Abusing Windows VPN for EXFIL


Last updated 1 year ago


Recently, I came across a section in Windows Settings called "VPN Settings". After some digging, I identified that we can "create" and "modify" VPN settings and "connect" to newly created VPNs.

Obviously, VPNs tunnel traffic past network controls such as proxies and egress firewalls. This can be abused to exfiltrate data or to create a pivot into the network. The following is a short blog post outlining attack techniques for abusing this Windows VPN feature in Red Team engagements.

It goes without saying that whatever's published here is only intended for educational purposes, and I'm not responsible for any malicious usage. I'm adding a few detection controls at the bottom for our defender friends to start monitoring their networks.

OK, so there's a VPN settings pane inside Windows. Here's how you can access it:

  1. Head to Settings > Network & Internet

  2. Choose ‘VPN’ from the left pane

  3. Click ‘Add a VPN connection’ from the screen that appears

The weird thing is that any non-administrative user can create a VPN profile and connect to it. Essentially, this means any user can create a VPN without administrative privileges, and can therefore bypass the proxy/firewall and perform c00l actions like: establishing a tunnel with a server (thereby creating a pivot into the network), exfiltrating huge amounts of data, and more.

How to do it?

Steps:

  1. Create a PPTP VPN server by following the guide linked below (takes 2 minutes)

  2. Create a VPN connection using the settings pane

  3. Connect to the connection

Exfiltration

Once you are connected, you can do a lot. For instance, you can use "uploadserver" (a Python package) to upload data.

On your VPN server, type:

pip3 install uploadserver
python3 -m uploadserver

Go to your VPN-connected computer and browse to the server's local URL.

Does it work through PowerShell for non-administrative users?

No.

However, you can use "rasdial.exe" to connect via the command line. This can be used to trigger the VPN (which may have been set up through a compromised RDP session), or combined with persistence methods like startup folders to repeatedly reconnect to the VPN.
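Two host-side checks for the points above (non-admin users can quietly create VPN profiles, and rasdial.exe can be dropped into a startup folder for persistence), written as an added example that is not code from the original post. It assumes the VpnClient module (Get-VpnConnection) is available on the host, and the approved-server list is a constructed placeholder you would replace with your own.

```powershell
# Added example (not code from the original post). Two host-side checks a
# defender can run: (1) list VPN profiles whose server is not on an approved
# list, which catches profiles a non-admin user quietly created in the Settings
# pane; (2) look for rasdial.exe persistence in the per-user and all-users
# Startup folders.
# Assumptions: the VpnClient module (Get-VpnConnection) is present, and the
# approved-server list below is a constructed placeholder.

$ApprovedVpnServers = @('vpn.corp.example')   # placeholder allow-list

function Get-UnapprovedVpnProfile {
    foreach ($scope in 'CurrentUser', 'AllUsers') {
        # Per-user profiles are what the Settings pane creates; -AllUserConnection
        # returns machine-wide profiles. Both calls error when nothing exists.
        $profiles = if ($scope -eq 'AllUsers') {
            Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue
        } else {
            Get-VpnConnection -ErrorAction SilentlyContinue
        }
        foreach ($p in $profiles) {
            if ($ApprovedVpnServers -notcontains $p.ServerAddress) {
                [pscustomobject]@{
                    Scope         = $scope
                    Name          = $p.Name
                    ServerAddress = $p.ServerAddress
                    TunnelType    = $p.TunnelType
                }
            }
        }
    }
}

function Find-RasdialStartupItem {
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        foreach ($item in Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue) {
            $hit = $false
            switch ($item.Extension.ToLower()) {
                '.lnk' {
                    # Resolve the shortcut and inspect its target and arguments.
                    $lnk = $shell.CreateShortcut($item.FullName)
                    if (($lnk.TargetPath + ' ' + $lnk.Arguments) -match 'rasdial') { $hit = $true }
                }
                { $_ -in '.bat', '.cmd', '.ps1', '.vbs' } {
                    # Plain-text scripts: search for a rasdial invocation.
                    if (Select-String -Path $item.FullName -Pattern 'rasdial' -Quiet) { $hit = $true }
                }
            }
            if ($hit) {
                [pscustomobject]@{ Folder = $folder; Path = $item.FullName }
            }
        }
    }
}

# Usage: both functions emit objects only for findings, so empty output is good news.
Get-UnapprovedVpnProfile | Format-Table -AutoSize
Find-RasdialStartupItem   | Format-Table -AutoSize
```

Run it under each interactive user's context (or loop over profiles with a management tool) since per-user VPN profiles are only visible to the user who created them; the all-users check and the CommonStartup folder cover the machine-wide side.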

Detection

Event ID 20222 is written to the Application log whenever a user connects to a VPN.

The "Server address" field of that event contains the server being used.
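A query over that event, as an added example that is not code from the original post. It assumes the provider name of event 20222 is RasClient and that the message text contains a "Server address: <host>" field (the post only says the event carries the server address, so confirm the exact wording on your own hosts and adjust the regex); the approved-server list is a constructed placeholder.

```powershell
# Added example (not code from the original post). Pull RasClient event 20222
# from the Application log and flag connections to VPN servers outside an
# approved list.
# Assumptions: the event's provider name is 'RasClient', and the message text
# contains a 'Server address: <host>' field (the post only says the event
# carries the server address; check the wording on your own hosts and adjust
# the regex). The approved-server list is a constructed placeholder.

$ApprovedVpnServers = @('vpn.corp.example')   # placeholder allow-list

function Get-VpnConnectEvent {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20222 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message format; the field name comes from the post.
            $server = if ($_.Message -match 'Server address:\s*(\S+)') { $Matches[1] } else { $null }
            # Resolve the dialing account's SID to a name where possible.
            $user = try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { "$($_.UserId)" }
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                User          = $user
                ServerAddress = $server
                Approved      = [bool]($server -and ($ApprovedVpnServers -contains $server))
            }
        }
}

function Get-SuspiciousVpnConnectEvent {
    # Unapproved servers, plus events whose message did not parse (worth a look).
    Get-VpnConnectEvent | Where-Object { -not $_.Approved }
}

# Usage: run as an account with read access to the Application log.
Get-SuspiciousVpnConnectEvent | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Because the event is local to each endpoint, forward the Application log (or at least this event ID) to your SIEM and alert on any server address that is not on the approved list; a first-seen server for a given user is the cheapest useful trigger.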

Update: I've observed in a few setups that although we are able to add a new VPN, I'm unable to connect to it (not sure which control is blocking it). Drop a note if you know something about it.

Peace

./

@pbssubhash
Links:

  • Windows 10 has a built-in VPN client, but is it worth using? (Tech Advisor)
  • Windows 10 Built In VPN
  • PPTPServer - Community Help Wiki

Screenshot: VPN Settings page