#socat

This is the first time I have to pentest a remote IPv6 network from my office IPv4 network, so I decided to take a note on how to achieve the connectivity. To make it a little more complex, the remote network is only available via a VPN connection, and I have to use a windows machine to maintain the VPN connection. The target system is not available directly from the VPN, I have to use a jumpserver. Fortunately it is a linux jumpserver, so I can use it for port forwarding. I had no idea how to connect to IPv6 addresses over this tunnel, so I googled a lot and found that socat is a very good friend of mine. It can listen on a tcp4 port and forward to a tcp6 port. The plan is to combine static port forwarding on the jump server, establish a socat tunnel between the jumpserver and the tcp/22 port of the ipv6 target machine, connect these two tunnels together, and finally establish a dynamic port forwarding ssh connection between my kali VM and the target machine through the above mentioned combined tunnel. If this works, than I only have to configure proxychains to use the dynamic port forwarding ssh connection as a socks proxy and I can directly access the target machine from my kali VM.

I sketched it on the tactical whiteboard:

As you can see, the green VPN is maintained between the remote network and my windows computer, the kali VM connects to the ssh jump server using its NAT-ed vmnet adapter (red), on the jumpserver the socat tunnel listens on a local tcp4 port and forwards packets to the target ipv6 server (black). After all of these are established, the kali VM connects directly through the tunnels to the target host  (black dotted line) and provides dynamic port fw.

Sounds good, but I was afraid of the differences between the MTU in IPv4 and IPv6, and of course I was aware that I will have only tcp connection, no udp, no icmp.

Let’s give it a try. The green VPN is transparent let’s concentrate on the ssh and socat magic.

1) Establish the red tunnel from kali_local(8080) to jumpserver_local(5555)

Ok, now the tcp/8080 is now connected directly to the jumpservers tcp/5555.

2) On a separate terminal log on to the jumpserver and establish a fixed socat tunnel from tcp4_jumpserver_local(5555) to tcp6_target(22):

Looks good. Now the black tunnel is set up. If I drop a packet on my kali VM’s 8080 port, it goes through the red and black tunnels directly to the target systems tcp/22.

3) Let’s introduce some dynamic port forwarding in order to access any port and system in the target network.

I connect to my kali VM’s local tcp/8080 with ssh and if it works as assumed, I will be logging into the target IPv6 computer. Let’s see...

Look at that! Now due to the dynamic port forwarding, the local tcp/9090 port functions as a socks proxy, and I can access any tcp port on the remote system. I configure proxychains to use this port as a socks4 proxy service:

And now the black dotted connection from the sketch is ready to use. Let’s grab some banners:

@hudartstoday ‘s OCs for this month’s @secretocartexchange !

Redirecting Unix socket via ssh tunnel

socat “UNIX-LISTEN:/path/to/socket_on_local_side.sock,reuseaddr,fork,mode=777″ EXEC:’ssh -p <ssh port on remote> <user>@<ip of remote end> -i <ssh identity file> socat STDIO UNIX-CONNECT\:/path/to/sock_on_remote.sock‘