We’ve been hardening as we go, so there really wasn’t much to do here in the first iteration, when I was using Kali 2016.1. By default rpcbind was bound to all interfaces on port 111, so I ran the following commands to stop it and keep it from starting at boot (on Debian-based systems that also ship an rpcbind.socket unit, disable that as well, or socket activation can bring the service back):

systemctl stop rpcbind.service
systemctl disable rpcbind.service
Now there’s even less to do, as it looks like rpcbind is disabled by default in the 2016.2 release. A listing of listening TCP sockets shows only the services we’ve deliberately bound to localhost, even without running the above:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      670/sshd
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      794/(squid-1)
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      762/Xtightvnc
We can verify this from the outside by scanning from the Raspberry Pi I’ve been using as a test outbound proxy server. Note that nmap scans TCP only unless told otherwise, so -p- covers all 65535 TCP ports and says nothing about UDP.
pi@raspberrypi:~ $ nmap -p- 192.168.1.253
Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-14 18:19 UTC
Nmap scan report for 192.168.1.253
Host is up (0.00087s latency).
All 65535 scanned ports on 192.168.1.253 are closed
Squid does open a high-numbered UDP port on all interfaces for its internal DNS resolver, which the TCP-only scan above would never have shown (a UDP scan with nmap -sU would):

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:36778           0.0.0.0:*                           794/(squid-1)
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1212/dhclient
udp6       0      0 :::51863                :::*                                794/(squid-1)
According to the following article it should be possible to change the address binding (http://linuxplayer.org/2012/02/why-squid-listen-on-high-udp-port-number). I may test the effect of that change on proxied web application tests sometime in the future, but for now I have left the default configuration intact.
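The check done by eye above, listing the listeners and confirming that everything is bound to loopback, is worth scripting so it can be re-run after every package upgrade, since an update can quietly bring a wildcard bind back. The script below is an added example and not code from the original post. It assumes netstat's column layout (Proto Recv-Q Send-Q Local Address Foreign Address [State] PID/Program name); the listing embedded in it is constructed to mirror the two netstat outputs above, not captured from the RIPT server.

```shell
#!/bin/sh
# Added example (not from the original post): flag listening sockets that are
# not bound to a loopback address. Expects netstat-style lines; the sample
# below is constructed to match the listings in the post, not a live capture.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      670/sshd
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      794/(squid-1)
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      762/Xtightvnc
udp        0      0 0.0.0.0:36778           0.0.0.0:*                           794/(squid-1)
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1212/dhclient
udp6       0      0 :::51863                :::*                                794/(squid-1)'

# exposed_listeners NETSTAT_OUTPUT
# Prints "proto local-address program" for every tcp/udp (v4 or v6) listener
# whose local address is not loopback (127.0.0.0/8 or ::1). Wildcard binds
# (0.0.0.0 and ::) are the usual offenders. Header lines and unix-domain
# sockets are ignored because their first field is not tcp/udp. The UDP
# lines have an empty State column, so the program is taken from the last
# field rather than a fixed column.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # strip the port, keep the host part
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, $4, $NF
        }'
}

# check_loopback_only NETSTAT_OUTPUT
# Exit status 0 when every listener is on loopback, 1 otherwise; suitable
# for a cron job or a post-upgrade hook.
check_loopback_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Stand-alone run against the constructed sample: reports the two Squid
# resolver sockets and dhclient, and nothing bound to 127.0.0.1.
exposed_listeners "$SAMPLE_NETSTAT"
```

Against a live host, feed it the real listing: exposed_listeners "$(sudo netstat -lnp)" (root is needed for netstat to attribute sockets owned by other users). Unlike the nmap -p- scan it also surfaces UDP sockets; dhclient on 0.0.0.0:68 is expected on a DHCP client and is the one hit you would accept by hand, while Squid's resolver socket is the one the article above is about.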
We could go a step further and block ICMP or filter incoming traffic to the RIPT Server, but we don’t want to make things overly difficult for ourselves either. This is a penetration testing device after all, and at some point we’ll want it to perform ARP spoofing, accept reverse shells, and so on.
OK, now to setup our RIPT Client and start controlling the RIPT Server remotely, or as I like to call it “How to perform an internal penetration test from <INSERT FAVORITE COFFEE SHOP/PUB HERE>”.