proxycannon / proxycannon-ng Goto Github PK

A private botnet using multiple cloud environments for pentesters and red teamers. - Built by the community during a hackathon at the WWHF 2018 security conference

Shell 77.07% HCL 22.93%

proxycannon-ng's Introduction

ProxyCannon-NG

Thank you Wild West Hackin' Fest for your help and support in our community-driven hackathon! We've created a on-demand proxy tool that leverages cloud environments giving a user the ability to source (all) your traffic from an endless supply of cloud based IP address. Think of it as your own private TOR network for your redteam and pentest engagements. No more defenses throttling and blocking you!

Hackathon sponsored by Sprocket Security and hosted at Wild West Hackin' Fest 2018

Hackathon Results

In two days, we built the initial release of proxycannon-ng. We're in the process of ironing out final changes and will continue to improve the tool.

Objectives:

~~VPN Server Build (scripted)~~
~~Client VPN (Full Tunnel)~~
~~Terraform Node Management (Build, Destroy, Routing)~~
~~AWS Multipath Node Routing (Load Balanced Exit Nodes)~~
Node VPN Tunnels
Support multiple cloud environments (initial release only supports AWS)

Implementation Diagram

Video Demo

Setup

The control-server is a OpenVPN server that your workstation will connect to. This server always remains up. Exit-nodes are systems connected to the control-server that provides load balancing and multiple source IP addresses. Exit-nodes can scale up and down to suite your needs.

AWS (setup the control-server)

1. Create a separate SSH key pair

In the AWS console, go to services (upper left)
Select EC2 under the Compute section.
Select Key Pairs in the nav on the left.
Select Create Key Pair and name it 'proxycannon'.
Download and save the key to ~/.ssh/proxycannon.pem

2. Launch the control-server instance

Launch (1) Ubuntu Server t1-micro instance, recommend public AMI ami-0f65671a86f061fcd, and use the "proxycannon" keypair.
Login to the control-server and download proxycannon-ng:
git clone https://github.com/proxycannon/proxycannon-ng
cd into proxycannon-ng/setup and run sudo ./install.sh

3. Create a new IAM user, set the needed permissions, and copy over your keys. It's quick:

In the AWS console, go to services (upper left)
Select IAM under the Security, Identity & Compliance section
In IAM, select Users in the nav on the left.
Select Add user
Fill out a User name, and for access type, select programmatic access. Click Next.
Select the tab/box that's labeled Attach existing policies directly. Add the following policy: AmazonEC2FullAccess. Click Next, than Create user
Copy the access key and secret for the control-server and paste it in ~/.aws/credentials ex:

[default]
aws_access_key_id = REPLACE_WITH_YOUR_OWN
aws_secret_access_key = REPLACE_WITH_YOUR_OWN
region = us-east-2

4. Setup terraform

Perform the following on the control-server:

Copy your proxycannon.pem SSH key into ~/.ssh/proxycannon.pem
cd into proxycannon-ng/nodes/aws and edit the variables.tf file updating it with the subnet_id. This is the same subnet_id that your control server is using. You can get this value from the AWS console when viewing the details of the control-server instance. Defining this subnet_id makes sure all launched exit-nodes are in the same subnet as your control server.
Run terraform init to download the AWS modules. (you only need to do this once)

5. Copy OpenVPN files to your workstation

Copy the following files from the control-server to the /etc/openvpn directory on your workstation:

~/proxycannon-client.conf
/etc/openvpn/easy-rsa/keys/ta.key
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client01.crt
/etc/openvpn/easy-rsa/keys/client01.key

Test OpenVPN connectivity from your workstation by running:

openvpn --config proxycannon-client.conf

Setup Completed! yay! From now on you'll only need to connect to the VPN to use proxycannon-ng. The next section details how to add and remove exit-nodes (source IPs):

Managing exit-nodes

Scaling of exit-nodes is controlled on the control-server using terraform.

Scale up exit-nodes

To create AWS exit-nodes, do the following:

cd into proxycannon-ng/nodes/aws
Edit the count value in variables.tf to the number of exit-nodes (source IPs) you'd like
run terraform apply to launch the instances.

Scale down exit-nodes

If you want to stop all exit-nodes run terraform destroy.
OR
Scaling down exit-nodes can be done by reducing the count value in variables.tf and running terraform apply again. Terraform will automatically remove X number of exit-node instances.

