PBOUNCE v.0.1 by meder & fyodor

What is it?
~~~~~~~~~~~

PBOUNCE stands for Pivoting BOUNCEr and has been inspired by bounce-0.0.1
by Fyodor Yarochkin, which can be downloaded from http://o0o.nu/sec/tools/.
PBOUNCE was written from scratch, reusing the unixlib portability library
from the original bounce.

PBOUNCE has been primarily designed to tunnel TCP connections into an
internal network by multiplexing them through one TCP connection. That
connection is established as an outgoing connection from the pivoting host,
which is very useful when a firewall blocks incoming connections.

Basics
~~~~~~

To use PBOUNCE there must be two instances of the pbounce process running on
two systems. The one on your local system runs in listening mode (LiMo); the
other, on the system you want to tunnel from (a host behind a firewall or NAT
device), runs in pivoting mode (PiMo).

LiMo must be started on the local side, as it serves as the control center
for the PiMo instances. LiMo binds two ports:

- command port on 127.0.0.1 (specified with -L)
- port for PiMo to connect to (specified with -r)

PiMo must be started on the remote computer. In this mode it does not bind
any ports, but instead connects to LiMo (pivoting mode is triggered with -P,
the IP address to connect to is specified with -R and the port with -r).

After that PBOUNCE is ready to tunnel data into the internal or external
network through the remote host (PIVOT).

The command port is used to issue commands to PiMo. At the moment only one
command is supported and its format is as follows:

BIND <remote_ip> <T|U> <remote_port> [<bind_ip>] <local_port>

After that <local_port> on LiMo is associated with the above bounce, that
is, connecting to 127.0.0.1:<local_port> is the same as connecting to
<remote_ip>:<remote_port> from the remote (PiMo) machine. The optional
<bind_ip> specifies the IP address for LiMo to bind <local_port> on.

How it works
~~~~~~~~~~~~

Topology used in the steps below:

  +------------------+        +------------------+
  | INTERNAL LAN     |        | SERVER           |
  | 192.168.0.0/24   +--------+ IP: 192.168.0.10 |
  +--------+---------+        +------------------+
           |
  +--------+-----------------------------------+
  | PiMo (pivot) pbounce                       |
  | IP: YYY.YYY.YYY.YYY                        |
  | pbounce -P -R XXX.XXX.XXX.XXX -r 10000     |
  +--------+-----------------------------------+
           |
       (INTERNET)
           |
  +--------+-----------------------------------+
  | LiMo (listen) pbounce                      |
  | IP: XXX.XXX.XXX.XXX                        |
  | pbounce -L 5000 -r 10000                   |
  +--------------------------------------------+

1. The analyst launches two instances of PBOUNCE: LiMo on XXX.XXX.XXX.XXX
   with "pbounce -L 5000 -r 10000", and PiMo on YYY.YYY.YYY.YYY with
   "pbounce -P -R XXX.XXX.XXX.XXX -r 10000". PiMo establishes one TCP
   connection with LiMo, and that connection is used to send/receive all
   data to/from LiMo. All connections being bounced are multiplexed through
   this one connection as well.

2. The analyst issues a BIND command to LiMo by telnetting to localhost TCP
   port 5000:

   BIND 192.168.0.10 T 22 1022

   Local port 1022 is now associated with port 22 on 192.168.0.10.

3. The analyst initiates a connection to the port bound by LiMo: she
   connects her ssh client to 127.0.0.1:1022, which is the same as
   connecting to 192.168.0.10:22 from PiMo. PiMo establishes a connection
   with 192.168.0.10:22, and all data coming from LiMo is forwarded to that
   connection and vice versa.

With the above setup PiMo makes one outgoing connection to LiMo, and that
TCP connection is used to multiplex all connections that are tunneled to
the LAN.

On LiMo:
---------------------------------------------------------------
[meder@beastie meder]$telnet localhost 5000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Command format:
BIND <remote_ip> <T|U> <remote_port> [<bind_ip>] <local_port>
Examples:
bouncing local TCP port 1022 bound on 127.0.0.1 to remote port 22 on 10.1.1.1
BIND 10.1.1.1 T 22 127.0.0.1 1022
bouncing local UDP port 53 to remote port 53 on 10.1.1.1
BIND 10.1.1.1 U 53 53
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Enter your command...
BIND 192.168.1.10 T 22 1022
OK
^C
[meder@beastie meder]$ssh -p 1022 meder@127.0.0.1
---------------------------------------------------------------

Now all connections to TCP port 1022 on any local IP address are tunneled
to 192.168.1.10:22 through PiMo.

By default LiMo binds the port on all available IP addresses, which may or
may not be what you want. You can also specify the IP address for LiMo to
bind the bounced port on; the following command binds TCP port 1022 on
127.0.0.1 and bounces it to 10.1.1.1 port 22:

BIND 10.1.1.1 T 22 127.0.0.1 1022

Things you should know
~~~~~~~~~~~~~~~~~~~~~~

- After issuing a command on the command port you can safely disconnect;
  nothing will happen. You can reconnect later to issue more commands.

- If you kill PBOUNCE on LiMo, PiMo will try to reconnect forever.

- Multiple simultaneous connections to the local port (1022 in the example)
  are supported. The author ran 30 instances of nikto and 20 instances of
  hydra through one pbounce setup and had no problems.

- PBOUNCE supports a very primitive encryption mechanism for the channel
  between PiMo and LiMo. To use it, -k <key> must be specified, with <key>
  being an encryption key in the range 1-255; the same key must be used on
  both PiMo and LiMo. THIS "ENCRYPTION" (OBFUSCATION) HAS BEEN DESIGNED TO
  EVADE NETWORK INTRUSION DETECTION SYSTEMS, NOT FOR CONFIDENTIALITY. DO NOT
  USE IT WHEN TRANSMITTING SENSITIVE DATA!!! A key with only 255 possible
  values is trivially brute-forced by anyone capturing the channel, so treat
  the PiMo/LiMo connection as cleartext and put the protection inside the
  tunnel (for example by bouncing SSH, as in the example above).

- PBOUNCE has HTTP proxy support: PiMo uses the CONNECT method to reach LiMo
  through the proxy. The proxy IP is specified with -F and the proxy port
  with -f. HINT: proxies usually only allow CONNECT to TCP port 443, so you
  should start both LiMo and PiMo with '-r 443', which results in LiMo
  waiting for the connection from PiMo on port 443 and PiMo connecting to
  that port.
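The control-port grammar above (BIND with an optional bind address) is easy to get subtly wrong, because the fourth field is either the bind IP or the local port depending on how many fields follow. The parser below is an added example written for this README, not code from the pbounce project (which is written in C); the Bind record, the 0.0.0.0 default for "all available IP addresses", the error messages and the helper names are this example's own choices. It accepts exactly the three commands shown on this page and rejects malformed ones.

```python
"""Parser for the BIND command documented on PBOUNCE's command port.

Added example, not pbounce's own parser. Grammar, from the help text LiMo
prints on the command port:

    BIND <remote_ip> <T|U> <remote_port> [<bind_ip>] <local_port>

The Bind dataclass, the 0.0.0.0 default and the messages are assumptions
made for this example.
"""
import ipaddress
from dataclasses import dataclass

USAGE = "usage: BIND <remote_ip> <T|U> <remote_port> [<bind_ip>] <local_port>"


@dataclass(frozen=True)
class Bind:
    remote_ip: str    # host PiMo will connect to, as seen from the pivot
    proto: str        # "T" for TCP, "U" for UDP
    remote_port: int  # port on remote_ip
    bind_ip: str      # address LiMo listens on; 0.0.0.0 means all interfaces
    local_port: int   # port LiMo listens on


def _port(text: str) -> int:
    try:
        value = int(text, 10)
    except ValueError:
        raise ValueError(f"port is not a number: {text!r}") from None
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range 1-65535: {value}")
    return value


def _ip(text: str) -> str:
    try:
        return str(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        raise ValueError(f"not an IPv4 address: {text!r}") from None


def parse_bind(line: str) -> Bind:
    """Parse one command-port line into a Bind; raise ValueError on junk."""
    fields = line.split()
    # Keyword is compared case-insensitively; the documented form is upper-case.
    if not fields or fields[0].upper() != "BIND":
        raise ValueError("only the BIND command is supported")
    args = fields[1:]
    if len(args) == 4:
        remote_ip, proto, remote_port, local_port = args
        bind_ip = "0.0.0.0"   # README: by default LiMo binds on all IP addresses
    elif len(args) == 5:
        remote_ip, proto, remote_port, bind_ip, local_port = args
    else:
        raise ValueError(USAGE)
    proto = proto.upper()
    if proto not in ("T", "U"):
        raise ValueError(f"protocol must be T or U, got {proto!r}")
    return Bind(_ip(remote_ip), proto, _port(remote_port), _ip(bind_ip),
                _port(local_port))


def is_valid(line: str) -> bool:
    """True if the line is a well-formed BIND command."""
    try:
        parse_bind(line)
        return True
    except ValueError:
        return False


def describe(b: Bind) -> str:
    """One-line summary of what the bounce does."""
    kind = "TCP" if b.proto == "T" else "UDP"
    return f"{kind} {b.bind_ip}:{b.local_port} -> {b.remote_ip}:{b.remote_port} via PiMo"


if __name__ == "__main__":
    # The three commands that appear in this README.
    for cmd in ("BIND 192.168.0.10 T 22 1022",
                "BIND 10.1.1.1 T 22 127.0.0.1 1022",
                "BIND 10.1.1.1 U 53 53"):
        print(cmd, "=>", describe(parse_bind(cmd)))
```

Running it prints the three bounces from the README, the first with the 0.0.0.0 default and the second bound to 127.0.0.1 only.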
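The "How it works" section says every bounced connection is multiplexed over the single PiMo-to-LiMo TCP connection. The following is an added example, not pbounce's wire format (the project does not document it, and nothing here claims to reproduce it): it uses a frame layout invented for this example (2-byte channel id, 1-byte frame type, 2-byte payload length, big-endian, then the payload) and shows the two things such a multiplexer has to get right: tagging every byte with the channel it belongs to, and reassembling frames from a byte stream that TCP may split at any offset. The sample traffic (an SSH banner on one channel and an HTTP request on another) is constructed.

```python
"""Many bounced connections over one TCP stream: a minimal channel multiplexer.

Added example with its own frame format; not pbounce code. Header fields:
channel id (2 bytes), frame type (1 byte), payload length (2 bytes).
"""
import struct
from collections import defaultdict

HDR = struct.Struct("!HBH")      # channel id, frame type, payload length
OPEN, DATA, CLOSE = 1, 2, 3      # frame types chosen for this example
MAX_PAYLOAD = 0xFFFF             # largest payload a 2-byte length can carry


def frame(channel: int, ftype: int, payload: bytes = b"") -> bytes:
    """Encode one frame. OPEN payloads carry 'host:port' for the far side."""
    if not 0 <= channel <= 0xFFFF or ftype not in (OPEN, DATA, CLOSE):
        raise ValueError("bad channel or frame type")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for a single frame")
    return HDR.pack(channel, ftype, len(payload)) + payload


def send_data(channel: int, data: bytes) -> bytes:
    """Split an arbitrarily large write into as many DATA frames as needed."""
    if not data:
        return frame(channel, DATA, b"")
    out = bytearray()
    for i in range(0, len(data), MAX_PAYLOAD):
        out += frame(channel, DATA, data[i:i + MAX_PAYLOAD])
    return bytes(out)


class Demux:
    """Feed it whatever recv() returned; it hands back whole frames only."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        frames = []
        while len(self._buf) >= HDR.size:
            channel, ftype, length = HDR.unpack_from(self._buf)
            if len(self._buf) < HDR.size + length:
                break                      # header seen, body not complete yet
            payload = bytes(self._buf[HDR.size:HDR.size + length])
            del self._buf[:HDR.size + length]
            frames.append((channel, ftype, payload))
        return frames


def reassemble(stream: bytes, chunk_size: int) -> dict:
    """Replay a multiplexed stream in chunk_size pieces (simulating arbitrary
    TCP segmentation) and return the bytes each channel received, in order."""
    demux = Demux()
    data = defaultdict(bytes)
    for i in range(0, len(stream), chunk_size):
        for channel, ftype, payload in demux.feed(stream[i:i + chunk_size]):
            if ftype == OPEN:
                data[channel] = b""        # payload is the target host:port
            elif ftype == DATA:
                data[channel] += payload
            # CLOSE carries no data; a real demux would tear the channel down
    return dict(data)


if __name__ == "__main__":
    # Constructed traffic: an ssh client on channel 1 and an HTTP client on
    # channel 2, interleaved on the single PiMo<->LiMo connection.
    stream = (frame(1, OPEN, b"192.168.0.10:22")
              + frame(2, OPEN, b"192.168.0.10:80")
              + send_data(1, b"SSH-2.0-OpenSSH_9.6\r\n")
              + send_data(2, b"GET / HTTP/1.0\r\n\r\n")
              + send_data(1, b"\x00\x00\x04\x1c")
              + frame(2, CLOSE))
    for size in (1, 7, 64):
        print(size, reassemble(stream, size))
```

The per-channel output is identical whether the stream is delivered one byte at a time or in large segments, which is the property a multiplexer must have; a demuxer that assumes one recv() returns one frame breaks as soon as two bounced connections are busy at once.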
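The last bullet says PiMo reaches LiMo through an HTTP proxy with the CONNECT method and that port 443 is the one most proxies permit. The code below is an added example, not pbounce's implementation: the request is plain HTTP CONNECT, while the helper names, the constructed proxy replies and the port-443 check are this example's own. It demonstrates the detail a client must get right: the proxy's reply is consumed only up to the blank line, because any bytes after it are already tunnel data from LiMo and must not be discarded.

```python
"""Establishing PiMo's outgoing connection through an HTTP proxy (-F/-f).

Added example, not pbounce code. CONNECT request/response handling per
plain HTTP; proxy replies below are constructed for the demonstration.
"""
from typing import List, Optional, Tuple

MAX_HEADER = 8192  # give up if the proxy never ends its headers


def connect_request(host: str, port: int, proxy_auth: str = "") -> bytes:
    """Build the CONNECT request PiMo would send to the proxy."""
    target = f"{host}:{port}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if proxy_auth:                       # optional Proxy-Authorization value
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_reply(buf: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (status_code, leftover) once the reply headers are complete,
    None if more data is needed. Raises ValueError on a non-HTTP reply."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        if len(buf) > MAX_HEADER:
            raise ValueError("proxy reply headers too long")
        return None
    head, leftover = buf[:end], buf[end + 4:]
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if (len(parts) < 2 or not parts[0].startswith(b"HTTP/")
            or not parts[1].isdigit()):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    # A 2xx reply to CONNECT has no body: everything after the blank line is
    # tunnel traffic, so it is returned rather than dropped.
    return int(parts[1]), leftover


def tunnel_established(chunks: List[bytes]) -> Tuple[bool, bytes]:
    """Simulate a recv() loop over the given chunks. Returns (ok, leftover);
    leftover must be handed to the tunnel layer as LiMo's first bytes."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        reply = parse_connect_reply(buf)
        if reply is None:
            continue                     # keep reading
        code, leftover = reply
        return code == 200, leftover
    return False, b""                    # connection ended mid-headers


def likely_allowed(port: int) -> bool:
    """README hint: most proxies only permit CONNECT to TCP port 443."""
    return port == 443


if __name__ == "__main__":
    # LiMo started with '-r 443', as the README advises; XXX.XXX.XXX.XXX is
    # the README's placeholder for LiMo's address.
    print(connect_request("XXX.XXX.XXX.XXX", 443).decode())
    print(tunnel_established([b"HTTP/1.1 200 Connection established\r\n\r\n",
                              b"first bytes from LiMo"]))
    print(tunnel_established([b"HTTP/1.1 403 Forbidden\r\n\r\n"]))
```

With '-r 10000' the same proxy would typically answer 403 and PiMo would never reach LiMo; that is the reason for the '-r 443' hint above.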
Compiling
~~~~~~~~~

On Win32 (with lcc):

  make -f makefile.w32

On Unix (Linux, *BSD):

  make

On Solaris:

  make solaris

Supported platforms
~~~~~~~~~~~~~~~~~~~

Currently PBOUNCE has been tested on the following platforms: FreeBSD,
OpenBSD, Linux, Solaris, Win32 (use lcc to compile), though it should
compile on all major Unix platforms.

Please check the project's homepage for new releases and binaries for the
most common platforms: http://o0o.nu/~meder/index.php?pg=pbounce

Comments, suggestions, bug reports and patches
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Meder Kydyraliev
Fyodor Yarochkin