transocks - a transparent SOCKS5 proxy

Features

• IPv4 and IPv6
  Both IPv4 and IPv6 are supported. Note that nf_conntrack_ipv4 or nf_conntrack_ipv6 kernel modules must be loaded beforehand.
• SOCKS5 and HTTP proxy (CONNECT)
  We recommend using SOCKS5 server if available. Take a look at our SOCKS server usocksd if you are looking for.
  HTTP proxies often prohibits CONNECT method to make connections to ports other than 443. Make sure your HTTP proxy allows CONNECT to the ports you want.
• Graceful stop & restart
  • On SIGINT/SIGTERM, transocks stops gracefully.
  • On SIGHUP, transocks restarts gracefully.
• Library and executable
  transocks comes with a handy executable. You may use the library to create your own.

Install

go get -u github.com/cybozu-go/transocks/...

Usage

Configuration file format

# listening address of transocks.
listen = "localhost:1081"    # default is "localhost:1081"

proxy_url = "socks5://10.20.30.40:1080"  # for SOCKS5 server
#proxy_url = "http://10.20.30.40:3128"   # for HTTP proxy server

[log]
filename = "/path/to/file"   # default to stderr
level = "info"               # critical", error, warning, info, debug
format = "json"              # plain, logfmt, json

Redirecting connections by iptables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:TRANSOCKS - [0:0]
-A OUTPUT -p tcp -j TRANSOCKS
-A TRANSOCKS -d 0.0.0.0/8 -j RETURN
-A TRANSOCKS -d 10.0.0.0/8 -j RETURN
-A TRANSOCKS -d 127.0.0.0/8 -j RETURN
-A TRANSOCKS -d 169.254.0.0/16 -j RETURN
-A TRANSOCKS -d 172.16.0.0/12 -j RETURN
-A TRANSOCKS -d 192.168.0.0/16 -j RETURN
-A TRANSOCKS -d 224.0.0.0/4 -j RETURN
-A TRANSOCKS -d 240.0.0.0/4 -j RETURN
-A TRANSOCKS -p tcp -j REDIRECT --to-ports 1081
COMMIT

KumaSocks

Usage

listen-addr = "0.0.0.0:1234"
proxy-addr = "socks5://192.168.1.210:1080"

Advanced Usage

go build -ldflags "-s -w"

upx --best KumaSocks

FAQS

go get github.com/xsm1997/KumaSocks
cd src\github.com\xsm1997\KumaSocks
SET GOOS=linux
SET GOARCH=mipsle
go build

go get github.com/xsm1997/KumaSocks
cd src/github.com/xsm1997/KumaSocks
GOOS=linux GOARCH=mipsle go build

go build -ldflags "-s -w"

upx --best KumaSocks

How it works

Usage

python proxymyphone.py 

Other ways

Android

• ProxyDroid (Source) (need root)
• Brook
• BifrostV

iOS

• Brook
• Potatso

About kalitorify

What is Tor?

What is Transparent Proxy through Tor?

Install

Install dependencies:

sudo apt update && sudo apt full-upgrade -y

sudo apt install tor -y

Install kalitorify:

git clone https://github.com/brainfucksec/kalitorify

cd kalitorify/

sudo make install

Security

Please read this section carefully before starting kalitorify

Hostname and MAC Address security risks

Transparent Proxy with kalitorify and Tor Browser

Checking for leaks

ip -o addr

tcpdump -D

ss -ntp | grep "$(cat /var/run/tor/tor.pid)"

tcpdump -n -f -p -i eth0 not arp and not host IP.TO.TOR.GUARD

Usage

kalitorify -h

Options:

show this help message and exit

start transparent proxy through tor

reset iptables and return to clearnet navigation

check status of program and services

show public IP

restart tor service and change IP

Demo

Credits

• kalitorify is KISS version of Parrot AnonSurf Module, developed by Parrot Project Team. Thank you guys for give me the way in developing this program.
• This program could not exist without:
• The guides of the Tor Project official website
• The Whonix Team and their documentation
• All the people who contribute: [Code Contributors]

