Disclaimer & Caveat Lector: This article is for educational purposes only. The author is not responsible for any misuse or wrong doing. Always follow the law, whitehat hacking ethics, good business practice as well as industry standards.
- By Shiva @ CPH:SEC : https://cph-sec.github.io/
- Quality Control by xxx @ xxxx
This is the first part of a series on how to build a covert pentesting infrastructure. Part 1 will focus on setting up the attackers localhost, that will then be able to connect to the attack VPS cloud server covertly using a mix of socks5 -, DNS -proxies and VPN. The knowledge in these articles comes in handy for red teaming or engagements that require anonymity. As a reader you will learn a state of the art modern method thats is not costly to build a pentesting infrastructure. The article series is as suchs:
- Part 1: Attacker Localhost Setup (This article)
- Part 2: Workhorse VPS /Cloud Installation and Setup
- Part 3: Custom Attack / Explotation Software
See the below illustration to get an overview of this project. Part 1 covers "Hacker Host", Proxies and VPN.
The last chapter "Surf" includes a large reference of links, should the reader be interested.
The attackers localhost is the machine that must never be compromised or traced as it will reveal the identity of the operating agent. One could argue that part 1 is therefore the most important of the 3 parts.
A short primer checklist before the actual deepdive into tech anonymity:
- Change MAC address of network cards using "macchanger"
- Close all apps and background services connected to the web (use netstat)
- All tracking in browser and OS are turned off and blocked (hardened)³³⁻³⁶
- Bitcoins are properly mixed and using a third-party wallet
- Connect to (multiple) scraped anon socks5 proxy and secured DNS proxy
- Connect to a logless VPN that was obtained covertly
- Connect to the internet through Tor or other browser that does not allow fingerprinting
- DNS settings are configured to use a logless DNS
- Logged out of all online accounts
- Emails are sent using burner accounts
- New accounts registered and logged in with burner emails
- Search with DuckDuckGo or StartPage
- Use foreign hardware, if at all possible. Preferly other than your neighbours WiFi.*
*Note that WiFi hotspots in e.g. cafés often user more tracking than the average 4G data connection.
In order to setup a proxy server (see Redsocks chapter) with random proxies first some proxies must be fetched. This is done by using the tool "fetch-some-proxies"¹. Simply run ./fetch.sh to fetch proxies which will execute the following commands:
sudo python fetch-some-proxies/fetch.py | tee proxyscrape.tmp
sudo grep -e "elite" proxyscrape.tmp > proxyscrape2.tmp
sudo grep -e "socks5" proxyscrape2.tmp > proxyscrape.lst
rm proxyscrape*.tmp
cat proxyscrape.lst
Only socks5 proxies of the elite type is of interest as several protocols must be routed to the proxy and with as high an anonymity as possible.
As unwanted proxies are now filtered away a proxy with short latency is chosen from "proxyscrape.lst", e.g. socks5://178.62.59.71:4076 . Now that the proxy list is populated the next chapter will show how to use a scraped proxy with redsocks.
"Redsocks is the tool that allows you to proxify (redirect) network traffic through a SOCKS4, SOCKS5 or HTTPs proxy server. It works on the lowest level, the kernel level (iptables). The other possible way is to use application level proxy, when the proxy client is implemented in the same language as an application is written in. Redsocks operates on the lowest system level, that’s why all running application don’t even have an idea that network traffic is sent through a proxy server, as a result it is called a transparent proxy redirector." ¹⁴
sudo apt-get install redsocks
sudo nano /etc/redsocks.conf
Then insert redsocks.conf file included (see below) and continue:
sudo redsocks -c /etc/redsocks.conf
redsocks.conf :
base {
log_debug = on;
log_info = on;
log = "stderr";
daemon = off;
redirector = iptables;
}
redsocks {
local_ip = 127.0.0.1;
local_port = 12345;
// socks5://178.62.59.71:4076
ip = 178.62.59.71;
port = 4076;
type = socks5;
// known types: socks4, socks5, http-connect, http-relay
// login = username;
// password = password;
}
dnstc {
// fake and really dumb DNS server that returns "truncated answer" to
// every query via UDP, RFC-compliant resolver should repeat same query
// via TCP in this case.
local_ip = 127.0.0.1;
local_port = 5300;
}
// you can add more `redsocks' and `redudp' sections if you need.
