
Limited Route Bypass

molotov477

If you have VPN access to a network and a few routes are defined that you have access to, you can ping the machines on those specific routes but nothing else. However, if you run masscan with -e and use the interface the VPN is connected on, you can find other machines and open ports on them. The same goes for an Nmap scan where you define the interface to use: it will find the same open ports and ping those machines. If you use a simple ping command, you cannot reach the other machines on that network/subnet or even a different subnet, but if you use -I and the interface of the VPN, you can ping all the machines nmap and masscan found.

I tried to add those routes, but as I am using a commercial VPN to connect, I cannot add routes on the client side (my machine). I tried using iptables to manipulate this, but that did not work either. Is there a way to overcome such a restriction, or a tool to be able to connect to those machines, or the open ports, that nmap and masscan are finding?
 
Maybe you need to try NetExec or SoftPerfect Network Scanner?
 
SoftPerfect is not an option as I am on a Linux host. Plus, I don't want to just scan them; scanning is already being done with nmap/masscan. I want to find a way to bypass the firewall restriction to connect to the open ports/services.
 
if you use a simple ping command, you cannot reach the other machines on that network/subnet or even a different subnet, but if you use -I and the interface of the VPN, you can ping all the machines nmap and masscan found.
This, and a question: are you scanning from your own machine or from a machine in the network?
 
I am not scanning from a machine in the network. I have a VPN; I connect to the network via the VPN and I am given a 192.168.*.* IP address. Some static routes are added for internal IPs, 10.*.*.* and 172.*.*.*, which I am able to access. If I log on to the 172 machine, I can access other machines from there, but from my own machine (the 192 one), if I ping them or run normal scans, nothing is found and I can't reach them. But if I run ping 172.*.*.* -I tun0, I can ping them, and I can find open ports as well when running masscan and specifying which interface to use (-e tun0); otherwise not. So I can't use ssh or anything else to directly reach these other machines.

I hope that somewhat makes sense.
 
Unfortunately I don't have any screenshots; next time I will be sure to take them.
 
OK, if I understand it right, you have this scheme:
you->VPN->10.x.x.x,172.x.x.x

yes?
 
Commercial VPN clients often aren't so friendly about policy-based routing.
Эрмано is going for the classic pentester pivot or jumpbox approach, i.e. the idea of scanning from an internal host or pivoting through it. If you can't add routes, your best bet would be to pivot via a box you do have access to (ssh/rdp) and forward traffic through it. In pentest terms, that's standard operating procedure.
 
Add routes on your side to all the hosts you need:
root@molotov:~# ip route add 172.*.*.* via 192.168.*.* dev tun0
root@molotov:~# ip route add 10.*.*.* via 192.168.*.* dev tun0
Already tried, but these do not add any route, as I am on the client side of the VPN; the routes are enforced by the VPN device/server.
 