Application of Linux Transparent agent in red team infiltration

The decision to write this article was made after I had solved all the problems and decided to document the process, so a lot of details may have been overlooked.

Problem a: dozen often will be WAF blocked IP how to do? Problem 2: What if I only want to proxy some destination addresses on the Intranet? I think most people’s solution to problem 1 is to keep changing the exit IP address to avoid being blocked, while the solution to problem 2 May be Proxifier or Proxycap.

Proxifier is software that implements the global proxy. The Proxifier supports Http, Https, Socks4a, and Socks5 proxies.

In the process of Windows infiltration, I often use Proxifier to implement Intranet infiltration by agents of process units. By using rules, global traffic of the system can be prevented from being imported into agents. Traffic flows into the Intranet to expose some information about itself.

The above two issues are not a problem on Windows, I used to use Kali Linux a lot for infiltration, but since the update, it has set up the system agent to write its own PAC file, which adds a little bit of a learning barrier and doesn’t seem to work very well. I’ve been using Arch Linux for a while now, installing it on my work machine, my home computer, and I really like the operating system and its ecosystem.

As a result, I have had to start fully adapting to more infiltrated scenarios on Linux, and this has been a rewarding experience for me. This article documents how I learned to build transparent agents myself for a pleasant working environment.

0x01 Transparent Proxy What is a Transparent proxy?

Transparent proxy means that the client does not need to be aware of the presence of a proxy server, which changes your request fields and sends real IP addresses, often used in router NAT forwarding.

Why use a transparent proxy?

Because it allows my machine to be “on” the Intranet, it also allows my machine to be “anywhere in the world.”

As we all know, in Linux under the conventional Intranet penetration needs to use some tools such as: Proxychains to achieve the specified process access to Intranet resources, equivalent to a layer of agents for the program.

Its implementation principle is as follows:

ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies.

LD_PRELOAD is a LD_PRELOAD that maintains Linux permissions

The downside is that every command must be preceded by Proxychains, so Bash shell may not work properly to give us parameter prompts.

All I have to do is use iptables to implement a transparent proxy and have all of my machine’s traffic related to the destination address be imported into the SOcks5 proxy port.

Quiet_mode (#) before the quiet_mode (#) in /etc/proxychains.

The 2020-11-13-20-18-48

Setting up the metasploit global proxy

Metasploit Proxies can be set to proxies to proxies for all subsequent traffic to achieve internal penetration.

The figure illustrates the setup of a layer 2 proxy

0x02 Iptables Firewall under Linux Iptables is a user-space utility that allows a system administrator to configure IP packet filter rules for Linux kernel firewalls implemented as different Netfilter modules. Filters are organized in different tables that contain chains of rules about how network traffic packets are handled. Currently, different kernel modules and programs are used for different protocols. Iptables is for IPv4, ip6tables is for IPv6, arptables is for ARP, and ebtables is for Ethernet frames.

Learning Iptables is a bit of a hurdle and requires some understanding of the relationships between tables, rule chains, actions, and so on. Without further preparation, you can search for articles about Iptables on your own.

Traffic is imported into the Socks proxy

Incoming traffic can be easily redirected by inserting rules into the PREROUTING chain of the NAT table.

Such as:

Iptables -t NAT -a PREROUTING -i eth0 -p TCP –dport 80 -j REDIRECT –to-port 8080 All traffic accessing port 80 of eth0 is redirected to port 8080.

Unlike port forwarding, REDIRECT’s –dport port is not listened on by Iptables.

Redsocks is open source software that redirects socks proxies. It allows us to listen on a port on the system, convert to a remote SOCKS port, and support SOCKs5 authentication, which is really cool. Later, I found that some new Redsocks were still being maintained, but the old version was enough to meet my needs, so I didn’t download it.