This concludes the installation and setup of redsocks. However, to route all traffic trough redsocks and the scraped proxy iptables are required. For installing iptables and setting up with redsocks refer to "debian manpages"¹⁶ and stackexchange¹⁵. In any case, using the script included with this project both redsocks and iptables can be started using "./startREDsocks.sh":
#!/usr/bin/env bash
sudo ./restartDNScrypt.sh
sudo ./iproute.sh
echo "Starting redsocks..."
sudo redsocks -c /etc/redsocks.conf
sudo ./resetiproute.sh
sudo ./myip.sh
While DNScrypt and secure DNS in general will be covered in the next chapter "Secure DNS", ./iproute.sh routes traffic through redsocks proxy with iptables and "./resetiproute.sh" stops the routing through redsocks. A closer look:
#!/usr/bin/env bash
echo "Routing selected ports trough redsocks proxy"
echo " "
sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 22 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDSOCKS
Note that depending on what ports should be forwarded it might be necessary add or change dport lines. As for "resetiproute.sh" it works like so:
#!/usr/bin/env bash
echo "Resetting IPtables i.e. stop routing trough redsocks proxy"
echo " "
sudo iptables -F
sudo iptables -X
sudo iptables -Z
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t nat -Z
killall redsocks
For more information on iptables please refer to "How to force all Linux apps to use SOCKS proxy" ¹².
Adding additional proxies to redsocks doesnt necessarily lead to higher anonymity or security, as the proxies are not chained and still DNS leak, but will help balacing the load. As before "/etc/redsocks.conf" file must be edited, this time with additional chapters, like so:
**More proxies**
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11080;
port = 1080;
}
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11081;
port = 1081;
}
redsocks {
local_ip = 127.0.0.1; ip = 127.0.0.1; type = socks5;
local_port = 11082;
port = 1082;
}
Furthermore, "iproute.sh" needs to be updated accordingly:
iptables … -m random --mode random --probability 0.3333333333 -j REDIRECT --to-ports 11080
iptables … -m random --mode random --probability 0.3333333333 -j REDIRECT --to-ports 11081
iptables … -j REDIRECT --to-ports 11082
Now enjoy seemless proxy rotation.
The purpose of this project is to be covert and despite the use of socks5 proxy there is still DNS leak, although IP is now spoofed. To test different scenarios "dnsleaktest.com" ⁹ is utilized and although origin IP is spoofed, showing IP of the proxy, a "dnsleaktest.com" extended test still show original IP. To avoid this DNS must be covert and so this is covered in the next chapter "Secure DNS".
Proxies and IP-spoofing is pointless without a secure DNS as DNS leak will reveal the origin IP. (Good) VPNs setup their own DNS for same and could VPNs be thrusted solely scraped proxy and secure DNS would not be required. As this is not the case read on.
There are several services that delivers DNS over proxy. For more information on DNS via proxy please refer to the surf section "Anon DNS Servers" ²⁴ ²⁵. Setting up a DNS proxy is quite straightforward, in the following example https://dns.watch ²⁴ DNS servers are applied. First update the resolver configuration:
sudo nano /etc/resolvconf/resolv.conf.d/base
nameserver 84.200.69.80
nameserver 84.200.70.40
sudo resolvconf -u
Then set DNS for both IPv4 and IPv6 using the NetworkManager²³ (use 84.200.69.80 and not 8.8.8.8):
- Search ' Network Connection'
- Open it
- Then select either WiFi or Ethernet, or whatever you are using, and click on edit. You'll get this:
- Select ipv4 in tabs
- Select addresses only in method
- Enter your DNS name below, and save it (dont use 8.8.8.8, its Google transparent DNS, but e.g. 84.200.69.80)
- Repeat 4-6 for IPv6 also for all interfaces
- Restart NetworkManager "sudo service network-manager restart"
- Go test on dnsleaktest.com
Testing with "dnsleaktest.com" result will now be as intended:
Next chapter shows how to use DNSCrypt to add an extra level of DNS anonymity.
