Categories
Coding Computers Hacking Linux Networks

Kali Dropbox

#Please note any links in this article are affiliate links. You will not be charged extra if you use these links however, I will get some kickback if you do so thank you.

As part of performing a Penetration Test, it is often good practice to try and get a device on the internal network, especially if performing a physical test. There are loads of ways of doing this with guides available from YouTube and other blog sites but I thought I would write up how I’ve done it in case, someone comes across this page and is intrigued. This should be pretty straightforward now as I’ve spent quite some time writing custom scripts to create reverse connections and other things to then realise you can just use a VPN connection.

So to the hardware then; here is a kit list of everything that I’ve got:

*Not strictly necessary but it does mean you can connect to a network if it’s PoE capable without the need for a Power supply

First things first, don’t be the idiot that I was and try and install the Pi into the case with the Micro SD card installed. It’ll cost you £10 for a replacement!

So now that we have everything we need, let’s get Kali installed on the SD Card. This is pretty easy as Kali have an ARM variant of their operating system https://www.kali.org/get-kali/#kali-arm. Download the image specific for your device. To get the image onto your SD card there are a few options for imaging software the one I use is called Etcher by Balena: https://www.balena.io/etcher/. It’s really easy to use, however, I did get an error message when adding my Kali ARM image stating it couldn’t be written properly. I ignored it and installed the SD Card in the Pi and the works fine.

Next we need to decide on how we’re going to connect out to our command and control system. As mentioned above, I went off on a complete tangent with this and tried creating my own Python script to be able to connect out and open a reverse connection. In the end this wasn’t necessary at all. As every business has an internet connection and the main use of this is web browsing using an SSL VPN service is almost always going to be open. To make this work Kali has OpenVPN already installed so you just need to set up a service which your Dropbox can connect to. In my case we’ve already set up a VPN service to our office which is available on TCP/443. All I needed to do is download the OpenVPN config file from my VPN server set the connection request to TCP/443 (default is UDP/1194) and connect up.

We’ve now got a device that can connect up to a remote service from anywhere in the world providing we run that script. Let’s get this to run on boot. To do this we need to enable OpenVPN from boot using this command: systemctl enable OpenVPN

This starts the service on boot and by default looks for a config file in /etc/openvpn/openvpn.conf. Moving our config file and renaming it to openvpn.conf in that location will solve this riddle. Now on boot it automatically starts OpenVPN and connects up to our VPN service. This is great the final piece is to have some error checking, should the VPN go down for whatever reason we need something to attempt to re-establish the connection and/or test for any internet connectivity problems. To solve this we will use a Python script and a Cron Job which will run the script every 5 minutes.

import http.client, urllib
import socket
import ipaddress
import os
import time
from netifaces import AF_INET, AF_INET6, AF_LINK, AF_PACKET, AF_BRIDGE
import netifaces as ni

def CheckIPAddress():
   try:
       SocforIP = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
       SocforIP.connect(("IP of VPN Network", 80))
       vpnIP = SocforIP.getsockname()[0]
       if ipaddress.ip_address(vpnIP) in ipaddress.ip_network('Subnet of VPN Network'):
          VPNOn = CheckifVPNOperational()
          if VPNOn != None:
             return VPNOn
          return vpnIP
       else:
          return "1.1.1.1"
   except:
       return "1.1.1.1"

def CheckIfAddressDifferent(IpAddress):
    try:
        file = open("StoredIP.txt")
        line = file.readline()
        OriginalIP = line.split(",")[0]
        file.close
        if(OriginalIP != IpAddress):
            with open("StoredIP.txt", 'w') as OpenFile:
                OpenFile.truncate(0)
                OpenFile.write(str(IpAddress) + "," + str(time.time()))
                SendNotification("Tap Interface of the-box has change and is now: " + IpAddress)
    except:
        with open("StoredIP.txt", 'w') as file:
            file.write("new file opened")

def SendNotification(Message):
    PushoverConnection = http.client.HTTPSConnection("api.pushover.net:443")
    PushoverConnection.request("POST", "/1/messages.json",
        urllib.parse.urlencode({
            "token": "xxxxxx22222222",
            "user": "xxxxxxx33333333",
            "message": Message,
            "title": "Dropbox has connected to the VPN"
        }), {"Content-type": "application/x-www-form-urlencoded"})
    response = PushoverConnection.getresponse()

