Disclaimer & Caveat Lector: This article is for educational purposes only. The author is not responsible for any misuse or wrong doing. Always follow the law, whitehat hacking ethics, good business practice as well as industry standards.
- By Shiva @ CPH:SEC : https://cph-sec.github.io/
- Quality Control by Martin Thirup @ Hackerone: https://hackerone.com/mthirup
This is the first part of a series on how to build a covert pentesting infrastructure. Part 1 will focus on setting up the attacker's localhost, which will then be able to connect to the attack VPS cloud server covertly using a mix of socks5 -, DNS -proxies and VPN. The knowledge in these articles comes in handy for red teaming or engagements that require anonymity. As a reader, you will learn a state of the art modern method to build a pentesting infrastructure. The article series is as such:
- Part 1: Attacker Localhost Setup (This article)
- Part 2: Work VPS /Cloud Installation and Setup
- Part 3: Custom Attack / Explotation Software
See the below illustration to get an overview of this project. Part 1 covers "Hacker Host", Proxies and VPN.
The last chapter "Surf" includes a large reference of links, should the reader be interested.
The attacker's localhost is the machine that must never be compromised or traced as it will reveal the identity of the operating agent. One could argue that part 1 is, therefore, the most important of the 3 parts.
A short primer checklist before the actual deep-dive into tech anonymity:
- Change MAC address of network cards using "macchanger"
- Close all apps and background services connected to the web (use netstat)
- All tracking in browser and OS are turned off and blocked (hardened)³³⁻³⁶
- Bitcoins are properly mixed and using a third-party wallet
- Connect to (multiple) scraped anon socks5 proxy and secured DNS proxy
- Connect to a log less VPN that was obtained covertly
- Connect to the internet through Tor or other browser that does not allow fingerprinting
- DNS settings are configured to use a log less DNS
- Logged out of all online accounts
- Emails are sent using burner accounts
- New accounts registered and logged in with burner emails
- Search with DuckDuckGo or StartPage
- Use foreign hardware, if at all possible. Preferably other than your neighbors WiFi.*
*Note that WiFi hotspots in e.g. cafés often user more tracking than the average 4G data connection.
In order to setup a proxy server (see Redsocks chapter) with random proxies first some proxies must be fetched. This is done by using the tool "fetch-some-proxies"¹. Simply run ./fetch.sh to fetch proxies which will execute the following commands:
sudo python fetch-some-proxies/fetch.py | tee proxyscrape.tmp
sudo grep -e "elite" proxyscrape.tmp > proxyscrape2.tmp
sudo grep -e "socks5" proxyscrape2.tmp > proxyscrape.lst
rm proxyscrape*.tmp
cat proxyscrape.lst
Only socks5 proxies of the elite type are of interest as several protocols must be routed to the proxy and with as high anonymity as possible.
As unwanted proxies are now filtered away, a proxy with short latency is chosen from "proxyscrape.lst", e.g. socks5://178.62.59.71:4076 . Now that the proxy list is populated, the next chapter will show how to use a scraped proxy with redsocks.
"Redsocks is the tool that allows you to proxify (redirect) network traffic through a SOCKS4, SOCKS5 or HTTPs proxy server. It works on the lowest level, the kernel level (iptables). The other possible way is to use an application-level proxy when the proxy client is implemented in the same language as an application is written in. Redsocks operates on the lowest system level, that’s why all running applications don’t even have an idea that network traffic is sent through a proxy server, as a result, it is called a transparent proxy redirector." ¹⁴
sudo apt-get install redsocks
sudo nano /etc/redsocks.conf
Then insert redsocks.conf file included (see below) and continue:
sudo redsocks -c /etc/redsocks.conf
redsocks.conf :
base {
log_debug = on;
log_info = on;
log = "stderr";
daemon = off;
redirector = iptables;
}
redsocks {
local_ip = 127.0.0.1;
local_port = 12345;
// socks5://178.62.59.71:4076
ip = 178.62.59.71;
port = 4076;
type = socks5;
// known types: socks4, socks5, http-connect, http-relay
// login = username;
// password = password;
}
dnstc {
// fake and really dumb DNS server that returns "truncated answer" to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
local_ip = 127.0.0.1;
local_port = 5300;
}
// you can add more `redsocks' and `redudp' sections if you need.
