[UPDATE] Creating your own private botnet for scanning.

by | Sep 26, 2015 | #_shellntel, Blog, Penetration Testing

This is an update to an older post that can be found here.  Since createProxy’s initial release, we’ve received some great feedback and, as a result, we made some improvements.   There were several shortcomings with the previous version, all of which rested on the use of ProxyChains.  ProxyChains is old, outdated, and failed to support  protocols such as  UDP or ICMP or Java apps (i.e. Burp).  So it was re-written, code can be found: https://github.com/Shellntel/scripts/blob/master/proxyCannon.py

The original version used SSH’s ability to create SOCKS proxies; however, as it turns out SSH also supports the ability to create both layer 2 and layer 3 tunnels.  These are different than SOCKS connection, in that a fully-fledged network tunnel is established between the two endpoints.  Find more details on how to set this up here.

The new proxyCannon script takes advantage of this feature by building VPN tunnels to each EC2 instance and round robining locally generated traffic between each one.  Since we’re using the local systems routing table all session information will be retained (i.e. TCP streams are not split between systems).  Furthermore, now we can push any network based traffic across it: TCP, UDP, ICMP and more.

Below are some pictures of proxyCannon in use:

An example of the script starting up 3 ami-d05e75b8 (ubuntu) instances on t2.micro hardware in the us-east-1 region.

Next, in a new tab we verify that our connections are up

Here we can see that 3 SSH connections are successfully established to each public IP of the ec2 instances started

And here we can see that 3 new interfaces were created, one for each SSH tunnel established with everything stood up, we run a simple test.  In one tab we run a simple ping with a count of 3.

We can see that each ICMP packet is sent through a different EC2 node.  Also note the time stamps on the packet each node is used randomly!

That it!  Browsers, pentesting tools, whatever, should all work seamlessly.  To close down the proxy, just go back to your first tab and hit enter.

Any questions, comment or bugs, please feel free to submit them to github.  Thanks!