Welcome to hacking a rise today is a real treat as are very own Shiva mead pentestinfa that way to anon ur network with out tor or vpn this tool is going to gave 4nonmizer a run for its money to find out more check Shivas blog CLICK HERE
Introduction
This is the first part of a series on how to build a covert pentesting infrastructure. Part 1 will focus on setting up the attacker’s localhost, that will then be able to connect to the attack VPS cloud server covertly using a mix of socks5 -, DNS -proxies and VPN. The knowledge in these articles comes in handy for red teaming or engagements that require anonymity. As a reader you will learn a state of the art modern method to build a pentesting infrastructure. The article series is as suchs:
Part 1: Attacker Localhost Setup (This article)
Part 2: Work VPS /Cloud Installation and Setup
Part 3: Custom Attack / Explotation Software
See the below illustration to get an overview of this project. Part 1 covers “Hacker Host”, Proxies and VPN.
The last chapter “Surf” includes a large reference of links, should the reader be interested.
Attacker Localhost Setup
The attacker’s localhost is the machine that must never be compromised or traced as it will reveal the identity of the operating agent. One could argue that part 1 is therefore the most important of the 3 parts.
Check List
A short primer checklist before the actual deepdive into tech anonymity:
Change MAC address of network cards using “macchanger”
Close all apps and background services connected to the web (use netstat)
All tracking in browser and OS are turned off and blocked (hardened)³³⁻³⁶
Bitcoins are properly mixed and using a third-party wallet
Connect to (multiple) scraped anon socks5 proxy and secured DNS proxy
Connect to a logless VPN that was obtained covertly
Connect to the internet through Tor or other browser that does not allow fingerprinting
DNS settings are configured to use a logless DNS
Logged out of all online accounts
Emails are sent using burner accounts
New accounts registered and logged in with burner emails
Search with DuckDuckGo or StartPage
Use foreign hardware, if at all possible. Preferably other than your neighbours WiFi.*
*Note that WiFi hotspots in e.g. cafés often user more tracking than the average 4G data connection.
Scraping Proxies
In order to setup a proxy server (see Redsocks chapter) with random proxies first some proxies must be fetched. This is done by using the tool “fetch-some-proxies”¹. Simply run ./fetch.sh to fetch proxies which will execute the following commands:
sudo python fetch-some-proxies/fetch.py | tee proxyscrape.tmp
sudo grep -e “elite” proxyscrape.tmp > proxyscrape2.tmp
sudo grep -e “socks5” proxyscrape2.tmp > proxyscrape.lst
rm proxyscrape*.tmp
cat proxyscrape.lst
Only socks5 proxies of the elite type is of interest as several protocols must be routed to the proxy and with as high an anonymity as possible.
As unwanted proxies are now filtered away, a proxy with short latency is chosen from “proxyscrape.lst”, e.g. socks5://178.62.59.71:4076 . Now that the proxy list is populated, the next chapter will show how to use a scraped proxy with redsocks.
Redsocks Install & Setup
“Redsocks is the tool that allows you to proxify (redirect) network traffic through a SOCKS4, SOCKS5 or HTTPs proxy server. It works on the lowest level, the kernel level (iptables). The other possible way is to use application level proxy, when the proxy client is implemented in the same language as an application is written in. Redsocks operates on the lowest system level, that’s why all running applications don’t even have an idea that network traffic is sent through a proxy server, as a result it is called a transparent proxy redirector.” ¹⁴
sudo apt-get install redsocks
sudo nano /etc/redsocks.conf
Then insert redsocks.conf file included (see below) and continue:
sudo redsocks -c /etc/redsocks.conf
redsocks.conf :
base {
log_debug = on;
log_info = on;
log = “stderr”;
daemon = off;
redirector = iptables;
}
redsocks {
local_ip = 127.0.0.1;
local_port = 12345;
// socks5://178.62.59.71:4076
ip = 178.62.59.71;
port = 4076;
type = socks5;
// known types: socks4, socks5, http-connect, http-relay
// login = username;
// password = password;
}
dnstc {
// fake and really dumb DNS server that returns “truncated answer” to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
local_ip = 127.0.0.1;
local_port = 5300;
}
// you can add more `redsocks’ and `redudp’ sections if you need.
