Proxying

An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.

SOCKS Proxy

Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting

Proxying a single HTTP connection

  1. Run Burp and check that a Proxy listener is running on the address and port the browser will be pointed at. These notes use port 8888; Burp's default listener is 127.0.0.1:8080, so either change the listener or use 8080 below.
  2. Set the proxy settings in the browser. For HTTPS sites also import Burp's CA certificate into the browser's trust store, otherwise every TLS connection fails certificate validation.

Firefox:

Preferences -> General -> Network Settings -> Settings..., choose Manual proxy configuration, set HTTP Proxy to 127.0.0.1 and Port to 8888, and enable the option to also use this proxy for HTTPS so TLS traffic is intercepted as well.

Chrome:

google-chrome --proxy-server="http://192.168.1.10:8888"

The scheme in --proxy-server selects how Chrome talks to the proxy, not which traffic is proxied: https:// would make Chrome open a TLS connection to the proxy itself, which a plain Burp listener does not accept, so use http:// (or just host:port). This example points at a Burp instance on another host, so that listener must be bound to 192.168.1.10 (or all interfaces) rather than the loopback default.

Proxying HTTP connections to multiple endpoints on the same port without configuring a proxy in the client

This is for clients that have no proxy setting (mobile apps, thick clients). Instead of telling the client about Burp, make the endpoint hostnames resolve to a Burp listener and let Burp forward to the real hosts. The notes call this DNS rebinding; strictly it is DNS spoofing from a resolver you control.

  1. Run a spoofing resolver, either dnschef or your own, that answers the target hostnames with the listener's address and proxies everything else to a real nameserver:
sudo python2 ./dnschef.py --interface=127.0.0.1 "--nameservers=1.1.1.1#53" --fakedomains=dev.generalzero.org --fakeip=127.0.0.1
sudo ./dns_proxy_from_zonefile.py -z good_zones --tcp

good_zones (zone-file style records, one per line, consumed by dns_proxy_from_zonefile.py; the entries shown answer with the hosts' real addresses):

>>> cat /opt/Hacking/Notes/Mobile/Proxy/backup_zones
www.google.com. 55 IN A 172.217.7.4
playatoms-pa.googleapis.com. 2122 IN CNAME googleapis.l.google.com.
2.android.pool.ntp.org. 25 IN A 204.2.134.162
accounts.google.com. 0 IN A 172.217.10.237
play.google.com. 287 IN A 172.217.10.14
history.google.com. 10209 IN CNAME history.l.google.com.
  2. Set your DNS resolver to localhost. NetworkManager or the DHCP client may rewrite this file on the next lease, so check it again if resolution suddenly goes back to normal:
>>> cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1
  3. Add one Burp proxy listener per endpoint: Proxy -> Options -> Proxy Listeners -> Add. Under Binding set the port to the endpoint's port and bind to the specific address your spoofed DNS answer points at. Under Request handling set Redirect to host and Redirect to port to the endpoint's real IP address and port, and enable Support invisible proxying so requests from non-proxy-aware clients are handled. For HTTPS endpoints the client must trust Burp's CA (and must not pin the server certificate), or the handshake fails before Burp sees a request.

Proxying a TCP connection to an endpoint

Use steps 1 and 2 from the previous section (spoof the endpoint's hostname to 127.0.0.1 and point the resolver at localhost), then:

  3. Start the TLS reverse proxy. It fetches the real server certificate, forges one with the same common name signed by the CA in burp.pem, and relays the decrypted stream to the real endpoint:
>>> sudo ./ssl_tcp_reverse_proxy.py -c burp.pem -d cnn.com:443
Initializing CertificateAuthority ca_file=burp.pem cache_dir=ssl_cache
Gettting Server Certificate
Got Server Certificate
Creating and signing cert common_name=turner-tls.map.fastly.net {'certfile': 'ssl_cache/fake_cert-turner-tls.map.fastly.net.pem', 'keyfile': 'ssl_cache/fake_cert-turner-tls.map.fastly.net.key'}
SSL on localhost:443 forwarding to SSL cnn.com:443
0.0.0.0:443 -> cnn.com:443

The client has to trust the CA in burp.pem for this to be transparent. Note that the forged certificate takes its name from the upstream certificate's CN (turner-tls.map.fastly.net, a CDN edge) while the client connected to cnn.com; modern clients validate the hostname against the subjectAltName list, so a forged certificate is only accepted if its SANs cover the name the client actually asked for.

Proxying TCP connections to multiple endpoints on the same port

A listener can only forward to one upstream, so give the host one extra IP address per endpoint and bind one proxy to each.

  1. Add another IP address to the interface. The kernel installs the local route for an address it owns, so no separate ip route entry is needed; a /32 is enough because only local listeners use it:
sudo ip addr add 10.3.116.1/32 dev wlp3s0 label wlp3s0:0
  2. Spoof each endpoint's hostname to a different one of those addresses, as in the HTTP section above, and start one proxy bound to each address. Make sure the AAAA answers are addresses you have actually bound as well, or dual-stack clients that prefer IPv6 will time out before falling back to IPv4:
>>> cat domains
[A]
generalzero.org=10.0.3.15
dev.generalzero.org=10.0.2.15
[AAAA]
generalzero.org=fe80::e007:c0ad:d23:9ce8
dev.generalzero.org=fe80::b312:9a08:f148:e3ea
>>> sudo python2 ./dnschef.py --file=domains "--nameservers=1.1.1.1#53"
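The two TCP sections above bind one proxy per endpoint and so need one IP address per spoofed hostname. A single listener can instead read the server_name (SNI) extension from the ClientHello and pick the upstream and the forged certificate from that. The following is an added example written for these notes, not code from the original page, Burp, dnschef or ssl_tcp_reverse_proxy.py; the routing table, the hostnames and the ClientHello it builds for testing are constructed, and the MSG_PEEK trick assumes the ClientHello arrives in the first read.

```python
"""Route one TLS listener to several upstreams by SNI (added example)."""
import socket
import struct

# Constructed routing table: spoofed hostname -> (real upstream host, port).
ROUTES = {
    "generalzero.org": ("203.0.113.10", 443),
    "dev.generalzero.org": ("203.0.113.11", 443),
}


def parse_sni(record):
    """Return the server_name from a TLS ClientHello record, or None.

    Every length is bounds-checked, so truncated or non-TLS input (an HTTP
    request, for instance) yields None instead of an exception.  Assumes the
    ClientHello fits in the first record, which holds for practically all clients.
    """
    if len(record) < 5 or record[0] != 0x16:            # record type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != 0x01:  # type 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                        # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                               # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                               # compression_methods
    if len(hello) < pos + 2:
        return None                                     # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(hello):
        return None
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                          # 0 = server_name
            continue
        # ServerNameList: list_len(2), then entries of name_type(1) len(2) name
        lpos = 2
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0 and len(name) == name_len:    # host_name
                return name.decode("ascii", "replace")
            lpos += 3 + name_len
        return None
    return None


def build_client_hello(server_name):
    """Assemble a minimal TLS 1.2 ClientHello with SNI (constructed test input).

    A supported_versions extension comes first so the parser has to skip an
    unrelated extension before reaching server_name, as with a real client.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = (
        struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x03"             # supported_versions
        + struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # server_name
    )
    hello = (
        b"\x03\x03"                                                 # client_version TLS 1.2
        + bytes(32)                                                 # random (zeros, test only)
        + b"\x00"                                                   # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"                        # one cipher suite
        + b"\x01\x00"                                               # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def route(record):
    """Pick the upstream for a ClientHello; None if there is no SNI or the name is unknown."""
    name = parse_sni(record)
    return ROUTES.get(name.lower().rstrip(".")) if name else None


def peek_sni(conn):
    """Read the SNI from an accepted socket without consuming the bytes.

    MSG_PEEK leaves the ClientHello in the buffer, so the caller can still hand
    the socket to ssl.SSLContext.wrap_socket with the certificate forged for
    that name and then relay the plaintext to route()'s upstream.
    """
    return parse_sni(conn.recv(4096, socket.MSG_PEEK))
```

With this in front of the listener, one address on port 443 serves every spoofed hostname: peek the SNI, wrap the socket with the matching forged certificate, connect to the upstream from the table, and relay. Clients that send no SNI (some old or embedded TLS stacks) still need the one-address-per-endpoint approach above.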

Setting up DNS Rebinding with DNSChef

DNSChef

Intercept all responses

Answer every A query with one address; other record types are still proxied to the real nameservers, and -q runs quietly. dnschef binds to 127.0.0.1 by default, so use --interface to serve other hosts on the network.

For IPv4:

./dnschef.py --fakeip 192.168.1.5 -q

For IPv4 and IPv6:

./dnschef.py --fakeip 127.0.0.1 --fakeipv6 ::1 -q

Single DNS rebinding (one fake record type):

Record   Description    Argument      Example
A        IPv4 address   --fakeip      --fakeip 192.0.2.1
AAAA     IPv6 address   --fakeipv6    --fakeipv6 2001:db8::1
MX       Mail server    --fakemail    --fakemail mail.fake.com
CNAME    CNAME record   --fakealias   --fakealias www.fake.com
NS       Name server    --fakens      --fakens ns.fake.com

Filtering domains: restrict the fake answers to a comma-separated list with --fakedomains, or fake everything except a list with --truedomains. For more than a few names use a definitions file instead.

External Definitions File

One section per record type, one pattern=value line per name; * matches a single label. Example file:

[A]
*.google.com=192.0.2.1
thesprawl.org=192.0.2.2
*.wordpress.*=192.0.2.3

Example command and output (note that *.google.com also answers for the bare google.com, while thesprawl.org does not cover www.thesprawl.org, which is proxied):

./dnschef.py --file dnschef.ini -q
[*] DNSChef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[+] Cooking A replies for domain *.google.com with '192.0.2.1'
[+] Cooking A replies for domain thesprawl.org with '192.0.2.2'
[+] Cooking A replies for domain *.wordpress.* with '192.0.2.3'
[00:43:54] 127.0.0.1: cooking the response of type 'A' for google.com to 192.0.2.1
[00:44:05] 127.0.0.1: cooking the response of type 'A' for www.google.com to 192.0.2.1
[00:44:19] 127.0.0.1: cooking the response of type 'A' for thesprawl.org to 192.0.2.2
[00:44:29] 127.0.0.1: proxying the response of type 'A' for www.thesprawl.org
[00:44:40] 127.0.0.1: cooking the response of type 'A' for www.wordpress.org to 192.0.2.3
[00:44:51] 127.0.0.1: cooking the response of type 'A' for wordpress.com to 192.0.2.3
[00:45:02] 127.0.0.1: proxying the response of type 'A' for slashdot.org
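To see why the log above cooks google.com under *.google.com but proxies www.thesprawl.org, here is the matching logic modelled in a few lines. This is an added example written for these notes, not dnschef's own code: it reproduces the label-by-label wildcard comparison whose effect the log shows, and the INI text and query list are constructed copies of the ones above.

```python
"""Model dnschef's definitions-file matching on a set of queries (added example)."""
from configparser import ConfigParser
from itertools import zip_longest

# Constructed copy of the dnschef.ini shown above.
DEFINITIONS = """\
[A]
*.google.com=192.0.2.1
thesprawl.org=192.0.2.2
*.wordpress.*=192.0.2.3
"""


def load_definitions(text):
    """Parse [RECORDTYPE] sections of pattern=value lines into {type: {pattern: value}}.

    Only '=' is accepted as a delimiter so IPv6 values in an [AAAA] section
    are not split at their colons; patterns are lower-cased because DNS names
    compare case-insensitively.
    """
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_string(text)
    return {section.upper(): dict(cp.items(section)) for section in cp.sections()}


def match(qname, patterns):
    """Return the fake value for qname, or None if the query should be proxied.

    Labels are compared from the TLD inwards.  '*' matches exactly one label
    and, when the pattern has one more label than the name, also matches the
    missing label: that is why '*.google.com' answers for 'google.com', while
    a plain 'thesprawl.org' does not answer for 'www.thesprawl.org'.
    """
    qlabels = qname.lower().rstrip(".").split(".")[::-1]
    for pattern, value in patterns.items():
        plabels = pattern.split(".")[::-1]
        for q, p in zip_longest(qlabels, plabels):
            if q != p and p != "*":
                break
        else:
            return value
    return None


def decide(queries, definitions, qtype="A"):
    """Classify each query the way dnschef logs it: ('cooking', value) or ('proxying', None)."""
    patterns = definitions.get(qtype, {})
    result = []
    for qname in queries:
        value = match(qname, patterns)
        result.append((qname, "cooking" if value else "proxying", value))
    return result


if __name__ == "__main__":
    # Constructed queries mirroring the log above.
    QUERIES = ["google.com", "www.google.com", "thesprawl.org", "www.thesprawl.org",
               "www.wordpress.org", "wordpress.com", "slashdot.org"]
    for qname, action, value in decide(QUERIES, load_definitions(DEFINITIONS)):
        suffix = f" to {value}" if value else ""
        print(f"{action} the response of type 'A' for {qname}{suffix}")
```

The practical consequence: a pattern like *.example.com hijacks the apex example.com as well, and a wildcard covers exactly one label, so a.b.example.com is not matched. Write one pattern per depth you need.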

Proxying Client Authentication Connections

A simple SSL/TLS proxy with mutual authentication for securing non-TLS services.