Developers:

@jarsnah12 - original proxycannon v1 author
@w9hax - mad openVPN skillz
@caseycammilleri - Gets lost deep in iptables
@jaredhaight - Streamlining install and a ton of improvements

Special thanks to @i128 (@jarsnah12 on twitter) for developing the original proxycannon tool that is our inspirartion.

Known Issues and Troublshooting

See Wiki

proxycannon-ng's People

Contributors

Stargazers

Watchers

Forkers

dannymas secretsquirrel zard777 analyticsearch raystyle orf53975 404ram slowmistio qsdj johnjohnsp1 wisdark yourdomainadmin fo0nikens killvxk w9hax hapazores jaredhaight ro9ueadmin a-min3 flatl1neapt slooppe w00t3k open-sec ellerbrock cloud-architecture unsecureio gavz inosec offseccat rev-lulz soldie 1nf1natel00p3r a-tyler tuxcmd blancloup imulmul sh1nu11bi ryanbreed thomashillman mepreet superuser5 er4z0r fracturelabs libertyunix 3453-315h shiriskumar hawkeyeone nigeldaniels jg789346bnfgewrew09876345 jakuta-tech fuckup1337 yazzou matbogdan79 meodz jandress nextgenhacker rev10d shinoby92 chanpu9 snifer-l4b-s blacklanternsecurity y0d4a on1-tech r0secr01x myhkho sumodgeorge fdlucifer omaramin17 mijobar n8tr0n fulanah-binti-fulanah darksidesfear cleristonfreitas kymb0 r3dc4t0x00 dev0x41 joker-xiaoyan rafaeljimenez85 jedigh0st pianomanx sec99 bl4cklabel88 pandora-research ly4e tnfsmith pantyhose-x testitok cyberopsninja s4lt5 dtnguyen22 natecrisler chgsyh promiselander net-protect

proxycannon-ng's Issues

race condition on route deletion scripts

the terraform local provisioner will execute the del_route.bash script on destruction of an exit-node. The way the del_route.bash script is written a race condition can exist and an exit-node IP will be removed but later added by another executing instance of del_route.bash.

engineering notes:
fix this by serializing script execution. try pidof del_script.bash

Error: Incorrect attribute value type

I am getting the 'list of string required' below. I tried replacing /root with ~ without help.

on main.tf line 5, in provider "aws":
│ 5: shared_credentials_files = "/root/.aws/credentials"
│
│ Inappropriate value for attribute "shared_credentials_files": list of string required.

Sexy

y'all too sexy

Can we use VPC/subnets instead of instances?

I think its worth investigating to see if we can ditch instances altogether and just launch multiple VPCs or subnets to achieve the same desired results of exit-nodes (simple routing and NATing).

note - this only would apply if the control-server and exit-nodes are in the same cloud provider (AWS).

Terraform Mods do not Properly Update .routecmd

When using terraform destroy and terraform apply, the AWS changes execute successfully but the proxycannon-ng/nodes/aws/.routecmd does not get updated to purge the old hosts out of the route table loadb set. The effect is that random packets get dropped as a result of being routed to hosts that don't exist anymore. Took me awhile to figure it out but manually reconciling it fixed the problem as a stopgap.

install script contains non persistent commands

If the control server is rebooted after running install.sh the following commands will not persist a reboot. This will cause connectivity issues.

ip rule add from 10.10.10.0/24 table loadb
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Modify these commands so they persist reboots.

missing files

Perhaps you can help: could not find the follwing files:
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client01.crt
/etc/openvpn/easy-rsa/keys/client01.key

move to t2.nano instances

currently proxycannon-ng uses t2.mirco instances. test change with t2.nano to reduce cost.

Error while running terraform apply command.

Hey Folks,

I have installed the setup using all the steps mentioned on the page. After setting up things, I am getting a following error.

My Aws credentail File Setting:

I have used the AMI ID mentioned on this blog: https://medium.com/@devinjaystokes/using-proxycannon-ng-to-create-unlimited-rotating-proxies-fccffa70a728

Can someone help me to troubleshoot this?

Thanks

support VPN tunnels from control-server to exit-nodes

As a user I would like to use multiple cloud providers. This would require a VPN tunnel so traffic could be routed out various exit-nodes.

Engineering notes:
there is a blocking issue: the intrarouting with OpenVPN is prevented TCP traffic from traversing the tunnel when destin to the Internet (0.0.0.0/0).

We're tried adding an iroute statement in the ccd for exit-nodes with iroute 0.0.0.0 128.0.0.0
but this isn't helping. UDP and ICMP traffic work ok, but TCP doesn't. Odd. Problem appears to be with traffic being accepted on the tun interface of the exit-node.