This concludes the installation and setup of redsocks. However, to route all traffic trough redsocks and the scraped proxy iptables are required. For installing iptables and setting up with redsocks refer to “debian manpages”¹⁶ and stackexchange¹⁵. In any case, using the script included with this project both redsocks and iptables can be started using “./startREDsocks.sh”:
#!/usr/bin/env bash
sudo ./restartDNScrypt.sh
sudo ./iproute.sh
echo “Starting redsocks…”
sudo redsocks -c /etc/redsocks.conf
sudo ./resetiproute.sh
sudo ./myip.sh
While DNScrypt and secure DNS in general will be covered in the next chapter “Secure DNS”, ./iproute.sh routes traffic through redsocks proxy with iptables and “./resetiproute.sh” stops the routing through redsocks. A closer look:
#!/usr/bin/env bash
echo “Routing selected ports trough redsocks proxy”
echo ” ”
sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT –to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp –dport 443 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp –dport 80 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp –dport 22 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp –dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp –dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp –dport 22 -j REDSOCKS
Note that depending on what ports should be forwarded it might be necessary add or change dport lines. As for “resetiproute.sh” it works like so:
#!/usr/bin/env bash
echo “Resetting IPtables i.e. stop routing trough redsocks proxy”
echo ” ”
sudo iptables -F
sudo iptables -X
sudo iptables -Z
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t nat -Z
killall redsocks
For more information on iptables please refer to “How to force all Linux apps to use SOCKS proxy” ¹².
Redsocks with Multiple Proxies
Adding additional proxies to redsocks doesnt necessarily lead to higher anonymity or security, as the proxies are not chained and still DNS leak, but will help balacing the load. As before “/etc/redsocks.conf” file must be edited, this time with additional chapters, like so:
**More proxies**
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11080;
port = 1080;
}
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11081;
port = 1081;
}
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11082;
port = 1082;
}
Furthermore, “iproute.sh” needs to be updated accordingly:
iptables … -m random –mode random –probability 0.3333333333 -j REDIRECT –to-ports 11080
iptables … -m random –mode random –probability 0.3333333333 -j REDIRECT –to-ports 11081
iptables … -j REDIRECT –to-ports 11082
Now enjoy seemless proxy rotation.
The purpose of this project is to be covert and despite the use of socks5 proxy there is still DNS leak, although IP is now spoofed. To test different scenarios “dnsleaktest.com” ⁹ is utilized and although origin IP is spoofed, showing IP of the proxy, a “dnsleaktest.com” extended test still shows original IP. To avoid this, DNS must be covert, and so this is covered in the next chapter “Secure DNS”.
Secure DNS
Proxies and IP-spoofing is pointless without a secure DNS as DNS leak will reveal the origin IP. (Good) VPNs setup their own DNS and could VPNs be trusted, scraped proxy and secure DNS would not be required. As this is not the case read on.
DNS over Proxy
There are several services that deliver DNS over proxy. For more information on DNS via proxy please refer to the surf section “Anon DNS Servers” ²⁴ ²⁵. Setting up a DNS proxy is quite straightforward, in the following example https://dns.watch ²⁴ DNS servers are applied. First update the resolver configuration:
sudo nano /etc/resolvconf/resolv.conf.d/base
nameserver 84.200.69.80
nameserver 84.200.70.40
sudo resolvconf -u
Then set DNS for both IPv4 and IPv6 using the NetworkManager²³ (use 84.200.69.80 and not 8.8.8.8):
Search ‘ Network Connection’
Open it
Then select either WiFi or Ethernet, or whatever you are using, and click on edit. You’ll get this:
https://github.com/CPH-SEC/CPH-SEC.github.io/blob/master/pics/networkcon2.png
Select ipv4 in tabs
Select addresses only in method
Enter your DNS name below, and save it (dont use 8.8.8.8, its Google transparent DNS, but e.g. 84.200.69.80)
Repeat 4-6 for IPv6 also for all interfaces
Restart NetworkManager “sudo service network-manager restart”
Go test on dnsleaktest.com
Testing with “dnsleaktest.com” result will now be as intended:
https://github.com/CPH-SEC/CPH-SEC.github.io/blob/master/pics/dnsleakfixed.png
Next chapter shows how to use DNSCrypt to add an extra level of DNS anonymity.