def CheckforInternetConnectivity():
    response = os.system("ping -c 1 8.8.8.8")
    if response == 0:
        os.system("systemctl restart openvpn")
        time.sleep(5)
        ipaddressfound = CheckIPAddress()
        if ipaddressfound == '1.1.1.1':
            True
    else:
        with open("StoredIP.txt", 'w') as file:
            file.truncate(0)
            file.write("There is no internet connectivity," + str(time.time()))

def CheckifVPNOperational():
    response = os.system("ifconfig tun0")
    try:
       if "Device not found" in response:
         os.system("systemctl restart openvpn")
    except Exception as e:
         tun0ip = ni.ifaddresses('tun0')[AF_INET][0]['addr']
         return tun0ip

if __name__ == '__main__':
    ipaddressfound = CheckIPAddress()
    if ipaddressfound != '1.1.1.1':
        CheckIfAddressDifferent(ipaddressfound)
    else:
        CheckforInternetConnectivity()

Finally to run a Cron Job every five minutes you need to set the timings as follows: */5 * * * python3 notification.py

Categories
Networks

Automatically backing up Juniper switch configs

Over the past few years I’ve spent a considerable amount of time trying to find an cheap or free solution for backing up network devices at my workplace. As we were completely a Cisco house this lead be to installing RANCID on Ubuntu. This was a brilliant solution only taking a couple of hours to implement and backup the entire network.

Fast forward 8 years and things have changed dramatically, my workplace is no longer a Cisco only house, implementing Dell, Juniper, Fortinet and Cisco device into the network. This in turn has caused quite a bit of pain in getting our backups to work effectively. Our most recent requisition was some Juniper EX series switches. Investigation suggested that RANCID is capable of backing up Juniper equipment but it took some messing about to make it work. Here are the steps I have implemented to be able to get a backup of the switches:

  1. Software used:
    Ubuntu Linux
    RANCID 3.7
  2. Juniper Config
    Install a class specifically for the backup user:
set system login class backup permissions access
set system login class backup permissions admin
set system login class backup permissions firewall
set system login class backup permissions flow-tap
set system login class backup permissions interface
set system login class backup permissions network
set system login class backup permissions routing
set system login class backup permissions secret
set system login class backup permissions security
set system login class backup permissions snmp
set system login class backup permissions storage
set system login class backup permissions system
set system login class backup permissions trace
set system login class backup permissions view
set system login class backup permissions view-configuration

Install a new user and tie to the newly created class:

set system login user backup class backup
set system login user backup authentication plain-text-password

This isn’t ideal and the best way would be to implement the user with an SSH key-pair rather than passwords that way the RANCID server doesn’t have your network passwords in a plain text file.

3. RANCID Config

Here I have needed to make some modifications. First of all if you already have backups and are re-using the management addresses when migrating delete the files from the config folder and also the Entries file in the CVS folder of each individual site.

Modify your router.db file in your site folders to be the following for each of your juniper switches:

<deviceIP/name:deviceType:status>
router.name:juniper:up

Next you will need to modify the base file for types within RANCID, for me this was in /etc/rancid. In this file fine the following line:

juniper;command;junos::ShowConfiguration;show configuration

and change it to this:

juniper;command;junos::ShowConfiguration;show configuration | display set

If required, modify your .cloingrc file to include your newly created user and password here is what I did as a test:

add method 192.168.1.1 ssh
add user 192.168.1.1 backup
add password 192.168.1.1 passwordsetinjuniper

Then I needed to modify the junos perl script, for Ubuntu and the default install location this is in /usr/share/perl5/rancid/junos.pm. The following line needs to be commented:

next if (/^## last commit: /i);

Finally if you’re running this in Ubuntu run the login for Juniper to ensure that the server can login to switch successfully:

/usr/lib/rancid/bin/jlogin -f /var/lib/rancid/.cloginrc junipermgmtIP

If all is well and you can successfully login proceed to running the rancid-run file and monitor the logs to confirm the configuration have backed up:

sudo su -c /var/lib/rancid/bin/rancid-run -s /bin/bash -l rancid

Categories
Networks

Mist/PacketFence Web Auth

Please note this is not supported by PacketFence/Inverse at the time of writing

There aren’t really any guides out there for Mist and Packetfence integration. During our time working with the Mist engineers we were able to get the authentication services working between Mist and PacketFence. We’ll submit this as a PR to Packetfence in the hope that it’s included in the main release.

