Thread: GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack.

  1. #1
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Midwest, USA

    Default GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack.

    GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack, or.... Ways to practice while still being legal and safe. When the release of BT5 x86_64 allows more than 2GBs of memory on your backtrack machine, this method could be used to build larger portions of corporate networks to practice against than is demonstrated here. The tap1 loopback adapter acts as a switch and multiple virtual machines can be bridged to it.

    For this writeup is my LAN that backtrack is on. is the target inside network on the emulated cisco router.

    Here I will demonstrate configuring an encrypted IPSEC VPN server on a cisco router using AES 256 bit encryption, to use for pivoting to the inside network. I am then able to nmap and otherwise attack the inside hosts over said tunnel. In this case I won't demonstrate the metasploit aspect as I've already spent time on a metasploit write-up. You will need to have a cisco router configured in GNS, communicating with your LAN as well as virtualbox installed with some sort of virtual machine to attack that will be placed on this cisco's inside network. Please refer to my previous GNS3 posts if more information is needed on its use or configuration.

    Bear in mind this type of tunnel does not work on all IOS versions/feature sets. If one were to attempt this on an IOS that is not capable, one would notice some of these commands are not available or appear to be missing in the router.

    To install virtualbox, follow this set of instructions
    Advanced Corner - BackTrack Linux
    Or you could run my virtualbox installation script. The wiki instructions are very easy, but this script should make it easier yet
    download and run
    root@bt:~# chmod +x install-vbox
    root@bt:~# ./install-vbox
    This is the IOS version/feature set I am using for this demonstration.
    Now there is one difference from the usual GNS3 network config you might use. You just add one more loopback adapter.
    root@bt:~# apt-get update
    root@bt:~# apt-get install uml-utilities
    root@bt:~# apt-get install gns3
    root@bt:~# tunctl
    root@bt:~# tunctl -t tap1
    root@bt:~# brctl addbr br0
    root@bt:~# brctl addif br0 eth0
    root@bt:~# brctl addif br0 tap0
    root@bt:~# ifconfig eth0 promisc up
    root@bt:~# ifconfig tap0 promisc up
    root@bt:~# ifconfig tap1 promisc up
    root@bt:~# dhclient br0
    This second loopback adapter is what your Virtualbox machine will have its network adapter bridged to. You will need to add two cloud devices to GNS3 in this scenario. This second cloud is also bridged to the loopback adapter 'tap1' and connects to the inside interface of our cisco router(fa0/1). The first cloud of course is bridged to tap0 and connected to the outside interface of the router(fa0/0) for network access to your LAN.
    Here is a supplemental picture

    I haven't shown it before, but the Vbox machine in my configuration receives its IP address via DHCP. Here is how to configure a DHCP server on your router. In this case the inside network is
    victimz(config)# ip dhcp excluded-address
    victimz(config)# ip dhcp pool LAN
    victimz(dhcp-config)# network
    victimz(dhcp-config)# dns-server
    victimz(dhcp-config)# default-router
    victimz(dhcp-config)# exit
    And now the tunnel config.
    victimz(config)# aaa new-model
    victimz(config)# aaa authentication login vpn-auth local
    victimz(config)# aaa authorization network vpn-auth local 
    victimz(config)# aaa session-id common
    victimz(config)# crypto isakmp policy 100
    victimz(config-isakmp)# encr aes 256
    victimz(config-isakmp)# authentication pre-share
    victimz(config-isakmp)# group 2
    victimz(config-isakmp)# exit
    victimz(config)# crypto isakmp keepalive 30 5
    victimz(config)# crypto isakmp xauth timeout 30
    victimz(config)# crypto isakmp client configuration group vpn99
    victimz(config-isakmp-group)# key gameover*
    victimz(config-isakmp-group)# dns
    victimz(config-isakmp-group)# pool vpn-pool
    victimz(config-isakmp-group)# exit
    victimz(config)# crypto ipsec transform-set vpn-test esp-aes 256 esp-sha-hmac 
    victimz(cfg-crypto-trans)# exit
    victimz(config)# crypto ipsec profile ipsec-9
    victimz(ipsec-profile)# set transform-set vpn-test 
    victimz(ipsec-profile)# exit
    victimz(config)# crypto dynamic-map vpn-dynamic 100
    victimz(config-crypto-map)# set transform-set vpn-test 
    victimz(config-crypto-map)# reverse-route
    victimz(config-crypto-map)# exit
    victimz(config)# crypto map vpn-cm client authentication list vpn-auth
    victimz(config)# crypto map vpn-cm isakmp authorization list vpn-auth
    victimz(config)# crypto map vpn-cm client configuration address respond
    victimz(config)# crypto map vpn-cm 65535 ipsec-isakmp dynamic vpn-dynamic 
    victimz(config)# interface FastEthernet0/0
    victimz(config-if)# crypto map vpn-cm
    victimz(config-if)# exit
    victimz(config)# ip local pool vpn-pool
    Also, do not forget to set up a username to use with the vpn connection
    victimz(config)# username iprouteth0 privilege 15 password gameover*
    Now that our tunnel is set up we can go ahead and use it to scan the inside subnet. For my vbox machine I used windows XP. Here are the steps.
    root@bt:~# apt-get install vpnc
    root@bt:~# vpnc
    Enter IPSec gateway address:
    Enter IPSec ID for vpn99
    Enter IPSec secret for vpn99@
    Enter username for iprouteth0
    Enter password for iprouteth0@
    VPNC started in background (pid: 8344)...
    root@bt:~# ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-0
              inet addr:  P-t-P:  Mask:
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    And a quick scan of the XP machine. FYI nessus or openVAS should work through these tunnels as well.
    root@bt:/workspace# nmap
    Starting Nmap 5.35DC1 ( ) at 2010-12-21 06:45 CST
    Nmap scan report for
    Host is up (0.20s latency).
    Not shown: 997 closed ports
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    Nmap done: 1 IP address (1 host up) scanned in 17.18 seconds
    Then go ahead and run appropriate exploits. Bear in mind when attacking through a tunnel like this and using reverse type payloads, make sure to point your LHOST to your tunnel adapter's IP address... In this scenario it would be
    msf exploit(ms10_061_spoolss) > set lhost

    Hope this is useful or interesting for someone out there, and leave feedback if you're of a mind. This will be a work in progress for a bit as I get the video demo nailed out. I'd like to try to be as complete as possible in the video demo and will even try to include some metasploit usage over the tunnel also.
    Last edited by iproute; 12-30-2010 at 10:57 PM.

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010

    Default Re: GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack.

    Thanks for sharing.
    To be successful here you should read all of the following.
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Midwest, USA

    Default Re: GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack.

    Here is Part one of the videos which consists of installing the tools and setting up the lab environment. The physical LAN ip address is different from the how-to as I made a fresh backtrack VM for this video and its NIC was set to NAT.

  4. #4
    Good friend of the forums
    Join Date
    Jun 2008

    Default Re: GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack.

    Thanks for the tut, nice
    It would be good to see some way to connect to the windows box, then to the router and do something.