DNSCrypt-Proxy Install & Setup
Although DNS leak was fixed by the configuration in the last chapter, some might still want to implemented DNSCrypt as an additional level of protection, although its not strictly needed. First install DNSCrypt proxy like so:
sudo apt purge dnscrypt-proxy
sudo apt update
sudo apt install dnscrypt-proxy
sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy
sudo apt install resolvconf
sudo nano /etc/NetworkManager/NetworkManager.conf
Then edit “NetworkManager.conf” to look like this:
[main]
dns=default
plugins=ifupdown,keyfile
[ifupdown]
managed=false
[device]
WiFi.scan-rand-mac-address=no
And finally run “./restartDNScrypt.sh”, which does the following:
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl restart network-manager
sudo systemctl restart dnscrypt-proxy
In the next chapter another level of anonymity is presented as the use of VPN is discussed.
Virtual Private Network
In the earlier chapters it was shown how to spoof both IP address and avoid DNS leak. However, so far the traffic has not been encrypted and could be wiretapped, although our SSH connection in part 2 to the VPS will be encrypted. By using a VPN, wiretapping is avoided and so it is important to use a good VPN to make sure the encryption is strong enough. Furthermore, the effectiveness of a VPN is different compared to if the VPN is used before or after proxy servers. What is even more important is to obtain the VPN service covertly as the us of a credit card VPN, that also keep logs(!), defeats most of efforts to be anonymous and acting covertly on the net. Some points that need to be considered choosing a VPN:
Can be obtained covertly e.g. with cryptocurrency payment
Logless
Strong encryption
Big Keys
No leak, DNS, IP, WebRTC or other
ExpressVPN and NordVPN, and others, are believed to be such VPNs.
PROXY and VPN vs VPN and PROXY
While it could seem trivial whether to use proxy in front of the VPN or vice versa it is in fact crucial in a world were VPNs cant be trusted. In this article a proxy is used in front of the VPN (seen from the hosts side) meaning “not exisiting” VPN logs will not show the IP of client origin. This only works if the VPN is obtained covertly, as discussed in the laster chapter. One way to obtain VPN covertly is covered in the next chapter.
Bitcoin Mixing / Tumbling / Washing
There are several ways to obtain VPN and VPS covertly but if no other method is available, buying a service with bitcoin is a possibility, when done correctly! As this is not an article about bitcoins please refer to the internet for background information regarding bitcoin and/or cryptocurrency. Here, the interest is in obtaining and using bitcoin anonymously and for a full guide please refer to the surf section³⁸. Note also that some cryptocurrencies are believed to be more anonymous than bitcoin, while not as extensively used among vendors. Shortly, to mix/tumble/wash bitcoins a service suchs a ‘Bitblender’ or ‘Bitmixer’ is required. The process is a such³⁸:
Choose a bitcoin mixing service e.g. ‘Bitblender’ or ‘Bitmixer’
Use Tor- Onion Router to stay anonymous
Use Logless VPN (NordVPN is believed to be such a VPN)
Aquire New Address for Transactions
Buy/Sell Bitcoins in Cash using fake identiy using tools such as
LocalBitcoins.com
Fake Name Generator
Guerilla Mail
Burner phone or service
For extra safety try JoinMarket and trade
Following this procedure flawlessly its possible to buy services such as VPN or VPS anonymously using bitcoin. Using bitcoin is only recommendable if other more covert methods are not available since blockchain leaves a “paper trail” that could possibly, in the future could be traced using so far unknown computing power and algorithms. This is somewhat “tinfoil hat” speculation of course. Regardless how the VPN is obtained it must be tested and this is the topic of the next chapter.
Testing VPNs
Sadly, a large percentage of VPNs are useless and not as secure as advertised. In general there are 4 well known ways VPN can leak origin host information:
IP Leak
DNS Leak
WebRTC Leak
MSLeak Test*
*MSLeak is only relevant for users of Microsoft Windows, which is not recommendable to use for anonymity.
In this article 3 tools are used to test anonymity:
https://ipleak.net/
https://www.privacytools.io/
https://www.perfect-privacy.com
Testing a covertly obtained VPN gives results as below:
Result shows VPN location, so test passed.
https://github.com/CPH-SEC/CPH-SEC.github.io/raw/master/pics/pp_vpn_webrtc.png
No WebRTC leak, so test passed.
