VPN Hack - NordVPN

EDB-ID:

47533

CVE:

N/A

Author:

anonymous

Type:

papers

Platform:

eZine

Published:

2018-03-05

#   _     _
#  (c).-.(c)
#   / ._. \
# __\( Y )/__
#(_.-/'-'\-._)
#   ||   ||
# _.' `-' '._
#(.-./`-'\.-.)
# `-'     `-'
root@vm-fi6:~# lxc-ls
fi30.nordvpn.com
fi31.nordvpn.com
fi32.nordvpn.com
fi33.nordvpn.com
root@vm-fi6:~# lxc-console --name fi30.nordvpn.com
root@fi30:~# cat /etc/openvpn/server.cfg
# This file is managed by puppet

dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/fi30.nordvpn.com.crt
key /etc/openvpn/keys/fi30.nordvpn.com.key
dh /etc/openvpn/keys/dh2048.pem
username-as-common-name
client-cert-not-required
push "redirect-gateway def1"
push "sndbuf 524288"
push "rcvbuf 524288"
sndbuf 524288
rcvbuf 524288
topology subnet

push "dhcp-option DNS 78.46.223.24"
push "dhcp-option DNS 162.242.211.137"
keepalive 60 180
comp-lzo
persist-key
persist-tun
fast-io
cipher AES-256-CBC
auth SHA512
status-version 2
tls-auth /etc/openvpn/keys/static.key 0

config /etc/openvpn/server-local.cfg
root@fi30:~# cat /etc/openvpn/server-local.cfg
# This file is managed by puppet