Although DNS leak was fixed by the configuration in the last chapter, some might still want to implemented DNSCrypt as an additional level of protection, although its not strictly needed. First install DNSCrypt proxy like so:
sudo apt purge dnscrypt-proxy
sudo apt update
sudo apt install dnscrypt-proxy
sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy
sudo apt install resolvconf
sudo nano /etc/NetworkManager/NetworkManager.conf
Then edit "NetworkManager.conf" to look like this:
[main]
dns=default
plugins=ifupdown,keyfile
[ifupdown]
managed=false
[device]
WiFi.scan-rand-mac-address=no
And finally run "./restartDNScrypt.sh", which does the following:
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl restart network-manager
sudo systemctl restart dnscrypt-proxy
In the next chapter another level of anonymity is presented as the use of VPN is discussed.
In earlier chapters it was shown how to spoof both IP address and avoid DNS leak. However, so far traffic has not been encrypted and so could be wiretapped, although our SSH connection in part 2 to the VPS will be encrypted. By using a VPN wiretapping is avoided and so it is important to use a good VPN to make sure encryption is strong enough. Furthermore, the effectiveness of a VPN is much different if VPN is used before or after proxy servers. What is even more important is to obtain VPN service covertly as the us of a credit card VPN, that also keep logs(!), defeats most of efforts to be anonymous and acting covertly on the net. Some points that need to be considered choosing a VPN:
- Can be obtained covertly e.g. with cryptocurrency payment
- Logless
- Strong encryption
- Big Keys
- No leak, DNS, IP, WebRTC or other
ExpressVPN and NordVPN, and others, are believed to be such VPNs.
PROXY and VPN vs VPN and PROXY
While the it could seem trivial whether to use proxy in front of the VPN or vice versa it is in fact crucial in a world were VPNs cant be trusted. In this article a proxy is used in front of the VPN (seen from the hosts side) meaning "not exisiting" VPN logs will not show the IP of client origin. This only works if the VPN is obtained covertly, as discussed in the laster chapter. One way to obtain VPN covertly is covered in the next chapter.
There are several ways to obtain VPN and VPS covertly but if no other method is available buying a service with bitcoin is a possibility, when done correctly! As this is not an article about bitcoins please refer to the internet for background information regarding bitcoin and/or cryptocurrency. Here, the interest is in obtaining and using bitcoin anonymously and for a full guide please refer to the surf section³⁸. Note also that some cryptocurrencies are believed to be more anonymous than bitcoin, while not as extensively used among vendors. Shortly, to mix/tumble/wash bitcoins a service suchs a 'Bitblender' or 'Bitmixer' is required. The process is a such³⁸:
- Choose a bitcoin mixing service e.g. 'Bitblender' or 'Bitmixer'
- Use Tor- Onion Router to stay anonymous
- Use Logless VPN (NordVPN is believed to be such a VPN)
- Aquire New Address for Transactions
- Buy/Sell Bitcoins in Cash using fake identiy using tools such as
- LocalBitcoins.com
- Fake Name Generator
- Guerilla Mail
- Burner phone or service
- For extra safety try JoinMarket and trade
Following this procedure flawlessly its possible to buy services such as VPN or VPS anonymously using bitcoin. Using bitcoin is only recommendable if other more covert methods are not available since blockchain leaves a "paper trail" that could possibly, in the future could be traced using so far unknown computing power and algorithms. This is somewhat "tinfoil hat" speculation of course. Regardless how the VPN is obtained it must be tested and this is the topic of the next chapter.
Sadly, a large percentage of VPNs are useless and not as secure as advertised. In general there are 4 well known ways VPN can leak origin host information:
- IP Leak
- DNS Leak
- WebRTC Leak
- MSLeak Test*
*MSLeak is only relevant for users of Microsoft Windows, which is not recommendable to use for anonymity.
In this article 3 tools are used to test anonymity:
Testing a covertly obtained VPN gives results as below:
Result shows VPN location, so test passed.
No WebRTC leak, so test passed.
No DNS leak, so test passed. Note that the DNS Leak test will show proxy or VPN IP depending on which is placed in front (last).
