Breakpointing-Bad-Public
/
vpn-attacks
7
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
33 Commits
1 Branch
0 Tags
530 MiB
Tree: 0a4e3bb714
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0a4e3bb714'
${ noResults }
vpn-attacks/README.md

154 lines
4.6 KiB
Raw Normal View History

Initial commit
4 years ago
adding original attack test scripts and demos
4 years ago
Update 'README.md'
4 years ago
adding original attack test scripts and demos
4 years ago
Update 'README.md'
4 years ago
adding original attack test scripts and demos
4 years ago
Update 'README.md'
4 years ago
adding original attack test scripts and demos
4 years ago
Update 'README.md'
4 years ago
Update 'README.md'
4 years ago
Update 'README.md'
4 years ago
Update 'README.md'
4 years ago
Update 'README.md'
4 years ago
Update 'README.md'
4 years ago
Update 'README.md'
4 years ago
Update 'README.md'
4 years ago
  1. # vpn-attacks
  4. ##### Attack Machine Environment
  6. * C++
  7. * libtins (http://libtins.github.io/download/)
  10. ## Server-side attack
  13. #### Requirements
  15. * VPN client connected to a VPN server
  16. * Attack machine sitting somewhere in between VPN server and client forwarding all traffic between the two
  18. ***Note:*** Full virtual test environment setup for the server-side attack is detailed in the README within the `virtual-test-environment` folder
  21. #### Running the DNS Attack Script
  23. 1. Change to udp-dns attack folder - `cd server-side-attack/dns-sside/full_scan`
  24. 2. Compile attack script - `make`
  25. 3. Check to make sure vpn server has a conntrack entry for some vpn client's dns lookup (on vpn-server vm): `sudo conntrack -L | grep udp`
  26. 3. Try to inject from attack router - `sudo ./uud_send <dns_server_ip> <src_port (53)> <vpn_server_ip> <start_port> <end_port>`
  30. ## Client-side attack
  33. #### Requirements
  35. * VPN client connected to a VPN server
  36. * Reverse path filtering disabled on the VPN client machine
  37. * Attack machine acting as the local network gateway for the victim (VPN client) machine using hostapd, create_ap, or Ubuntu's built-in hotspot feature.
  39. #### Running the Full Attack Script
  41. * Rebuild all the attack scripts: `./rebuild_all.sh`
  42. * `cd full_attack`
  43. * Change `attack.sh` vars to appropriate values
  44. * `sh attack.sh <remote_ip>`
  46. ***Note:*** `remote_ip` specifies the IP address of the HTTP site.
  49. #### Testing Indivual attack phases
  52. ##### Phase 1 - Infer victim's private address
  54. * `cd first_phase`
  55. * `python3 send.py <victim_public_ip> <private_ip_range>`
  57. ***Note:*** `private_ip_range` specifies a `/24` network such as `10.7.7.0`.
  60. ##### Phase 2 - Infer the port being used to talk to some remote address
  62. * `cd sec_phase`
  63. * Edit `send.cpp` to use the correct MAC addresses
  64. * `g++ send.cpp -o send -ltins`
  65. * `./send <remote_ip> <remote_port> <victim_wlan_ip> <victim_priv_ip>`
  67. ***Note:*** `<remote_ip>` is the address we wanna check if the client is connected to and the `<remote_port>` is almost always 80 or 443. The `<victim_wlan_ip>` is the public address of the victim and `<victim_priv_ip>` was found in phase 1. If the scripts not sniffing any challenge acks, then edit the `send.cpp` file to uncomment the `cout` line that prints out the remainder to check if the size of the encrypted packets has slightly changed on this system.
  70. ##### Phase 3 - Infer exact sequence number and in-window ack
  72. * `cd third_phase`
  73. * Edit `send.cpp` to use the correct MAC addresses
  74. * `g++ send.cpp -o send -ltins`
  75. * `./send <remote_ip> <remote_port> <victim_wlan_ip> <victim_priv_ip> <victim_port>`
  78. ***Note:*** `<victim_port>` was found in phase 2. This script currently just injects a hardcoded string into the TCP connnection but could be easily modified.
  80. ## Tested operating systems, applications, and VPN providers
  82. ##### Operating systems
  84. * iOS (up to v12.4.1)
  85. * Android (up to v10)
  86. * Ubuntu (v20.04)
  87. * Fedora (v31)
  88. * Debian (v10.2)
  89. * Arch (v2019.05)
  90. * Manjaro (v18.1.1)
  91. * MX Linux (v19)
  92. * Slackware (v14.2)
  93. * Void Linux (rolling)
  94. * Devuan (v2.1)
  95. * Deepin (v15.11)
  96. * FreeBSD (v12.1)
  97. * OpenBSD (v6.6)
  98. * macOS (Sierra, High Sierra, Mojave)
  100. ##### VPN Providers and applications
  102. * Mullvad
  103. * PIA
  104. * ProtonVPN
  105. * PureVPN
  106. * FrootVPN
  107. * VyperVPN
  108. * ExpressVPN
  109. * SlickVPN
  110. * TunnelBear
  111. * SoftEther
  112. * Hotspot Shield
  113. * Betternet
  114. * SecurityKiss
  115. * Spotflux
  116. * CyberGhost
  117. * Surfshark
  118. * IPVanish
  119. * TorGuard
  120. * StrongVPN
  121. * Wang VPN
  122. * Pupa VPN
  123. * Thunder VPN
  124. * Galaxy VPN
  125. * SecureVPN
  126. * Panda VPN Pro
  127. * NordVPN
  128. * SuperVPN Free
  129. * VPN Free
  130. * Wuma VPN PRO
  131. * Xiaoming VPN
  132. * SurfVPN
  133. * BlueWhale VPN
  134. * Orbot
  135. * Lantern
  136. * Psiphon
  138. #### Source Code License
  140. Copyright (C) 2018-2021 Breakpointing Bad unless otherwise noted.
  141. Where another license is included, please follow the licensing and
  142. redistribution clauses of the author.
  144. These program are free software: you can redistribute it and/or modify
  145. it under the terms of the GNU General Public License as published by
  146. the Free Software Foundation, either version 3 of the License, or
  147. (at your option) any later version.
  149. This program is distributed in the hope that it will be useful,
  150. but WITHOUT ANY WARRANTY; without even the implied warranty of
  151. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  152. GNU General Public License for more details.
  154. You should have received a copy of the GNU General Public License
  155. along with this program. If not, see <http://www.gnu.org/licenses/>.