* Attack machine sitting somewhere in between VPN server and client forwarding all traffic between the two
* Attack machine sitting somewhere in between VPN server and client forwarding all traffic between the two
***Note:*** Full virtual test environment setup for the server-side attack is detailed in the README within the `virtual-test-environment` folder
***Note:*** Full virtual test environment setup for the server-side attack is detailed in the README within the `virt-lab` folder
#### Running the DNS Attack Script
#### Running the DNS Attack Script
1. Change to udp-dns attack folder - `cd server-side-attack/dns-sside/full_scan`
1. Change to udp-dns attack folder - `cd other-end-attack/dnuss/full_scan`
2. Compile attack script - `make`
2. Compile attack script - `make`
3. Check to make sure vpn server has a conntrack entry for some vpn client's dns lookup (on vpn-server vm): `sudo conntrack -L | grep udp`
3. Check to make sure vpn server has a conntrack entry for some vpn client's dns lookup (on vpn-server vm): `sudo conntrack -L | grep udp`
3. Try to inject from attack router - `sudo ./uud_send <dns_server_ip> <src_port (53)> <vpn_server_ip> <start_port> <end_port>`
3. Try to inject from attack router - `sudo ./uud_send <dns_server_ip> <src_port (53)> <vpn_server_ip> <start_port> <end_port>`
@ -34,7 +37,8 @@
* VPN client connected to a VPN server
* VPN client connected to a VPN server
* Reverse path filtering disabled on the VPN client machine
* Reverse path filtering disabled on the VPN client machine
* Attack machine acting as the local network gateway for the victim (VPN client) machine using hostapd, create_ap, or Ubuntu's built-in hotspot feature.
* Attack router acting as the local network gateway for the victim (VPN client) machine
#### Running the Full Attack Script
#### Running the Full Attack Script
@ -77,79 +81,3 @@
***Note:*** `<victim_port>` was found in phase 2. This script currently just injects a hardcoded string into the TCP connnection but could be easily modified.
***Note:*** `<victim_port>` was found in phase 2. This script currently just injects a hardcoded string into the TCP connnection but could be easily modified.
## Tested operating systems, applications, and VPN providers
##### Operating systems
* iOS (up to v12.4.1)
* Android (up to v10)
* Ubuntu (v20.04)
* Fedora (v31)
* Debian (v10.2)
* Arch (v2019.05)
* Manjaro (v18.1.1)
* MX Linux (v19)
* Slackware (v14.2)
* Void Linux (rolling)
* Devuan (v2.1)
* Deepin (v15.11)
* FreeBSD (v12.1)
* OpenBSD (v6.6)
* macOS (Sierra, High Sierra, Mojave)
##### VPN Providers and applications
* Mullvad
* PIA
* ProtonVPN
* PureVPN
* FrootVPN
* VyperVPN
* ExpressVPN
* SlickVPN
* TunnelBear
* SoftEther
* Hotspot Shield
* Betternet
* SecurityKiss
* Spotflux
* CyberGhost
* Surfshark
* IPVanish
* TorGuard
* StrongVPN
* Wang VPN
* Pupa VPN
* Thunder VPN
* Galaxy VPN
* SecureVPN
* Panda VPN Pro
* NordVPN
* SuperVPN Free
* VPN Free
* Wuma VPN PRO
* Xiaoming VPN
* SurfVPN
* BlueWhale VPN
* Orbot
* Lantern
* Psiphon
#### Source Code License
Copyright (C) 2018-2021 Breakpointing Bad unless otherwise noted.
Where another license is included, please follow the licensing and
redistribution clauses of the author.
These program are free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
