
Kali Dropbox

Please note: any links in this article are affiliate links. You will not be charged extra if you use these links; however, I will get some kickback if you do, so thank you.

As part of performing a penetration test, it is often good practice to try to get a device on the internal network, especially if performing a physical test. There are loads of ways of doing this, with guides available on YouTube and other blog sites, but I thought I would write up how I’ve done it in case someone comes across this page and is intrigued. This should be pretty straightforward now: I spent quite some time writing custom scripts to create reverse connections and other things, only to realise you can just use a VPN connection.

So to the hardware then; here is a kit list of everything that I’ve got:

*Not strictly necessary but it does mean you can connect to a network if it’s PoE capable without the need for a Power supply

First things first, don’t be the idiot that I was and try and install the Pi into the case with the Micro SD card installed. It’ll cost you £10 for a replacement!

So now that we have everything we need, let’s get Kali installed on the SD card. This is pretty easy, as Kali has an ARM variant of its operating system: https://www.kali.org/get-kali/#kali-arm. Download the image specific to your device. There are a few options for imaging software to get the image onto your SD card; the one I use is called Etcher by Balena: https://www.balena.io/etcher/. It’s really easy to use; however, I did get an error message when adding my Kali ARM image stating it couldn’t be written properly. I ignored it and installed the SD card in the Pi, and it works fine.

Next we need to decide how we’re going to connect out to our command and control system. As mentioned above, I went off on a complete tangent with this and tried creating my own Python script to connect out and open a reverse connection. In the end this wasn’t necessary at all. As every business has an internet connection and the main use of this is web browsing, outbound access to an SSL VPN service is almost always going to be open. To make this work, Kali has OpenVPN already installed, so you just need to set up a service which your dropbox can connect to. In my case we’ve already set up a VPN service to our office which is available on TCP/443. All I needed to do was download the OpenVPN config file from my VPN server, set the connection to TCP/443 (the default is UDP/1194) and connect up.

We’ve now got a device that can connect to a remote service from anywhere in the world, providing we run that script. Let’s get this to run on boot. To do this we need to enable OpenVPN at boot using this command (the unit name is lowercase): systemctl enable openvpn

This starts the service on boot, and by default it looks for a config file in /etc/openvpn/openvpn.conf. Moving our config file to that location and renaming it to openvpn.conf will solve this riddle. Now on boot it automatically starts OpenVPN and connects to our VPN service. This is great; the final piece is to have some error checking. Should the VPN go down for whatever reason, we need something to attempt to re-establish the connection and/or test for any internet connectivity problems. To solve this we will use a Python script and a cron job which will run the script every 5 minutes.

import http.client
import ipaddress
import os
import socket
import subprocess
import time
import urllib.parse

import netifaces as ni

# "1.1.1.1" is used throughout as the sentinel for "no VPN address found".

def CheckIPAddress():
    # Ask the kernel which local address it would use to reach the VPN network.
    # connect() on a UDP socket sends no traffic; it only does the route lookup.
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as SocforIP:
            SocforIP.connect(("IP of VPN Network", 80))
            vpnIP = SocforIP.getsockname()[0]
        if ipaddress.ip_address(vpnIP) in ipaddress.ip_network('Subnet of VPN Network'):
            VPNOn = CheckifVPNOperational()
            if VPNOn is not None:
                return VPNOn
            return vpnIP
        return "1.1.1.1"
    except (OSError, ValueError):
        return "1.1.1.1"

def CheckIfAddressDifferent(IpAddress):
    # StoredIP.txt holds "<ip>,<timestamp>" from the previous run.
    try:
        with open("StoredIP.txt") as file:
            OriginalIP = file.readline().split(",")[0]
    except OSError:
        # First run: create the state file; the address is recorded on the next run.
        with open("StoredIP.txt", 'w') as file:
            file.write("new file opened")
        return
    if OriginalIP != IpAddress:
        with open("StoredIP.txt", 'w') as OpenFile:
            OpenFile.write(str(IpAddress) + "," + str(time.time()))
        SendNotification("Tap Interface of the-box has changed and is now: " + IpAddress)

def SendNotification(Message):
    # Push the message through the Pushover API (token and user are placeholders).
    PushoverConnection = http.client.HTTPSConnection("api.pushover.net:443")
    PushoverConnection.request("POST", "/1/messages.json",
        urllib.parse.urlencode({
            "token": "xxxxxx22222222",
            "user": "xxxxxxx33333333",
            "message": Message,
            "title": "Dropbox has connected to the VPN"
        }), {"Content-type": "application/x-www-form-urlencoded"})
    response = PushoverConnection.getresponse()
    PushoverConnection.close()

def CheckforInternetConnectivity():
    # A single ping tells us whether the outage is the VPN or the whole uplink.
    response = os.system("ping -c 1 8.8.8.8")
    if response == 0:
        # Internet is up but the VPN is not: restart OpenVPN and check again.
        os.system("systemctl restart openvpn")
        time.sleep(5)
        ipaddressfound = CheckIPAddress()
        if ipaddressfound == '1.1.1.1':
            pass  # still no VPN address; the next cron run tries again
    else:
        with open("StoredIP.txt", 'w') as file:
            file.write("There is no internet connectivity," + str(time.time()))

def CheckifVPNOperational():
    # os.system() only returns an exit status, so capture the command output instead.
    result = subprocess.run(["ifconfig", "tun0"], capture_output=True, text=True)
    if result.returncode != 0 or "Device not found" in result.stderr:
        # tun0 is missing: restart OpenVPN and report that no address is available.
        os.system("systemctl restart openvpn")
        return None
    try:
        return ni.ifaddresses('tun0')[ni.AF_INET][0]['addr']
    except (ValueError, KeyError, IndexError):
        return None

if __name__ == '__main__':
    ipaddressfound = CheckIPAddress()
    if ipaddressfound != '1.1.1.1':
        CheckIfAddressDifferent(ipaddressfound)
    else:
        CheckforInternetConnectivity()

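Finally, to run the cron job every five minutes, set the timings as follows (a cron schedule needs five time fields before the command): */5 * * * * python3 notification.py

Cron starts the job in the user's home directory, so notification.py and StoredIP.txt are resolved relative to that directory.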
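The two checks the watchdog script depends on, the route-lookup test for "am I on the VPN?" and the StoredIP.txt change tracking, are shown below as an added example (not the author's code) that also handles a missing state file and a state file holding a status message instead of an address. The function names are assumptions made for illustration.

```python
# Added example: function names are illustrative, not from the original script.
import ipaddress
import os
import socket
import tempfile
import time

def source_ip_for(dest_ip, port=80):
    """Return the local address the kernel would pick to reach dest_ip."""
    # connect() on a UDP socket sends no packets: it only performs the
    # route lookup and binds the socket to the chosen source address.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.connect((dest_ip, port))
        except OSError:              # no route to the destination at all
            return None
        return sock.getsockname()[0]

def on_vpn(src_ip, vpn_cidr):
    """True only if src_ip is a valid address inside the VPN subnet."""
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(vpn_cidr)
    except (TypeError, ValueError):  # None, "", or a status string
        return False

def read_last_ip(state_path):
    """Return the stored IP, or None if the file is missing or its first
    field is a status message rather than an address."""
    try:
        with open(state_path) as fh:
            first = fh.readline().split(",")[0].strip()
        ipaddress.ip_address(first)  # raises ValueError for status text
        return first
    except (OSError, ValueError):
        return None

def record_ip(state_path, ip, now=None):
    """Store "ip,timestamp"; return True if the address changed, which is
    the only case in which the caller should send a notification."""
    if read_last_ip(state_path) == ip:
        return False
    directory = os.path.dirname(os.path.abspath(state_path))
    fd, tmp = tempfile.mkstemp(dir=directory)   # created with mode 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{ip},{now if now is not None else time.time()}")
    os.replace(tmp, state_path)      # atomic rename: no half-written file
    return True
```

Writing the state file through a temporary file and a rename means a power loss mid-write, which is likely on an unattended Pi, cannot leave a truncated StoredIP.txt behind.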