Mist Configuration

To make this work you need to configure the Mist system with an SSID with the following security parameters:

Security Settings
Radius Settings
CoA Settings

From here the Mist system attempts to authenticate the device using RADIUS-MAB against the PacketFence system. Should PacketFence not authenticate the device, it returns a redirect request for the device which the Mist AP picks up and forwards to the client so that they can register.

The CoA settings are required here as, should the user no longer become registered e.g. PacketFence times out the device, then a CoA is sent to the Mist system for the device to be disassociated from the wireless environment.

PacketFence Configuration

Firstly, the Mist.pm perl script will need to be installed into the PacketFence environment so PacketFence understand hows to communicate with Mist and to perform the CoA requests as per the configuration. To access this please visit here: https://github.com/talanw/mist-packetfence

Mist uses the APs as a RADIUS Authenticator so each AP will need to be installed as a “Switch” in the PacketFence configuration. We have created a script to do this as PacketFence do not provide a POST in their API Documentation for config/switches as well as deployment of RADIUS to NPS which is available here: https://randomitstuff720939636.wordpress.com/2020/06/02/mist-nps-and-packetfence-radius-scripts/

However, should you only need to deploy one or two APs as part of a PoC then the switch settings required are as follows:

Definition
IP Address: Ip Address of the AP
Type: Cisco::Mist
Mode: Production
Deauthentication Method: RADIUS
Use CoA: Yes

Roles
Role by VLAN ID: Off
Role by Switch Role: Off
Role by Access List: Off
Role by Web Auth URL: On
registration: https://packetfence.contoso.com/Cisco::WLC

RADIUS
Secret Passphrase: RadiusSecretKey

Categories
Networks

Mist – NPS and PacketFence Radius Scripts

Here is a generic script for importing Mist APs into Microsoft’s NPS RADIUS Server and Packetfence’s Switching configurations:

Mist Setup

$Headers = @{
Authorization = "Token xWH84fgSnZTBMfA2eC9azGqNR2RFfgpmRGo9FGbaw0DlTm6enmfrK0cxkIYtEhdEvvRZesWddU222vHT82hnb0eSZecswe1iWl9h7C"
}
$Sites = @("771cb8f4-83ac-4385-bf4b-a68a61a8c853", "32f7bd38-9f01-4a3e-81b0-d4afbbc10f12", "e6f6d5c8-4dc9-4a55-ba76-1a903ec5d3f4", "d1320dcc-1e38-4d10-8518-19d844c119f4", "c8d2c1ea-76dd-4183-8cd4-5efcf3de6c4a", "b67b5694-03c2-4155-9b3d-751484b58c65", "dfcd013d-17b3-4805-9b91-2c86f70f3936" )
$SiteNames = @("Site 1", "Site 2", "Site 3", "Site 4", "Site 5", "Site 6", "Site 7")

packetfence setup

$LoginParams = @{"username"="admin";"password"="supersecretpassword"}
$PFLogin = Invoke-WebRequest -Uri "https://packetfence.contoso.com:1443/api/v1/login" -Method POST -Body ($LoginParams|ConvertTo-JSON)
$PFToken = ConvertFrom-Json $PFLogin.Content
$PFToken = $PFToken.token
$PFHeaders = @{
Authorization = "Bearer $PFToken"
}

System Loop

for($i=0; $i -lt $Sites.length; $i++)
{
	Write-Host "Performing checks on site:" $SiteNames[$i]
	$Uri = "https://api.mist.com/api/v1/sites/" + $Sites[$i] + "/stats/devices"
	$APStats = Invoke-WebRequest -Uri $Uri -Headers $Headers -ContentType "application/json"
	$Converted = ConvertFrom-Json $APStats
	$CurrentNPSClients = Get-NpsRadiusClient
	Foreach($AP in $Converted) {
	#check NPS and if the RADIUS Client doesn't exist create a new entry
	$ClientCheck = $false
	$NewNameObject = $AP.name
	$CurrentNPSClients | ForEach-Object {
		If($_.Name -eq $NewNameObject)
		{
			$ClientCheck = $true
		}
	}
	Write-Host "Is the AP already configured in NPS:" $ClientCheck
	if($ClientCheck -eq $false)
		{
		New-NpsRadiusClient -Name $AP.name -Address $AP.ip -SharedSecret "RadiusSharedSecret"
		}

