Cross-Platform VPN Persistence (and phishing!) with Viscosity

Taking advantage of built-in functionality for malicious purposes.

Viscosity is a popular cross-platform OpenVPN client that markets itself as an easy-to-use solution for users of all skill levels. It allows users to import 'configuration bundles' to easily add new connection settings. When combined with Viscosity's ability to run scripts on several VPN events, an attacker could create a configuration bundle containing malicious code that uses VPN connection events to achieve persistence.

Both the Windows and OSX versions of Viscosity include scripting support, which can execute commands on three different triggers. The triggers are:

  • Before Connect
  • On Connect
  • On Disconnect

The scripts can be selected by editing the properties of the configuration you want to execute the script on and clicking the "Advanced" tab. As you can see in the screenshot below, it asks to select a script file and associates it with the specific trigger.

Viscosity-1

As you can see in the screenshot, the Windows version of Viscosity supports executing VBS and batch files. Meanwhile, the OSX version of Viscosity supports executing commands via AppleScript.

Viscosity-2-1

The best part is, you don't need GUI access in order to take advantage of this. Viscosity relies on configuration files that can be modified from the command line or terminal.

The configuration files for each version can be found at the following locations:

Windows
%APPDATA%\Roaming\Viscosity\OpenVPN\

OSX
/Users/%username%/Library/Application Support/Viscosity/OpenVPN/

Inside the folder you'll see something similar to the following, depending on how many connections you've had and whether you've deleted any.
Viscosity-3-1

Every time a new connection is added, a new folder is created with the number incremented. For example, the first connection that the user adds will be in directory 1, the second in directory 2, and the third in directory 3. If the user deletes the second VPN connection, the OpenVPN folder will contain the directories 1 and 3, while further connections added will start at 4.

That's a little annoying, but if you're not sure which connection you're looking at, you can identify it by going into the directory and looking at the config.conf file. There will be a "#viscosity name" line that contains the name the user gave the connection. Alternatively, you can use either of the following commands from inside the connection folder, depending on which OS you are on.
grep "#viscosity name" config.conf
gc .\config.conf | Select-String "viscosity name"

The config.conf file can be modified directly to force Viscosity to load our code and maintain access to victim machines. The first step is to create the file we want executed and drop it in the same directory. When attacking an OSX machine, Viscosity isn't worried about the extension, so it will accept whatever extension you want to give the AppleScript (useful in bypassing security products). Meanwhile, on Windows you seem to be limited to .bat and .vbs in order for your code to be executed.

This example demonstrates creating and executing a payload on OSX; however, the process on Windows is basically the same, only substituting a batch or VBS file for the AppleScript. First we launch Empire and create a listener, then we generate a launcher using AppleScript.

Empire-1

Next we take the output from Empire and drop it into the directory of the VPN connection we want to take advantage of. Mine will be placed in the "3" directory. Once the file has been populated with our payload, we'll run one or more of the following commands.

echo "#viscosity connectedscript payload.ext" >> config.conf
echo "#viscosity preconnectscript payload.ext" >> config.conf
echo "#viscosity disconnectedscript payload.ext" >> config.conf

Optional sed command to ensure that the VPN connection starts:
sed -i '' 's/startonopen false/startonopen true/g' config.conf

The following screenshot should give you an idea of what the config file will look like when you're finished modifying it.

Viscosity-4

Now we just need to wait for the trigger we chose to fire. In this example I chose the disconnectedscript trigger so that my code executes after the VPN connection closes. Finally, we'll see that the payload executed and an agent checked in from the Empire control panel.

Empire-2
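For defenders, the same directives make this technique straightforward to audit. The following added example (not from the original post) walks the numbered connection folders and reports any config.conf that carries a script directive, whether the referenced file exists beside it, and whether the "startonopen true" substring is present; the function names and the sample folder contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SCRIPT_RE = re.compile(
    r"^#viscosity\s+(preconnectscript|connectedscript|disconnectedscript)\s+(\S.*)$")
NAME_RE = re.compile(r"^#viscosity\s+name\s+(\S.*)$")


def audit_connection(conn_dir):
    """Return findings for one numbered connection folder, or None if it has no hooks."""
    conn_dir = Path(conn_dir)
    name, scripts, autostart = None, [], False
    for raw in (conn_dir / "config.conf").read_text(errors="replace").splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            name = m.group(1)
        elif m := SCRIPT_RE.match(line):
            scripts.append({"trigger": m.group(1), "file": m.group(2),
                            "present": (conn_dir / m.group(2)).is_file()})
        elif "startonopen true" in line:  # same substring the sed command above sets
            autostart = True
    hit = {"dir": conn_dir.name, "name": name, "scripts": scripts, "autostart": autostart}
    return hit if scripts else None


def audit_root(openvpn_root):
    """Audit every numbered folder under Viscosity's OpenVPN directory."""
    hits = (audit_connection(c.parent) for c in sorted(Path(openvpn_root).glob("*/config.conf")))
    return [h for h in hits if h is not None]


def build_sample_root():
    """Constructed sample data: folder 1 is clean, folder 3 has a disconnect hook."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "1": "#viscosity name Office\n#viscosity startonopen false\n",
        "3": "#viscosity name Lab\n#viscosity startonopen true\n"
             "#viscosity disconnectedscript payload.ext\n",
    }
    for num, body in samples.items():
        (root / num).mkdir()
        (root / num / "config.conf").write_text(body)
    (root / "3" / "payload.ext").write_text("-- constructed placeholder file\n")
    return root


if __name__ == "__main__":
    print(audit_root(build_sample_root()))
```

Pointing audit_root at the OpenVPN directory listed earlier for each OS gives one finding per hooked connection; a script directive on a connection whose owner never configured one is the item to investigate.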

Phishing

With a little bit of creativity this same idea can be used when attempting to phish a target you believe uses Viscosity for VPN connections.

Viscosity allows you to create bundles that can be sent to any user and all it requires is for them to click it for their connection to be added.

From the Viscosity menu, select the VPN connection you want to export. Select "Export Connection". By default Viscosity will not include any script files when exporting, but we can add them manually for our purposes.

Export-1

From here you should receive a .visc file, which on OSX will look like one file and on Windows will be a folder. Drop your vbs/bat/applescript payload in the folder and modify the config.conf file as previously outlined.

Now, using a tool such as 7zip, right-click the .visc file, select "Add to archive", and select tar as the compression type.

Zip-11

Next, reselect the visc.tar file and "Add to archive" again, this time selecting the gzip compression format.
Zip-2

Finally, rename the file extension from ".visc.tar.gz" to ".visz" and you should have a fully functional Viscosity VPN payload.

Zip-3

Note: Gmail does block the payloads from being sent to or from their addresses, so you'll need to host them online.

e-mail1
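A received bundle can be checked before anyone imports it. This added example (not part of the original post) reads a .visz as the gzip-compressed tar described above, without extracting it, and lists every script directive in its config.conf along with whether the named file ships inside the bundle; the function names and the in-memory sample bundle are constructed for illustration.

```python
import io
import re
import tarfile

SCRIPT_RE = re.compile(
    r"^#viscosity[ \t]+(preconnectscript|connectedscript|disconnectedscript)[ \t]+(\S.*)$",
    re.MULTILINE)


def inspect_visz(fileobj):
    """List script directives in a .visz (gzip-compressed tar) without extracting it."""
    members, configs, hooks = set(), [], []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for info in tar:
            if not info.isfile():
                continue
            members.add(info.name)
            if info.name.rsplit("/", 1)[-1] == "config.conf":
                configs.append((info.name, tar.extractfile(info).read()))
    for path, raw in configs:
        folder = path.rpartition("/")[0]
        for trigger, target in SCRIPT_RE.findall(raw.decode("utf-8", "replace")):
            target = target.strip()
            # A default export carries no script files, so a bundled one stands out.
            bundled = f"{folder}/{target}".lstrip("/") in members
            hooks.append({"config": path, "trigger": trigger,
                          "file": target, "bundled": bundled})
    return hooks


def build_sample_visz(with_hook):
    """Constructed in-memory sample bundle; the script file is an inert placeholder."""
    files = {"Lab.visc/config.conf": b"#viscosity name Lab\nremote vpn.example.com 1194\n"}
    if with_hook:
        files["Lab.visc/config.conf"] += b"#viscosity connectedscript payload.ext\n"
        files["Lab.visc/payload.ext"] = b"-- constructed placeholder\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(inspect_visz(build_sample_visz(with_hook=True)))
```

Since a default export contains no script files, any non-empty result from a bundle received by mail or download is grounds to quarantine it rather than import it.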

Checky

Checky is a former Web Application Tester turned Red Teamer. On a never ending quest to figure out how stuff works. <script>alert(1)</script>
