Over the past year, we had a concept idea in mind, that got shelved due to the hesitation of the clients to have a device exposing their network to external 3rd parties, for an internal penetration testing engagement (which is fully understandable). However, due to the current circumstances (COVID-19 Lockdown), a lot of organizations are forced to adopt the work from home concept, which created the necessity for us to find a better way to perform our internal penetration tests efficiently and securely.
The basic idea was to add a device to the client’s premises, which would connect to our offices giving any member of our team the ability perform an Internal Pentest from the safety of our office or even the comfort of his/her home (provided that he has VPN access to our pentest lab). This way we could all work from home and still perform engagements that require our physical presence at the client’s premises. With the idea in mind we reached out to our head of Networks (menikos) and luckily for us, we had done “similar” implementations for some of our clients before, as a part of our IT managed services! He said: “Sure, no problem. It is just a simple EoIP over SSTP!”. Wait … what??
Technical Jargon
So, why SSTP and not any other VPN tunneling protocol? The answer is simple. Because it can pass through any firewall, compared to other VPN technologies, which might be filtered, may need to be enabled on a firewall to be able to traverse it correctly.
As Wikipedia states, Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers, except from authenticated web proxies. Information on how to configure SSTP on a RouterOS device can be found in Mikrotik’s wiki pages.
Ethernet over IP (EoIP) Tunneling on the other hand, is a MikroTik RouterOS proprietary protocol (Cisco also has a similar protocol - Pseudowire) that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP tunnel may run over IPIP, GRE/PPTP, L2TP tunnels or any other connection capable of transporting IP. When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet protocols) is bridged just as if the hosts were on the same physical switch (or VLAN across multiple switches). In our case, if as if we had a long Ethernet cable connecting the client’s LAN to our pentest LAN. More technical information on the EoIP protocol can be found on Mikrotik’s wiki pages.
Not everything is perfect with SSTP though. The reason is the large overhead on the packet size, compared to other tunneling protocols. SSTP adds 120-bytes overhead, and if you add the rest of the packet headers (120-byte SSTP + 14-byte Ethernet + 20-byte IP), you have a whopping 154-byte overhead! This compared to GRE (42-byte) and L2TP (46-byte), looks huge, but with modern networks and bandwidths available, this doesn’t affect performance anymore.