In this article it was described how to secure the origin host/client, used by the operating agent in a covert pentesting assignment. Each step must be executed perfectly but the included scripts makes it possible.
This was part 1 of a 3 part series, part 2 will demonstrate how to setup the VPS server that will run the actually tests and attack scripts; while chapter 3 will demonstrate how a custom test / attack framework could look.
- ¹ Fetch-some-proxies: https://github.com/stamparm/fetch-some-proxies
- ² https://github.com/jorgenkg/python-proxy-rotator
- ³ https://github.com/allfro/pymiproxyhttps://www.thesaurus.com/browse/necessarily
- ⁴ https://github.com/constverum/ProxyBroker
- ⁵ http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
- ⁶ http://www.haproxy.org/
- ⁷ http://blog.databigbang.com/distributed-scraping-with-multiple-tor-circuits/
- ⁸ http://www.delegate.org/delegate/
- ⁹ DNS leak test: https://www.dnsleaktest.com
- ¹⁰ Whats my IP: https://www.whatsmyip.org/
- ¹¹ Browser fingerprinting test: https://panopticlick.eff.org/
- Privacy Tools: https://www.privacytools.io/
- https://ipleak.net/
- ¹² How to force all Linux apps to use SOCKS proxy: https://superuser.com/questions/1401585/how-to-force-all-linux-apps-to-use-socks-proxy?rq=1
- ¹³ https://crosp.net/blog/administration/install-configure-redsocks-proxy-centos-linux/
- ¹⁴ https://unix.stackexchange.com/questions/71429/redirect-all-non-local-traffic-to-a-socks-proxy
- ¹⁵ https://manpages.debian.org/stretch/iptables/iptables-extensions.8.en.html#TPROXY
- ¹⁶ Escape proxy hell with Redsocks: https://jmkhael.io/escape-proxy-hell-with-redsocks/
- ¹⁷ Anonymous SSD VPS: https://anonymously.io/anonymous-vps/
- ¹⁸ Cheap Anonymous VPS Providers: https://cheapvillage.com/cheap-anonymous-vps-providers/
- ¹⁹ Dreamhost with bitcoin: https://bitlaunch.io/
- ²⁰ https://www.smarthomebeginner.com/vpn-kill-switch-with-ufw/
- ²¹ https://support.rackspace.com/how-to/changing-dns-settings-on-linux/
- ²² https://unix.stackexchange.com/questions/128220/how-do-i-set-my-dns-when-resolv-conf-is-being-overwritten/163506#163506
- ²³ https://unix.stackexchange.com/questions/494324/how-to-setup-dns-manually-on-linux
- ²⁴ Secure DNS root: https://dns.watch
- ²⁵ Secure DNS root: https://www.opennic.org/
- ²⁶ RDP Manual: https://5socks.net/Manual/rdp_eng.html
- ²⁷ RDP VPN Manual: https://5socks.net/Manual/what_is_rdp_vpn_eng.htm
- ²⁸ https://linuxize.com/post/how-to-setup-ssh-socks-tunnel-for-private-browsing/
- ²⁹ https://www.dnsflex.com/how-to-route-all-network-traffic-from-your-lan-securely-through-a-socks5-proxy-ssh-tunnel-redsocks/
- ³⁰ https://hackertarget.com/ssh-examples-tunnels/
- ³¹ Expose local servers to the internet: https://serveo.net/
- ³² Public URLs for exposing your local web server: https://ngrok.com/
- ³³ Firefox privacy, security and anti-fingerprinting: https://github.com/ghacksuserjs/ghacks-user.js
- ³⁴ The Practical Linux Hardening Guide³⁸: https://github.com/trimstray/the-practical-linux-hardening-guide
- ³⁵ how-to-stay-anonymous: https://www.hackeroyale.com/how-to-stay-anonymous/
- ³⁶ user.js - Firefox configuration hardening : https://github.com/pyllyukko/user.js
- ³⁷ How To Stay Anonymous While Hacking: https://www.tech21century.com/expressvpn-vs-nordvpn-comparison/
- ³⁸ Ways To Guarantee Anonymity When Making Bitcoin Transactions: https://coinsutra.com/anonymous-bitcoin-transactions/