This concludes the installation and setup of redsocks. However, to route, all traffic trough redsocks and the scraped proxy iptables are required. For installing iptables and setting up with redsocks refer to "Debian manpages"¹⁶ and stackexchange¹⁵. In any case, using the script included with this project both redsocks and iptables can be started using "./startREDsocks.sh":
#!/usr/bin/env bash
sudo ./restartDNScrypt.sh
sudo ./iproute.sh
echo "Starting redsocks..."
sudo redsocks -c /etc/redsocks.conf
sudo ./resetiproute.sh
sudo ./myip.sh
While DNScrypt and secure DNS, in general, will be covered in the next chapter "Secure DNS", ./iproute.sh routes traffic through redsocks proxy with iptables and "./resetiproute.sh" stops the routing through redsocks. A closer look:
#!/usr/bin/env bash
echo "Routing selected ports trough redsocks proxy"
echo " "
sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 22 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDSOCKS
Note that depending on what ports should be forwarded it might be necessary add or change dport lines. As for "resetiproute.sh" it works like so:
#!/usr/bin/env bash
echo "Resetting IPtables i.e. stop routing trough redsocks proxy"
echo " "
sudo iptables -F
sudo iptables -X
sudo iptables -Z
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t nat -Z
killall redsocks
For more information on iptables please refer to "How to force all Linux apps to use SOCKS proxy" ¹².
Adding additional proxies to redsocks doesn't necessarily lead to higher anonymity or security, as the proxies are not chained and still DNS leak, but will help to balance the load. As before "/etc/redsocks.conf" file must be edited, this time with additional chapters, like so:
**More proxies**
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11080;
port = 1080;
}
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11081;
port = 1081;
}
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11082;
port = 1082;
}
Furthermore, "iproute.sh" needs to be updated accordingly:
iptables … -m random --mode random --probability 0.3333333333 -j REDIRECT --to-ports 11080
iptables … -m random --mode random --probability 0.3333333333 -j REDIRECT --to-ports 11081
iptables … -j REDIRECT --to-ports 11082
Now enjoy seamless proxy rotation.
The purpose of this project is to be covert and despite the use of socks5 proxy, there is still DNS leak, although IP is now spoofed. To test different scenarios "dnsleaktest.com" ⁹ is utilized and although origin IP is spoofed, showing IP of the proxy, a "dnsleaktest.com" extended test still shows original IP. To avoid this, DNS must be covert, and so this is covered in the next chapter "Secure DNS".
Proxies and IP-spoofing are pointless without a secure DNS as the DNS leak will reveal the origin IP. (Good) VPNs setup their own DNS and could VPNs be trusted, scraped proxy and secure DNS would not be required. As this is not the case read on.
There are several services that deliver DNS over proxy. For more information on DNS via proxy please refer to the surf section "Anon DNS Servers" ²⁴ ²⁵. Setting up a DNS proxy is quite straightforward, in the following example https://dns.watch ²⁴ DNS servers are applied. First, update the resolver configuration:
sudo nano /etc/resolvconf/resolv.conf.d/base
nameserver 84.200.69.80
nameserver 84.200.70.40
sudo resolvconf -u
Then set DNS for both IPv4 and IPv6 using the NetworkManager²³ (use 84.200.69.80 and not 8.8.8.8):
- Search ' Network Connection'
- Open it
- Then select either WiFi or Ethernet, or whatever you are using, and click on edit. You'll get this:
- Select ipv4 in tabs
- Select addresses only in method
- Enter your DNS name below, and save it (dont use 8.8.8.8, its Google transparent DNS, but e.g. 84.200.69.80)
- Repeat 4-6 for IPv6 also for all interfaces
- Restart NetworkManager "sudo service network-manager restart"
- Go test on dnsleaktest.com
Testing with "dnsleaktest.com" result will now be as intended:
Next chapter shows how to use DNSCrypt to add an extra level of DNS anonymity.
