GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack.

[iproute]

GNS3 AES 256bit encrypted vpn pivot-Simulated attacks in backtrack, or.... Ways to practice while still being legal and safe. When the release of BT5 x86_64 allows more than 2GBs of memory on your backtrack machine, this method could be used to build larger portions of corporate networks to practice against than is demonstrated here. The tap1 loopback adapter acts as an switch and multiple virtual machines can be bridged to it.

For this writeup
192.168.25.0/24 is my LAN that backtrack is on.
192.168.99.0/24 is the target inside network on the emulated cisco router.


Here I will demonstrate configuring an ecrypted IPSEC VPN server on a cisco router using AES 256 bit encryption, to use for pivoting to the inside network. I am then able to nmap and otherwise attack the inside hosts over said tunnel. In this case I won't demonstrate the metasploit aspect as I've already spent time on a metasploit write-up. You will need to have a cisco router configured in GNS, communicating with your LAN as well as virtualbox installed with some sort of virtual machine to attack that will be placed on this cisco's inside network. Please refer to my previous GNS3 posts if more information is needed on it's use or configuration.

Bear in mind this type of tunnel does not work on all IOS versions/feature sets. If one were to attempt this on an IOS that is not capable, one would notice some of these commands are not available or appear to be missing in the router.

To install virtualbox, follow this set of intructions
Advanced Corner - BackTrack Linux
Or you could run my virtualbox installation script. The wiki instructions are very easy, but this script should make it easier yet
install-vbox
download and run

Code:

root@bt:~# chmod +x install-vbox
root@bt:~# ./install-vbox

This is the IOS version/feature set I am using for this demonstration.

Code:

c3745-advsecurityk9-mz.124-23

Now there is one difference from the usual GNS3 network config you might use. You just add one more loopback adapter.

Code:

root@bt:~# apt-get update
root@bt:~# apt-get install uml-utilities
root@bt:~# apt-get install gns3
root@bt:~# tunctl
root@bt:~# tunctl -t tap1
root@bt:~# brctl addbr br0
root@bt:~# brctl addif br0 eth0
root@bt:~# brctl addif br0 tap0
root@bt:~# ifconfig eth0 0.0.0.0 promisc up
root@bt:~# ifconfig tap0 0.0.0.0 promisc up
root@bt:~# ifconfig tap1 0.0.0.0 promisc up
root@bt:~# dhclient br0

This second loopback adapter is what your Virtualbox machine will have it's network adapter bridged to. You will need to add two cloud devices to GNS3 in this scenario. This second cloud is also bridged to the loopback adapter 'tap1' and connects to the inside interface of our cisco router(fa0/1). The first cloud of course is bridged to tap0 and connected to the outside interface of the router(fa0/0) for network access to your LAN.
Here is a supplemental picture



I haven't shown it before, but the Vbox machine in my configuration receives it's IP address via DHCP. Here is how to configure a DHCP server on your router. In this case the inside network is 192.168.99.0/24.

Code:

victimz(config)# ip dhcp excluded-address 192.168.99.1 192.168.99.10
victimz(config)# ip dhcp pool LAN
victimz(dhcp-config)# network 192.168.99.0 255.255.255.0
victimz(dhcp-config)# dns-server 8.8.8.8
victimz(dhcp-config)# default-router 192.168.99.1
victimz(dhcp-config)# exit

And now the tunnel config.

Code:

victimz(config)# aaa new-model
victimz(config)# aaa authentication login vpn-auth local
victimz(config)# aaa authorization network vpn-auth local 
victimz(config)# aaa session-id common
victimz(config)# crypto isakmp policy 100
victimz(config-isakmp)# encr aes 256
victimz(config-isakmp)# authentication pre-share
victimz(config-isakmp)# group 2
victimz(config-isakmp)# exit
victimz(config)# crypto isakmp keepalive 30 5
victimz(config)# crypto isakmp xauth timeout 30
victimz(config)# crypto isakmp client configuration group vpn99
victimz(config-isakmp-group)# key gameover*
victimz(config-isakmp-group)# dns 8.8.8.8
victimz(config-isakmp-group)# pool vpn-pool
victimz(config-isakmp-group)# exit
victimz(config)# crypto ipsec transform-set vpn-test esp-aes 256 esp-sha-hmac 
victimz(cfg-crypto-trans)# exit
victimz(config)# crypto ipsec profile ipsec-9
victimz(ipsec-profile)# set transform-set vpn-test 
victimz(ipsec-profile)# exit
victimz(config)# crypto dynamic-map vpn-dynamic 100
victimz(config-crypto-map)# set transform-set vpn-test 
victimz(config-crypto-map)# reverse-route
victimz(config-crypto-map)# exit
victimz(config)# crypto map vpn-cm client authentication list vpn-auth
victimz(config)# crypto map vpn-cm isakmp authorization list vpn-auth
victimz(config)# crypto map vpn-cm client configuration address respond
victimz(config)# crypto map vpn-cm 65535 ipsec-isakmp dynamic vpn-dynamic 
victimz(config)# interface FastEthernet0/0
victimz(config-if)# crypto map vpn-cm
victimz(config-if)# exit
victimz(config)# ip local pool vpn-pool 192.168.99.200 192.168.99.225

Also, do not forget to set up a username to use with the vpn connection

Code:

victimz(config)# username iprouteth0 privilege 15 password gameover*

Now that our tunnel is set up we can go ahead and use it to scan the inside subnet. For my vbox machine I used windows XP. Here are the steps.

Code:

root@bt:~# apt-get install vpnc
root@bt:~# vpnc
Enter IPSec gateway address: 192.168.25.113
Enter IPSec ID for 192.168.25.113: vpn99
Enter IPSec secret for vpn99@192.168.25.113:
Enter username for 192.168.25.113: iprouteth0
Enter password for iprouteth0@192.168.25.113:
VPNC started in background (pid: 8344)...
root@bt:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-0
          inet addr:192.168.99.201  P-t-P:192.168.99.201  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1390  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

And a quick scan of the XP machine. FYI nessus or openVAS should work through these tunnels as well.

Code:

root@bt:/workspace# nmap 192.168.99.11

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-21 06:45 CST
Nmap scan report for 192.168.99.11
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 17.18 seconds

Then go ahead and run appropriate exploits. Bear in mind when attacking through a tunnel like this and using reverse type payloads, make sure to point your LHOST to your tunnel adapters IP address... In this scenario it would be

Code:

msf exploit(ms10_061_spoolss) > set lhost 192.168.99.201

Hope this is useful or interesting for someone out there, and leave feedback if you're of a mind. This will be a work in progress for a bit as I get the video demo nailed out. I'd like to try to be complete as possible in the video demo and will even try to include some metaploit usage over the tunnel also.

[Archangel-Amael]

Thanks for sharing.

[iproute]

Here is Part one of the videos which consists of installing the tools and setting up the lab environment. The physical LAN ip address is different from the how-to as I made a fresh backtrack VM for this video and its NIC was set to NAT.

[compaq]

Thanks for tut, nice
It would be ngood to see some way to connect to the windows box, then to the router and do something.