d3d ^ is a freelance security researcher (among other things) that ❤ exploit development, bug hunting, and writing offensive security tools.

Setting up the ‘PhanTap’


The ‘PhanTap’ is an ‘invisible’ network tap written by the folks at NCC Group and aimed at red teams. With limited physical access to a target building, the tap can be installed inline between a network device and the corporate network. PhanTap is silent on the network and does not affect the victim’s traffic, even on networks with NAC (Network Access Control, 802.1X-2004). PhanTap analyzes the traffic passing through it and masks its own traffic as the victim device. It can bring up a tunnel back to a remote server, giving the operator a foothold in the network for further analysis and pivoting.

The physical device used for our testing is currently a small, inexpensive router, the GL.iNet GL-AR150.

The GL-AR150 Router

NCC Group explains more about the software, including basic setup instructions, here.

Overview

I will be setting up the ‘PhanTap’ in the following scenario:

PhanTap scenario diagram

The device will be placed between a target workstation and the corporate network using Ethernet cables. Once plugged in, the ‘PhanTap’ device auto-configures itself and establishes a VPN (Virtual Private Network) connection back to a remote OpenVPN Access Server operated by the red team. That connection provides a reverse tunnel into the network from the OpenVPN Access Server.

Setup

Before configuring the ‘PhanTap’ device, I am going to set up an OpenVPN Access Server so the device has an endpoint to connect to.

OpenVPN Access Server

To set up the OpenVPN Access Server, I used a DigitalOcean droplet with the following options:

Once the droplet instance was live, I was able to log into the web interface of the OpenVPN Access Server. Within the web interface, create a new user with a password. This user is the connection profile the ‘PhanTap’ device will use, so I named mine ‘phantap’. Make sure ‘Allow auto-login’ is checked, then open ‘More Settings’ and set the options shown below:

OpenVPN user settings

Note: If you know the target subnets beforehand, add them under the VPN Gateway section. This is not required, however.

Once the user has been saved, grab the user configuration by logging into the OpenVPN Access Server on port 443 as the ‘phantap’ user and downloading the client profile.

GL-AR150 Router

Now that we have an OpenVPN Access Server, we can focus on setting up the ‘PhanTap’ device: power it up and connect the WAN port to the internet and the LAN port to your workstation. I was able to log into the device at IP 192.168.1.1 as user ‘root’ with no password.

Before we can install the ‘phantap’ package on OpenWrt, we need to make sure the device is running the snapshot build provided here.

After downloading the snapshot to my workstation, I copied both the upgrade.bin and client.ovpn files to the device’s /tmp directory with scp:

wget "https://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-glinet_gl-ar150-squashfs-sysupgrade.bin" -O upgrade.bin
scp upgrade.bin root@192.168.1.1:/tmp
scp client.ovpn root@192.168.1.1:/tmp

Once the device contains the ‘upgrade.bin’ file, we can log back into the device at 192.168.1.1 to complete the setup.

opkg update
sysupgrade -v /tmp/upgrade.bin

After the snapshot build has been installed, we can set up OpenVPN as well as the phantap package.

opkg install nmap
opkg install openvpn
opkg install phantap

The next step is to rename client.ovpn to client.conf and move it into the /etc/openvpn directory. We also need to enable the OpenVPN service so it starts at boot.

mv /tmp/client.ovpn /etc/openvpn/client.conf
/etc/init.d/openvpn enable

Before deploying this device, I need to make sure the VPN connection gets restarted whenever the ‘PhanTap’ device detects that a new IP has been configured. That is what the ‘onnet’ hook in the phantap config is for, so uncomment it and restart OpenVPN:

sed -i 's/#list onnet/list onnet/g' /etc/config/phantap
/etc/init.d/openvpn restart

After restarting the OpenVPN service, you should see a VPN connection from the ‘PhanTap’ device arrive at your OpenVPN Access Server. It should appear as the user ‘phantap’, which confirms the VPN service on the device is working. Now that the VPN connects automatically on start-up, we can enable the phantap service and mask the device on the network.

First, remove the physical ports from any network interface that might be using them:

uci delete network.lan.ifname
uci delete network.wan.ifname
uci delete network.wan6.ifname

Then add the ports to the phantap bridge and reload the network service with the following commands (assuming a GL-AR150, whose two ports are eth0 and eth1):

uci set network.phantap.ifname='eth0 eth1'
uci commit network
/etc/init.d/network reload

Once the device reboots, it is ready to go. As soon as it is plugged into a new network, it will automatically mask itself as the target device and set up a reverse VPN tunnel into the network.
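Before relying on “ready to go”, it is worth confirming that the device actually ended up in the state the steps above aim for. The script below is an added example of such a check; it is my own code, not part of the original post or of the PhanTap project. It reads a saved `uci show network` dump plus an /etc-style directory and verifies that lan/wan/wan6 no longer own a port, that the phantap bridge owns eth0 and eth1, that OpenVPN is enabled at boot with client.conf in place, and that the `list onnet` hook is uncommented. The rc.d link name pattern (S??openvpn) and the sample config contents are assumptions, constructed for an offline run rather than captured from a device.

```shell
#!/bin/sh
# Post-setup sanity check for a PhanTap device built with the steps above.
# Added example: not code from the original post or from the PhanTap project.
# It verifies the state those steps are meant to leave behind.

# Check the bridge layout in a `uci show network` dump saved to a file.
# $1: path to the dump. $2: ports expected on the bridge (GL-AR150 default).
check_phantap_bridge() {
    dump="$1"
    ports="${2:-eth0 eth1}"
    rc=0
    for iface in lan wan wan6; do
        # A leftover ifname here means `uci delete network.<iface>.ifname` was skipped.
        if grep -q "^network\.${iface}\.ifname=" "$dump"; then
            echo "FAIL: network.${iface}.ifname is still set" >&2
            rc=1
        fi
    done
    if ! grep -q "^network\.phantap\.ifname='${ports}'\$" "$dump"; then
        echo "FAIL: network.phantap.ifname is not '${ports}'" >&2
        rc=1
    fi
    return $rc
}

# Check the OpenVPN side. $1: an /etc-style root (pass /etc on the device, or a
# scratch directory offline). Assumes the S??openvpn link that
# `/etc/init.d/openvpn enable` creates under rc.d (an assumption about OpenWrt
# naming, not something the post states).
check_openvpn_ready() {
    root="$1"
    rc=0
    if [ ! -f "$root/openvpn/client.conf" ]; then
        echo "FAIL: $root/openvpn/client.conf is missing" >&2
        rc=1
    fi
    enabled=0
    for link in "$root"/rc.d/S??openvpn; do
        [ -e "$link" ] && enabled=1
    done
    if [ "$enabled" -eq 0 ]; then
        echo "FAIL: openvpn is not enabled at boot (no rc.d link)" >&2
        rc=1
    fi
    # The sed step turns '#list onnet ...' into 'list onnet ...'.
    if ! grep -q '^[[:space:]]*list onnet' "$root/config/phantap" 2>/dev/null; then
        echo "FAIL: 'list onnet' hook is still commented out in config/phantap" >&2
        rc=1
    fi
    return $rc
}

# Build a constructed sample tree (not captured from a real device) so the
# checks can be exercised offline. $1: scratch directory.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/openvpn" "$root/rc.d" "$root/init.d" "$root/config"
    # Dump as it should look after the uci steps: ports only on the bridge.
    cat > "$root/network.good" <<'EOF'
network.loopback=interface
network.loopback.ifname='lo'
network.lan=interface
network.lan.proto='static'
network.wan=interface
network.wan.proto='dhcp'
network.phantap=interface
network.phantap.type='bridge'
network.phantap.ifname='eth0 eth1'
EOF
    # Dump where the lan port was never detached and the bridge got one port.
    cat > "$root/network.bad" <<'EOF'
network.lan=interface
network.lan.ifname='eth1'
network.phantap=interface
network.phantap.ifname='eth0'
EOF
    : > "$root/openvpn/client.conf"
    : > "$root/init.d/openvpn"
    ln -sf ../init.d/openvpn "$root/rc.d/S90openvpn"
    printf "config phantap 'config'\n\tlist onnet '/etc/init.d/openvpn restart'\n" \
        > "$root/config/phantap"
}

# Stand-alone run against the constructed tree. On the device you would instead
# run: uci show network > /tmp/net.dump; check_phantap_bridge /tmp/net.dump; check_openvpn_ready /etc
sample=$(mktemp -d)
make_sample_tree "$sample"
if check_phantap_bridge "$sample/network.good" && check_openvpn_ready "$sample"; then
    echo "constructed sample tree: all checks passed"
fi
rm -rf "$sample"
```

Each check prints one FAIL line per problem to stderr and returns non-zero, so the two functions can be dropped into a pre-deployment script and gated on with `&&`.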
