As you all know, pivoting is a technique that basically consists of using a system under our control as a gateway to reach other systems and networks, thereby bypassing restrictions such as the rules of an intermediate firewall. We could divide it into two broad types:
- Proxy pivoting: traffic is channelled through a payload running on the computer we pivot through. It is limited to certain TCP and UDP ports.
- VPN pivoting: an encrypted tunnel is created to the computer we pivot through and all network traffic is routed over it, for example to run a vulnerability scan against other computers on its network or on other networks it can reach.
In my case, for versatility, I need the latter. I could use Metasploit Pro or Cobalt Strike, which are excellent tools for VPN pivoting, but they are also paid products, so on budget grounds I choose OpenVPN.
Imagine a topology with a Nagios monitoring server in the DMZ which, by its nature, also has access to other network segments. I have the root user and already reach its console via SSH. In addition, the internal firewall lets me reach other ports on the server.
If I perform a scan from my laptop I get the following results:
Code
Nmap scan report for 192.168.2.50
Host is up (0.00s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
113/tcp closed ident
161/tcp closed snmp
1060/tcp open polestar
2869/tcp open icslap
8080/tcp open http-proxy
8100/tcp open xprint-server
I could mount a tunnel directly over SSH, but it would be very easy to screw up and lose the connection to the remote server, and I would not want to have to call the system administrator several times to restart it ¬_¬ ... So I will use another port that the firewall lets through, for example telnet: 23/tcp shows as closed rather than filtered, so the firewall is passing it (why the fuck is the telnet port open?).
I'll start by installing OpenVPN. The server is Ubuntu so this is pretty trivial:
Code
apt-get install openvpn
OpenVPN has two modes of operation, one based on static pre-shared keys and another on SSL/TLS using certificates and RSA keys. Although it is not as secure, I will use the first one for simplicity. I then generate the shared secret key:
Code
openvpn --genkey --secret secret.key
This key is symmetric, so both the server and the client must have it; after generating it I copy it to my laptop with SCP (using WinSCP, since my OS is Windows 7) and guard it like gold... I don't need to tell you what would happen if a third party got hold of it, do I?
The goal then is to create a point-to-point VPN tunnel established between the virtual interfaces (tun0) of the server and my laptop, with a private IP at each end: 10.8.0.1 on the server side and 10.8.0.2 on the client side. In p2p mode (the default), a peer-to-peer topology is set up in which the remote virtual IP of the client's tun interface always points to the local virtual IP of the server's tun interface.
I create the file /etc/openvpn/server.conf with the following configuration:
Code
mode p2p
dev tun
port 23
proto tcp-server
ifconfig 10.8.0.1 10.8.0.2
# absolute path, so the key is found regardless of the directory openvpn is started from
secret /etc/openvpn/secret.key
;user nobody
;group nobody
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
comp-lzo
As you can see, all communications between the two points will be encrypted and will go over port 23/TCP; since telnet is allowed through the internal firewall, the tunnel traffic will "flow" through it as if nothing were happening...
Let us not forget that packet forwarding must be enabled on the server:
Code
echo 1 > /proc/sys/net/ipv4/ip_forward
Nor must I forget to masquerade my IP address to allow return traffic, since the networks I will access need not know the route back if I use my real private IP. Well, and it gives me a certain anonymity:
Code
iptables -t nat -A POSTROUTING -s 10.8.0.2 -o eth0 -j MASQUERADE
Finally, since I will only activate the tunnel on demand, I remove all its startup scripts:
Code
update-rc.d -f openvpn remove
And with this I have finished configuring the server. I can start the OpenVPN service with the command 'openvpn --config /etc/openvpn/server.conf &' or create a throwaway script like the following:
Code
#! /bin/sh
# Quick start/stop wrapper for the tunnel (run as root)
case "$1" in
start)
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
/usr/sbin/openvpn --config /etc/openvpn/server.conf &
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.2 -o eth0 -j MASQUERADE
;;
stop)
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward
/usr/bin/killall openvpn
# note: this flushes and deletes every rule and chain in the nat table, not only the one added above
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
;;
*)
echo "Usage: ovpn start|stop"
exit 1
;;
esac
As you can see, when the tunnel comes up so does the virtual device:
Code
ps -ef | grep openvpn
root 5976 1 0 12:39 ? 00:00:01 /usr/sbin/openvpn --config /etc/openvpn/server.conf
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:9523 errors:0 dropped:0 overruns:0 frame:0
TX packets:10414 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1156752 (1.1 MB) TX bytes:4833017 (4.8 MB)
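The artefacts just shown (an openvpn process, a tun interface, ip_forward set to 1, a MASQUERADE rule in the nat table, and a daemon other than telnetd bound to 23/tcp) are exactly what a host audit on the pivot server can look for. The following shell script is an added example, not part of the original post: it runs each check over constructed text snapshots modelled on the output above (the sample ps, ip link, sysctl, iptables-save and ss lines are made up), so it works offline, and all function names are my own. Replacing the sample strings with live output from those commands turns it into a real audit.

```shell
#!/bin/sh
# Added example: audit a host for the artefacts of a point-to-point tunnel.
# Each check returns 0 when the indicator is present and 1 when it is absent.

# --- constructed sample snapshots (modelled on the output shown above) ---
SAMPLE_PS='root      5976     1  0 12:39 ?  00:00:01 /usr/sbin/openvpn --config /etc/openvpn/server.conf
nagios    1201     1  0 09:12 ?  00:00:10 /usr/sbin/nagios -d /etc/nagios/nagios.cfg'

SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500'

SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'

SAMPLE_NAT='*nat
-A POSTROUTING -s 10.8.0.2/32 -o eth0 -j MASQUERADE
COMMIT'

# ss -tlnp style lines: state, queues, local address:port, peer, owning process
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:23   0.0.0.0:* users:(("openvpn",pid=5976,fd=5))
LISTEN 0 128 0.0.0.0:80   0.0.0.0:* users:(("apache2",pid=990,fd=4))'

check_vpn_process() {   # $1: ps -ef output
    printf '%s\n' "$1" | grep -Eq '(^|/)openvpn( |$)'
}

check_tun_interface() { # $1: ip -o link output
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: tun[0-9]+:'
}

check_ip_forward() {    # $1: sysctl net.ipv4.ip_forward output
    printf '%s\n' "$1" | grep -Eq 'ip_forward *= *1$'
}

check_masquerade() {    # $1: iptables-save -t nat output
    printf '%s\n' "$1" | grep -Eq '^-A POSTROUTING .*-j MASQUERADE'
}

# Flags a listener on a given port whose owning process is not the daemon
# normally expected there (here: 23/tcp owned by openvpn rather than telnetd).
check_port_mismatch() { # $1: ss -tlnp output  $2: port  $3: expected process name
    printf '%s\n' "$1" | awk -v port="$2" -v want="$3" '
        $4 ~ (":" port "$") {
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
                if (proc != want) {
                    print "FINDING: port " port " owned by " proc " (expected " want ")"
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Runs every check; the return value is the number of indicators found (0 = clean).
audit_host() { # $1 ps  $2 links  $3 sysctl  $4 nat  $5 ss
    n=0
    check_vpn_process "$1"   && { echo "FINDING: openvpn process running"; n=$((n+1)); }
    check_tun_interface "$2" && { echo "FINDING: tun interface present"; n=$((n+1)); }
    check_ip_forward "$3"    && { echo "FINDING: ip_forward enabled on a non-router"; n=$((n+1)); }
    check_masquerade "$4"    && { echo "FINDING: MASQUERADE rule in nat POSTROUTING"; n=$((n+1)); }
    check_port_mismatch "$5" 23 telnetd && n=$((n+1))
    return "$n"
}

if audit_host "$SAMPLE_PS" "$SAMPLE_LINKS" "$SAMPLE_SYSCTL" "$SAMPLE_NAT" "$SAMPLE_SS"; then
    echo "no tunnel indicators found"
else
    echo "tunnel indicators found: $?"
fi
```

The port check is the one worth generalising: a firewall rule that permits "telnet" really permits anything bound to 23/tcp, so comparing the process behind each allowed port with the service the rule was written for is a cheap way to catch this class of tunnel, whichever port it uses.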
Now I only have to configure the OpenVPN client on my laptop. To do this I create the file pivoting.ovpn in C:\Program Files (x86)\OpenVPN\config with the following configuration:
Code
mode p2p
remote 192.168.2.50
dev tun
port 23
proto tcp-client
ifconfig 10.8.0.2 10.8.0.1
secret "C:\\Program Files (x86)\\OpenVPN\\config\\secret.key"
comp-lzo
dhcp-option DNS 192.168.2.36
route-metric 15
route 192.168.3.0 255.255.255.0 10.8.0.1
verb 3
Note that I add a DNS server of my choice and the route to the server network (192.168.3.0/24) so that my Windows client routes the packets properly.
To finish, I check that I can reach the virtual interface at the far end of the tunnel and a computer on the server VLAN:
Code
C:\Users\vmotos> ping -n 1 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Response from 10.8.0.1: bytes = 32 time = 1ms TTL = 64
Statistics of ping to 10.8.0.1:
Packages: sent = 1, received = 1, lost = 0
(0% lost),
Approximate round trip times in milliseconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\Users\mado> tracert 192.168.3.12
Draw at 10.20.16.12 on paths with a maximum of 30 jumps.
1 1 ms 1 ms 1 ms SERVER 10.8.0.1
2 6 ms 2 ms 2 ms 192.168.2.1
3 2 ms 2 ms 2 ms 192.168.3.12
Full trace.
And that's it! I am now pivoting through the monitoring server via the VPN tunnel.
Note that the server in this example is legitimately managed. If we compromise a server, obtain root access and want to use OpenVPN for VPN pivoting, we must also think about using a rootkit or other techniques to hide at least the virtual interface and the process.
Regards.....