Redsocks installation

Install necessary libraries:

ArchLinux: yaourt -s –noconfirm redsocks-git Debian: apt install GCC libevent-dev CentOS: Yum install libevent-devel git GCC

Git clone github.com/darkk/redso… CD redsocks make After the installation is complete, the current directory generates the binary executable file Redsocks. Copy the binary executable file to the environment variable directory, for example, /usr/bin/redsocks

Copy the configuration file redsocks.conf to /etc/redsocks.conf

The RedSocks proxy server is configured

In /etc/redsocks5, lines 61 to 62 are used to set the IP address and port of the Socks5 server:

// ip’ and port’ are IP and tcp-port of proxy-server // You can also use hostname instead of IP, only one (random) // address of multihomed host will be used. ip=; port=; Configure the Redsocks startup identity

To avoid data loopback after port traffic redirection is enabled, use iptables to filter the egress traffic of Redsocks based on UID.

Add a Redsocks group with a Redsocks user:

Groupadd redsocks useradd -g redsocks redsocks change the startup user name and user group of /etc/redsocks.conf.

user = redsocks; group = redsocks; Corresponding firewall rules:

iptables -t nat -A OUTPUT -p tcp -m owner ! — uID-owner Redsocks -j Redsocks does this to push all traffic generated by users other than Redsocks through the Redsocks chain.

0x04 Dodging Mode – Configuring proxy Chain Create custom rule chain

iptables -t nat -N REDSOCKS

Establish REDSOCKS chain

iptables -t nat -A PREROUTING -p tcp -j REDSOCKS

Pass all TCP traffic through the REDSOCKS chain

iptables -t nat -A REDSOCKS -d <SOCKS_API_SERVER> -j RETURN

Permit the API server that obtains the Socks proxy

Iptables -t NAT -a REDSOCKS -d 10.0.0.0/8 -j RETURN

Release Intranet Address

Iptables -t NAT -a REDSOCKS -d 127.0.0.0/8 -j RETURN

Release Intranet Address

Iptables -t NAT -a REDSOCKS -d 169.254.0.0/16 -j RETURN

Release Intranet Address

Iptables -t NAT -a REDSOCKS -d 172.16.0.0/12 -j RETURN

Release Intranet Address

Iptables -t NAT -a REDSOCKS -d 192.168.0.0/16 -j RETURN

Release Intranet Address

iptables -t nat -A REDSOCKS -p tcp -j REDIRECT –to-port 31338

Redirect all TCP traffic to port 31338 after passing through the REDSOCKS chain.

iptables -t nat -A OUTPUT -p tcp -m owner ! –uid-owner redsocks -j REDSOCKS

All outgoing traffic except that generated by Redsocks will be prepared to pass through the Redsocks chain

A separate chain is created to make it easy to empty and create, without contaminating the rules of the built-in chain.

31338 is the default port for Redsocks.

Start the redsocks

Sudo /usr/bin/redsocks -c /etc/redsocks.conf After starting Redsocks, the process owner is automatically changed to Redsocks.

If you access the public network and view the egress IP address, the IP address becomes the egress IP address of the Socks5 proxy server to implement transparent proxy in dot mode.

0x05 Intranet Mode – Configuring the Proxy Chain The Intranet mode is different from the dotted mode, which implements the proxy within the specified IP address range. The dotted mode is “What to put”, and the Intranet mode is “What to want”.

Iptables -t NAT -n REDSOCKS iptables -t NAT -f REDSOCKS # Empty

Iptables -t NAT -a PREROUTING -p TCP -j REDSOCKS iptables -t NAT -a REDSOCKS -p TCP -d 10.0.0.0/8 -j REDIRECT –to-port 31338 iptables -t NAT -a REDSOCKS -p TCP -d 172.0.0.0/8 -j REDIRECT –to-port 31338 iptables -t NAT -a REDSOCKS -p TCP -d 192.168.0.0/16 -j REDIRECT –to-port 31338 iptables -t NAT -a OUTPUT -p TCP -m owner! — uID-owner $redsocks_user -j REDSOCKS

10.0.0.0/8 172.0.0.0/8 192.168.0.0/16 To add an ENTERPRISE network address, you can manually add the following:

Iptables -t NAT -a REDSOCKS -p TCP -d xxx.xxx.xx.xx.XX/XX -j REDIRECT –to-port 31338 Nmap can be used to detect ports, customized tools can be used to work on the Intranet, and VMS running on the local host can be switched to NAT mode to stay on the Intranet.

