As a defender, it is always recommended to NOT interact with a suspicious (threat actor) IP from your own network. However, since we need to investigate the threat actor's IP(s) to learn something about the threat and/or the device from which the attack is occurring, what can we do? The reality is there are many things we can do. One of these is to use tools such as ProxyChains, as we will do in this post.
In this post, I am using Kali 2020.3. Proxychains is installed on Kali by default.
Here is my Kali version:
kali@securitynik:~$ lsb_release --all
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2020.3
Codename:       kali-rolling
Before we start using proxychains, let's first take a look at the configuration. Specifically, I have changed the configuration from "strict_chain" to "random_chain". This was achieved by commenting out "strict_chain" while uncommenting "random_chain". Here I use "grep" to show what the change looks like:
kali@securitynik:~$ cat /etc/proxychains.conf | grep --perl-regex "^# strict_chain|^random_chain"
# strict_chain
random_chain
Additionally, we look at the last 6 lines of the "/etc/proxychains.conf" file with a focus on the "[ProxyList]" section.
kali@securitynik:~$ cat /etc/proxychains.conf | tail --lines 6
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
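To make the chain mode and [ProxyList] handling concrete, here is a small parser for the proxychains.conf format plus a function that picks the proxies one connection would traverse under strict_chain versus random_chain. This is an added example, not code from the original post or from the proxychains project; the sample configuration is constructed to mirror the settings shown above, and the random_chain selection logic (chain_len proxies sampled without repeats, capped at the list size, defaulting to 1 when chain_len is commented out) is a simplification assumed here rather than proxychains' exact implementation.

```python
"""Parse a proxychains.conf and show which proxies a chain would use.

Added example, not part of the original post or the proxychains project.
SAMPLE_CONF is constructed to mirror the post: strict_chain commented out,
random_chain enabled, and tor's SOCKS4 listener as the only proxy.
"""
import random
from typing import Dict, List, NamedTuple, Optional

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")


class Proxy(NamedTuple):
    kind: str   # socks4, socks5 or http
    host: str
    port: int


SAMPLE_CONF = """\
# proxychains.conf  VER 3.1  (constructed sample)
# strict_chain
random_chain
# chain_len = 2
proxy_dns
tcp_read_time_out 15000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 127.0.0.1 9050
"""

# Constructed three-hop list used to contrast strict and random selection.
MULTI_CONF = """\
strict_chain
chain_len = 2
[ProxyList]
socks4 127.0.0.1 9050
socks5 10.0.0.5 1080
http 10.0.0.6 3128
"""


def parse_proxychains_conf(text: str) -> Dict:
    """Return chain mode, chain_len, other options and [ProxyList] entries."""
    conf = {"mode": None, "chain_len": None, "options": {}, "proxies": []}
    in_proxy_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # "# strict_chain" is a comment
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_proxy_list = True
            continue
        if in_proxy_list:
            parts = line.split()
            if len(parts) < 3 or parts[0] not in ("socks4", "socks5", "http"):
                raise ValueError(f"bad proxy line: {raw!r}")
            conf["proxies"].append(Proxy(parts[0], parts[1], int(parts[2])))
            continue
        if line in CHAIN_MODES:
            conf["mode"] = line          # last uncommented mode wins in this parser
            continue
        parts = line.replace("=", " ").split()
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "chain_len":
            conf["chain_len"] = int(value)
        else:
            conf["options"][key] = value
    return conf


def build_chain(conf: Dict, seed: Optional[int] = None) -> List[Proxy]:
    """Proxies one connection would pass through, in order.

    strict_chain and dynamic_chain use the whole list in file order.
    random_chain (assumption, see lead-in): sample chain_len distinct
    proxies, capped at the list length, chain_len defaulting to 1.
    """
    proxies = conf["proxies"]
    if not proxies:
        raise ValueError("no proxies in [ProxyList]")
    if conf["mode"] != "random_chain":
        return list(proxies)
    n = min(conf["chain_len"] or 1, len(proxies))
    return random.Random(seed).sample(proxies, n)


def chains_for_seeds(conf: Dict, seeds: range) -> set:
    """Set of distinct chains produced across several seeds."""
    return {tuple(build_chain(conf, s)) for s in seeds}


if __name__ == "__main__":
    for text in (SAMPLE_CONF, MULTI_CONF):
        c = parse_proxychains_conf(text)
        print(c["mode"], c["chain_len"], chains_for_seeds(c, range(5)))
```

Running the parser on the post's configuration shows the caveat a practitioner should keep in mind: with a single entry in [ProxyList], random_chain has exactly one proxy to choose from, so every chain is 127.0.0.1:9050, which is also what each "|R-chain|" line in the later runs shows. The value that changes between runs is the destination address returned by the proxied DNS lookup, not the proxy itself. random_chain only has an effect once several proxies are listed.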
We see above it is using 127.0.0.1 9050 and defaults to "tor". Let's see if tor is listening on port 9050.
kali@securitynik:~$ ss --numeric --listening --tcp
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
Above we see port 9050 is not listening. Let's verify if tor is installed.
kali@securitynik:~$ which tor
kali@securitynik:~$
Looks like tor is not installed. Let's install tor.
kali@securitynik:~$ sudo apt-get install tor
....
Once "tor" is installed, we look at the help.
kali@securitynik:~$ tor --help
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2020, The Tor Project, Inc.

tor -f <torrc> [args]
See man page for options, or https://www.torproject.org/ for documentation.
Let's now start tor.
kali@securitynik:~$ tor
Jul 28 22:12:39.646 [notice] Tor 0.4.3.6 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.4.5.
Jul 28 22:12:39.647 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 28 22:12:39.647 [notice] Read configuration file "/etc/tor/torrc".
Jul 28 22:12:39.650 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.651 [notice] Opened Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 28 22:12:39.000 [notice] Bootstrapped 0% (starting): Starting
Jul 28 22:12:40.000 [notice] Starting with guard context "default"
Jul 28 22:12:40.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Jul 28 22:12:40.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 59% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 69% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:42.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Jul 28 22:12:43.000 [notice] Bootstrapped 100% (done): Done
Now that the last line above says "Done", let's run "ss" again to see if port 9050 is now listening.
kali@securitynik:~$ ss --numeric --listening --tcp
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:9050      0.0.0.0:*
Let's now use "ncat" to make a request to "www.securitynik.com" on port 443. Here is what that looks like without proxychains.
kali@securitynik:~$ ncat --verbose www.securitynik.com 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 172.217.2.115:443.
If we do a "ping" on "www.securitynik.com", we see it returns the address above.
kali@securitynik:~$ ping www.securitynik.com
PING ghs.googlehosted.com (172.217.2.115) 56(84) bytes of data.
Let's now run that command one more time, prepending "proxychains" to it.
kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.
Looks like both the DNS and HTTPS traffic have been proxied, as seen by the "|R-chain|" lines above.
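The second "|R-chain|" line above is proxychains talking SOCKS4 to tor on 127.0.0.1:9050 and asking it to connect onward to 172.217.22.211:443. The following added example (not code from the original post, proxychains or Tor) builds that SOCKS4 CONNECT request byte for byte, parses the proxy's 8-byte reply, and runs the handshake against a constructed fake proxy so it works offline; the SOCKS4a variant shows the alternative where the proxy resolves the hostname itself, which is how a client avoids a local DNS lookup when proxy_dns is not available. The __main__ demo assumes tor is listening on 127.0.0.1:9050 as in the post.

```python
"""Hand-built SOCKS4/SOCKS4a CONNECT exchange, i.e. the hop proxychains
prints as "127.0.0.1:9050-<><>-172.217.22.211:443".

Added example, not part of the original post, proxychains or Tor.
Only the __main__ demo needs a live SOCKS4 proxy on 127.0.0.1:9050.
"""
import socket
import struct
from typing import Tuple

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_CODES = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: identd not reachable",
    93: "rejected: identd user mismatch",
}


def socks4_connect_request(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL: the proxy gets a resolved IP."""
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dst_port)
            + socket.inet_aton(dst_ip) + userid + b"\x00")


def socks4a_connect_request(hostname: str, dst_port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a: DSTIP 0.0.0.1 plus a NUL-terminated hostname, so the proxy
    resolves the name and the client performs no DNS lookup of its own."""
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dst_port)
            + b"\x00\x00\x00\x01" + userid + b"\x00"
            + hostname.encode("idna") + b"\x00")


def parse_socks4_reply(data: bytes) -> Tuple[bool, int, str]:
    """Return (granted, code, description) for an 8-byte SOCKS4 reply."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}")
    return cd == 90, cd, REPLY_CODES.get(cd, "unknown reply code")


def socks4_handshake(sock, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Send CONNECT over an open socket to the proxy and read its verdict.
    `sock` only needs sendall() and recv(), so a fake works offline."""
    sock.sendall(socks4_connect_request(dst_ip, dst_port))
    reply = b""
    while len(reply) < 8:
        chunk = sock.recv(8 - len(reply))
        if not chunk:
            raise ConnectionError("proxy closed connection during handshake")
        reply += chunk
    granted, _code, desc = parse_socks4_reply(reply)
    return granted, desc


class FakeProxy:
    """Constructed stand-in for 127.0.0.1:9050: records what the client sent
    and answers with a canned SOCKS4 reply carrying the given code."""

    def __init__(self, reply_code: int = 90):
        self.received = b""
        self._reply = struct.pack("!BBH4s", 0, reply_code, 0, b"\x00" * 4)

    def sendall(self, data: bytes) -> None:
        self.received += data

    def recv(self, n: int) -> bytes:
        out, self._reply = self._reply[:n], self._reply[n:]
        return out


if __name__ == "__main__":
    # Live demo: assumes tor's SOCKS listener on 127.0.0.1:9050 as in the post.
    with socket.create_connection(("127.0.0.1", 9050), timeout=10) as s:
        print(socks4_handshake(s, "172.217.22.211", 443))
```

Because proxychains has already resolved the name through the proxied DNS query (the first "|R-chain|" line), the onward request carries the IP address; a SOCKS4a request would instead carry the hostname and leave resolution to the proxy.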
Let's run this one more time to see if the proxy changes, since this was configured for "random_chain".
kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.
Above, it seems to be a new IP.
Let's run this one final time.
kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 216.58.207.147
|R-chain|-<>-127.0.0.1:9050-<><>-216.58.207.147:443-<><>-OK
Ncat: Connected to 216.58.207.147:443.
Looks like in each instance we used a random IP address for our proxy chain.
Well hopefully the blog post above has made your job easier as a defender, as you look to learn about suspicious hosts.