[RedTeam] Rotating Source IPs (Part 2) — Cloud Proxy

Intro

I talked about a technique to rotate the source IPs using AWS API Gateways in one of my previous blogs:

This time, I will demonstrate another way to hide the source IPs: multiple cloud VMs + SOCKS proxies established over SSH + automatic rotation between those proxies. I will use AWS as the cloud provider and two open-source tools for this demonstration: cloud-proxy (creates the VMs and establishes the SOCKS proxies) and proxy-ng (uses the multiple SOCKS proxies in random order).

Installation

AWS Setup

1. Login to your AWS account
2. Create an Access Key
3. Install AWS CLI (*I am using MacOS for this setup)

$ curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
$ unzip awscli-bundle.zip
$ sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws

4. Configure Secret Keys with AWS CLI

$  aws configure
AWS Access Key ID: <YOUR KEY ID>
AWS Secret Access Key: <YOUR SECRET ACCESS KEY>
Default region name [us-east-2]: us-east-2
Default output format [json]: json

5. Configure SSH Key with AWS

### Create a New Key Pair
### Download the .pem file to your $HOME directory 
$ mv ~/Downloads/bigb0ss_cloudproxy.pem $HOME/.ssh/
### Change the permission
$ chmod 600 $HOME/.ssh/bigb0ss_cloudproxy.pem
### Create a Public Key associated with .pem
$ ssh-keygen -y -f $HOME/.ssh/bigb0ss_cloudproxy.pem > $HOME/.ssh/id_rsa_bigb0ss_cloudproxy.pub
-y: This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.

6. Set All the AWS Regions to Environment Variable

$ AWS_REGIONS="$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)"
$ echo $AWS_REGIONS
eu-north-1 ap-south-1 eu-west-3 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2

7. Deploy SSH Public Key to Each AWS Region

$ for each_region in ${AWS_REGIONS} ; do aws ec2 import-key-pair --key-name bigb0ss_cloudproxy --public-key-material fileb://$HOME/.ssh/id_rsa_bigb0ss_cloudproxy.pub --region $each_region ; done

Install cloud-proxy

$ git clone https://github.com/tomsteele/cloud-proxy
$ cd cloud-proxy
$ go get golang.org/x/crypto/sha3
$ go build main.go regions.go templates.go
$ mv main cloud-proxy

Install proxy-ng

### Compile the Sourcecode
$ git clone https://github.com/jamesbcook/proxy-ng.git
$ cd proxy-ng
$ make

or

### Download the Binary from the Release Page (https://github.com/jamesbcook/proxy-ng/releases)
$ wget https://github.com/jamesbcook/proxy-ng/releases/download/0.2.0/proxy-ng-darwin

Install Terraform

[WARNING] cloud-proxy is currently compatible with Terraform v0.12 ONLY! You will run into syntax errors if you are trying to run cloud-proxy with the latest Terraform.

### Terraform Download: https://www.terraform.io/downloads.html
$ wget https://releases.hashicorp.com/terraform/0.12.24/terraform_0.12.24_darwin_amd64.zip
$ unzip terraform_0.12.24_darwin_amd64.zip
$ sudo mv terraform /usr/local/bin && sudo chmod +x /usr/local/bin/terraform

Running Cloud Proxy

Update cloud-proxy Config

### Create secrets.tfvars
$ cd ~/tools/cloud-proxy/
$ vi secrets.tfvars
do_token = "YOUR_DO_TOKEN" # DigitalOcean only; not needed for AWS
do_ssh_fingerprint = "YOUR:SSH:FINGERPRINT" # DigitalOcean only; not needed for AWS
aws_access_key = "<YOUR KEY ID>"
aws_secret_key = "<YOUR SECRET ACCESS KEY>"
aws_key_name = "bigb0ss_cloudproxy"

Initiating Terraform

### Necessary File Creation
$ ./cloud-proxy -aws -count 3
--> This first run fails with a warning, but it writes the Terraform (.tf) files. Then run...
### Initiating Terraform
$ terraform init
--> This initializes Terraform against the .tf files created by cloud-proxy.

Running cloud-proxy

### Creating 3 AWS EC2 Instances & Establish SOCKS
$ ./cloud-proxy -aws -count 3 -key-location "$HOME/.ssh/bigb0ss_cloudproxy.pem"
cloud-proxy running

Now we have successfully created 3 EC2 cloud VMs, and the tool has established a SOCKS proxy tunnel to each of them using SSH dynamic port forwarding.

func createTunnels() (cloud-proxy main.go)

Netcat to check:

Running proxy-ng

### Config File (*If you run more than 4 EC2 instances, add more proxy ports here)
$ cat socks5-proxies.json

{
  "Proxies": [
    "127.0.0.1:55555",
    "127.0.0.1:55556",
    "127.0.0.1:55557",
    "127.0.0.1:55558"
  ]
}

### Running proxy-ng
$ ./proxy-ng -socksFile socks5-proxies.json

Netcat to check:

Proxy-ng opens the following ports:
* 9292 for the local socks proxy
* 9293 for the local http proxy
* You can also automatically rotate the user-agents by configuring the tool with "useragents.json" file

Example Usage

With the current cloud proxy setup:

  • 3 AWS EC2 VMs are running
  • Each VM is reachable through a local SOCKS proxy on port 55555, 55556 and 55557
  • proxy-ng created another local proxy on port 9292 that randomly rotates between those VM SOCKS proxies

To use this, you can utilize the proxychains tool. Update the /etc/proxychains.conf file to add `socks5 127.0.0.1 9292` at the end of the file.

$ vi /etc/proxychains.conf
...snip...
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9292

Then you can run, for example, a network scan through proxychains:

$ proxychains nmap -Pn --open -sV -sC -iL enemy_ips.txt 

or

Allow your browser to use the local SOCKS to pass your traffic through them.

Using FoxyProxy for Browser Proxy Configuration
Using Burp’s SOCKS Proxy for Browser Proxy Configuration

Final Testing

I created another cloud VM and started a simple Python web server hosting a page that displays “[+] Proxy Testing.” I then browsed to the page via the VM’s public IP while my browser was configured to use the Cloud Proxy, and you can see that as I browsed the page, the source IPs kept changing.
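From the server side, this final test is also exactly what a defender would look for: one browser session arriving from several source IPs within a short window. As an added example (not part of the original post), the Python below parses constructed combined-format access-log lines from such a test VM and flags any User-Agent seen from three or more distinct IPs inside a five-minute window; the thresholds and the use of User-Agent as the session key are assumptions (a real detection would key on a session cookie or token).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format log lines standing in for the test VM's access log:
# the same browser session (same User-Agent) shows up from changing client IPs,
# plus one unrelated curl request that should not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 52 "-" "Mozilla/5.0 (Macintosh) Firefox/76.0"
203.0.113.10 - - [12/May/2020:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Macintosh) Firefox/76.0"
198.51.100.22 - - [12/May/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 52 "-" "Mozilla/5.0 (Macintosh) Firefox/76.0"
192.0.2.77 - - [12/May/2020:10:00:14 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh) Firefox/76.0"
198.51.100.23 - - [12/May/2020:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 52 "-" "Mozilla/5.0 (Macintosh) Firefox/76.0"
203.0.113.99 - - [12/May/2020:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 52 "-" "curl/7.64.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, user_agent) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("ua")

def find_rotating_clients(log_text, window=timedelta(minutes=5), min_ips=3):
    """Group requests by User-Agent (assumed session key) and flag any group that
    used at least min_ips distinct source IPs within one sliding time window.
    Returns {user_agent: sorted list of IPs} for the flagged groups."""
    by_ua = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, ua = parsed
            by_ua[ua].append((ts, ip))
    flagged = {}
    for ua, events in by_ua.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[ua] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for ua, ips in find_rotating_clients(SAMPLE_LOG).items():
        print(f"rotating source IPs for {ua!r}: {ips}")
```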

Thanks for reading!

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
