Hacking Windows 10: How to Use SSH Tunnels to Forward Requests & Hack Remote Routers

Without admin privileges, installing additional software, or modifying the Windows 10 firewall, an attacker can alter a router and perform a variety of exploits. It's accomplished by forwarding requests from Kali through a backdoored Windows computer to the router gateway with simple SSH tunnels.


The attack I'll be outlining takes advantage of the SSH -R and -L port-forwarding options to create encrypted connections to and from the attacker's server. The diagram below provides an oversimplified depiction of the attack.


# Attack Topology

[Kali/Hacker]
     |
     | SSH
     |
    \|/
     '
[Debian/Server]
     .
    /|\
     |
     | SSH               +-->[Raspberry Pi on 192.168.1.2:8080]
     |                  /
     |                 /
[Windows 10/Proxy]---->[Router/Target on 192.168.1.1:80]
                       \
                        +-->[Torrent Client on 192.168.1.3:8080]

The connections allow the attacker to forward requests through a virtual private server (Debian), and then through a compromised Windows 10 PC, ultimately granting the attacker access to the router gateway. Other devices and ports on the network can be targeted through the Windows 10 computer, but we'll focus on the router. An attacker with access to router settings can inflict all kinds of damage.


The PowerShell payload is executed in Windows 10, forcing it to create an SSH connection to the attacker's server. That link forwards requests from the server through Windows 10 to the router gateway. To access the forwarding port in the Debian VPS, the attacker also connects to the server, allowing them to use it and Windows 10 as a double-forwarding mechanism.
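For defenders, the reverse forward described above is visible in Windows process-creation logs as an ssh command line carrying -R with an internal address as its target. The following is an added detection example, not code from the original article; the sample command lines, host names and port 9999 are constructed, and only the command-line -R/-L forms are covered.

```python
import ipaddress
import shlex

NOARG = set("46AaCfGgKkMNnqsTtVvXxYy")  # ssh flags that take no argument

# Constructed process-creation command lines (e.g. Sysmon Event ID 1 style).
SAMPLE_EVENTS = [
    r'C:\Windows\System32\OpenSSH\ssh.exe -N -R 9999:192.168.1.1:80 user@vps.example.net',
    r'ssh.exe -o StrictHostKeyChecking=no -R9999:192.168.1.1:80 -N user@vps.example.net',
    r'ssh.exe admin@build01.example.net',
    r'ssh.exe -L 8080:intranet.example.net:80 admin@jump.example.net',
    r'C:\Windows\System32\notepad.exe notes.txt',
]

def forwards(cmdline):
    """Return [(flag, spec)] for every -R / -L option in an ssh command line."""
    tokens = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes
    if not tokens or not tokens[0].strip('"').lower().endswith(("ssh.exe", "ssh")):
        return []
    found, i = [], 1
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-"):
            continue
        for pos, ch in enumerate(tok[1:], start=1):  # walk clusters like -NR
            if ch in NOARG:
                continue
            arg = tok[pos + 1:]                  # value glued on: -R9999:...
            if not arg and i < len(tokens):
                arg, i = tokens[i], i + 1        # value in the next token
            if ch in "RL":
                found.append((ch, arg.strip('"')))
            break
    return found

def suspicious(cmdline):
    """Reverse forwards that expose an internal IPv4 target or a reverse SOCKS port."""
    hits = []
    for flag, spec in forwards(cmdline):
        parts = spec.rsplit(":", 2)  # [bind:]port, host, hostport
        if flag != "R":
            continue
        try:
            # Fewer than three parts means "-R port": a reverse dynamic forward.
            if len(parts) < 3 or ipaddress.ip_address(parts[1]).is_private:
                hits.append(spec)
        except ValueError:
            pass  # hostname or IPv6 target: out of scope for this sketch
    return hits
```

Forwards set through `-o RemoteForward=...` or an ssh_config file do not appear as -R on the command line and need a separate check.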


Similar attacks can be performed with Tor that allow for greater access to devices and ports on the target network. But I wanted to devise a forwarding solution that didn't involve ..
