
When my brother and I would be in the back seat, we'd typically be fighting about who gets to play with the Game Boy or the Game Gear, or maybe who gets to eat the last bag of chips. My brother was older, so he would win. And typically, road trips were just such a great experience for me, and more recently in my life also some really wonderful road trips with my family; we did some cool stuff across the US. There's one thing on these road trips that really can cause some problems: it's a nice big detour sign like this one. You're on a road trip, you're feeling great, the sun is shining, the wind is perfect, and lo and behold you run into a detour sign. Sean, when you see that detour sign, what do you usually think about? Okay, so yeah, you might think there's construction, but usually there's almost like an ambient anxiety that sets in, which is what I wanted Sean to say and he didn't, which is unfortunate. But anxiety that now there's going to be a delay, my trip is really messed up, and now I'm stressed, right? That's usually what happens to me at least. But that being said, you see a detour sign like this, maybe it's held by a police officer or a construction crew member; you're going to usually comply with it, take the detour and go on your merry way.

Imagine for a second, though, this guy was holding up the detour sign. By the way, this was an AI-generated image, kind of nice. But this guy's holding up the sign; are you inclined to take that detour? I'll tell you guys right now, as much as I'd like to portray myself as a tough guy, I would be running the opposite way as fast as absolutely possible, faster than George Costanza running out of this burning fire. For those of you who've seen this Seinfeld episode, it was absolutely one of my favorite scenes. But in any case, I wouldn't be taking that detour, I'll tell you that right now. And what it comes down to is, as we look through TunnelCrack and talk about some of the technical details, the decision made by... I would let you watch this over and over, and I'm sure this would actually be the best presentation you've seen, but I've got to skip that. But TunnelCrack and some of the vulnerabilities we're going to talk about take advantage of inherent trust under the hood, similar to that of the inherent trust that we see with this nice fancy official detour sign. So we're going to get into the details, and hopefully you enjoyed that little introduction.

All right, so super quick agenda in favor of time. We'll do a quick intro, explain who I am, why I'm here, all that good stuff. High-level introduction to remote access technologies in general; we're not going to go super deep into any of that. Then we're going to talk about this category of vulnerabilities called TunnelCrack, get into the details, also have about 10 minutes of demonstration to share along with that, and then, time permitting (chances are we're not going to get to it, but I will do my absolute best), some just general best practices and lessons learned from my experience in securing remote access infrastructure and remote access technology. Oops, we skipped to the very end, so that was great. By the way,
I'm borrowing someone's laptop, so it's actually kind of interesting that that would happen. I'm going back to the beginning, right? Sorry about that. You're not like controlling the laptop from all the way back there, are you, sabotaging? All right, so who am I? So currently I'm a systems engineer at Palo Alto Networks; for the last 16 months I was also a consulting engineer at Palo Alto Networks, so working with companies across North America, specifically in remote access, zero trust network access to be specific, companies of all sizes, organizations of all sizes, just working with them to figure out a whole variety of best practices and implementation and operations. Experience primarily in the networking and network security realm, more specifically, and more recently application security as well, which has been a lot of fun. Hobbies include gaming, so I'm a gamer when I have the opportunity. My son is actually in the room, which is kind of a fun little tidbit of information; he's a little bit shy. But I would be remiss if I didn't say there was a wonderful game that was launching today; it's the remake of a fun game that I used to play as a kid, Super Mario RPG, and I wore these awesome Mario socks to embarrass my wife, as you guys can see, as a little bit of an honor to that. I love sci-fi books, TV, movies, and hockey as well. And this is not a sponsored talk, by the way, or anything like that, so everything that I'm talking about and all of the information is purely my own, not of my employer.

All right, now let's get into the details. So as I said, a high-level intro to remote access technologies. So I developed this quote all by myself, so it's pretty thought-provoking. So what is a remote access technology? The technology which provides access to servers, devices and/or applications residing in a location to users or devices located anywhere. Very simple, but a big-brain quote there that I put together.
Hopefully you all enjoy it. Now the types of remote access: a very simple high-level overview of the sort of broad categories. Remote desktop style solutions, virtual private network solutions, as well as, more recently, zero trust network access solutions. TunnelCrack and some of the specifics to that are going to be much more applicable to both virtual private network and zero trust network access, so I'm going to be kind of omitting the remote desktop solutions, but it was worth pointing out for the sake of completeness.

So what is a virtual private network, or VPN? It's been around for a very long time; I'm sure a lot of you are very familiar with this already, but the concept is quite simple: you want to extend a network to somewhere else. That's quite frankly what it is. Commonly, under the hood, it's using protocols like IPsec and TLS to create a tunnel of some kind. It's very common to leverage this type of technology to enable privacy over some insecure medium, whether that's a guest wireless or a local area network that you just don't trust, like in a hotel, for example. But I guess fundamentally the way it behaves is very all-or-nothing: once you're on that network, once you establish this VPN, it's almost like teleporting your laptop or your machine to the other location, meaning you're now on that network with unlimited access. Fundamentally, you could implement other controls at a different location, but that's sort of outside the scope of how a VPN operates; it's detached from that. So very simple. And by the way, the five or six or seven slides we're going to talk about here about these types of remote access solutions are meant to be very high level, just to make sure we all have the same basic context, but we'll be getting pretty deep into technical context here right away as well.

So if we look at this very nice, simple drawing here: we have a user, some client, on the left; we have a VPN concentrator here kind of located in the middle-ish; there's the internet, of course, that we're transmitting over; and some fancy applications on the very right-hand side. So the client's going to, of course, create a connection and authenticate to our concentrator, nice and simple. After that, our concentrator is then responsible for assigning an IP address, subnet, DNS, etc. to our client, so that now, at that point, after those first two steps have been established, IP packets from that user, that device, are now going to be targeting this VPN concentrator to join this network over here, whatever that is, and as a result the client can access these two applications. Everything's great. So very simple, very high
level. Now zero trust network access is kind of an evolution of the same concepts that I just talked about: it extends that enterprise network to another location. However, of course, the difference, and why this even exists, is we now take that concept but ingrain zero trust principles natively into that solution. That's really the big difference here. Under the hood, though, and why this is even something I'm talking about, is that we may be using tunnel-based technologies, and they may be susceptible to tunnel-based vulnerabilities similar to that of a VPN. Now, the major difference, like I've already talked about, is we're using fine-grained identity and context-based controls to perform all the validation of the end user and their device before they can actually get onto the network, and instead of teleporting your machine or your laptop over to this remote location and just allowing them unfettered access, it's almost like saying, hey, I'm going to teleport your laptop over here but only plug it into this one application, and that's it. So it's a very fundamentally different architecture, and the key there is explicit access.

So revisiting these nice simple diagrams: of course the client, similar to the last diagram, is going to connect to this ZTNA device, whatever that may be. Some sort of assessment is going to be performed against the device, whether that's based on the user, the device, or a combination of the two. The client is then going to be permitted access to a set of resources based on who they are and what they should have access to. So think about it as, you know, somebody in your HR department might need access to HR-related resources, but other users in the organization probably don't, and then rather than trying to provide access to everything, let's limit the scope. So you can see here the client has access to application number one but inherently doesn't have access to application number two. Very straightforward. Again, you can think of it as VPN plus zero trust fundamentals ingrained into it.

All right, so that was a bit of a simple high-level overview of VPNs, remote access, zero trust. Next up we're going to talk more specifically about TunnelCrack: what this vulnerability is, how it works, and then of course we're actually going to get into a cool demonstration. So what is TunnelCrack? That's the first question we're going to have to answer, and what it is, quite simply, is a combination of two widespread vulnerabilities. I bolded "widespread" because it's very, very widespread, and it's a vulnerability class mostly in tunnel-based remote access technologies like VPN and zero trust,
like I just shared. What's interesting is every single VPN product on the market today is vulnerable to this, at least on one OS or another, and the root cause of this stems all the way back to the real fundamentals of tunnel-based technologies, all the way back to 1996. And that's what I quite frankly found a little bit more interesting about this vulnerability: it is so ubiquitous, it covers, like I said, every VPN product on the market, and it's been around for so long, so fundamental to how these things work; it's just been kind of hiding there all along, which is kind of interesting. Now the vulnerability itself: when it's exploited, either of the two vulnerabilities, the net outcome is really to take the user's private traffic that should be going over this virtual private network, take it out of the tunnel and sort of spit it out on the local area network. That's the root outcome that this vulnerability aims to achieve, effectively to hurt the privacy and the security of the user, and so we're going to see that in a little bit more detail.

It would be a bit of a fail on my part if I didn't recognize that this class of vulnerabilities was discovered and disclosed by this group of individuals at the bottom. I had absolutely nothing to do with that, as much as that would have been kind of cool; however, they did a great job of dissecting this and sharing this information. I've taken that information they've shared, I've packaged it up in a different way, created my own demonstration, and I'm sharing that onwards with all of you. So when I said it was ubiquitous and this was applicable to most VPN products, this is the chart, specifically for one of the vulnerabilities. As you can see, every single iOS VPN product today is vulnerable to the one vulnerability in TunnelCrack; macOS, most of them are; Windows, most of them are; Linux and Android, a little less so. So you can think about that: that's pretty significant, that's the bulk of endpoints and agents out there on the internet that are inherently vulnerable to this attack technique, well, this vulnerability.

But we talked about tunneling a little bit, but just to be more specific and make sure we're all working from the same context here: when a device has a VPN or zero trust network access client or agent installed on it, in almost all cases you're going to have something called a virtual adapter installed on that machine. Now the purpose of that virtual adapter is effectively to direct packets to the far end of the tunnel; that's
really, ultimately, what it's for. The reason for that, of course, is the operating system needs some logical construct for where to send all these packets to, and ultimately anything that goes into the virtual adapter goes all the way out to the other end, basically, like I said earlier, almost like you're teleporting that device and all the packets from it. And then ultimately, of course, the purpose of that is to provide the security and privacy associated with those layers of encapsulation and encryption. So here's a little bit of a drawing that I put together; I can tell I'm not really an artist, nor did I claim to be, but the simple drawing here: it's a laptop on the left-hand side. You can see I drew a little orange virtual adapter indicated in the laptop, so that's the operating system's way of recognizing and seeing this tunnel or this agent, and then the orange dotted line is effectively the tunnel that takes this user all the way from where they are today, through the internet or through whatever WAN or LAN, to a tunnel endpoint on the other side. So anything in between that point and this point should have absolutely no clue what this device is trying to do as far as these packets being sent through. This guy could be trying to access eBay or a bank, but anything in the middle should be completely unaware of what's happening, and that's the whole purpose, right? Privacy, security.

So why do we care? Well, all that was just a tunnel, right? Well, what's the purpose of all of this? Well, one important point here is that in many architectures, security inspection technologies are actually deployed over here on the far-end side. So think about like web control, anti-malware, basic firewalling controls. If all of that is over here, then this path is actually quite important; it's important for me to make sure that that guy over here or this girl over here can actually get all the way over here, because I want all these security tools to do their job. Similarly, privacy, right? We talked a little bit about that already, but the user who is leveraging a VPN, maybe they don't work for an organization, maybe they're just using a VPN purely for privacy-related reasons. If I'm on Starbucks Wi-Fi, I don't want Starbucks knowing what I'm doing and why; I just want to go to nhl.com without anybody looking at what I'm doing, and that's perfectly fine.

All right, so now we'll get into more specifics. So a typical adversary-in-the-middle attack. Now if I just go back to this picture for just one moment: if I was an adversary in the middle here, and I used whatever technique I wanted, DHCP, DNS, ARP, ICMP, rogue AP, it doesn't
really matter what I use. If I'm using a VPN to go from point A over here to point B, and the VPN connects successfully, the expectation, for me as an end user, is that privacy and security are in place, and I can feel relatively comfortable that I don't really care what's going on in the middle here, to a certain degree. Now the challenge with that is, okay, if I'm an adversary and I want to perform one of these adversary-in-the-middle attacks, well, I don't get a whole lot of value out of my attack. The user is using a VPN; a lot of what I'm going to see is basically just VPN traffic. I don't know what's in it, I don't know why they're using it, and that makes it very challenging as an adversary. So the techniques that I'm listing on the screen that I just described, they're all significantly hindered by this user leveraging that VPN. So for us as users, as people who want to maintain security and privacy, VPNs are a great thing; for the adversary, not so much. So what if, from the adversary's perspective, we could enhance that adversary-in-the-middle attack? What if we could make it better? What if we could actually get something out of this VPN traffic? That would be kind of good, right, from the adversary's perspective, of course, putting on the scientific hat. And the reason, of course, that they may want to do that: maybe they want to do a phishing attempt, some form of credential theft, some data manipulation, content injection, some form of replay attack, reconnaissance for the purpose of blackmail. A lot of good reasons I might want to do that as an adversary, so why don't we explore that?

Now, blocking. One answer, or one thought process, might be: why don't we just block their VPN? We care so much, we see a VPN's happening, let's just block whatever they're trying to do. And that is a reasonable approach; however, of course, a sophisticated user is going to notice that their VPN is not functional. I know I do. The first thing I do at any public or insecure local area network is fire up my VPN, and once it's established I have some level of a fuzzy feeling inside that, okay, I'm sort of secure, right? Like I have a better feeling about all this. Without that, though, I don't feel so good; I know that I'm subject to whatever is going on on this insecure network. And in addition, even if the user themselves isn't very sophisticated, the VPN software or the agent in many cases also can be made sophisticated enough to recognize that it's being blocked and in that case restrict all access. So blocking is one option, but that's not quite good enough. Instead of blocking, what if we could silently bypass the VPN tunnel from the end user? That sounds a lot better. If I could tell you, Sean, right there, that guy, that I can see you're probably going to TD Canada Trust, you're probably a customer of theirs, and any traffic that's going out to TD Canada Trust from you, I'm going to force it so that you send that out your local adapter instead of the tunnel, to me as an adversary, if I'm playing that hat or role-playing as an adversary, that sounds pretty good. And so let's explore that.
And so that would be my face if I was the bad guy, so there's a Christmas theme mixed in with a bit of a devilish grin. So fundamentally, and as I talked about at the very beginning of the presentation (and by the way, anybody who missed the opening slide introduction, I apologize, but some of this may not make sense), TunnelCrack aims to take advantage of that inherent trust in two ways. The one: the inherent trust between the client, or the VPN adapter, and the local area network; that's called the LocalNet attack. And the second is the client and the remote termination point. So if you remember the diagram that we had up there, there was a device over on the very far-end side that was the tunnel termination point; that's called the ServerIP attack. So back, way back to the beginning of the presentation: we saw the detour, and now, making this relate back to that, we're taking advantage of that inherent trust. See the detour sign, see somebody with some level of authority holding it up, you're probably just going to follow suit, right? However, for us, with a bit of intuition, we saw somebody who looked a little nefarious, and I sure as heck wasn't going to follow that detour. However, our laptops or machines aren't going to discriminate in that way; somebody tries to make us detour, they're probably just going to go along with it.

So let's get into the LocalNet attack more specifically now, and this is fundamental: by default in most VPN clients, ZTNA clients, traffic or packets sent to the local area network are going to be omitted from the tunnel itself. Fundamentally that's just for ease of use, right? If you have a printer sitting beside you, or a phone, or maybe a PLC or something like that you need to connect to, why would we want to send that through the tunnel? We need to access it because it's right here. So this is very common. So how could we take advantage of that fact and turn that into something we can use from the adversary's perspective? So ultimately, hey, can we selectively circumvent that tunnel? And how we do that is quite simple, and that's why I was very fascinated by this: it's quite simple and straightforward, right? What I'm going to do from the adversary's perspective is I'm going to assign the client a public IP address and subnet, and the result, you might ask, well, okay, that's great, but why? That doesn't do anything. Well, it does, because if I can control what IP address and what subnet you're on, that means I can control what you interpret as being on the local area network. So think about this for a second: if the VPN client or the agent thinks that acme.com, that domain, actually is right beside them, well, they'd have no reason to use this tunnel, would they? They would just send it over there, because they're on my network. So therein lies the way and the method of how we can circumvent our tunnel.

So to set the stage and give you a little bit more of a visual form factor here: we're in a coffee shop. It's common to use a VPN in a coffee shop, I know I do. The attacker first has to execute some form of an adversary-in-the-middle attack, whether that's DHCP, rogue AP, etc. In this case they're going to use a rogue
AP. You're going to see Starbucks Wi-Fi, you're going to log in, fantastic. You think, because it's connected to your VPN, you're safe; doesn't matter if it's a real AP, I've got a VPN, right? That's all good. So what the attacker does: since they control the AP, they control DHCP, and you can see over here acme.com has an IP address of 23.93.76.124. So as an attacker, very simple: okay, great, I want to intercept traffic to acme.com because I know that acme.com has a lot of cool PII and whatever; somebody's going to interact with that site, they likely are going to type in a credential that I like and I want. So I'm assigning an IP address to that local client of 23.93.76.0/24. Connect the dots and you see acme.com now is in that subnet, so from the perspective of the client, that's local. Okay, great, that's step one, that's good. So the client is still going to connect to its VPN concentrator over here; it's going to connect, client's happy. A sophisticated user like myself, you know, that's sophisticated, is going to connect, they're going to be happy, I'll see my VPN as a green check mark or something, feel great, I'm secure, I'm smart. However, when the client attempts access to the target destination, acme.com in this case, what do you think's going to happen? It's going to go direct. So our adversary over here has caused the traffic going to that destination to be leaked out directly to the local area network, meaning it's no longer subject to all the encapsulation, encryption, confidentiality, integrity of that tunnel, and it's just going out to this guy or this girl that happens to be an adversary. So that's not great; as an end user I don't really love that.

What's worse is any IP address is subject to this attack; there's really no limit to what IP address is in scope. As an adversary you could cycle through a whole long list of IPs and subnets if you'd like. If I was sitting on this rogue AP for long enough, wait for a user to connect, listen for the first few packets they send or the first few DNS requests, that gives me enough information to know what they were trying to do, and then now I start spinning up DHCP pools for those users, put them into this subnet, start intercepting their traffic, and away we go. So I could pick a popular bank like I did with my example of Sean, or wait, as I just described. Even worse, there's nothing technically stopping me from assigning a massive subnet like this one right here, 128.0.0.0/1; that would be representative of half the internet, so I could assign that to the end user and they could think that entire subnet was local, effectively bypassing the tunnel. So this works, that's functional, so that's the LocalNet attack, and I actually have a demonstration we're going to go through; we'll talk through some more specifics.

Now we're going to get into the ServerIP attack. So as I mentioned in the beginning, TunnelCrack is a bundle of two vulnerabilities. We talked about one already; the second one takes advantage of that inherent trust just like the first one did, and the way it does that is by leveraging the far-end destination of the tunnel. So if you think back to the diagram I showed many, many slides ago,
there was a tunnel VPN concentrator, or tunnel termination point, over on this side. So the packets I send to that device, by design, I can't send those through the tunnel, because the tunnel doesn't exist if I can't actually reach that destination. So we take advantage of the fact that in most cases the client is going to reference that far-end destination via a DNS name of some kind. So for example, let's say that VPN over there was vpn.com. So that means I have to resolve vpn.com, and we can maybe manipulate that a little bit. So what if we decided to spoof the DNS response and force traffic out of the tunnel in a nice creative way?

So we're going to revisit our favorite coffee shop that apparently has an adversary just sitting there every day. So same thing: the adversary has to have established a rogue AP or DHCP adversary-in-the-middle attack; the spinning AP in this case shows we've done a rogue AP. Now when the clients successfully connect, what we do is we assign a malicious DNS server. So we could do simple DNS spoofing via a DNS server locally or out on the internet somewhere, doesn't matter. The IP address in this case doesn't matter, what IP I assigned to the client; you saw in the first vulnerability it did matter, that was core to the vulnerability, but in this case I don't care, so 192.168.0.0. Now the two kind of key pieces of information here on the right: we have the VPN, this is what the client wants to connect to, 198.18.4.1, and then I have my trusty acme.com again, 23.93.76.124. So what the attacker is going to do is, when the client tries to do DNS resolution against this vpn.com, I'm going to spoof the response. I don't want that to resolve to this 198.18 address; I want it to resolve to the 23.93 address. So the client performs its DNS request for vpn.com; the DNS server in this case is compromised, it responds with 23.93.76.124, and as a result the tunnel in this case we're going to allow to be established. So the attacker has to have a little bit of technical capability, of course: they're going to do a destination NAT, effectively. All the traffic on certain ports going to this IP address is going to get destination NATed to this IP address, but the traffic we're interested in, we're of course not going to do that to. So what happens here is requests for the acme.com website now take advantage of that trust relationship, and they're going to just spit out locally on the local area network, and they're going to be observed, of course, by this attacker. So I have a demonstration specific to this which will hopefully make this more clear if it's not, but effectively we're taking the trust relationship created by the IP address of the tunnel that we're connecting to. In this case we're manipulating and spoofing the IP address of that tunnel, and anything sent to this by default can't go through the tunnel; that's just fundamentally the way the VPN is going to function. So we can't send it through the tunnel, and we trust it, so let's not send it through the tunnel, let's just send it direct, which is exactly what happens. So continuing with that same concept here as the LocalNet attack, by using this we can potentially force any domain or website to bypass
the tunnel, which is exactly what we just saw on that previous slide. We can choose a high-value target domain in advance, similar to what I did with Sean and TD, or of course we could wait and see traffic and then pick one of our choosing. Okay, so let's try it out. I've talked a lot, I'm ready to show something now; I'm sure you guys are all ready to see something, right, Quinn? He's not ready, but we're going to get him ready. So what we're going to do: we're going to showcase both vulnerabilities. First and foremost is the LocalNet attack. So we're going to do an adversary-in-the-middle attack with Kali Linux; we're going to create a rogue DHCP server. We're actually going to use a tool called DHCPig to exhaust the legitimate DHCP server that may be present already. The reason for that is, of course, if you have two DHCP servers running, it's basically a race condition, so I want to exhaust that one so it's not even a bother for me anymore. So I'm going to use DHCPig to do that, and at that point I have control on that network of all the IP and router and DNS assignments, so that gives me a ton of power. But because this user that I'm attempting to compromise is using a VPN, I've lost some of that power and I want to take it back, right? That's what the adversary wants to do. So the question, and what we're going to try to do, is: can we force acme.com to get outside of the tunnel, the VPN connection? And if I made a successful demo, then you'll know it's successful based on that outcome. Same concepts here with the ServerIP attack: we're going to use a rogue DHCP server, use DHCPig again; this time we're going to take advantage of the DNS and router assignment. We're going to look for the presence of a tunnel or VPN connection in some way, then we're going to do the DNS spoofing with DNSChef, and then the question remains: can we again force traffic outside the VPN tunnel?

All right, that means it's demo time. And by the way, I was briefly considering doing a live demonstration, trying to whiz through everything and impress everybody, but then I thought, you know what, something will absolutely go wrong, and I want to get home and play Super Mario RPG tonight, so I've got to make sure this goes well. I'm going to take a drink here just to soothe my throat, and I'm going to go ahead and play the first demo, and I'll be talking through it, and hopefully it comes up okay-ish; I know it's not going to be
perfect, right? So the scope here... yeah, it's a little small, I apologize, but hopefully the essence of what I'm describing is there. So I'm going to go back to the beginning just so I can talk through this. So I've got two things happening here. I've got, first and foremost, my Windows 10 client that you're seeing right here, and then I've got a Kali Linux instance that I'm also going to be swapping between. So the first thing I'm showing you here in this demonstration is the IP address of the local client; you can see it's right now 192.168.blah blah, not important. In addition, the VPN connection also has a 192.168.30.x IP address; there you go, that's what I'm highlighting there at the top. You can see I'm also highlighting the gateway and the DHCP server of the VPN adapter. I'm going to do a traceroute to an internet destination, and you can see, hopefully, the next hop is the VPN adapter, 30.1. We're going to do a route print just to show this is the state of the routing table. What's important to note here is two things: one is I have a default route on this machine; it's pointing me out to the 30.1 gateway, which is the VPN. And right below it I have a special route which I'm not going to talk about right now, but that'll be relevant to the ServerIP attack. Okay, so also, this is just the baseline. On the bottom there I'm just showing you I'm using open source software called SoftEther for the VPN, and right now it's connected. Okay, great, nice and simple. I'm going to go to acme.com, and with a little bit of patience acme.com will load and everything's great. acme.com looks good; it's very clearly a very old website, I'm sure some of you have been here before. I'm also showing the certificate is there, it's normal, nothing strange is happening. Okay, great, so the user can do what they want to do, everything's secure, everyone's happy.

Now, apologies again, this is a bit small. What you're seeing here on my Kali box, first and foremost, is a bunch of secondary addresses on my Ethernet interface; those will become relevant in a moment, you don't need to worry about reading them. The first thing I'm doing, if you can remember the little script that I wrote up, I'm going to do a DHCP exhaustion attack against that local network. I'm using DHCPig; let's eat up all the DHCP leases. So there you can see it's running; it'll come here in just a moment, it'll show up that the DHCP pool's exhausted, and then me as an attacker, I know, hey, that's great, now I'm going to fire up my own rogue DHCP server. All right, so DHCP pool exhausted there at the bottom. Loading screen. Okay, next up, just doing a simple curl command here; if it loads, there you go. So curl: the reason I'm showing you this is I'm running an nginx server locally on this machine, and it's presenting a forged, malicious version of the acme website, so I just did a curl to the loopback address. Now I'm running DNSChef. DNSChef, again, is a command that allows me to do DNS spoofing. In this specific attack it's actually not that important to do any DNS spoofing; however, I'm doing it because there are certain destinations and domains and websites that you might be going to that actually respond or resolve to a whole list of IP addresses. So if you did an nslookup to rbc.com or one of the large e-commerce websites, you're likely going to get a whole bunch of different IPs that come back. The reason I'm doing this in this attack is just simply to force resolution to always be that address, so I can sort of coax the user to always be referencing that address in that subnet. All right, now finally I'm going to boot up my rogue DHCP server with Ettercap. You can see I'm putting a DHCP pool for the 23.93.76 subnet like we saw earlier, and now the magic is finished on
the on the back end side so I'm going to do a release Renew on the client this would be very analogous to a new client joining the network that you're perhaps trying to compromise we're going to wait for that to spin up and if this works what we expect to see is a public IP address assigned to this client so you can see there ethernet zero I've got an IP 23 93 Etc you can see I've got my default route pointing out that VPN adapter now I'm going to boot up my VPN connection and any luck it'll connect and there it is all right so vpn's established the client currently has a public IP address assign to it as part
of the attack like we saw earlier so that's all looking great now we're going to do a route print just to see what current state is you can see there I'm still using the VPN there's a default route out the VPN adapter nothing's changed as far as that's concerned I'm going to do my Trace rout out to the internet still using the VPN path so from the end user perspective it this looks status quo right now everything's the same other than the IP address assigned to the desktop however when we go to acme.com things start to be a little bit broken reason for this of course is my own error and you're going to see me kind of
scramble and panic as I'm recording this um the engine X instance that I'm running is only listening Port 80 and I was trying to access port 443 on the last page so I recognize that and you can see my scrolling everywhere so I go HTTP acme.com and now I've got an AC Bank fake website so if I was of course a little bit more polished I could create an identical replication of the existing site throw in some additional content that the user would likely interact with so you can see that's loal net attack in a
nutshell yeah absolutely would have been yep correct yep no you're absolutely right I'm going to hold uh hold off on answering that for just a moment but it is something I will address because it's it's very relevant um yeah you don't mind all right so um the next the last piece of this local net attack that I'm just walking through is in the soft ether client since the uh vulnerability was disclosed the soft the people who developed this product released a mitigation to this attack that's called the tunnel crack protection you can see it's nice little simple checkbox so um in the soft ether client I enabled that checkbox uh now I got to restart the
client and I'm just going to run through this exact same attack uh from the client's perspective to see what
happens so you can see I'm connected the VPN with that I accept and now I go to acme.com and in this case I'm actually just blocked so the way that the mitigation was implemented by Soft ether is very heavy-handed uh basically anything on the local area network the the VPN client is is not going to let you talk to directly so that's their their their mitigation again I said that was a heavy-handed approach because if you have legitimate reason to access something on your local network now you're that's broken if you can imagine the executive of a large oil and gas company now who can't print locally or can't connect to their uh their big TV that they stream to or
something they're probably not going to be all that happy with that mitigation right okay so that was the local net attack and um quickly running out of time so I'm going to zip through this uh demo and w [Music] up so I might fast forward just a little bit in interest of time so this is the server IP attack again the second vulnerability um what I'm going to Showcase here very quickly client again is connected to an IP address or rather client has retrieved an IP address that's completely irrelevant to this attack in this case it's 17216 I'm showing that the tunnel crack protection has been disabled it's not not relevant to this client right
now we're going to do a trace route just to show what path this traffic would take it's going out the VPN the 30.1 is our next top that's all great this is working as expected in the moment for the end user what we're going to point out here now this time though more specifically is two two specific routes on this uh this endpoint first one is that default route which Ms but the second one that I didn't talk about in the in the last demo is this very specific IP address 2066 47. 237 and that's what tunnel crack. c.ca resolves to so that's the real IP address and you can see just by the output of that routing table that's
treated specially right that's a that's a special address that I don't want to send traffic through the tunnel so that route exists purely for the purpose of steering that out of the tunnel keeping it local and that's there for very legitimate technical reasons all right so we'll go to acme.com this time we'll use an incognito window just make sure you get no cash you can see everything works great all right we jump to Cali fast forwarding just a little bit so we're going to do first we are to set up our DNS spoofing with u DNS Chef important to note very simple command very simple syntax I'm not going to go over everything but basically I I
Mark a domain so tunnel crack. K.C and then I Mark a fake IP address I pick whatever I want that domain to resolve to so I've picked the IP address of acme.com and I picked the domain name or the VPN endpoint itself
light it over that all right I've started the DNS Chef now you'll see I'm just doing a simple NS look up to show what acme.com resolves to which is that same address that I show showed on the previous um command so nice and simple all right now we go back to the client we're going to disconnect their VPN reestablish do a flush uh flush DNS first of course do a DNS lookup or NS lookup in this case of tunnel crack. K.C you can see it resolves to that malicious IP or the SPO IP now we'll actually connect and when we do the r print you'll notice when we compare what we saw previously to this the that special
route that I talked about that's sl32 and now is 23 23.93 instead of the original 2066 or whatever it was so with that simple change this is effectively the vulnerability in action that routing simple routing table change that I I was able to course the client to make is effectively the server IP attack and you can see in this case I've decided as as the adversary I'm going to add that IP address on the local machine so I can intercept uh traffic going to the acme.com website and I can serve up my own version of it just like I did previously I'll do a trace route to that server IP IP address and you can
see one hop away it's should be on the other side of the internet but I'm seeing it as one hop away now interesting and the same idea go to acme.com and now I get the forged or malicious version of the site so fundamentally here taking advantage of those that inherent trust between the client and the far end um server IP and in the previous vulnerability we took advantage of the client the relationship between the client and its local area network to do pretty much whatever we want in this case I decided to present a fishing website but that's just the the tip of the iceberg um Next Step here I just showed tunnel crack protection but I'm just
going to skip that so I'm going to conclude here with a a couple quick slides and then we'll get out of here so we saw the local net attack requests for acme.com we're compromised sent outside of the tunnel big check mark I accomplished my mission I'm happy we use of course the public IP dhtp assignment to the endpoint as part of the the manipulation and the coercion server IP attack we use the spoof U SPO DNS response in order to bring that traffic outside the VPN tunnel that was another big check mark that was successful and I also showed in at least the initial case uh the soft crack tunnel uh sorry soft ether tunnel crack
protection was enabled and it successfully mitigated that attack now possible mitigations of course if your VPN software has an update available introducing protection that's probably the best course of action for the local net attack though it's very difficult to fully Implement because we don't know if it's legitimate or not to talk to this local network so the best uh mitigation is likely that if a local uh IP address is assigned and it happens to be a public IP address that should really be the warning flag or the red flag that says hey this is unusual and we probably want to limit access to the local area network in that instance as opposed to the heavy-handed approach like this what
I'm what I'm showing on screen which is to basically say hey let's block everything to the local area network because you know the CEO is going to call and say hey I need to talk to this printer so that proceed with caution on that mitigation simply because it's it's very heavy-handed now the server IP attack extremely difficult to to mitigate simply because um we need to talk to that far end destination in order to actually establish the tunnel so I can't break that the best course of action is likely application aware enforcement that gets implemented down at the software level where instead of allowing anything from the client operating system to talk to that destination IP
address I just allow the VPN software itself so if a browser is running or some malicious software is running I in I elect B based on the design of the software to not allow those things to ever communicate with that IP address and enforce only the the VPN software and then in addition um some other mitigations could be using authenticated DNS that would have mitigated my DNS spoofing so that would have been a great strategy and then uh if you can pass the public IP in band uh instead of via DNS that would also completely mitigate that attack now I'm going to clude with uh with this note that so htps was was a question that was
raised and absolutely that's going to be helpful because if Sean is accessing I'm sure he's getting tired of being picked on by the way but um if Sean's accessing td.com or whatever the fqn is it of course that's going to be protected by SSL right they're not going to be serving a plain text version of td.com so that's great that does protect the end user with a warning if this is attack is being used what it doesn't Pro protect though is um in that instance wouldn't protect from being EES dropped um so in the client hand the SL handshake of course I'm still going to see that he's going to to td.com and if he's going to something maybe a little
bit more off the Beaten Track um I could be using that for blackmail or something like that so I still not saying you are Sean but uh just an example just an example um so anyway these are just some the ideas but https absolutely is going to help mitigate a lot of this uh it's just not foolproof and it doesn't solve every Edge case associated with it okay uh we are overtime so I'm just going to wrap up you can see I had a few more slides that I knew I was not going to get to and to conclude thank you so much for attending um this is us on that wonderful road trip I talked about at
the beginning everyone's happy we've avoided The Detour completely with this awesome mitigation and uh here we are so appreciate everybody's time and effort and uh [Music] awesome
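A defender-side check for the two symptoms the talk walks through, added here as an example and not the speaker's demo code: a public range leased to the physical adapter (the LocalNet red flag the speaker recommends acting on) and a /32 exclusion route that no longer points at the pinned VPN server (the ServerIP routing-table change). The `route print` rows are constructed, 23.93.76.0/24 is a made-up stand-in for the demo's rogue public lease, and 203.0.113.7 is a placeholder for the real VPN server address.

```python
# Added example (not the speaker's code): scan a Windows `route print` style
# table for the two TunnelCrack symptoms described in the talk.
import ipaddress

# Constructed sample rows; 23.93.76.0/24 stands in for the rogue public lease.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.30.1    192.168.30.5     25
       23.93.76.0    255.255.255.0          On-link     23.93.76.20    281
       23.93.76.5  255.255.255.255       23.93.76.1     23.93.76.20     26
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    331
     192.168.30.0    255.255.255.0          On-link    192.168.30.5    281
"""


def parse_route_print(text):
    """Return (network, gateway, interface) per IPv4 route row; skip headers."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            iface = ipaddress.ip_address(parts[3])
        except ValueError:  # not an address row
            continue
        routes.append((net, parts[2], iface))
    return routes


def localnet_findings(routes):
    """LocalNet symptom: a directly connected (On-link) network that is public.
    A legitimate LAN lease is RFC 1918 or link-local; a public range handed out
    by DHCP is the unusual condition the talk suggests flagging."""
    return [str(net) for net, gw, _ in routes
            if gw == "On-link" and net.prefixlen < 32
            and not net.is_multicast and net.network_address.is_global]


def serverip_findings(routes, expected_server_ip):
    """ServerIP symptom: a /32 host route via a gateway whose destination is not
    the VPN server address the client was configured with. The client keeps one
    such route so its own tunnel packets bypass the tunnel; a spoofed DNS answer
    swaps in an attacker-chosen address (acme.com's IP in the demo)."""
    pinned = ipaddress.ip_address(expected_server_ip)  # placeholder value in test
    return [str(net.network_address) for net, gw, _ in routes
            if net.prefixlen == 32 and gw != "On-link"
            and net.network_address != pinned]
```

Feeding the output of a real `route print` (or an equivalent table from `ip route`) into `parse_route_print` gives the same two checks on a live host; an empty result from both is the expected steady state.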