VPN(virtual private network)


VPN(virtual private network)

How VPN works?

Background: 3 properties of the packet

  • user authenticated 
  • content protected
  • integrity preserved
To achieve the goal, we have to encrypt the packet, but we cannot simply encrypt all the IP packet because the header will be encrypted so that the router cannot read the header of the packets and change the header(TTL and checksum).

To solve this problem, we have IP tunneling. 
  • IPSec Tunneling. Based on IP layer, and encapsulated the old IP packet into a new IP packet. This implement in the kernel.
  • TLS/SSL Tunneling. Based on transport layer, and encapsulated inside a TCP or UDP packet. Both end of the tunnel utilize the TLS/SSL protocol on top of TCP/UDP.

TLS/SSL is more popular because update application is much easier than update tha OS.



What is tun/tap: tun is at layer 3 and tap is at layer 2, Ethernet. 
TUN/TAP provides packet reception and transmission for user space programs


e.g. : The packet from 10.0.7.0/24 want to send to 10.0.8.0/24. All the packet will send to VPN client first.

Step 1: Established a TLS/SSL tunnel first. Client have to make sure it joins the intended private network and the server has to authenticate the client.

Step 2: The IP packet wants to go to 10.0.8.0/24 will go through tun interface and proceed by openVPN program, then send out through eth0 interface. All this happened in the user space on the client-side. The new IP header and UDP/TCP header added at this time. The destination IP and source IP are VPN server's and VPN client's IP.

Step 3: When the packet arrives at the VPN server, the new IP header and the UDP/TCP header will be stripped away, and the original IP packet will be sent to the destination computer according to the destination IP in the header.


Both VPN-Client and VPN-server has at least two Virtual network interface(VIF) which are tun/tap and eth0. They are in different network mask, such as '10.0.7.0' and '192.230.2.0'.

Problem: We are going to ping '192.168.60.101' from '10.0.2.7'
Create a VPN tunnel via TUN/TAP

Make a tunnel and set its network segment as 192.168.53.0/24.
  • On VPN server(10.0.2.10/192.168.60.1)
Turn up the 'tun0' interface and set its network.
sudo ifconfig tun0 192.168.53.1/24 up

make it transmit the packet

sudo sysctl net.ipv4.ip_forward=1 

 Add route entry that all the traffic related to '192.168.53.0' direct to 'tun0' interface.
sudo route add -net 192.168.53.0/24 tun0 

  • Set the VPN client (10.0.2.7)
Turn up the 'tun0' interface and assign IP for it :
sudo ifconfig tun0 192.168.53.5/24 up

Set all the traffic related to '192.168.60.0' go through 'tun0'.

sudo route add -net 192.168.60.0/24 tun0 

Try to ping '192.168.60.101' from '10.0.2.7'.

















Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Cheat sheet for security+

Image
Malware virus: need people action to execute and spread. Hoax: trick the victim to infect, like game. worms: spread and execute without humman  trojans: can get remote control. RAT(remote access Trojan) ransomware: take control of your computer system, pay for unlock, most time will not unlock if you pay spyware: audit the callender, website history and other actions. rootkit: a type of backdoor, software design to administrative level control or root priviledge without detection. use DLL injection. malicious code inserted into a running process or kernel-mode device drvier. intercept calls and redirect to the malicous code. spam: CAN-Spam Act law to stop relaying send out email through other's mail server. Spim(instant message) like chat, text message.
Read more