Monday, May 6, 2013

Pen Testing Drop Box using OpenVPN in a restricted environment

Recently I had to perform a penetration test using a VMware box located at the customer's premises in the US, accessing it remotely from Europe over OpenVPN from my standard pentesting laptop.
The objective of this post is to describe the OpenVPN configuration I used to connect to that box through the customer's corporate proxy.
I am not going into detail on how to set up an OpenVPN server as there are plenty of tutorials. Mine uses PKI and TLS (X.509 certificates issued by my own CA, plus a tls-auth key).
The drop box itself is a Kali Linux VM.
First and foremost, the customer did not provide me with any details on the environment and deemed no VPN access was possible. Well, he was wrong....
The only possible access to the internet was through the corporate proxy, whose address was handed out by a proxy PAC file.
The first action was to download the PAC file and work out which proxy it would hand out. A PAC file is a JavaScript function, FindProxyForURL(url, host), that returns "DIRECT" for internal hosts and otherwise a directive like:
return "PROXY 1.2.3.4:8080"
Often the directive is a fallback list ("PROXY a:8080; PROXY b:8080; DIRECT"); the first PROXY entry is the one to put in the OpenVPN client configuration. The PAC URL is the one configured in the browser proxy settings on the customer's network.

Then keep in mind that most corporate proxies only allow CONNECT to TCP port 443 (that is what an HTTPS connection looks like to them) and nothing else, so the OpenVPN server must listen on TCP/443 and the client must reach it through the proxy with http-proxy. Expect the usual TCP-over-TCP performance penalty; it is the price of this path.
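To make the two previous points concrete, here is an added example (not code from the original post): it evaluates a PAC file the way a browser does, to find the proxy to put in http-proxy, and then shows the CONNECT request OpenVPN sends through that proxy and what the proxy's first reply line means. The PAC body, the hostnames vpn.example.net and proxy1.corp.example and the address 10.1.2.3 are all constructed for the example; the CONNECT text approximates the shape of what OpenVPN's http-proxy code emits.

```javascript
'use strict';
// Added example, not part of the original post. Hostnames, addresses and the
// PAC body below are constructed.

// Glob match used by PAC files: '*' = any run of characters, '?' = one character.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')   // escape regex metacharacters
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// Dotted quad -> unsigned 32-bit integer.
function ip2int(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// isInNet(host, net, mask). Real PAC engines resolve names first; offline we
// only accept literal IPv4 addresses and treat anything else as "not in net".
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ip2int(host) & ip2int(mask)) === (ip2int(net) & ip2int(mask));
}

// The helper functions a FindProxyForURL body is allowed to call.
const PAC_HELPERS = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  dnsResolve: (host) => host,  // stub: no DNS offline, literal IPs pass through
  shExpMatch,
  isInNet,
};

// Run FindProxyForURL(url, host) from the PAC source. new Function executes
// the PAC with full Node privileges, which is acceptable for the file you
// fetched from your own proxy settings; for an untrusted PAC use the vm module.
function findProxyForURL(pacSource, url, host) {
  const names = Object.keys(PAC_HELPERS);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const fn = factory(...names.map((n) => PAC_HELPERS[n]));
  if (typeof fn !== 'function') throw new Error('PAC does not define FindProxyForURL');
  return fn(url, host);
}

// "PROXY a:8080; PROXY b:3128; DIRECT" is a fallback list. Return the first
// PROXY entry as {host, port}, or null when only DIRECT applies.
function firstProxy(pacResult) {
  for (const entry of pacResult.split(';')) {
    const [kind, hostport] = entry.trim().split(/\s+/);
    if (kind === 'PROXY' && hostport) {
      const [host, port] = hostport.split(':');
      return { host, port: Number(port || 80) };
    }
  }
  return null;
}

// Shape of the request OpenVPN sends for "remote <server> 443" with
// "http-proxy-option AGENT <agent>": a plain HTTP CONNECT to server:443.
function buildConnectRequest(server, port, agent) {
  return `CONNECT ${server}:${port} HTTP/1.0\r\nHost: ${server}\r\n` +
         `User-Agent: ${agent}\r\n\r\n`;
}

// Interpret the proxy's first response line.
function classifyProxyReply(statusLine) {
  const m = /^HTTP\/\d\.\d\s+(\d{3})/.exec(statusLine);
  if (!m) return 'not HTTP: wrong proxy port or protocol';
  const code = Number(m[1]);
  if (code >= 200 && code < 300) return 'tunnel established';
  if (code === 407) return 'authentication required: add credentials to http-proxy';
  if (code === 403 || code === 405) return 'CONNECT to this host:port refused by proxy policy';
  return `unexpected status ${code}`;
}

// Constructed PAC file standing in for the one downloaded from the customer.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (shExpMatch(url, "https:*")) return "PROXY proxy1.corp.example:8080; PROXY 10.1.2.3:8080; DIRECT";
  return "PROXY 10.1.2.3:8080";
}`;

const VPN_SERVER = 'vpn.example.net';  // assumed OpenVPN server name
const AGENT = 'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050226 Firefox/1.0.1';

const pacResult = findProxyForURL(SAMPLE_PAC, `https://${VPN_SERVER}:443/`, VPN_SERVER);
const chosen = firstProxy(pacResult);
console.log(`PAC returned: ${pacResult}`);
console.log(`http-proxy ${chosen.host} ${chosen.port}`);   // line for client.conf
console.log(buildConnectRequest(VPN_SERVER, 443, AGENT));
console.log(classifyProxyReply('HTTP/1.1 407 Proxy Authentication Required'));
```

Run it with node; the `http-proxy` line it prints is what goes into client.conf. A 407 from the real proxy means OpenVPN needs proxy credentials (the optional auth-file and auth-method arguments of http-proxy); a 403 means the CONNECT target is outside the proxy's policy, which is why the server has to sit on TCP/443.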
So here is the OpenVPN client configuration.

client.conf

client
dev tun
proto tcp                      # TCP only: it is all the proxy will CONNECT to
remote <OpenVpn Server public address> 443
# Proxy found in the PAC file. The CONNECT goes to <server>:443, which is what
# an HTTPS connection looks like to the proxy, so it is normally allowed.
http-proxy <hostname/IP address of Proxy found in proxy pac file> <Proxy Port(ex. 8080)>
# Quote the User-Agent so the spaces survive config parsing; replacing them
# with '+' would send the pluses literally and not look like a browser at all.
http-proxy-option AGENT "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050226 Firefox/1.0.1"
resolv-retry infinite
nobind

# Drop privileges once the tunnel is up; persist-* lets it survive restarts without root.
user nobody
group nogroup
persist-key
persist-tun

mute-replay-warnings

ca ca.crt
cert client.crt
key client.key                 # mode 600; whoever holds this key can join your VPN

# Require the server certificate to be a server certificate, so a stolen client
# certificate cannot impersonate the server. "ns-cert-type server" did this in
# older releases and was removed in OpenVPN 2.5; remote-cert-tls is its replacement.
remote-cert-tls server
tls-auth tlsauth.key 1         # HMAC on the control channel; 1 = client side, server uses 0

# Blowfish was the default at the time. It is a 64-bit block cipher and is not
# available in current OpenSSL builds; switch both ends to AES-256-CBC (or GCM).
cipher BF-CBC
comp-lzo                       # must match the server

verb 3
mute 20


And here is the server's configuration.

server.conf

# If the server sits behind NAT, "local" must be the address of the interface
# OpenVPN actually binds to, not the public address forwarded to it.
local <OpenVpn Server public address>
port 443                       # looks like HTTPS to the customer's proxy
proto tcp
dev tun

ca 2.0/keys/ca.crt
cert 2.0/keys/server.crt
key 2.0/keys/server.key  # This file should be kept secret

# 1024-bit DH is too weak today: generate a 2048-bit group
# (openssl dhparam -out dh2048.pem 2048) and point here.
dh 2.0/keys/dh1024.pem

tls-auth 2.0/keys/tlsauth.key 0   # 0 = server side, clients use 1

server 10.66.77.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd #we will assign the dropbox a static IP address see below

keepalive 10 120

# Blowfish (default at the time). 64-bit block cipher, disabled in current
# OpenSSL; change to AES-256-CBC on both ends.
cipher BF-CBC

comp-lzo
max-clients 3        # only the laptop and the drop box should ever connect
# Very important setting so you can ssh to the drop box from your pentesting
# laptop, which is connected to the same OpenVPN server. Note that it lets every
# connected client reach every other one, so keep the client set small.
client-to-client
user nobody
group nogroup
persist-key
persist-tun

status openvpn-status.log

verb 3
mute 20

Finally, to assign the drop box a static IP, create a file in /etc/openvpn/ccd whose name is the Common Name (CN) of the client's certificate, not the file name of the key pair (with easy-rsa the CN is the name you gave when building the key, so john.crt and john.key normally mean CN=john and a ccd file called john). For a certificate with CN "client":
$ cat /etc/openvpn/ccd/client
ifconfig-push 10.66.77.9 10.66.77.10
The two addresses are the client end and the server end of a /30 inside the 10.66.77.0/24 pool; with the default net30 topology only pairs such as 9/10, 13/14 or 17/18 are valid.

Connect both clients (your pentesting laptop and the remote VMware drop box) to the OpenVPN server using:
openvpn --config /etc/openvpn/client.conf --verb 4
If all goes well each client should be able to ping the other's tunnel address, and you can ssh to the drop box at 10.66.77.9 from your laptop.
The final step is to move the configuration, certificates and keys to /etc/openvpn/ on the drop box (the Debian init script starts every *.conf it finds there; keep client.key readable only by root) and make OpenVPN start at boot:

sudo update-rc.d openvpn enable

Remember that the drop box lives on the customer's premises: revoke its client certificate on your CA once the engagement is over.