# Virtual Private Network Lab
网络拓扑
网络拓扑使用之前 VPN 实验的 docker-compose 文件构造,拓扑结构如下:
compose 文件定义了四个容器(client、server/router 以及两台内网主机 192.168.60.5 和 192.168.60.6),实验步骤主要使用其中三个:
- client 10.9.0.5
- server 10.9.0.11
- 内网主机host 192.168.60.5
compose 文件 "docker-compose.yml" 内容如下
version: "3"
services:
  # VPN/TLS client on the "outside" network (10.9.0.0/24).
  VPN_Client:
    image: handsonsecurity/seed-ubuntu:large
    container_name: client-10.9.0.5
    tty: true
    # cap_add: ALL grants the container every Linux capability (used here so
    # the lab can create tun devices and change routes). Acceptable only in an
    # isolated lab; never ship this in a real deployment.
    cap_add:
      - ALL
    # The tun device is needed by vpnclient to create tun0.
    devices:
      - "/dev/net/tun:/dev/net/tun"
    volumes:
      - ./volumes:/volumes
    networks:
      net-10.9.0.0:
        ipv4_address: 10.9.0.5
    command: bash -c "
                      tail -f /dev/null
             "
  # Internal host on the private network (192.168.60.0/24). Its default route
  # is replaced so that all non-local traffic leaves via the router/VPN server.
  # openbsd-inetd provides the telnet service used in the tunnel test.
  Host1:
    image: handsonsecurity/seed-ubuntu:large
    container_name: host-192.168.60.5
    tty: true
    cap_add:
      - ALL
    networks:
      net-192.168.60.0:
        ipv4_address: 192.168.60.5
    command: bash -c "
                      ip route del default &&
                      ip route add default via 192.168.60.11 &&
                      /etc/init.d/openbsd-inetd start &&
                      tail -f /dev/null
             "
  # Second internal host, configured like Host1; the steps in this write-up
  # only exercise 192.168.60.5.
  Host2:
    image: handsonsecurity/seed-ubuntu:large
    container_name: host-192.168.60.6
    tty: true
    cap_add:
      - ALL
    networks:
      net-192.168.60.0:
        ipv4_address: 192.168.60.6
    command: bash -c "
                      ip route del default &&
                      ip route add default via 192.168.60.11 &&
                      /etc/init.d/openbsd-inetd start &&
                      tail -f /dev/null
             "
  # VPN server / router: attached to both networks, with IP forwarding enabled
  # so packets arriving from the tunnel can be relayed into 192.168.60.0/24.
  Router:
    image: handsonsecurity/seed-ubuntu:large
    container_name: server-router
    tty: true
    cap_add:
      - ALL
    devices:
      - "/dev/net/tun:/dev/net/tun"
    sysctls:
      - net.ipv4.ip_forward=1
    volumes:
      - ./volumes:/volumes
    networks:
      net-10.9.0.0:
        ipv4_address: 10.9.0.11
      net-192.168.60.0:
        ipv4_address: 192.168.60.11
    # 10.9.0.1 is presumably the Docker gateway of net-10.9.0.0 — verify on the host.
    command: bash -c "
                      ip route del default &&
                      ip route add default via 10.9.0.1 &&
                      tail -f /dev/null
             "
networks:
  net-192.168.60.0:
    name: net-192.168.60.0
    ipam:
      config:
        - subnet: 192.168.60.0/24
  net-10.9.0.0:
    name: net-10.9.0.0
    ipam:
      config:
        - subnet: 10.9.0.0/24
一. VPN部分
Step 1,2: Run VPN Server and VPN Client
在server上运行vpnserver,在client上运行vpnclient (执行后会阻塞窗口,需要重新打开终端)
vpnserver.c和vpnclient.c需要去官网下载并编译(需要修改IP地址)SEED Project (seedsecuritylabs.org)
分别在server和 client中开启tun0接口
# server end of the tunnel (192.168.53.0/24 is the tunnel's own subnet,
# distinct from both physical networks 10.9.0.0/24 and 192.168.60.0/24)
ifconfig tun0 192.168.53.1/24 up
# client end of the tunnel
ifconfig tun0 192.168.53.5/24 up
-
server:
-
client:
Step 3: Set Up Routing on Client and Server VMs
在client上,将所有进入专用网络(192.168.60.0/24)的数据包指向tun0接口
# on the client: steer all traffic for the private network into the tunnel
route add -net 192.168.60.0/24 tun0
Step 4: Set Up Routing on Host V
在内网主机host 192.168.60.5中添加路由
# on host 192.168.60.5: replies for the tunnel subnet go via the router/VPN
# server. The host's default route in docker-compose.yml already points at
# 192.168.60.11, so this mainly documents the return path explicitly.
ip route add 192.168.53.0/24 via 192.168.60.11
Step 5: Test the VPN Tunnel
在client中ping 192.168.60.5(成功)
telnet连接(成功)
之前挂起的客户端也成功检测到VPN隧道中有数据包传输
在wireshark中可以看到由ping命令产生的ICMP数据包被tun0隧道得到后被放入了UDP包中,IP地址也变成了tun0隧道的两个节点
Step 6: Tunnel-Breaking Test
telnet连接成功后关闭服务器,输入内容,telnet程序不响应
查看wireshark
telnet实际上还在运行并继续发送数据包,但由于VPN服务器进程已停止、其UDP端口不再监听,客户端发往该端口的隧道数据包无法送达目标,因此会收到ICMP错误消息(通常是端口不可达)
二. TLS 部分
从官网下载tlsserver.c,tlsclient.c和相关文件
原来的服务器证书已过期,需要用CA证书cacert.pem和CA私钥cakey.pem重新签发服务器证书(CA私钥的口令是seed)
SEED Project (seedsecuritylabs.org)
# generate the private key and the CSR. -passout puts the key passphrase on
# the command line, where it is visible in `ps` and shell history — fine for
# a lab, not for real keys. The SAN must match the hostname the client
# connects to, because the client enables hostname verification.
openssl req -newkey rsa:2048 -sha256 \
-keyout server.key -out server.csr \
-subj "/CN=www.hyl2022.com/O=hyl57119419 Inc./C=UN" \
-passout pass:seed \
-addext "subjectAltName = DNS:www.hyl2022.com"
# sign the CSR with the lab CA. -days 3650 is a ten-year lifetime and
# policy_anything skips subject-field checks: both are lab conveniences.
openssl ca -config myCA_openssl.cnf -policy policy_anything -md sha256 -days 3650 -in server.csr -out server.crt -batch -cert cacert.pem -keyfile cakey.pem
# convert key and cert to PEM. `openssl rsa` will prompt for the passphrase
# (seed) and writes the key out UNENCRYPTED — keep server_key.pem private.
openssl rsa -in server.key -out server_key.pem
openssl x509 -in server.crt -out server_cert.pem
将生成的server_key.pem和server_cert.pem放在/volumes/cert_server文件夹中
修改相关文件路径
使用make来编译tlsserver.c和tlsclient.c
在client中添加DNS映射
在server端运行tlsserver
在client端运行tlsclient
# hostname must resolve (the DNS mapping added on the client) and must match
# the certificate's SAN/CN, since the client enables hostname verification
./tlsclient www.hyl2022.com 4433
- 实验结果:
server端成功建立连接,收到client的request
client端成功发送request并接收到server发送html信息
将html文件内容复制到本地打开
在wireshark中可以看到TLS客户端对TLS服务器证书进行验证的过程(TLS 1.2 的 Certificate 消息是明文传输的,因此可以直接看到证书)
同时查看application Data的数据包,可以发现传输的数据经过了加密
三. 客户端身份密码认证部分
课件PDF中给出了示例登录代码
在本部分我们先测试该代码程序,然后将登录部分加入我们的TLS程序中
登录代码例子如下:
#include <stdio.h>
#include <string.h>
#include <shadow.h>
#include <crypt.h>
int login(char *user, char *passwd)
{
struct spwd *pw;
char *epasswd;
pw = getspnam(user);
if (pw == NULL) {
return -1;
}
printf("Login name: %s\n", pw->sp_namp);
printf("Passwd : %s\n", pw->sp_pwdp);
epasswd = crypt(passwd, pw->sp_pwdp);
if (strcmp(epasswd, pw->sp_pwdp)) {
return -1;
}
return 1;
}
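/*
 * Usage: a.out <user> <password>. Prints the login() result.
 * Exit status 1 on bad usage, 0 otherwise (the original was `void main`,
 * which is not valid hosted C and left the exit status undefined).
 * NOTE: a password on argv is visible in `ps` and shell history.
 */
int main(int argc, char **argv)
{
    if (argc < 3) {
        printf("Please provide a user name and a password\n");
        return 1;
    }
    int r = login(argv[1], argv[2]);
    printf("Result: %d\n", r);
    return 0;
}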
编译并执行后的结果
# crypt() lives in libcrypt, hence -lcrypt
gcc login.c -lcrypt
# /etc/shadow is readable by root only, so getspnam() needs sudo
sudo ./a.out seed dees
- 将登录部分加入我们的TLS
修改tlsclient.c
在client中,我们首先给client添加了两个参数:用户名和密码,TLS连接建立后再发送用户名和密码。用户名只受TLS保护;密码在发送前额外做了一次与日期有关的变换(每个字节加上其下标和当天UTC日期 tm_mday,与服务器端 `text[i] = mypwd[i] - i - tm_mday` 互逆)。需要说明的是,这一变换只是简单混淆而非加密,不提供任何密码学意义上的安全性(并且客户端与服务器处于UTC跨日两侧时会失败),机密性完全依赖TLS
tlsclient.c:
//tlsclient.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#define CHK_SSL(err) if ((err) < 1) { ERR_print_errors_fp(stderr); exit(2); }
#define CA_DIR "ca_client"
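/*
 * Certificate-verification callback: prints the subject of the certificate
 * being checked and the library's verdict, then returns that verdict.
 *
 * preverify_ok: 1 if OpenSSL's own checks passed, 0 otherwise.
 * Returns preverify_ok. The original fell off the end without returning a
 * value; a callback that returned 1 unconditionally would silently accept
 * bad certificates. Note that setupTLSClient() currently registers no
 * callback (it passes NULL to SSL_CTX_set_verify), so this is unused there.
 */
int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
    char buf[300];
    X509 *cert = X509_STORE_CTX_get_current_cert(x509_ctx);
    /* The current cert can be NULL for some chain-level errors. */
    if (cert != NULL) {
        X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
        printf("subject= %s\n", buf);
    }
    if (preverify_ok == 1) {
        printf("Verification passed.\n");
    } else {
        int err = X509_STORE_CTX_get_error(x509_ctx);
        printf("Verification failed: %s.\n",
               X509_verify_cert_error_string(err));
    }
    return preverify_ok;
}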
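/*
 * Build a TLS 1.2 client SSL object that verifies the server certificate
 * against the CA certificates in CA_DIR and checks that the certificate
 * matches `hostname`.
 *
 * hostname: name the server certificate must carry (SAN/CN).
 * Returns a ready SSL* (caller attaches a socket). Exits with status 1 on
 * any setup failure (the original exited with 0 on error, which callers and
 * scripts would read as success).
 */
SSL* setupTLSClient(const char* hostname)
{
    /* Library init: no-ops since OpenSSL 1.1.0, kept for older builds. */
    SSL_library_init();
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();

    SSL_METHOD *meth = (SSL_METHOD *)TLSv1_2_method();
    SSL_CTX *ctx = SSL_CTX_new(meth);
    if (ctx == NULL) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    /* SSL_VERIFY_PEER: the handshake fails unless the server's chain
     * validates against CA_DIR. No callback is registered, so OpenSSL's
     * default verdict applies. CA_DIR is a CApath: it is expected to hold
     * the CA certs under their hash names (see `openssl rehash`). */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    if (SSL_CTX_load_verify_locations(ctx, NULL, CA_DIR) < 1) {
        printf("Error setting the verify locations. \n");
        exit(1);
    }

    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    /* Hostname check: without this any certificate issued by the CA would
     * be accepted for any host. */
    X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
    if (X509_VERIFY_PARAM_set1_host(vpm, hostname, 0) != 1) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    return ssl;
}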
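/*
 * Resolve `hostname` (IPv4 only) and open a TCP connection to `port`.
 * Returns the connected socket descriptor. Exits with status 1 if the name
 * does not resolve or the socket/connect call fails — the original ignored
 * all three and dereferenced a NULL hostent on a failed lookup.
 * gethostbyname() is obsolete; kept because the rest of the file uses it
 * (getaddrinfo() would be the modern replacement).
 */
int setupTCPClient(const char* hostname, int port)
{
    struct hostent *hp = gethostbyname(hostname);
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_addr_list[0] == NULL) {
        fprintf(stderr, "cannot resolve %s\n", hostname);
        exit(1);
    }

    int sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sockfd < 0) {
        perror("socket");
        exit(1);
    }

    struct sockaddr_in server_addr;
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(port);
    /* h_addr_list[0] is the portable spelling of the h_addr macro. */
    memcpy(&server_addr.sin_addr.s_addr, hp->h_addr_list[0], hp->h_length);

    if (connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("connect");
        close(sockfd);
        exit(1);
    }
    return sockfd;
}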
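/*
 * Usage: tlsclient <hostname> <port> <userID> <password>
 *
 * Connects over TLS, sends the user ID and the obfuscated password as two
 * separate records, prints the server's verdict, then requests "/" and
 * prints whatever comes back until the server closes the connection.
 *
 * All four arguments are required: the original only printed a message when
 * they were missing and then dereferenced argv[3]/argv[4] (NULL). The old
 * "yahoo.com:443" defaults were therefore unreachable and are dropped.
 * Exit status: 1 on usage/argument errors, 2 on TLS errors (via CHK_SSL).
 * NOTE: the password is on argv and so visible in `ps` and shell history.
 */
int main(int argc, char *argv[])
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <hostname> <port> <userID> <password>\n", argv[0]);
        return 1;
    }
    const char *hostname = argv[1];
    const char *Id = argv[3];
    const char *pwd = argv[4];

    errno = 0;
    char *end = NULL;
    long port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        fprintf(stderr, "invalid port: %s\n", argv[2]);
        return 1;
    }

    /* Bound both credentials: the original strcpy()'d them into a 200-byte
     * buffer with no length check. The server reads at most 299 bytes each. */
    enum { CRED_MAX = 200 };
    size_t id_len = strlen(Id);
    size_t pwd_len = strlen(pwd);
    if (id_len == 0 || id_len >= CRED_MAX || pwd_len == 0 || pwd_len >= CRED_MAX) {
        fprintf(stderr, "userID and password must be 1..%d bytes\n", CRED_MAX - 1);
        return 1;
    }

    /*----------------TLS initialization ----------------*/
    SSL *ssl = setupTLSClient(hostname);
    /*----------------Create a TCP connection ---------------*/
    int sockfd = setupTCPClient(hostname, (int)port);
    /*----------------TLS handshake ---------------------*/
    SSL_set_fd(ssl, sockfd);
    int err = SSL_connect(ssl); CHK_SSL(err);
    printf("SSL connection is successful\n");
    printf("SSL connection using %s\n", SSL_get_cipher(ssl));

    /*----------------Send credentials --------------------*/
    /* Framing caveat: the server does one SSL_read() per field, so each
     * field is sent with its own SSL_write(). TLS does not guarantee that
     * record boundaries are preserved; a real protocol would length-prefix. */
    err = SSL_write(ssl, Id, (int)id_len); CHK_SSL(err);

    /* Per-byte shift by index + UTC day-of-month — the inverse of the decode
     * in tlsserver.c (text[i] = mypwd[i] - i - tm_mday). This is obfuscation,
     * not encryption: confidentiality comes from TLS alone, and the check
     * fails if client and server are on different sides of UTC midnight. */
    time_t now = time(NULL);
    struct tm *utc = gmtime(&now);
    if (utc == NULL) {
        perror("gmtime");
        return 1;
    }
    unsigned char encoded[CRED_MAX];
    for (size_t i = 0; i < pwd_len; i++) {
        encoded[i] = (unsigned char)(pwd[i] + (int)i + utc->tm_mday);
    }
    /* Sent with an explicit length: an encoded byte could be 0, which a
     * strlen()-based write would truncate on. */
    err = SSL_write(ssl, encoded, (int)pwd_len); CHK_SSL(err);
    memset(encoded, 0, sizeof(encoded));   /* best effort; may be optimised away */

    char buf[9000];
    int len = SSL_read(ssl, buf, sizeof(buf) - 1);
    if (len <= 0) {
        ERR_print_errors_fp(stderr);
        return 2;
    }
    buf[len] = '\0';
    printf("%s\n", buf);

    /*----------------HTTP request --------------------*/
    char sendBuf[CRED_MAX];
    int n = snprintf(sendBuf, sizeof(sendBuf), "GET / HTTP/1.1\nHost: %s\n\n", hostname);
    if (n < 0 || (size_t)n >= sizeof(sendBuf)) {
        fprintf(stderr, "hostname too long\n");
        return 1;
    }
    /* After a failed login the server has already closed; the write then
     * fails and we simply skip to cleanup instead of reading. */
    if (SSL_write(ssl, sendBuf, n) > 0) {
        /* Read until the server closes (len == 0) or errors (len < 0); the
         * original indexed buf[len] even when len was -1. */
        for (;;) {
            len = SSL_read(ssl, buf, sizeof(buf) - 1);
            if (len <= 0) {
                break;
            }
            buf[len] = '\0';
            printf("%s\n", buf);
        }
    }
    SSL_free(ssl);
    close(sockfd);
    return 0;
}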
在server端我们插入了PDF中给的登录程序代码,同时对接收到的经过混淆的密码做逆变换还原出明文,再交给login()校验
//tlsserver.c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <shadow.h>
#include <crypt.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#define CHK_SSL(err) if ((err) < 1) { ERR_print_errors_fp(stderr); exit(2); }
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
int setupTCPServer(); // Defined in Listing 19.10
void processRequest(SSL* ssl, int sock); // Defined in Listing 19.12
int login(char *user, char *passwd);
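/*
 * Read the username and the obfuscated password from the client, undo the
 * obfuscation and check the pair against /etc/shadow via login().
 * Returns 1 on success, -1 on any read failure or wrong credentials.
 * Runs in the per-connection child; getspnam() inside login() needs root.
 */
static int authenticate_client(SSL *ssl)
{
    char username[300];
    int username_len = SSL_read(ssl, username, sizeof(username) - 1);
    if (username_len <= 0) {   /* the original wrote username[-1] here */
        return -1;
    }
    username[username_len] = '\0';

    char mypwd[300];
    int pwd_len = SSL_read(ssl, mypwd, sizeof(mypwd) - 1);
    if (pwd_len <= 0) {
        return -1;
    }

    /* The client shifts each password byte by its index plus the UTC
     * day-of-month; undo that here. This is obfuscation, not encryption —
     * confidentiality comes from TLS — and it fails when client and server
     * sit on different sides of UTC midnight. */
    time_t now = time(NULL);
    struct tm *utc = gmtime(&now);
    if (utc == NULL) {
        return -1;
    }
    char text[300];
    for (int i = 0; i < pwd_len; i++) {
        text[i] = (char)(mypwd[i] - i - utc->tm_mday);
    }
    text[pwd_len] = '\0';

    int rc = login(username, text);
    /* Best-effort scrub of the plaintext; a plain memset may be optimised
     * away — prefer explicit_bzero() where available. */
    memset(text, 0, sizeof(text));
    memset(mypwd, 0, sizeof(mypwd));
    return rc;
}

/*
 * Per-connection work in the forked child: TLS handshake, password check,
 * then either a failure message or the HTML page. Consumes ssl (freed here
 * or by processRequest()) and closes sock.
 */
static void serve_client(SSL_CTX *ctx, int sock)
{
    /* One SSL object per connection; the original created a single SSL
     * before the accept loop and reused it for every client. */
    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL) {
        ERR_print_errors_fp(stderr);
        close(sock);
        exit(2);
    }
    SSL_set_fd(ssl, sock);
    int err = SSL_accept(ssl);
    CHK_SSL(err);
    printf("SSL connection established!\n");

    const char *word;
    if (authenticate_client(ssl) < 0) {
        word = "!!!login failed!!!\n\n\n";
        printf("%s", word);   /* never printf(word): non-literal format string */
        SSL_write(ssl, word, strlen(word));
        SSL_shutdown(ssl);    /* original closed the socket without close_notify */
        SSL_free(ssl);
    } else {
        word = "!!!login succeed!!!\n\n";
        printf("%s", word);
        SSL_write(ssl, word, strlen(word));
        processRequest(ssl, sock);   /* shuts down and frees ssl */
    }
    close(sock);
}

/*
 * TLS server entry point: loads the certificate/key, listens on 4433 (see
 * setupTCPServer) and forks one child per connection.
 * Must run with enough privilege to read /etc/shadow (root in the lab
 * container), since password checks use getspnam().
 */
int main(){
    // Step 0: OpenSSL library initialization
    // This step is no longer needed as of version 1.1.0.
    SSL_library_init();
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();

    // Step 1: SSL context initialization
    SSL_METHOD *meth = (SSL_METHOD *)TLSv1_2_method();
    SSL_CTX *ctx = SSL_CTX_new(meth);
    if (ctx == NULL) {
        ERR_print_errors_fp(stderr);
        exit(2);
    }
    /* No client certificates: clients are authenticated by password. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

    // Step 2: Set up the server certificate and private key. The original
    // ignored these return values, so a missing or mismatched key only
    // surfaced as a failed handshake later.
    if (SSL_CTX_use_certificate_file(ctx, "./cert_server/server_cert.pem", SSL_FILETYPE_PEM) != 1
        || SSL_CTX_use_PrivateKey_file(ctx, "./cert_server/server_key.pem", SSL_FILETYPE_PEM) != 1
        || SSL_CTX_check_private_key(ctx) != 1) {
        ERR_print_errors_fp(stderr);
        exit(2);
    }

    /* Children are never waited for; ignoring SIGCHLD lets the kernel reap
     * them instead of leaving one zombie per connection. */
    signal(SIGCHLD, SIG_IGN);

    int listen_sock = setupTCPServer();
    while (1) {
        struct sockaddr_in sa_client;
        socklen_t client_len = sizeof(sa_client);   /* was an uninitialised size_t */
        int sock = accept(listen_sock, (struct sockaddr *)&sa_client, &client_len);
        if (sock < 0) {
            perror("accept");
            continue;
        }
        pid_t pid = fork();
        if (pid < 0) {
            perror("fork");
            close(sock);
            continue;
        }
        if (pid == 0) {           // The child process
            close(listen_sock);
            serve_client(ctx, sock);
            return 0;
        }
        close(sock);              // The parent process keeps only the listener
    }
}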
/*
 * Create an IPv4 TCP listening socket bound to all interfaces on port 4433
 * with a backlog of 5. Returns the listening descriptor; on any failure
 * CHK_ERR prints the errno message and exits with status 1.
 */
int setupTCPServer()
{
    int listen_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    CHK_ERR(listen_sock, "socket");

    /* Designated initializer zero-fills the remaining fields (sin_zero). */
    struct sockaddr_in sa_server = {
        .sin_family = AF_INET,
        .sin_addr.s_addr = INADDR_ANY,
        .sin_port = htons(4433),
    };

    int rc = bind(listen_sock, (struct sockaddr *)&sa_server, sizeof sa_server);
    CHK_ERR(rc, "bind");
    rc = listen(listen_sock, 5);
    CHK_ERR(rc, "listen");
    return listen_sock;
}
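/*
 * Read one request record from the authenticated client, echo it to stdout
 * and answer with a fixed HTML page; then shut the TLS session down and free
 * ssl. `sock` is unused (the caller closes it).
 * If the read fails (0 = peer closed, <0 = TLS error) nothing is sent; the
 * original indexed buf[len] with len == -1 in that case.
 */
void processRequest(SSL* ssl, int sock)
{
    (void)sock;
    char buf[1024];
    int len = SSL_read(ssl, buf, sizeof(buf) - 1);
    if (len > 0) {
        buf[len] = '\0';
        printf("Received: %s\n", buf);
        // Construct and send the HTML page (kept verbatim; the markup repeats
        // <body>/</html> and closes <head> twice, which browsers tolerate)
        const char *html =
            "HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<!DOCTYPE html><html>"
            "<head><title>Hello World 571194</title></head>"
            "<style>body {background-color: black}"
            "h1 {font-size:3cm; text-align: center; color: white;"
            "text-shadow: 0 0 3mm yellow}</style></head>"
            "<body><h1>Hello, world!</h1></body></html>"
            "<body><h1>57119419 hyl</h1></body></html>"
            "<body><h1>57119429 cdw</h1></body></html>";
        SSL_write(ssl, html, strlen(html));
    } else {
        ERR_print_errors_fp(stderr);
    }
    SSL_shutdown(ssl);
    SSL_free(ssl);
}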
int login(char *user, char *passwd)
{
struct spwd *pw;
char *epasswd;
pw = getspnam(user);
if (pw == NULL) {
return -1;
}
epasswd = crypt(passwd, pw->sp_pwdp);
if (strcmp(epasswd, pw->sp_pwdp)) {
return -1;
}
printf("Login name: %s\n", pw->sp_namp);
printf("Passwd : %s\n", pw->sp_pwdp);
return 1;
}
需要修改 Makefile(为 tlsserver 链接 -lcrypt)才能编译
编译好后测试结果:
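# server side: run tlsserver with enough privilege to read /etc/shadow
# (root inside the lab container), otherwise every login fails
./tlsserver
# client side: the binary is tlsclient (not "tlssever") and it takes four
# arguments — <hostname> <port> <userID> <password>; the port was missing
# in the original commands, so "seed" would have been parsed as the port
./tlsclient www.hyl2022.com 4433 seed dees    # correct password
./tlsclient www.hyl2022.com 4433 seed asffsa  # wrong password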
- 输入正确的用户名和密码
server端:
client端:
- 输入错误的用户名和密码
server端
client端
由于多客户端+进程间通信是选做,所以。。。(懒狗是决不会做的)