Although DNS leak was fixed by the configuration in the last chapter, some might still want to implement DNSCrypt as an additional level of protection, although it's not strictly needed. First, install DNSCrypt proxy like so:
sudo apt purge dnscrypt-proxy
sudo apt update
sudo apt install dnscrypt-proxy
sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy
sudo apt install resolvconf
sudo nano /etc/NetworkManager/NetworkManager.conf
Then edit "NetworkManager.conf" to look like this:
[main]
dns=default
plugins=ifupdown,keyfile
[ifupdown]
managed=false
[device]
WiFi.scan-rand-mac-address=no
And finally run "./restartDNScrypt.sh", which does the following:
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl restart network-manager
sudo systemctl restart dnscrypt-proxy
In the next chapter another level of anonymity is presented as the use of VPN is discussed.
In the earlier chapters, it was shown how to spoof both the IP address and avoid DNS leak. However, so far the traffic has not been encrypted and could be wiretapped, although our SSH connection in part 2 to the VPS will be encrypted. By using a VPN, wiretapping is avoided and so it is important to use a good VPN to make sure the encryption is strong enough. Furthermore, the effectiveness of a VPN is different compared to if the VPN is used before or after proxy servers. What is even more important is to obtain the VPN service covertly as the use of a credit card VPN, which also keeps logs(!), defeats most of the efforts to be anonymous and acting covertly on the net. Some points that need to be considered choosing a VPN:
- Can be obtained covertly e.g. with cryptocurrency payment
- Log less
- Strong encryption
- Big Keys
- No leak, DNS, IP, WebRTC or other
ExpressVPN and NordVPN, and others, are believed to be such VPNs.
PROXY and VPN vs VPN and PROXY
While it could seem trivial whether to use proxy in front of the VPN or vice versa it is, in fact, crucial in a world were VPNs can't be trusted. In this article, a proxy is used in front of the VPN (seen from the host's side) meaning "not existing" VPN logs will not show the IP of client origin. This only works if the VPN is obtained covertly, as discussed in the later chapter. One way to obtain VPN covertly is covered in the next chapter.
There are several ways to obtain VPN and VPS covertly but if no other method is available, buying a service with bitcoin is a possibility, when done correctly! As this is not an article about bitcoins please refer to the internet for background information regarding bitcoin and/or cryptocurrency. Here, the interest is in obtaining and using bitcoin anonymously and for a full guide please refer to the surf section³⁸. Note also that some cryptocurrencies are believed to be more anonymous than bitcoin, while not as extensively used among vendors. Shortly, to mix/tumble/wash bitcoins a service such as 'Bitblender' or 'Bitmixer' is required. The process is as such³⁸:
- Choose a bitcoin mixing service e.g. 'Bitblender' or 'Bitmixer'
- Use Tor- Onion Router to stay anonymous
- Use Logless VPN (NordVPN is believed to be such a VPN)
- Aquire New Address for Transactions
- Buy/Sell Bitcoins in Cash using fake identiy using tools such as
- LocalBitcoins.com
- Fake Name Generator
- Guerrilla Mail
- Burner phone or service
- For extra safety try JoinMarket and trade
Following this procedure flawlessly it's possible to buy services such as VPN or VPS anonymously using bitcoin. Using bitcoin is only recommendable if other more covert methods are not available since blockchain leaves a "paper trail" that could possibly, in the future could be traced using so far unknown computing power and algorithms. This is somewhat "tinfoil hat" speculation of course. Regardless of how the VPN is obtained, it must be tested and this is the topic of the next chapter.
Sadly, a large percentage of VPNs are useless and not as secure as advertised. In general, there are 4 well-known ways VPN can leak origin host information:
- IP Leak
- DNS Leak
- WebRTC Leak
- MSLeak Test*
*MSLeak is only relevant for users of Microsoft Windows, which is not recommendable to use for anonymity.
In this article 3 tools are used to test anonymity:
Testing a covertly obtained VPN gives results as below:
Result shows VPN location, so test passed.
No WebRTC leak, so test passed.
No DNS leak, so test passed. Note that the DNS Leak test will show proxy or VPN IP depending on which is placed in front (last).
