2. Global Protect Abuse 2/2

#globalprotect #redteaming #VPNabuse

Introduction

In part 1 of this blog post series we explored how to collect usernames, certificates and credentials, and how to bypass MFA, with the aim of gaining access to the target network.

In this post we will see how to connect to the target network with what we collected, and how to harden the VPN configuration so that attackers can no longer use this attack vector.

Connecting to the target network

With all the information we now have, all that is left to do is log in to the portal, download the VPN client and connect to the target network.

In our lab the GlobalProtect Portal can be found on https://192.168.198.250/global-protect/login.esp

Using the credentials captured previously through our Sliver implant we can log in.

We can then download the VPN client onto our attacking machine.

Once the client is installed, all we need is the portal URL and the credentials; if we are prompted for Multi-Factor Authentication we may also need to get the user to authenticate again, as in part 1.

When the client is installed we will see the GlobalProtect window in the bottom right of the screen. If not, we can open it by clicking the GlobalProtect icon in the system tray next to the time and date.

We type in the portal IP address or DNS name and hit Connect. We then get a prompt for our credentials.

And that's it we are in.

We can now run our favourite tooling without worrying about any endpoint protection, since the connecting machine is our own and carries none of the target's EDR or agent-based controls. This obviously does not extend to network-level protection: our traffic is still subject to whatever security policy, inspection and logging the firewall applies to the VPN zone.

Defending against this type of attack

There are a number of ways this attack could be stopped.

  • Use machine certificates for client authentication.

  • Make use of Host Information Profile (HIP)

Machine Certificates

Machine certificates are much harder to extract than user certificates. A user certificate sits in the user's own certificate store, so the low-privileged foothold we used in part 1 is enough to export it; a machine certificate sits in the Local Machine store, and exporting its private key requires local administrator (or SYSTEM) privileges. Marking the key non-exportable or backing it with the TPM raises the bar further. None of this is impossible, but it is considerably harder to achieve straight after gaining a foothold, because the attacker now has to escalate privileges on the victim host before the VPN can be used from their own machine.

Host Information Profile (HIP)

The Host Information Profile (HIP) feature collects information about the security status of each endpoint, and access is allowed or denied depending on whether the host adheres to the host policies you define.

HIP allows for granular checks on the endpoint. One example is to check for an Anti-Malware solution. A bare "anti-malware present" check is of little use on its own, since a default Windows installation (such as an attacker's fresh VM) would pass it because Defender comes pre-installed. GlobalProtect therefore lets the administrator specify the following parameters for the Anti-Malware object.

First we set the vendor and the product, as shown below.

We can then add additional checks, such as requiring the virus definitions to be up to date and the last scan to be no more than 10 days old.

Additional checks regarding the host can be added as shown below:

After setting up the HIP profile and applying it, we receive the following pop-up message from GlobalProtect.

I have set up a notification to pop up when the HIP checks fail. In a real-world environment the HIP match should also be used in the security policy, so that a non-compliant machine is denied or isolated from the network rather than merely warned.

Ideally the HIP policy should be as strict and granular as possible: every extra attribute (vendor, product, definition age, last scan, domain membership, and so on) is one more thing the attacker has to replicate on their own machine if they are trying to match the target environment.
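To make the HIP discussion above concrete, here is an added example (not PAN-OS or GlobalProtect code) that evaluates a simplified HIP report against an administrator-defined profile of the kind described: anti-malware vendor and product, definition age, last-scan age, real-time protection, domain membership and disk encryption. The report fields, the profile values and the two hosts (a managed laptop and an attacker's fresh Windows VM) are all constructed for the illustration; the point it shows is that the attacker's default install passes the bare "Defender present" check but trips every granular one.

```python
"""Evaluate an endpoint's HIP-style report against a compliance profile.

Added illustration of the checks a GlobalProtect HIP profile can apply.
Not PAN-OS code: the report fields, profile settings and sample hosts are
assumptions modelled on the checks described in the post.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

TODAY = date(2024, 3, 1)  # fixed "current date" so the example is reproducible


@dataclass
class HostReport:
    """Simplified HIP report, as the GlobalProtect agent would submit it (constructed)."""
    hostname: str
    domain: Optional[str]           # AD domain the host is joined to, None if workgroup
    av_vendor: Optional[str]
    av_product: Optional[str]
    av_realtime: bool
    av_definitions: Optional[date]  # date of the installed definition set
    av_last_scan: Optional[date]
    disk_encrypted: bool


@dataclass
class HipProfile:
    """Administrator-defined requirements (constructed example values)."""
    av_vendor: str
    av_product: str
    max_definition_age_days: int
    max_days_since_scan: int
    require_realtime: bool
    domain: str
    require_disk_encryption: bool


def days_since(when: Optional[date], today: date = TODAY) -> Optional[int]:
    """Age in days of a reported date; None when the agent reported nothing."""
    return None if when is None else (today - when).days


def evaluate_hip(report: HostReport, profile: HipProfile, today: date = TODAY) -> List[str]:
    """Return the names of the failed checks; an empty list means the host is compliant."""
    failures: List[str] = []

    # Anti-malware object: vendor and product must match exactly
    if (report.av_vendor, report.av_product) != (profile.av_vendor, profile.av_product):
        failures.append("anti-malware product")
    if profile.require_realtime and not report.av_realtime:
        failures.append("real-time protection")

    # Definition freshness and last-scan age; a missing date counts as a failure
    age = days_since(report.av_definitions, today)
    if age is None or age > profile.max_definition_age_days:
        failures.append("definitions out of date")
    scan = days_since(report.av_last_scan, today)
    if scan is None or scan > profile.max_days_since_scan:
        failures.append("last scan too old")

    # Additional host checks
    if (report.domain or "").lower() != profile.domain.lower():
        failures.append("domain membership")
    if profile.require_disk_encryption and not report.disk_encrypted:
        failures.append("disk encryption")
    return failures


def policy_action(failures: List[str]) -> str:
    """Map the HIP result to the security-policy outcome: full access or quarantine."""
    return "allow" if not failures else "quarantine"


# Constructed HIP profile for the lab
PROFILE = HipProfile(
    av_vendor="Microsoft Corporation", av_product="Windows Defender",
    max_definition_age_days=3, max_days_since_scan=10, require_realtime=True,
    domain="lab.local", require_disk_encryption=True,
)

# Constructed reports: a managed corporate laptop and an attacker's fresh Windows VM
CORPORATE_LAPTOP = HostReport(
    hostname="LAPTOP01", domain="lab.local",
    av_vendor="Microsoft Corporation", av_product="Windows Defender",
    av_realtime=True, av_definitions=TODAY - timedelta(days=1),
    av_last_scan=TODAY - timedelta(days=2), disk_encrypted=True,
)
ATTACKER_VM = HostReport(
    hostname="DESKTOP-ATTACK", domain=None,          # not domain joined
    av_vendor="Microsoft Corporation", av_product="Windows Defender",
    av_realtime=False,                               # disabled so tooling is not quarantined
    av_definitions=TODAY - timedelta(days=30),       # stale trial image
    av_last_scan=None, disk_encrypted=False,
)

if __name__ == "__main__":
    for host in (CORPORATE_LAPTOP, ATTACKER_VM):
        failed = evaluate_hip(host, PROFILE)
        print(f"{host.hostname}: {policy_action(failed)} {failed}")
```

Note that the vendor/product check alone lets the attacker's VM through, exactly as the text warns; it is the definition age, scan age, domain membership and encryption checks that push the host into quarantine, and each one is another property the attacker has to fake on their own machine.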

Conclusion

This technique is a viable way to join an attacker-controlled machine to a target network. In the references section I have listed the articles and videos I read to prepare my lab environment and test the attack scenario.

References

[1] Palo Alto GlobalProtect VPN Configuration Step by Step [2023]

[2] Palo Alto firewall lab using VMware Workstation

[3] How to Build an Active Directory Hacking Lab

[4] PA-VM Trial

[5] Setting up HIP

[6] PaloAlto with external CA
