New ways of intrusion into the system can be accessed through VPN

New ways of intrusion into the system can be accessed through VPN

VPN has become more and more widely used. Some people use it to bypass the review system, some use it to access websites prohibited by the State, and some use it as the privacy protection layer.

There are usually two reasons for using VPN in our work: Access Vulnerability exploitation toolkit or anonymous testing of audio and terminal security products. Most vulnerability exploitation kits attack by filtering the victim's IP address. In addition, the testing results of audio and terminal security products in the lab environment are different from those on the home or enterprise user machine. Therefore, VPN is very important in daily work.

One thing happened this month. We use commercial VPN as usual. As usual, we use Fiddler to test the malicious traffic of the VirtualBox client and manually enable "Allow Remote Computer Connection" in the configuration ", then the machine in the lab also opens the firewall and NAT. The proxy and VPN were opened for one night.

Then, the next morning, when all the clients were shut down that night, we found some strange traffic in the history of Fiddler. We guess whether a malware is running on the host or someone accesses the Fiddler agent over the network. Therefore, we quickly checked the traffic that we found was passing through the VPN network interface. The Nmap scan of the vpn ip proves our doubts again. Lab machines can connect to all services (Apache, FTP, Fiddler, RDP) over the Internet through vpn ip addresses ). Among them, the Fiddler proxy port is used as an open proxy for malicious purposes such as click fraud. But at least port SMB 445 is filtered out by the firewall.

Although Windows Firewall is always on, VPN interface is set to public mode, private network is set to private mode, but because these services are manually configured, you can directly access the service to browse the privacy document.

We think most VPN companies do not have this problem. Generally, VPN providers have fewer public IPS than VPN users, which means they use NAT in some places. This will not happen if you use NAT.