Dropbox 15 – Dropbox Server (Boot Parameters)

By placing the configuration settings on a USB, we can dynamically change how the system boots. If necessary, we can send the client replacement files via email. This is critical if things don’t work after the device has already been deployed and we are still not able to connect. We can also use this functionality if we need to test multiple VLANs during a single engagement.

The settings that we will dynamically control include the following:

  • Network settings
    • Static/DHCP
    • Default gateway
    • DNS
  • Proxy settings
    • Authentication (Basic/NTLM)
  • authorized_keys

First let’s locate where the partition on the USB drive that we labeled ‘USB’ is mounted.

mount | grep USB

You should see something like the following.

/dev/sdb1 on /media/root/USB type vfat (rw,nosuid,nodev,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=utf8,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2)

In the above case the mount point would be /media/root/USB.

Now we need the ID of the vfat partition (/dev/sdb1).

ls -l /dev/disk/by-id | grep -w sdb1

You should see something similar to the following.

lrwxrwxrwx 1 root root 10 Sep 13 19:51 usb-SanDisk_Ultra_Fit_4C530146140423118490-0:0-part1 -> ../../sdb1

With that information we can now have the partition mounted automatically at boot, without root having to log in, by adding the following to fstab. The nofail option keeps the boot from stopping in emergency mode if the USB drive happens to be missing.

vi/vim/nano /etc/fstab

/dev/disk/by-id/usb-SanDisk_Ultra_Fit_4C530146140423118490-0:0-part1 /media/root/USB vfat defaults,nofail 0 0

Now let’s create our example config files (some of these will look familiar from our work with tunnels).

If the Dropbox Server will be using DHCP in the client environment then the configuration is easy; it’s one line of code.

vi/vim/nano /root/configs/example-network-dhcp.conf

nmcli con add con-name dbox ifname eth0 type ethernet

If we need to assign the Dropbox Server a static IP address then we take the information the client gives us and create a configuration file similar to the following.

vi/vim/nano /root/configs/example-network-static.conf

nmcli con add con-name dbox ifname eth0 type ethernet ip4 192.168.1.67/24 gw4 192.168.1.1
nmcli con mod dbox ipv4.dns 8.8.8.8
nmcli con mod dbox +ipv4.dns 8.8.8.4

If we have a direct connection out to the Internet then we will create the following config file for our SSH tunnels. This is exactly what we used in our previous configuration to test our tunnels.

Note: This is assuming Dropbox Server 01. Modify for 02, 03, 04… by changing the IdentityFile and RemoteForward ports accordingly.

vi/vim/nano /root/configs/example-connection-direct.conf

Host dbox*
 HostName localhost
 AddressFamily inet
 User dbox-relay
 Port 22
 IdentityFile /root/.ssh/dbox-01.id_rsa
 ProxyCommand /usr/bin/ncat --ssl-verify <FQDN of Dropbox Relay> 443
 ServerAliveInterval 10
 ServerAliveCountMax 3
 ExitOnForwardFailure yes
 StrictHostKeyChecking yes
 UserKnownHostsFile /root/.ssh/known_hosts

Host dbox-ssh-tunnel
 RemoteForward 11095 localhost:22

Host dbox-vnc-tunnel
 RemoteForward 11096 localhost:5901

Host dbox-squid-tunnel
 RemoteForward 11097 localhost:3128

Host dbox-socks-tunnel
 RemoteForward 11098 localhost:9999

Host client
 HostName localhost
 AddressFamily inet
 User root
 Port 22
 IdentityFile /root/.ssh/dbox-01.id_rsa
 LocalForward 9999 192.168.1.69:3306
 ServerAliveInterval 10
 ServerAliveCountMax 3
 ExitOnForwardFailure yes
 NoHostAuthenticationForLocalhost yes

If we have to go through an outbound proxy then we will use the following config file for our SSH tunnels. Note that ncat ostensibly supports proxies, but would not create a connection to the HAProxy. I think it may have something to do with the CONNECT directive. No worries, though, as proxytunnel works just fine. Unfortunately, proxytunnel doesn’t support certificate checking by default. There is a fork by yarinb (https://github.com/yarinb/proxytunnel) if you want to pursue that. I’m not too concerned as it only affects connections where we’re using an outbound proxy and even if an attacker performs a MitM on our SSL/TLS connection we’re still performing strict host key checking on the SSH server. The certificate verification is honestly probably overkill.

Note: Again, this is assuming Dropbox Server 01. Modify for 02, 03, 04… by changing the IdentityFile and RemoteForward ports accordingly.

vi/vim/nano /root/configs/example-connection-proxy.conf

Host dbox*
 HostName localhost
 AddressFamily inet
 User dbox-relay
 Port 22
 IdentityFile /root/.ssh/dbox-01.id_rsa
 ProxyCommand /usr/bin/proxytunnel -v -p 192.168.1.69:3128 -P pentester:squidward -d <FQDN of Dropbox Relay>:443 -e
 ServerAliveInterval 10
 ServerAliveCountMax 3
 ExitOnForwardFailure yes
 StrictHostKeyChecking yes
 UserKnownHostsFile /root/.ssh/known_hosts

Host dbox-ssh-tunnel
 RemoteForward 11095 localhost:22

Host dbox-vnc-tunnel
 RemoteForward 11096 localhost:5901

Host dbox-squid-tunnel
 RemoteForward 11097 localhost:3128

Host dbox-socks-tunnel
 RemoteForward 11098 localhost:9999

Host client
 HostName localhost
 AddressFamily inet
 User root
 Port 22
 IdentityFile /root/.ssh/dbox-01.id_rsa
 LocalForward 9999 192.168.1.69:3306
 ServerAliveInterval 10
 ServerAliveCountMax 3
 ExitOnForwardFailure yes
 NoHostAuthenticationForLocalhost yes

In the above we are connecting to the client’s proxy server at 192.168.1.69 on port 3128 using Basic Auth as the user “pentester” with the password “squidward” and establishing a connection to our Dropbox Relay. For more information on proxytunnel, or how to authenticate using NTLM instead, you can RTFM (http://proxytunnel.sourceforge.net/usage.php).

Finally, we’ll import the authorized_keys file. This will be the public key from your Dropbox Client. This is important if we lose access to our private key or if a consultant becomes unavailable and we need to grant access to another tester.

vi/vim/nano /root/configs/example-authorized-keys.conf

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkr4DSPepiL5adKD0n3f9CLmOjOEDO5UrfQsZkUihh8Sf9G7UQk42ohQSljssThE41CEk9yiyd+z+Kw6/LePGyAn6MTcr2jDYC24w8ZC380ItOatsjQSem1dWycjqjk4zBxkpFBEKCcYJ4Z/wtPcQTgBPVQoxbUU9hf6iVwi6HJq6prrMktBtP4mW41vtd1gBJJ6ff+2+7W7JcB72LEf3nMEqO2WrA/ekqC2oP+70rnDQlK8zKDrBb01pazJcPE/O0nawmZBrywyH1teZIUVevEiIFsC7gNmNXK3K+RzzDozPLCRuV5zGkHN+a7zFyiF0K6RmiFyo/w6NKSrgPQ/2SQ== dbox_client

As we run commands from the config files as root, we have to encrypt everything!

If an attacker tries to replace a gpg encrypted config file with a direct command, e.g., cat /etc/shadow, then it will produce the following error message:

gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: eof

If the attacker tries to gpg encrypt a command with a random passphrase/key, then it will produce the following error message:

gpg: decryption failed: bad key

In both cases gpg also exits with a non-zero status, so a script should check that status rather than trust whatever (possibly empty) output it received.

So, let’s encrypt all of our example config files and place them in a subdirectory of the config directory. The gpg passphrase can be anything you want. We will use the same passphrase in our script files to decrypt the configs. Note, I’ve used one passphrase for the dhcp/static files, another passphrase for the direct/proxy files, and yet another passphrase for authorized_keys, but you can use the same for all.

gpg -c example-network-dhcp.conf

gpg -c example-network-static.conf

gpg -c example-connection-direct.conf

gpg -c example-connection-proxy.conf

gpg -c example-authorized-keys.conf

mkdir /root/configs/gpg/

mv *.gpg /root/configs/gpg/

Let’s put some encrypted configuration files on the USB drive.

mkdir /media/root/USB/configs/

cp /root/configs/gpg/example-network-dhcp.conf.gpg /media/root/USB/configs/network.conf.gpg

cp /root/configs/gpg/example-connection-direct.conf.gpg /media/root/USB/configs/connection.conf.gpg

cp /root/configs/gpg/example-authorized-keys.conf.gpg /media/root/USB/configs/authorized.conf.gpg

Now we’ll write the scripts that will process those configs.

Configure the Network

This will delete the connection ‘dbox’ if it already exists, otherwise there will be multiple like-named connections and that just gets ugly. It will also decrypt the network config file and set up the new ‘dbox’ connection.

vi/vim/nano /root/scripts/netset.sh

#!/bin/bash
# Decrypt the network config from the USB drive. Abort if gpg fails (missing,
# corrupted or tampered file) so the existing 'dbox' connection is left alone.
CONF=$(gpg --decrypt --passphrase=<PASSPHRASE> -q /media/root/USB/configs/network.conf.gpg) || exit 1
# Remove any existing 'dbox' connection so we do not end up with duplicates.
nmcli connection delete id dbox
sleep 5

# Run each decrypted line as an nmcli command.
while read -r command; do
 $command
 sleep 5
done <<< "$CONF"

nmcli con up dbox
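Because netset.sh runs every decrypted line as root, a useful defence-in-depth step is to accept only the nmcli forms the example-network-*.conf files actually use before executing anything. The following is an added example, not part of the original scripts; the function name, the accepted command shapes and the sample inputs are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the post): allow-list check for a decrypted
# network config before its lines are run as root. The function name and
# the accepted command shapes are assumptions, not from the original scripts.

# Return 0 if every non-blank line of $1 is one of the nmcli forms used by
# example-network-dhcp.conf / example-network-static.conf for the 'dbox'
# connection and contains no shell metacharacters; return 1 otherwise.
validate_network_conf() {
  conf=$1
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    # belt and braces: refuse anything that could chain or substitute commands
    case $line in
      *[';|&$`<>']*) return 1 ;;
    esac
    # only the two shapes the example configs use are accepted
    case $line in
      "nmcli con add con-name dbox ifname "*" type ethernet"*) ;;
      "nmcli con mod dbox "*) ;;
      *) return 1 ;;
    esac
  done <<EOF
$conf
EOF
  return 0
}

# Constructed inputs for a stand-alone run (the good ones mirror the example configs).
GOOD_DHCP='nmcli con add con-name dbox ifname eth0 type ethernet'
GOOD_STATIC='nmcli con add con-name dbox ifname eth0 type ethernet ip4 192.168.1.67/24 gw4 192.168.1.1
nmcli con mod dbox ipv4.dns 8.8.8.8
nmcli con mod dbox +ipv4.dns 8.8.8.4'
BAD_PLAIN='cat /etc/shadow'
BAD_CHAIN='nmcli con mod dbox ipv4.dns 8.8.8.8; cat /etc/shadow'

for c in "$GOOD_DHCP" "$GOOD_STATIC" "$BAD_PLAIN" "$BAD_CHAIN"; do
  if validate_network_conf "$c"; then echo "accepted: $c"; else echo "rejected: $c"; fi
done
```

In netset.sh the check would sit between the gpg call and the while loop, exiting before `nmcli connection delete` if it fails.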

Configure the Outbound Connection

This will create our SSH config file and restart all of our tunnel services to use the new configurations.

vi/vim/nano /root/scripts/connection.sh

#!/bin/bash
# Decrypt the SSH config from the USB drive; abort on failure so a bad or
# missing file does not wipe the working /root/.ssh/config.
CONF=$(gpg --decrypt --passphrase=<PASSPHRASE> -q /media/root/USB/configs/connection.conf.gpg) || exit 1
[ -n "$CONF" ] || exit 1

echo "$CONF" > /root/.ssh/config
sleep 5
# Restart every tunnel service so it picks up the new config.
service dbox-ssh-tunnel restart
sleep 5
service dbox-vnc-tunnel restart
sleep 5
service dbox-squid-tunnel restart
sleep 5
service dbox-socks-tunnel restart

Import the Authorized Keys

This will overwrite the existing authorized_keys.

vi/vim/nano /root/scripts/auth.sh

#!/bin/bash
# Decrypt the authorized_keys from the USB drive. Abort on failure or empty
# output: writing an empty authorized_keys would lock everyone out.
CONF=$(gpg --decrypt --passphrase=<PASSPHRASE> -q /media/root/USB/configs/authorized.conf.gpg) || exit 1
[ -n "$CONF" ] || exit 1
echo "$CONF" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
sleep 5

We’ll now add all of these scripts to a master script that will run on boot.

Script of Scripts

vi/vim/nano /root/scripts/launcher.sh

#!/bin/bash
sleep 60
/root/scripts/auth.sh
sleep 5
/root/scripts/netset.sh
sleep 10
/root/scripts/connection.sh

Make all of the scripts executable.

chmod 700 /root/scripts/*.sh

To have the launcher script run at boot add it to crontab.

crontab -e

Add the following line to the end and save.

@reboot /root/scripts/launcher.sh

The encrypted configs we uploaded in the example above will configure the Dropbox Server for a direct connection to the Internet via DHCP and allow connections with the Dropbox Client’s private key.

Reboot and see if things come up as expected. We could now jump right into remote control, but first we’ll do some logging and troubleshooting in the next section.
