Malware Development
  • Golang Malware Development
  • Malware Development In Golang - Introduction
    • Golang Programming Intro
      • 1. Preparing the Go Environment
      • 2. Hello World
      • 3. Calling MessageBox winAPI from GO
      • 4. Shellcode Runner
  • Code Injection Techniques
    • Shellcode Injection
      • 1. Classic Shellcode Injection
      • 2. Process Hollowing
      • 3. QueueUserAPC
    • DLL Injection
      • 1. Dll Injection
      • 2. Reflective DLL Injection
  • Payloads
    • Payloads
      • 1. Basic DLL using Golang
      • 2. Malicious DLL using Golang
      • 3. Malicious XLL using Golang
    • Shellcode development
      • 1. Keystone Engine
      • 2. Windows x64 Shellcode Development intro
      • 3. Transforming DLLs into Shellcode
  • Evasion
    • AV Bypass
      • 1. Introduction
      • 2. Remove the shellcode from the payload
      • 3. Delay Execution
        • 1. time.Sleep() 1/2
        • 2. time.Sleep() 2/2
        • 3. Custom Sleep function
      • 4. XOR Encryption
      • 5. AMSI Bypass
    • EDR Bypass
      • 1. Setting up a testing environment
      • 2. Userland Hooks
        • 1. What are userland hooks?
        • 2. Load a fresh copy of the dll from disk
        • 3. Programmatically detect ntdll hooks
        • 4. Direct and Indirect Syscalls (shellcode runner)
      • 3. VPN abuse for Endpoint Protection Evasion
        • 1. Global Protect Abuse 1/2
        • 2. Global Protect Abuse 2/2
Powered by GitBook
On this page
  • Introduction
  • Pre-Requisites
  • Initial foothold
  • User Credentials
  • Global Protect Enumeration
  • GUI
  • CLI
  • User Certificate
  • Obtain the certificate from the victim
  • Obtain the certificate through the beacon
  • Additional considerations before connecting to the portal
  • Attacker
  • Victim

Was this helpful?

  1. Evasion
  2. EDR Bypass
  3. 3. VPN abuse for Endpoint Protection Evasion

1. Global Protect Abuse 1/2

#globalprotect #redteaming #globalprotect #VPNabuse

Last updated 1 year ago

Was this helpful?

Introduction

The motivation for this blog comes after attending a Mandiant social gathering in London. The presenter, Rohan (), described how the VPN could be abused to join an attacker controlled machine on the target Network after initial access is achieved.

In this blog I will explore how we can abuse Palo Alto's Global Protect to achieve just that.

Pre-Requisites

  • Initial foothold is required

  • VPN configuration details

  • User Credentials

Initial foothold

For the sake of simplicity we will assume that we compromised a user and we have a sliver session on the target machine. Anything demonstrated below can be achieved using a C2 of your choice since most functionality comes from Beacon Object Files and C# executables.

User Credentials

Once we have a foothold on the target machine we could capture user credentials in a number of different ways. The easiest way is to just ask for them :) Let's see how that's done using sliver.

Armory offers a wide range of that are officially supported by sliver. Luckily for us bof prompts the victim for their credentials.

When the command is executed the following prompt will appear on their desktop:

OneDrive.exe is specified from the bof. That could be anything but something that is relevant to the user would be ideal.

This is how it looks from the attacker's perspective:

Please note that this bof doesn't validate if the credentials are correct.

Global Protect Enumeration

GUI

The easiest way to obtain information regarding the VPN is through the client app installed on the host machine.

The portal login page can be identified by the settings button as shown below:

Potential gateways to connect to are identified in the Connection Tab:

Information on the Host Profile on the respective tab. That will help us identify what sort of endpoint configuration / hardening we will need prior to a connection to the target network. If the endpoint doesn't meet the minimum requirements it might be isolated from the target network even though a successful connection was established.

CLI

The PanGPA.log located at C:\Users\<username>\AppData\Local\Palo Alto Networks\GlobalProtect is very verbose and includes all the information needed to successfully create a remote connection.

User Certificate

In order to login into the paloalto portal we need a client certificate (this is not always the case). Let's find a few potential targets using shodan.

The GlobalProtect Portal Login page ends with "/global-protect/login.esp" so using google dorks or shodan we can identify multiple instances.

