WebApp pen-testing from within the deeps of TOR.

Thursday, September 12, 2013 Posted by Unknown 0 comments
Disclaimer: The following information is for educational use only. Only perform testing on your own equipment or on systems you have permission to test. If you don't understand what Tor is, how the Tor network works, and the risks of sending information through Tor, you really should not follow these steps: most likely you will break something and get yourself in trouble.
/Disclaimer.

When pen-testing a web application you may need to stay anonymous, mainly to make sure your scans and tests don't trigger an investigation into the origin of the traffic. Keep in mind what Tor does and does not give you: it hides your source address from the target, but exit nodes can read anything you send in plaintext, and exit addresses are publicly listed, so the target can still tell the traffic is coming from Tor.

One of the main tools I use, along with almost everyone else, is Burp Suite. There is a free version, but if you are using it for commercial work make sure you buy a licence, as the paid version has some really useful features (e.g. the active scanner, which automates XSS and SQL injection testing).

Other tools of the trade: Nikto, OWASP DirBuster, Nmap, etc.

Now it's time to set up an environment in which we can run all these applications, and more, through Tor.

Install your favorite virtual machine software. I will be using VirtualBox in this blog post as it's free; however, I mostly use VMware Workstation.

Install your favorite Linux distro. I suggest Xubuntu or Ubuntu Server. I will refer to this install as VMtor for the rest of this post.

Once your Linux box is running in VirtualBox, apply all updates/patches and make sure everything is running smoothly. Then install a few needed packages: curl, screen, htop, openssh-server, privoxy and default-jre (or your favorite open-source Java).

$ sudo apt-get update
$ sudo apt-get install curl screen htop openssh-server privoxy default-jre

Now, on your host machine, open a terminal and SSH into VMtor with X11 forwarding. (This lets you open VMtor apps inside your host desktop. The host needs an X server: a Linux desktop has one already; macOS or Windows need something like XQuartz or Xming.)

$ ssh -X <user>@ip_address_of_VMtor

We are going to use someone else's script to install Tor and configure iptables to route all of the machine's traffic through Tor. Read it before you run it as root: it rewrites your firewall rules and DNS handling, and if it fails halfway you can end up with a box that leaks or has no network at all. Download it here: https://github.com/ericpaulbishop/iptables_torify

Direct link: https://github.com/ericpaulbishop/iptables_torify/archive/master.zip

Unzip it and run the script as root:
$ sudo ./debian_install.sh

Once it's finished, open Firefox (with no proxy configured yet) and go to https://check.torproject.org
Make sure it reports you are on the Tor network. Because the iptables rules redirect everything, this check has to pass before any proxy is involved; if it doesn't, fix the torification first.

Now we need to configure the local web proxy, Privoxy, that you installed above. Privoxy is the piece that lets Burp (which wants an HTTP upstream proxy) talk to Tor's SOCKS port.
Edit /etc/privoxy/config and uncomment the following line:

forward-socks5  /     127.0.0.1:9050   .

Or just add it to the end of the file. Make sure only one such forward line ends up active.

Now restart the Privoxy service so it picks up the new forward rule (the Debian/Ubuntu package starts it at install time, so a plain "start" would do nothing):
$ sudo /etc/init.d/privoxy restart

Privoxy listens on 127.0.0.1:8118.

I use screen so I have better control of what's running, and so applications keep running across SSH disconnects. Learn more about screen here.
$ screen -S burp
$ java -jar burpsuite_free1.5.jar
Press Ctrl+A then D to detach from the screen session.

Go to the Proxy tab and then the Options sub-tab. Double-check that the proxy listener is set up on 127.0.0.1:8080.

Go to the Options tab along the top (Connections sub-tab) and click Add under Upstream Proxy Servers:
Destination host: leave empty (applies to every host)
Proxy host: 127.0.0.1
Proxy port: 8118
Authentication type: None
Click OK.



Now let's open a web browser on VMtor and configure it.

$ screen -S firefox
$ firefox
Press Ctrl+A then D to detach from the screen session.

Go to Edit -> Preferences.
Advanced -> Network tab -> click on Settings...
Select Manual proxy configuration. Point the browser at Burp, not at Privoxy: the chain is Firefox -> Burp (8080) -> Privoxy (8118) -> Tor (9050), and if Firefox talks to 8118 directly Burp never sees the traffic.

HTTP Proxy: 127.0.0.1 Port: 8080
SSL Proxy: 127.0.0.1 Port: 8080
FTP Proxy:  leave empty
SOCKS Host:  127.0.0.1 Port: 9050 (only used for protocols not covered above; the iptables rules catch those anyway)


Browse to a site. It should show up in Burp now (Proxy -> History, or Intercept if it is on), and https://check.torproject.org should still say you are using Tor. For HTTPS sites Firefox will complain about Burp's certificate until you import Burp's CA certificate into the browser.

That's it.

From now on, any application you run from within VMtor is routed through the Tor network.
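The two places this setup silently goes wrong are a Privoxy config with no (or two) forward lines, and a chain that looks fine in the browser while one hop is actually going out direct. The script below is an added example, not the author's code: it makes the Privoxy edit idempotent and then queries check.torproject.org at each hop (direct, via Privoxy, via Burp). It assumes the listeners used in this post (Tor SOCKS 127.0.0.1:9050, Privoxy 127.0.0.1:8118, Burp 127.0.0.1:8080) and the JSON endpoint https://check.torproject.org/api/ip, which returns a body like {"IsTor":true,"IP":"..."}.

```shell
#!/bin/sh
# Added example, not from the original post: make the Privoxy -> Tor forward
# idempotent and verify every hop of the chain reports a Tor exit.
# Assumptions: Tor SOCKS on 127.0.0.1:9050, Privoxy on 127.0.0.1:8118,
# Burp on 127.0.0.1:8080, and the JSON endpoint
# https://check.torproject.org/api/ip (returns {"IsTor":...,"IP":"..."}).
set -u

# Leave exactly one active "forward-socks5 / 127.0.0.1:9050 ." in a Privoxy
# config: keep it if present, else uncomment the first commented copy, else
# append one. Running this twice must not add a second line.
privoxy_enable_tor_forward() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*forward-socks5t?[[:space:]]+/[[:space:]]+127\.0\.0\.1:9050[[:space:]]+\.' "$cfg"; then
        return 0
    fi
    awk '
        /^[ \t]*#[ \t]*forward-socks5t?[ \t]+\/[ \t]+127\.0\.0\.1:9050[ \t]+\./ && !done {
            sub(/^[ \t]*#[ \t]*/, ""); done = 1
        }
        { print }
        END { if (!done) print "forward-socks5 / 127.0.0.1:9050 ." }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Number of active Tor forward lines; the setup is correct when this is 1.
privoxy_active_tor_forwards() {
    grep -Ec '^[[:space:]]*forward-socks5t?[[:space:]]+/[[:space:]]+127\.0\.0\.1:9050[[:space:]]+\.' "$1" || true
}

# Parse the API body without jq. Prints the reported IP; exit status is 0
# only when IsTor is true.
is_tor_response() {
    body="$1"
    ip=$(printf '%s' "$body" | sed -n -E 's/.*"IP"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p')
    printf '%s\n' "${ip:-unknown}"
    printf '%s' "$body" | grep -Eq '"IsTor"[[:space:]]*:[[:space:]]*true'
}

# Hit the API directly, then via Privoxy, then via Burp. With the iptables
# torification in place even the direct request must show IsTor=true; if it
# does not, the transparent redirect is broken and the proxy hops prove
# nothing. Burp terminates TLS with its own CA, so that hop uses -k; this
# check is about routing, not certificate validation.
check_chain() {
    for hop in "direct:" "privoxy:http://127.0.0.1:8118" "burp:http://127.0.0.1:8080"; do
        name=${hop%%:*}
        proxy=${hop#*:}
        case "$name" in
            direct) body=$(curl -s --max-time 60 https://check.torproject.org/api/ip) || body="" ;;
            burp)   body=$(curl -sk --max-time 60 -x "$proxy" https://check.torproject.org/api/ip) || body="" ;;
            *)      body=$(curl -s --max-time 60 -x "$proxy" https://check.torproject.org/api/ip) || body="" ;;
        esac
        if ip=$(is_tor_response "$body"); then
            echo "$name: OK, Tor exit $ip"
        else
            echo "$name: NOT TOR (reported ${ip:-unknown})"
            return 1
        fi
    done
}

# Usage: ./torchain.sh config [/etc/privoxy/config]   or   ./torchain.sh check
case "${1:-}" in
    config) privoxy_enable_tor_forward "${2:-/etc/privoxy/config}" ;;
    check)  check_chain ;;
esac
```

Run "config" as root before restarting Privoxy, then "check" once Burp is up. The three hops may show different exit IPs, since Tor builds separate circuits; what matters is that none of them says NOT TOR.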

Other Tips & Notes:

Use proxychains for Nmap traffic, and remember that Tor only carries TCP streams: the scan has to be a full connect scan (-sT) with host discovery and local DNS disabled (-Pn -n). SYN, UDP and ICMP probes and OS detection use raw sockets, which bypass proxychains and leave from your real address. ZMap sends raw packets and will not go through proxychains at all.
http://www.commondork.com/2009/06/26/tunneling-nmap-through-tor/
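As an added example (not from the original post or the linked article), here is a small wrapper that writes a minimal proxychains.conf pointing at Tor and refuses the Nmap options that cannot work over Tor before they leak anything. The proxychains.conf path and the wrapper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper that refuses nmap
# options that cannot work through Tor. Tor carries TCP streams only, so a
# proxied scan must be a full connect scan (-sT) with host discovery and
# local DNS turned off (-Pn -n). SYN/UDP/ICMP probes and OS detection use
# raw sockets that bypass proxychains and go out your real address.
# The proxychains.conf path is an assumption.
set -u
PROXYCHAINS_CONF=${PROXYCHAINS_CONF:-/etc/proxychains.conf}

# Minimal proxychains.conf: strict chain through Tor only, and proxy_dns so
# name lookups are tunnelled instead of hitting the local resolver.
write_proxychains_conf() {
    cat > "$1" <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
EOF
}

# 0 if every argument is safe for a Tor-routed scan; 1 (and a message on
# stderr) for the first option that would need raw packets or non-TCP.
tor_nmap_args_ok() {
    for a in "$@"; do
        case "$a" in
            -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sI*|-sO|-sY|-sZ|-O|-A|--traceroute|-PE|-PP|-PM|-PS*|-PA*|-PU*|-PY*|-PO*)
                echo "refusing $a: needs raw sockets or a non-TCP protocol Tor cannot carry" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Run nmap through proxychains with the only scan mode Tor supports.
# Version detection (-sV) and port/host arguments pass straight through.
tor_nmap() {
    tor_nmap_args_ok "$@" || return 1
    grep -Eq '^[[:space:]]*socks[45a]*[[:space:]]+127\.0\.0\.1[[:space:]]+9050' "$PROXYCHAINS_CONF" || {
        echo "no Tor SOCKS entry in $PROXYCHAINS_CONF" >&2
        return 1
    }
    proxychains nmap -sT -Pn -n "$@"
}
```

Typical use is "tor_nmap -p 80,443 --open target.example" ; "tor_nmap -sS target.example" is refused rather than quietly scanning from your own IP. Expect connect scans over Tor to be slow, so keep port lists short.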

Don't use the same browser on the host as you do in VMtor. For example, on my host I only use google-chrome and in VMtor I only use Firefox. This is to ensure I don't make a mistake and use the wrong browser.

Take a snapshot of your VM after you set it up.

Why not just use Tails, either directly or in a VM? Yes, it torifies everything using iptables like the setup above, it is far more secure than the setup I have suggested, and it is a lot easier to set up and use. However, the web proxy installed in Tails won't work with Burp. I spent many nights and hours trying to get it to work. Also, because it is so customized, installing third-party apps like Privoxy to make it work could cause unknown damage.

Use duckduckgo.com as your search engine; Google tends to block Tor connections due to abuse.

Finally, Don't be stupid.