This is my presentation about threat intelligence at B33F H4CK1NG in July 2024, which is the book club under B33F 50μP CTF team.

In some situations, due to the need for anonymity, it’s crucial to employ various techniques and tools to protect one’s identity and personal information.

As a red team, hiding our IP is crucial: we can use VPNs (Virtual Private Networks) or proxies to change the IP we appear from, and red team IP addresses are often blocked by the blue team once spotted. (And of course, you can use the same tools to bypass internet firewalls like the GFW, i.e. 翻牆, "climbing the wall".)

Understanding and implementing these measures can significantly enhance your ability to remain anonymous in the digital world.

VPN

  • Encryption
  • Some small VPNs may be dangerous and lack anonymity
  • Long-term connection
  • Set up your own VPN
    • Wireguard
    • OpenVPN
    • Softether VPN
    • sshuttle
  • Other VPN Solutions
    • Paid Products
      • Don’t buy them using your real identity if you are doing cyber crimes.
      • No log policy.
      • No recommendation links here XD
    • Free
      • Be aware of “free” VPNs. There is no such thing as a free lunch.
      • Warp (though it’s not a real VPN and you can’t switch servers)
      • Softether VPN Gate
      • Proton VPN

Proxy


  • Man in the middle: the proxy sits between you and the destination and sees your traffic
  • HTTP proxy, SOCKS proxy…
  • Usually no encryption of its own
  • Short-term connection

Where to get proxy?

  • free/paid proxy list
    • Use at your own risk
    • No recommendation links here, too
  • proxybroker2
    • docker run --rm bluet/proxybroker2 find -l 1 --types SOCKS5 --countries US

How to use proxy?

Note: Pay attention to the proxy scheme (http://, socks://, socks5://…); each scheme is a different protocol and the wrong one simply won’t work.

Easiest way: curl

$ curl --proxy "socks://188.165.223.183:43099" ipinfo.io
{
  "ip": "188.165.223.183",
  "hostname": "ns3044261.ip-188-165-223.eu",
  "city": "Lille",
  "region": "Hauts-de-France",
  "country": "FR",
  "loc": "50.6330,3.0586",
  "org": "AS16276 OVH SAS",
  "postal": "59000",
  "timezone": "Europe/Paris",
  "readme": "https://ipinfo.io/missingauth"
}

proxychains4

If you want to use proxy for all traffic in an application, use proxychains.

$ cat sample.conf
[ProxyList]
socks4 188.165.223.183 43099
$ proxychains4 -f sample.conf curl http://ipinfo.io/
[proxychains] config file found: sample.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.17-git-2-g821249f
[proxychains] Dynamic chain  ...  188.165.223.183:43099  ...  34.117.59.81:80  ...  OK
{
  "ip": "188.165.223.183",
  "hostname": "ns3044261.ip-188-165-223.eu",
  "city": "Lille",
  "region": "Hauts-de-France",
  "country": "FR",
  "loc": "50.6330,3.0586",
  "org": "AS16276 OVH SAS",
  "postal": "59000",
  "timezone": "Europe/Paris",
  "readme": "https://ipinfo.io/missingauth"
}

If you want to use a browser, proxychains4 -f sample.conf firefox (or whichever browser you like) will launch the browser and tunnel all its traffic through that proxy, which is really powerful.

Proxychains can also proxy through many servers like Me -> Server A -> Server B -> Destination.
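The scheme note above and the multi-hop chain both come down to the same bookkeeping: which proxy protocol each hop speaks, and who resolves the destination hostname. The script below is an added example written for this post (it is not code from curl, proxychains-ng or the B33F team): it parses curl-style proxy URLs, flags the schemes under which curl still resolves DNS locally (http://, socks4://, socks5://; only socks4a:// and socks5h:// hand the name to the proxy, and a bare socks:// is SOCKS4), and renders a proxychains-ng config with `proxy_dns` and the hops listed in traversal order (Me -> first entry -> … -> last entry -> destination). The function names and the sample addresses (documentation ranges) are constructed for the example.

```python
"""Build a proxychains-ng config from curl-style proxy URLs.

Added example for this post, not code from proxychains-ng or curl. The scheme
table follows curl's documented proxy schemes and proxychains-ng's config
format; the function names and the sample proxy list are constructed.
"""
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# curl proxy scheme -> (proxychains-ng proxy type, does the PROXY resolve the
# target hostname?). With http://, socks4:// and socks5:// curl resolves the
# destination name locally, so the DNS query leaves from your real IP even
# though the TCP connection goes through the proxy. Only socks4a:// and
# socks5h:// hand the hostname to the proxy. A bare socks:// is SOCKS4 in curl.
SCHEMES = {
    "http":    ("http",   False),
    "socks":   ("socks4", False),
    "socks4":  ("socks4", False),
    "socks4a": ("socks4", True),
    "socks5":  ("socks5", False),
    "socks5h": ("socks5", True),
}

CHAIN_TYPES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}


class Proxy(NamedTuple):
    ptype: str               # proxychains type: http | socks4 | socks5
    host: str
    port: int
    user: Optional[str]
    password: Optional[str]
    remote_dns: bool         # True if curl would let this proxy resolve names


def parse_proxy(url: str) -> Proxy:
    """Parse 'scheme://[user:pass@]host:port'; reject anything ambiguous."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported proxy scheme {scheme!r} in {url!r}")
    if not parts.hostname or parts.port is None:   # .port raises on junk ports
        raise ValueError(f"proxy URL needs an explicit host and port: {url!r}")
    if parts.username and parts.password is None:
        raise ValueError(f"proxychains needs both user and password: {url!r}")
    ptype, remote_dns = SCHEMES[scheme]
    return Proxy(ptype, parts.hostname, parts.port,
                 parts.username, parts.password, remote_dns)


def dns_leak_risks(urls: List[str]) -> List[str]:
    """URLs that, used directly with `curl --proxy`, still resolve DNS locally."""
    return [u for u in urls if not parse_proxy(u).remote_dns]


def proxychains_conf(urls: List[str], chain: str = "dynamic_chain",
                     proxy_dns: bool = True) -> str:
    """Render a proxychains-ng config. Hops are written in the order they are
    traversed: the first entry is the hop closest to you, the last one talks
    to the destination. strict_chain requires every hop to be up; dynamic_chain
    skips dead hops."""
    if chain not in CHAIN_TYPES:
        raise ValueError(f"unknown chain type {chain!r}")
    hops = [parse_proxy(u) for u in urls]
    if not hops:
        raise ValueError("at least one proxy is required")
    lines = [chain]
    # proxy_dns makes proxychains resolve names through the chain instead of
    # the local resolver; without it every hostname lookup reveals your IP.
    lines.append("proxy_dns" if proxy_dns else "# proxy_dns  (disabled: DNS leaks locally)")
    lines += ["tcp_read_time_out 15000", "tcp_connect_time_out 8000", "", "[ProxyList]"]
    for h in hops:
        entry = f"{h.ptype} {h.host} {h.port}"
        if h.user:                   # proxychains syntax: type host port [user pass]
            entry += f" {h.user} {h.password}"
        lines.append(entry)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample chain (documentation-range addresses, not real proxies).
    sample = ["socks5h://192.0.2.10:1080",
              "http://user:pw@198.51.100.7:3128",
              "socks://203.0.113.5:43099"]
    print(proxychains_conf(sample, chain="strict_chain"))
    print("used directly with curl, these would leak DNS:", dns_leak_risks(sample))
```

Save the printed config as sample.conf and run `proxychains4 -f sample.conf curl http://ipinfo.io/` exactly as above; the `[proxychains] Dynamic chain ... OK` line should then list every hop in order. When you use curl directly instead, prefer a socks5h:// or socks4a:// URL so the destination name is resolved by the proxy rather than by your own resolver.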

FoxyProxy

A great proxy browser extension. Try it on your own!

Food for thought

If you have a VPS (or a compromised server), how do you turn that VPS into a proxy?

Hint: SSH pivoting, i.e. dynamic port forwarding (the easiest way)

See https://johnliu55.tw/ssh-tunnel.html for more information.

What if you don’t have ssh access, only RCE?

Reference answer: Proxy or tunnel tools like Chisel, frp…