For our setup, we used a MikroTik hAP ac2 router (RBD52G-5HacD2HnD-TC), which is meant to be deployed on the client’s premises, and a virtual MikroTik instance (CHR) on our VMware vCenter, deployed in our isolated pentest lab. It should be noted that the same setup can be implemented exclusively on hardware devices. The reasons for selecting this specific MikroTik appliance were:
- first of all, it’s cool;
- it has dual wireless (2.4GHz and 5GHz) radios;
- it comes with five Gigabit Ethernet ports;
- it has a USB port that can be used for a 3G/4G dongle;
- it has IPSec hardware encryption (you never know when you will need it);
- and it’s cheap for what it does.
When running the CHR in a VMware ESXi environment, the vSwitch used by the CHR router and by the customer-facing interfaces of the VMs must be set to Promiscuous Mode, so that it accepts and bridges frames that are not destined for its own MAC addresses. This is configured under the vSwitch properties, in the “Security” tab, where the “Promiscuous Mode”, “MAC Address Changes” and “Forged Transmits” policy exceptions should be set to “Accept”.
We have also created three virtual machines, let’s call them FS01 (file server), NESSUS (our Nessus instance) and KALI (Kali virtual machine). Each of these three virtual machines needs two network interfaces: one is used in the INTERNAL LAB network and the other is used each time we connect to a client’s network. When the “RoadWarrior” router is attached to the client’s network, the VMs get an IP address from the client’s DHCP server, just as if they were physically attached to the client’s network! As explained earlier, with EoIP the networks are truly bridged (same broadcast domain), so all ARP requests and broadcasts reach both sides!
One of the cool things about this setup is that it is plug and play! All the devices in our lab also get an IP from the client’s DHCP server as soon as the client-side MikroTik “RoadWarrior” device is plugged into the client’s network!
We can even create additional EoIP over SSTP tunnels to the CHR MikroTik (the pentest lab “RoadWarrior” device), one for each pentester. When a remote pentester connects his/her “RoadWarrior” device to the network where he/she is located (e.g. at home), the router boots and establishes the tunnel within 10 seconds (you don’t have time for a quick smoke, sorry). Once connected, the EoIP tunnels (client “RoadWarrior”, pentest lab “RoadWarrior”, and remote pentester “RoadWarrior”) are all on the same broadcast domain. In simple words, they are on the same network, just as if they were physically connected to the client’s network! Now each of our team members can have one “RoadWarrior”, connect from anywhere (home quarantine) and perform the internal penetration test with their laptop and our lab resources!
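As an added example (not the post’s own configuration), the following RouterOS CLI sketch shows the two ends of one EoIP over SSTP tunnel as described above: the CHR in the lab terminates SSTP and bridges the EoIP interface to the vSwitch-facing port, and the hAP ac2 on the client site dials in and bridges its LAN-facing port. The tunnel addresses (10.255.0.0/30), interface names, user name, certificate names and the `<CHANGE-ME>` placeholders are assumptions.

```routeros
# ===== CHR side (pentest lab "RoadWarrior" endpoint) =====
# Assumes a server certificate "sstp-server-cert" has already been imported or issued.
/interface sstp-server server set enabled=yes certificate=sstp-server-cert \
    authentication=mschap2 force-aes=yes default-profile=default-encryption
# One PPP secret per tunnel peer; each peer gets its own /30 point-to-point pair.
/ppp secret add name=rw-client service=sstp password=<CHANGE-ME> \
    local-address=10.255.0.1 remote-address=10.255.0.2
# Only allow the SSTP port (443) on the WAN-facing input chain; everything else stays closed.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=443 \
    action=accept comment="SSTP from RoadWarrior"
/ip firewall filter add chain=input in-interface=ether1 action=drop
# EoIP rides inside the PPP link; tunnel-id must match the other end.
/interface eoip add name=eoip-client remote-address=10.255.0.2 tunnel-id=100
# Bridge EoIP with the port attached to the promiscuous vSwitch, so that
# FS01 / NESSUS / KALI end up in the client's broadcast domain.
/interface bridge add name=br-client
/interface bridge port add bridge=br-client interface=eoip-client
/interface bridge port add bridge=br-client interface=ether2

# ===== Client side (hAP ac2 "RoadWarrior" on the client's premises) =====
# The hAP must not hand out leases into the client's LAN: remove its default DHCP server.
/ip dhcp-server remove [find]
# Dial the lab; verify the server certificate against the imported lab CA ("lab-ca").
/interface sstp-client add name=sstp-lab connect-to=<LAB-PUBLIC-IP>:443 \
    user=rw-client password=<CHANGE-ME> profile=default-encryption \
    certificate=lab-ca verify-server-certificate=yes disabled=no
# Mirror tunnel: remote-address is the CHR's PPP address, same tunnel-id.
/interface eoip add name=eoip-lab remote-address=10.255.0.1 tunnel-id=100
# Bridge the tunnel with the LAN-facing port (ether2 here) that is plugged into the client's switch.
/interface bridge add name=br-client
/interface bridge port add bridge=br-client interface=eoip-lab
/interface bridge port add bridge=br-client interface=ether2
```

A second pentester gets a second `/ppp secret` (another /30 pair) and a second EoIP interface with a distinct `tunnel-id` on the CHR, both added as ports of the same `br-client` bridge.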