0x06 Automated Implementation #! /bin/bash redsocks_bin_path=”/usr/bin/redsocks” redsocks_config_file_path=”/etc/redsocks.conf” socks_api_url=’*****’ shell_log_path=”/tmp/socks-switch.log”

ssh port

ssh_port=”22″ redsocks_user=”redsocks”

socks_loging(){ current_time=
( d a t e + (date +”%Y-%m-%d %H:%M:%S”); echo “[*] ” current_time “: ”
1 > > 1 >> shell_log_path echo “[*] “
c u r r e n t t i m e : current_time “: ” 1 }

change_socks(){ local socks_ip= 1; localsocksport=1; local socks_port=1; localsocksport=2; socks_loging “Change Socks: 1,Port:1, Port: 1,Port:2”; Line # 61 is Socks IP sed -i ’61 d redsocksconfigfilepathsed – I “61 I IP = redsocks_config_file_path sed -i” 61 I \ IP = redsocksconfigfilepathsed – I “61 I IP = socks_ip;” $redsocks_config_file_path

Socks Port sed -I '62d' $redsocks_config_FILe_path sed -I "62i\ Port =$socks_port;" $redsocks_config_file_path pkill redsocks socks_loging "Run redsocks...." $redsocks_bin_path -c $redsocks_config_file_pathCopy the code

}

Start_pentest (){uninstall_iptables iptables -t NAT -n REDSOCKS iptables -t NAT -f REDSOCKS # Empty

Iptables -t NAT -a PREROUTING -p TCP -j REDSOCKS iptables -t NAT -a REDSOCKS -p TCP -d 10.0.0.0/8 -j REDIRECT --to-port 31338 iptables -t NAT -a REDSOCKS -p TCP -d 172.0.0.0/8 -j REDIRECT --to-port 31338 iptables -t NAT -a REDSOCKS -p TCP -d 192.168.0.0/16 -j REDIRECT --to-port 31338 unset_iptables set_iptables local socks_ip=$1; -d 192.168.0.0/16 -j REDIRECT --to-port 31338 unset_iptables set_iptables local socks_ip=$1; local socks_port=$2; change_socks $socks_ip $socks_port socks_loging "Change Socks: $1, Port: $2";Copy the code

}

Install_iptables (){iptables -t NAT -f OUTPUT iptables -t NAT -f PREROUTING # If no new local IS_REDsocks =iptables -t nat -nL –line-number |grep REDSOCKS if [ -z “is_redsocks” ]; Then iptables -t NAT -n REDSOCKS fi iptables -t NAT -f REDSOCKS # Clear iptables -t NAT -a PREROUTING -p TCP -j REDSOCKS iptables -t nat -A REDSOCKS -p tcp –dport ssh_port -j RETURN iptables -t nat -A REDSOCKS -d -j RETURN iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN iptables -t NAT -a REDSOCKS -d 127.0.0.0/8 -j RETURN iptables -t NAT -a REDSOCKS -d 169.254.0.0/16 -j RETURN iptables -t NAT -a REDSOCKS -d 172.16.0.0/12 -j RETURN iptables -t NAT -a REDSOCKS -d 192.168.0.0/16 -j RETURN iptables -t NAT -a REDSOCKS -p TCP -j REDIRECT –to-port 31338 socks_loging “Install Success!” }

uninstall_iptables(){ iptables -t nat -F OUTPUT iptables -t nat -F PREROUTING socks_loging “Uninstall iptables …” is_redsocks=iptables -t nat -nvL REDSOCKS |wc -l if [ “$is_redsocks”!=”0″ ]; then iptables -t nat -F REDSOCKS iptables -t nat -X REDSOCKS fi }

set_iptables(){ iptables -t nat -A OUTPUT -p tcp -m owner ! –uid-owner $redsocks_user -j REDSOCKS }

unset_iptables(){ ids=iptables -t nat -nL OUTPUT –line-number | grep REDSOCKS | awk ‘{print $1}’ if [ -z ” ids”]; thensocksloging”NoSetIptables…” returnfiidarray=(ids” ]; then socks_loging “No Set Iptables …” return fi id_array=(ids”]; thensocksloging”NoSetIptables…” returnfiidarray=({ids//\n/ }) socks_loging “REDSOCKS OUTPUT Chian ID : Idarray “foridinid_array” for id in idarray “foridin {id_array [@]} do id = echo $id | egrep -o” [0-9] {1, 4} “if [id! =” “); Theniptables – tnat – DOUTPUTid! = “”); then iptables -t nat -D OUTPUT id! = “”); Theniptables – tnat – DOUTPUTid fi done}

