Tailscale for Pentesting purposes
2024-05-10
Hello and welcome to my first blog post. This post is about Tailscale, a VPN service built on the WireGuard protocol.
What is Tailscale?
Tailscale utilizes the WireGuard protocol to establish encrypted networks between devices, forming a mesh network that facilitates direct and efficient device-to-device communication. This service enables users to easily set up a virtual private network without the complex configurations typically associated with traditional VPNs. Tailscale integrates with familiar identity providers for authentication, enhancing security and simplifying user management.
Key features of Tailscale include Access Control Lists (ACLs), which provide fine-grained permissions to control which devices and services can communicate over the network. Magic DNS, another significant feature, simplifies the connection process by allowing users to access devices using easy-to-remember names rather than IP addresses. Additionally, Tailscale supports automatic device and service discovery within the network, making it easier to manage connections and access resources securely and efficiently.
How to get started with Tailscale?
Using Tailscale is pretty simple - just log in with one of the available OAuth options (Google, O365, GitHub, ...) and you're already logged in and able to see your dashboard.
To add your first device, simply click on the "Add device" button. You'll then be presented with the various systems that support Tailscale. At the time of writing this blog post, those are Linux, Windows, macOS, iPhone & iPad, Android and Synology. The page gives you pretty good instructions on how to set it up - it's pretty simple anyway.
If you want to install Tailscale on a Linux device, for example, you simply run the following command:
curl -fsSL https://tailscale.com/install.sh | sh
After that, you can start Tailscale with sudo tailscale up, authenticate and voilà - you have your first device online in your Tailscale network.
Using Tailscale SSH
Besides allowing you to build your own VPN network, Tailscale also offers a pretty convenient SSH service, called Tailscale SSH. To use it, simply start Tailscale with the --ssh option, so sudo tailscale up --ssh.
What this will allow you to do is connect via SSH with only your Tailscale account as authentication. No need to save passwords, no need to upload public keys or manage keys at all. Tailscale handles everything in the background.
As of right now, Tailscale SSH only works on Linux devices.
So how does this relate to pentesting?
In my opinion, Tailscale is awesome for pentesting. One option is to use it for your regular pentesting infrastructure. Running Tailscale SSH, as an example, even allows you to deactivate the regular SSH service on the server. That way, your server has no exposed ports to the internet - but within your Tailscale network, you can still access the server. You can even put the installation in an Ansible playbook for your servers and have everything connected that way.
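Once the public SSH port is gone, the Tailscale ACL policy is what decides who can still reach those servers, so it is worth writing it down explicitly. The policy below is an added example, not from the original post: it opens Tailscale SSH only to a pentester group and forces re-authentication with the identity provider before each session. The group, tag and e-mail values are placeholders.

```jsonc
// Tailscale ACL policy (HuJSON). Constructed example: group, tag and
// user names are placeholders, not values from the original post.
{
  "groups": {
    // The only people allowed to reach the pentest infrastructure.
    "group:pentesters": ["alice@example.com", "bob@example.com"]
  },
  "tagOwners": {
    // Only pentesters may tag a node as infrastructure; tagged nodes
    // carry no user identity of their own.
    "tag:pentest-infra": ["group:pentesters"]
  },
  "acls": [
    // Tailscale is default-deny: with this as the only rule, every
    // other flow in the tailnet is dropped. Pentesters may reach
    // port 22 on infrastructure nodes and nothing else.
    {
      "action": "accept",
      "src": ["group:pentesters"],
      "dst": ["tag:pentest-infra:22"]
    }
  ],
  "ssh": [
    // Tailscale SSH rule. "check" requires a fresh browser login with
    // the identity provider before a session is allowed; "accept"
    // would silently trust the node's existing Tailscale login.
    {
      "action": "check",
      "checkPeriod": "12h",
      "src": ["group:pentesters"],
      "dst": ["tag:pentest-infra"],
      // Login as any non-root Unix account; root is deliberately not listed.
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Both the "acls" entry for port 22 and the "ssh" entry are needed: the first lets the packets through, the second decides which Unix users a Tailscale identity may log in as.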
The reason why I find this particularly useful, though, is for building a pentesting dropbox. That's especially relevant because Tailscale almost always manages to find a way out, as long as it's connected to the internet in some way - even with complicated firewall rules. That is because it will either (if possible) connect directly peer to peer or alternatively use DERP relays to forward traffic. More information on the technical side of this can be found here.
That means you can easily install a copy of your favorite OS (like Kali or Parrot) on a Raspberry Pi, load Tailscale on there and send it to your customer to do internal network tests. Just have them connect the device to the network and Tailscale will do the rest.
Even in physical assessments and on-premises red teaming, this is a powerful tool to deploy covertly - just stick it under a desk, plug in an Ethernet cable and you'll have your remote access to the network via Tailscale SSH.
And yes, there are things like NAC that could make this much harder, but often it's worth a try, and I've seen enough situations where this works out without any issues.
Anything else?
There's much more about Tailscale to talk about, like ACLs to set exact user permissions on different machines in the network, Magic DNS for unique DNS entries within the Tailscale network, and much more. However, I don't want to make this first blog post too long.
If you're interested in knowing more about Tailscale or want a full tutorial on setting up a Raspberry Pi as a pentesting dropbox, let me know in the comments or just shoot me an email.
Let me know how you liked this first blog post. Do you like it more technical? Should it be more in depth, or maybe less?
Comments
Sebastian - 2024-05-12 11:36
Hey, I think your first blog post is great. Tailscale seems to be a very powerful tool that has definitely caught my interest, and I will definitely take a closer look at it myself. A tutorial for a Raspberry Pi as a pentest dropbox would also interest me a lot. Great, keep it up, I'm very excited about further posts and looking forward to them. Best regards, Basti