ProxyCannon-Revival – A tool for IPS evasion

Today we are releasing a tool called ProxyCannon-Revival and it is for IPS evasion. The original ProxyCannon is a tool written by Shellntel and released back in 2015. It coordinates virtual machines on cloud platforms and local routing policies so that penetration testers can simulate a real attackers ability to come from multiple IP addresses. This ability is crucial in avoiding IPS technologies and not worrying about getting caught by IP address blocking techniques.

TL;DR
The tool has been brought up to date, had new features added, and had a load of bug fixes/code clean-up. It is now in a dedicated repository here.

The catalyst to the Revival

During a penetration test some of our standard not-trying-to-be-quiet infrastructure was blocked by Fail2Ban. After a bit of investigating, we got in contact with our customer. The conversation went a bit like this:

[Us] “Tick, well-done customer, now please can you whitelist our source IP addresses.”

[Them] “Actually, we would like you to act like a real attacker, and that means you have to overcome this defensive capability.”

[Us] “Ok then, that should not be hard.”

We had a look around at what projects already exist, asked some fellow pen testers about what was around, and none of the projects found fit the requirements. There are a few that appear abandoned, such as the original ProxyCannon. Others seem massively complex, requiring Terraform and multiple layers of Proxy server. And then, there were both complex and abandoned projects such as ProxyCannon-NG. We just wanted a tool that worked with minimal effort – a classic pop-pop bang-bang affair.

We took the best fit of the projects we found and tried to get it to work, but it did not. It probably worked fine until relatively recently, as blog posts were raving about it until early 2019. As it is now 2021, we guess that the OS world has moved on and left it behind.

The update

At first, the plan was to bug-fix it and do the minimal to get it up and running again. By the time it was apparent that it would not be that easy, we were already far too emotionally invested in getting the project up and running to make the sensible decision to use a different project. Cue far too much engineering effort.

There is an issue tracker in the GitHub repo for full details, but the highlights are:

  • converted to Python 3
  • added a ton of debug output, so when it goes wrong, there is a chance of dealing with it
  • code consistency improvements and general clean-up
  • refactoring the network configurations deployed to be in line with modern OSs.

The extension – cache busting

The concept of the tool is great but works best against an IP subnet of targets rather than a single IP address. That means doing an infrastructure scan would be fine, but, a web app penetration test would end up without having randomised routes.

This routing behaviour is a result of the way current Linux OS’s do route caching. Essentially, in Equal Cost Multi Path (ECMP) routing, when the connection is made to the destination a route is calculated and stored for future use. Where you have ECMP, that route is calculated for every destination IP address so you would get random routes, but not each time you connect to the same IP address.

The ProxyCannon-Revival tool now has an optional cache busting function which can be enabled with the command line switch “-b”. This function continually changes the route weights so that, strictly speaking, it isn’t ECMP anymore. In practice it will still be pretty-much ECMP when averaged out over a period of time. The use of routes in this fashion along with a cache flush mean that the routes are used more evenly against a single IP address.

The extension – link health monitor

During testing it was plain to see that sometimes, for reasons outside the scripts control, one of the routes would be unhealthy and not function properly. This means that the user ends up with confusing timeouts or a bias towards particular routes.

There is now a network link health monitor in place that continually checks to see if the links are behaving as expected and if not, marks them as down so that the script doesn’t try to use them.

This functionality is on by default, but, can be turned off if so desired with the -m command line argument.

The extension – faster tunnel IP rotating

The process of asking AWS (the only currently supported cloud provider) for a new IP address takes approximately 2 minutes to complete. This might be sufficiently quick for some purposes but that might not be the case for other use cases, such as against application-layer IPS detection capabilities in web applications.

The tunnel host IP rotating functionality is now put into a queue with its own pool of thread workers which means that more than one host can have its IP rotated at once. This is limited to 50% of the number of tunnel hosts so that there isn’t a tragic loss of routes / source IP address entropy.

Tunnel host IP address rotation threading is enabled automatically if you run both the -b and -r command line arguments together. It is assumed if you want this level of IP address fluctuation that changing the hosts IP addresses quickly is important to you.

Adoption

You Gotta Hack That has adopted this project but welcomes the original authors and newcomers to join in with it if they wish. Hopefully, it will be useful for a while yet to come and plenty of you will be able to demonstrate that simple IPS evasion is easily achievable.

How you can perform IPS evasion with ProxyCannon-Revival

The tools is intended to be really easy to use. It is simply a case of getting an AWS account and security tokens, installing the python dependancies and executing the appropriate command. The command syntax is currently:

-id, default='ami-d05e75b8', Amazon AMI image ID
-t, default='t2.nano', Amazon AMI image type
--region, default='us-east-1', Select the region
-r, Enable Rotating AMI hosts
-b, Enable multi-path cache busting
-m, Disable link state monitor
-v, Enable verbose logging
--name, Set the name of the instance in the cluster
-i, default='detect', Interface to use, default will result in detecting the default gateway and using that
-l, Enable logging of WAN IP's traffic is routed through

num_of_instances, The number of instances you'd like to launch.

You have to tell ProxyCannon-Revival how many instances you want, but all the rest are optional. Highly recommend -l for logging external IPs and -r for rotating those IP addresses periodically.

Usual disclaimer

Please don’t use this script for nefarious purposes. Pentesters == good, law enforcement == good. Bad people == bad.

This entry was posted in Penetration Testing, Projects and tagged , . Bookmark the permalink.