using_proxychains_with_tor_on_kali_linux_2016_en [2019/08/08 15:24] (current)
 +====== Using Proxychains with Tor on Kali Linux 2016 ======
 
 +===== What is proxychains? =====
 +
 +The short explanation is that [[http://proxychains.sf.net/|proxychains]] is a nifty little tool that lets you pipe TCP connections through a proxy, or a chain of multiple proxies, effectively masquerading your public IP address. I'm not going to dig into the technical details here, but if you're interested you can find more information on the project [[http://proxychains.sf.net/|homepage]] or [[https://github.com/haad/proxychains|GitHub]] page.
 +
 +
 +===== What is Tor? =====
 +
 +I assume that, since you've found and are reading this blog post, you have at least some hunch what Tor is. For those interested in a more detailed explanation, here is a link to the project [[https://www.torproject.org/about/overview.html.en|homepage]]. In case you are not that familiar, let's just say that Tor (if used correctly) is a project that aims to help people anonymize their TCP traffic. For our needs, it provides the relays that we can use with proxychains.
 +
 +
 +===== What is Privoxy? =====
 +
 +[[https://www.privoxy.org|Privoxy]] is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.
 +
 +
 +===== Setting things up =====
 +
 +Let's update the repositories first and then install the packages:
 +<sxh bash>
 +apt-get update && apt-get install tor tor-geoipdb privoxy proxychains -y
 +</sxh>
 +
 +Now let's change the Tor configuration:
 +<sxh bash>
 +vim /etc/tor/torrc
 +[...]
 +SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
 +[...]
 +## Logs go to stdout at level "notice" unless redirected by something
 +## else, like one of the below lines. You can have as many Log lines as
 +## you want.
 +##
 +## We advise using "notice" in most cases, since anything more verbose
 +## may provide sensitive information to an attacker who obtains the logs.
 +##
 +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
 +Log notice file /var/log/tor/notices.log
 +## Send every possible message to /var/log/tor/debug.log
 +Log debug file /var/log/tor/debug.log
 +## Use the system log instead of Tor's logfiles
 +Log notice syslog
 +## To send all messages to stderr:
 +#Log debug stderr
 +</sxh>
 +
 +
 +Now we need to configure proxychains to use Tor, and change the way proxychains handles each connection.
 +<sxh bash>
 +vim /etc/proxychains.conf
 +[...]
 +# The option below identifies how the ProxyList is treated.
 +# only one option should be uncommented at time,
 +# otherwise the last appearing option will be accepted
 +#
 +dynamic_chain
 +#
 +# Dynamic - Each connection will be done via chained proxies
 +# all proxies chained in the order as they appear in the list
 +# at least one proxy must be online to play in chain
 +# (dead proxies are skipped)
 +# otherwise EINTR is returned to the app
 +#
 +#strict_chain
 +[...]
 +[ProxyList]
 +# add proxy here ...
 +# meanwile
 +# defaults set to "tor"
 +#socks4         127.0.0.1 9050
 +socks5 127.0.0.1 9050
 +</sxh>
 +
 +Now we need to configure Privoxy to bind to every IP address available on this host. You can keep the default, which is localhost, but sometimes Tor needs to be used from another host, so let's configure it.
 +<sxh bash>
 +vim /etc/privoxy/config
 +[...]
 +#      Suppose you are running Privoxy on an IPv6-capable machine and
 +#      you want it to listen on the IPv6 address of the loopback
 +#      device:
 +#
 +#        listen-address [::1]:8118
 +#
 +listen-address  0.0.0.0:8118
 +#listen-address  127.0.0.1:8118
 +#listen-address  [::1]:8118
 +[...]
 +#      To chain Privoxy and Tor, both running on the same system, you
 +#      would use something like:
 +#
 +        forward-socks5t   /               127.0.0.1:9050 .
 +</sxh>
 +
 +Now we need to enable tor and privoxy at boot time:
 +<sxh bash>
 +systemctl enable tor
 +systemctl enable privoxy
 +</sxh>
 +
 +Now we need to restart the services:
 +<sxh bash>
 +systemctl restart tor
 +systemctl restart privoxy
 +</sxh>
 +
 +Now let's check that both services are listening:
 +<sxh bash>
 +netstat -natup | egrep "(tor|privo)"
 +tcp        0      0 0.0.0.0:8118            0.0.0.0:*               LISTEN      4625/privoxy
 +tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4616/tor
 +</sxh>
 +
 +To check that everything is working properly, configure the browser to use the **proxy IP address 127.0.0.1** and the **port 8118**, tick "use this proxy server for all protocols" and select OK.
 +
 +Now we can access http://check.torproject.org and check that everything is working. Today, 11/15/2015, if the configuration is correct the message will be: Congratulations. This browser is configured to use Tor.
 +
 +Now we can use proxychains to access services such as ssh, as below.
 +<sxh bash>
 +proxychains ssh douglas@200.200.200.10 -p 2221
 +ProxyChains-3.1 (http://proxychains.sf.net)
 +|D-chain|-<>-127.0.0.1:9050-<><>-200.200.200.10:2221-<><>-OK
 +The authenticity of host '[200.200.200.10]:2221 ([200.200.200.10]:2221)' can't be established.
 +ECDSA key fingerprint is SHA256:7/lTNalX5BKbwFN1+lY7fdiZeNupWMKnqFyTfx7kGwc.
 +Are you sure you want to continue connecting (yes/no)? yes
 +Warning: Permanently added '[200.200.200.10]:2221' (ECDSA) to the list of known hosts.
 +douglas@servidor.com.br's password:
 +</sxh>
 +
 +
 +We can use torify to do the same:
 +<sxh bash>
 +torify ssh douglas@200.200.200.10 -p 2221
 +douglas@servidor.com.br's password:
 +</sxh>
 +
 +
 +Let's test proxychains with nmap
 +<sxh bash>
 +proxychains nmap -sS 200.236.31.3 -T4
 +ProxyChains-3.1 (http://proxychains.sf.net)
 +
 +Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-15 11:16 BRST
 +Nmap scan report for debian.c3sl.ufpr.br (200.236.31.3)
 +Host is up (0.014s latency).
 +Not shown: 994 closed ports
 +PORT    STATE    SERVICE
 +21/tcp  open     ftp
 +22/tcp  open     ssh
 +25/tcp  filtered smtp
 +53/tcp  open     domain
 +80/tcp  open     http
 +873/tcp open     rsync
 +
 +Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds
 +</sxh>
 +
 +We can use proxychains with Metasploit, but we need to comment out the proxy_dns line; otherwise Metasploit will not be able to connect to its database.
 +<sxh bash>
 +sed -i 's/^proxy_dns/#proxy_dns/' /etc/proxychains.conf
 +</sxh>
 +
 +
 +Now we can start Metasploit with proxychains.
 +<sxh bash>
 +proxychains msfconsole
 +ProxyChains-3.1 (http://​proxychains.sf.net)
 +
 +
 +         ​. ​                                        .
 + .
 +
 +      dBBBBBBb ​ dBBBP dBBBBBBP dBBBBBb ​ .                       o
 +       ' ​  ​dB' ​                    BBP
 +    dB'​dB'​dB'​ dBBP     ​dBP ​    dBP BB
 +   ​dB'​dB'​dB'​ dBP      dBP     ​dBP ​ BB
 +  dB'​dB'​dB'​ dBBBBP ​  ​dBP ​    ​dBBBBBBB
 +
 +                                   ​dBBBBBP ​ dBBBBBb ​ dBP    dBBBBP dBP dBBBBBBP
 +          .                  .                  dB' dBP    dB'.BP
 +                             ​| ​      ​dBP ​   dBBBB' dBP    dB'.BP dBP    dBP
 +                           ​--o-- ​   dBP    dBP    dBP    dB'.BP dBP    dBP
 +                             ​| ​    ​dBBBBP dBP    dBBBBP dBBBBP dBP    dBP
 +
 +                                                                    .
 +                .
 +        o                  To boldly go where no
 +                            shell has gone before
 +
 +
 +Save 45% of your time on large engagements with Metasploit Pro
 +Learn more on http://​rapid7.com/​metasploit
 +
 +       =[ metasploit v4.12.41-dev ​                        ]
 ++ -- --=[ 1597 exploits - 912 auxiliary - 274 post        ]
 ++ -- --=[ 458 payloads - 39 encoders - 8 nops             ]
 ++ -- --=[ Free Metasploit Pro trial: http://​r-7.co/​trymsp ]
 +
 +msf >
 +</sxh>
 +
 +
 +Be careful with these tools.
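
A defender's check for the three files edited above, as an added example that is not part of the original page: it flags a Privoxy listener bound beyond loopback (0.0.0.0:8118 accepts connections from any host that can reach the machine), a disabled proxy_dns (name lookups then bypass the proxy chain) and active Tor debug logging. The function names and the sample files written by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Print each Privoxy listen-address that is not bound to loopback.
privoxy_exposed() {
  awk '$1 == "listen-address" && $2 !~ /^(127\.|\[::1\]|localhost)/ { print $2 }' "$1"
}

# Succeed when proxy_dns is active, i.e. name lookups go through the chain.
proxychains_dns_proxied() {
  grep -Eq '^[[:space:]]*proxy_dns([[:space:]]|$)' "$1"
}

# Print active "Log debug" lines from torrc (debug logs can hold sensitive data).
tor_debug_logs() {
  grep -E '^[[:space:]]*Log[[:space:]]+debug' "$1"
}

# audit <privoxy config> <proxychains.conf> <torrc>; exit status = number of findings.
audit() {
  findings=0
  for addr in $(privoxy_exposed "$1"); do
    echo "WARN privoxy listens on $addr (reachable from other hosts)"
    findings=$((findings + 1))
  done
  if ! proxychains_dns_proxied "$2"; then
    echo "WARN proxy_dns is off: DNS lookups bypass the proxy chain"
    findings=$((findings + 1))
  fi
  if tor_debug_logs "$3" >/dev/null; then
    echo "WARN tor debug logging is enabled"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample files that mirror the settings shown on this page.
demo() {
  d=$(mktemp -d); rc=0
  printf 'listen-address  0.0.0.0:8118\n#listen-address  127.0.0.1:8118\n' > "$d/privoxy"
  printf 'dynamic_chain\n#proxy_dns\nsocks5 127.0.0.1 9050\n' > "$d/proxychains"
  printf 'SOCKSPort 9050\nLog debug file /var/log/tor/debug.log\n' > "$d/torrc"
  audit "$d/privoxy" "$d/proxychains" "$d/torrc" || rc=$?
  rm -rf "$d"
  return "$rc"
}

case "${1:-}" in --demo) demo ;; ?*) audit "$@" ;; esac
```

Run it with `--demo`, or pass the three paths used on this page: /etc/privoxy/config, /etc/proxychains.conf and /etc/tor/torrc.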