Proxying

An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.

Socks Proxy

Introducing resocks - An Encrypted Back-Connect SOCKS Proxy for Network Pivoting

Proxying a single HTTP connection

  1. Run Burp
  2. Set the proxy settings in the browser

Firefox:

In Firefox select Preferences -> General -> Network Settings and enter 127.0.0.1 as the proxy host and 8888 as the port.

Chrome:

google-chrome --proxy-server="http://192.168.1.10:8888"

Proxying HTTP connections to multiple endpoints on the same port without setting up a proxy

  1. Set up a DNS rebinding attack using dnschef or your own DNS rebinder.
    sudo python2 ./dnschef.py --interface=127.0.0.1 "--nameservers=1.1.1.1#53" --fakedomains=dev.generalzero.org --fakeip=127.0.0.1
    
sudo ./dns_proxy_from_zonefile.py -z good_zones --tcp

good_zones:

>>> cat /opt/Hacking/Notes/Mobile/Proxy/backup_zones 
www.google.com.         55      IN      A       172.217.7.4
playatoms-pa.googleapis.com. 2122    IN      CNAME   googleapis.l.google.com.
2.android.pool.ntp.org. 25      IN      A       204.2.134.162
accounts.google.com.    0       IN      A       172.217.10.237
play.google.com.        287     IN      A       172.217.10.14
history.google.com.     10209   IN      CNAME   history.l.google.com.

  2. Set your DNS server to localhost

    >>> cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 127.0.0.1
    

  3. Set up a Burp proxy listener for each endpoint. Proxy -> Options -> Proxy Listeners -> Add -> set Bind to port to the port the endpoint uses, and set Bind to address to the specific address you returned for that endpoint in DNS. Under Request handling, enter the endpoint's true IP address in Redirect to host and its port in Redirect to port.

Proxying TCP Connection to endpoint

https://github.com/jrmdev/mitm_relay

Use steps 1 and 2 from above

  1. Set up the reverse TCP proxy.
>>> sudo ./ssl_tcp_reverse_proxy.py -c burp.pem -d cnn.com:443         
Initializing CertificateAuthority ca_file=burp.pem cache_dir=ssl_cache
Gettting Server Certificate
Got Server Certificate
Creating and signing cert common_name=turner-tls.map.fastly.net
{'certfile': 'ssl_cache/fake_cert-turner-tls.map.fastly.net.pem', 'keyfile': 'ssl_cache/fake_cert-turner-tls.map.fastly.net.key'}
SSL on localhost:443 forwarding to SSL cnn.com:443
0.0.0.0:443 -> cnn.com:443

Proxying TCP Connection to multiple endpoints on the same port

  1. Add a second IP address to the interface (as a labelled alias) and add a route for it, matching the route of the interface's existing IP address.

    sudo ip addr add 10.3.116.1 dev wlp3s0 label wlp3s0:0
    sudo ip route add 10.3.116.1 via 10.3.116.0 dev wlp3s0
    

  2. Use DNS rebinding as in "Proxying HTTP connections to multiple endpoints on the same port without setting up a proxy" above.

>>> cat domains                                                        
[A]
generalzero.org=10.0.3.15
dev.generalzero.org=10.0.2.15

[AAAA]
generalzero.org=fe80::e007:c0ad:d23:9ce8
dev.generalzero.org=fe80::b312:9a08:f148:e3ea

>>> sudo python2 ./dnschef.py --file=domains "--nameservers=1.1.1.1#53"

Setting up DNS Rebinding with DNSChef

DNSChef

Intercept all responses

For IPv4:

./dnschef.py --fakeip 192.168.1.5 -q

For IPv4 and 6:

./dnschef.py --fakeip 127.0.0.1 --fakeipv6 ::1 -q

Single DNS rebinding:

| Record | Description  | Argument    | Example                  |
|--------|--------------|-------------|--------------------------|
| A      | IPv4 address | --fakeip    | --fakeip 192.0.2.1       |
| AAAA   | IPv6 address | --fakeipv6  | --fakeipv6 2001:db8::1   |
| MX     | Mail server  | --fakemail  | --fakemail mail.fake.com |
| CNAME  | CNAME record | --fakealias | --fakealias www.fake.com |
| NS     | Name server  | --fakens    | --fakens ns.fake.com     |

Filtering domains:


External Definitions File

Example File:

[A]
*.google.com=192.0.2.1
thesprawl.org=192.0.2.2
*.wordpress.*=192.0.2.3

Example Command:

./dnschef.py --file dnschef.ini -q
[*] DNSChef started on interface: 127.0.0.1 
[*] Using the following nameservers: 8.8.8.8
[+] Cooking A replies for domain *.google.com with '192.0.2.1'
[+] Cooking A replies for domain thesprawl.org with '192.0.2.2'
[+] Cooking A replies for domain *.wordpress.* with '192.0.2.3'
[00:43:54] 127.0.0.1: cooking the response of type 'A' for google.com to 192.0.2.1
[00:44:05] 127.0.0.1: cooking the response of type 'A' for www.google.com to 192.0.2.1
[00:44:19] 127.0.0.1: cooking the response of type 'A' for thesprawl.org to 192.0.2.2
[00:44:29] 127.0.0.1: proxying the response of type 'A' for www.thesprawl.org
[00:44:40] 127.0.0.1: cooking the response of type 'A' for www.wordpress.org to 192.0.2.3
[00:44:51] 127.0.0.1: cooking the response of type 'A' for wordpress.com to 192.0.2.3
[00:45:02] 127.0.0.1: proxying the response of type 'A' for slashdot.org
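The log above shows which queries get "cooked" and which are passed through, and the decision hinges on how the wildcard patterns in the definitions file are matched label by label. The following is an added example, not DNSChef's own code, that models that matching so the decisions can be checked offline; the file contents and query names are the ones from the Example File and log above.

```python
import configparser
from typing import Dict, Optional

# Constructed definitions file with the same entries as the Example File above.
DEFINITIONS = """[A]
*.google.com=192.0.2.1
thesprawl.org=192.0.2.2
*.wordpress.*=192.0.2.3
"""

def load_definitions(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style file into {record type: {pattern: answer}}."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep patterns exactly as written
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}

def pattern_matches(qname: str, pattern: str) -> bool:
    """Compare labels from the right (TLD first). A '*' label matches any one
    label and, when it is among the leftmost labels of the pattern, also matches
    no label at all: that is why *.google.com cooks the bare google.com in the
    log above, while thesprawl.org leaves www.thesprawl.org to be proxied."""
    q = qname.lower().rstrip(".").split(".")[::-1]
    p = pattern.lower().split(".")[::-1]
    for i in range(max(len(q), len(p))):
        a = q[i] if i < len(q) else None
        b = p[i] if i < len(p) else None
        if a != b and b != "*":
            return False
    return True

def resolve(qname: str, qtype: str, defs: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the cooked answer, or None when the query would be proxied to the
    real upstream nameserver. First matching pattern in file order wins here."""
    for pattern, answer in defs.get(qtype, {}).items():
        if pattern_matches(qname, pattern):
            return answer
    return None

if __name__ == "__main__":
    # Replay the queries from the log above and print the same decisions.
    defs = load_definitions(DEFINITIONS)
    for name in ["google.com", "www.google.com", "thesprawl.org", "www.thesprawl.org",
                 "www.wordpress.org", "wordpress.com", "slashdot.org"]:
        answer = resolve(name, "A", defs)
        verb = f"cooking the response to {answer}" if answer else "proxying the response"
        print(f"{verb} of type 'A' for {name}")
```

When reviewing a definitions file, note that an apex-only pattern such as thesprawl.org does not cover its subdomains, and a leading wildcard covers the apex as well as every label beneath it.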

Proxying Client Authentication Connections

https://github.com/square/ghostunnel