No DNS leak, so test passed. Note that the DNS Leak test will show proxy or VPN IP depending on which is placed in front (last).
Conclusion
In this article it was described how to secure the origin host/client, used by the operating agent in a covert pentesting assignment. Each step must be executed perfectly but the included scripts makes it possible.
This was part 1 of a 3 part series, part 2 will demonstrate how to setup the VPS server that will run the actual tests and attack scripts; while chapter 3 will demonstrate how a custom test / attack framework could look.
Surf (LMGTFY):
Tools
¹ Fetch-some-proxies: https://github.com/stamparm/fetch-some-proxies
² https://github.com/jorgenkg/python-proxy-rotator
³ https://github.com/allfro/pymiproxyhttps://www.thesaurus.com/browse/necessarily
⁴ https://github.com/constverum/ProxyBroker
Multiple TOR Proxies
⁵ http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
⁶ http://www.haproxy.org/
⁷ http://blog.databigbang.com/distributed-scraping-with-multiple-tor-circuits/
⁸ http://www.delegate.org/delegate/
Test
⁹ DNS leak test: https://www.dnsleaktest.com
¹⁰ Whats my IP: https://www.whatsmyip.org/
¹¹ Browser fingerprinting test: https://panopticlick.eff.org/
Privacy Tools: https://www.privacytools.io/
https://ipleak.net/
Redsocks and IPtables
¹² How to force all Linux apps to use SOCKS proxy: https://superuser.com/questions/1401585/how-to-force-all-linux-apps-to-use-socks-proxy?rq=1
¹³ https://crosp.net/blog/administration/install-configure-redsocks-proxy-centos-linux/
¹⁴ https://unix.stackexchange.com/questions/71429/redirect-all-non-local-traffic-to-a-socks-proxy
¹⁵ https://manpages.debian.org/stretch/iptables/iptables-extensions.8.en.html#TPROXY
¹⁶ Escape proxy hell with Redsocks: https://jmkhael.io/escape-proxy-hell-with-redsocks/
Anon VPS
¹⁷ Anonymous SSD VPS: https://anonymously.io/anonymous-vps/
¹⁸ Cheap Anonymous VPS Providers: https://cheapvillage.com/cheap-anonymous-vps-providers/
¹⁹ Dreamhost with bitcoin: https://bitlaunch.io/
DNS Leak Avoidance
²⁰ https://www.smarthomebeginner.com/vpn-kill-switch-with-ufw/
²¹ https://support.rackspace.com/how-to/changing-dns-settings-on-linux/
²² https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten/163506#163506
²³ https://unix.stackexchange.com/questions/494324/how-to-setup-dns-manually-on-linux
Anon DNS servers
²⁴ Secure DNS root: https://dns.watch
²⁵ Secure DNS root: https://www.opennic.org/
RDP
²⁶ RDP Manual: https://5socks.net/Manual/rdp_eng.html
²⁷ RDP VPN Manual: https://5socks.net/Manual/what_is_rdp_vpn_eng.htm
SSH Routing
²⁸ https://linuxize.com/post/how-to-setup-ssh-socks-tunnel-for-private-browsing/
²⁹ https://www.dnsflex.com/how-to-route-all-network-traffic-from-your-lan-securely-through-a-socks5-proxy-ssh-tunnel-redsocks/
³⁰ https://hackertarget.com/ssh-examples-tunnels/
SSH Routing with a Service
³¹ Expose local servers to the internet: https://serveo.net/
³² Public URLs for exposing your local web server: https://ngrok.com/
Browser & OS Hardening
³³ Firefox privacy, security and anti-fingerprinting: https://github.com/ghacksuserjs/ghacks-user.js
³⁴ The Practical Linux Hardening Guide³⁸: https://github.com/trimstray/the-practical-linux-hardening-guide
³⁵ how-to-stay-anonymous: https://www.hackeroyale.com/how-to-stay-anonymous/
³⁶ user.js – Firefox configuration hardening : https://github.com/pyllyukko/user.js
VPN
³⁷ How To Stay Anonymous While Hacking: https://www.tech21century.com/expressvpn-vs-nordvpn-comparison/
Bitcoin
³⁸ Ways To Guarantee Anonymity When Making Bitcoin Transactions: https://coinsutra.com/anonymous-bitcoin-transactions/
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.