Advissa Ludvinka sends me Nemucod

-> Will update as the debugging progresses. The JavaScript is heavily obfuscated, so it is not easy to read.

Out of curiosity I decided to have a better look at an attachment that came with a spam message this week. The message has no body text and the subject “Receipt 7068-586205”.

The mail was apparently sent via a mail server in Saudi Arabia. A total spam score of 130 was evidently not enough to let the message through to my inbox.

From - Sat Oct 08 16:11:10 2016
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <alissa.ludvinka@gmail.com>
Delivered-To: bart@bartdecker.nl
Received: from xxxxxx.nl
by xxxxxx.nl (Dovecot) with LMTP id WD6tC6pA9le+cQAAEaLD6Q
for <bart@bartdecker.nl>; Thu, 06 Oct 2016 14:23:59 +0200
Return-path: <alissa.ludvinka@gmail.com>
Envelope-to: bart@bartdecker.nl
Delivery-date: Thu, 06 Oct 2016 14:23:59 +0200
Received: from [172.80.212.249] (port=18241)
by xxxxxxxxx with esmtp (Exim 4.87)
(envelope-from <alissa.ludvinka@gmail.com>)
id 1bs7iQ-0003wp-JI
for bart@bartdecker.nl; Thu, 06 Oct 2016 14:23:59 +0200
Message-ID: <2987b8b6.3ab41d91.19cce.d9ef@mx.google.com>
Date: Thu, 06 Oct 2016 15:53:51 +0430
X-Google-Original-Date: Thu, 06 Oct 2016 15:53:51 +0430
MIME-Version: 1.0
From: alissa.ludvinka@gmail.com
To: bart@bartdecker.nl
Subject: Receipt 7068-586205
Content-Type: multipart/mixed;
boundary=--boundary_117_28089751-6289-1a9f-c770-0c20fb9c6442
X-Original-To: bart@bartdecker.nl
SPFCheck: Soft Fail, 30 Spam score
ReverseDNS: No reverse DNS for mailserver at 172.80.212.249, +100 Spam score
SpamTally: Final spam score: 130

Now the attachment. Uploading it to VirusTotal gives 31/54 detections, with names ranging from JS:Trojan.JS.Nemucod.DA to HEUR/Suspar.gen. Most detections refer to a trojan called Nemucod. Probably no coincidence, then, that there is a blog post on WeLiveSecurity titled “Nemucod is back and serving an ad-clicking backdoor instead of ransomware”.

From that post I learn that Nemucod is the downloader for the actual trojan, called Win32/Kovter. In the comments on WeLiveSecurity I read that, aside from downloading Win32/Kovter, it still encrypts files.

So let’s have a closer look in a lab environment. The “Receipt” attachment is a ZIP file which contains a Windows Script File (WSF) named 6562871224.wsf.

You can inspect the ZIP (or any other binary) with binwalk, which scans a file for embedded file signatures and shows what it contains before you extract anything.

So let’s extract the zip file and move the extracted file over to an isolated Windows 7 machine.

Will add to this when analysis progresses ->

One of the base64 strings decodes to a User-Agent string (IE 6 on Windows 2000):

TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
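To make the base64 step repeatable, here is a small shell script, an added example that is not part of the original analysis, which pulls every base64-looking token out of a script file and prints only those that decode to printable ASCII, which is how strings such as a User-Agent are usually hidden. The WSF snippet it runs on is constructed for the demo (it is not the real 6562871224.wsf); point the function at the extracted file on the analysis box instead.

```shell
#!/bin/sh
# Added example, not from the original post: harvest base64-looking tokens from
# an obfuscated script and keep only the ones that decode to printable ASCII.
# The sample file below is constructed for the demo, not the real attachment.

extract_b64_strings() {
    # $1 = path to the script under analysis
    # 20+ base64 characters with optional padding; shorter runs are mostly noise
    LC_ALL=C grep -oE '[A-Za-z0-9+/]{20,}={0,2}' "$1" | sort -u |
    while IFS= read -r token; do
        # tokens that are not valid base64 (wrong length etc.) are skipped
        decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || continue
        # drop anything with non-printable bytes: likely an identifier, not data
        [ -z "$(printf '%s' "$decoded" | LC_ALL=C tr -d '[:print:]')" ] || continue
        printf '%s\n' "$decoded"
    done
}

# constructed sample, mimicking the shape of the obfuscated WSF
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<job><script language="JScript">
var efioppocsonny5achievment = function(efioppocsonny5bidttt) { return efioppocsonny5bidttt; };
var abbida = "TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=";
var Maze = new ActiveXObject("MSXML2.XMLHTTP");
</script></job>
EOF

extract_b64_strings "$SAMPLE"
```

The long identifier names in the sample look like base64 too, but they either have an invalid length or decode to bytes outside the printable range, so only the User-Agent survives the filter. Expect some false positives on a real sample (long hex or alphanumeric constants that happen to decode cleanly); the filter is a triage aid, not a proof.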

Hosts that appear to serve the files to download (with the IP they resolved to, where available) ->

keygamepc.com 103.7.41.178
kv6j.net 69.161.143.154
naturesagro.com 184.154.142.202
drsearscoach.com 23.235.217.84
stenokeid.org
oofyming.com
veddanagor.net

 


Some of the functions found in the script (name, parameters, local variables):

global: Maze, abbida, efioppocsonny5achievment, efioppocsonny5lololosh, efioppocsonnyEmptyVara, efioppocsonnyREPONAFT, unpack

dirs(): no parameters

shuffle(array): parameter array; variable counter

random(array): parameter array; variables element, i

Zhido(a1a, b2b): parameters a1a, b2b

unpack(xs): parameter xs

efioppocsonny5achievment(efioppocsonny5bidttt): parameter efioppocsonny5bidttt

Using SQLMap for SQL injection in SOAP Service

I have spent way too much time behind the terminal lately. Since setting up my test lab with Kali, Metasploitable 2 and Mutillidae (2.6.40) it’s all terminal and no gardening. As posted before, Mutillidae is “a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts.” You can find the whole feature list at the Mutillidae site. Today I’m going to show you how to use sqlmap to exploit a vulnerability in one of Mutillidae’s web services, namely “Lookup User”.


SOAP/WSDL

The first thing you need is a tool to play around with the SOAP messages; SoapUI will do. It lets you load the WSDL, which describes the services offered by the Mutillidae web service.

Wikipedia:

WSDL (Web Services Description Language) is an XML-based interface definition language that is used for describing the functionality offered by a web service.

The Mutillidae web service supports several operations, as you can see from the WSDL below: getUser, createUser, updateUser and deleteUser.

We’ll use the createUser operation in the example.

(The WSDL as served HTML-escapes the sample requests inside its documentation elements; they are shown decoded here.)

<?xml version="1.0" encoding="ISO-8859-1"?>
<definitions xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="urn:ws-user-account" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="urn:ws-user-account">
<types>
<xsd:schema targetNamespace="urn:ws-user-account">
 <xsd:import namespace="http://schemas.xmlsoap.org/soap/encoding/" />
 <xsd:import namespace="http://schemas.xmlsoap.org/wsdl/" />
</xsd:schema>
</types>
<message name="getUserRequest">
  <part name="username" type="xsd:string" /></message>
<message name="getUserResponse">
  <part name="return" type="xsd:xml" /></message>
<message name="createUserRequest">
  <part name="username" type="xsd:string" />
  <part name="password" type="xsd:string" />
  <part name="signature" type="xsd:string" /></message>
<message name="createUserResponse">
  <part name="return" type="xsd:xml" /></message>
<message name="updateUserRequest">
  <part name="username" type="xsd:string" />
  <part name="password" type="xsd:string" />
  <part name="signature" type="xsd:string" /></message>
<message name="updateUserResponse">
  <part name="return" type="xsd:xml" /></message>
<message name="deleteUserRequest">
  <part name="username" type="xsd:string" />
  <part name="password" type="xsd:string" /></message>
<message name="deleteUserResponse">
  <part name="return" type="xsd:xml" /></message>
<portType name="ws-user-accountPortType">
  <operation name="getUser">
    <documentation>Fetches user information if user exists else returns error message

        Sample Request (Copy and paste into Burp Repeater)

        POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
        Accept-Encoding: gzip,deflate
        Content-Type: text/xml;charset=UTF-8
        Content-Length: 458
        Host: localhost
        Connection: Keep-Alive
        User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

        <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-user-account">
           <soapenv:Header/>
           <soapenv:Body>
              <urn:getUser soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
                 <username xsi:type="xsd:string">Jeremy</username>
              </urn:getUser>
           </soapenv:Body>
        </soapenv:Envelope></documentation>
    <input message="tns:getUserRequest"/>
    <output message="tns:getUserResponse"/>
  </operation>
  <operation name="createUser">
    <documentation>Creates new user account

            Sample Request (Copy and paste into Burp Repeater)

            POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
            Accept-Encoding: gzip,deflate
            Content-Type: text/xml;charset=UTF-8
            Content-Length: 587
            Host: localhost
            Connection: Keep-Alive
            User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

            <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-user-account">
               <soapenv:Header/>
               <soapenv:Body>
                  <urn:createUser soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
                     <username xsi:type="xsd:string">Joe2</username>
                     <password xsi:type="xsd:string">Holly</password>
                     <signature xsi:type="xsd:string">Try Harder</signature>
                  </urn:createUser>
               </soapenv:Body>
            </soapenv:Envelope></documentation>
    <input message="tns:createUserRequest"/>
    <output message="tns:createUserResponse"/>
  </operation>
  <operation name="updateUser">
    <documentation>If account exists, updates existing user account else creates new user account

            Sample Request (Copy and paste into Burp Repeater)

            POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
            Accept-Encoding: gzip,deflate
            Content-Type: text/xml;charset=UTF-8
            Content-Length: 587
            Host: localhost
            Connection: Keep-Alive
            User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

            <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-user-account">
               <soapenv:Header/>
               <soapenv:Body>
                  <urn:updateUser soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
                     <username xsi:type="xsd:string">Joe2</username>
                     <password xsi:type="xsd:string">Holly</password>
                     <signature xsi:type="xsd:string">Try Harder</signature>
                  </urn:updateUser>
               </soapenv:Body>
            </soapenv:Envelope></documentation>
    <input message="tns:updateUserRequest"/>
    <output message="tns:updateUserResponse"/>
  </operation>
  <operation name="deleteUser">
    <documentation>If account exists, deletes user account

            Sample Request (Copy and paste into Burp Repeater)

            POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1
            Accept-Encoding: gzip,deflate
            Content-Type: text/xml;charset=UTF-8
            Content-Length: 587
            Host: localhost
            Connection: Keep-Alive
            User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

            <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-user-account">
               <soapenv:Header/>
               <soapenv:Body>
                  <urn:deleteUser soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
                     <username xsi:type="xsd:string">Joe</username>
                     <password xsi:type="xsd:string">Holly</password>
                  </urn:deleteUser>
               </soapenv:Body>
            </soapenv:Envelope>
            </documentation>
    <input message="tns:deleteUserRequest"/>
    <output message="tns:deleteUserResponse"/>
  </operation>
</portType>
<binding name="ws-user-accountBinding" type="tns:ws-user-accountPortType">
  <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
  <operation name="getUser">
    <soap:operation soapAction="urn:ws-user-account#getUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
  <operation name="createUser">
    <soap:operation soapAction="urn:ws-user-account#createUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
  <operation name="updateUser">
    <soap:operation soapAction="urn:ws-user-account#updateUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
  <operation name="deleteUser">
    <soap:operation soapAction="urn:ws-user-account#deleteUser" style="rpc"/>
    <input><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></input>
    <output><soap:body use="encoded" namespace="urn:ws-user-account" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></output>
  </operation>
</binding>
<service name="ws-user-account">
  <port name="ws-user-accountPort" binding="tns:ws-user-accountBinding">
    <soap:address location="http://xxx.xx.1.1x/mutillidae/webservices/soap/ws-user-account.php"/>
  </port>
</service>
</definitions>

Download the WSDL by saving the web page as XML. Load the saved XML into SoapUI or your tool of preference.

As you can see in the screenshot below, the WSDL is loaded and shows all operations provided by the Mutillidae web service, together with the SOAP message for creating a user. Just hit the play button to see what happens. In the left window you’ll see the response of the web service. In my case the response says the user already exists, simply because I had hit the play button too often.


Burp Suite

What we want now is to capture the SOAP request going to the web service with Burp Suite. We can then feed the captured request to sqlmap to check whether SQL injection is possible in one of the parameters used in the request (username, password or signature).

In SoapUI go to File -> Preferences -> Proxy Settings and point it at the same address and port that Burp Suite listens on. In Burp Suite the listener is configured under Proxy -> Options (the last tab). Make sure the “Intercept Client Requests” and “Intercept Server Responses” rules are set the way you want (I unchecked everything on both the client and the server side, added the rule “URL is in target scope” and moved it to the top; under the Target tab, add the IP/URL you use for Mutillidae to the scope).

Check that the listener is up and running with netstat -ln | grep “port number you use for the proxy” (the -n keeps the port numeric instead of translating it into a service name, which would make the grep miss it). Once you have confirmed the listener is up, go back to SoapUI and hit the play button again to send the SOAP message to the web service. This time Burp Suite intercepts the request. What you see in Burp Suite is the SOAP message with the headers of the POST request added to it.


sqlmap

Save the whole request to a file (right click -> “Copy to file”). That file is the input for sqlmap’s -r parameter.

Start a terminal window and use the following command to start sqlmap ->

sqlmap -r /pathtoyoursavedfile/savedfile.txt --technique B -p username --current-user


This command replays the saved request against the web service to see whether the parameter named with -p (username) is injectable. The technique is restricted to boolean-based blind (--technique B). The --current-user option tells sqlmap to try to retrieve the database user, which in our case is root@localhost. Note that -p limits testing to that single parameter; leave it out to have sqlmap test username, password and signature, and leave out --technique B to let it try the other techniques (error-based, UNION, stacked queries, time-based blind and inline queries) as well. You can play around with the command line with some help from the sqlmap usage page.
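The raw request that Burp hands you is just text, so you can also write it yourself. The shell script below is an added example, not code from the original post or from Mutillidae: it builds the same createUser request as the WSDL’s sample (the host 192.0.2.10 and the values Joe2, Holly and Try Harder are assumptions taken from that sample) and emits a file for sqlmap -r. It also shows sqlmap’s custom injection marker (*) placed behind a value, which makes -p unnecessary.

```shell
#!/bin/sh
# Added example, not from the original post: write the raw HTTP request that
# "sqlmap -r" expects, without going through SoapUI and Burp. Host, path and
# parameter values are assumptions taken from the WSDL's sample request.

soap_body() {
    # $1 operation, $2 username, $3 password, [$4 signature]
    # deleteUser takes no signature in the WSDL, so it is only emitted when given.
    # Values are inserted verbatim (no XML escaping) so a marker like Joe2* survives.
    printf '%s\n' '<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-user-account">'
    printf '   <soapenv:Header/>\n   <soapenv:Body>\n'
    printf '      <urn:%s soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n' "$1"
    printf '         <username xsi:type="xsd:string">%s</username>\n' "$2"
    printf '         <password xsi:type="xsd:string">%s</password>\n' "$3"
    if [ $# -ge 4 ]; then
        printf '         <signature xsi:type="xsd:string">%s</signature>\n' "$4"
    fi
    printf '      </urn:%s>\n   </soapenv:Body>\n</soapenv:Envelope>' "$1"
}

build_request() {
    # $1 host[:port], $2 operation, $3 username, $4 password, [$5 signature]
    body=$(soap_body "$2" "$3" "$4" ${5+"$5"})
    # Content-Length is computed from the body so the file also replays
    # unchanged through Burp Repeater or curl; sqlmap recalculates it anyway
    # once it starts mutating the parameters.
    printf 'POST /mutillidae/webservices/soap/ws-user-account.php HTTP/1.1\n'
    printf 'Host: %s\n' "$1"
    printf 'Content-Type: text/xml;charset=UTF-8\n'
    printf 'Connection: close\n'
    printf 'Content-Length: %s\n' "${#body}"
    printf '\n%s\n' "$body"
}

OUT_DIR=$(mktemp -d)
# Plain request, equivalent to what Burp captured; test it with -p username.
build_request 192.0.2.10 createUser Joe2 Holly 'Try Harder' > "$OUT_DIR/soap-createUser.txt"
# Same request with sqlmap's injection marker after the username; with a
# marker in the file sqlmap tests only that spot and -p is not needed.
build_request 192.0.2.10 createUser 'Joe2*' Holly 'Try Harder' > "$OUT_DIR/soap-createUser-marked.txt"
printf 'request files written to %s\n' "$OUT_DIR"
```

Then run sqlmap -r "$OUT_DIR/soap-createUser.txt" --technique B -p username --current-user as in the post, or sqlmap -r "$OUT_DIR/soap-createUser-marked.txt" --current-user to let the marker decide where the payloads go.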

sqlmap is an easy-to-use tool to check for SQL injection points. Once you know how to assemble the request or what target to hit, sqlmap does the rest, which saves a lot of time. The downside of such a tool is that you don’t need much knowledge to use it; the above is more of a trick that teaches you little about what SQL injection is actually about.

Some recommended sources for a deeper understanding of SQL injection:

  1. Testing for SQL Injection at OWASP.org
  2. Watch the whole web pen-testing workshop given by Jeremy Druin and Conrad Reynolds.
  3. Vulnerable by Design -> a great source for vulnerable VM images

How to change screen resolution for Kali on Hyper-v

Changing the screen resolution for Kali Linux running on Hyper-V is very simple ->

  1. Open a terminal.
  2. Type: sudo vi /etc/default/grub (or use nano or another editor).
  3. Find the line starting with GRUB_CMDLINE_LINUX_DEFAULT and add video=hyperv_fb:[the resolution you want]. The resolution I want is 1280x720 (use a plain ASCII “x” between width and height, not a multiplication sign), so my line ends up looking like this: GRUB_CMDLINE_LINUX_DEFAULT="quiet splash video=hyperv_fb:1280x720"
  4. sudo update-grub
  5. Reboot your system and you are done.

 

Update Mutillidae to version 2.6.40 on Metasploitable 2

Update -> I just found out that updating Mutillidae on Metasploitable 2 renders some of the exploitable features of Metasploitable 2 invalid. The new version of Mutillidae needs a newer version of PHP because of a bug in PHP 5.2. With the combination of the old PHP and the new Mutillidae you can create an account on the Mutillidae site, but you cannot log in. Jeremy Druin marked this bug as “won’t fix”.

What is Mutillidae?

And now for something completely different. Having some more spare time, I picked up an interest in capture-the-flag style online “hacking” games; see root-me.org or ctf365.com for examples. These sites host several kinds of challenges, either stand-alone challenges (forensics, realistic challenges, cracking, cryptography, web application vulnerabilities) or capture-the-flag challenges. In a capture-the-flag challenge you are in a room with a number of other people and a virtual machine running in that environment. The virtual machine runs services and web applications that are intentionally made vulnerable to several exploits; the person who captures the flag first (the first to hack it) wins the round. The virtual machine is then shut down and a new round starts. Root-me.org has about 20-25 virtual machines to choose from. Most of them can also be downloaded as a virtual machine to spin up in your own test environment.

As said, the vulnerabilities are present either in services (MySQL, IIS, DNS) or in web applications. Mutillidae is more of a platform, running on Metasploitable 2, that gives you almost endless possibilities to learn about application penetration testing (XSS, SQL injection, HTML injection, session hijacking, the whole OWASP Top 10 and many more).

Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administrate their own web server. It is already installed on Samurai WTF; simply replace the existing version with the latest on Samurai. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them, providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiasts, classroom labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web security training courses, and as an “assess the assessor” target for vulnerability software.


There are a lot of tutorials on how to install Metasploitable 2 in your own lab.

Updating Mutillidae on Metasploitable 2

The version that comes with Metasploitable 2 is not the latest one. So if you want to update Mutillidae on your Metasploitable 2 machine, follow the steps below ->

  1. Check the latest version on the SourceForge page.
  2. Log in to your Metasploitable machine as msfadmin.
  3. Go to the /var/www directory.
  4. Rename the mutillidae directory to mutillidae.bak (use sudo, otherwise access is denied).
  5. Download the latest version of Mutillidae with wget (replace x.x.xx with the version found in step 1) -> wget http://sourceforge.net/projects/mutillidae/files/mutillidae-project/LATEST-x.x.xx.zip/download --no-check-certificate
  6. Unzip the downloaded file (unzip LATEST…, use sudo).
  7. Test the site; you need to reset the database to make it work.
  8. The following warning will appear, which is easy to fix by installing php5-curl: “Warning: Detected PHP Curl is not installed on the server. This may cause issues detecting or downloading remote files. The server operating system seems to be Linux. You may be able to install with sudo apt-get install php5-curl”
  9. The apt-get for php5-curl will throw a 404 error, because the package repositories for the old Ubuntu release on Metasploitable 2 have moved. Follow the small tutorial on changing the repository location for Ubuntu.


Containers for the Virtualization Admin (webinar)

Thursday, June 16
10:00 PST | 13:00 EST

As the use of containers becomes more popular for the enterprise, what does it mean for VMs?

In this webinar Mike Coleman, Technical Marketing Engineer and Chris Hines, Product Marketing Manager at Docker, will discuss the difference between containers and virtual machines, and explain how the two can coexist. Get your questions answered during the Q&A.

Speakers:

Mike Coleman, Sr. Technical Marketing Engineer at Docker. Mike creates and delivers technical content to Docker’s customers and community.

Chris Hines, Product Marketing Manager at Docker. Chris helps to develop and share the Docker story with the world. He works closely with Docker customers to understand how Docker is enabling enterprises to build, ship and run their applications, anywhere.

Azure VPN Gateway (Resource Manager) problem

Since my previous post about setting up Pfsense/VPN for use with Azure, I have rebooted my system several times. Usually I only power on my test lab when working on it.

After every reboot, at least when trying with short intervals, I was unable to get the VPN up and running again. I had the same problem yesterday, but not seeing the pattern of the reboot, I just recreated the site-to-site VPN @ the Azure side. After recreation, the connection, initiated from the pfsense box, was able to come up again.

So today, same problem. I found an article explaining how to reset an Azure VPN Gateway using PowerShell. However, the article describes how to reset an Azure VPN Gateway which was created in the classic model, not the Resource Manager model.

I cannot find how to reset an Azure VPN Gateway (Resource Manager model) using PowerShell, so I figured changing something on the VPN Gateway @ the Azure side of things would maybe reset or refresh the config. And indeed this works. (????) No 100% proof since I can’t be bothered too much. Already too much time spent on getting the Comtrend 3223u modem in bridge mode.

Please leave a message if you know a way to reset an Azure VPN Gateway (Resource Manager model) with PowerShell….
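As an added example (not the author's code), this is how the Resource Manager gateway can be reset from PowerShell with the Az module, the successor of the AzureRM module that was current when this post was written. It assumes you are logged in with Connect-AzAccount, and it uses the default resource names from the ARM template further down on this page; the resource group name and the 15-minute timeout are made up.

```powershell
# Added example, not the author's code: reset a Resource Manager VPN gateway
# and wait for the site-to-site connection to be re-established.
# Assumptions: Connect-AzAccount done; gateway and connection names are the
# template defaults from the post below; the resource group name is made up.
$rg = 'rg-hybrid-lab'

$gw = Get-AzVirtualNetworkGateway -Name 'VPNGateway01' -ResourceGroupName $rg

# Reset reboots the gateway instance(s); the IPsec tunnel drops for a few minutes.
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

# Poll the connection object until the pfSense side has re-negotiated IKE.
# Possible states: Unknown, Connecting, Connected, NotConnected.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $conn = Get-AzVirtualNetworkGatewayConnection -Name 'Site-To-Site' -ResourceGroupName $rg
    '{0:HH:mm:ss} {1}' -f (Get-Date), $conn.ConnectionStatus
} until ($conn.ConnectionStatus -eq 'Connected' -or (Get-Date) -gt $deadline)

if ($conn.ConnectionStatus -ne 'Connected') {
    throw "Tunnel did not come back within 15 minutes (status: $($conn.ConnectionStatus))"
}
```

If the tunnel stays in NotConnected after a reset, compare the Azure connection's shared key and the local network gateway's public IP with what pfSense has configured before recreating anything.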


Setting up site-to-site VPN to Azure with Pfsense

So this is finally the first part of creating a hybrid cloud using Pfsense to hook up the on-premise resources to the cloud (Azure). The best way to go is of course to implement Azure Stack locally, to go full hybrid using the same technology stack on premise as is used in Azure itself. Going hybrid without Azure Stack, using a VPN tunnel or, for larger customers, ExpressRoute, is a good intermediate step to prepare for the future full hybrid and multi-cloud scenarios. It creates the possibility to have some of your workloads in the cloud (dev & test environments) while keeping your old monitoring tools, or to mix both old and new (for example SCOM & OMS).

I struggled a bit with my Comtrend 3223U router from Tele2. There is not much documentation available on how to put this ADSL modem in bridge mode. After “hacking” the modem (see previous post) I got admin access to the modem. But even then it’s hard to figure out how to put this modem in bridge mode in a way that it still works with my ISP.

I ultimately decided to just route the traffic behind pfsense through the ADSL modem instead of using pfsense as the “modem”. If I want, I can use the DMZ Host option of my ADSL modem to make sure all packets from the internet end up @ the pfsense virtual machine.

Quick Pfsense howto ->

1. Download the Pfsense ISO @ Pfsense.org.
2. Unpack the file and create a 512MB, Generation 1 VM; use the downloaded and unpacked ISO as the boot image for the VM.
3. Add two virtual switches: one Private virtual switch and one External virtual switch. Add two network adapters and hook one up to the private virtual switch and the other one to the external virtual switch.

4. Boot from the downloaded Pfsense image and configure both the WAN and the LAN interface.

  • In bridge mode you can set the WAN interface to DHCP. It will receive an IP from your ISP.
  • I used a static IP address which is in the same subnet as the ISP modem for the WAN interface.
  • I used a static IP address which is in my local LAN subnet for the LAN interface.
  • I have added an upstream gateway on the WAN interface to point to the IP of the ISP modem.

5. Once done you can access the Pfsense web GUI to adjust or check your Pfsense config and to configure IPsec to connect to Azure. Accessing the Pfsense web GUI is done by typing the LAN interface IP in your web browser.


6. In the Pfsense GUI go to VPN -> IPsec.

7. Click on Add P1; you will see the screen below.

  • The only things you need to fill out here are (1) the Remote Gateway IP and (2) the pre-shared key. Leave the browser open; we will come back to this in just a second.

Configure Azure site to site VPN using an ARM template.

  1. You can use the code below and deploy the template using PowerShell or Visual Studio. Or you can just hit the button below to get redirected to the Azure Portal ->


{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vpnType": {
            "type": "string",
            "metadata": {
                "description": "Route based or policy based"
            },
            "defaultValue": "RouteBased",
            "allowedValues": [
                "RouteBased",
                "PolicyBased"
            ]
        },
        "localGatewayName": {
            "type": "string",
            "defaultValue": "onpremVPNGateway01",
            "metadata": {
                "description": "Arbitrary name for gateway resource representing "
            }
        },
        "localGatewayIpAddress": {
            "type": "string",
            "defaultValue": "X.X.X.X",
            "metadata": {
                "description": "Public IP of your local GW"
            }
        },
        "localAddressPrefix": {
            "type": "string",
            "defaultValue": "192.168.0.0/16",
            "metadata": {
                "description": "CIDR block representing the address space of the OnPremise VPN network's Subnet"
            }
        },
        "virtualNetworkName": {
            "type": "string",
            "defaultValue": "Vnet01",
            "metadata": {
                "description": "Arbitrary name for the Azure Virtual Network"
            }
        },
        "azureVNetAddressPrefix": {
            "type": "string",
            "defaultValue": "10.10.0.0/16",
            "metadata": {
                "description": "CIDR block representing the address space of the Azure VNet"
            }
        },
        "subnetName": {
            "type": "string",
            "defaultValue": "Subnet01",
            "metadata": {
                "description": "Arbitrary name for the Azure Subnet"
            }
        },
        "subnetPrefix": {
            "type": "string",
            "defaultValue": "10.10.2.0/24",
            "metadata": {
                "description": "CIDR block for VM subnet, subset of azureVNetAddressPrefix address space"
            }
        },
        "gatewaySubnetPrefix": {
            "type": "string",
            "defaultValue": "10.10.1.0/29",
            "metadata": {
                "description": "CIDR block for gateway subnet, subset of azureVNetAddressPrefix address space"
            }
        },
        "gatewayPublicIPName": {
            "type": "string",
            "defaultValue": "VPNGatewayIP",
            "metadata": {
                "description": "Arbitrary name for public IP resource used for the new azure gateway"
            }
        },
        "gatewayName": {
            "type": "string",
            "defaultValue": "VPNGateway01",
            "metadata": {
                "description": "Arbitrary name for the new gateway"
            }
        },
        "connectionName": {
            "type": "string",
            "defaultValue": "Site-To-Site",
            "metadata": {
                "description": "Arbitrary name for the new connection between Azure VNet and other network"
            }
        },
        "sharedKey": {
            "type": "securestring",
            "metadata": {
                "description": "Shared key (PSK) for IPSec tunnel"
            }
        }
    },
    "variables": {
        "Location": "[resourceGroup().location]",
        "vnetID": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
        "gatewaySubnetRef": "[concat(variables('vnetID'),'/subnets/','GatewaySubnet')]",
        "subnetRef": "[concat(variables('vnetID'),'/subnets/',parameters('subnetName'))]",
        "api-version": "2015-06-15"
    },
    "resources": [
        {
            "apiVersion": "[variables('api-version')]",
            "type": "Microsoft.Network/localNetworkGateways",
            "name": "[parameters('localGatewayName')]",
            "location": "[variables('location')]",
            "properties": {
                "localNetworkAddressSpace": {
                    "addressPrefixes": [
                        "[parameters('localAddressPrefix')]"
                    ]
                },
                "gatewayIpAddress": "[parameters('localGatewayIpAddress')]"
            }
        },
        {
            "apiVersion": "[variables('api-version')]",
            "name": "[parameters('connectionName')]",
            "type": "Microsoft.Network/connections",
            "location": "[variables('location')]",
            "dependsOn": [
                "[concat('Microsoft.Network/virtualNetworkGateways/', parameters('gatewayName'))]",
                "[concat('Microsoft.Network/localNetworkGateways/', parameters('localGatewayName'))]"
            ],
            "properties": {
                "virtualNetworkGateway1": {
                    "id": "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('gatewayName'))]"
                },
                "localNetworkGateway2": {
                    "id": "[resourceId('Microsoft.Network/localNetworkGateways', parameters('localGatewayName'))]"
                },
                "connectionType": "IPsec",
                "routingWeight": 10,
                "sharedKey": "[parameters('sharedKey')]"
            }
        },
        {
            "apiVersion": "[variables('api-version')]",
            "type": "Microsoft.Network/virtualNetworks",
            "name": "[parameters('virtualNetworkName')]",
            "location": "[variables('location')]",
            "properties": {
                "addressSpace": {
                    "addressPrefixes": [
                        "[parameters('azureVNetAddressPrefix')]"
                    ]
                },
                "subnets": [
                    {
                        "name": "[parameters('subnetName')]",
                        "properties": {
                            "addressPrefix": "[parameters('subnetPrefix')]"
                        }
                    },
                    {
                        "name": "GatewaySubnet",
                        "properties": {
                            "addressPrefix": "[parameters('gatewaySubnetPrefix')]"
                        }
                    }
                ]
            }
        },
        {
            "apiVersion": "[variables('api-version')]",
            "type": "Microsoft.Network/publicIPAddresses",
            "name": "[parameters('gatewayPublicIPName')]",
            "location": "[variables('location')]",
            "properties": {
                "publicIPAllocationMethod": "Dynamic"
            }
        },
        {
            "apiVersion": "[variables('api-version')]",
            "type": "Microsoft.Network/virtualNetworkGateways",
            "name": "[parameters('gatewayName')]",
            "location": "[variables('location')]",
            "dependsOn": [
                "[concat('Microsoft.Network/publicIPAddresses/', parameters('gatewayPublicIPName'))]",
                "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
            ],
            "properties": {
                "ipConfigurations": [
                    {
                        "properties": {
                            "privateIPAllocationMethod": "Dynamic",
                            "subnet": {
                                "id": "[variables('gatewaySubnetRef')]"
                            },
                            "publicIPAddress": {
                                "id": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('gatewayPublicIPName'))]"
                            }
                        },
                        "name": "vnetGatewayConfig"
                    }
                ],
                "gatewayType": "Vpn",
                "vpnType": "[parameters('vpnType')]",
                "enableBgp": "false"
            }
        }
    ]
}

2. The ARM template will create the following:

a. Vnet01, which will be the Azure local network.

b. VPNGateway01, which holds the config of the VPN on the Azure side of things.

c. VPNGatewayIP -> the external IP from Azure. This is the Remote Gateway IP you need to fill out @ Pfsense.

d. OnPremVPNGateway01 -> this defines the local, on-premise network. This resource holds the local, on-premise network ranges. All ranges defined here will be routed using the created VPN. The IP address belonging to OnPremVPNGateway01 itself is of course your own public IP address.

e. Site-To-Site -> this holds the pre-shared key which you need for the Pfsense config.

3. You can accept all the defaults here. The only changes needed are to fill out your local VPN gateway’s IP address (localGatewayIpAddress) and the localAddressPrefix (which is the local IP range).

You also have the option between the following two VPN types ->

  • Policy-based VPN type: Policy-based VPNs were previously called static routing gateways in the classic deployment model. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on premises network and the Azure VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration. The value for a policy-based VPN type is PolicyBased.
  • Route-based VPN type: Route-based VPNs were previously called dynamic routing gateways in the classic deployment model. Route-based VPNs use “routes” in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy (or traffic selector) for route-based VPNs are configured as any-to-any (or wild cards). The value for a route-based VPN type is RouteBased.

Ok, the Azure site-to-site VPN deployment will run for a while. I don’t know if the speed depends on the subscription (I have a free Visual Studio developer subscription), but it takes quite long.
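Deploying the template above from PowerShell and then collecting the two values pfSense needs (the gateway's public IP and the pre-shared key), as an added example that is not part of the original post. It uses the Az module and the template's default resource names; the resource group name, the local file name of the template, and the on-premise values are assumptions you replace with your own.

```powershell
# Added example, not the author's code: deploy the ARM template from this post
# with the Az module and read back what pfSense phase 1 needs.
# Assumptions: Connect-AzAccount done; the template is saved as .\s2s-vpn.json;
# the resource group exists; resource names are the template defaults.
$rg          = 'rg-hybrid-lab'      # made-up resource group name
$onPremIp    = 'X.X.X.X'            # your public IP  -> localGatewayIpAddress
$onPremRange = '192.168.0.0/16'     # your LAN range  -> localAddressPrefix

# Generate a random 32-byte PSK instead of typing a guessable one; the template
# declares sharedKey as securestring, so it is passed as a SecureString.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pskPlain  = [Convert]::ToBase64String($bytes)
$pskSecure = ConvertTo-SecureString $pskPlain -AsPlainText -Force

$params = @{
    localGatewayIpAddress = $onPremIp
    localAddressPrefix    = $onPremRange
    sharedKey             = $pskSecure
}

# The VPN gateway takes a long time to provision; this call blocks until the
# whole deployment has finished.
New-AzResourceGroupDeployment -ResourceGroupName $rg `
    -TemplateFile '.\s2s-vpn.json' -TemplateParameterObject $params -Verbose

# Remote Gateway IP for pfSense phase 1 (the public IP was "Dynamic", so it is
# only known after the gateway exists).
$gwIp = (Get-AzPublicIpAddress -Name 'VPNGatewayIP' -ResourceGroupName $rg).IpAddress

# Pre-shared key as stored on the connection; verify it matches what we sent.
$psk = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name 'Site-To-Site' -ResourceGroupName $rg
if ($psk -ne $pskPlain) { throw 'Shared key on the connection differs from the one deployed' }

"Remote Gateway IP : $gwIp"
"Pre-shared key    : $psk"
```

The remote network for pfSense phase 2 is the template's azureVNetAddressPrefix (10.10.0.0/16 by default); it must not overlap localAddressPrefix, or traffic for one side will never enter the tunnel.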

4. Once completed, gather the external IP given by Azure (VPNGatewayIP) and the pre-shared key (Site-To-Site resource -> shared key).

5. Go back to your browser and complete the phase 1 IPsec config with both the Azure Gateway IP & Shared Key. Click on Save.

6. Now add phase 2 (Add P2) to the phase 1 IPsec config. Here you have to define the remote network. Leave all defaults, except fill out the remote network (this is the range that belongs to Azure Vnet01 with the accompanying subnet). Hit Save.

7. The end result should be like this ->

8. In Status -> Gateway you can hit Connect to test the connection.


In Part II we’re going to deploy some servers to the cloud and on premise and link them to each other (SCOM, OMS).

Please feel free to ask any question regarding Azure, Pfsense or Hybrid Cloud scenarios.

Get admin access to your Tele2 3223u ADSL Modem

Just a quick post about getting access to your Comtrend Tele2 3223u ADSL Modem. There are several posts on the internet about getting admin access. The best post is probably the one found here. However, this did not work for me.

Follow the guide on the link above but use ->

<AdminPassword notification="2">BASE64encodedpwd=</AdminPassword>

instead of the AdminPassword line shown in the guide. I constantly get an illegal image error when following that post. The above will give you admin access to your Comtrend Tele2 3223u ADSL Modem.