if [ -z ” 1″]; Thenecho “(∗) Usage: 1];” then echo “[*] Usage : 1”]; Thenecho “(∗) Usage: 0 < start | stop | clean | install | uninstall | change IP PORT | pentest IP PORT > 0 start: start the redsocks, Iptables 0start: Starts Redsocks and automatically sets iptables0 stop: starts redsocks and automatically sets iptables0 Iptables 0clean: clears all iptables rules 0 CLEAN: clears all iptables rules 0 Clean: clears all iptables rules 0 Clean: clears all iptables rules 0 Install: clears all iptables rules 0uninstall: Uninstalls the iptables rule 0uninstall: uninstalls the iptables rule 0uninstall: uninstalls the iptables rule 0 change: Change Socks’ IP and port $0 Pentest: Start Intranet penetration, pass Socks’ IP and port “exit 0 fi

if [ “$1” = “install” ]; then install_iptables exit 0 fi

if [ ” 1″=”pentest”]; thenstartpentest1″ = “pentest” ]; then start_pentest 1″=”pentest”]; Thenstartpentest2 $3 exit 0

Simple use of dotting mode (every execution, pull new proxy to API) : 2020-11-13-22-04-21

Sh install sudo./socks-switch.sh start Switch to Intranet mode: 2020-11-13-22-00-56

Sh uninstall sudo./ SOcks-switch. sh pentest Manually specify the IP address and port for SOCKS (the dot-in mode is compatible with Intranet mode) : Sudo./socks-switch.sh change 0x06 Raspberry PI realizes 6 hours to switch once exit WiFi 2020-11-13-21-36-29

This is my idea after I got familiar with transparent proxy, which is suitable for “team operation”, especially Web penetration, which consumes the most IP. Most of the partners in the lab are laptops, so I came up with the idea of using raspberry PI to achieve WiFi that switches the exit once every 6 hours. Of course, Socks penetrating the Intranet can also be turned into a WiFi 🙂

Change the redsocks listening address

If there are multiple nics, change the listening IP address of the redsocks configuration file /etc/redsocks.conf to 0.0.0.0. Otherwise, port 31338 cannot be found when traffic from wlan0 is diverted to eth0.

Local_ip = 0.0.0.0; local_port = 31338; Install the tool for creating aps

Sudo apt-get install util-linux procps hostapd iproute2 iw haveged dnsmasq sudo git clone github.com/oblique/cre… CD create_ap sudo make install create WiFi: /usr/bin/create_ap -w 2 wlan0 eth0

-w enables WPA2

Write AP service scripts

Create wifi.service in /usr/lib/systemd/system/

[Unit] Description=Create AP Service After=network.target

[Service] Type=simple ExecStart=/usr/bin/create_ap -w 2 wlan0 eth0 KillSignal=SIGINT Restart=on-failure RestartSec=5

[Install] WantedBy=multi-user. Target Write a scheduled task script

random-wifi.sh:

#! /bin/bash CD /home/pi/socks-switch systemctl stop wifi # Socks-switch. sh clean # Socks-switch. sh /socks-switch.sh start # sockctl start wifi sudo crontab -e

  • */6 * * * /home/pi/socks-switch/random-wifi.sh # Resets every six hours and obtains a new exit proxy

Shortcomings to be perfected

For example, when switching to a new exit, WiFi is turned off. Currently, the client will automatically search for the next WiFi automatic connection. If the tool is scanning, the real EXIT IP will be found.

Before switching to WiFi, DROP all the traffic of THE WLAN0 network card, so that WiFi does not need to restart.

Through hands-on practice, the pain point of work is solved, and the value of technology can be brought into full play to gain a sense of achievement.

Also implements scientific Internet access during the period of transparent agent, but has nothing to do with work, have to post on the network, harvested quite a lot, about the need to study more, perspective is changeable, as a Web forward agent thinking, though not a common technology, but can solve the problem of some scenes, promote efficiency.