torsdag 13. august 2015

Hide your ass: Hide by MAC address and internal routing

Scenario: if you have connected your piVPN\raspberry to a network it will be visible during the IT admins network scan.
So what if you want to hide the box for him and his sniffing ?
Of course there is a reason why it should not be on the network in the first place, and placing such a device unauthorized on any corporate network is probably illegal in all countries.
So please only use this method for training and authorized penetration testing at home
.
All software i mention in the text is preinstalled on my downloadable pivpn image  here (dropbox) or here (direct http).
It is just a raspbian wheezy dated 05.05.2015 with some extra software, and installation procedure is the same as in raspbian.
You will need minimum 4GB SD card and a RPi2 to install the image.
Username and password is root/toor
But you could install all the needed software on anything running linux really.

So on a office network we have installed a raspberry pi with SEVPNServer, xrdp and ssh.

The pivpn box is connected to the remote network with a network cable to eth0 getting an IP from the office networks DHCPd.
From home (using SEVPNClient we are able to connect to the office network; get an IP address from the office DHCPd and then access all information on the office subnet from our device as we where connected by a virtual ethernet cable




The auto generated name is vpn108759189.vpnazure.net

A quick nmap scan from from the IT admin's PC will show something like this:

Nmap scan report for pivpn.workgroup (192.168.99.10)
Host is up (0.0073s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
3389/tcp open  ms-wbt-server

MAC Address: B8:27:EB:DA:87:FF (Raspberry Pi Foundation)

There is a few things here that the admin will react to:

1) what is an unauthorized Raspberry Pi doing in my environment ?
2) why are those ports open (22, 443, 3389) in the first place ?
3) how come a linux box running port 3389 (this would maybe be OK, and slipped by if it was a Windows machine, but not on a linux host).
4) why is it running https and ssh. It is a  web server of some kind ?

In general, at this point, all IT admins would start to trace down the box.

So here are some basic stuff that you could do to try to hide your box:

Change the MAC address


1) Run the macchanger application to change the mac address of your box.
Here you should be a little creative. The MAC address should reflect a device that  the network admin would expect to be on the network. It could be a DAB internet radio MAC or a Cisco address; if you are connected by wireless an iphone MAC would be good.
Your choice.
You could find a list of vendor MAC ranges on:
http://www.coffer.com

For this example, all other PC's in the current environment are HP's
A typical HP machine could have a MAC address of something like this(coffer):
00:22:64:B9:41:EB

Also if they got a naming convention for the device you are imitating, change the hostname of the device by changing the name in these files,:
vi /etc/hostname
vi /etc/hosts
to something that makes sense like (WSHQ156, myiphone5, SwitchHQ2floor3)

We can change our MAC address by running macchanger, Never use an address that is already used in the network.

Usage: macchanger [options] device

  -h,  --help                   Print this help
  -V,  --version                Print version and exit
  -s,  --show                   Print the MAC address and exit
  -e,  --ending                Don't change the vendor bytes
  -a,  --another                Set random vendor MAC of the same kind
  -A                            Set random vendor MAC of any kind
  -p,  --permanent              Reset to original, permanent hardware MAC
  -r,  --random                 Set fully random MAC
  -l,  --list[=keyword]         Print known vendors
  -m,  --mac=XX:XX:XX:XX:XX:XX
       --mac XX:XX:XX:XX:XX:XX  Set the MAC XX:XX:XX:XX:XX:XX

make sure the interface eth0 is down
/sbin/ifconfig eth0 down
enter
macchanger --mac 00:22:64:B9:41:EB eth0

If you are online create a simple script:

#! /bin/bash
/sbin/ifconfig eth0 down
/usr/bin/macchanger --mac 00:22:64:B9:41:EB eth0
/sbin/ifconfig eth0 up

and run it.

Note that the interface will change the IP address if you are on a DHCP server and you will need to figure out that address to reconnect over LAN.


