Yeah it could be a VPN between the Virtual Network Interface (on my host) and a VPN-Gateway/Router. The reason for this is to keep host and LAN safe, IF an attacker (from the HTB network) managed to hack into my guest system (Kali). It’s like I said, I am a noob, but I think via the VPN-Connection to the HTB-network, skilled people can access my guest.
As a term “can” is too broad to be useful when it comes to working out risks in Information Security. Skilled people can also break into your house and steal your computer. Skilled people can kidnap your family and demand information.
The range of things which can happen is often unbounded.
There isn’t anything people can do over the HTB VPN that they can’t do over any other internet connection to either your VM or your host OS.
In 2017 when this thread started, if you installed a default Kali with root/toor as the username/password, enabled SSH and turned off your firewall, it is possible for an attacker to SSH into your machine if they know your IP address.
Even then, the attack required you to take active measures to expose things.
If you have an even slightly more recent build of Kali, or simply haven’t opened the SSH server, that attack no longer works and they’d need to find something else.
Simply having a machine on the network doesn’t make it vulnerable.
And after this step, they got a network connection to my host/LAN. Or do I overlook an essential aspect?
Sort of, but mostly you may be thinking that possible = likely/probable.
If they are capable of getting a foothold on your Kali machine they still need to compromise your host OS.
The only advantage they get from this attack is that you might have configured your host OS to expose vulnerable services on connections it thinks are “internal.”
If you haven’t done this, the attack is still the same as if they were on the internet.
Hmmm… theoretically I would do a portscan against my victim to find flaws. Or is this step not even possible? Via the VPN-connection to the HTB-network this could be possible…
You are oversimplifying the attacks. Try to think how you would actually do any of this.
So to do a portscan against the host OS, ask yourself how many other things you have had to do first.
You can’t, on your Kali instance connected to the HTB VPN, run a portscan against my Host OS while I am connected to the HTB VPN.
For even this portscan to work you’d need to:
- find my IP
- be able to access it (are you on the same VPN connection as me?)
- find a vulnerability in my Kali machine
- find a way to exploit that vulnerability
- successfully exploit the vulnerability
- get a foothold which allows you to portscan (probably root)
- run the portscan without triggering any host based protection I have on my host OS
At this point, for most builds, it is going to be beyond the effort needed for an insane box here - simply because we don’t tend to build our machines with an attack path in mind.
After that I would try to hide a backdoor on the victim’s guest, which I just can use,
That’s some leap from portscan to backdoor. You need to exploit the host. Chances are you aren’t running Joomla/Wordpress to serve an unpatched system to internal devices.
If you have an old, unpatched, Windows OS as the host, ETERNAL BLUE might work but then you’d be pwnd from the internet every 10 seconds.
Beyond that, what services are you exposing which an attacker can target like this?
if the VPN-connection to HTB is active. But it could be a question of the settings of the backdoor.
Your tunnel only works while the victim is connected. The next time they connect you may not know what their IP address is. If they have AV or HIPS you have to defeat this (and good luck getting this past Windows 10 Defender).
If I could manage to get a permanent connection to the victim,
How? If you can get a permanent connection via an internet attack you wouldn’t need to do this at all.
The problem with “if” statements in this is that every one makes the attack harder and less likely.
The attack path is now looking like
if a and if b and if c and if d and if e and if f - each step is a new hurdle. In mathematical terms, assuming each “if” has a massive 10% chance of being successful you’d be looking at 0.0001% chance of success.
Instead, the attacker could just attack your host over the internet.
I can access his host/LAN (if he is using a VM) via the standard network connection between guest and host/LAN.
So my point here is you need to determine what (if any) advantage this gives an attacker.
If there is one, you need to disconnect or harden everything on your network because an attacker will pop an IOT device a lot faster than they will get into Kali via a HTB VPN.
I think I am missing some basic steps… I can use nmap for example to scan my host/LAN from the guest. So… an attacker could do this step too (after he establishes a foothold on my guest). That’s the reason why I am asking.
Yes. If an attacker can find a way to compromise your Kali VM, they can use nmap to scan your network.
An nmap scan is not the same as compromising a device (as you will see on most HTB boxes).
They don’t need to compromise your Kali VM to run nmap against your host but I assume you are thinking more about the different firewall postures meaning an “internal” nmap will be different from an external nmap. This is true.
If you are running from a home network, your ISP may be providing a firewall but your host probably has HIPS/Host Based Firewall as well. This can be surprisingly effective. If your home network has any other device on it (printers, Alexa, TV, speakers, IoT devices etc), then these are significantly easier to compromise.
Rather than think “evil will sneak across HTB and attack”, it is orders of magnitude more likely that evil will pwn something else and attack.
The simplest answer is run HIPS on your host and don’t host vulnerable services internally or externally.
Do either of them and you’ve pretty much eliminated the attack vectors.
If you don’t do either of them, internet-based attackers are a million times greater risk than an HTB attacker.
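One concrete way to answer the question the thread keeps circling, namely what the host actually exposes to the guest's virtual network, added here as example code that is not from the thread or any poster: a small Python audit over `ss -tlnH` output (the sample lines below are constructed, not captured from a real host) that flags listeners bound to anything other than loopback. A service bound only to 127.0.0.1 or ::1 cannot be reached from the Kali VM's adapter at all; the rest are the "internal" services the replies warn about, and each one is a candidate for removal or a host firewall rule.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -tlnH` output (not captured from any real host).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=901,fd=3))
LISTEN 0 511 *:80 *:* users:(("nginx",pid=1200,fd=6))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=812,fd=8))
LISTEN 0 4096 192.168.56.1:5432 0.0.0.0:* users:(("postgres",pid=1500,fd=5))
"""


def is_loopback(addr: str) -> bool:
    """True if the bind address is loopback only, i.e. unreachable from the VM."""
    addr = addr.strip("[]")          # ss prints IPv6 as [::1]
    if addr in ("*", ""):             # '*' means every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                  # unparseable: treat as exposed, never hide it


def split_local(field: str):
    """Split ss's 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    return addr, port


def exposed_listeners(ss_output: str):
    """Return [(address, port, process)] for TCP listeners reachable off-loopback."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split(None, 5)   # State Recv-Q Send-Q Local Peer Process
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = split_local(parts[3])
        if is_loopback(addr):
            continue
        proc = parts[5] if len(parts) > 5 else ""
        name = proc.split('"')[1] if '"' in proc else "?"
        exposed.append((addr, port, name))
    return exposed


def audit_live_host():
    """Run ss on the current Linux host and return its exposed listeners."""
    out = subprocess.run(["ss", "-tlnH"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for addr, port, name in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {name} on {addr}:{port}")
```

On a real host, call `audit_live_host()` instead of the sample; anything it lists is reachable from the guest unless a host firewall rule on the virtual adapter says otherwise.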