Main Features

• WiFi networks scanning, deauthentication attack, clientless PMKID association attack and automatic WPA/WPA2 client handshakes capture.
• Bluetooth Low Energy devices scanning, characteristics enumeration, reading and writing.
• 2.4Ghz wireless devices scanning and MouseJacking attacks with over-the-air HID frames injection (with DuckyScript support).
• Passive and active IP network hosts probing and recon.
• ARP, DNS and DHCPv6 spoofers for MITM attacks on IP based networks.
• Proxies at packet level, TCP level and HTTP/HTTPS application level fully scriptable with easy to implement javascript plugins.
• A powerful network sniffer for credentials harvesting which can also be used as a network protocol fuzzer.
• A very fast port scanner.
• A powerful REST API with support for asynchronous events notification on websocket to orchestrate your attacks easily.
• A very convenient web UI.
• More!

About the 1.x Legacy Version

• bettercap can now be distributed as a single binary with very few dependencies, for basically any OS and any architecture.
• 1.x proxies, although highly optimized and event based, used to bottleneck the entire network when performing a MITM attack, while the new version adds almost no overhead.
• Due to such performance and functional limitations, most of the features that the 2.x version is offering were simply impossible to implement properly (read as: without killing the entire network ... or your computer).

Documentation and Examples

This feature adds Linux 2.2-like transparent proxy support to current kernels.
To use it, enable the socket match and the TPROXY target in your kernel config.
You will need policy routing too, so be sure to enable that as well.

From Linux 4.18 transparent proxy support is also available in nf_tables.

1. Making non-local sockets work
================================

The idea is that you identify packets with destination address matching a local
socket on your box, set the packet mark to a certain value:

# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT

Alternatively you can do this in nft with the following commands:

# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150; }"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept

And then match on that value using policy routing to have those packets
delivered locally:

# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100

Because of certain restrictions in the IPv4 routing output code you'll have to
modify your application to allow it to send datagrams _from_ non-local IP
addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
option before calling bind:

fd = socket(AF_INET, SOCK_STREAM, 0);
/* - 8< -*/
int value = 1;
setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
/* - 8< -*/
name.sin_family = AF_INET;
name.sin_port = htons(0xCAFE);
name.sin_addr.s_addr = htonl(0xDEADBEEF);
bind(fd, &name, sizeof(name));

A trivial patch for netcat is available here:
http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch


2. Redirecting traffic
======================

Transparent proxying often involves "intercepting" traffic on a router. This is
usually done with the iptables REDIRECT target; however, there are serious
limitations of that method. One of the major issues is that it actually
modifies the packets to change the destination address -- which might not be
acceptable in certain situations. (Think of proxying UDP for example: you won't
be able to find out the original destination address. Even in case of TCP
getting the original destination address is racy.)

The 'TPROXY' target provides similar functionality without relying on NAT. Simply
add rules like this to the iptables ruleset above:

# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 50080

Or the following rule to nft:

# nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept

Note that for this to work you'll have to modify the proxy to enable (SOL_IP,
IP_TRANSPARENT) for the listening socket.

As an example implementation, tcprdr is available here:
https://git.breakpoint.cc/cgit/fw/tcprdr.git/
This tool is written by Florian Westphal and it was used for testing during the
nf_tables implementation.

3. Iptables and nf_tables extensions
====================================

To use tproxy you'll need to have the following modules compiled for iptables:
 - NETFILTER_XT_MATCH_SOCKET
 - NETFILTER_XT_TARGET_TPROXY

Or the floowing modules for nf_tables:
 - NFT_SOCKET
 - NFT_TPROXY

4. Application support
======================

4.1. Squid
----------

Squid 3.HEAD has support built-in. To use it, pass
'--enable-linux-netfilter' to configure and set the 'tproxy' option on
the HTTP listener you redirect traffic to with the TPROXY iptables
target.

