRelay

Proof of Concept Utilities Developed to Research NTLM Relaying Attacks Targeting ADFS
Go
172
star
16

trident

automated password spraying tool
Go
145
star
17

NTLMRecon

A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
Go
78
star
18

epictreasure

radare, angr, pwndbg, binjitsu, ect in a box ready for pwning
Shell
74
star
19

INTRACTABLEGIRAFFE

A Proof of Concept Rootkit Demonstrating Keylogging and Virtual File System (VFS) Capabilities
C
69
star
20

proxylogon-exploit

Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
Python
46
star
21

hashcatJS

An implementation of the hashcat rules engine in javascript
JavaScript
45
star
22

slack-c2bot

Slack C2bot that executes commands and returns the output.
Go
44
star
23

ruby_hashcat

Command line wrapper, Library, and Rest API for oclHashcat.
Ruby
40
star
24

dert

DNS Enumeration and Reconnaissance Tool
Ruby
37
star
25

Matryoshka

Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
C
36
star
26

Okta_Watering_Hole

Next Generation Phishing Tool For Internal / Red Teams
Python
35
star
27

ctf-writeups

Collection of Praetorian solutions to CTF challenges
OpenEdge ABL
25
star
28

chariot-ui

Chariot Offensive Security Platform
TypeScript
21
star
29

konstellation

Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j.
Cypher
19
star
30

bsidesaustin

Python
14
star
31

burp-wcf-gzip

Burp extension for decoding WCF-gzipped requests.
Python
12
star
32

gcloud-lockdown

Scripts to demonstrate VPC Service Controls between tenant and shared projects
Shell
12
star
33

chariot-launch-nuclei-templates

11
star
34

highlight

Text file to BMP image with box drawing and blurring from the command line
C
9
star
35

log4j-detector

Log4j detector and reporting server for scalable detection of vulnerable running processes.
Go
8
star
36

praetorian-cli

The command line interface for Praetorian products and services
Python
7
star
37

aws-labs

Shell
5
star
38

tpm_bound_sa_key

Go
5
star
39

rpi-setup

set up rpi for zbwardrive
Python
5
star
40

sonicwall-nsv-decrypter

C
5
star
41

product-frontend-interview

JavaScript
3
star
42

zeroqlik-detect

A Nuclei template to detect ZeroQlik (CVE-2023-41265 and CVE-2023-41266)
3
star
43

product-backend-interview

Java
1
star