local 185.212.149.9
root@fi30:~# cat /etc/openvpn/keys/fi30.nordvpn.com.key
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCzaJjab0JyVyqz
b8YbC77ucC3nqC4GVilEiTik0xXog9MwM4TQnf0SW0++npFZcOCTaytUUGtDxknL
ZpPbLvZyv7GRLqgBJSO7ysNyYmCyHy1mR8qh6VNxP+i7CuTT35UXRf/9E2xxAU5z
0Y8Gy0jlmvnfwmj/A9heDjXAtW7wO4FtCX/XANDZxNUlMFPCcHNfp58oaeRxrWa8
pTnaFZh8Wog7U6QmyS7krzCqZ9qzKOVsSXFlUt0MjXnREDb7NY7htwQKAm4M+QOj
HpyVjrHplhyWJH3QiAS3TowU3do9+uQE9HpWunLqA7K+6Ftv4G9UAEFThFSjfRvT
gJLWFfKZAgMBAAECggEAKkfrRgdUfIfoa1NbN8KD48OSPfcXqayimyFPtSB+GEcA
/WoW0ed53dqhJ4ZNMOv2MSfflUZCkT1o5MOu8sfVkuN0YIfDVkm/ayF1AD8JFNFe
LK2cpp3LaXQrT/FYTkpx44M+uhDazKMHLypi77H24w2r97zka70nP7tPlbPsijbG
vCCnTWU6pfkJUDPvhb81X2G6ypRwUvS9wrDTMzip5bOQcht357LmbCw56h6lICd0
TA/hynUNWEQLIeNws6AsjFQlk2Sx4KbEUMz9bo+uWHoEJrydcMe6P/kQ/m13o7OV
gyLeJHNR5hCNfHNE7SNq8u01Cwdye7YMefxjcKUL9QKBgQDhcOfE553VM0ZHUQmm
tOr1ZeFDt/9P7DMpi2paeTnVLYpWYqqo29uMFUlY63JTeOTjjyWoZdbY0irKkiPY
ZDSVx+IGdVkjNLqxrYOmy++Ot2zlor65gT8sscwekY4CDEn33t9lpcWD3KyzqQVV
hYRL3ArCiaa1392lSW4eGPXvqwKBgQDLuk5kfvdxrVySFaJyFZ1O7RwhMIycMGWw
2FhtcQE0KR07jFE70PCeEYmkp/5Xj7dpP/CnZRunMAlKDpCRUx1pq2ou5hbqH8lq
6W8qTfACF9m+dHyv4gDPAnzTdQy/fqDXWhJXYi9azKgr3vYk9B3qLgx3+OnxhS0g
P+bGI0SyywKBgEjX6ou9K0qQXsz8alnra2APo1H2ShDRCVcLLTo+oWk4ZdKz3uDg
6XfCCQkqSq6eCZdd0ZUwEtPMVPdPcTWiaztacrYThNHTX9+5aSikDKvYqN8qTuYx
1O/kI0hdT71pqxzkbtqxTbjlvQfwPUD8+1pnpzJkt/FcfInDyEkBV7YxAoGAN9iJ
VrkLQYkhQBZYImfUaGdM97gkQ0htB842Z0G77715evJa7ke3Pc1W6uD2MrB9uYdC
g9COhQUA9uEJNh0PigDoKZT/IQy3nOwCghk9OoWpNbEe4OPWDukCqMCETxX6Jy5U
qsmKa5yAWQ5UcQrODHy1BEoibwdvuFBsBVJzqYMCgYAaUyx07+DT37KU5jEB4Ca2
H3PCFZ6qBR5SG5U5RGtYm81AuosBytl7zkofEUIBQQri5nrShZK9BRQlztc9E2lU
JvI1kNKcAhLfm/k7775x9UjLTZcxFCoxwG8K3+rcwRUk+WVMNRVEYv0blcSXrrCM
vJ6arBwiH9l6XFrEMSWTpQ==
-----END PRIVATE KEY-----
root@fi30:~# cat /etc/openvpn/keys/ca.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDXkEwyH/x0RS+8
YGx+JNU9+rfkc0mUR7iR/KIns4qPLuDouAnugz3ACtk4rb9vMKiqcfj6Kdf5CzzZ
XWyL8svTDEEePve+pCmCQaXl1EqPx505DgINmE3JpgLEz2hkz8yYlPcsyl2jiBB5
YqhxFJAwb92wJdhDKv5YbrUuv+ncSt1n/Q2IT1vmsCjSjqD60TmigEzLhEw/J/GX
95l/UHPy7fZ5bHqHsaHV/jrh0XGxOncTCePErV1srhhJ4ml0vJpC6muowI3ceK4V
8khMI/0VZCByswbkIA7IXhvW7iyRwono5mP7T2N1bR3UJ08d8xCX/E3GBO63Jx7v
xacUNvP/AgMBAAECggEAL5MpPebRUNf0MR8W0sBOT9+FtmW7V358vbuEDj8R1YgD
G1mC16Eff8LlLh0qot+aWgPNb2jMwao5Q7/atQhg87NAq+w5wVl5z8WtV4wC6Lil
enIdAeMbR+XbtpQP9i/md8ZoxvnisLTW7fNYOZzQNeB6jOXNVQWoHNxSIH86neN/
8HUyPu07WaAaASUzLYoIZ1K86LIigSIYgjIYFsviHOMf7F+R0gTs23rQKIq9BBgg
yFhjMN0bjh2p7GqGTH86s+lV+74cy+8HctMDJofySmeTGynoPmqH8zAgAAbJegrn
MOkvW9sx2OLubiOuKP/kXe77NKcQ0bzpmLAdQ2qIAQKBgQD+3n0zVXyzmsPl3nM3
VOLLUyHmuu6ThXMjZJCCDPgUss2/KhGKVuECLn+R1Hum0Bo3uGmjHlZg95TJ9MbN
itpC+BCBXZOzHb+PLaNStSDm4ZFoNCuoZcTQmrNQogrE/UM7IfAY93GE3pGIhMOE
j33PBaMGFZlHgW8M+hommkId1wKBgQDYhSkmTXObtwwygbbOIXMjzuNrzy+TkfqU
69oqi8L5tvigYXzz2A7xxWBvygb37TY/6Xj3/Y5FUhqUYla/MAQyI7M6D+q4lbwt
CLCNfeUyMjuK4tRV2ca9pwLO4qTvfp1Nt/JS2uawW5ZbPPIEGhpmbKAyq0hw9yzT
RsW7mYkGGQKBgQCySceBYnrSVSBWrA8jFMF2BFiBxCBimAbcKlwgbZwZNp9Q68fL
Y00Rrp9UzzQUlBzS/7D+B5nbSTYPNKjhXhGiqU86f9BziwrWyNEoaUZz3DVQlLY5
nb9ZQe7QKBqqhJRESFBh1q7ViLB7tIvlLk+Ow12wQumvqK6bgFVMzboUjwKBgBdE
wDZYjnsGge4PmJiwaZJIkpIsct12C6rjac+2s15otnFt6KK/7mM3JfT9jiAowvK9
