Make a DIY Firewall with pfSense

Captions
Hello and welcome to another episode of Hacking with Friends. Today we're going to go into something we've got a lot of requests for. My name is Kody Kinzie, I'm a security researcher with Varonis. This is Michael, my friend and security gremlin, and today, in response to a lot of requests about this cool networking tool, we are going to be covering pfSense. Now, I don't know a lot about this topic, but fortunately for us Michael does, because he set this up for our house and has gone through a lot of trouble understanding how it works and also what it's capable of. Now, initially I didn't really understand what pfSense was for. So Michael, for a beginner who's never heard of this before, what would you describe pfSense as being useful for?

In two words, enterprise... well, three words I guess: enterprise-grade firewall is what it is. So I really see this as useful for two sets of people, and those are the main two sets of people that watch this show. For pen testers, wannabe hackers, ethical hackers of any sort, it's great for setting up a home lab test environment, because legitimately this is one of the two most commonly used firewalls out there. So it is going to create a very, very realistic environment that you can hack at will and not ever have to worry about legal consequences, because it's your network; you have given yourself permission to hack it, right? And then on the flip side of that, it's great for companies of basically any size to really beef up their security. It's very friendly to set up on your home network, but I've heard of companies all the way up to, you know, credit card companies using this firewall at their institution. So this is a corporate-level... when I say enterprise, I mean Fortune 500 companies using this firewall. And to be completely clear, it's free and open source, so if you're in a small or medium-sized business, you're a sys
admin of any sort, you can use this to hopefully lock down your network.

We also, in a previous stream, talked about some of the top mistakes that businesses make, and we threw a lot of shade at businesses that make mistakes when it comes to configuring the router and setting it up. A lot of them are just kind of going with the default stuff that they get from the internet service provider and not really modifying it any further, and this leaves them in a pretty vulnerable configuration. So really, when we're telling people that they need to beef up their security and we don't really have a particular vendor we're recommending, this is a pretty good alternative for setting your stuff up more securely and taking a lot of the recommendations we've previously made for businesses who are making cyber security mistakes that could get them in trouble. So yeah, if you are working at a business that's maybe doing things wrong, this could be a viable suggestion for how to beef things up, and maybe not have all the security cameras on a network that anybody who's accessing the shared internet, like a customer at a coffee shop, can log into without a password. Maybe you don't want that. So yeah, this is a really valuable thing for anyone. If you're concerned about, maybe you're in a shared living situation and you have some IoT devices that you don't want other people messing with; if you are in a public space, or if you're setting up a public space and you want to make sure that things like 3D printers are segmented. I know I've been to a hackerspace before where I was attending a Hackaday meetup; it was super cool. I scanned the network: OctoPrint, what's that? And I log in and I see that, oh, I can control all the 3D printers in this place from the free open Wi-Fi that anybody on the street can access. And those sorts of misconfigurations could be prevented by a VLAN, or just by making sure that these are truly separate networks, and
I think the most important note, at least on the small business or home front, is the fact that anything at all above and beyond your ISP-provided router is going to be much, much more defensive or useful. Most people don't change their default credentials, so just setting up your own firewall, and the inherent level of knowledge you get from just setting that up, is going to set you leagues ahead of everyone else.

Wow. Now this is not a project I have set up before. Typically when I'm looking at router or firewall stuff I'm looking at OpenWrt or stuff like that, so how would this compare to an OpenWrt project?

Yes, so this is BSD-based. I think it's FreeBSD; I forget, there's a difference between FreeBSD and OpenBSD, I forget which one, I think it's FreeBSD it's based on. But yeah, so it's a firewall based on FreeBSD, and since it's open source there's no licensing fees or anything like that. So if you are at a corporation or somewhere where you're like, hey, I want to increase our security, it's a very easy argument to make to your boss, because you can take a spare server. You can even set up pfSense as a virtual machine; I'll touch on that briefly later, but it's very popular to do that, especially just to try it out. But as we've experienced before, setting up network interfaces on a VM can be a nightmare sometimes, and also then you get performance and overhead issues, because you have that extra layer of VM that you're having to go through for all of the network traffic, right? So that's not necessarily something you always want to have in place. But my main point there is you can easily take this and... I'll show you the hardware now, actually. Yeah, let me switch to my screen. So this is the pfSense website. So pfSense is run by Netgate; Netgate is the company that sells the hardware, and that's how they make money, and
they maintain the project, but the project itself is open source, if that makes sense. So they do offer their own hardware which you can buy, and I think this one's in the low hundreds of dollars, and then they go up from there. And you can certainly do that if you want, right? But so this is... we get a lot of people who are like, listen, I don't want to upload all this Matrix code into a Pi, can I just buy one that's pre-configured for a thing? This is effectively that for pfSense. If you don't want to deal with any Matrix code or flipping any switches, then you can just get one and it'll be set up, and you can then go in and start messing with what you want, but you don't need to worry about trying to load it yourself or whatever.

Yeah, and so my order of operations here would be: if you're at home and you just want to try it, or if you're at a business and you have a very small IT budget, you can try it in a VM first, show off like, hey, this is why we should do this, and then once you're ready to actually get some dedicated hardware, sure, this stuff's nice. It's going to be a little more expensive. But for most people who are just running a standard gigabit connection or something like that, what I actually recommend is something that ServeTheHome recommended in their article, and that's this HP t620 Plus. Basically it's an old thin client, and you'll find these all over the place. In fact I've got an example here on eBay, right? So this one's even more expensive, this is $236, and that's purely because they're branding it for pfSense. But really all you need is a computer, so you can get one of these for $144, and then you need a NIC, or network interface card. I recommend some four-port gigabit one like these, so like twenty dollars. So if you want to do a completely DIY build, build a little thin client, you can do that. Obviously you
could do a full custom build, but none of that's necessary, because this is very efficient. Like, all of these pfSense hardware units, it's all ARM processors, I think, through here.

Then could you run it on a Raspberry Pi?

So that is a very good question. Unfortunately, no, you cannot, just because of the way ARM works. I mean, there's probably someone out there who has gotten the source code and modified it and compiled it to run on a Raspberry Pi, but with ARM it's not like x86, like you would have with your Intel or, you know, AMD CPUs. It has to be really custom-configured for that ARM processor and in that setup. So no, it doesn't run on a Raspberry Pi. But yeah, my point there is you don't need a lot of processing power. So this $200 firewall could probably pretty easily handle two gigabit of traffic and still do full deep packet inspection and everything you would possibly want to do. And that's why I really stress that this is great for pen testers and stuff like that, because what it would allow you to do is to see the blue team side of things as well. So you can see, okay, not only was my attack successful, but how loud was my attack?

You know, it's a good point. A lot of the stuff that we teach people about are really basic intro attacks, and some of the more sophisticated stuff really requires a better knowledge of how networking works and how to go kind of low and slow when it comes to not being detected. Now if you're just attacking some coffee shop, odds are any sort of configuration they have is going to be baked into whatever the internet service provider gave them. But if you're really doing pen testing against a business that has defenses, then you're going to need to be aware of what kind of signature you're creating when you're actually doing the attack. If you're firing off a bunch of alarm bells
in the first minute of your attack, you're probably going to get caught, or at the very least you're going to cause your target to harden dramatically. So I would say that's a great way of making sure that something that you're accustomed to doing that's highly successful isn't also incredibly easy to detect, like mass deauthing or some of the other attacks we've shown before.

Right, and I'll touch on that later when we actually dig into the pfSense stuff, but there's ways to detect things like ARP spoofing, because I know that's a very useful attack that we've demonstrated in previous live streams. And you mentioned the coffee shop; oftentimes when you do go to coffee shops and stuff, they'll have the captive portal and all that, and oftentimes what's handling that behind the scenes is pfSense. It's either going to be pfSense or Ubiquiti equipment; those are two very common platforms installed by... like, if I were a coffee shop and I contacted a local IT company and had them come and set it up, odds are they're going to install pfSense or Ubiquiti equipment, or they might install pfSense and then use the Ubiquiti switches and access points and stuff like that.

But yeah, so basically you gather your hardware, and then you go to... where are the downloads here? Download. Just go to pfSense and you're going to select your download architecture: AMD64. A little confusing, it'll work on Intel CPUs as well; basically 64-bit. And then you're going to need a USB stick. I mean, I guess you could go really old school and do a CD image.

You can use an ISO image and a virtual machine too, right?

That is true, because I have not done the virtual machine setup, but yes, that is probably what that is more useful for. And if y'all do have interest, we can show the virtual machine setup, but that's not really what I was going to focus on today. So yeah, you just go and then you select serial or VGA, whatever
console access your system has.

For me, what... oh, for the internet, for it to provide an interface to?

Yeah, well, I mean, it's not really important. That's if I was taking my laptop out to a server rack and plugging in and connecting to it, right? So serial, you know, if you have a serial connection, whatever. Then you're just going to download this. I have Etcher right here, and then you're going to open up a program like Etcher and flash that over. So you'll select the image, you'll select the USB stick (that's the way I installed mine, with a USB stick), and then you just flash it over. Now, where do I have... I have my image right here. So this is our rat's nest of a network at our home, right?

So Michael's really into abstract cabling.

Yeah, yeah. No, it's a dream of mine to get an actual proper rack and purify this; however, we're renting, so I have limited capabilities on what I can do. But generally this is what you're going to do. So as you can see, I'm using one of the thin clients I recommended. So what you're going to do is plug in the USB stick, boot it up, and then you'll just have a standard wizard pop up, and it's just going to ask you a couple questions. Just stick with the defaults going all the way through. I don't know if I mentioned this earlier, I was thinking of it when you were talking, but you were talking about how defaults are normally insecure, and one of the points that the Netgate people make on a lot of their live streams is that if something is insecure by default, then they make the secure version the default, right? So one of the great things, as you're going through this wizard, is if you just stick with the defaults all the way through and then make a good password, you're done, for 99% of people. If I was just a small business and I just wanted to have a good firewall, that's all I would have to do.

When it comes to firewalls, I feel like setting everything to
secure by default may cause issues.

Oh no, yeah, certainly there are... you could target things a little better as a hacker or whatnot, right? But it prevents everything from being open to the internet. I know it's very common for security cameras to get accidentally exposed to the internet, either intentionally or unintentionally, but all of that would be stopped by pfSense. It doesn't allow any ports to be open to the internet by default.

But yeah, so in a setup like this, this is kind of what you might see in your house. So we have Ethernet wiring in the walls right here, and then we have our patch panels, so I have all my patch panels going into my switch. Unfortunately this is not a managed switch; I didn't have a big budget for our setup, and that'll be important to note later if you want to set up VLANs. If you're going to do VLANs, it's important to have a managed switch, because that will allow you to say, okay, I want this particular interface on this switch to be on its own LAN, right? And then I have my pfSense build here. Like I said, plug in the memory stick, boot it up. With the BIOS, usually on those systems you have to press a certain key to get into the BIOS and choose the memory stick as the boot option, because normally when you buy this off eBay it's going to come with Windows 7 or something like that installed on it. So you need to look up, I think it was, changing the boot order.

Yeah, it's like F6 or something like that.

Yeah, so you change your boot order, go through the wizard. I didn't show it here because I have a bunch of stickers and I didn't want to reveal my stuff, but you're going to have your network interface card, and that's got your four ports. It's really easy; by default it should basically be able to detect what is LAN and what is WAN by detecting what has gateway and internet access. So basically, on
the back you're just going to take your modem, your ISP-provided modem, and you're going to have Ethernet out from that, and you're going to plug that into the back of your pfSense build, and that's going to be your WAN, WAN0. Then you'll have one Ethernet coming out from that going to your switch. It is important to have a switch. I don't know if this is fact, but at least in my experience in this setup, I wasn't able to just plug my laptop directly into one of the ports on the NIC on the back of the pfSense build; it had to go through an access point or a switch of some sort.

Interesting. I don't know, that's probably something with the way it was handling packets or whatnot.

But yeah, when I was plugging directly into it, it was not working. That's probably with the way it's detecting the networks and whatnot. I probably could have configured that to work, but by default, if you're just testing it, plug in the switch and then plug your laptop into the switch and it'll work like that. That would have saved me like 30 minutes of time when I was setting that up.

Now, an important use case of a pfSense build like this that I really didn't touch on before is the ability to set up things like load balancing and failover. What I mean is, imagine you're a pen tester, right, and you're hacking into a system, and maybe you're doing it late at night because you're a night owl, right? And oh darn, my ISP is doing its monthly midnight maintenance on the network and my network goes down; I've screwed up my whole pen test now. I've gotten halfway through the engagement or something like that. Or you can just imagine you're in the middle of a meeting with a client, or whatever reason you might not want your internet to go down. What you can do with pfSense is you can install a second WAN, third WAN, infinite WANs, right? I'll touch on how to do that later, but that would allow you to instantly switch over to those secondary WANs
when your primary one failed.

So an actual scenario where we used this was we moved to an area with incredibly slow internet, and our options were satellite internet with incredible latency, which was also capped at a certain amount of data; and then a landline, which was also terrible but at least steady; and then cellular internet, which was intermittent but generally faster than the other ones, right? So what we had configured... basically, we needed to upload videos, and that's actually the origin of why we originally didn't do these videos live: because we were out in the middle of nowhere, and when we had to upload these videos it was like an hour per gigabyte, and these videos would be multiple gigabytes. So we would have to upload them overnight, and if, let's say, the satellite internet cut out, or for some reason the cellular data went down because the tower was performing its nightly maintenance, or the other internet service provider went out for no reason, it would kill the upload, and we would wake up the next morning and we would not be able to potentially do a live stream, because the data hadn't been uploaded so that our editor could stream it. So this was a nightmare for us. So if you're living in a rural area, or if you're going to live in a rural area that has internet problems, the only way you're going to approach a normal-seeming situation is if you have failover, and that's what we had to do. So between those three sources we were able to get decent internet, by rural standards.

I was going to say, you're kind of touching on it there, but that would also incorporate elements of load balancing. And so what load balancing is: normally, let's say I just have one WAN, it's a hundred megabit, right? That's okay-ish, right? But let's say I'm downloading a file and using that full 100 megabit; you can't use the internet now, right? By incorporating load balancing, if I had, say, a 100 megabit connection and a 50 megabit
connection, then say I'm streaming something that's taking up the full 100 megabit; you'd still be able to use that, and all your packets would be going through that 50 megabit connection, right? Or better yet, if I'm doing something like uploading to a certain site, or doing torrenting or something like that, which would allow multiple connections, then I could get an aggregated speed of 150 megabits, even though technically I didn't have any connection faster than 100 megabits, right? So that's a very useful thing, and then obviously incorporated into that is inherent failover. And then also I'll show, when we actually get to pfSense, that you can do it tiered too. So I can be like, okay, I have two gigabit connections and I want to combine those to give myself a two gigabit connection, but then if those go down for some reason, like they're the same ISP and that ISP has a server rack fire or whatever, then I want it to fail over to the LTE network. And I don't want to use that LTE network normally, because that's really expensive data, right? So it's never going to use that unless it has to fail over to it, right?

But yeah, so that's the basic setup. Once you get it all set up, you're going to go to 192.168.1.1; that's going to be your default. Now obviously that's a very popular IP address as far as home networks, so when you do go there, what I might recommend doing, especially if you know you plan on making a VPN connection to another... like maybe your grandma's house or a relative's house, because you want to help provide some IT support for them, or you have an office that you're going into, I might recommend using a different IP set, so like, you know, 192.168.
And so when you go to this the first time, you're going to go through a wizard, and basically just default, default, unless you do want to change something like that; that's where you would do that.

That's awesome. Wait, can we switch to my screen for a second? Because this is what happens when I try to go to pfSense. Yes. So why does it happen?

So it's a self-signed certificate. So generally Chrome and Firefox, unless I think you've pre-loaded in that certificate or whatever, it's going to say that.

So that's a good point. You have to click proceed, the one under that. But an attacker could be intercepting my connection.

Yeah, there's ways to get around all that in the future. By default, the first time you log in, it's admin and pfsense. That has been changed, and when you go through the wizard this first time it'll prompt you to change that. It's very, very important to set up a very secure password here, right, because this is the keys to the city. If someone has admin access to this firewall, they could seriously control everything that's going on on your network, right?

Type it in. Oh... yeah, type it in. No, no, no, no, you're trying to type it into the main thing! Oh yeah, switch over your screen. I don't trust you anymore. Okay, all right, now you type here. Now you type it in: admin, admin, and admin. See? No, we're not... yeah, I can't see because of the glare. Just don't hit tab again and type your password in plain text. There we go, all right, cool.

Okay, but yeah, so where was I? Yeah, I think I've covered... sorry, been a little rambly about the actual setup process.

This is cool. So we just needed to understand what this is for, how you do it: you stick it on a USB stick, you get an old computer, you cram that in there, yeah, and then you plug it in, boom, you got this thing.

Yeah, yeah. After you do the boot order on it, remember, you're going to plug in your interfaces; it should auto
detect them, and then you can set up the interfaces in this. So this is kind of like the landing page. I've modified it slightly; normally it would only be two columns, I've added three. But this will be over here where you can see a lot of system info, such as what CPU you're using. Some important stuff to remember is the memory usage, disk space, and such. It's very minimal for me right now because I don't have a bunch of client inspection, like deep packet inspection; I'm not saving pcap files or anything like that actively right now. So the usage would obviously go up a lot, and that's something you want to look out for: if you know you're going to be doing those things, obviously you need to build a system with enough hardware headroom to allow for those sorts of things.

But yeah, so if you do want to spruce up your pfSense build... oh wait, I'm on yours. Oh whoops. Yeah, I didn't think you could see. Whatever. Yeah, yeah. So the first thing you're going to want to do, obviously the most important thing on here, is... no wait, not Advanced. General Setup. Scroll down to the bottom, click on your theme and switch it to dark.

This is tiny, this is tiny. Enlarge it greatly for our audience. Audience, I'm sorry for your eyes. Control P, Shift B... no, just Command Plus, Plus, Plus. Shift, you're doing Command Equals. Shift Plus Command. Also, you also press Command Shift, Command Plus. Ah, you were doing Command Equals, Equals, Equals. Okay, there, yeah, there you go. Oh, sorry, audience, for your eyeballs. Yes, but now my joke... whatever.

I do like dark theme, it's a little easier on the eyes. But yeah, some of the stuff you're going to want to set up in the General Setup is obviously your hostname and domain. That'll be done during the wizard, but you can always change that. You know, maybe if you're setting up your grandma's firewall or something, you might just change the hostname to firewall or something; just think
about who's going to be using this, what name might be easier for them to understand. DNS... go back up. What, you're in General Setup? Very cool. Yeah, yeah, General Setup.

So the DNS servers are going to be pretty important. I know a lot of people by default will be using their ISP-provided DNS, and that can be a problem sometimes, because a lot of times those ISPs will sell that data; it's telling everyone where you're going or where your users are going. So I like... I mean, obviously I have Google on here, so I don't really care about that too much, because I am giving Google that data, but primarily I'm sending it to Cloudflare, which is 1.1.1.1. They tend to have lower times. I know another popular one is 9.9.9.9; Quad9 is a very popular one. The reason I have so many is actually because I have failover set up, and when you do have multiple WANs you have to provide each one a unique DNS. So I can actually go here... yeah, I think it's under assignments.

Hey, cool. Okay, I'm going to do something right after you're done. Go on, go on.

Yeah, what was I talking about? I was talking about WAN assignments. Yeah, so you can... is it, I think it is, is it Routing? Yeah. So when you're making your gateways and your gateway groups and all that, you have to provide each one a unique DNS, because basically it's pinging that to check the status of that interface, or that WAN connection. So it wouldn't be able to tell whether it's that DNS server being down or if it's that connection itself being down, if that makes sense. So you need to provide it unique ones. It's very common for people to do the same ones but with different server addresses, so like 1.1.1.1 but then also 1.0.0.1, which are both Cloudflare DNS. I decided that's a little risky, because Cloudflare has been getting denial of service attacks and stuff against its DNS, so I went ahead and set it up with the Google and Cloudflare ones. One thing I recently learned I think you can
also do is, if you go into the networking stuff and go into DHCP Server, you can also set up the DNS servers that you want clients to be using.

Yeah, you can force them.

Yeah, which is really cool. I didn't know you could do that.

Yeah, so if you were a hacker, you could also potentially use this to insert DNS settings into clients. So if you had a rogue DNS server and you were a pen tester and you were using this for evil, it's kind of cool that not only can you set it for the router, you can also push that setting to clients as well.

Well, also, I think that's an important point of why this is useful for pen testers, or ethical hackers in general, to learn. There's a lot of focus on getting access to the network, particularly on our channel, but what about once I get access to the network, right? If you can get access to the firewall, and you're familiar with this, you know your way around the network in the sense of knowing your way around pfSense. So if they have a pfSense setup, you're the master of that town, as it were. But yeah, did you say you had something that you wanted to show?

Almost, almost. Okay.

What was I going to say? I was going to say something about DNS before we got sidetracked on that. Yeah, I don't know how forceful the DNS is, because I know you can use DHCP to issue DNS, so by default that's what I have this doing: it's issuing the Google and Cloudflare DNS. But I think on each individual system as well you can say, okay, hey, I don't want to use the DHCP-provided DNS, I want to use Cloudflare, right? Because that's something I don't think I've covered on a live stream before, but setting up the Pi-hole... did we do a Pi-hole live stream?

No, we did not. Okay.

But the Pi-hole, that's a DNS server, right?

We're actually usually not allowed to show the Pi-hole, because every show that we do relies on ads, but not this one. So yeah,
yeah, so if you're not familiar, that's a Raspberry Pi that acts as a DNS server and it blocks ads. It works as a network-wide DNS black hole, basically, so you give it a list of IPs that you don't want it to resolve and it won't resolve those. So it can be a very powerful thing.

You can do the same thing in pfSense, however, because pfSense has Unbound, which it uses as its DNS resolver. So you can just set a blacklist for that resolver and be like, hey, here's a list of known malicious sites. I know the security community dumps on blacklists a lot, but they are useful to some degree, right? So you can use that to block things, because that way if something malicious does get on your network, it can't phone home if it happens to be on your blacklist, for example.

Okay, so one thing that I think is really funny is changing your MAC address to be terrifying. So let's go ahead and switch to my screen for a second. So people often say, hey, you've got a Mac computer, but on the network it says it's a Dell, and also its MAC address is from a Dell. Well, we can kick that up a notch also, because pfSense lets us do some MAC spoofing. So if you wanted to have a really scary computer that no one would ever want to see near them, you could always make it a... well, we can just go to a MAC address vendor lookup. Something scary, and in this case DRS Tactical Systems Inc; they make vertical launch systems. So if you see one close to you, you know that there's a vertical launch system that's training in on you.

Yeah, of course we could also do Lockheed Martin, Ultra Electronics, Practical Communication Systems...

Yeah, I think I would be more afraid of Lockheed Martin.

Yeah, it's also more recognizable. Yeah, let's... all right, let's do Lockheed Martin. So there's lots of different websites you can go to to look up vendors and stuff. You can also... I think the first one here can also generate one for you, which
is cool. So here I just generate MACs, boom, random ones. But now if I go into pfSense, in the Interfaces section, I can pick any of these interfaces and I can basically spoof it. So I can just put this in here, and this is the beginning part of the MAC address of any Lockheed Martin Tactical Networks device. So if I just take one of these randomly generated MACs and take the last part out and drop that in, I now have a valid MAC address for a Lockheed Martin Tactical Networks device, and any nearby person who's scanning this... let's say that we want to scare hackers away from this device connected to a coffee shop. Well, here's a little way. I could press save, and I'm not going to do that because it's going to change our network configuration. I think that would technically be a safe thing to say, but I'm not going to risk it.

Yeah, it's probably fine.

I'm just going to give it... but I often get people who can't believe that a device they're seeing on a scan isn't really what it says it is. I as a hacker love changing my network devices to say that there's stuff that they're not. So just another little layer of deception if you want to throw people off your trail. Security through obscurity is no security at all, but if you want to have fun...

So there's a double-edged sword there. Realistically I would avoid things like that, simply on the IT technical support side: helping people when things are intentionally mislabeled just makes a nightmare of communication. Imagine you're trying to tell some small business, okay, I want you to connect to the vertical launch system, and they're like, wait, why? I don't understand.

No, no, no, Michael, I disagree on that. I think if you want to change the MAC address to spoof it to be whatever you want, it would not cause any technical problems, because it's just a MAC address.

No technical problems, but communication problems.

Okay, okay, but it's not... yeah,
it's yeah you know most of this stuff isn't going to be found by mac address it's like you have an ip address you associate with it so like i don't think it'll cause too many issues and yes this is not really security like like this is not something to do to enhance the security of the device this is something to do to camouflage it on the network or what i would say is if i was someone who was going around just war driving and i'm looking for vulnerable network configurations maybe i have an exploit for a particular type of networking device now i've changed the type of networking device that it says it is it's not going to affect any of my local connections but to an outsider this network now looks very very different from what it might look like if it was something you know where i know how to trick this dev or maybe i know the wi-fi of this configuration is vulnerable it at least will cause um some automatic detection to fail yeah um cool uh yeah i was gonna say one of the things i would definitely uh do first though realistically is user manager um because you were kind of alluding to this by default that the admin is the only user one of the things i would do first even for like a home network is added user and so like i'm just gonna say michael and then i'm gonna set you know password um but the the the reason i suggest that you set up a another user is because a very common attack is say like i'm in a restaurant right and i i have permission to audit their network one of the things i'm first going to do is you know scan for the router and then on the router i can run a simple brute force attack right against the admin user now what the value of sending of another user is is that we can say you know create michael um and then i make michael an admin user then i log in as michael and disable admin so what that means is anyone that's trying to just do a simple like exploratory attack by brute forcing admin with the you know million most common passwords it's 
never it's gonna it's gonna be a waste of their time because admin is not even enabling yeah getting rid of the the default credentials is a really important thing for anything that's gonna be uh connected to other people so if anybody else has the opportunity to knock on the door you wanna make sure you don't have the default keys yeah exactly ah don't say that um but yeah from there what else uh i'm it looks really easy to set up a vpn yeah yeah like that's a whole like just a tab where if you have an open uh oh yeah a commercial vpn that works with an open vpn account yeah uh or openvpn protocol you can just add it absolutely simply here which is really cool so that means you know if also you're worried about stuff that's coming out of your network being intercepted by your internet service provider right michael touched on the fact that it's not illegal for them to capture your traffic and then sell it to whoever wants it that's just data for them to have and eat and they love it so if you want to deny them that which you absolutely should because it sucks and it should be illegal to burrow through someone's tech trash uh then slap on a vpn like you are gonna be trusting the vpn over your internet service provider but your internet service provider uh makes money off of that data the vpn makes money off of not abusing that data well and and something like i know this is a little more hardcore even than that but you know everyone recommends oh get a vpn you know spend five ten dollars whatever but you know you always hear about vpns like doing things they said they wouldn't do or whatever you know who i trust most out of everyone in the world myself and with pf sense you can set up your own vpn right literally for that five dollars a month you can go to amazon web services or you know another cloud hosting provider buy a server for five dollars a month and set up your own vpn to that so you trust amazon all right mind you you gotta trust them to some degree yeah 
right whatever i mean it's the same thing with any any internet or vpn service provider yeah it's like if they're if you're worried about them if you're going to do a bunch of sketchy stuff that's going to get you in trouble then like you know you're just handing that evidence over to someone else you don't know if they're logging or not there's people you can go through and see like black marks against a lot of different vpns where like maybe the data was used in a certain case that shows they do some logging but if you're just the average person that doesn't want their stuff sold or aggregated by like commercial entities then like a vpn is still a better choice than having no vpn and if you're worried about people on your local network smooth snooping on stuff then it's another good thing to have on there as well um yeah and so just real quick let's see if it yeah something i try to communicate to people is that pfsense by itself is great but what makes it amazing is all the add-ons you can add to it right all the additional stuff you can do so if you go to the system impact manager um i don't have any packages installed currently but there's a whole list here of like pre-approved like pre-certified um stuff that you can do and for example earlier i alluded to the fact that i could uh monitor arp messages or uh arp packets um and be able to detect someone like cody trying to do an arp spoofing attack so like i think in one of our previous live streams you know we talked about art spoofing and in fact like it's what your your computer's trying to tell the entire network hey actually i'm the router you're gonna send all your stuff to me and so what arp watch would allow you to do is monitor all of those messages and set alarms if there's you know a new router or something like that on the network um from what i understand it can be a little annoying if you have it on a network like a home wi-fi network where you have a lot of new devices joining like so if you have 
guests coming over all the time then you're gonna get all kinds of like messages oh new devices join whatnot right um but if you have a more static environment this is great because the second anything changes you're gonna know about it that's useful because most people have no idea when a new device turns their own right and that's why if someone were to get access to it they would probably be able to get away with staying connected for a very long time and literally all you have to do to do that is install and confirm and you know ta-da it's going to be installed for me and then i i can configure that and [Music] i should now yes i think i should be able to see it on the installed packages yep and then [Music] it's my first time using that one so i don't know but it would normally pop up here somewheres um i'm not gonna dig into that because i we're running out of time and that would be like another live stream but more of what i wanted to show off is just all these packages that you can use um some of the other ones i think are very valuable um cellular that allows you to actually put a cellular modem in your your physical hardware build and that way you can have the lte fill over built in the way i have it set up on my network is i have like a mophie device uh which is upstairs and then i have it etherneted in so it's provided a local ip address on the mofi's network is going into my pf sense and then i i just so the problem with that is technically it's going to be a little slower like if you look here on the main page and you're looking at the ping time that's actually why the cellular neck network's a little slower or at least it's a contributing factor because it's going through that extra layer of networking so if i were able to put it on my pf synth build i'd be able to reduce that time so okay this all looks cool but what about attacks like if i was doing that arp surfing attack how how would you actually see it what would it look like uh yeah so we 
would have to go and do the setup for this which hi is it extensive can we try it i have never done that before let's take a look at it i don't even know how to open it click on it package dependencies so right now with it just fresh out of the box can it detect diathing can it detect anything i'm sure it can but i don't know how to um because i know when i downloaded it it status let's see arp watch oh here our porch it's under services okay so if i go to services arp watch then i could set it up on whichever interface i want so here i have wan which is our primary gigabit internet and then i have lan 2 which is our lte for fallover and then lan is obviously our local network so i would need to customize this i believe um update most of the defaults look okay yeah um okay and then if i save that code yeah i i think i have to assign yeah i i don't know i didn't look in did you select that well i don't i'm just curious let's see so if you're like i want to oh it's not even enabled hold on that's the problem enable ah so yeah once you add it let's save and then yeah so anytime you're modifying these settings you basically have to save and then sometimes when you save there'll be like a pop-up right here and then you'll have to save it again because that's usually if it has like reboot or something like that so let's see if the while you're doing that i'm going to switch over to mine for a sec and i'm going to open up better cap okay so i'm part of the network and i want to uh trigger and trigger this by doing some arp swooping so if i take a look at what i can run i can see most of my network tools are not running yet so i'm going to do net.probe and net.sniff uh all right and then help are you ascii computer corp no that's someone else okay so um sniffing around on the network i see a bunch of stuff i don't see the pf sense though because it's on a different ip you're on wi-fi yeah i'm on wifi yeah so that's on a separate network but that's okay so it should still 
see it right i think you should be able to see it all right so i'm not arp swooping yet uh but let's do it so we'll do arp dot spoof yeah on and now i'm that actually may not be true because uh the way our wi-fi is set up i think the because we're repurposing the isp provided um access point so the isp provided access point i think is actually doing its own subnet thing so you would need to be on the same network because that does that make sense uh that's why i was trying not to do that because your big fancy machine can't detect my episode well if you were actually attacking the psense network but you're not right so even though it's administrating this re this is no no no no so sliding over the wi-fi network what's actually happening on our network is i have my network there's a whole house network but then the wi-fi is creating its own network and so like i'm it's isp okay i think it's what's actually going on with the way that that access point is set up because i didn't have the money to buy my own like ubiquity access points so i just had to repurpose it yeah i'm sweeping the crap out of this network yeah because on your screen you see how they're all um 11.1 yep stuff that's because of uh the fact that that access point is doing its own network hmm okay well um i guess we can't spot any attacks that sucks we probably could if we configured it differently but uh yeah no that's i can because i can do all sorts of attacks against this network so what you need to do is ethernet in yeah but if you ethernet it in then you would see it but okay you're on a different network um but yeah so just kind of to wrap up real fast um there were some other packages that i wanted to talk about um dark stack can be uh useful for monitoring like which devices are using how much bandwidth so uh particularly if you want to do more of the load balancing and maybe you have a bandwidth hog right there they're torrenting like 4k videos constantly or something like that with load 
balancing and stuff like that you would be able to say okay this device is got a limited bandwidth of 100 megabits right and they would never get faster speeds than 100 megabit even though your entire system has you know a gigabit available to it or something like that um you can also do other traffic shaping type things so for example what i could do is say i want our live stream traffic to youtube to be absolute top priority it goes before any other traffic right you do have to be careful when you do do things like that otherwise uh you can starve other devices on the network for bandwidth right like you can prioritize your bandwidth to set your degree that no one else on the network can access the internet uh let's see i i mailed i texted you some of the other ones that i wanted to show off interesting uh in-map you you like nmap right um there's actually yes here it is in map you can install directly onto pfsense and obviously that's going to be very powerful since you know you are the center of the network right um there is pf block or ng uh that's what i was saying you would use uh as like a um as a black hole for particular networks so if you for if you know like a certain ip address you want to ban it like that's how you would implement that um and then also um i'm not going to cover it on this one but wireshark can be integrated into uh pfsense or or so i can stream packets from pfsense to wireshark to look at or um i can go up here to diagnostics and i can do packet capture i mean i can i can do like any all packets and just start a pack of capture right now or you know i can start um filtering it by like i only want the ipv6 traffic and you know um let's see i can set promiscuous mode that's great yeah um but yeah so then i would be able to capture packets this is particularly useful if you're you know troubleshooting problems or whatnot but then also like i was always saying earlier if you are doing like pin testing and stuff and you want to maybe 
monitor uh what the target would be seeing on their network logs like that would be a very great way to capture like all the packets see what like what exactly they would be able to see um in a very uh detailed manner but yeah uh we're running out of time uh sorry i didn't really dive deep into like the technical like tutorial how to i intended for this to be more of a general uh overview of the types of things that pf sense is capable of and obviously there's a lot more that this can do i'm really just basically a novice at this but if you all let us know some of the ideas uh maybe things you would want to do with a system like this then we can create some future live streams and do tutorials around those whoa okay also sorry um i just did a packet capture it's awesome that it lets you uh just be able to see it right here and it does resolution as well so it'll attempt to resolve any ip addresses that are like actually in here so these are local ones but uh you can see that there's arp requests going out so actually you can see elements of the arp spoofing that i'm doing in this packet capture because i put it into promiscuous mode and had it watching on the uh wlan 2. 
so yeah it's really interesting and then you can download the capture open in wireshark and start to poke around at it which i think is really really cool so seems like for people that just want to get started also monitoring network stuff and seeing how loud your attacks are then uh this would work in-map might be a good option for that as well yeah yeah under diagnostics and nmap then being able to do an nmap scan on like 192 168 eleven one interface any scan method to syn fun whatever um uh no not pinging uh yeah we'll do the service scan yeah so let's do a service scan on the router and like well okay so to clarify again uh our access point is not set up in bridge mode so bridge mode is what i would need to have set up but the isp provided router does not allow or i shouldn't say rotter access point does not allow bridge mode so it's setting up its own network whatever row i failed the the routing and switching class all i know is that i'm going to slap a 0 24 on this and run it and see what happens if you're doing that should show nothing i think you would need one on two one six eight oh wait no yeah yeah that should be that should do this network i don't know how to do a network scan yeah but it is mostly who at the house is actually etherneted in yeah it's gonna be like you it's gonna be this laptop and maybe like one of my roommates hey oh it's going so slow i'm distressed whatever i guess it's just doing an nmap scan these are slow anyway yeah all right well anyway i think if it ever finishes we can we can go back to yours yeah um i think that's like the majority of the sorts of things i wanted to show off like it's like talking about cali linux right there's so many different things you could do with this like i don't even know what all to cover um but i think i've really covered some of the high points uh so like i was saying if you'll have ideas what what y'all want to see more of i can set that up because like today i know our one little demo live 
demo went a little haywire because um i didn't set up this environment really for this and i have limited capability because this is actually what we're streaming with right now um so there was a little bit limited on what i could actually do um on the network that we're currently connected to but i can set up a a better test environment you know with spare pc on its own network and whatnot and then we will be able to play around with that a lot more i'm so mad about this low end map scan but yeah aside from that i think this is a really cool way of seeing what it looks like on the other side of a firewall there's tons of options most of them are intuitively labeled and you can pretty much figure out what they're supposed to be for but if you know a little bit about what each one of these protocols really does then it's a lot easier to get started working with the options so you can kind of start with wherever you're most familiar and work with those settings and then explore to see some of the other ones some of the defensive ones i think are a really good way to understand like where you're leaving trails and what you might want to change and i still think it's hilarious to change your mac address and identify uh your device as something other than a pf sensitive device oh look at that it finally finished the end message i don't even care anymore it's just it's just itself and your computer yeah well you had it scanning a bunch of stuff and then yeah yeah so uh yeah that's pretty much all we got today if you guys were interested in this and want to see more about pfsense there's lots of different ways we could take this project we could have it being configuring a vpn we can have it sniffing traffic we can have it doing all sorts of stuff maybe bringing the traffic into wireshark and watching stuff in real time that could be cool um just let us know what you're interested in yeah i think that the next thing i would cover on pfcent is setting it up with wireshark 
so we can do all that pack and capture directly routed to pfc or to wireshark then also i could set up our access point in bridge mode i think maybe if i can find a way to brute force that uh so that way it would actually be on the same network um but yeah yeah no it would be fun to start setting up some monitoring tools and then seeing which attacks are actually detected and which one's alright so let us know what you guys think we always appreciate comments and suggestions for the for any upcoming shows you can reach me on twitter at codykinsey and of course at michael's legal name the underscore hoyt and yeah also if you like this you can check out some of the other great free veronas resources we highly recommend some of the new attack labs as well as the ad powershell workshop they're really great ways to check out how attackers actually go after companies and what you can do about it as well as getting started with scripting in active directory cool yeah all right well thank you guys so much for joining us today we will see you guys next time thanks for watching bye you
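The stream describes what arpwatch would flag (a new device, or the router's IP suddenly answering from a different MAC) and then captures the ARP traffic with the pfSense packet-capture page without getting as far as seeing an alert. The following is an added example, written for this page and not code from the stream, from pfSense or from arpwatch itself: it reads ARP replies in the line format `tcpdump -tt -nn` prints for a downloaded capture (an assumed format: "<epoch> ARP, Reply <ip> is-at <mac>, length 28"), keeps an IP-to-MAC table, and raises the three events arpwatch reports ("new station", "changed ethernet address", "flip flop"). The capture lines are constructed, not real traffic: a gateway at .1, a laptop at .50, and an attacker at .77 that announces itself, claims the gateway's IP, is overridden by the real gateway, and claims it again, which is what an `arp.spoof on` run looks like on the wire. The `alert_on_new_station` switch models the home-Wi-Fi-versus-static-network trade-off mentioned in the stream.

```python
"""arpwatch-style ARP change detector over tcpdump-formatted ARP replies (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed line shape (tcpdump -tt -nn): "<epoch> ARP, Reply <ip> is-at <mac>, length 28".
# ARP requests ("who-has ... tell ...") and non-ARP lines are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


@dataclass(frozen=True)
class Alert:
    kind: str             # "new station" | "changed ethernet address" | "flip flop"
    ip: str
    old_mac: Optional[str]
    new_mac: str
    ts: float
    note: str = ""        # set when the new MAC already answers for another IP


class ArpWatch:
    """IP -> MAC table plus the previous MAC per IP, so a change back counts as a flip flop."""

    def __init__(self, alert_on_new_station: bool = True) -> None:
        self.table: Dict[str, str] = {}
        self.previous: Dict[str, str] = {}
        # On a home Wi-Fi with guests, "new station" is mostly noise; on a static
        # network it is the event that tells you an unknown device appeared.
        self.alert_on_new_station = alert_on_new_station

    def observe(self, ts: float, ip: str, mac: str) -> Optional[Alert]:
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return Alert("new station", ip, None, mac, ts) if self.alert_on_new_station else None
        if known == mac:
            return None
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        # A MAC that already answers for some other IP and now also claims this one
        # (typically the gateway) is the signature of an ARP spoofing host.
        others = sorted(i for i, m in self.table.items() if m == mac and i != ip)
        note = f"{mac} already claims {', '.join(others)}" if others else ""
        self.previous[ip] = known
        self.table[ip] = mac
        return Alert(kind, ip, known, mac, ts, note)

    def feed_tcpdump(self, lines: Iterable[str]) -> List[Alert]:
        alerts: List[Alert] = []
        for line in lines:
            m = ARP_REPLY.match(line.strip())
            if m is None:
                continue
            alert = self.observe(float(m["ts"]), m["ip"], m["mac"])
            if alert is not None:
                alerts.append(alert)
        return alerts


# Constructed sample capture (not real traffic; hypothetical addresses).
SAMPLE_CAPTURE = [
    "1601100000.000000 ARP, Request who-has 192.168.11.1 tell 192.168.11.50, length 28",
    "1601100000.000100 ARP, Reply 192.168.11.1 is-at aa:aa:aa:aa:aa:01, length 28",
    "1601100000.000200 ARP, Reply 192.168.11.50 is-at bb:bb:bb:bb:bb:50, length 28",
    "1601100001.000000 IP 192.168.11.50.49152 > 192.168.11.1.53: 1+ A? example.test. (30)",
    "1601100002.000000 ARP, Reply 192.168.11.77 is-at cc:cc:cc:cc:cc:77, length 28",
    "1601100003.000000 ARP, Reply 192.168.11.1 is-at cc:cc:cc:cc:cc:77, length 28",
    "1601100004.000000 ARP, Reply 192.168.11.1 is-at aa:aa:aa:aa:aa:01, length 28",
    "1601100005.000000 ARP, Reply 192.168.11.1 is-at cc:cc:cc:cc:cc:77, length 28",
]


def run_sample(alert_on_new_station: bool = True) -> List[Alert]:
    """Run the detector over the constructed capture and return the alerts raised."""
    return ArpWatch(alert_on_new_station).feed_tcpdump(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:.3f} {a.kind}: {a.ip} {a.old_mac or '-'} -> {a.new_mac} {a.note}")
```

On the sample, the three announcements produce "new station" events, the attacker's claim on 192.168.11.1 produces "changed ethernet address" with a note that cc:cc:cc:cc:cc:77 already owns 192.168.11.77, and the gateway and attacker overriding each other produce the "flip flop" events; with `alert_on_new_station=False` only the three change events remain, which is the quieter setting for a network where devices come and go.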
Info
Channel: SecurityFWD
Views: 2,036
Rating: 5 out of 5
Keywords: kody kinzie, pfsense setup, pfsense build, pfsense router, pfsense firewall, pfsense tutorial, pfsense install, pfsense router build, pfsense router build 2020, pfsense router setup, pfsense router hardware, pfsense router review, pfsense router firewall, pfsense setup 2020, pfsense build guide, build pfsense firewall, pfsense build your own, pfsense tutorial for beginners
Id: 1vH17e742yQ
Length: 59min 11sec (3551 seconds)
Published: Sat Sep 26 2020