NachoVPN: Popping SSL-VPNs with a Rogue Server
NachoVPN
NachoVPN is a Proof of Concept that demonstrates exploitation of SSL-VPN clients, using a rogue VPN server.
It uses a plugin-based architecture so that support for additional SSL-VPN products can be contributed by the community. It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure.
For further details, see our blog post and our HackFest Hollywood 2024 presentation [slides | video].
NachoVPN supports the following plugins and capabilities:
Plugin | Product | CVE | Windows RCE | macOS RCE | Privileged | URI Handler | Packet Capture | Demo |
---|---|---|---|---|---|---|---|---|
Cisco | Cisco AnyConnect | N/A | ✅ | ✅ | ❌ | ❌ | ✅ | Windows / macOS |
SonicWall | SonicWall NetExtender | CVE-2024-29014 | ✅ | ❌ | ✅ | ✅ | ❌ | Windows |
PaloAlto | Palo Alto GlobalProtect | CVE-2024-5921 (partial fix) | ✅ | ✅ | ✅ | ❌ | ✅ | Windows / macOS / iOS |
PulseSecure | Ivanti Connect Secure | N/A | ✅ | ✅ | ❌ | ✅ (Windows only) | ✅ | Windows |
URI handlers
- The Ivanti Connect Secure (Pulse Secure) URI handler can be triggered by visiting the `/pulse` URL on the NachoVPN server.
- The SonicWall NetExtender URI handler can be triggered by visiting the `/sonicwall` URL on the NachoVPN server. This requires that the SonicWall Connect Agent is installed on the client machine.
Operating Notes
- It is recommended to use a TLS certificate signed by a trusted Certificate Authority. The docker container automates this for you using certbot. If you do not supply a trusted certificate, NachoVPN generates a self-signed certificate instead, which in most cases will either cause the client to prompt with a certificate warning, or cause it to refuse to connect unless you modify the client settings to accept self-signed certificates. For the Palo Alto GlobalProtect plugin, a self-signed certificate will also cause the MSI installer to fail.
- To simulate a valid code-signing certificate for the SonicWall plugin, NachoVPN signs the `NACAgent.exe` payload with a self-signed certificate. For testing purposes, you can download and install this CA certificate from `/sonicwall/ca.crt` before triggering the exploit. For production use-cases, you will need to obtain a valid code-signing certificate from a public CA, sign your own `NACAgent.exe` payload, and place it in the `payloads` directory (or volume mount it into `/app/payloads` if using docker).
- For convenience, a default `NACAgent.exe` payload is generated for the SonicWall plugin and written to the `payloads` directory. It simply spawns a new `cmd.exe` process on the current user's desktop, running as `SYSTEM`.
- The Palo Alto GlobalProtect plugin requires that the MSI installers and the `msi_version.txt` file are present in the `downloads` directory. Either add these manually, or run the `msi_downloader.py` script to download them.
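The SonicWall note above hinges on a trust-chain detail: the client only accepts the `NACAgent.exe` payload if its Authenticode signer chains to a CA the client trusts, which is why the test flow has you install `/sonicwall/ca.crt` first. The following script is an added example (it is not NachoVPN's code) that reproduces that setup with plain `openssl`: it builds a throwaway CA, issues a leaf certificate with the `codeSigning` EKU, and then checks that the leaf verifies against the CA that issued it but not against an unrelated CA, which is exactly the difference between a test machine that has imported `ca.crt` and a victim that has not. The directory layout, subject names, key sizes and the `NACHO_PKI_DIR` environment variable are assumptions for this example; `osslsigncode` is assumed to be the tool you would use to apply the resulting certificate to a payload and is only invoked if it is installed.

```shell
#!/bin/sh
# Added example, not part of NachoVPN. Builds a self-signed test CA plus a
# code-signing leaf certificate and verifies the chain, mirroring the
# self-signed code-signing setup the SonicWall plugin uses for testing.
# Directory, subject names and key sizes are assumptions for illustration.
set -e

# Create a test CA and a code-signing leaf under $1.
make_test_signing_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA. This is the cert a tester would import before the
    # exploit (the README serves NachoVPN's equivalent at /sonicwall/ca.crt).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=NachoVPN Test CA" >/dev/null 2>&1
    # Key and CSR for the payload signer.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/signer.key" -out "$dir/signer.csr" \
        -subj "/CN=NACAgent Test Signer" >/dev/null 2>&1
    # Issue the leaf with the codeSigning EKU; Authenticode requires it, and
    # a leaf without it would not be usable for signing an executable.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' \
        > "$dir/signer.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/signer.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/signer.ext" -out "$dir/signer.crt" >/dev/null 2>&1
}

# Return 0 only if $2 chains to the CA in $1 AND carries the Code Signing EKU.
# Verifying against a CA that did not issue the leaf must fail: that is what
# a client without the attacker's CA installed sees.
verify_signer_chain() {
    ca="$1"
    cert="$2"
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'Code Signing'
}

# Sign a PE payload with the test leaf. osslsigncode is an assumed external
# tool here; the function reports and returns 2 if it is not installed.
sign_payload() {
    dir="$1"
    in_exe="$2"
    out_exe="$3"
    command -v osslsigncode >/dev/null 2>&1 || {
        echo "osslsigncode not installed; skipping signing" >&2
        return 2
    }
    osslsigncode sign -certs "$dir/signer.crt" -key "$dir/signer.key" \
        -n "NACAgent test build" -h sha256 -in "$in_exe" -out "$out_exe"
}

# Stand-alone usage: NACHO_PKI_DIR=/tmp/nachopki sh this_script.sh
if [ -n "${NACHO_PKI_DIR:-}" ]; then
    make_test_signing_pki "$NACHO_PKI_DIR"
    if verify_signer_chain "$NACHO_PKI_DIR/ca.crt" "$NACHO_PKI_DIR/signer.crt"; then
        echo "signer.crt chains to ca.crt and is valid for code signing"
    else
        echo "signer.crt does NOT verify against ca.crt" >&2
        exit 1
    fi
fi
```

The negative check matters as much as the positive one: if you swap in a certificate from a public CA for a real engagement, run `verify_signer_chain` against the system trust store (for example `/etc/ssl/certs/ca-certificates.crt`) rather than your own `ca.crt`, because that is the store the victim's client will consult.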