Longchen · 2014/03/20 12:04

0x00 Background


(Editor: In this article Chris Crowley provides some useful details and script configurations on how to use Tor for penetration testing, especially in his discussion of Privoxy. Thanks!)

By Chris Crowley

I think the real value of penetration testing is that it simulates real-world attacks, so penetration testers should try to match their behaviour to that of real attackers. Unlike a real attacker, though, we are still expected to be careful with the target systems; an attacker has no such obligation.

In this article I share a method I often use to hide my source IP. Penetration testers generally need to hide their real IP for two reasons. First, during testing the resources we need to reach may be malicious (or suspected of being malicious). Second, we want to hide the origin of the test, or of the simulated attack, as far as possible.

To study the behaviour of an attacker or of malware, we may need to access resources the attacker controls. A common scenario: users of Facebook or another social-media site are tricked into visiting certain URLs. We do not know exactly how the attacker has set up these redirects, and the resources contain many further links and JavaScript. When a penetration test covers such a scenario, we have to look like an ordinary user visiting these resources, without being noticed by the attacker.

Visiting these malicious sites from our real IP is unwise: it effectively tells the attacker that we are studying their site. A request that looks as if it came from an ordinary victim, on the other hand, tells the attacker that the bait worked. Either way it hands the attacker an address that points back at our system, so hiding our source IP matters a great deal.

In some cases malware only acts once it receives specific instructions. We can try to trigger it with all kinds of commands, but connecting it to a live network is the fastest way. At the same time we do not want the attacker to notice that their malware is running on our system, or they may come after that system next. We only want the behavioural information and the full picture of the attack; once we have enough to reconstruct it, we cut the malware off from the network.

Attackers have a variety of virtual systems at their disposal and do not worry about exposing their source IP. For a penetration tester, a "virtual" IP address is just as important for simulating a real attacker. A few scenarios illustrate this. First, reconnaissance: a skilled attacker does not scan a site repeatedly from the same IP address. Second, service scanning: a site that sees repeated scans from one source will log them; picture instead a scan arriving from many directions, each touching only commonly used services. An attacker will scan the target from some addresses and then attack from others. Third, the real bad guys are after one thing, sensitive information, and a smart one never leaves his real address behind; he uses different systems to create confusion. Fourth, something that will become common for penetration testers this year: testing will increasingly focus on mobile devices.

The approach outlined below can be implemented in several different ways. I will describe one that you can use and tailor to your own needs.

There has recently been some government-related discussion of Tor and of vulnerabilities in Tor Browser Bundle installations (see for example blog.torproject.org/blog/tor-se… and www.mozilla.org/security/an…). For our purposes Tor is good enough. If you are looking for advice on evading federal surveillance of the Tor network, this article is not for you.

0x01 Details


Here are the basic steps:

1. Install and configure Privoxy
2. Install and configure Tor
3. Configure Privoxy to point to Tor
4. Access the Internet through the proxy

Although I demonstrate the steps on Linux, the setup is much the same on other systems such as Windows and Mac OS X. The combination of Privoxy and Tor lets you hop around the Tor network and emerge from a changing exit node, which is a different concept from having a single IP address. Someone who can watch your traffic inside the Tor network may learn who you are communicating with, but that is not my concern here. The point is that nobody knows where the communication originated.

1. Install and configure Privoxy

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads, according to the software's website (www.privoxy.org/). Privoxy has a flexible configuration and can be customized to suit your needs. It can be used on stand-alone systems and on multi-user networks.

It is very easy to install. If your distribution does not package it, go to www.privoxy.org/user-manual…, find your system and follow the steps. On Fedora, for example, you only need:

#!bash
yum -y install privoxy

Of course, you can also use other HTTP proxy tools, such as Polipo.

2. Install and configure Tor

Tor's website (www.torproject.org/) describes it as follows: Tor was originally designed, implemented and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today it is used every day for all kinds of purposes by ordinary people all over the world, as well as by soldiers, journalists, government staff, politicians and many others.

Here is some background on how Tor works: www.torproject.org/about/overv…

If that has piqued your curiosity, you can download it here: www.torproject.org/docs/docume…

Tor's warnings and limitations are listed here: www.torproject.org/download/do…

If you already know Tor but cannot connect to the Tor network directly, for reasons we all know (a firewall that blocks it, for instance), see here for how to connect through a bridge: www.torproject.org/docs/bridge…

3. Configure Privoxy to point to Tor

The main reason I chose the Privoxy/Tor combination is DNS. If all I want is to keep my DNS lookups from revealing my interest to the local resolver, I can simply switch to a public DNS server (such as 8.8.8.8), but that only changes who gets to see the queries. Privoxy adds the ability to block requests, and it avoids local DNS queries that would expose our interest altogether.

The configuration is simple. On Linux, point Privoxy at Tor's SOCKS port; because the forward is SOCKS5, Privoxy passes the hostname to Tor instead of resolving it locally, so both the name lookup and the HTTP request travel through the Tor network.

To have Tor forward requests for you, add the following line to Privoxy's config:

forward-socks5 / 127.0.0.1:9050 .

Here is the full Privoxy configuration file with the comment lines stripped out. Note that listen-address :8123 binds port 8123 on every interface, so any host that can reach this machine may use it as its way into Tor; unless you need that (for example for devices routed through this box), listen-address 127.0.0.1:8123 is the safer choice. Every request is forwarded directly to Tor on 127.0.0.1:9050.

#!bash
$ grep -v "^#" /etc/privoxy/config
confdir /etc/privoxy
logdir /var/log/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
listen-address :8123
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forward-socks5 / 127.0.0.1:9050 .
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok

4. Access the Internet through the proxy

A) Set the proxy environment variables (http_proxy, https_proxy, ftp_proxy) so that command-line tools reach the Internet through the proxy.

For example, wget. Wget is a command-line download tool; it can fetch a single URL or follow links recursively across a site, like so:

#!bash
$ export http_proxy=http://127.0.0.1:8123
$ wget -nc -nd http://www.willhackforsushi.com/subscriptions.xml

In the example above I wanted to read Josh's list of RSS feeds without him knowing that I was reading them. To watch the page for changes I fetch it every minute from cron:

#!bash
* * * * * http_proxy=http://127.0.0.1:8123 wget -N -nd http://www.willhackforsushi.com/subscriptions.xml

Two details matter here. Cron jobs do not inherit the variables exported in your interactive shell, so the proxy has to be set on the crontab line itself; otherwise the fetch goes out directly and exposes exactly the source address you were trying to hide. And wget's -nc never re-downloads a file that already exists, so with -nc the job would fetch the feed once and then stop; -N (timestamping) re-fetches only when the server's copy is newer than the local one.

Now, wget is a well-behaved web robot. When crawling recursively it first requests the site's robots.txt, as the convention requires, and strictly obeys what that file says. Wget also has the -nc option, which I used in the example above. It stands for "no-clobber": do not download files that have already been downloaded. In fact wget does not even request such a file; it checks the file system first and, if a file of that name already exists, skips it. So:

#!bash
touch robots.txt; wget -nc -nd http://www.willhackforsushi.com/subscriptions.xml

tells wget not to fetch willhackforsushi.com's robots.txt, because an (empty) robots.txt has "already been downloaded", and an empty robots.txt disallows nothing. (wget also accepts -e robots=off, which achieves the same thing without the trick.)
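The cron and wget examples above both depend on Privoxy actually being up: if it is not, the fetch must fail rather than fall back to the real address. As an added example, not code from the original article, here is a fail-closed wrapper that checks the proxy port, confirms through the proxy that the exit really is a Tor node, and only then runs wget. It assumes Privoxy on 127.0.0.1:8123 as configured above; the check.torproject.org /api/ip endpoint (which answers {"IsTor":true,"IP":"..."}) is a real service, while the function names and the wrapper's structure are this example's own.

```bash
#!/bin/bash
# Added example, not part of the original article: a fail-closed fetch wrapper
# for one-off downloads and for cron jobs. Assumes Privoxy on 127.0.0.1:8123;
# the check.torproject.org /api/ip endpoint is real, the rest is this example's
# own design. Nothing is fetched unless the proxy answers and the exit is Tor.

PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-8123}"

# True when something accepts connections on the proxy port (bash /dev/tcp,
# so no nc dependency). A dead proxy must stop us, not be bypassed.
proxy_listening() {
    (exec 3<>"/dev/tcp/$PROXY_HOST/$PROXY_PORT") 2>/dev/null
}

# Pure parser for the check.torproject.org reply, testable offline: prints the
# exit IP and returns 0 only if "IsTor" is true; any other reply is a refusal.
tor_exit_from_json() {
    json=$(printf '%s' "$1" | tr -d ' \n\t')   # tolerate pretty-printed JSON
    case "$json" in
        *'"IsTor":true'*) ;;
        *) return 1 ;;
    esac
    ip=$(printf '%s' "$json" | sed -n 's/.*"IP":"\([^"]*\)".*/\1/p')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Ask check.torproject.org, through the proxy, whether our exit really is Tor.
# Going via the proxy is the point: it exercises the same CONNECT path that
# wget or curl will use for the real target.
verify_tor_exit() {
    json=$(curl -s --max-time 30 --proxy "http://$PROXY_HOST:$PROXY_PORT" \
        https://check.torproject.org/api/ip) || return 1
    tor_exit_from_json "$json"
}

# Fetch with wget only after both checks pass. The proxy variables are set on
# the command itself, so this works unchanged from cron, which does not inherit
# anything exported in an interactive shell. -N re-fetches only when the
# server copy is newer, which is what a "watch this page" job wants.
tor_fetch() {
    url="$1"
    if ! proxy_listening; then
        echo "proxy $PROXY_HOST:$PROXY_PORT is not listening; refusing to fetch" >&2
        return 2
    fi
    exit_ip=$(verify_tor_exit) || { echo "exit is not a Tor node; refusing to fetch" >&2; return 3; }
    echo "fetching $url via Tor exit $exit_ip" >&2
    http_proxy="http://$PROXY_HOST:$PROXY_PORT" https_proxy="http://$PROXY_HOST:$PROXY_PORT" \
        wget -q -N -nd "$url"
}

# Usage: tor_fetch.sh URL     (cron: * * * * * /path/tor_fetch.sh http://...)
if [ -n "${1:-}" ]; then
    tor_fetch "$1"
fi
```

The wrapper returns a distinct exit code for each way it can refuse (proxy down, exit not Tor, wget failure), so a cron job that mails on non-zero status tells you which link in the chain broke, and in no case does a request leave the machine outside Tor.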

B) Start the Android emulator with the -http-proxy option

A good way to test apps is to install them in an Android emulator. When you start the emulator from the command line, pass "-http-proxy ipaddr:port".

Make sure Privoxy is running first. If the emulator cannot reach Privoxy's local port, the setting is dropped; all you get is a graphical warning.

Here’s an example:

#!bash
emulator -avd icecreamsandwich -partition-size 256 -http-proxy 127.0.0.1:8123

All TCP connections from the emulator now go through Privoxy into the Tor network.

Not to be overlooked: start Privoxy before the emulator and confirm that it is listening on the local port. If the emulator cannot connect to the Privoxy port when it starts, it silently ignores the proxy option and uses the host's network directly, exposing our source IP. Also note that the option, as documented, proxies TCP connections; the emulated device resolves names through the emulator's built-in DNS relay on the host, so use the tcpdump check in section D to confirm that no port 53 traffic leaves the host.

C) Configure an application (or device) to use the proxy

The http_proxy environment variable is handy for command-line tools because most of them honour it. Graphical applications, however, do not read the shell's environment variables and keep their own proxy settings, so you configure each such application to use the proxy. In Chrome, for example:

Open Chrome, enter "chrome://settings/" and choose the advanced options. Under Network, click "Change proxy settings" and set the HTTP and HTTPS proxy to 127.0.0.1:8123.

(All major browsers have similar Settings.)

D) Redirect packets to the proxy with iptables rules

If an application neither honours the proxy environment variables nor offers its own proxy setting, you can have iptables NAT its packets to the proxy instead. Two caveats before relying on the script below. The PREROUTING chain only sees packets that arrive on an interface, that is, traffic from other hosts (phones, VMs) that use this machine as their gateway, which is why the script enables IP forwarding; packets generated on the machine itself traverse the OUTPUT chain and are not caught. And Privoxy only accepts transparently redirected requests when its config has accept-intercepted-requests 1 (the configuration above sets it to 0), and it cannot make sense of redirected port 443 traffic at all, since that arrives as raw TLS rather than as an HTTP CONNECT request.

Here is a bash script I often use:

#!bash
#!/bin/bash
## CHECK FOR ROOT
wai=`whoami`
if [[ "$wai" != "root" ]]
then
  echo "You need to be uid 0. Re-run as: sudo $0"
  exit
fi
## SET SYSTEM TO PREROUTING IP PACKETS
echo "1" > /proc/sys/net/ipv4/ip_forward
## HTTP TRAFFIC
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8123
## HTTPS TRAFFIC
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8123
## CHECK FOR PRIVOXY
pgrep -fl privoxy > /dev/null 2>&1 || echo -e "Are you sure privoxy is running?\nOr maybe you intend to use something else I didn't check for."
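For applications that cannot speak to a proxy at all, Tor itself offers a cleaner target than Privoxy: its TransPort accepts transparently redirected TCP and its DNSPort answers redirected UDP/53 queries over the Tor network, so no HTTP-proxy awareness is needed and TLS passes through untouched. The following is an added example, not the author's script, that generates and applies such rules, covers both locally generated traffic (OUTPUT) and gateway traffic (PREROUTING), and ends the filter table with a REJECT so that whatever the redirects do not catch is dropped instead of leaking, which addresses the "falls back to the real network" failure mode noted for the emulator. It also carries the tcpdump leak check described in the test further down the article. It assumes torrc contains TransPort 9040 and DNSPort 5353 (assumed values for two standard Tor options, and Tor must bind them on the LAN address too if you use the gateway rules) and that Tor runs under its own uid, which you pass in.

```bash
#!/bin/bash
# Added example, not the article's script: transparent Tor redirection that
# fails closed. Assumes torrc has "TransPort 9040" and "DNSPort 5353" (assumed
# values) and that Tor runs under a dedicated uid (debian-tor on Debian,
# toranon on Fedora; pass the uid explicitly). Without the "apply" argument
# nothing is touched: tor_rules only prints the commands.

# Print the iptables commands, one per line. Order matters: Tor's own packets
# and loopback are exempted first, DNS (udp/53) goes to DNSPort, every other
# new TCP connection goes to TransPort, and the filter table ends in REJECT so
# anything the redirects did not catch is dropped instead of leaking.
# Args: transport dnsport tor_uid [lan_if]
tor_rules() {
    trans="$1"; dns="$2"; uid="$3"; lanif="${4:-}"
    # nat OUTPUT: traffic generated on this host (the article's PREROUTING
    # rules never see these packets)
    echo "iptables -t nat -A OUTPUT -m owner --uid-owner $uid -j RETURN"
    echo "iptables -t nat -A OUTPUT -o lo -j RETURN"
    echo "iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns"
    echo "iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans"
    # nat PREROUTING: phones or VMs that use this host as their gateway;
    # Tor must then bind TransPort/DNSPort on the LAN address as well
    if [ -n "$lanif" ]; then
        echo "iptables -t nat -A PREROUTING -i $lanif -p udp --dport 53 -j REDIRECT --to-ports $dns"
        echo "iptables -t nat -A PREROUTING -i $lanif -p tcp --syn -j REDIRECT --to-ports $trans"
    fi
    # filter OUTPUT: fail closed
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -j REJECT"
}

# Apply the rules, but only as root and only if Tor is actually listening on
# TransPort; with the REJECT rule in place a missing listener would otherwise
# cut all traffic rather than leak it (safe, but not what you want).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 apply ..." >&2; return 1; }
    ss -lnt | grep -q ":$1 " || { echo "nothing listening on TransPort $1; not applying" >&2; return 1; }
    tor_rules "$@" | while read -r cmd; do eval "$cmd"; done
}

# Leak test to run after applying: nothing in clear on udp/53 or tcp/80 should
# leave the external interface. Port 443 is deliberately not watched, because
# Tor itself talks TLS to its guard relay, often on 443 or 9001. tcpdump exits
# 0 when it captures its one packet (a leak); timeout returns 124 when the
# interface stayed quiet.
leak_check() {
    extif="$1"
    if timeout 15 tcpdump -nn -i "$extif" -c 1 'udp port 53 or tcp port 80' >/dev/null 2>&1; then
        echo "LEAK: cleartext DNS or HTTP left $extif"
        return 1
    fi
    echo "clean: no DNS/HTTP left $extif in 15s"
}

# Usage: script.sh apply 9040 5353 <tor_uid> [lan_if]   |   script.sh leak eth0
case "${1:-}" in
    apply) shift; apply_rules "$@" ;;
    leak)  leak_check "${2:-eth0}" ;;
    *) ;;    # no arguments: only define the functions
esac
```

Run it once without arguments to inspect the generated rules (`tor_rules 9040 5353 "$(id -u debian-tor)" eth1`), then with `apply`, and finish with `leak` while generating traffic from the host or a routed device.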

Once I thought it was set up, I tested how it looked. Fetch Google with wget:

#!bash
wget http://www.google.com

Then I used tcpdump to capture packets and look at them:

#!bash
tcpdump -Xnnv -i eth0 port 80 or port 443 or port 53

If the proxy works properly, none of my requests should be visible on eth0: no DNS lookup on port 53 and no HTTP on port 80, because both are handed to Privoxy on loopback and from there to Tor. (Tor's own connection to its guard relay is TLS and often runs on port 443 or 9001, so expect to see that.)

Notice that my request was redirected to google.fr: the Tor exit node for this circuit happened to be in France.

Now go forth and test. Make sure your work is authorized, of course. For example, take a look at how some of the apps on your home network actually behave.

Now that you have a degree of anonymity (and, I assume, a degree of authorization), you can crawl target sites, download malware for research, or run the apps you are testing, without worrying about your source location being exposed.

from:http://pen-testing.sans.org/blog/pen-testing/2014/03/16/tor-nonymous-using-tor-for-pen-testing