Os exemplos partem do princípio de que vc esteja em uma distro Debian-based, com
systemd como init system.
Use uma conexão cabeada com roteador proprio.
----------------------------------------------------------------
----------------- INTRODUÇÃO AO DNS EXPOSED --------------------
----------------------------------------------------------------
Preciso começar de algum ponto, então o cenário será esse: vc abre seu
terminal e instala o tor, proxychains ou torsocks.
Vejamos esse exemplo de requisição:
torsocks wget www.google.com
ou
proxychains wget www.google.com
O que vc acha que ocorreu "por detrás dos panos"? Usaremos o comando abaixo
para conferir.
tcpdump -nSai any -s 0 -vvv | grep UDP
Novamente:
torsocks wget www.google.com
ou
proxychains wget www.google.com
Vejamos: por default, o DNS será resolvido de acordo com a configuração do seu
ISP, provavelmente 8.8.8.8 ou Cloudflare.
Vc não tem nenhuma regra de firewall impedindo udp, logo, vc usa udp para
resolver dns.
Vc irá resolver o DNS expondo seu IP real (fornecido pelo seu ISP), já que a
rede onion não suporta UDP.
Mesmo se tentar impedir UDP, ainda assim vc seria exposto, já que a
configuração default não força a conexão pela rede onion.
----------------------------------------------------------------
----------------------------------------------------------------
----------------------------------------------------------------
----------------------------------------------------------------
----------------- PARTE 1 - proxy e network conf ---------------
----------------------------------------------------------------
Exemplos de dns:
duckduckgo 52.142.124.215 40.114.177.156
dnscrypt 3.64.163.50
opendns 208.67.222.222
emeraldonion 185.199.108.153
-> Em /etc/proxychains.conf
echo 'socks5 127.0.0.1 9050' >>/etc/proxychains.conf
sed -i 's/strict_chain/#strict_chain/g' /etc/proxychains.conf
sed -i 's/#random_chain/random_chain/g' /etc/proxychains.conf
sed -i 's/socks4\ /#socks4\ /g' /etc/proxychains.conf
-> Em /usr/bin/proxychains3
sed -i 's/echo "ProxyChains/#echo "ProxyChains/g' /usr/bin/proxychains3
sed -i 's/export LD_PRELOAD=libproxychains.so.3/export LD_PRELOAD=\/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.3/g' /usr/bin/proxychains3
#chattr +i /etc/proxychains.conf /usr/bin/proxychains3
Irei partir do princípio de que vc tenha as interfaces com nome "eth0" e "lo".
Isso varia conforme a placa de rede.
-> Para saber o nome das interfaces de rede, use o comando:
ip -c a
-> Para alteração do MAC address, usaremos macchanger para esse propósito.
Exemplo:
macchanger -r eth0
#include <stdio.h>
#include <stdlib.h>
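/*
 * Firewall / Tor policy applied by the initrules.service unit described later
 * in this document.  Each entry is one complete shell command, executed in
 * order; the sequence is the original chain of system() calls with the
 * string literals re-joined onto single lines.  Nothing here reads user
 * input: every command is a fixed literal.
 *
 * NOTE(review): argv is ignored, so "start", "stop" and "restart" from the
 * unit file all (re)apply the same rule set.
 * NOTE(review): only INPUT gets "-P ... DROP" on the IPv4 side; OUTPUT keeps
 * its default policy, and the nat OUTPUT redirect to 9050 is commented out,
 * so outbound TCP outside the listed port ranges is neither redirected nor
 * dropped (ip6tables, by contrast, sets all three policies to DROP).
 */
static const char *const rules[] = {
    "macchanger -r eth0",
    /* Flush every table, not just filter: "-F" without "-t" only flushes the
       filter table, so a restart (ExecReload) would otherwise append a second
       copy of every raw/nat/mangle rule. */
    "iptables -F",
    "iptables -t raw -F",
    "iptables -t nat -F",
    "iptables -t mangle -F",
    /* NOTE(review): the raw table runs before connection tracking, so a
       "--state ESTABLISHED" match here may never fire -- confirm intent. */
    "iptables -t raw -A PREROUTING -m state --state ESTABLISHED -p udp -j DROP",
    "iptables -t raw -A PREROUTING -m state --state ESTABLISHED -p icmp -j DROP",
    /* Plain-TCP DNS (53, 5353) is redirected to the local DNSPort 9053. */
    "iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 9053",
    "iptables -t nat -A PREROUTING -p tcp --dport 5353 -j REDIRECT --to-ports 9053",
    "iptables -t nat -A PREROUTING -p tcp --destination 0.0.0.0/0 -m multiport --dport 80,443,8080 -j ACCEPT",
    "iptables -t nat -A PREROUTING -p tcp -m multiport --dport 4:52,54:79,81:442,444:5352,5354:8079,8081:9049,9200:65533 -j REDIRECT --to-ports 9050",
    "iptables -t raw -A PREROUTING -p udp -m udp -j DROP",
    "iptables -t raw -A PREROUTING -p icmp -j DROP",
    "iptables -P INPUT DROP",
    "iptables -A INPUT -m state --state ESTABLISHED -p udp -j DROP",
    "iptables -A INPUT -m state --state ESTABLISHED -p icmp -j DROP",
    "iptables -t filter -A INPUT -p udp --destination 0.0.0.0/0 -j DROP",
    "iptables -t filter -A INPUT -p icmp --destination 0.0.0.0/0 -j DROP",
    "iptables -A INPUT -m state --state INVALID -j DROP",
    "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
    /* Malformed TCP flag combinations and fragments. */
    "iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP",
    "iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP",
    "iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP",
    "iptables -A INPUT -f -j DROP",
    "iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP",
    "iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP",
    "iptables -A INPUT -p tcp -j ACCEPT",
    "iptables -A INPUT -j DROP",
    /* NOTE(review): the two rules above accept all TCP and then drop
       everything else, so this port-specific ACCEPT can never be reached.
       Kept as written; reordering is a policy decision for the author. */
    "iptables -A INPUT -p tcp --destination 0.0.0.0/0 -m multiport --dport 80,443,8080,9050,9051,9053 -j ACCEPT",
    "iptables -A OUTPUT -m state --state ESTABLISHED -p udp -j DROP",
    "iptables -A OUTPUT -m state --state ESTABLISHED -p icmp -j DROP",
    "iptables -t filter -A OUTPUT -p udp --destination 0.0.0.0/0 -j DROP",
    "iptables -t filter -A OUTPUT -p icmp --destination 0.0.0.0/0 -j DROP",
    "iptables -A OUTPUT -m state --state INVALID -j DROP",
    "iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP",
    "iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 9053",
    "iptables -t nat -A OUTPUT -p tcp --dport 5353 -j REDIRECT --to-ports 9053",
    "iptables -t filter -A OUTPUT -p tcp --destination 0.0.0.0/0 -m multiport --dport 80,443,8080 -j ACCEPT",
    /* Disabled in the original; kept for reference:
       "iptables -t nat -A OUTPUT -p tcp -m multiport --dport 4:52,54:79,81:442,444:5352,5354:8079,8081:9049,9200:65533 -j REDIRECT --to-ports 9050", */
    "iptables -t filter -A OUTPUT -p tcp -m multiport --dport 4:52,54:79,81:442,444:5352,5354:8079,8081:9049,9200:65533 -j DROP",
    /* NOTE(review): this unconditional DROP is appended first, so none of
       the FORWARD rules after it can match. */
    "iptables -A FORWARD -j DROP",
    "iptables -A FORWARD -m state --state ESTABLISHED -p tcp -o eth0 -j ACCEPT",
    "iptables -A FORWARD -m state --state ESTABLISHED -p tcp -o lo -j ACCEPT",
    "iptables -A FORWARD -m state --state ESTABLISHED -p udp -j DROP",
    "iptables -A FORWARD -m state --state ESTABLISHED -p icmp -j DROP",
    "iptables -t filter -A FORWARD -p udp --destination 0.0.0.0/0 -j DROP",
    "iptables -t filter -A FORWARD -p icmp --destination 0.0.0.0/0 -j DROP",
    "iptables -A FORWARD -m state --state INVALID -j DROP",
    "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP",
    "iptables -t mangle -A POSTROUTING -p tcp --destination 0.0.0.0/0 -m multiport --dport 80,443,8080 -j ACCEPT",
    "iptables -t mangle -A POSTROUTING -p tcp --destination 0.0.0.0/0 -m multiport --dport 4:52,54:79,81:442,444:5352,5354:8079,8081:9049,9200:65533 -j DROP",
    "iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED -p udp -j DROP",
    "iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED -p icmp -j DROP",
    "iptables -t mangle -A POSTROUTING -p udp -m udp --destination 0.0.0.0/0 -j DROP",
    "iptables -t mangle -A POSTROUTING -p icmp --destination 0.0.0.0/0 -j DROP",
    /* IPv6: everything is refused.  The original used "--destination
       0.0.0.0/0" on the ip6tables rules, which is an IPv4 prefix that
       ip6tables does not accept, so those rules were never installed and
       the failure went unnoticed because system()'s result was ignored.
       "::/0" is the IPv6 any-address prefix. */
    "ip6tables -F",
    "ip6tables -t raw -F",
    "ip6tables -t raw -A PREROUTING --destination ::/0 -j DROP",
    "ip6tables -P INPUT DROP",
    "ip6tables -P OUTPUT DROP",
    "ip6tables -P FORWARD DROP",
    "ip6tables -A INPUT -j REJECT --reject-with adm-prohibited",
    "ip6tables -A INPUT --destination ::/0 -j DROP",
    /* NOTE(review): under ip6tables "-p icmp" names IP protocol 1, not
       ICMPv6 (58); harmless here because the chain policies are already
       DROP, but confirm if these were meant to match ICMPv6. */
    "ip6tables -A INPUT -m state --state RELATED -p tcp -j DROP",
    "ip6tables -A INPUT -m state --state RELATED -p udp -j DROP",
    "ip6tables -A INPUT -m state --state RELATED -p icmp -j DROP",
    "ip6tables -A OUTPUT -j REJECT --reject-with adm-prohibited",
    "ip6tables -A OUTPUT --destination ::/0 -j DROP",
    "ip6tables -A OUTPUT -m state --state RELATED -p tcp -j DROP",
    "ip6tables -A OUTPUT -m state --state RELATED -p udp -j DROP",
    "ip6tables -A OUTPUT -m state --state RELATED -p icmp -j DROP",
    "ip6tables -A FORWARD -j REJECT --reject-with adm-prohibited",
    "ip6tables -A FORWARD -p icmp -j REJECT --reject-with icmp6-adm-prohibited",
    "ip6tables -A FORWARD --destination ::/0 -j DROP",
    "ip6tables -A FORWARD -m state --state RELATED -p tcp -j DROP",
    "ip6tables -A FORWARD -m state --state RELATED -p udp -j DROP",
    "ip6tables -A FORWARD -m state --state RELATED -p icmp -j DROP",
};

/*
 * Run one fixed command through system() and report failure.
 *
 * Returns 0 when the shell ran the command and it exited with status 0.
 * Otherwise writes a diagnostic to stderr and returns -1: a status of -1
 * from system() means the shell itself could not be started (errno is set),
 * any other non-zero value is the raw wait status of the command.
 *
 * The commands are literals from the table above, never untrusted input;
 * system() still goes through /bin/sh and inherits PATH, so the unit should
 * run with the fixed environment systemd gives it.
 */
static int run_rule(const char *cmd)
{
    int status = system(cmd);
    if (status == 0) {
        return 0;
    }
    if (status == -1) {
        perror("rules: system");
    } else {
        fprintf(stderr, "rules: command failed (status %d): %s\n", status, cmd);
    }
    return -1;
}

/*
 * Apply the whole rule table in order.
 *
 * A failing command does not stop the run: every remaining rule is still
 * attempted so that a single bad rule does not leave the rest of the policy
 * unapplied.  Failures are counted and reported, and the process exits
 * non-zero so systemd marks the unit as failed instead of silently
 * reporting success (the original ignored every system() result).
 */
int main(void)
{
    size_t total = sizeof rules / sizeof rules[0];
    size_t failed = 0;

    for (size_t i = 0; i < total; i++) {
        if (run_rule(rules[i]) != 0) {
            failed++;
        }
    }

    if (failed != 0) {
        fprintf(stderr, "rules: %zu of %zu commands failed\n", failed, total);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}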
Precisamos compilar esse código, partindo do princípio de que ele está salvo em
/etc/rules.c:
cd /etc/
gcc rules.c -o rules
rm rules.c
----------------------------------------------------------------
---------------- PARTE 3 - servicos adicionais -----------------
----------------------------------------------------------------
echo '''[Unit]
Description=ScriptInit
[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/etc/rules start
ExecStop=/etc/rules stop
ExecReload=/etc/rules restart
[Install]
WantedBy=multi-user.target
''' >/etc/systemd/system/initrules.service
chattr +i /etc/systemd/system/initrules.service
Por enquanto, as configurações até aqui serão suficientes para uso em distros
server, terminal only.
Abaixo, tem a parte 4 que aborda o bypass de firewall por meio de bridge de
rede.
----------------------------------------------------------------
-------- PARTE 4 - Bridge de rede, bypass de firewall ----------
----------------------------------------------------------------
----------------------------------------------------------------
Irei abordar esse tema assim que possível. Será extenuante, de árdua
compreensão, e parte do princípio de que vc já tenha conhecimento prévio de
forense de rede.