Tuesday, August 11, 2020

Beginning Proxychains - Keeping a low profile

As a defender, it is always recommended NOT to interact with a suspicious (threat actor) IP from your own network. However, since we need to investigate the threat actor's IP(s) to learn something about the threat and/or the device from which the attack is occurring, what can we do? The reality is that there are many things we can do. One of these is to use tools such as ProxyChains, as we will do in this post.

In this post, I am using Kali 2020.3. Proxychains is installed on Kali by default.

Here is my Kali version:

kali@securitynik:~$ lsb_release --all
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2020.3
Codename:       kali-rolling

Before we start using proxychains, let's first take a look at the configuration. Specifically, I have changed the configuration from "strict_chain" to "random_chain". This was achieved by commenting out "strict_chain" while uncommenting "random_chain". Here I use "grep" to show what the change looks like:

kali@securitynik:~$ cat /etc/proxychains.conf | grep --perl-regex "^# strict_chain|^random_chain"
# strict_chain
random_chain

Additionally, we look at the last 6 lines of the "/etc/proxychains.conf" file with a focus on the "[ProxyList]" section.

kali@securitynik:~$ cat /etc/proxychains.conf | tail --lines 6
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
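As an added example (not part of the original post), here is a small Python parser for proxychains.conf that reports the active chain mode and the "[ProxyList]" entries, and warns when the mode promises more than the list can deliver. The configuration text below is a constructed excerpt, not the author's file; the directive names are the ones proxychains 3.1 uses, and the single socks4 entry mirrors the Kali default shown above.

```python
import re

# Constructed excerpt of /etc/proxychains.conf, trimmed to the directives that
# matter here. It is not the author's file; the single socks4 entry mirrors the
# Kali default shown in the post.
SAMPLE_CONF = """\
# proxychains.conf  VER 3.1
#
# strict_chain
#
random_chain
#
chain_len = 2
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
"""

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")
PROXY_TYPES = ("socks4", "socks5", "http")
OPTION_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_proxychains_conf(text):
    """Parse proxychains.conf text into (mode, proxies, options).

    mode    - the uncommented chain directive; proxychains falls back to
              strict_chain when none is set
    proxies - [(type, host, port), ...] from the [ProxyList] section
    options - {name: value} for the remaining directives ("" if bare)
    """
    mode, proxies, options, in_list = None, [], {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '# strict_chain' becomes empty
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
        elif in_list:
            parts = line.split()
            if len(parts) >= 3 and parts[0] in PROXY_TYPES:
                proxies.append((parts[0], parts[1], int(parts[2])))
        elif line in CHAIN_MODES:
            mode = line
        else:
            m = OPTION_RE.match(line)
            if m:
                options[m.group(1)] = m.group(2).strip()
    return mode or "strict_chain", proxies, options


def chain_warnings(mode, proxies, options):
    """Flag configurations that give less cover than the chain mode suggests."""
    warnings = []
    if not proxies:
        warnings.append("ProxyList is empty: every proxied connection will fail")
    if mode == "random_chain" and len(proxies) < 2:
        warnings.append("random_chain with a single proxy: every connection takes "
                        "the same hop, nothing is randomised")
    chain_len = options.get("chain_len", "")
    if mode == "random_chain" and chain_len.isdigit() and int(chain_len) > len(proxies):
        warnings.append(f"chain_len {chain_len} exceeds the {len(proxies)} proxies available")
    if "proxy_dns" not in options:
        warnings.append("proxy_dns is not set: name lookups go out directly, "
                        "not through the chain")
    return warnings


if __name__ == "__main__":
    mode, proxies, options = parse_proxychains_conf(SAMPLE_CONF)
    print(f"mode={mode} proxies={proxies}")
    for w in chain_warnings(mode, proxies, options):
        print("WARNING:", w)
```

Point it at the real file with `parse_proxychains_conf(open("/etc/proxychains.conf").read())`; with the default single-entry list it will report that "random_chain" has nothing to choose between.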

We see above that it is using 127.0.0.1 port 9050, which "defaults to tor". Let's see if tor is listening on port 9050.

kali@securitynik:~$ ss --numeric --listening --tcp
State       Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process  

Above we see that port 9050 is not listening. Let's verify whether tor is installed.

kali@securitynik:~$ which tor
kali@securitynik:~$

Looks like tor is not installed. Let's install tor.

kali@securitynik:~$ sudo apt-get install tor
....

Once "tor" is installed, we look at the help.

kali@securitynik:~$ tor --help
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2020, The Tor Project, Inc.

tor -f <torrc> [args]
See man page for options, or https://www.torproject.org/ for documentation.

Let's now start tor.

kali@securitynik:~$ tor
Jul 28 22:12:39.646 [notice] Tor 0.4.3.6 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.4.5.
Jul 28 22:12:39.647 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 28 22:12:39.647 [notice] Read configuration file "/etc/tor/torrc".
Jul 28 22:12:39.650 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.651 [notice] Opened Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 28 22:12:39.000 [notice] Bootstrapped 0% (starting): Starting
Jul 28 22:12:40.000 [notice] Starting with guard context "default"
Jul 28 22:12:40.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Jul 28 22:12:40.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 59% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 69% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:42.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Jul 28 22:12:43.000 [notice] Bootstrapped 100% (done): Done

Now that we see above that the last line says "Done", let's run "ss" again to see if port 9050 is now listening.

kali@securitynik:~$ ss --numeric --listening --tcp
State       Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process      
LISTEN      0            4096                   127.0.0.1:9050                  0.0.0.0:*                   

Let's now use "ncat" to make a request to "www.securitynik.com" on port 443. Here is what that looks like without proxychains.

kali@securitynik:~$ ncat --verbose www.securitynik.com 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 172.217.2.115:443.

If we do a "ping" on "www.securitynik.com", we see it returns the address above. 

kali@securitynik:~$ ping www.securitynik.com
PING ghs.googlehosted.com (172.217.2.115) 56(84) bytes of data.

Let's now run that command one more time, prepending "proxychains" to it.

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.

It looks like both the DNS and HTTPS traffic have been proxied, as seen by the "|R-chain|" lines above.

Let's run this one more time to see if the proxy changes as this was configured for "random".

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.

Above, it seems to be a new IP compared to the direct connection.

Let's run this one final time.

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 216.58.207.147
|R-chain|-<>-127.0.0.1:9050-<><>-216.58.207.147:443-<><>-OK
Ncat: Connected to 216.58.207.147:443.

It looks like in each instance we used a random IP address for our proxy chain.
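Added example, not from the original post: a Python parser for the "|X-chain|" lines that proxychains prints, so the runs above can be audited rather than eyeballed. It records the proxy hops and the final destination of every connection and reports failures (proxychains prints "<--denied" or "<--timeout" in place of "OK" when a hop refuses or times out). One thing the parser makes visible in the three runs above: the hop before the destination is 127.0.0.1:9050 in every "|R-chain|" line, because the "[ProxyList]" holds a single entry and "random_chain" has nothing to choose between; what differs between runs is the address in the "|DNS-response|" line (172.217.22.211 versus 216.58.207.147). The log text below is a constructed sample modelled on the output above, with one failed connection added; the hostname and addresses in it are constructed, not captured.

```python
import re
from collections import Counter

# Constructed sample of proxychains 3.1 output. The chain lines mirror the
# shape of the runs shown in the post; the "<--denied" line is constructed to
# show what a refused hop looks like. Not captured from the author's session.
SAMPLE_LOG = """\
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
|R-chain|-<>-127.0.0.1:9050-<><>-203.0.113.9:443-<--denied
Ncat: Connected to 172.217.22.211:443.
"""

CHAIN_RE = re.compile(r"^\|([SDR])-chain\|(.*)$")          # S=strict D=dynamic R=random
HOP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")   # ip:port endpoints in order
STATUS_RE = re.compile(r"(OK|denied|timeout)\s*$")
MODES = {"S": "strict", "D": "dynamic", "R": "random"}


def parse_chain_lines(text):
    """Return one record per |X-chain| line: mode, proxy hops, destination, status."""
    records = []
    for line in text.splitlines():
        m = CHAIN_RE.match(line.strip())
        if not m:
            continue
        endpoints = [(ip, int(port)) for ip, port in HOP_RE.findall(m.group(2))]
        if not endpoints:
            continue
        status = STATUS_RE.search(m.group(2))
        records.append({
            "mode": MODES[m.group(1)],
            "hops": endpoints[:-1],   # proxies the connection was relayed through
            "dest": endpoints[-1],    # final target, or the hop that failed
            "status": status.group(1) if status else "unknown",
        })
    return records


def audit(records, expected_proxy=("127.0.0.1", 9050)):
    """Summarise what went through the proxy, what failed, and whether the
    chain actually varied between connections."""
    ok = [r for r in records if r["status"] == "OK"]
    failed = [r for r in records if r["status"] != "OK"]
    hop_paths = Counter(tuple(r["hops"]) for r in records)
    # An OK connection whose hop list does not include the expected proxy
    # would mean traffic left by some other route than the one we intended.
    bypassed = [r["dest"] for r in ok if expected_proxy not in r["hops"]]
    return {
        "proxied_ok": len(ok),
        "failed": [(r["dest"], r["status"]) for r in failed],
        "dns_via_proxy": any(r["dest"][1] == 53 for r in ok),
        "destinations": sorted({r["dest"] for r in ok if r["dest"][1] != 53}),
        "distinct_hop_paths": len(hop_paths),
        "random_mode_but_single_path": (
            any(r["mode"] == "random" for r in records) and len(hop_paths) == 1
        ),
        "bypassed_expected_proxy": bypassed,
    }


if __name__ == "__main__":
    for key, value in audit(parse_chain_lines(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

To audit a real session, capture proxychains' output (stdout and stderr together) to a file and pass its contents to `parse_chain_lines`; a "random_mode_but_single_path" of True means the chain mode is not buying any variation, and a non-empty "bypassed_expected_proxy" list deserves immediate attention.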

Well, hopefully the blog post above has made your job easier as a defender as you look to learn about suspicious hosts.
