As you all know, pivoting is a technique that basically consists of using a system under our control as a gateway to reach other systems and networks, thereby bypassing restrictions such as the rules of an intermediate firewall. We can divide it into two broad types:
- Proxy pivoting: traffic is channelled through a payload running on the host we pivot through. It is limited to specific TCP and UDP ports.
- VPN pivoting: an encrypted tunnel is created to the host we pivot through and all network traffic is routed over it, for example to run a vulnerability scan against other hosts in its network or in other networks it can reach.
In my case, for versatility, I need the latter. I could use Metasploit Pro or Cobalt Strike, which are excellent tools for VPN pivoting, but they are also paid products, so on a budget I choose OpenVPN.
Imagine a topology with a Nagios monitoring server in the DMZ which, by its nature, also has access to other network segments. I have root on it and already reach its console over SSH. In addition, the internal firewall lets me reach other ports on the server.
If I perform a scan from my laptop I get the following results:
Code
Nmap scan report for 192.168.2.50
Host is up (0.00s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
113/tcp closed ident
161/tcp closed snmp
1060/tcp open polestar
2869/tcp open icslap
8080/tcp open http-proxy
8100/tcp open xprint-server
I could set up a tunnel directly over SSH, but it would be very easy to mess something up and lose the connection to the remote server, and I would not want to have to call the system administrator several times to reboot the server ¬_¬ ... So I will use another port that the firewall lets through, for example telnet (why the fuck is the telnet port open?).
I'll start by installing OpenVPN. The server is Ubuntu so this is pretty trivial:
Code
apt-get install openvpn
OpenVPN has two modes of operation, one based on static pre-shared keys and another on SSL/TLS using certificates and RSA keys. Although it is less secure, I will use the first one for simplicity. I then generate the shared key:
Code
openvpn --genkey --secret secret.key
This key is symmetric, so both the server and the client must have it: after generating it I copy it to my laptop with SCP (WinSCP, since my OS is Windows 7) and guard it like gold... I don't need to tell you what would happen if a third party got hold of it, do I?
The goal then is to create a point-to-point VPN tunnel between the virtual interfaces (tun0) of the server and my laptop, with a private IP at each end: 10.8.0.1 on the server side and 10.8.0.2 on the client side. With the p2p mode (the default), a peer-to-peer topology is established in which the virtual IP address of the client's tun interface always points to the local virtual IP address of the server's tun interface.
I create the file /etc/openvpn/server.conf with the following configuration:
Code
mode p2p
dev tun
port 23
proto tcp-server
ifconfig 10.8.0.1 10.8.0.2
secret secret.key
;user nobody
;group nobody
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
comp-lzo
As you can see, all communication between the two endpoints will be encrypted and will travel over port 23/TCP: since telnet is allowed by the internal firewall, the tunnel traffic will "flow" through it as if nothing were happening...
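As an added example (not code from the original post), here is a small shell lint for an OpenVPN server configuration like the one above. It flags the two weaker choices the post itself acknowledges, the static pre-shared key instead of TLS and the user/group privilege drop left commented out, plus a non-default port, and it checks the shared key's file mode. The two sample configurations are constructed inline; the expectation that a production config uses TLS, drops privileges and sits on 1194 is this example's assumption, not an OpenVPN rule.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN server config
# for the weaker choices the post itself points out. Expectations below
# (TLS instead of a static key, privilege drop present, default port 1194)
# are this example's assumptions, not OpenVPN rules.

# Constructed copy of the post's server.conf
SAMPLE_CONF='mode p2p
dev tun
port 23
proto tcp-server
ifconfig 10.8.0.1 10.8.0.2
secret secret.key
;user nobody
;group nobody
keepalive 10 60
persist-tun
persist-key
comp-lzo'

# Constructed TLS-mode config with the privilege drop enabled, for comparison
HARDENED_CONF='dev tun
port 1194
proto udp
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh.pem
user nobody
group nogroup
persist-tun
persist-key'

# Read an OpenVPN config on stdin and print one finding per line.
# Lines beginning with ';' or '#' are comments in OpenVPN syntax, so a
# commented-out "user" directive is simply not seen as "user".
lint_config() {
    awk '
    $1 == "secret"                            { has_secret = 1 }
    $1 == "tls-server" || $1 == "tls-client"  { has_tls = 1 }
    $1 == "user"                              { has_user = 1 }
    $1 == "group"                             { has_group = 1 }
    $1 == "port"                              { port = $2 }
    END {
        if (has_secret && !has_tls)
            print "static-key mode: one shared secret, no forward secrecy"
        if (!has_user)
            print "no active user directive: daemon keeps running as root"
        if (!has_group)
            print "no active group directive: daemon keeps the root group"
        if (port != "" && port != 1194)
            print "non-default port " port ": confirm it matches the intended firewall policy"
    }'
}

# $1 is an octal mode as printed by GNU `stat -c %a`; succeed only when the
# group and other permission bits are all clear (e.g. 600 or 400).
key_mode_ok() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

main() {
    echo "findings for the post's server.conf:"
    printf '%s\n' "$SAMPLE_CONF" | lint_config
    echo "findings for the TLS config with privilege drop:"
    printf '%s\n' "$HARDENED_CONF" | lint_config
    # on the real server (GNU stat), check the shared key's mode as well:
    # key_mode_ok "$(stat -c %a /etc/openvpn/secret.key)" || echo "secret.key is readable by others"
}
main
```

Run against the post's configuration the lint reports four findings; against the TLS configuration with the privilege drop enabled it reports none. The key-mode check is separate because it needs the live file, not the config text.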
Let us not forget that it is necessary to enable packet forwarding on the server:
Code
echo 1 > /proc/sys/net/ipv4/ip_forward
I also need to masquerade my IP address so that return traffic works, because the networks I will access have no route back to the tunnel address (10.8.0.2) if I use it directly as the source. As a bonus, it gives me a certain anonymity:
Code
iptables -t nat -A POSTROUTING -s 10.8.0.2 -o eth0 -j MASQUERADE
Finally, I will only activate the tunnel on demand so I delete all the startup scripts:
Code
update-rc.d -f openvpn remove
And with this I have finished configuring the server. I can start the OpenVPN service with 'openvpn --config /etc/openvpn/server.conf &' or write a quick-and-dirty script like the following:
Code
#! /bin/sh
# Quick start/stop script for the on-demand tunnel: "ovpn start" / "ovpn stop"
case "$1" in
    start)
        # enable forwarding so the server relays traffic for the tunnel peer
        /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
        /usr/sbin/openvpn --config /etc/openvpn/server.conf &
        # masquerade the client's tunnel address behind the server's eth0 address
        /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.2 -o eth0 -j MASQUERADE
        ;;
    stop)
        /bin/echo 0 > /proc/sys/net/ipv4/ip_forward
        /usr/bin/killall openvpn
        # note: this flushes and deletes every rule and chain in the nat table, not only ours
        /sbin/iptables -t nat -F
        /sbin/iptables -t nat -X
        ;;
    *)
        echo "Usage: ovpn start|stop"
        exit 1
        ;;
esac
As you can see, when the tunnel is brought up the virtual device comes up with it:
Code
ps -ef | grep openvpn
root 5976 1 0 12:39 ? 00:00:01 /usr/sbin/openvpn --config /etc/openvpn/server.conf
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:9523 errors:0 dropped:0 overruns:0 frame:0
TX packets:10414 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1156752 (1.1 MB) TX bytes:4833017 (4.8 MB)
Now I only have to configure the OpenVPN client on my laptop. To do this I create the file pivoting.ovpn in C:\Program Files (x86)\OpenVPN\config with the following configuration:
Code
mode p2p
remote 192.168.2.50
dev tun
port 23
proto tcp-client
ifconfig 10.8.0.2 10.8.0.1
secret "C:\\Program Files (x86)\\OpenVPN\\config\\secret.key"
comp-lzo
dhcp-option DNS 192.168.2.36
route-metric 15
route 192.168.3.0 255.255.255.0 10.8.0.1
verb
Note that I add a DNS server of my choice and a route to the server network (192.168.3.0/24) so that my Windows client routes the packets correctly.
Finally I check that I can reach the tunnel's virtual interface and a host in the server VLAN:
Code
C:\Users\vmotos> ping -n 1 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=1ms TTL=64
Ping statistics for 10.8.0.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\Users\mado> tracert 192.168.3.12
Tracing route to 10.20.16.12 over a maximum of 30 hops:
1 1 ms 1 ms 1 ms SERVER 10.8.0.1
2 6 ms 2 ms 2 ms 192.168.2.1
3 2 ms 2 ms 2 ms 192.168.3.12
Trace complete.
And that's it! I am already pivoting through the monitoring server through the VPN tunnel.
Note that the server in this example is legitimately managed. If we compromise a server, obtain root access and want to use OpenVPN for VPN pivoting, we must also think about using a rootkit or other techniques to hide at least the virtual interface and the process.
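From the defender's side, the tunnel built in this post leaves visible traces on the pivot host: an unexpected tun interface, a process bound to a port that does not belong to it (OpenVPN answering on 23/tcp), IPv4 forwarding switched on and a MASQUERADE rule in the nat table. The following shell script is an added example, not part of the original post, that looks for exactly those indicators. The three sample inputs are constructed to resemble the output of ip -o link show, ss -tlnp (header removed) and iptables -t nat -S; on a real host you would pipe the live output of those commands in instead, and the port-to-daemon expectation table is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): look for the traces a VPN
# pivot like the one above leaves on the host. The three samples are
# constructed to resemble `ip -o link show`, `ss -tlnp` (header removed)
# and `iptables -t nat -S`; feed the live command output on a real host.

SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN'

SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("openvpn",pid=5976,fd=5))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=900,fd=4))'

SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.2/32 -o eth0 -j MASQUERADE'

# Print the names of tunnel interfaces (tunN/tapN) from `ip -o link` output
# on stdin; on a monitoring host with no VPN role, any hit is worth a look.
find_tunnel_ifaces() {
    awk -F': ' '$2 ~ /^(tun|tap)[0-9]+$/ { print $2 }'
}

# Print "port process" for listeners whose process is not the daemon normally
# expected on that port. The expectation table is an assumption of this
# example; extend it with the services your baseline actually allows.
find_port_mismatches() {
    awk '
    BEGIN { expect[22] = "sshd"; expect[23] = "telnetd"; expect[80] = "apache2" }
    {
        n = split($4, a, ":"); port = a[n]          # local port from addr:port
        if (match($0, /"[^"]+"/)) {                 # first quoted process name
            proc = substr($0, RSTART + 1, RLENGTH - 2)
            if (port in expect && expect[port] != proc) print port, proc
        }
    }'
}

# Succeed when IPv4 forwarding is on AND a MASQUERADE rule exists: the pair
# a pivot host needs to relay traffic for its tunnel peer.
is_relaying() {
    fwd="$1"        # contents of /proc/sys/net/ipv4/ip_forward
    nat_rules="$2"  # output of `iptables -t nat -S`
    [ "$fwd" = "1" ] && printf '%s\n' "$nat_rules" | grep -q -- '-j MASQUERADE'
}

main() {
    echo "tunnel interfaces:"
    printf '%s\n' "$SAMPLE_LINKS" | find_tunnel_ifaces
    echo "listeners not matching the expected daemon:"
    printf '%s\n' "$SAMPLE_LISTEN" | find_port_mismatches
    if is_relaying 1 "$SAMPLE_NAT"; then
        echo "forwarding + masquerade enabled: host can relay for a tunnel peer"
    fi
    # live host: ip -o link show | find_tunnel_ifaces ; ss -tlnp | find_port_mismatches
}
main
```

None of the three indicators is conclusive on its own (a legitimate VPN endpoint shows all of them), which is why the script reports them separately; the combination on a host that should only be running Nagios is what an on-call analyst would escalate. Hiding the interface and process, as the note above mentions, would defeat the first two checks but not the nat rule or the forwarding flag, which are worth baselining independently.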
Greetings.....
8 Responses
Hey there.
Your tutorials are greatly appreciated, but could you please start posting them in the how-tos section where they will be easier to find for the people who are looking for them?
I'm not an admin or anything by any means, and I'm not trying to act like one.
It's just that I think this section is for people wanting to start discussions or seek advice.
People needing help are losing out because their posts are becoming a lot less accessible for the people who may be able to assist them, is all.
Again, thank you for sharing your knowledge and experience with us, much appreciated. Keep up the good work!
Thank you very much, I appreciate your response to my posts.
But can you give me instructions on how to post in the how-to section?
I tried before but it was useless.
Hey, I've been trying to contact you about getting your posts featured. Message us on Twitter with an email and we'll get in touch https://twitter.com/NullByteWht
Hello sir,
Sorry for being late to respond, but I was busy. I apologize to you.
I have already followed you on Twitter; my account name is Astra 201
https://twitter.com/Astra_201
and you can contact me on this mail.
Thanks again for your response.
You called?
I actually sent Mohamed an email about this, we're going to try to get them featured.
As far as I understand, you go to the hamburger menu in the top right.
Select my writing.
Where it says "start a new", select how-to.
But if you said you tried, then I'm sure that's what you have been doing lol.
This article should help.
Although I just reread it myself and it seems it may automatically be putting your posts in the forums section anyway lol.
From what I understood from it, an admin will have to put them in the "real" how-to section. Kind of unusual, don't ya think?
If that's the case please accept my sincere apologies and just keep doing what you're doing lol.. I certainly wasn't trying to discourage you in any way.
Again, keep up the great work!
You are correct. NB is growing and changing, for now since NB as a whole is getting some cool partners and access to exciting stuff based on keeping everything up to AP style guidelines so it's super-readable, has screen shots, and is accessible for beginners. It's pretty hard to do that, so I've been working with a smaller team to get that done.
But, posts like these provide real value, so I've been watching them closely. I've got an idea for how to feature them on the main site, but I'll need some help from the community. I just need to work with community writers to help organize their posts to look a little more professional so we can promote them!
Your post that I mentioned above cleared things up for me, I had just misunderstood. My bad.
As I mentioned before, all the questions and discussions I like to read were getting pushed out of my notifications by how-tos lol. I like to troubleshoot, and reading about other people's problems helps me be able to fix any I may encounter in the future.
Perfectly understandable though, I realise why it's important for you to make sure the posts are legible and, more importantly, accurate before they're featured. Honestly that's a practice you don't see all that often when you're searching around the web for good instructions that actually work lol.