October 10, 2011 at 4:06 pm #6895
Interesting dilemma, I don’t know if this is possible.
(Windows XP box)
IPSec VPN tunnel is up between remote VPN router and corp HQ. Windows machine is directly connected to the internal side of the router, but no default gateway is set.
I can SSH into the router and ping the Windows box, but cannot ping the Windows box directly.
Is there a way to set the gateway FROM the router since that’s the only way I can communicate to it? The alternative is flying to the remote site and setting the gateway. Ouch.
Any help would be appreciated. I have tried a few things without success (for example, enable NAT on the router to do translation; does NOT work because the order NAT is applied versus the VPN tunnel).
Hacks are welcome as long as the remote site is recoverable afterward! 🙂
October 10, 2011 at 7:39 pm #42595
So you’re trying to remotely set the gateway of the Windows box but since it doesn’t have a gateway, you can only get to it from the router which is on the same local network, right? Just want to be sure.
Are there any other Windows boxes on that network that DO have a gateway set? What type of router are you dealing with? You can PM me if you don’t want to broadcast it 🙂
October 10, 2011 at 10:37 pm #42596
No worries, consider this to be a generic remote office setup. Windows XP box sitting behind a Cisco router, running the most up-to-date Cisco IOS 15.X. Users use the system locally as a standalone box. VPN is for remote training, troubleshooting, administration, updates, etc. In this case the installer forgot to set that one little setting… default gw.
You are correct in your understanding, so you know what my problem is. No gateway = no routing. One way traffic is fine, but the responses never come back. I can get to the server from the router itself, as you say.
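The host-side route lookup behind "no gateway = no routing", as an added example that is not part of the original thread: it models a host routing table with only the connected subnet and shows why a ping sourced from the router is answered while one arriving over the VPN is not. All addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
LAN = ipaddress.ip_network("192.168.50.0/24")
ROUTER_LAN = ipaddress.ip_address("192.168.50.1")
HQ_ADMIN = ipaddress.ip_address("10.1.1.25")


def build_table(connected, default_gw=None):
    """Host routing table: the connected subnet, plus 0.0.0.0/0 if a gateway is set."""
    table = [(connected, None)]  # None means deliver on-link via ARP
    if default_gw is not None:
        table.append((ipaddress.ip_network("0.0.0.0/0"), default_gw))
    return table


def reply_route(table, requester):
    """Longest-prefix match for the reply's destination (the requester's address)."""
    matches = [(net, gw) for net, gw in table if requester in net]
    if not matches:
        return "drop: no route to " + str(requester)
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    if gw is None:
        return "on-link: ARP for " + str(requester)
    return "via gateway " + str(gw)


def simulate():
    """Return the reply decision for each scenario described in the thread."""
    no_gw = build_table(LAN)
    with_gw = build_table(LAN, ROUTER_LAN)
    return {
        "ping from router, no gateway": reply_route(no_gw, ROUTER_LAN),
        "ping from HQ over VPN, no gateway": reply_route(no_gw, HQ_ADMIN),
        "ping from HQ over VPN, gateway set": reply_route(with_gw, HQ_ADMIN),
    }


if __name__ == "__main__":
    for scenario, decision in simulate().items():
        print(f"{scenario:38} -> {decision}")
```

The request reaches the host in all three cases; only the reply's route lookup differs.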
October 10, 2011 at 10:51 pm #42597
All the boxes on the remote LAN have no default gateway?
October 10, 2011 at 11:01 pm #42598
There is only one box, so, correct.
October 10, 2011 at 11:11 pm #42599
Is the remote box running ssh or telnet? Otherwise you’re looking at using port forwarding on the Cisco with an ACL. This assumes you’ve got services even running on that box. If you have SMB running for example, you could use psexec or if the box isn’t patched you could use an exploit to get a shell on it.
If you use port forwarding, and you’re opening up 445 to it, make sure your ACL is tight, you don’t want that thing on the Internet.
Ugh, just realized that PAT won’t work if that box has no default gateway. Hmmm. Let me think.
October 11, 2011 at 12:14 am #42600
No ssh or telnet, but Windows file sharing is on. I was thinking port forwarding, but I think the problem with the gateway still persists since the source addr is not changed, or am I wrong?
October 11, 2011 at 12:19 am #42601
Other things I’ve thought of:
There is somewhat of a port of netcat for IOS called IOScat, though it has limited functionality and even still it would be the same as port forwarding.
No return traffic rules out TCP, but UDP should work? Maybe there’s an exploit that can use entirely UDP, sort of like blind SQL injection but with packets, lol.
If there was a way of embedding shell + netsh command into a payload, capturing the packets and then replaying them from the router, not sure how to do that though.
October 11, 2011 at 1:39 pm #42602
Yeah, but you’d still need a bind shell listening on that problem XP box. Is there any human being sitting at this PC? If so, I’d just send a bind shell on a USB drive, or better yet, a netsh command in a batch file and have them open it or set up an autorun script (assuming they don’t have that patched).
If you can get a bind shell on that box you could use that IOScat to interface with the PC.
October 11, 2011 at 2:10 pm #42603
October 11, 2011 at 2:54 pm #42604
He has no way to get a remote command shell on the box though, that’s the problem.
October 11, 2011 at 3:00 pm #42605
Yeah, thanks for the suggestions but you are right. If only there were a way to invoke WSH or WMI from the router… ugh.
October 11, 2011 at 3:09 pm #42606
As you can probably tell, it really irks me that such a simple thing is getting in my way. I keep telling myself there MUST BE A WAY. It’s just networking. I have Cisco IOS, I have admin credentials for the box at the other end, just no way to get a TCP connection because return traffic is being dropped.
October 11, 2011 at 3:10 pm #42607
No human at the other end? I would just have someone go over and do it!
October 11, 2011 at 4:30 pm #42608
October 11, 2011 at 5:51 pm #42609
In my case there are humans, but they don’t have access to the configuration settings, nor would they have the expertise. I will continue to think about it, otherwise we’ll just have to wait for someone to be in the area.
Thanks cd1zz and l33t5h@rk!!
October 11, 2011 at 6:00 pm #42610
Then just send them a batch file with the netsh commands on it… change the pw after they’re done if you have to give him admin creds.
October 11, 2011 at 6:11 pm #42611
What cd1zz said. Find the best user there, whether it be most technical or just whoever you have the best relationship with, walk over using the sneaker net and run the netsh commands.