SANS SEC575 Virtual Lab Access Information

Installing OpenVPN on the Kali Linux Course VM


To verify that the OpenVPN software is pre-installed, do the following:
  1. Log in to the Kali Linux host:
    username: root 
    password: toor
    
  2. Click on the Terminal icon in the toolbar

  3. You need to install a package called resolvconf so the OpenVPN client can update the DNS settings. Type the following command to update the list of available packages:
    root@kali:~# apt-get update
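    You should see output similar to the following. The KEYEXPIRED warnings mean that signature verification of the Release files failed, so apt keeps using the previous index files: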
    root@kali:/etc/openvpn# apt-get update
    Get:1 http://http.kali.org kali Release.gpg [819 B]
    Get:2 http://security.kali.org kali/updates Release.gpg [819 B]
    Get:3 http://http.kali.org kali Release [21.1 kB]          
    Err http://http.kali.org kali Release              
      
    Get:4 http://security.kali.org kali/updates Release [11.0 kB]
    Err http://security.kali.org kali/updates Release
      
    Fetched 1,640 B in 1s (1,367 B/s)
    Reading package lists... Done
    W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://http.kali.org kali Release: The following signatures were invalid: KEYEXPIRED 1425567400 KEYEXPIRED 1425567400 KEYEXPIRED 1425567400
    
    W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.kali.org kali/updates Release: The following signatures were invalid: KEYEXPIRED 1425567400 KEYEXPIRED 1425567400 KEYEXPIRED 1425567400
    
    W: Failed to fetch http://http.kali.org/kali/dists/kali/Release  
    
    W: Failed to fetch http://security.kali.org/kali-security/dists/kali/updates/Release  
    
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    root@kali:/etc/openvpn#
    
  4. Type the following command to install the resolvconf package:
    root@kali:~# apt-get install resolvconf
    You should see output similar to:
    root@kali:/etc/openvpn# apt-get install resolvconf
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following NEW packages will be installed:
      resolvconf
    0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
    Need to get 0 B/69.0 kB of archives.
    After this operation, 135 kB of additional disk space will be used.
    Preconfiguring packages ...
    Selecting previously unselected package resolvconf.
    (Reading database ... 345389 files and directories currently installed.)
    Unpacking resolvconf (from .../resolvconf_1.67_all.deb) ...
    Processing triggers for man-db ...
    Setting up resolvconf (1.67) ...
    Processing triggers for resolvconf ...
    root@kali:/etc/openvpn#
    
  5. Type the following command:
    root@kali:~# openvpn --version
    You should see output similar to:
    root@kali:~# openvpn --version
    OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
    
      $ ./configure --build=i486-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=i486-linux-gnu --build=i486-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
    
    Compile time defines:  ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
    root@kali:~# 
    
  6. From within the Kali Linux VM, launch Iceweasel and download your user-specific OpenVPN configuration file (unique link provided via email). Go to the URL provided in the email you received with the subject "SEC575 Virtual Lab Access". The URL is in the "User Authentication" section of the message. From the 'VPN Config' row in the table, save the file for the Kali VM in /root/Desktop.

  7. Switch back to your Terminal window, and type the following command:
    root@kali:~# cd /root/Desktop
  8. Type the following command:
    root@kali:~/Desktop# ls -l *.ovpn
    You should see output similar to:
    root@kali:~/Desktop# ls -l *.ovpn
    -rw-r--r-- 1 root root 6100 May  8 12:33 sec575-XXXXX-YYYYYY-kali.ovpn
    
    where XXXXX is your event-id and YYYYYY is your SD number for your SANS portal account.

  9. Type the following command:
    root@kali:~/Desktop# mv sec575<tab> /etc/openvpn/.
    You should see output similar to:
    root@kali:~/Desktop# mv sec575-XXXXX-YYYYYY-kali.ovpn /etc/openvpn/.
    root@kali:~/Desktop#
    

Starting OpenVPN on the Kali Linux Course VM


  1. If you do not currently have a root-level Terminal window open, open a new Terminal window and type:
    [~] sudo su -
  2. In the root-level Terminal window, run the command:
    root@kali:~# openvpn --config /etc/openvpn/sec575<tab>
    When prompted, enter the password:
    VpnPassword
    If the password is entered correctly, you should see output similar to:
    root@kali:~# openvpn --config /etc/openvpn/sec575-XXXXX-YYYYYY-kali.ovpn 
    Fri May  8 13:09:25 2015 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
    Fri May  8 13:09:25 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Fri May  8 13:09:25 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Enter Private Key Password:
    Fri May  8 13:09:27 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Fri May  8 13:09:27 2015 LZO compression initialized
    Fri May  8 13:09:27 2015 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Fri May  8 13:09:27 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
    Fri May  8 13:09:27 2015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Fri May  8 13:09:27 2015 Local Options hash (VER=V4): 'd79ca330'
    Fri May  8 13:09:27 2015 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Fri May  8 13:09:27 2015 UDPv4 link local: [undef]
    Fri May  8 13:09:27 2015 UDPv4 link remote: [AF_INET]66.35.59.70:1194
    Fri May  8 13:09:37 2015 TLS: Initial packet from [AF_INET]66.35.59.70:1194, sid=b9e943a3 3d91333d
    Fri May  8 13:09:37 2015 VERIFY OK: depth=1, /C=US/ST=Maryland/L=Bethesda/O=SANS/OU=SEC575_LAB/CN=lab-sec575/emailAddress=noc@sans.org
    Fri May  8 13:09:37 2015 VERIFY OK: depth=0, /C=US/ST=Maryland/O=SANS/OU=SEC575_LAB/CN=lab-sec575/emailAddress=noc@sans.org
    Fri May  8 13:09:37 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri May  8 13:09:37 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri May  8 13:09:37 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri May  8 13:09:37 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri May  8 13:09:37 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Fri May  8 13:09:37 2015 [lab-sec575] Peer Connection Initiated with [AF_INET]66.35.59.70:1194
    Fri May  8 13:09:39 2015 SENT CONTROL [lab-sec575]: 'PUSH_REQUEST' (status=1)
    Fri May  8 13:09:39 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.10.10,dhcp-option DOMAIN sec575.org,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.76.1 255.255.0.0'
    Fri May  8 13:09:39 2015 OPTIONS IMPORT: timers and/or timeouts modified
    Fri May  8 13:09:39 2015 OPTIONS IMPORT: --ifconfig/up options modified
    Fri May  8 13:09:39 2015 OPTIONS IMPORT: route-related options modified
    Fri May  8 13:09:39 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Fri May  8 13:09:39 2015 TUN/TAP device tap0 opened
    Fri May  8 13:09:39 2015 TUN/TAP TX queue length set to 100
    Fri May  8 13:09:39 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Fri May  8 13:09:39 2015 /sbin/ifconfig tap0 10.10.76.1 netmask 255.255.0.0 mtu 1500 broadcast 10.10.255.255
    Fri May  8 13:09:41 2015 Initialization Sequence Completed
    
  3. Open another Terminal window, and type the command:
    [~] ping -c 3 10.10.0.1
    If you see output similar to:
    root@kali:~# ping -c 3 10.10.0.1
    PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data.
    64 bytes from 10.10.0.1: icmp_req=1 ttl=64 time=51.0 ms
    64 bytes from 10.10.0.1: icmp_req=2 ttl=64 time=43.1 ms
    64 bytes from 10.10.0.1: icmp_req=3 ttl=64 time=43.2 ms
    
    --- 10.10.0.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 43.119/45.805/51.027/3.693 ms
    root@kali:~# 
    
    then congratulations, you have successfully configured the VPN and connected to the lab network, and can now do the Day 1-6 exercises.

  4. Leave OpenVPN running in the Terminal window until you no longer need the active OpenVPN connection.
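
The session output in step 2 reports several things about the tunnel that are worth flagging during review: no server certificate verification method, password caching, BF-CBC, SHA1, TLSv1 and a 1024 bit RSA key. The shell function below is an added example, not part of the course material. The rule IDs and function names are made up here, and it assumes the client output has been saved or piped to standard input.

```shell
#!/bin/sh
# Added example (not from the course material): audit saved OpenVPN client
# output for weak settings that the client reports about its own session.

# Rules, one per line: ID;extended regex;meaning. IDs are names made up here.
RULES="NO_SERVER_VERIFY;No server certificate verification method;client does not check that the peer certificate is a server certificate
PASSWORD_CACHED;may cache passwords in memory;passphrase may stay in memory (auth-nocache not set)
LEGACY_CIPHER;Data Channel Encrypt: Cipher .(BF|DES|RC2|CAST5)-;64-bit block cipher on the data channel
SHA1_HMAC;Data Channel Encrypt: .*hash .SHA1.;data channel HMAC uses SHA-1, a deprecated digest
OLD_TLS;Control Channel: TLSv1,;control channel negotiated TLS 1.0
SHORT_RSA;Control Channel: .* (512|768|1024) bit RSA;RSA key of 1024 bits or fewer"

# audit_openvpn_log: read a log on stdin, print "ID<TAB>meaning" per rule hit.
# Returns 0 when nothing is flagged, 1 when at least one rule matched.
audit_openvpn_log() {
  local log id re why found
  log=$(cat)
  found=0
  while IFS=';' read -r id re why; do
    if printf '%s\n' "$log" | grep -Eq -- "$re"; then
      printf '%s\t%s\n' "$id" "$why"
      found=1
    fi
  done <<EOF
$RULES
EOF
  return "$found"
}

# sample_log: excerpt of the session output shown in step 2 above.
sample_log() {
  cat <<'EOF'
Fri May  8 13:09:25 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri May  8 13:09:27 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May  8 13:09:37 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May  8 13:09:37 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May  8 13:09:37 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri May  8 13:09:41 2015 Initialization Sequence Completed
EOF
}

# Demo run on the excerpt; "|| true" because findings give exit status 1.
sample_log | audit_openvpn_log || true
```

To check a real session, save the client output to a file and run `audit_openvpn_log < file`; a non-zero status means at least one rule matched.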

Stopping OpenVPN on the Kali Linux Course VM

  1. Bring the original Terminal window where you started OpenVPN back up.
  2. Within that window, hit Ctrl-C (press and hold Ctrl and then hit the c key). You should see output similar to:
     
    Fri May  8 13:09:41 2015 Initialization Sequence Completed
    ^CFri May  8 13:13:32 2015 event_wait : Interrupted system call (code=4)
    Fri May  8 13:13:32 2015 TCP/UDP: Closing socket
    Fri May  8 13:13:32 2015 Closing TUN/TAP interface
    Fri May  8 13:13:32 2015 /sbin/ifconfig tap0 0.0.0.0
    Fri May  8 13:13:32 2015 SIGINT[hard,] received, process exiting
    root@kali:~/Desktop# 
    
    If so, then the VPN is disconnected.