Jump to content

How Can the LAN Turtle Discover Network IP Range?


reubadoob
 Share

Recommended Posts

Hello all!

I was recently watching the video Access Internal Networks with Reverse VPN connections - Hak5 1921 and around 15:15 of the video @Darren Kitchen mentions:
 

Quote

...there are many ways using the turtle to find out what ip range the network you've connected is...

 

I was wondering what are some of those "ways" the LAN Turtle can discover the IP range of the network it's connected to and then make itself available for connection via VPN?

Not doubtful just interested in learning the process!

Thanks!

Link to comment
Share on other sites

@Sebkinne thanks for the response! 

WIthout owning a LAN Turtle (yet!) I am assuming the ifconfig bash script can be

1. Run as a LAN Turtle module as soon as it's plugged into the "target/victim"

2. "Auto-connect" to VPS/VPN

3. Enjoy!

Like I said I'm just making some assumptions here. Thanks again!

Link to comment
Share on other sites

49 minutes ago, reubadoob said:

@Sebkinne thanks for the response! 

WIthout owning a LAN Turtle (yet!) I am assuming the ifconfig bash script can be

1. Run as a LAN Turtle module as soon as it's plugged into the "target/victim"

2. "Auto-connect" to VPS/VPN

3. Enjoy!

Like I said I'm just making some assumptions here. Thanks again!

This would be absolutely possible, yeah. 

Link to comment
Share on other sites

36 minutes ago, reubadoob said:

@Dave-ee Jones  I did some forum-search-fu and from what I'm finding is @Just_a_User pictures of what in guessing is a new LAN ?? 

Soooo....When is it going to be released? 

Don't get into the mindset that the 3G LAN Turtle = Packet Squirrel - they are 2 different devices.

The Packet Squirrel was announced a month or so ago, however no one (except Sebkinne) knows what it is, and the 3G LAN Turtle is just a LAN Turtle with 3G support (for an external VPN).

Link to comment
Share on other sites

26 minutes ago, Dave-ee Jones said:

Don't get into the mindset that the 3G LAN Turtle = Packet Squirrel - they are 2 different devices.

The Packet Squirrel was announced a month or so ago, however no one (except Sebkinne) knows what it is, and the 3G LAN Turtle is just a LAN Turtle with 3G support (for an external VPN).

Yeah it was pretty clear from @Just_a_User post the Packet Squirrel is something new all together. 

 

But when you say 

Quote

the 3G LAN Turtle is just a LAN Turtle with 3G support (for an external VPN).

Are you saying it was just a one off creation? Because in the context of the other thread, Lan Turtle 3g, it seemed like it was a version 2 of the LAN Turtle with a price tag. 

 

I know we're getting off track here but if there is another LAN Turtle coming which will solve my original question of how to go about  getting the IP range of a Target/Victim network I may consider holding off  purchasing the current gen Turtle. As oppose to trying to piece together some bash script (I know next to zilch about coding, especially for the LAN Turtle) I get this concept of how the current LAN Turtle would go about doing it just don't have the skillz myself to do it. Yet...

Link to comment
Share on other sites

1 hour ago, reubadoob said:

I know we're getting off track here but if there is another LAN Turtle coming which will solve my original question of how to go about  getting the IP range of a Target/Victim network I may consider holding off  purchasing the current gen Turtle. As oppose to trying to piece together some bash script (I know next to zilch about coding, especially for the LAN Turtle) I get this concept of how the current LAN Turtle would go about doing it just don't have the skillz myself to do it. Yet...

While I cannot find it on the Hakshop, I think it was genuinely made to be sold as a Hakshop item, though the only time I've seen it sold was at the latest event that Hak5 attended (can't remember which - may have been Defcon?).

In regards to whether you should wait for the 'new' Turtle or not, it might be better if @Sebkinne answers that question. My understanding is that the 3G LAN Turtle costs 3x as much as the original, while you still have to pay for the 3G SIM as well. So if you are using it for testing or in-house VPN curiosity then go with the original. However that's not to say there might be an entirely new LAN Turtle coming out soon..But as I said, best person to answer those questions is Sebkinne.

