Defeating VPN Always-On

Presented at DEF CON 31 (2023), Aug. 12, 2023, 10 a.m. (45 minutes)

VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through VPN. It is designed to prevent data leaks and narrow the attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunneled. We will review the relevant Windows API and the practicalities of this feature, look at popular VPN software; we will then consider ridiculously complex exfil methods and... finally bypass it with unexpectedly trivial tricks. We will exploit design, implementation and configuration issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployment to further limit the risks posed by untrusted networks.

References:

VPN on untrusted networks, captive portals:

  • ANSSI (France), Recommandations sur le nomadisme numérique, section 3.4.3 "Maîtrise des flux réseaux sur le poste de travail" (control of network flows on the workstation): https://www.ssi.gouv.fr/uploads/2018/10/guide_nomadisme_anssi_pa_054_v1.pdf (I will translate the relevant part in my slide)

Understanding the Windows Filtering Platform:

  • Microsoft documentation: https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page
  • Pavel Yosifovich, Introduction to the Windows Filtering Platform: https://scorpiosoftware.net/2022/12/25/introduction-to-the-windows-filtering-platform/
  • Pavel Yosifovich, WFPExplorer: https://github.com/zodiacon/WFPExplorer
  • Sagie Dulce, wtf-wfp: https://github.com/zeronetworks/wtf-wfp

Reverse engineering of the Windows Filtering Platform and its implementation in Windows VPN agents:

  • Ole André V. Ravnås, Frida: https://frida.re/
  • James Forshaw, NtObjectManager (sandbox-attacksurface-analysis-tools): https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtObjectManager
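Because the Always-On enforcement the talk examines is implemented with Windows Filtering Platform filters, the first thing a practitioner wants is a snapshot of the filters actually installed on an enrolled endpoint, so that every PERMIT in the outbound connect layers (the place where a configuration mistake lets traffic leave outside the tunnel) can be reviewed. The script below is an added example written for this page; it is not code from the talk, from the speaker, or from any VPN vendor. It relies on `netsh wfp show filters`, which dumps the current filter set to an XML file; the element names it reads (`wfpdiag/filters/item`, `displayData/name`, `providerKey`, `layerKey`, `subLayerKey`, `action/type`, `filterCondition/item` with `fieldKey`, `matchType`, `conditionValue`) are an assumption about that file's layout and should be checked against a real dump before trusting the output.

```powershell
# Added example, not from the talk or any vendor: enumerate WFP filters and list the
# PERMIT filters in the outbound ALE connect layers, where an Always-On policy is
# expected to block everything except the VPN gateway.
# Assumptions (not confirmed by the page): run as administrator; `netsh wfp show filters`
# writes XML laid out as <wfpdiag><filters><item>...</item></filters></wfpdiag>, each item
# carrying filterKey, displayData/name, providerKey, layerKey, subLayerKey, action/type
# and filterCondition/item (fieldKey, matchType, conditionValue with a typed child).
#Requires -RunAsAdministrator

# Return the text of the typed child of a WFP value element (e.g. <uint8>, <v4AddrMask>),
# skipping the <type> tag that only names the FWP_* data type.
function Get-WfpTypedValue {
    param([System.Xml.XmlElement]$Node)
    if ($null -eq $Node) { return '' }
    $child = $Node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' -and $_.Name -ne 'type' } | Select-Object -First 1
    if ($null -eq $child) { return '' }
    return $child.InnerText
}

# Dump the live filter set to XML and parse it.
$xmlPath = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$xmlPath" | Out-Null
[xml]$doc = Get-Content -Path $xmlPath -Raw

$filters = foreach ($item in $doc.wfpdiag.filters.item) {
    # Flatten each condition to "field match value" so the scope of a filter is readable.
    $conds = foreach ($c in $item.filterCondition.item) {
        '{0} {1} {2}' -f $c.fieldKey, $c.matchType, (Get-WfpTypedValue $c.conditionValue)
    }
    [pscustomobject]@{
        Name       = $item.displayData.name
        Provider   = $item.providerKey
        Layer      = $item.layerKey
        SubLayer   = $item.subLayerKey
        Weight     = Get-WfpTypedValue $item.weight
        Action     = $item.action.type          # FWP_ACTION_PERMIT / FWP_ACTION_BLOCK / ...
        Conditions = ($conds -join ' ; ')
    }
}

# Any PERMIT in the outbound connect layers that is not scoped to the VPN gateway
# (remote address / port / application conditions) is a candidate bypass to review.
$connectLayers = 'FWPM_LAYER_ALE_AUTH_CONNECT_V4', 'FWPM_LAYER_ALE_AUTH_CONNECT_V6'
$filters |
    Where-Object { $_.Layer -in $connectLayers -and $_.Action -eq 'FWP_ACTION_PERMIT' } |
    Sort-Object Layer, Provider, Name |
    Format-Table Name, Provider, SubLayer, Weight, Conditions -AutoSize -Wrap

# Keep the full table for offline comparison (e.g. before and after the VPN agent connects).
$filters | Export-Csv -Path (Join-Path $env:TEMP 'wfp-filters.csv') -NoTypeInformation
```

Run it twice, once on an untrusted network before the tunnel is up (captive-portal state) and once with the VPN connected, and diff the two CSVs: filters that only exist in the first state are the ones the Always-On policy relies on, and any permit among them whose conditions do not pin the remote address to the gateway is exactly the kind of configuration issue the talk exploits. The same dump is what WFPExplorer and wtf-wfp from the references show interactively.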

Presenters:

  • Maxime Clementz - Cybersecurity Senior Manager at PwC Luxembourg
    Maxime Clementz is a Senior Manager within the Cybersecurity Advisory team of PwC Luxembourg. He develops his ethical hacker skills by committing himself to various assignments for big companies, banks and European institutions. As a technical specialist, he leads penetration tests, red-teaming, digital forensics and incident response missions. He contributes to the development of the team’s hacking capabilities by sharing the results of his technology watch and R&D and is now leading the CSIRT and Threat Intelligence initiatives of PwC Luxembourg. He especially enjoys sharing knowledge by presenting the results of each mission or by giving talks (Hack.lu 2012, 2015, 2017) and training courses. Maxime teaches IT security at a French engineering school and organizes a Capture the Flag event for the students.