For more information please consult the following page on the Squid
wiki: http://wiki.squid-cache.org/Features/Tproxy4

frm https://www.kernel.org/doc/Documentation/networking/tproxy.txt

HowTo install:

HowTo use TorTP:

cli

Documentation

Contributing

1. Fork it!
2. Create your feature branch: git checkout -b my-new-feature
3. Commit your changes: git commit -am 'Add some feature'
4. Push to the branch: git push origin my-new-feature
5. Submit a pull request 🤩

IITG Transparent Proxy would like to thank the following for their contributions:

(Past, present and future) Users, Testers and Debuggers
Redsocks (http://darkk.net.ru/redsocks/) - an opensource transparent socks redirector that wouldn't work by itself in IITG.

ProxyDroid (http://code.google.com/p/proxydroid/) - the open source android app that worked and showed how it can be done.

Mini fake DNS server (http://code.activestate.com/recipes/491264-mini-fake-dns-server/) - a small fake dns server conforming to protocol.

Me (Suhail Sherif) and Ajaykumar Kannan - for developing it.
iptables - for being so awesome.

TODO - Removing cache entries, Licensing, GUI, packaging and Improvements (Includes analysis of the working of the IITG DNS)

HOWTO:
(Most of these commands may need superuser priveleges)

The easy way (aka the noob way :D)
./easyStart.sh to start the transparent proxy and ./easyStop.sh to stop the proxy. You can edit easyStart.sh if you don't want to enter the proxy details each time.I've included an example.

The more difficult way:
One-time : In the redsocks folder, "make" to get the executable. If make fails, you will need to compile libevent. I've included the tar file for it. Or you can download it online. 
Run the following:
./script start
sudo python fakeDNS.py
(defaultIPs has some domains and ip addresses that you might want to have preconfigured)
sh redsocksConfig.sh 
(username and password are optional. You can edit this file to make it prompt you for the username and password if you don't like your credentials in plaintext in your history. And have it delete the redsocksauto.conf that it creates in the redsocks folder.)

To stop:
Run sh script stop
(Optionally) stop fakeDNS and redsocks.

IMPORTANT:
Edit /etc/resolv.conf and add a line 'nameserver 127.0.0.1' at the top. Or add 127.0.0.1 to your DNS serverlist. The former seems cooler.

Beware! Non-authentic DNS servers can be used VERY convincingly for phishing. Make sure you are in control of your configuration.

frm https://github.com/suhailsherif/IITG-Transparent-Proxy

Author

Why I Built This

Simple Setup

0. Configure a virtual machine (Trudy has been tested on a 64-bit Debian 8 VM) to shove all traffic through Trudy. I personally use a Vagrant VM that sets this up for me. The Vagrant VM is available here. If you would like to use different --to-ports values, you can use Trudy's command line flags to change Trudy's listening ports.
   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8888 -m tcp -j REDIRECT --to-ports 8080
   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -m tcp -j REDIRECT --to-ports 6443
   iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp -j REDIRECT --to-ports 6666
   ip route del 0/0
   route add default gw 192.168.1.1 dev eth1
   sysctl -w net.ipv4.ip_forward=1
1. Clone the repo on the virtual machine and build the Trudy binary.
   git clone https://github.com/kelbyludwig/trudy.git
   cd trudy
   go install
2. Run the Trudy binary as root. This starts the listeners. If you ran the iptables commands above, iptables will forward traffic destined for port 443 to port 6443. Trudy listens on this port and expects traffic coming into this port to be TLS. All other TCP connections will be forwarded through port 6666.
   sudo $GOPATH/bin/trudy
3. Setup your host machine to use the virtual machine as its router. You should see connections being made in Trudy's console but not notice any traffic issues on the host machine (except TLS errors).
4. In order to manipulate data, just implement whatever functions you might need within the module package. The default implementations for these functions are hands-off, so if they do not make sense for your situation, feel free to leave them as they are. More detailed documentation is in the module package and the data flow is detailed below.
5. To access the interceptor, visit http://:8888/ in your web browser. The only gotcha here is you must visit the interceptor after starting Trudy but before Trudy receives a packet that it wants to intercept.

