VPN client from EC2, Lambda, etc.

[andresriancho]

The initial implementation of vpc-vpn-pivot is starting a VPN server in AWS Client VPN. In order to do that, the compromised AWS credentials require rather uncommon privileges (unless you have *:*).

A great improvement for this tool would be to:

• Start https://ngrok.com/ on the attacker workstation (this allows the attacker server to be behind a NAT and doesn't require port forwarding at the edge router)
• Start VPN server in attacker workstation
• Run VPN client in EC2, Lambda, Fargate, LightSail, etc.
• Pivot into the target VPC

If the attacker has privileges to create the AWS Client VPN, then the initial method should be used, else:

• Try to start an EC2 instance in the target VPC with a specific user-data to connect to the VPN
• Try to run a lambda function that connects to the VPN. This implementation will have the challenge of handling lambda function timeouts.
• Use Fargate

[andresriancho]

There are multiple VPN client-servers, I need to choose one that is easy to install in Lambda and does real VPN networking, not just port forwarding.

https://github.com/0x36/VPNPivot https://blog.rapid7.com/2011/12/29/jumping-into-another-network-with-vpn-pivoting/ https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html https://artkond.com/2017/03/23/pivoting-guide/ https://medium.com/@6c2e6e2e/network-pivoting-like-a-pro-2fa04a569d8c