Let's take a look at the first example:

A message appears at the end of the page informing us that a valid certificate is required.

Another page found from shodan doesn't seem to have the same requirement.

Obtain the certificate from the victim

We can obtain the certificate from the host in a number of ways:

  • Using mmc through the GUI (low-priv user)

  • Using trustedsec's bofs (low-priv user)

  • Using mimikatz (requires elevated access)

Obtain Certificates through the GUI

We can quickly access user certificates by searching "Manage user certificates" on our host.

In this case we need the "Dave Daves" certificate to be exported in order to gain access to the VPN portal.

We can export the certificate by right clicking > All Tasks > Export...

In some cases depending on the ADCS configuration we might face the issue of not being able to export the private key of the certificate.

Alternatively we could request another certificate from the ADCS server with the export private key property being enabled.

That can be done by requesting a new certificate.

After clicking on Request Certificate with New Key the following window pops up:

  1. Expand User Certificate details

  2. Click On Properties

  3. Navigate to the 'Private Key' Tab

  4. Under Key Options, select Make private key exportable

We now have a second key that we are able to export.

In the following steps we will be asked to set up a password for the exported key and define the export directory. On an engagement instead of leaving the key lying around you can delete it once it's downloaded.

Obtain the certificate through the beacon

Two bofs will be used to request the certificate:

sa-adcs-enum will help us identify all the information needed to create a valid adcs request using remote-adcs-request.

sa-adcs-enum

This bof doesn't really require any arguments. We can just run this bof to enumerate the Certificate Authority and the template name required for the next step.

The first few lines will show all the information needed for the CA

From the above screenshot we can extract the name of the Certificate Authority CLAIRE-ALEX-DC-CA and the domain name is CLAIRE.local

The User template is the one required to authenticate to the VPN portal. Depending on the environment the template might have a different name .

remote-adcs-request

All we need now is to run the following command so the pirvate key and certificate will be dumped. 

[server] sliver (LIGHT_JOURNEY) > remote-adcs-request 'Claire.local\CLAIRE-ALEX-DC-CA' User

We can then copy the contents of the certificate to a file and convert it to a .pfx file using the following command. 

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Additional considerations before connecting to the portal

The user is expected to use the number appearing on his screen, usually in a browser, and type it into their authenticator application.

In some cases authenticator will show more information such as the connection location. We might want to match the user's location to avoid adding to the victim's suspicion.

Attacker

The user is essentially running the c# executable within the beacon's process. The executable takes 2 arguments, the user's email and the and number to type into their authenticator.

Victim

The victim will see the pop up show up on his desktop. We then hope the user will authenticate for us.

In the second part of this blog we will go through the process of connecting to the VPN and possible hardening techniques we can apply on the Firewall to stop attackers from connecting to the VPN from a non corporate laptop.

At this point we could use a tool like . That would require patching certain functions in memory and admin privileges. Also executing mimikatz on a mature environment would probably set off a few alarms.

We could use tools such as to extract the keys as demonstrated before but it's not always possible. Thankfully the same result can be achieved using beacon object files without any GUI interaction.

(I found this bof more reliable than using sa-adcs-enum-com. sa-adcs-enum-com would cause the sliver beacon to crash. I am not sure if that's the case with Cobalt Strike)

It is common nowadays to come across MFA authentication after logging in. The fact that we have foothold on the target machine we can get the user to authenticate for us. Let's take the demonstrated below:

To overcome the MFA a small was written. We can run from sliver or cobaltstrike to prompt the user with the number to match.

@Decode141
User Certificate
Beacon Object Files (bof)
c2tc-askcreds
mimikatz to extract the private key
Hidden Desktop
sa-adcs-enum
remote-adcs-request
number matching scenario
c# script
AskCreds prompt
Captured Credentials
Portal Information
Gateways
When a valid certificate is required
No certificate is required
Dave Daves User certificate
Export Certificate
Export private key greyed out.
Requesting new certificate
Request a key with private key being exportable
"Export the private key" enabled
Last step before exporting our key
sa-adcs-enum (most reliable in my experience)
Certificate Authority information
User Template
Generating the certificate
Number matching MFA
Authenticator with additional context
MFA phishing
malicious MFA pop-up