		#check PacketFence to see whether there is a RADIUS Client if not create one
		try
		{
			$URIPF = "https://packetfence.contoso.com:1443/api/v1/config/switch/" + $AP.ip
			$URIPF
			$PFSwitch = Invoke-WebRequest -Uri $URIPF  -Headers $PFHeaders -ContentType "application/json"
			Write-Host "The AP already configured in PacketFence:" $AP.ip
		}
		catch
		{
			Write-Host "Adding the following AP to PacketFence:" $AP.ip
			$IP = $AP.ip
			$Desc = $AP.name
			$PostValues = @{"AccessListMap"=$null;"ExternalPortalEnforcement"="Y";"REJECTAccessList"=$null;"REJECTRole"=$null;"REJECTUrl"=$null;"REJECTVlan"=$null;"RoleMap"=$null;"SNMPAuthPasswordRead"=$null;"SNMPAuthPasswordTrap"=$null;"SNMPAuthPasswordWrite"=$null;"SNMPAuthProtocolRead"=$null;"SNMPAuthProtocolTrap"=$null;"SNMPAuthProtocolWrite"=$null;"SNMPCommunityRead"=$null;"SNMPCommunityTrap"=$null;"SNMPCommunityWrite"=$null;"SNMPEngineID"=$null;"SNMPPrivPasswordRead"=$null;"SNMPPrivPasswordTrap"=$null;"SNMPPrivPasswordWrite"=$null;"SNMPPrivProtocolRead"=$null;"SNMPPrivProtocolTrap"=$null;"SNMPPrivProtocolWrite"=$null;"SNMPUserNameRead"=$null;"SNMPUserNameTrap"=$null;"SNMPUserNameWrite"=$null;"SNMPVersion"=$null;"SNMPVersionTrap"=$null;"UrlMap"="Y";"VlanMap"="N";"VoIPCDPDetect"=$null;"VoIPDHCPDetect"=$null;"VoIPEnabled"=$null;"VoIPLLDPDetect"=$null;"cliAccess"=$null;"cliEnablePwd"=$null;"cliPwd"=$null;"cliTransport"=$null;"cliUser"=$null;"coaPort"=$null;"controllerIp"=$null;"deauthMethod"="RADIUS";"defaultAccessList"=$null;"defaultRole"=$null;"defaultUrl"=$null;"defaultVlan"=$null;"description"="$Desc";"disconnectPort"=$null;"gamingAccessList"=$null;"gamingRole"=$null;"gamingUrl"=$null;"gamingVlan"=$null;"group"="default";"guestAccessList"=$null;"guestRole"=$null;"guestUrl"=$null;"guestVlan"=$null;"id"="$IP";"inlineAccessList"=$null;"inlineRole"=$null;"inlineTrigger"=$null;"inlineUrl"=$null;"inlineVlan"=$null;"isolationAccessList"=$null;"isolationRole"=$null;"isolationUrl"=$null;"isolationVlan"=$null;"macSearchesMaxNb"=$null;"macSearchesSleepInterval"=$null;"mac_trigger"=$null;"mode"=$null;"port_trigger"=$null;"radiusSecret"="RadiusSharedSecret";"registrationAccessList"=$null;"registrationRole"=$null;"registrationUrl"="https://packetfence.contoso.com/Cisco::WLC";"registrationVlan"=$null;"ssid_trigger"=$null;"type"="Cisco::Mist";"uplink"=$null;"uplink_dynamic"="dynamic";"useCoA"="Y";"voiceAccessList"=$null;"voiceRole"=$null;"voiceUrl"=$null;"voiceVlan"=$null;"wsPwd"=$null;"wsTransport"=$null;"wsUser"=$null}
			$PFAddSwitch = Invoke-WebRequest -Uri "https://packetfence.contoso.com:1443/api/v1/config/switches" -Method POST -Headers $PFHeaders -Body ($PostValues|ConvertTo-JSON)
		}
	}
}