
proxycannon-ng's People

Contributors

404ram, ccammilleri, sprocketsecurity, w9hax

proxycannon-ng's Issues

Terraform Mods do not Properly Update .routecmd

When using terraform destroy and terraform apply, the AWS changes execute successfully but the proxycannon-ng/nodes/aws/.routecmd does not get updated to purge the old hosts out of the route table loadb set. The effect is that random packets get dropped as a result of being routed to hosts that don't exist anymore. Took me a while to figure it out but manually reconciling it fixed the problem as a stopgap.

Error: Incorrect attribute value type

I am getting the 'list of string required' below. I tried replacing /root with ~ without help.

│   on main.tf line 5, in provider "aws":
│    5:   shared_credentials_files = "/root/.aws/credentials"
│
│ Inappropriate value for attribute "shared_credentials_files": list of string required.

install script contains non persistent commands

If the control server is rebooted after running install.sh, the following commands will not survive the reboot. This will cause connectivity issues.

ip rule add from 10.10.10.0/24 table loadb
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Modify these commands so they persist across reboots.
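One way to make the two commands above survive a reboot, as an added example that is not proxycannon-ng's own install.sh: an idempotent runtime script (each rule is checked before it is added, so repeated runs do not duplicate it) started by a oneshot systemd unit once the network is up. The 10.10.10.0/24 subnet and the loadb table come from the issue; the interface name eth0, the script and unit paths, and the use of systemd are assumptions for the example.

```shell
#!/bin/sh
# Added example, not proxycannon-ng's install.sh: persist the control-server's
# policy-routing rule and NAT masquerade across reboots via a oneshot unit.
set -eu

VPN_NET="${VPN_NET:-10.10.10.0/24}"   # OpenVPN client subnet (from the issue)
LB_TABLE="${LB_TABLE:-loadb}"         # policy routing table used for exit-nodes
WAN_IF="${WAN_IF:-eth0}"              # outbound interface (assumed name)

# Print the script that (re)applies the two non-persistent commands.
# `ip rule show` prints the table by name only if it is registered in
# /etc/iproute2/rt_tables, which is what the grep match relies on.
render_apply_script() {
  cat <<EOF
#!/bin/sh
# run at boot by proxycannon-routing.service; safe to run repeatedly
set -e
if ! ip rule show | grep -q "from ${VPN_NET} lookup ${LB_TABLE}"; then
  ip rule add from ${VPN_NET} table ${LB_TABLE}
fi
# iptables -C exits non-zero when the rule is absent, so only then append it
if ! iptables -t nat -C POSTROUTING -o ${WAN_IF} -j MASQUERADE 2>/dev/null; then
  iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
fi
EOF
}

# Print the systemd unit that runs the script after the network is online.
render_unit() {
  cat <<'EOF'
[Unit]
Description=proxycannon-ng control-server policy routing and NAT
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/proxycannon-routing.sh

[Install]
WantedBy=multi-user.target
EOF
}

# Write both files under $1 (defaults to /). Prints the two paths written.
# A non-root $1 is only for staging/testing; the unit's ExecStart still
# points at the real /usr/local/sbin path.
install_persistence() {
  root="${1:-/}"; root="${root%/}"
  script="$root/usr/local/sbin/proxycannon-routing.sh"
  unit="$root/etc/systemd/system/proxycannon-routing.service"
  mkdir -p "${script%/*}" "${unit%/*}"
  render_apply_script > "$script"
  chmod 0755 "$script"
  render_unit > "$unit"
  printf '%s\n%s\n' "$script" "$unit"
}

# usage: sudo sh persist-routing.sh --install
#        sudo systemctl daemon-reload && sudo systemctl enable --now proxycannon-routing.service
if [ "${1:-}" = "--install" ]; then
  install_persistence "${2:-/}"
fi
```

Running the generated script by hand after install is harmless because of the existence checks; that is also what lets the same unit cover both the fresh install and every later boot without keeping a separate iptables-save dump in sync.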

IPs are not getting assigned

Hey guys,

I followed all the steps to setup proxycannon and I am able to connect to the instance using openvpn as well. But I don't see any IPs getting assigned when I do "while true;do curl ifconfig.co;done". It is giving me "curl: (6) Could not resolve host: ifconfig.co" error. I can also see all the instances running properly on AWS.

Using Kali linux for openvpn connection
Here is my openvpn trace:
Wed Jul 17 10:48:09 2019 WARNING: file 'client01.key' is group or others accessible
Wed Jul 17 10:48:09 2019 WARNING: file 'ta.key' is group or others accessible
Wed Jul 17 10:48:09 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 30 2018
Wed Jul 17 10:48:09 2019 library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
Wed Jul 17 10:48:09 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 17 10:48:09 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 17 10:48:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]3.13.170.173:443
Wed Jul 17 10:48:09 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Jul 17 10:48:09 2019 Attempting to establish TCP connection with [AF_INET]3.13.170.173:443 [nonblock]
Wed Jul 17 10:48:10 2019 TCP connection established with [AF_INET]3.13.170.173:443
Wed Jul 17 10:48:10 2019 TCP_CLIENT link local: (not bound)
Wed Jul 17 10:48:10 2019 TCP_CLIENT link remote: [AF_INET]3.13.170.173:443
Wed Jul 17 10:48:10 2019 TLS: Initial packet from [AF_INET]3.13.170.173:443, sid=5aee4d31 12ce02c7
Wed Jul 17 10:48:10 2019 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, [email protected]
Wed Jul 17 10:48:10 2019 VERIFY KU OK
Wed Jul 17 10:48:10 2019 Validating certificate extended key usage
Wed Jul 17 10:48:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 17 10:48:10 2019 VERIFY EKU OK
Wed Jul 17 10:48:10 2019 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, [email protected]
Wed Jul 17 10:48:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Jul 17 10:48:10 2019 [server] Peer Connection Initiated with [AF_INET]3.13.170.173:443
Wed Jul 17 10:48:11 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 17 10:48:11 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.0.0.0 255.0.0.0 net_gateway,route 172.16.0.0 255.240.0.0 net_gateway,route 192.168.0.0 255.255.0.0 net_gateway,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5,peer-id 0,cipher AES-256-GCM'
Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: route options modified
Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: peer-id set
Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: adjusting link_mtu to 1626
Wed Jul 17 10:48:11 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 17 10:48:11 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 17 10:48:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 17 10:48:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 17 10:48:11 2019 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:a3:fd:32
Wed Jul 17 10:48:11 2019 TUN/TAP device tun0 opened
Wed Jul 17 10:48:11 2019 TUN/TAP TX queue length set to 100
Wed Jul 17 10:48:11 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 17 10:48:11 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jul 17 10:48:11 2019 /sbin/ip addr add dev tun0 local 10.10.10.6 peer 10.10.10.5
Wed Jul 17 10:48:11 2019 /sbin/ip route add 3.13.170.173/32 via 10.0.2.2
Wed Jul 17 10:48:11 2019 /sbin/ip route add 0.0.0.0/1 via 10.10.10.5
Wed Jul 17 10:48:11 2019 /sbin/ip route add 128.0.0.0/1 via 10.10.10.5
Wed Jul 17 10:48:11 2019 /sbin/ip route add 10.0.0.0/8 via 10.0.2.2
Wed Jul 17 10:48:11 2019 /sbin/ip route add 172.16.0.0/12 via 10.0.2.2
Wed Jul 17 10:48:11 2019 /sbin/ip route add 192.168.0.0/16 via 10.0.2.2
Wed Jul 17 10:48:11 2019 /sbin/ip route add 10.10.10.1/32 via 10.10.10.5
Wed Jul 17 10:48:11 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 17 10:48:11 2019 Initialization Sequence Completed
Any help would be appreciated :)

Thanks

Can we use VPC/subnets instead of instances?

I think it's worth investigating to see if we can ditch instances altogether and just launch multiple VPCs or subnets to achieve the same desired results of exit-nodes (simple routing and NATing).

note - this only would apply if the control-server and exit-nodes are in the same cloud provider (AWS).

support VPN tunnels from control-server to exit-nodes

As a user I would like to use multiple cloud providers. This would require a VPN tunnel so traffic could be routed out various exit-nodes.

Engineering notes:
there is a blocking issue: the intra-routing with OpenVPN is preventing TCP traffic from traversing the tunnel when destined for the Internet (0.0.0.0/0).

We've tried adding an iroute statement in the ccd for exit-nodes with iroute 0.0.0.0 128.0.0.0
but this isn't helping. UDP and ICMP traffic work ok, but TCP doesn't. Odd. Problem appears to be with traffic being accepted on the tun interface of the exit-node.

TODO:

  • Troubleshoot openvpn configs, perhaps we had something wrong with our configs.
  • Possibly ditch layer 3 tunneling for layer 2. Not optimal, but would probably work. This would require some tweaking to multi-path routing.

missing files

Perhaps you can help: could not find the following files:
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client01.crt
/etc/openvpn/easy-rsa/keys/client01.key

race condition on route deletion scripts

the terraform local provisioner will execute the del_route.bash script on destruction of an exit-node. The way del_route.bash is written, a race condition can exist and an exit-node IP will be removed but later added back by another executing instance of del_route.bash.

engineering notes:
fix this by serializing script execution. try pidof del_script.bash
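The serialisation the engineering note asks for, as an added example that is not proxycannon-ng's own del_route.bash: instead of checking pidof, every add or delete of an exit-node next-hop runs its whole read-modify-write and the route rebuild under an exclusive flock(1), so a second provisioner blocks until the first has finished rather than re-adding a host the first just removed. The state-file layout (one next-hop IP per line), the file paths and the DRY_RUN switch are assumptions for the example; the loadb table name comes from the issues.

```shell
#!/bin/sh
# Added example, not proxycannon-ng's del_route.bash: serialise concurrent
# add/delete of exit-node next-hops with flock(1) so two provisioner runs
# cannot interleave their read-modify-write of the next-hop set.
set -eu

STATE="${STATE:-/var/lib/proxycannon/exitnodes}"  # assumed: one next-hop IP per line
LOCK="${LOCK:-${STATE}.lock}"                     # lock file, kept separate from the state
TABLE="${TABLE:-loadb}"                           # policy table named in the issues
DRY_RUN="${DRY_RUN:-0}"                           # 1 = print the ip(8) command instead of running it

# Build the command that rebuilds the multipath default route from the state
# file. `ip route replace` swaps the whole route in one step, so the table is
# never left half-populated between a delete and a re-add.
render_route_cmd() {
  if [ ! -s "$STATE" ]; then
    printf 'ip route del default table %s\n' "$TABLE"
    return 0
  fi
  printf 'ip route replace default table %s' "$TABLE"
  while IFS= read -r hop; do
    if [ -n "$hop" ]; then
      printf ' nexthop via %s' "$hop"
    fi
  done < "$STATE"
  printf '\n'
}

# update_exit_node add|del IP
# Everything between taking and releasing fd 9 on $LOCK is one critical
# section; a concurrent caller blocks in flock (up to 30 s) instead of racing.
update_exit_node() {
  op="$1"; addr="$2"
  mkdir -p "$(dirname "$STATE")"
  touch "$STATE"
  (
    flock -w 30 9 || { echo "could not lock $LOCK" >&2; exit 1; }
    tmp=$(mktemp "${STATE}.XXXXXX")
    case "$op" in
      add) { grep -vxF "$addr" "$STATE" || true; echo "$addr"; } | sort -u > "$tmp" ;;
      del) grep -vxF "$addr" "$STATE" > "$tmp" || true ;;
      *)   rm -f "$tmp"; echo "usage: update_exit_node add|del IP" >&2; exit 2 ;;
    esac
    mv "$tmp" "$STATE"   # rename is atomic: readers never see a partial file
    cmd="$(render_route_cmd)"
    if [ "$DRY_RUN" = 1 ]; then
      echo "$cmd"
    else
      sh -c "$cmd"
    fi
  ) 9>"$LOCK"
}

# usage from a destroy provisioner: sh del_route.sh del 203.0.113.10
case "${1:-}" in
  add|del) update_exit_node "$1" "${2:?exit-node IP required}" ;;
esac
```

Because the lock is held across the rebuild as well as the file update, the route in table loadb always reflects the state file at the moment it was written; a pidof check only tells a script that another copy exists, it does not make the two copies agree on the result.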

Sexy

y'all too sexy