Link to comment
Share on other sites

Hi,

To get the address of the network you are plugged into via the ethernet cable, you can use the "ip addr show" command and pipe it through some utilities.  For example:

ip addr show dev eth1|grep -i "inet "|tr -s " "|cut -f 3 -d " "

the first part (ip addr show dev eth1) will get you something like:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:13:37:a6:58:2d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.19/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::213:37ff:fea6:582d/64 scope link
       valid_lft forever preferred_lft forever

piping this into grep to grab just the line with "inet " in it gets you:

    inet 192.168.1.19/24 brd 192.168.1.255 scope global eth1

note the leading spaces.

Then pipe that into translate (tr) to squeeze (-s) the spaces (" ") together to get:

 inet 192.168.1.19/24 brd 192.168.1.255 scope global eth1

and finally pipe to cut to pick out field 3 (-f 3) the fields being separated/delimited by spaces (-d " ") to get:

192.168.1.19/24

you can put this into a variable to use later by wrapping up that line as commands to run and assign the output.  For example:

eth1addr=$(ip addr show dev eth1|grep -i "inet "|tr -s " "|cut -f 3 -d " ")
echo $eth1addr

to get the result:

192.168.1.19/24

Now you know the IP range you are plugged into, go to your VPS and ensure the range is in the list of networks your LT is acting as a gateway for, as per Darren's video.

If you wanted to get at other networks via the eth1 connection (i.e. if it is not just a single flat 1 subnet setup), you would need to add routing entries on the turtle to tell it how to get at them, and let the VPS know those also.

hope that helps.

 

Link to comment
Share on other sites

@reubadoob Once you have your LT running the OpenVPN client as per Darren's video, the LT doesn't point its local IP settings back to the VPS - rather the OpenVPN gateway client-side subnet settings are routed via the LT by the VPN.

To get as automatic as possible, if you are happy to blanket route all 192.168.x.y and 10.w.x.y addresses via the LT (i.e. this doesn't clash with any local PC private address routing you have), you can set the OpenVPN gateway settings just once and plug the LT into any of those networks and the routing will go to all of those via the LT regardless. 

The assumption is that you are using your PC to get to such networks via the LT, and your PC and LT are the only 2 devices on that VPN, so why not ?  It's only an issue if you clash with any routing your local PC already has to your local home networks.  If that's the case, you may have to manually adjust each time.  Mostly, I've found the blanket approach doesn't cause me any issues I care about.

To set this, in the OpenVPN gateway user permission settings for the LT user account, add networks 10.0.0.0/8 and 192.168.0.0/16 to go via the LT and then apply those changes and click on the button to update the server with the new settings.  You can also add in 172.w.x.y addresses if you want (but by default OpenVPN uses 172.27.224.0/24 for itself).

If you then connect the LT to any 192.168.x.y or 10.w.x.y network, the VPN will route packets for those client subnets via the LT regardless of which one the LT is plugged into this time, so you can then reach the one you are plugged into this time from the PC without changing anything.

So  -

plug in the LT and connect the PC to the VPN.

On the PC, tracert to a 192.168 address that doesn't exist and break out of it when you start getting * responses.  The output will tell you the LT VPN address.

e.g.

tracert 192.168.44.55

Tracing route to 192.168.44.55 over a maximum of 30 hops

  1    21 ms    16 ms    17 ms  172.27.224.1
  2    32 ms    31 ms    29 ms  172.27.224.7
  3     *     ^C

which tells you the LT VPN address is 172.27.224.7

That doesn't actually tell you which client-side IP address/subnet you got on the LT this time.

You can get this using the plink program included with putty.

Create a text file (e.g. ifconfig.txt) on the PC with the following 1 line in it:

ifconfig eth1 | grep -i "inet ad"

then run the following command from your PC (obviously change the LT address to the one you just found and use your own LT password) to see the desired output:

plink.exe -ssh root@172.27.224.7 -pw xxxxxx -m c:\data\putty\ifconfig.txt
          inet addr:192.168.1.17  Bcast:192.168.1.255  Mask:255.255.255.0

This tells you the LT client-side address is currently 192.168.1.17 in a class C subnet.

As before, if you want to get to all parts of a multi-subnet setup, routes would be needed in the LT also (not needed if its just the one network). 

That will need a script to grab the default gateway your connection was given and create routing entries to go via that address.  You can invoke that script at startup via /etc/rc.local entries or you could run a scheduled task to run a script every so often. 

If you don't want to modify the LT, you could use plink files/commands to set it up, but that isn't automatic.

Again, hope that helps.

 

 

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...