How VPN pivoting creates an undetectable local network tap

Last updated at Wed, 26 Jul 2017 14:47:58 GMT

Let's assume your goal for an external penetration test is to pwn the domain controller. Of course, the domain controller's IP address is not directly accessible from the Web, so how do you go about it? Seasoned pentesters already know the answer: they compromise a publicly accessible host and pivot to other machines and network segments until they reach the domain controller. It's the same concept as a frog trying to cross a pond by jumping from lily pad to lily pad. 

If you have already used pivoting, chances are high that you've used proxy pivoting. In other words, the payload you have deployed to a compromised machine to enable pivoting is a proxy that understands and forwards specific protocols. It works, but it can be very limiting.

Metasploit Pro introduces a new type of pivoting, which we've called VPN pivoting because it essentially creates a VPN gateway on your target machine to which you have an encrypted layer 2 connection. VPN pivoting creates a virtual Ethernet adapter on the Metasploit Pro machine that enables you to route any traffic through the target. Let me repeat that: “Metasploit Pro is the first and only pentesting solution to route any traffic through a compromised target". 

Let's say you've just pivoted into a different subnet, VPN pivoting enables you to run nmap or a vulnerability scanner such as NeXpose through the compromised machine to discover new hosts in that subnet, for example the domain controller you've been after. Even better, there are no limits on how many VPN pivots you can chain behind each other. Got custom tools you'd like to use through a VPN pivot? Go ahead! 

Metasploit Pro's VPN pivot payload does not install any software on the target machine, doesn't show up as a separate process or give any other visual signs it's present on the machine. In other words, it's akin to a local network tap that is virtually undetectable. And yes: you can deploy VPN pivots using social engineering attacks, such as email attachments and USB thumbdrives to get around the corporate firewall. 

In version 3.5.0 of Metasploit Pro, VPN pivoting is supported for Metasploit Pro running on Linux and targeting a Windows machine. We'll soon extend that support, so stay tuned. In the meantime, take the software for a spin with the free Metasploit Pro trial download!