GNS3 AES 256bit encrypted vpn pivot
Simulated attacks in backtrack, or... ways to practice while still being legal and safe. When the release of BT5 x86_64 allows more than 2GBs of memory on your backtrack machine, this method could be used to build larger portions of corporate networks to practice against than is demonstrated here. The tap1 loopback adapter acts as a switch and multiple virtual machines can be bridged to it.
For this writeup:
192.168.25.0/24 is my LAN that backtrack is on.
192.168.99.0/24 is the target inside network on the emulated cisco router.
Here I will demonstrate configuring an encrypted IPSEC VPN server on a cisco router using AES 256 bit encryption, to use for pivoting to the inside network. I am then able to nmap and otherwise attack the inside hosts over said tunnel. In this case I won't demonstrate the metasploit aspect as I've already spent time on a metasploit write-up. You will need to have a cisco router configured in GNS, communicating with your LAN, as well as virtualbox installed with some sort of virtual machine to attack that will be placed on this cisco's inside network. Please refer to my previous GNS3 posts if more information is needed on its use or configuration.
Bear in mind this type of tunnel does not work on all IOS versions/feature sets. If one were to attempt this on an IOS that is not capable, one would notice some of these commands are not available or appear to be missing in the router.
To install virtualbox, follow this set of instructions:
Advanced Corner - BackTrack Linux
Or you could run my virtualbox installation script. The wiki instructions are very easy, but this script should make it easier yet
download and run
root@bt:~# chmod +x install-vbox
This is the IOS version/feature set I am using for this demonstration.
Now there is one difference from the usual GNS3 network config you might use. You just add one more loopback adapter.
root@bt:~# apt-get update
root@bt:~# apt-get install uml-utilities
root@bt:~# apt-get install gns3
root@bt:~# tunctl -t tap1
root@bt:~# brctl addbr br0
root@bt:~# brctl addif br0 eth0
root@bt:~# brctl addif br0 tap0
root@bt:~# ifconfig eth0 0.0.0.0 promisc up
root@bt:~# ifconfig tap0 0.0.0.0 promisc up
root@bt:~# ifconfig tap1 0.0.0.0 promisc up
root@bt:~# dhclient br0
This second loopback adapter is what your Virtualbox machine will have its network adapter bridged to. You will need to add two cloud devices to GNS3 in this scenario. This second cloud is also bridged to the loopback adapter 'tap1' and connects to the inside interface of our cisco router (fa0/1). The first cloud of course is bridged to tap0 and connected to the outside interface of the router (fa0/0) for network access to your LAN.
Here is a supplemental picture
I haven't shown it before, but the Vbox machine in my configuration receives its IP address via DHCP. Here is how to configure a DHCP server on your router. In this case the inside network is 192.168.99.0/24.
victimz(config)# ip dhcp excluded-address 192.168.99.1 192.168.99.10
victimz(config)# ip dhcp pool LAN
victimz(dhcp-config)# network 192.168.99.0 255.255.255.0
victimz(dhcp-config)# dns-server 22.214.171.124
victimz(dhcp-config)# default-router 192.168.99.1
And now the tunnel config.
victimz(config)# aaa new-model
victimz(config)# aaa authentication login vpn-auth local
victimz(config)# aaa authorization network vpn-auth local
victimz(config)# aaa session-id common
victimz(config)# crypto isakmp policy 100
victimz(config-isakmp)# encr aes 256
victimz(config-isakmp)# authentication pre-share
victimz(config-isakmp)# group 2
victimz(config)# crypto isakmp keepalive 30 5
victimz(config)# crypto isakmp xauth timeout 30
victimz(config)# crypto isakmp client configuration group vpn99
victimz(config-isakmp-group)# key gameover*
victimz(config-isakmp-group)# dns 126.96.36.199
victimz(config-isakmp-group)# pool vpn-pool
victimz(config)# crypto ipsec transform-set vpn-test esp-aes 256 esp-sha-hmac
victimz(config)# crypto ipsec profile ipsec-9
victimz(ipsec-profile)# set transform-set vpn-test
victimz(config)# crypto dynamic-map vpn-dynamic 100
victimz(config-crypto-map)# set transform-set vpn-test
victimz(config)# crypto map vpn-cm client authentication list vpn-auth
victimz(config)# crypto map vpn-cm isakmp authorization list vpn-auth
victimz(config)# crypto map vpn-cm client configuration address respond
victimz(config)# crypto map vpn-cm 65535 ipsec-isakmp dynamic vpn-dynamic
victimz(config)# interface FastEthernet0/0
victimz(config-if)# crypto map vpn-cm
victimz(config)# ip local pool vpn-pool 192.168.99.200 192.168.99.225
Also, do not forget to set up a username to use with the vpn connection.
victimz(config)# username iprouteth0 privilege 15 password gameover*
Now that our tunnel is set up we can go ahead and use it to scan the inside subnet. For my vbox machine I used windows XP. Here are the steps.
root@bt:~# apt-get install vpnc
Enter IPSec gateway address: 192.168.25.113
Enter IPSec ID for 192.168.25.113: vpn99
Enter IPSec secret for vpn99@192.168.25.113:
Enter username for 192.168.25.113: iprouteth0
Enter password for iprouteth0@192.168.25.113:
VPNC started in background (pid: 8344)...
root@bt:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-0
inet addr:192.168.99.201 P-t-P:192.168.99.201 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1390 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
And a quick scan of the XP machine. FYI nessus or openVAS should work through these tunnels as well.
root@bt:/workspace# nmap 192.168.99.11
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-21 06:45 CST
Nmap scan report for 192.168.99.11
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 17.18 seconds
Then go ahead and run appropriate exploits. Bear in mind when attacking through a tunnel like this and using reverse type payloads, make sure to point your LHOST to your tunnel adapter's IP address. In this scenario it would be
msf exploit(ms10_061_spoolss) > set lhost 192.168.99.201
Hope this is useful or interesting for someone out there, and leave feedback if you're of a mind. This will be a work in progress for a bit as I get the video demo nailed out. I'd like to try to be as complete as possible in the video demo and will even try to include some metasploit usage over the tunnel also.
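An added example, not part of the original post: a small Python audit run over the security-relevant lines of the router config shown above, flagging the settings a defender would change before using such a config outside a lab. The `audit` function and its finding labels are this example's own names, and the embedded config is a constructed excerpt of the lines from this page.

```python
import ipaddress
import re

# Constructed excerpt: security-relevant lines copied from the config in this post.
CONFIG = """\
ip dhcp excluded-address 192.168.99.1 192.168.99.10
ip dhcp pool LAN
 network 192.168.99.0 255.255.255.0
crypto isakmp policy 100
 authentication pre-share
 group 2
crypto isakmp client configuration group vpn99
 key gameover*
ip local pool vpn-pool 192.168.99.200 192.168.99.225
username iprouteth0 privilege 15 password gameover*
"""


def ip(s):
    return int(ipaddress.IPv4Address(s))


def audit(config):
    """Return a sorted list of finding labels (labels are this example's own)."""
    text = "\n".join(line.strip() for line in config.splitlines())
    found = set()
    # DH groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP groups.
    if re.search(r"^group (1|2|5)$", text, re.M):
        found.add("weak-dh-group")
    keys = re.findall(r"^key (\S+)$", text, re.M)
    if keys and re.search(r"^authentication pre-share$", text, re.M):
        found.add("shared-group-psk")
    users = r"^username \S+ privilege (\d+) (password|secret) (\S+)$"
    for priv, kind, pw in re.findall(users, text, re.M):
        if priv == "15":
            found.add("vpn-user-privilege-15")
        if kind == "password":  # stored in clear or reversible form, unlike 'secret'
            found.add("password-not-secret")
        if pw in keys:
            found.add("psk-reused-as-password")
    # Addresses the DHCP server may lease: its network minus the excluded range.
    net = re.search(r"^network (\S+) (\S+)$", text, re.M)
    excl = re.search(r"^ip dhcp excluded-address (\S+) (\S+)$", text, re.M)
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)$", text, re.M)
    if net and pool:
        lan = ipaddress.IPv4Network(f"{net.group(1)}/{net.group(2)}")
        lo, hi = (ip(excl.group(1)), ip(excl.group(2))) if excl else (1, 0)
        if any(ipaddress.IPv4Address(a) in lan and not lo <= a <= hi
               for a in range(ip(pool.group(1)), ip(pool.group(2)) + 1)):
            found.add("vpn-pool-inside-dhcp-range")
    return sorted(found)

print(audit(CONFIG))
```

With `group 2` the key exchange is a 1024-bit Diffie-Hellman group, so the AES 256 setting alone does not determine the strength of the tunnel. The pool finding reflects that the DHCP server excludes only 192.168.99.1 to 192.168.99.10 and can therefore lease the same addresses the VPN pool hands out.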