# vpn-attacks

##### Attack Machine Environment

* C++
* libtins (http://libtins.github.io/download/)

## Server-side attack

#### Requirements

* VPN client connected to a VPN server
* Attack machine sitting somewhere in between the VPN server and client, forwarding all traffic between the two

***Note:*** Full virtual test environment setup for the server-side attack is detailed in the README within the `virt-lab` folder.

#### Running the DNS Attack Script

1. Change to the udp-dns attack folder - `cd other-end-attack/dnuss/full_scan`
2. Compile the attack script - `make`
3. Check that the VPN server has a conntrack entry for some VPN client's DNS lookup (on the vpn-server VM): `sudo conntrack -L | grep udp`
4. Try to inject from the attack router - `sudo ./uud_send `

## Client-side attack

#### Requirements

* VPN client connected to a VPN server
* Reverse path filtering disabled on the VPN client machine
* Attack router acting as the local network gateway for the victim (VPN client) machine

#### Running the Full Attack Script

* Rebuild all the attack scripts: `./rebuild_all.sh`
* `cd full_attack`
* Change the `attack.sh` vars to appropriate values
* `sh attack.sh `

***Note:*** `remote_ip` specifies the IP address of the HTTP site.

#### Testing Individual attack phases

##### Phase 1 - Infer victim's private address

* `cd first_phase`
* `python3 send.py `

***Note:*** `private_ip_range` specifies a `/24` network such as `10.7.7.0`.

##### Phase 2 - Infer the port being used to talk to some remote address

* `cd sec_phase`
* Edit `send.cpp` to use the correct MAC addresses
* `g++ send.cpp -o send -ltins`
* `./send `

***Note:*** `` is the address we want to check whether the client is connected to, and `` is almost always 80 or 443. `` is the public address of the victim and `` was found in phase 1.

If the script is not sniffing any challenge ACKs, edit the `send.cpp` file to uncomment the `cout` line that prints the remainder, to check whether the size of the encrypted packets has changed slightly on this system.

##### Phase 3 - Infer exact sequence number and in-window ack

* `cd third_phase`
* Edit `send.cpp` to use the correct MAC addresses
* `g++ send.cpp -o send -ltins`
* `./send `

***Note:*** `` was found in phase 2. This script currently just injects a hardcoded string into the TCP connection but could easily be modified.

## Tested operating systems, applications, and VPN providers

##### Operating systems

* iOS (up to v12.4.1)
* Android (up to v10)
* Ubuntu (v20.04)
* Fedora (v31)
* Debian (v10.2)
* Arch (v2019.05)
* Manjaro (v18.1.1)
* MX Linux (v19)
* Slackware (v14.2)
* Void Linux (rolling)
* Devuan (v2.1)
* Deepin (v15.11)
* FreeBSD (v12.1)
* OpenBSD (v6.6)
* macOS (Sierra, High Sierra, Mojave)

##### VPN Providers and applications

* Mullvad
* PIA
* ProtonVPN
* PureVPN
* FrootVPN
* VyperVPN
* ExpressVPN
* SlickVPN
* TunnelBear
* SoftEther
* Hotspot Shield
* Betternet
* SecurityKiss
* Spotflux
* CyberGhost
* Surfshark
* IPVanish
* TorGuard
* StrongVPN
* Wang VPN
* Pupa VPN
* Thunder VPN
* Galaxy VPN
* SecureVPN
* Panda VPN Pro
* NordVPN
* SuperVPN Free
* VPN Free
* Wuma VPN PRO
* Xiaoming VPN
* SurfVPN
* BlueWhale VPN
* Orbot
* Lantern
* Psiphon

#### Source Code License

Copyright (C) 2018-2021 Breakpointing Bad unless otherwise noted. Where another license is included, please follow the licensing and redistribution clauses of the author.

These programs are free software: you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see .
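The client-side attack above lists reverse path filtering disabled on the VPN client as a precondition. As an added example that is not part of this repository, the POSIX shell script below audits the effective `rp_filter` mode per interface on a Linux host (the kernel applies the larger of `conf/all` and `conf/<iface>`); `CONF_ROOT` is an assumed override so the script can be run against a constructed tree instead of `/proc/sys`.

```shell
#!/bin/sh
# Audit rp_filter on every interface in a /proc/sys/net/ipv4/conf-style tree.
# CONF_ROOT is an assumed override (not part of the original project) that
# points the audit at a constructed directory tree for offline testing.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# rp_filter_effective <iface>: prints the effective mode for <iface>:
# 0 = disabled, 1 = strict, 2 = loose. Linux uses the maximum of
# conf/all/rp_filter and conf/<iface>/rp_filter when validating sources.
rp_filter_effective() {
  all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null || echo 0)
  dev=$(cat "$CONF_ROOT/$1/rp_filter" 2>/dev/null || echo 0)
  if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# audit_rp_filter: reports every real interface whose effective rp_filter is 0.
# Returns 1 if at least one interface has filtering disabled, 0 otherwise,
# so it can be used directly as a pass/fail check in a hardening script.
audit_rp_filter() {
  rc=0
  for d in "$CONF_ROOT"/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    # 'all' and 'default' are policy knobs, not interfaces.
    case "$name" in all|default) continue ;; esac
    mode=$(rp_filter_effective "$name")
    if [ "$mode" -eq 0 ]; then
      echo "$name: rp_filter disabled"
      rc=1
    else
      echo "$name: rp_filter=$mode"
    fi
  done
  return $rc
}
```

Run it with no arguments on the VPN client to list interfaces; a non-zero exit means at least one interface (typically the tunnel or the LAN-facing one) accepts packets regardless of source route.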