In this article, it was described how to secure the origin host/client, used by the operating agent in a covert pentesting assignment. Each step must be executed perfectly but the included scripts make it possible.
This was part 1 of a 3 part series, part 2 will demonstrate how to setup the VPS server that will run the actual tests and attack scripts; while chapter 3 will demonstrate how a custom test/attack framework could look.
- ¹ Fetch-some-proxies: https://github.com/stamparm/fetch-some-proxies
- ² https://github.com/jorgenkg/python-proxy-rotator
- ³ https://github.com/allfro/pymiproxyhttps://www.thesaurus.com/browse/necessarily
- ⁴ https://github.com/constverum/ProxyBroker
- ⁵ http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
- ⁶ http://www.haproxy.org/
- ⁷ http://blog.databigbang.com/distributed-scraping-with-multiple-tor-circuits/
- ⁸ http://www.delegate.org/delegate/
- ⁹ DNS leak test: https://www.dnsleaktest.com
- ¹⁰ Whats my IP: https://www.whatsmyip.org/
- ¹¹ Browser fingerprinting test: https://panopticlick.eff.org/
- Privacy Tools: https://www.privacytools.io/
- https://ipleak.net/
- ¹² How to force all Linux apps to use SOCKS proxy: https://superuser.com/questions/1401585/how-to-force-all-linux-apps-to-use-socks-proxy?rq=1
- ¹³ https://crosp.net/blog/administration/install-configure-redsocks-proxy-centos-linux/
- ¹⁴ https://unix.stackexchange.com/questions/71429/redirect-all-non-local-traffic-to-a-socks-proxy
- ¹⁵ https://manpages.debian.org/stretch/iptables/iptables-extensions.8.en.html#TPROXY
- ¹⁶ Escape proxy hell with Redsocks: https://jmkhael.io/escape-proxy-hell-with-redsocks/
- ¹⁷ Anonymous SSD VPS: https://anonymously.io/anonymous-vps/
- ¹⁸ Cheap Anonymous VPS Providers: https://cheapvillage.com/cheap-anonymous-vps-providers/
- ¹⁹ Dreamhost with bitcoin: https://bitlaunch.io/
- ²⁰ https://www.smarthomebeginner.com/vpn-kill-switch-with-ufw/
- ²¹ https://support.rackspace.com/how-to/changing-dns-settings-on-linux/
- ²² https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten/163506#163506
- ²³ https://unix.stackexchange.com/questions/494324/how-to-setup-dns-manually-on-linux
- ²⁴ Secure DNS root: https://dns.watch
- ²⁵ Secure DNS root: https://www.opennic.org/
- ²⁶ RDP Manual: https://5socks.net/Manual/rdp_eng.html
- ²⁷ RDP VPN Manual: https://5socks.net/Manual/what_is_rdp_vpn_eng.htm
- ²⁸ https://linuxize.com/post/how-to-setup-ssh-socks-tunnel-for-private-browsing/
- ²⁹ https://www.dnsflex.com/how-to-route-all-network-traffic-from-your-lan-securely-through-a-socks5-proxy-ssh-tunnel-redsocks/
- ³⁰ https://hackertarget.com/ssh-examples-tunnels/
- ³¹ Expose local servers to the internet: https://serveo.net/
- ³² Public URLs for exposing your local web server: https://ngrok.com/
- ³³ Firefox privacy, security and anti-fingerprinting: https://github.com/ghacksuserjs/ghacks-user.js
- ³⁴ The Practical Linux Hardening Guide³⁸: https://github.com/trimstray/the-practical-linux-hardening-guide
- ³⁵ how-to-stay-anonymous: https://www.hackeroyale.com/how-to-stay-anonymous/
- ³⁶ user.js - Firefox configuration hardening : https://github.com/pyllyukko/user.js
- ³⁷ How To Stay Anonymous While Hacking: https://www.tech21century.com/expressvpn-vs-nordvpn-comparison/
- ³⁸ Ways To Guarantee Anonymity When Making Bitcoin Transactions: https://coinsutra.com/anonymous-bitcoin-transactions/