Thursday, 13 August 2015

Hide your ass: Hide by MAC address and internal routing

Scenario: if you have connected your piVPN/Raspberry Pi to a network, it will be visible during the IT admin's network scan.
So what if you want to hide the box from him and his sniffing?
Of course there is a reason why it should not be on the network in the first place, and placing such a device on any corporate network without authorization is probably illegal in all countries.
So please only use this method for training and authorized penetration testing at home.
All software I mention in the text is preinstalled on my downloadable pivpn image here (dropbox) or here (direct http).
It is just a Raspbian Wheezy image dated 05.05.2015 with some extra software, and the installation procedure is the same as for Raspbian.
You will need a minimum 4GB SD card and an RPi2 to install the image.
Username and password are root/toor.
But you could really install all the needed software on anything running Linux.

So on an office network we have installed a Raspberry Pi with SEVPNServer, xrdp and ssh.

The pivpn box is connected to the remote network with a network cable on eth0, getting an IP address from the office network's DHCPd.
From home (using SEVPNClient) we are able to connect to the office network, get an IP address from the office DHCPd and then access all information on the office subnet from our device as if we were connected by a virtual ethernet cable.

The auto generated name is

A quick nmap scan from the IT admin's PC will show something like this:

Nmap scan report for pivpn.workgroup (
Host is up (0.0073s latency).
Not shown: 97 closed ports
22/tcp   open  ssh
443/tcp  open  https
3389/tcp open  ms-wbt-server

MAC Address: B8:27:EB:DA:87:FF (Raspberry Pi Foundation)

There are a few things here that the admin will react to:

1) What is an unauthorized Raspberry Pi doing in my environment?
2) Why are those ports open (22, 443, 3389) in the first place?
3) How come a Linux box is listening on port 3389? (This would maybe be OK, and slip by, if it was a Windows machine, but not on a Linux host.)
4) Why is it running https and ssh? Is it a web server of some kind?

In general, at this point, all IT admins would start to trace down the box.

So here are some basic things that you could do to try to hide your box:

Change the MAC address

1) Run the macchanger application to change the mac address of your box.
Here you should be a little creative. The MAC address should reflect a device that the network admin would expect to be on the network. It could be a DAB internet radio MAC or a Cisco address; if you are connected by wireless, an iPhone MAC would be good.
Your choice.
You could find a list of vendor MAC ranges on:

For this example, all other PCs in the current environment are HPs.
A typical HP machine could have a MAC address of something like this(coffer):

Also, if they have a naming convention for the device you are imitating, change the hostname of the device by changing the name in these files:
vi /etc/hostname
vi /etc/hosts
to something that makes sense like (WSHQ156, myiphone5, SwitchHQ2floor3)

We can change our MAC address by running macchanger. Never use an address that is already in use on the network.

Usage: macchanger [options] device

  -h,  --help                   Print this help
  -V,  --version                Print version and exit
  -s,  --show                   Print the MAC address and exit
  -e,  --ending                Don't change the vendor bytes
  -a,  --another                Set random vendor MAC of the same kind
  -A                            Set random vendor MAC of any kind
  -p,  --permanent              Reset to original, permanent hardware MAC
  -r,  --random                 Set fully random MAC
  -l,  --list[=keyword]         Print known vendors
  -m,  --mac=XX:XX:XX:XX:XX:XX
       --mac XX:XX:XX:XX:XX:XX  Set the MAC XX:XX:XX:XX:XX:XX

Make sure the interface eth0 is down:
/sbin/ifconfig eth0 down
macchanger --mac 00:22:64:B9:41:EB eth0

If you are online, create a simple script:

#! /bin/bash
/sbin/ifconfig eth0 down
/usr/bin/macchanger --mac 00:22:64:B9:41:EB eth0
/sbin/ifconfig eth0 up

and run it.

Note that the interface will get a different IP address if you are on a DHCP server, and you will need to figure out that address to reconnect over the LAN.

Now the IT admin wants to do an nmap "quick scan plus" to gain some information:

Nmap scan report for pivpn.workgroup (
Host is up (0.00052s latency).
Not shown: 97 closed ports
22/tcp   open  ssh           OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
443/tcp  open  ssl/http      SoftEther VPN httpd
3389/tcp open  ms-wbt-server xrdp
MAC Address: 00:22:64:B9:41:EB (Hewlett-Packard Company)
No exact OS matches for host (If you know what OS is running on it, see ).

TCP/IP fingerprint:

OS:Scan .. (truncated)....
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Note some changes here: the IP address has changed and the OS fingerprint is no longer exact (this is probably due to an outdated nmap database), but he can still see it is a Debian installation.

Anyway, it is still a very suspicious host, we need to hide the OS, SSH, xrdp and SEVPN from the IT admin's nmap scan.

What we can do is this:
1) Create a virtual interface on the piVPN box with an IP address outside the IT admin's address space, and give this virtual interface its own subnet.
2) Create a route between eth0 and the virtual interface.
3) Bind SEVPNServer to the virtual interface.
4) Set up iptables to ALLOW all new, established and outgoing packets from eth0 and DROP all incoming packets. ICMP should be stopped too.

The reason this will work is that the SEVPNServer is installed to connect outbound with a default connection to a host in the azure cloud with a dynamic DNS name (
The client does the same. They will meet in the middle and the client will access the inside of the office network remotely.

SEVPNServer->virtualinterface ->route-> eth0-->corp.LAN -->Internet---><---Internet--SEVPNClient

From a hacking perspective this is not perfect, as you only have a layer 3 link into the remote network and not a layer 2 connection, but as a minimum you will be able to scan all the hosts, ports and resources on the office network using layer 3.
Also, please note accessing through the default vpnazure cloud can be very slow.

SEVPNserver setup:

Set up as a server (center server).
Create a new tap device (I call the device vpn; SE creates it with the name "tap_vpn" in ifconfig).
Set up the SecureNAT (I actually disable that now) and the virtual DHCP server.
The default setting is for the virtual hosts network, and a DHCP scope of for the clients.
I just disabled the SecureNAT thing (but you can just use that too), as in the picture.

iptables time...

#Enable routing between eth0 and the tap device:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tap_vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i tap_vpn -o eth0 -j ACCEPT
#Enable lo
iptables -A INPUT -i lo -j ACCEPT  
iptables -A OUTPUT -o lo -j ACCEPT 
#Enable the VPN tap device (SoftEther names it tap_vpn, as in the FORWARD rules above)
iptables -A INPUT -i tap_vpn -j ACCEPT
iptables -A OUTPUT -o tap_vpn -j ACCEPT
#Drop ICMP
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
#Drop ALL other
iptables -P INPUT DROP

Now start a VPN client against the machine.
The machine will get an IP of 192.168.30.x and will be able to access the network over the Linux router.

NOW when the IT admin scans the host with nmap:

The new scan shows:

Nmap scan report for
Host is up (0.010s latency).
All 1000 scanned ports on are filtered
MAC Address: 00:22:64:B9:41:EB (Hewlett-Packard Company)

A detailed scan does not help him either.
Of course this could/will lead to an investigation as well :-)
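
Seen from the admin's side, each of the scans above still carries an inconsistency that can be checked automatically. The following is an added example, not part of the original post: it triages nmap text output for the indicators the post itself names (Raspberry Pi vendor prefix, an HP MAC on a host reporting Linux, the SoftEther and xrdp banners, and a host that has a MAC but filters every port). The sample reports are constructed from the post's scans with placeholder 192.0.2.x addresses, and the EXPECTED_OS policy table and finding names are assumptions.

```python
import re

# Constructed samples modelled on the post's second and third scans;
# the 192.0.2.x addresses are placeholders, not values from the page.
SCAN_SPOOFED = """\
Nmap scan report for 192.0.2.10
22/tcp   open  ssh           OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
443/tcp  open  ssl/http      SoftEther VPN httpd
3389/tcp open  ms-wbt-server xrdp
MAC Address: 00:22:64:B9:41:EB (Hewlett-Packard Company)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""
SCAN_FILTERED = """\
Nmap scan report for 192.0.2.11
All 1000 scanned ports on 192.0.2.11 are filtered
MAC Address: 00:22:64:B9:41:EB (Hewlett-Packard Company)
"""

# Assumption: site policy of which OS each NIC vendor is expected to run.
EXPECTED_OS = {"Hewlett-Packard Company": {"Windows"}}

def triage(report, expected_os=EXPECTED_OS):
    """Return the list of findings for one host block of nmap text output."""
    findings = []
    m = re.search(r"^MAC Address: \S+ \((.+)\)$", report, re.M)
    vendor = m.group(1) if m else None
    m = re.search(r"^Service Info: OS: ([^;]+);", report, re.M)
    os_name = m.group(1) if m else None
    if vendor == "Raspberry Pi Foundation":
        findings.append("raspberry-pi-oui")
    if os_name and vendor in expected_os and os_name not in expected_os[vendor]:
        findings.append("vendor-os-mismatch")  # NIC vendor contradicts the OS
    for port, version in re.findall(
            r"^(\d+)/tcp +open +\S+[ \t]*(.*)$", report, re.M):
        if "SoftEther" in version:
            findings.append("vpn-server-banner")
        if port == "3389" and "xrdp" in version:
            findings.append("rdp-served-by-xrdp")  # RDP port, non-Windows server
    if vendor and re.search(r"^All \d+ scanned ports on .* are filtered$",
                            report, re.M):
        # Answers ARP (MAC is known) yet drops every probe: default-drop
        # host firewall, unusual for a managed workstation.
        findings.append("arp-only-host")
    return findings

if __name__ == "__main__":
    for sample in (SCAN_SPOOFED, SCAN_FILTERED):
        print(triage(sample))
```

The MAC line only appears when the scanner sits on the same layer 2 segment as the target, so the vendor checks apply to scans run from inside the subnet.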