• Wilma application is the highly configurable Service Virtualization tool
• Wilma Message Search application (optional component) provides high performance searching capability of the request-response pairs that were logged by Wilma application.

Quick intro for end users

Wilma application

Requirements

• JRE 8 (pls use earlier Wilma releases than V1.6.x when you need to use Java 7 version)
• The latest release of Wilma application downloaded and extracted into a folder.

Configuring Components/Services to use Wilma

JAVA_PROXY_FLAGS=-Dhttp.proxyHost=[wilma-url] -Dhttp.proxyPort=[wilma-proxy-port] -Dhttps.proxyHost=[wilma-url] -Dhttps.proxyPort=[wilma-proxy-port]
java ${JAVA_PROXY_FLAGS} ...

Configure and run Wilma

Docker Image of Wilma

• Docker image of Wilma is available on DockerHub, see details here

Contact, questions and answers

Wilma Message Search application

• Running Wilma Message Search application is optional, Wilma itself does not require it.
• This optional component just makes your life easier in case you would like to run quick searches on the messages logged by Wilma.
• To run Wilma Message Search application, java JDK must be used. With JRE, it will not work properly.
• Docker image of combined Wilma and Wilma Message Search application is available on DockerHub, see details here

Requirements

• JDK 8 (pls use earlier Wilma releases than V1.6.x when you need to use Java 7 version)
• The latest release of Wilma Message Search application downloaded and extracted into a folder.

Running

Quick intro for developers/contributors

• Raise an issue. Have you found something that does not work as expected? Let us know about it.
• Suggest a feature by submitting an issue or by sending an e-mail to us. It's even better if you come up with a new feature and write us about it.
• Write some code. We would love to see pull requests to this tool. Feel free to contribute (send pull request) on GitHub.

Advised working environment

• Java JDK 8
• IntelliJ / Eclipse
• Gradle, Checkstyle, Git Integration for the IDE

Building with Gradle

 

Detailed information

• Check the Wiki and Issues link on GitHub
• Check further documentation at http://epam.github.io/Wilma/

starttls-mitm is a mitm proxy that will transparently proxy and dump
both plaintext and TLS traffic. It uses a user-provided keyfile and
certificate file to impersonate remote servers. The user must
explicitly instruct the device being man-in-the-middled to trust this
certificate authority -- so this is not a security compromise.

It starts out relaying in plaintext, peeking at each packet for a
ClientHello header, at which point it converts the sockets to TLS.
This makes it suitable for proxying protocols that use STARTTLS
(plaintext handshake + SSL upgrade). It's only been tested on XMPP so
far, but it should theoretically work for IMAP and others as well.

frm https://github.com/ipopov/starttls-mitm

The name

Usage

git clone https://github.com/7sDream/jellyap
cd jellyap
chmod 755 jellyap.sh
./jellyap.sh

./jellyap.sh eth0 wlan0 NAME PASSWORD no

Enable shadowsocks transparent proxy

Connection test

• Shadowsocks server: 1 CPU, 500M RAM, 1000M Bandwidth, DightalOcean, SGP
• Local shadowsocks client: i7-4500U, 8G RAM, 10M Bandwidth, TianJin, China
• WiFi client: Oneplus 3, Android 7.1.1, OxygenOS

Dependencies

• hostapd
• dnsmasq
• nmcli (network-manager)
• rfkill (rfkill)
• ip (iproute2)
• iptables
• shadowsocks-libev (if enable shadowsocks relay, AP as a transparent proxy)
• run as root

