Category Archives: Projects

ProxyCannon-Revival – A tool for IPS evasion

Today we are releasing ProxyCannon-Revival, a tool for IPS evasion. The original ProxyCannon was written by Shellntel and released back in 2015. It coordinates virtual machines on a cloud platform with local routing policy so that penetration testers can simulate a real attacker's ability to come from multiple IP addresses. That ability is crucial for evading IPS technologies and for not being shut out by plain IP-address blocking.

TL;DR
The tool has been brought up to date, had new features added, and had a load of bug fixes/code clean-up. It is now in a dedicated repository here.

The catalyst to the Revival

During a penetration test some of our standard not-trying-to-be-quiet infrastructure was blocked by Fail2Ban. After a bit of investigating, we got in contact with our customer. The conversation went a bit like this:

[Us] “Tick, well-done customer, now please can you whitelist our source IP addresses.”

[Them] “Actually, we would like you to act like a real attacker, and that means you have to overcome this defensive capability.”

[Us] “Ok then, that should not be hard.”

We had a look around at what projects already exist, asked some fellow pen testers what was around, and none of the projects we found fit the requirements. Some appear abandoned, such as the original ProxyCannon. Others are massively complex, requiring Terraform and multiple layers of proxy servers. And some, such as ProxyCannon-NG, are both complex and abandoned. We just wanted a tool that worked with minimal effort – a classic pop-pop bang-bang affair.

We took the best fit of the projects we found and tried to get it to work, but it did not. It probably worked fine until relatively recently, as blog posts were raving about it until early 2019. As it is now 2021, we guess that the OS world has moved on and left it behind.

The update

At first, the plan was to bug-fix it and do the minimal to get it up and running again. By the time it was apparent that it would not be that easy, we were already far too emotionally invested in getting the project up and running to make the sensible decision to use a different project. Cue far too much engineering effort.

There is an issue tracker in the GitHub repo for full details, but the highlights are:

  • converted to Python 3;
  • added a ton of debug output, so when it goes wrong there is a chance of dealing with it;
  • code consistency improvements and general clean-up;
  • refactored the network configuration it deploys to be in line with modern OSs.

The extension – cache busting

The concept of the tool is great, but as originally written it works best against a subnet of targets rather than a single IP address. An infrastructure scan spreads nicely across the tunnels, but a web application penetration test, where every request goes to the same IP address, ends up with no randomisation of routes at all.

This routing behaviour comes from how the Linux kernel chooses between the next hops of an Equal Cost Multi Path (ECMP) route. It does not pick one at random per packet or per connection: older kernels cached the chosen next hop per destination, and current kernels hash the flow (by default only the source and destination IP addresses) to select it. Either way, scanning a subnet spreads across the tunnels, but every connection to a single target IP resolves to the same tunnel. A practitioner's caveat: on kernels that support it, setting net.ipv4.fib_multipath_hash_policy=1 adds the layer-4 ports to that hash, so each new connection to the same destination can take a different path; ProxyCannon-Revival instead takes the weight-rotation approach described next, which does not depend on that sysctl.

ProxyCannon-Revival now has an optional cache-busting function, enabled with the command line switch “-b”. It continually re-installs the multipath route with freshly randomised next-hop weights and flushes the route cache, so strictly speaking it isn't ECMP anymore; averaged over a period of time it is still pretty much ECMP. The result is that connections to a single IP address are spread across the tunnels rather than pinned to one.

The extension – link health monitor

During testing it was plain to see that sometimes, for reasons outside the script's control, one of the routes would be unhealthy and not function properly. The user then sees confusing timeouts, or a bias towards the routes that still work.

There is now a network link health monitor in place that continually checks to see if the links are behaving as expected and if not, marks them as down so that the script doesn’t try to use them.

This functionality is on by default, but can be turned off with the -m command line argument.
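As an added illustration of what the -b and -m options do underneath (this is not ProxyCannon-Revival's own code), the following builds the multipath default route from only the healthy tunnel links, gives each next hop a freshly randomised weight, and follows it with a cache flush. The interface names and next-hop addresses are assumed, the health probe is injected so the script runs offline, and actually applying the route requires root.

```python
"""Randomised-weight ECMP default route over a set of tunnel links.

Added example of the "-b" cache-busting and "-m" link-monitor ideas; not
ProxyCannon-Revival's code. Interface names (tunN) and next-hop addresses are
constructed for the example. Applying the commands needs CAP_NET_ADMIN.
"""
import random
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class TunnelLink:
    dev: str            # local tunnel interface, e.g. tun0 (assumed name)
    via: str            # far end of the tunnel used as next hop (constructed address)
    healthy: bool = True


def build_route_cmds(links: Iterable[TunnelLink], seed: Optional[int] = None,
                     max_weight: int = 10) -> List[List[str]]:
    """Return the `ip` commands that (re)install the multipath default route.

    Only healthy links become next hops. Each gets a new random weight, so the
    kernel's next-hop choice for a given destination changes after every
    rotation. The trailing cache flush is kept for old kernels that still
    cached the chosen next hop per destination.
    """
    rng = random.Random(seed)
    up = [link for link in links if link.healthy]
    if not up:
        # Never replace the default route with nothing: that would cut the box off.
        raise RuntimeError("no healthy tunnel links; refusing to touch the default route")
    route = ["ip", "route", "replace", "default"]
    for link in up:
        route += ["nexthop", "via", link.via, "dev", link.dev,
                  "weight", str(rng.randint(1, max_weight))]
    return [route, ["ip", "route", "flush", "cache"]]


def monitor_links(links: Iterable[TunnelLink],
                  probe: Callable[[TunnelLink], bool]) -> List[str]:
    """Run `probe` against every link and update its health flag.

    Returns the names of links now marked down. The probe is whatever fits the
    deployment (for example a TCP connect bound to the tunnel's local address);
    it is injected so this stays testable without a network.
    """
    down = []
    for link in links:
        link.healthy = probe(link)
        if not link.healthy:
            down.append(link.dev)
    return down


def rotate(links: List[TunnelLink], seed: Optional[int] = None,
           apply: bool = False) -> List[List[str]]:
    """One cache-busting pass: rebuild the route and optionally apply it."""
    cmds = build_route_cmds(links, seed)
    if apply:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    demo_links = [TunnelLink("tun0", "10.10.0.2"), TunnelLink("tun1", "10.10.1.2"),
                  TunnelLink("tun2", "10.10.2.2")]
    monitor_links(demo_links, lambda link: link.dev != "tun1")  # pretend tun1 is dead
    for cmd in rotate(demo_links, seed=1):
        print(" ".join(cmd))
```

Run the rotate pass from a loop on a short interval with apply=True as root; each pass reinstalls the route with new weights, and the refusal to install an empty next-hop set is what stops a monitor that has marked every link down from taking your own machine offline.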

The extension – faster tunnel IP rotating

Asking AWS (the only cloud provider currently supported) for a new IP address takes approximately two minutes to complete. That is quick enough for some purposes but not for others, such as getting past application-layer IPS detection in web applications.

Tunnel host IP rotation is now fed through a queue with its own pool of thread workers, so more than one host can have its IP rotated at once. The pool is limited to 50% of the number of tunnel hosts, so that there isn't a tragic loss of routes and source IP address entropy while rotations are in flight.

Threaded tunnel host IP rotation is enabled automatically when you run the -b and -r command line arguments together. If you want that level of IP address fluctuation, it is assumed that changing the hosts' IP addresses quickly matters to you.
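The concurrency cap is the security-relevant detail here: while a host is mid-rotation it has no usable public address, so it must be out of the route table, and if too many are out at once the source-IP entropy collapses. The following is an added example of that bounded worker pool, not the project's own code; the AWS Elastic IP release/allocate/associate calls are stood in for by an injected rotate_one callable, and the host names and addresses are constructed.

```python
"""Rotate tunnel-host public IPs in parallel, never more than half at once.

Added example of the queue + worker-pool idea; not ProxyCannon-Revival's code.
`rotate_one` stands in for the real cloud API calls; hosts and IPs are constructed.
"""
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Set


class RotationPool:
    def __init__(self, hosts: List[str]) -> None:
        self.hosts = list(hosts)
        # Cap at 50% so at least half the tunnels keep a working route (and
        # their share of the source-IP entropy) while the rest are rotating.
        self.max_parallel = max(1, len(self.hosts) // 2)
        self._lock = threading.Lock()
        self._in_flight: Set[str] = set()
        self.peak_in_flight = 0
        self.new_ips: Dict[str, str] = {}

    def rotating(self) -> Set[str]:
        """Hosts currently without a usable address; the route builder must skip these."""
        with self._lock:
            return set(self._in_flight)

    def _rotate(self, host: str, rotate_one: Callable[[str], str]):
        with self._lock:
            self._in_flight.add(host)
            self.peak_in_flight = max(self.peak_in_flight, len(self._in_flight))
        try:
            return host, rotate_one(host)
        finally:
            with self._lock:
                self._in_flight.discard(host)

    def run(self, rotate_one: Callable[[str], str]) -> Dict[str, str]:
        """Drain the queue of hosts through the bounded pool; returns host -> new IP."""
        with ThreadPoolExecutor(max_workers=self.max_parallel) as pool:
            for host, ip in pool.map(lambda h: self._rotate(h, rotate_one), self.hosts):
                self.new_ips[host] = ip
        return dict(self.new_ips)


def fake_rotate(host: str) -> str:
    """Stand-in for release/allocate/associate of an Elastic IP (constructed).

    Sleeps to mimic the slow cloud round-trip and returns a documentation address.
    """
    time.sleep(0.05)
    index = int(host.rsplit("-", 1)[1])
    return "203.0.113.%d" % (index + 1)


if __name__ == "__main__":
    hosts = ["tun-host-%d" % i for i in range(4)]
    pool = RotationPool(hosts)
    print(pool.run(fake_rotate))
    print("peak hosts rotating at once:", pool.peak_in_flight)
```

In the real tool the set returned by rotating() is what the route builder would exclude when it reinstalls the multipath route, so traffic is never hashed onto a tunnel whose far end has no address yet.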

Adoption

You Gotta Hack That has adopted this project but welcomes the original authors and newcomers to join in with it if they wish. Hopefully, it will be useful for a while yet to come and plenty of you will be able to demonstrate that simple IPS evasion is easily achievable.

How you can perform IPS evasion with ProxyCannon-Revival

The tool is intended to be really easy to use. It is simply a case of getting an AWS account and API credentials, installing the Python dependencies and executing the appropriate command. The command syntax is currently:

-id, default='ami-d05e75b8', Amazon AMI image ID
-t, default='t2.nano', Amazon AMI image type
--region, default='us-east-1', Select the region
-r, Enable Rotating AMI hosts
-b, Enable multi-path cache busting
-m, Disable link state monitor
-v, Enable verbose logging
--name, Set the name of the instance in the cluster
-i, default='detect', Interface to use, default will result in detecting the default gateway and using that
-l, Enable logging of the WAN IPs that traffic is routed through

num_of_instances, The number of instances you'd like to launch.

You have to tell ProxyCannon-Revival how many instances you want; everything else is optional. We highly recommend -l to log the external IPs in use and -r to rotate those IP addresses periodically.

Usual disclaimer

Please don’t use this script for nefarious purposes. Pentesters == good, law enforcement == good. Bad people == bad.

How QRCodes can be used for a cyber attack | Social Experiment

On a train recently I became fascinated by the hacking opportunities presented by QRCodes, those 2D barcodes that marketing folks seem to be putting on everything. They strike me as a potentially brilliant method of infecting the smartphones of the general public.

Using QRCode for malicious attacks

From a tech point of view the idea is simple: the victim scans the QRCode, which directs them to a malicious web site that delivers the payload.

I ended up with an internal dialogue about the social aspects of this. Questions popped up like:

“What sort of person would actually visit these links?”

“How would the placement of the QRCode affect the level of response?”

“Would a stand-alone QRCode get any hits at all?” and so on. 

Whilst the marketing industry has jumped on this bandwagon, I am yet to see any compelling statistics that actually show people are scanning QRCodes. I decided to try to find the answer to some of these questions, and hopefully gather some other data along the way, with a social experiment.

Creation of QRCode social experiment

So, to be clear before you start asking questions: my experiment will contain no malicious actions or intent whatsoever. This is just an anonymous data-gathering exercise.

This weekend I produced the technical bits behind my project. I decided to run a sort of middle-man operation; the idea is simple.

Create my own QRCodes on stickers to put over the top of other companies' QRCodes.

My QRCodes send people to a unique page on a web site of my own creation. That site records the visit and instantly forwards them on to the original QRCode's destination without the user even knowing. I would pre-populate my database with data about the placement of each QRCode, and not just its location either…

I hope to be able to identify many qualities of the stickers I put up. Some examples are: the time and date the sticker was installed; whether it was placed neatly so that it is not noticeable, or sloppily so that anyone who pays attention will spot it; whether it is a large sticker or a small one; whether I make use of the error correction built into QRCodes to place an image inside the code itself; and so on.
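The "middle man" page is small enough to show in full. The following is an added example of that redirect-and-log service, not the author's code: each sticker ID maps to a pre-registered original destination plus its placement metadata, a scan is recorded with the scanner's address and user agent, and the visitor is sent on with a 302. The sticker IDs, destinations and placement notes are constructed. Note that the destination is looked up from the registry and never taken from the request, so the logger cannot be abused as an open redirect.

```python
"""Minimal redirect-and-log service for a QR sticker experiment.

Added example of the middle-man page described above; not the author's code.
Sticker IDs, destinations and placement metadata are constructed.
Run directly to serve on http://127.0.0.1:8000/s/<sticker-id>.
"""
import time
from typing import Dict, List
from wsgiref.simple_server import make_server

# Pre-populated "database": sticker ID -> original destination and how it was placed.
STICKERS: Dict[str, Dict[str, str]] = {
    "a7k2": {"dest": "https://example.com/promo", "placement": "train carriage, neat, small"},
    "q9x1": {"dest": "https://example.org/menu", "placement": "cafe window, sloppy, large"},
}
VISITS: List[Dict[str, str]] = []   # in-memory visit log (a real run would persist this)


def _respond(start_response, status: str, body: bytes, extra_headers=()):
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"), *extra_headers])
    return [body]


def app(environ, start_response):
    """WSGI app: GET /s/<id> logs the scan and 302s to the registered destination."""
    path = environ.get("PATH_INFO", "")
    sticker_id = path[len("/s/"):] if path.startswith("/s/") else ""
    sticker = STICKERS.get(sticker_id)
    if sticker is None:
        # Unknown or malformed ID: nothing to forward to, and no log entry either.
        return _respond(start_response, "404 Not Found", b"not found")
    VISITS.append({
        "sticker": sticker_id,
        "placement": sticker["placement"],
        "when": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "remote": environ.get("REMOTE_ADDR", ""),
        "ua": environ.get("HTTP_USER_AGENT", ""),
    })
    # Destination comes from the registry, never from the request: no open redirect.
    return _respond(start_response, "302 Found", b"",
                    [("Location", sticker["dest"]), ("Cache-Control", "no-store")])


def visits_for(sticker_id: str) -> List[Dict[str, str]]:
    """Visits recorded for one sticker, for the later analysis."""
    return [v for v in VISITS if v["sticker"] == sticker_id]


if __name__ == "__main__":
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The Cache-Control header matters for the experiment's numbers: without it a phone that scans the same sticker twice may replay the cached redirect and never hit the logger the second time.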

It was obvious pretty quickly that this method was going to be a bit limited: I would only be able to place my stickers over the top of existing QRCodes.

To get a more interesting spread of data I would also like to add stickers at random in public places and see what response those get, again collecting the same placement data. If in six months' time I have a reasonable amount of data, I hope to analyse it and pull out some interesting trends.

Social experiment legal issues

In the meantime, there are legal questions to which I am not sure I know the answer. I believe I could potentially be told off, or given an on-the-spot fine by the police, for littering. I suspect that some of the companies whose QRCodes I will inevitably cover with my own stickers may not be very happy; I don't know what that would be classed as, but I am sure they will come up with something. For the record, all the stickers I have so far, and will get in the future, are designed to be removable for these very reasons. Should I end up in bother over this, I can at least state truthfully that it is just a social experiment designed to cause as little damage as possible, if any.

Watch this space for the data analysis – my bet; hardly any of the stickers will get scanned.

Mozilla Firefox Single Sign On

One of the projects I am working on is getting a multi-tenanted URL filtering proxy to work. That in itself has not been particularly difficult; it's just a case of knowing where to find the various Linux config files in the product we have chosen, NetSweeper. The project is now fully load-balanced with high availability (HA) failover and works perfectly with Internet Explorer and a few other mainstream browsers. It even does man-in-the-middle style SSL interception so that it can filter as much traffic as possible.

Mozilla Firefox has been my downfall on this project. Usually I hold Firefox in high regard, but for all its greatness it is poor at taking proxy settings from the operating system and at using Windows' built-in authentication methods.

There will be another article in a couple of weeks or so, when I next look at this project, about how I bully Firefox into doing the SSL interception and force it to use the proxy settings; at the moment I haven't had time to work on that. What I have done is get Firefox to work with Windows Single Sign On (SSO).

Basically, you can manually set the sites for which you want SSO to be used, simply by visiting a special URL in the browser:

about:config

First of all you get a warning telling you to be careful, and then a very long list of configurable variables. For SSO you need the variable called:

network.automatic-ntlm-auth.trusted-uris

(use the filter bar at the top and search for ntlm)

Double-click this setting and enter the URLs for which you want SSO enabled, like so:

http://internalserver     or     http://www.google.co.uk

If you need more than one URL, just separate them with a comma. Only list hosts you actually trust: Firefox will send the logged-in user's NTLM credentials to any site that matches this list, so an external entry like the Google example above hands your domain authentication to that site.

Now that's all well and good, but in a domain situation you probably need to do this on hundreds of computers. I found a VBScript online that claimed to fix this problem, and it works very well with only one issue: because some of our users have non-standard profile locations, we needed to modify it a little. You can find our version here:

Firefox NTLM Authentication / Single Sign On

Please note, to put that into production you will need to rename the extension to .vbs, put it on a network share and play with group policies. That bit is down to you!
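The linked VBScript is no longer available, so as an added example (not the script the post refers to) here is the same job in Python: find every Firefox profile by reading profiles.ini, which is what catches the non-standard profile locations mentioned above, and write or replace the user_pref line in each profile's user.js, which Firefox applies at next start. The profile paths and the trusted-URI list are assumed; demo() builds a constructed Firefox layout in a temporary directory so it can be run anywhere.

```python
"""Push network.automatic-ntlm-auth.trusted-uris into every Firefox profile.

Added example, not the VBScript the post links to. Reads profiles.ini (so
profiles outside the usual Profiles/ folder are found) and writes user.js.
Profile paths and the trusted-URI list are assumed/constructed.
"""
import configparser
import re
import tempfile
from pathlib import Path
from typing import Dict, List

PREF = "network.automatic-ntlm-auth.trusted-uris"


def profile_dirs(firefox_dir: Path) -> List[Path]:
    """Resolve every profile directory listed in profiles.ini.

    Entries with IsRelative=0 carry an absolute Path, which is how a
    non-standard profile location shows up.
    """
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str               # keep key case: Path, IsRelative
    ini.read(firefox_dir / "profiles.ini", encoding="utf-8")
    found = []
    for section in ini.sections():
        if not section.startswith("Profile") or "Path" not in ini[section]:
            continue
        path = Path(ini[section]["Path"])
        if ini[section].get("IsRelative", "1") == "1":
            path = firefox_dir / path
        found.append(path)
    return found


def set_user_pref(profile: Path, name: str, value: str) -> str:
    """Write or replace one user_pref() line in the profile's user.js."""
    user_js = profile / "user.js"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    line = 'user_pref("%s", "%s");' % (name, escaped)
    existing = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
    pattern = re.compile(r'^user_pref\("%s",.*\);[ \t]*$' % re.escape(name), re.M)
    if pattern.search(existing):
        updated = pattern.sub(lambda _m: line, existing)   # replace stale value in place
    else:
        sep = "" if not existing or existing.endswith("\n") else "\n"
        updated = existing + sep + line + "\n"
    user_js.write_text(updated, encoding="utf-8")
    return line


def apply_to_all_profiles(firefox_dir: Path, trusted_uris: List[str]) -> List[Path]:
    """Set the NTLM trusted-URI pref in every existing profile; returns those touched."""
    done = []
    for profile in profile_dirs(firefox_dir):
        if profile.is_dir():                 # skip stale profiles.ini entries
            set_user_pref(profile, PREF, ",".join(trusted_uris))
            done.append(profile)
    return done


def demo() -> Dict[str, str]:
    """Constructed layout: one standard profile with an old value, one non-standard profile."""
    root = Path(tempfile.mkdtemp())
    firefox = root / "Mozilla" / "Firefox"
    standard = firefox / "Profiles" / "abcd1234.default"
    odd = root / "UserData" / "alice-profile"          # non-standard, absolute path
    standard.mkdir(parents=True)
    odd.mkdir(parents=True)
    (standard / "user.js").write_text(
        'user_pref("%s", "http://old");\nuser_pref("browser.startup.page", 1);\n' % PREF,
        encoding="utf-8")
    (firefox / "profiles.ini").write_text(
        "[General]\nStartWithLastProfile=1\n\n"
        "[Profile0]\nName=default\nIsRelative=1\nPath=Profiles/abcd1234.default\nDefault=1\n\n"
        "[Profile1]\nName=alice\nIsRelative=0\nPath=%s\n" % odd.as_posix(),
        encoding="utf-8")
    touched = apply_to_all_profiles(firefox, ["http://internalserver", "http://www.google.co.uk"])
    return {str(p): (p / "user.js").read_text(encoding="utf-8") for p in touched}


if __name__ == "__main__":
    for profile, contents in demo().items():
        print(profile, "->", contents.strip().splitlines()[0])
```

On a domain you would point it at each user's %APPDATA%\Mozilla\Firefox from a logon script, exactly where the VBScript sat. Newer Firefox releases (60 and later) also accept the same list centrally through enterprise policies (policies.json or the Firefox ADMX templates, Authentication → NTLM), which avoids touching user.js at all.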

I wish I could take credit for this script but I found the original online and then one of my colleagues had a bored 10 minutes so he modified the script for me.

Edit (20151017): The VBScript I referenced is no longer available; here is a Google Cache copy of the article.
