Command:

netsh.exe interface add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.101

I tossed it into x64dbg and checked for DeviceIoControl calls, but there was only one, to \Device\CNG, which is apparently a cryptography driver?


Now we monitor as many "relevant" API calls (I don't even know what's relevant here) as we can via API Monitor.

I clicked a lot of boxes and filtered out some APIs that did "generic irrelevant stuff".

Interesting things while scrolling down 4000 API calls lmao:


It's just doing the syscall directly! After running through setting up the port forward rule, it seems to be around 11-13 IOCTLs sent (a lot of them going to the console host).

The 5th, 6th and 7th calls get sent to C:\Windows\System32\drivers\nsiproxy.sys. After following their return routines, it doesn't seem like they trigger the port forward.

At some point I made the observation that on a successful run, a registry key is written and an svchost process is spawned (listening on the lport, in this case 3389).

Maybe the key lies within the DLLs, so after the 6th IOCTL is sent, I noted them down:

DLL Loaded: 00007FF9AFE00000 C:\Windows\System32\kernel.appcore.dll
DLL Loaded: 00007FF9AB850000 C:\Windows\System32\ifmon.dll
DLL Loaded: 00007FF9B34A0000 C:\Windows\System32\ws2_32.dll
DLL Loaded: 00007FF9B1F20000 C:\Windows\System32\cfgmgr32.dll
DLL Loaded: 00007FF9B0970000 C:\Windows\System32\IPHLPAPI.DLL
DLL Loaded: 00007FF9946E0000 C:\Windows\System32\mprapi.dll
DLL Loaded: 00007FF994360000 C:\Windows\System32\rasmontr.dll
DLL Loaded: 00007FF9B3090000 C:\Windows\System32\advapi32.dll
DLL Loaded: 00007FF9B2510000 C:\Windows\System32\sechost.dll
DLL Loaded: 00007FF9B32F0000 C:\Windows\System32\user32.dll
DLL Loaded: 00007FF9B1EF0000 C:\Windows\System32\win32u.dll
DLL Loaded: 00007FF9B24B0000 C:\Windows\System32\gdi32.dll
DLL Loaded: 00007FF9B1DD0000 C:\Windows\System32\gdi32full.dll
DLL Loaded: 00007FF99A390000 C:\Windows\System32\rasapi32.dll
DLL Loaded: 00007FF9A8080000 C:\Windows\System32\FWPUCLNT.DLL
DLL Loaded: 00007FF9B18F0000 C:\Windows\System32\bcrypt.dll
DLL Loaded: 00007FF99A260000 C:\Windows\System32\rasman.dll
DLL Loaded: 00007FF97E790000 C:\Windows\System32\mfc42u.dll
DLL Loaded: 00007FF9B3DA0000 C:\Windows\System32\ole32.dll
DLL Loaded: 00007FF9B24E0000 C:\Windows\System32\imm32.dll
INT3 breakpoint at <ntdll.ZwDeviceIoControlFile> (00007FF9B3FAD0E0)!
DLL Loaded: 00007FF987C00000 C:\Windows\System32\authfwcfg.dll
DLL Loaded: 00007FF9A0F80000 C:\Windows\System32\fwpolicyiomgr.dll
DLL Loaded: 00007FF9B0180000 C:\Windows\System32\FirewallAPI.dll
DLL Loaded: 00007FF9B09B0000 C:\Windows\System32\dnsapi.dll
DLL Loaded: 00007FF9B3680000 C:\Windows\System32\nsi.dll
INT3 breakpoint at <ntdll.ZwDeviceIoControlFile> (00007FF9B3FAD0E0)!
INT3 breakpoint at <ntdll.ZwDeviceIoControlFile> (00007FF9B3FAD0E0)!

(6) At this point the port forward is not written to the registry yet, nor is the svchost process spawned.

Checking these things in PE-bear is a mess. Let's focus back on the registry and svchost stuff. I don't know anything about svchost except COM and RPC, so 💀. However, if the registry key is being written, the string's gotta be somewhere.
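The two observable side effects noted above (a persisted registry entry plus an svchost.exe listener on the listen port) are exactly what a defender can check for. The PowerShell below is an added example, not part of the original notes or of netsh itself. It assumes (the notes never name the path) that Windows persists portproxy rules under HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\<kind>\tcp, with each value named "listenaddress/listenport" and its data "connectaddress/connectport"; it then pairs every persisted rule with whatever process currently owns a listening socket on that port.

```powershell
# Added example: enumerate persisted netsh portproxy rules and correlate each one
# with the live TCP listener on its listen port. Not code from the original notes.
# Assumption (not stated on the page): portproxy rules are stored under
#   HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\<v4tov4|v4tov6|v6tov4|v6tov6>\tcp
# as values named "<listenaddress>/<listenport>" with data "<connectaddress>/<connectport>".

function Get-PortProxyRule {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path $base)) { return @() }   # no rules ever persisted on this host

    Get-ChildItem -Path $base | ForEach-Object {
        $kind = $_.PSChildName                    # e.g. v4tov4
        $tcp  = Join-Path $_.PSPath 'tcp'
        if (-not (Test-Path $tcp)) { return }

        $props = Get-ItemProperty -Path $tcp
        # Only keep real rule values; skip the PSPath/PSProvider noise Get-ItemProperty adds.
        foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -match '^.+/\d+$' })) {
            $listen,  $lport = $entry.Name -split '/', 2
            $connect, $cport = ([string]$entry.Value) -split '/', 2
            [pscustomobject]@{
                Kind           = $kind
                ListenAddress  = $listen
                ListenPort     = [int]$lport
                ConnectAddress = $connect
                ConnectPort    = [int]$cport
            }
        }
    }
}

function Get-PortProxyListener {
    # Pair each persisted rule with the process that currently listens on its listen port.
    # The notes observed this to be an svchost.exe instance; a rule with no listener, or a
    # listener owned by something else, is the interesting case for an analyst.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue

    foreach ($rule in Get-PortProxyRule) {
        $match = $listeners |
            Where-Object { $_.LocalPort -eq $rule.ListenPort } |
            Select-Object -First 1
        $proc = if ($match) { Get-Process -Id $match.OwningProcess -ErrorAction SilentlyContinue }

        [pscustomobject]@{
            Rule        = "$($rule.Kind) $($rule.ListenAddress):$($rule.ListenPort) -> $($rule.ConnectAddress):$($rule.ConnectPort)"
            Listening   = [bool]$match
            OwningPid   = if ($match) { $match.OwningProcess } else { $null }
            OwningImage = if ($proc)  { $proc.ProcessName }    else { $null }
        }
    }
}

# Usage (run elevated so the registry hive and all sockets are readable):
Get-PortProxyListener | Format-Table -AutoSize
```

On a host with the rule from the top of these notes applied, this prints one row for "v4tov4 0.0.0.0:3389 -> 192.168.100.101:3389" with Listening set to True and the owning image svchost; a row whose listener is missing, or owned by a different image, is worth a closer look. Comparing the output against "netsh interface portproxy show all" is a cheap way to confirm the registry view and the tool's own view agree.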