As you all know, pivoting is a method that basically consists of using a system under our control as a gateway to attack other systems and networks, thus avoiding restrictions such as the rules of an intermediate firewall. We could divide this technique into two big types:
- Proxy pivoting: traffic is channeled through a payload on the host through which we pivot. It is limited to certain TCP and UDP ports.
- VPN pivoting: an encrypted tunnel is created to the host through which we pivot and all network traffic is routed through it, for example to run a vulnerability scan against other hosts on its network or on other networks it can reach.
In my case, for versatility, I need this second technique. I could use the Pro version of Metasploit or Cobalt Strike, which are excellent tools for VPN pivoting, but they are also paid products, so for budget reasons I choose OpenVPN.
Imagine a topology with a Nagios monitoring server in the DMZ which, by its nature, also has access to other network segments. I have the root user and already access the console via SSH. In addition, the internal firewall lets me reach other ports on the server.
If I perform a scan from my laptop I get the following results:
Nmap scan report for 192.168.2.50
Host is up (0.00s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp closed telnet
80/tcp open http
113/tcp closed ident
161/tcp closed snmp
1060/tcp open polestar
2869/tcp open icslap
8080/tcp open http-proxy
8100/tcp open xprint-server
I could set up a tunnel directly over SSH, but it would be very easy to screw up and lose the connection to the remote server, and I would not want to have to call the system administrator several times to restart the server ¬_¬ ... So I will use another open port, for example telnet (why the fuck is the telnet port open?).
I'll start by installing OpenVPN. The server is Ubuntu so this is pretty trivial:
apt-get install openvpn
OpenVPN has two modes of operation: one based on static pre-shared keys and another based on SSL/TLS using certificates and RSA keys. Although it is not as secure, I will use the first one for simplicity. I then generate the static key:
openvpn --genkey --secret secret.key
This key is symmetric, so both the server and the client must have it; after generating it I copy it to my laptop using SCP (with WinSCP, since my OS is Windows 7) and guard it like gold... I don't need to tell you what would happen if a third party got hold of it, do I?
The goal, then, is to create a point-to-point VPN tunnel between the virtual interfaces (tun0) of the server and my laptop, with a private IP at each end: 10.8.0.1 on the server side and 10.8.0.2 on the client side. In p2p mode (the default), a peer-to-peer topology is established in which the remote virtual IP of the client's tun interface always points to the local virtual IP of the server's tun interface.
I create the file /etc/openvpn/server.conf with the following configuration:
dev tun
proto tcp-server
port 23
secret /etc/openvpn/secret.key
ifconfig 10.8.0.1 10.8.0.2
keepalive 10 60
As you can see, all communications between the two endpoints will be encrypted and will go over port 23/TCP, since telnet is allowed by the internal firewall, which will let the tunnel traffic "flow" as if nothing were going on...
Let us not forget that it is necessary to enable packet forwarding on the server:
echo 1 > /proc/sys/net/ipv4/ip_forward
I also have to masquerade my address so that return traffic finds its way back: the networks I am going to access have no route back to the tunnel IP, but they do not need one if my packets leave with the server's real private IP. Besides, it gives me a certain anonymity:
iptables -t nat -A POSTROUTING -s 10.8.0.2 -o eth0 -j MASQUERADE
Finally, since I will only bring the tunnel up on demand, I remove all the startup scripts:
update-rc.d -f openvpn remove
And with this I have finished configuring the server. I can start the OpenVPN service with the command 'openvpn --config /etc/openvpn/server.conf &' or create a quick and dirty script like the following:
#!/bin/sh
case "$1" in
  start)
    /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
    /usr/sbin/openvpn --config /etc/openvpn/server.conf &
    /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.2 -o eth0 -j MASQUERADE
    ;;
  stop)
    pkill -f '/usr/sbin/openvpn --config /etc/openvpn/server.conf'
    /bin/echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    ;;
  *) echo "Usage: ovpn start|stop" ;;
esac
As you can see, bringing up the tunnel also brings up the virtual device:
ps -ef | grep openvpn
root 5976 1 0 12:39 ? 00:00:01 /usr/sbin/openvpn --config /etc/openvpn/server.conf
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:9523 errors:0 dropped:0 overruns:0 frame:0
TX packets:10414 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:1156752 (1.1 MB) TX bytes:4833017 (4.8 MB)
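From the other side of the table, the two things this setup leaves on the server are a daemon bound to a port the internal firewall already permits (OpenVPN answering on 23/tcp instead of telnetd) and a point-to-point tun interface with forwarding switched on. The following is an added example, not code from the original post: a small audit that parses `ss -ltnp` and `ip -o link` output (the sample output below is constructed) and reports both conditions.

```python
"""Audit a host for a tunnel endpoint hiding behind a firewall-permitted port.

Added example (not from the original post). Sample command output is constructed.
"""
import re

# Daemons normally expected behind ports an internal firewall lets through (assumption).
EXPECTED = {22: {"sshd"}, 23: {"telnetd", "in.telnetd", "inetd", "xinetd"},
            80: {"apache2", "httpd", "nginx"}}

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:23         0.0.0.0:*         users:(("openvpn",pid=5976,fd=5))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=1201,fd=4))
"""
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
"""
IP_FORWARD_SAMPLE = "1\n"  # contents of /proc/sys/net/ipv4/ip_forward

SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')
LINK_RE = re.compile(r'^\d+:\s+(\S+?):\s+<([^>]*)>')

def unexpected_listeners(ss_output, expected=EXPECTED):
    """Return (port, process, pid) for well-known ports bound by an unexpected daemon."""
    found = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if m and int(m.group(1)) in expected and m.group(2) not in expected[int(m.group(1))]:
            found.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return found

def p2p_interfaces(ip_link_output):
    """Return names of interfaces flagged POINTOPOINT (tun-style tunnel endpoints)."""
    return [m.group(1) for m in map(LINK_RE.match, ip_link_output.splitlines())
            if m and "POINTOPOINT" in m.group(2).split(",")]

def audit(ss_output, ip_link_output, ip_forward):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"port {p}/tcp is served by {proc} (pid {pid}), not the expected daemon"
                for p, proc, pid in unexpected_listeners(ss_output)]
    tuns = p2p_interfaces(ip_link_output)
    if tuns and ip_forward.strip() == "1":
        findings.append(f"forwarding is on and tunnel interface(s) exist: {', '.join(tuns)}")
    return findings
```

On a live Ubuntu host, feed it the real output of `ss -ltnp`, `ip -o link` and the contents of /proc/sys/net/ipv4/ip_forward; a finding on a port the firewall allows is worth a look even when the process name seems harmless.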
Now I only have to configure the OpenVPN client on my laptop. To do this I create the file pivoting.ovpn in C:\Program Files (x86)\OpenVPN\config with the following configuration:
dev tun
proto tcp-client
remote 192.168.2.50 23
ifconfig 10.8.0.2 10.8.0.1
secret "C:\\Program Files (x86)\\OpenVPN\\config\\secret.key"
dhcp-option DNS 192.168.2.36
route 192.168.3.0 255.255.255.0 10.8.0.1
Note that I add a DNS server of my choice and a route to the server network (192.168.3.0/24) so that my Windows client routes the packets correctly.
Finally, I check that I can reach the tunnel's virtual interface and a host on the server VLAN:
C:\Users\vmotos> ping -n 1 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Response from 10.8.0.1: bytes = 32 time = 1ms TTL = 64
Statistics of ping to 10.8.0.1:
Packages: sent = 1, received = 1, lost = 0
Approximate round trip times in milliseconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\Users\mado> tracert 192.168.3.12
Tracing route to 10.20.16.12 over a maximum of 30 hops.
1 1 ms 1 ms 1 ms SERVER 10.8.0.1
2 6 ms 2 ms 2 ms 192.168.2.1
3 2 ms 2 ms 2 ms 192.168.3.12
And that's it! I am already pivoting through the monitoring server through the VPN tunnel.
Note that the server in this example is legitimately managed. If we compromise a server, obtain root access and want to use OpenVPN for VPN pivoting, we would also have to think about using a rootkit or other techniques to hide at least the virtual interface and the process.