Configure

• Transparent TCP proxy with iptables -j REDIRECT
• Support multiple SOCKSv5/HTTP backend proxy servers
• SOCKS/HTTP-layer alive & latency probe
• Prioritize backend servers according to latency
• Full IPv6 support
• Multiple listen ports, each for a subset of proxy servers
• Remote DNS resolving for TLS with SNI (extract domain name from TLS handshaking)
• Optional try-in-parallel for TLS (try multiple proxies and choose the one first response)
• Optional status web page (latency, traffic, etc. w/ curl-friendly output)
• Optional Graphite support (to build fancy dashboard with Grafana for example)
• Customizable proxy selection algorithm with Lua script (see conf/simple_scroe.lua).

+------+  TCP  +----------+       SOCKSv5   +---------+
| Apps +------>+ iptables |    +------------> Proxy 1 |
+------+       +----+-----+    |            +---------+
           redirect |          |
                 to v          |      HTTP  +---------+
               +----+----+     |   +--------> Proxy 2 |
               |         +-----+   |        +---------+
               | moproxy |---------+             :
               |         +------------...        :
               +---------+  choose one  |   +---------+
                I'M HERE                +---> Proxy N |
                                            +---------+

Usage

Print usage

moproxy --help

Examples

moproxy --port 2080 --socks5 2001 2002 2003 --http 3128 192.0.2.0:3128

# redirect local-initiated connections
iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 2080
# redirect connections initiated by other hosts (if you are router)
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 2080

# or the nft equivalent
nft add rule nat output tcp dport {80, 443} redirect to 2080
nft add rule nat prerouting tcp dport {80, 443} redirect to 2080

Server list file

[server-1]
address=127.0.0.1:2001 ;required
protocol=socks5 ;required

[server-2]
address=127.0.0.1:2002
protocol=http
test dns=127.0.0.53:53 ;use remote's local dns server to caculate delay
listen ports=8001

[server-3]
address=127.0.0.1:2003
protocol=http
; server-3 serves for port 8001 & 8002, while server-2 is only for
; port 8001. server-1 accepts connections coming from any ports specified
; by CLI argument --port.
listen ports=8001,8002

[backup]
address=127.0.0.1:2002
protocol=socks5
score base=5000 ;add 5k to pull away from preferred server.

Install

# Install Rust
curl https://sh.rustup.rs -sSf | sh

# Clone source code
git clone https://github.com/sorz/moproxy
cd moproxy

# Build
cargo build --release
target/release/moproxy --help

# If you are in Debian
cargo install cargo-deb
cargo deb
sudo dpkg -i target/debian/*.deb
moproxy --help

Status

Quickstart

Config

Config Flags

redundis redis-proxy

Usage:
  redundis [flags]

Flags:
  -c, --config-file="": Config file location for redundis
  -l, --listen-address="127.0.0.1:6379": Redundis listen address
  -L, --log-level="info": Log level [fatal, error, info, debug, trace]
  -t, --master-wait=30: Time to wait for node to transition to master (seconds)
  -m, --monitor-name="test": Name of sentinel monitor
  -r, --ready-wait=30: Time to wait to connect to redis|sentinel (seconds)
  -s, --sentinel-address="127.0.0.1:26379": Address of sentinel node
  -p, --sentinel-password="": Sentinel password
  -w, --sentinel-wait=10: Time to wait for sentinel to respond (seconds)

Config File

{
"listen-address": "127.0.0.1:6379",
"sentinel-address": "127.0.0.1:26379",
"sentinel-password": "",
"monitor-name": "test",
"master-wait": 30,
"ready-wait": 30,
"sentinel-wait": 10,
"log-level": "info"
}

Redis Setup

+----------+
| redis    | - redis-server running on port 6380 with sentinel configured
| sentinel | - sentinel configured and started (default listen port of 26379)
| redundis | - proxies incoming connections to master redis (determined by talking to local sentinel)
| flip*    | - manages cluster vip that users connect to
+----------+
* = optional

Limitations