Now the IT admin wants to do a nmap quickscan plus to gain some information:

Nmap scan report for pivpn.workgroup (192.168.99.117)
Host is up (0.00052s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
443/tcp  open  ssl/http      SoftEther VPN httpd
3389/tcp open  ms-wbt-server xrdp
MAC Address: 00:22:64:B9:41:EB (Hewlett-Packard Company)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:Scan .. (truncated)....
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Note some changes here, IP change and the OS fingerprint is not exact anymore (this is probably due to a not updated nmap database, but he can still see it is a Debian installation)

Anyway, it is still a very suspicious host, we need to hide the OS, SSH, xrdp and SEVPN from the IT admin's nmap scan.

What we can do is this:
1) Create a virtual interface on the piVPN box with an IP address out of the IT admins address space, and give this virtual interface it own subnet
2) Create a route between eth0 and the virtual interface.
3) Bind SEVPNServer to the virtual interface.
4) Setup iptables to ALLOW all new, created and outgoing packages from eth0 and DROP all incoming packages. ICMP should be stopped too.

The reason this will work is that the SEVPNServer is installed to connect outbound with a default connection to a host in the azure cloud with a dynamic DNS name (hostname.vpnazure.net).
The client does the same. They will meet in the middle and the client will access the inside of the office network remotely.
schematic:

SEVPNServer->virtualinterface ->route-> eth0-->corp.LAN -->Internet--->azurevpn.net<---Internet--SEVPNClient

From a hacking perspective this is not perfect, as you only have a layer 3 link into the remote network and not to a layer 2 connection, but as a minimum you will be able to scan all the hosts and ports and resources on the office network using layer 3.
Also, please note accessing through the default vpnazure cloud can be very slow.

SEVPNserver setup:

Setup ad a server (center server)
create a new tap device (I call the device vpn, SE is creating it with the name "tap_vpn" in ifconfig)
Setup the secure NAT (I actually disable that now) and virtual DHCP server.
the default setting is 192.168.30.1 for the virtual hosts network, and a DHCP scope of 192.168.30.10-200 for the clients.
I just disabled the SecureNat thing (but you can just use that too), as in the picture.



iptables time...


#Enable routing between eth0 and the tap device:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tap_vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i tap_vpn -o eth0 -j ACCEPT
#Enable lo
iptables -A INPUT -i lo -j ACCEPT  
iptables -A OUTPUT -o lo -j ACCEPT 
#Enable vpn tun card
iptables -A INPUT -i tap-vpn -j ACCEPT
iptables -A OUTPUT -o tap-vpn -j ACCEPT
#Drop ICMP
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
#Drop ALL other
iptables -P INPUT DROP


Now start a VPNclient against the hostname.azurevpn.net machine
The machine will get an IP of 192.168.30.x and will be able to access the network over the linux router.




NOW when the IT admin scans the host with nmap:

The new scan shows:

Nmap scan report for 192.168.99.117
Host is up (0.010s latency).
All 1000 scanned ports on 192.168.99.117 are filtered
MAC Address: 00:22:64:B9:41:EB (Hewlett-Packard Company)

A detailed scan is not helping him either.
Of course this could\will lead to an investigation as well :-)

fredag 7. august 2015

The new piVPN "distro"

Note:
This "distro" can be downloaded here: pivpn-2015-05-05-raspbian-wheezy.7z

Username is root
Password is toor
ssh and xrdp is running at start.

Background:
After struggling with some reinstalls I figured I needed  to create a basic SD image with the stuff I need without reinstalling from a scratch image all the time.
I normally need a lot of network tools, and sadly Kali turned out a bit too unstable for me (I had issues with hostapd and firmware).
Finally I figured out it would be better for me with a modified base system that could easily be reinstalled.

This image is just a raspbian image (2015-05-05)with some extra software preinstalled, and also (basically all the childish stuff) some removed.
As it is using the raspian repositories it should get all raspian updates and upgrades.


Added apps are:
iceweasel
thunar
dsniff
sslstrip
ettercap-common
macchanger
wireshark
nmap
driftnet
libnl-3-dev libnl-genl-3-dev
xrdp
iw
vim
git-core
moreutils
lsof
build-essential
curl
hostapd
bridge-utils
tor
cryptsetup
dropbear
isc-dhcp-server
leafpad
softether VPN server Softether VPN bridge Softether Client
aircrack-ng-1.2-rc2