An internal penetration test simulates an attack on the network from inside the network. It typically simulates a rogue employee with user-level credentials or a person with physical access to the network, such as cleaning staff, trying to access resources on the network they're not authorized for.

Internal penetration tests typically require the auditor to be physically present in the location. If you are working as a consultant, then conducting internal penetration tests can mean a lot of travel. Unless the networks you have to audit are in prime vacation spots, this can be a drag, and it's expensive because it reduces billable time and incurs higher T&Es for your customer.

Here's an approach that eliminates the need to travel while still getting the same work done. One advantage is that it does not require you to ship an appliance or device to the customer that must later be returned. It also works not only for consulting shops but also for large companies with internal penetration testers who need to audit several sites.

Set up SSH server on the Internet

In this example, we set up an Ubuntu server hosted in the cloud. However, you could do this with any server that has an internet-facing IP address. In this example, the server has the address 192.0.2.1 and you will be auditing from 198.51.100.0/24. Here's what you do next:

  • Install the SSH server on the machine using sudo apt-get install openssh-server
  • Set up a new account for user tunneluser with the command sudo adduser tunneluser
  • Set up an SSH account for user tunneluser
  • Open the file /etc/ssh/sshd_config and append the line GatewayPorts yes
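  • Configure the server to only accept access to port 3790 from your own network with iptables rules like this (the ACCEPT rules are added before the default policy is switched to DROP, so an SSH session used to apply them is not cut off):
  # allow SSH from anywhere (the customer VM connects in over SSH)
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  # allow the forwarded Metasploit Pro port only from the auditor's network
  iptables -A INPUT -p tcp --dport 3790 --source 198.51.100.0/24 -j ACCEPT
  # drop everything else (-P sets the chain policy and cannot be combined with -A)
  iptables -P INPUT DROP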

Create a virtual machine running Metasploit Pro

Next, you need to set up the virtual machine you'll make available to your customer.

  • Create a virtual machine running Ubuntu 12.04
  • Generate an SSH key for tunneluser with ssh-keygen
  • Copy the resulting public key file (~/.ssh/id_rsa.pub) to /home/tunneluser/.ssh/authorized_keys on the Ubuntu machine created in the previous section. Prepend no-pty,command="/bin/false" to the key. This will ensure that someone who grabs the key from your VM will not be able to take control of the tunnel server. Both steps here can be performed with a single command:
  (echo -n 'no-pty,command="/bin/false" ';
  cat id_rsa.pub) >> ~/.ssh/authorized_keys
  • Ensure that the network adapter is set to bridged (payloads won't be able to connect back if the machine is NATed)
  • Download the latest version of Metasploit from www.rapid7.com
  • Install Metasploit on the machine
  • Create your Metasploit user name and password on the machine
  • Activate your Metasploit Pro license (if you don't have a license, sign up for the 7-day trial)
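  • Create a start-up script that contains only the following line: ssh -n -N -R3790:localhost:3790 tunneluser@192.0.2.1 (-N tells ssh not to run a remote command, so the forced /bin/false on the key does not end the session and close the tunnel)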
  • Shut down the virtual machine
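
One way to check what the tunnel key can still do if it is copied off the VM, as an added example that is not part of the original post. The key lines are constructed with placeholder key bodies, and the `restrict` and `permitlisten` options assume OpenSSH 7.8 or later on the tunnel server.

```sh
#!/bin/sh
# Added example: audit the authorized_keys entry of a tunnel-only account.
# The key lines below are constructed; the base64 bodies are placeholders.

# Print the option names on an authorized_keys line, one per line.
key_option_names() {
  printf '%s\n' "$1" | awk '{
    if ($1 ~ /^(ssh-|ecdsa-|sk-)/) exit        # starts with key type: no options
    q = 0; tok = ""
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      if (q && c == "\\") { i++; continue }     # escaped char inside a quoted value
      if (c == "\"") { q = !q; continue }
      if (!q && (c == "," || c == " ")) {       # option boundary outside quotes
        sub(/=.*/, "", tok); print tolower(tok); tok = ""
        if (c == " ") exit                      # options field ends at first space
        continue
      }
      tok = tok c
    }
  }'
}

# List what the entry leaves open on the tunnel server, or print "ok".
audit_tunnel_key() {
  names=$(key_option_names "$1")
  has() { printf '%s\n' "$names" | grep -qxF -- "$1"; }
  add() { findings="$findings$1;"; }
  findings=""
  if has restrict; then                         # restrict turns everything off,
    has port-forwarding || add "forwarding-disabled"   # so -R must be re-enabled
  else
    has no-pty || add "pty-allowed"
    has no-agent-forwarding || add "agent-forwarding-allowed"
    has no-x11-forwarding || add "x11-forwarding-allowed"
    if has no-port-forwarding; then add "forwarding-disabled"; fi
  fi
  has command || add "no-forced-command"
  has permitlisten || add "remote-forward-port-unrestricted"
  printf '%s\n' "${findings:-ok}"
}

PAGE_LINE='no-pty,command="/bin/false" ssh-rsa AAAAplaceholder tunneluser@vm'
HARDENED_LINE='restrict,port-forwarding,permitlisten="3790",command="/bin/false" ssh-ed25519 AAAAplaceholder tunneluser@vm'
echo "page entry:     $(audit_tunnel_key "$PAGE_LINE")"
echo "hardened entry: $(audit_tunnel_key "$HARDENED_LINE")"
```

The check does not cover local forwards (ssh -L); setting AllowTcpForwarding remote in a Match User tunneluser block of sshd_config limits the account to reverse tunnels.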

Have your client run the virtual machine in their network

Next, you'll have to ask your client to run the virtual machine on their network.

  • Zip the virtual machine and make it available to your client as a download (or FedEx a DVD)
  • Have the client boot the virtual machine on their network, where it gets a local IP address through DHCP
  • Ask the customer to log in to the machine, which launches the start-up script, creating an outbound SSH connection to your server.

Start your internal security audit - remotely

Time to get started on your internal security audit:

  • Point your browser to https://192.0.2.1:3790 (the tunnel server set up in the first section) and log in to Metasploit Pro.
  • All of your commands will be executed on the virtual machine inside your client's network.
  • When you're done, you can download the project file and reports through the browser directly onto your machine.
  • To end the engagement, ask your client to shut down the virtual machine. Note that all the data from the engagement is saved on this virtual machine, so you should either securely archive it or delete it.

Here's a network diagram of what you just set up:

Security considerations

Providing remote access to a local network can introduce security issues. However, the approach taken in these instructions is less dangerous than user-level VPN access:

  • The access needs to be initiated from the inside of the network, while VPN connections are initiated from the outside.
  • The virtual machine only has network access, while the VPN user also has credentials to access the network's resources.
  • All network communication is encrypted (VM to server: SSH, browser to server: SSL).
  • Strong authentication is used for all connections (VM to server: SSH, browser to server: user/password).
  • Access to Metasploit Pro is limited to the network range of the consultant's network.

Please let me know if you've had good experience with this approach, or if you have taken a slightly different approach that you would like to share.