YX2tJxP2DdsyckYbn+fPhFxSB5SMqutgCrE5/V6WnWWAmPcc70nEX/3hx33haoBG
q2kSE0aSoSbu9sdQEtQ9Cj5HwAI73fpambdeeaZJAoGBAOlP/D5cCuRB+BtrsxiA
EEaNY7u0xocP1FsALuP5rw3uw0wQOso/WPqvXXf6m/NeRQ7/eYPQwst4qDkukmMp
GV8oWrcINXsjfrquo0w+/dRodidQv67QH/z4XyXQ/Q8A1y716HjyYaje1JIh83Od
pcNR9NnJEdrkhPGJoLgCOl/C
-----END PRIVATE KEY-----
root@fi30:~# grep -A2 -B2 secret /etc/strongswan.d/charon/eap-radius.conf
        localhost {
                address = 185.212.149.9
                secret = nordvpnedef6bb3
                auth_port = 1812
                acct_port = 1813
root@fi30:~# openssl x509 -noout -text -in /etc/squid3/crt/star.nordvpn.com.crt|grep CN=.*nord
        Subject: OU=Domain Control Validated, CN=*.nordvpn.com
root@fi30:~# openssl x509 -noout -modulus -in /etc/squid3/crt/star.nordvpn.com.crt|openssl md5
(stdin)= daf8540081ed5add6b2ac7cba0931a72
root@fi30:~# openssl rsa -noout -modulus -in /etc/squid3/crt/star.nordvpn.com.key|openssl md5
(stdin)= daf8540081ed5add6b2ac7cba0931a72
root@fi30:~# cat /etc/squid3/crt/star.nordvpn.com.key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5JmdFbf5YX8Xn
5g81JZa11shQXv7BafU1CkwZszLxb5trnmqMASjDXJHdwfjUPeS2VVtCr7YmKiu8
R8pZRo/y9XMxyItX0saah4wgkvKr2FuzMr+QuOY1NAglYftrSoas6I3oMDv9n/nm
+cy8+qgCtRjZLxaiOIcV/N0Vdq5l7BCU3IstJPy70TMa1bG4BfvJ+MtIrOnivHhO
cDi+0tEBM0eIVfUi2LomS+9KOclPCLIkIwWtjFgFsxlKup049FRkK7xmmve8BTAc
Oz73x/ehuBKeKdg2/X9BA5Pu82kMRIqGXyARzvr+fp3O88L/UEuc5aubnqMjLgsL
euO0EwsVAgMBAAECggEANZwJCvFuU+hnRV43yQu5N62ZEqxu11H2zgTNRCO+/Gl0
dxTHhQJQ60BCfBNOGSZSsvjEE+sMssBDKaEf1fm4dIDdeey3bBZ7qwLUcBocaeWb
p6dqEF15Sq5mLWzRf590n1w2uqQ8upM3qMlrnsx1GVOWfkxEIXR8qMEuwqg6lwfk
hTcNDu31aWUC+rP0aSeh4+AxdaovJwNL2xJEtHFq8xHE7AHnpxNLT6eAHYns99jL
f8UPxE9SgGwnBqQPuA7zwbw3OVjAlNCOFPWhQuVDEY2ww67Pw8/W7oGrhTR3poxe
MlH5LK5m7GyL0NhA72U/2Edn0G0onAaIhfml7YcpgQKBgQDxZQd18bw0fS1iu7Vh
NYoG0pG6OdKHax2f0ohOCu5F09lWWpr267LGyfJwloBZMVMyAF0abgJranJMADz1
JW13o61xw+YoI5hhhLMWseGFyp1MHGq7VSagsUPNDixQYCX5Asr2mSabP8k/5ZB6
jvDP0++P1EmOIwpnWIGSNTfZowKBgQDEWjLynXkg3ElryeEU+UGHKJaypt8RgbuD
5GdFs5gj8IaD/NsbBLUHLedQApcxED+ZteWnxqyVnygYJ1+RP5QV8X30b4y+k3Hy
x9Uh5flb8oHr1KOnNSnTyo+BtniRndGpRn2O8JGpNEz/1egB99gnot+on8OxJzhM
wg3hJ+hD5wKBgBBptiAm140aFcPoz2RUp5XfK1lmJRJgDhuXzPzBcYH97YEZl//B
9t3dTUaqdP+bgvSbYbkyUafMDQlt2rcwXEkOL/TURQnloa6/vw2D+rmGFTvfksI5
/+5dHycKF6k/YFWWAwbRUvarV5uomDI9FdKLrnYxEO9BIqv0MJsoUyvRAoGAZpHj
yV8/lk3cwMTdonIuq+clCcAoCOInTVe0JvIRSLzt1+bvoiaMVmrBSceAqW2ee7JM
fJ9JKoPQkwWGY769odTcAiN/d1JYlQWUrbeP0ltVSRd0QfWAmxVWb+EdDJxPmMis
8E11GdmrW32nS9fnf5USluiWdmVRgK9iRrrtFwMCgYEAxgnuDFwh+RK9BeuK38H9
r5uTL+scRk5j3v8wSxkuLWUTwUWaynwlo3V9gbnyoami+Hvoi8zEx+tBH1VZmppF
zsIwMhG7arpaY1Bg9b/dyWvNJt2bAKuFiXI8i+fdM4NY2KWysToq3j+ExEzHrc9C
BebFeEbGY8vqS1TaUXfFAfk=
-----END PRIVATE KEY-----
root@fi30:~# cat /etc/radiusclient/servers
# This file is managed by puppet and Ansible

185.212.149.9 nordvpnedef6bb3

51.254.143.6 a60d88bd24b6202c619a602b144b29fd
104.239.249.237 a87740c4cc1800329a84ccf3bf26a6af
104.239.249.236 5e87a87fca15a6e4dd2dae27f1e1fb03
51.254.143.61 ffce7511e51d6b3d8576deb6e3c4911b
104.239.249.235 beb59236494df4e9f7bba7381bd1ce94
51.254.143.60 914dd58f0db154b4d98991bdb52b7d28
104.130.29.20 d3928d016ffe4d0989c6499243b59dd5