TODO:

Troubleshoot openvpn configs, perhaps we had something wrong with our configs.
Possibly ditch layer 3 tunneling for layer 2. Not optimal, but would probably work. This would require some tweaking to multi-path routing.

IPs are not getting assigned

Hey guys,

I followed all the steps to setup proxycannon and I am able to connect to the instance using openvpn as well. But I don't see any IPs getting assigned when I do "while true;do curl ifconfig.co;done". It is giving me "curl: (6) Could not resolve host: ifconfig.co" error. I can also see all the instances running properly on AWS.

Using Kali linux for openvpn connection
Here is my openvpn trace:
Wed Jul 17 10:48:09 2019 WARNING: file 'client01.key' is group or others accessible Wed Jul 17 10:48:09 2019 WARNING: file 'ta.key' is group or others accessible Wed Jul 17 10:48:09 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 30 2018 Wed Jul 17 10:48:09 2019 library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10 Wed Jul 17 10:48:09 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Jul 17 10:48:09 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication Wed Jul 17 10:48:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]3.13.170.173:443 Wed Jul 17 10:48:09 2019 Socket Buffers: R=[87380->87380] S=[16384->16384] Wed Jul 17 10:48:09 2019 Attempting to establish TCP connection with [AF_INET]3.13.170.173:443 [nonblock] Wed Jul 17 10:48:10 2019 TCP connection established with [AF_INET]3.13.170.173:443 Wed Jul 17 10:48:10 2019 TCP_CLIENT link local: (not bound) Wed Jul 17 10:48:10 2019 TCP_CLIENT link remote: [AF_INET]3.13.170.173:443 Wed Jul 17 10:48:10 2019 TLS: Initial packet from [AF_INET]3.13.170.173:443, sid=5aee4d31 12ce02c7 Wed Jul 17 10:48:10 2019 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, [email protected] Wed Jul 17 10:48:10 2019 VERIFY KU OK Wed Jul 17 10:48:10 2019 Validating certificate extended key usage Wed Jul 17 10:48:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Wed Jul 17 10:48:10 2019 VERIFY EKU OK Wed Jul 17 10:48:10 2019 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, [email protected] Wed Jul 17 10:48:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Wed Jul 17 10:48:10 2019 [server] Peer Connection Initiated with [AF_INET]3.13.170.173:443 Wed Jul 17 10:48:11 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Wed Jul 17 10:48:11 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.0.0.0 255.0.0.0 net_gateway,route 172.16.0.0 255.240.0.0 net_gateway,route 192.168.0.0 255.255.0.0 net_gateway,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5,peer-id 0,cipher AES-256-GCM' Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: timers and/or timeouts modified Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: --ifconfig/up options modified Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: route options modified Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: peer-id set Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: adjusting link_mtu to 1626 Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: data channel crypto options modified Wed Jul 17 10:48:11 2019 Data Channel: using negotiated cipher 'AES-256-GCM' Wed Jul 17 10:48:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jul 17 10:48:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jul 17 10:48:11 2019 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:a3:fd:32 Wed Jul 17 10:48:11 2019 TUN/TAP device tun0 opened Wed Jul 17 10:48:11 2019 TUN/TAP TX queue length set to 100 Wed Jul 17 10:48:11 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Wed Jul 17 10:48:11 2019 /sbin/ip link set dev tun0 up mtu 1500 Wed Jul 17 10:48:11 2019 /sbin/ip addr add dev tun0 local 10.10.10.6 peer 10.10.10.5 Wed Jul 17 10:48:11 2019 /sbin/ip route add 3.13.170.173/32 via 10.0.2.2 Wed Jul 17 10:48:11 2019 /sbin/ip route add 0.0.0.0/1 via 10.10.10.5 Wed Jul 17 10:48:11 2019 /sbin/ip route add 128.0.0.0/1 via 10.10.10.5 Wed Jul 17 10:48:11 2019 /sbin/ip route add 10.0.0.0/8 via 10.0.2.2 Wed Jul 17 10:48:11 2019 /sbin/ip route add 172.16.0.0/12 via 10.0.2.2 Wed Jul 17 10:48:11 2019 /sbin/ip route add 192.168.0.0/16 via 10.0.2.2 Wed Jul 17 10:48:11 2019 /sbin/ip route add 10.10.10.1/32 via 10.10.10.5 Wed Jul 17 10:48:11 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Wed Jul 17 10:48:11 2019 Initialization Sequence Completed
Any help would be appreciated :)