BlackArch / blackarch

An ArchLinux based distribution for penetration testers and security researchers.
https://www.blackarch.org

Nipe incorrect transfer and DNS ports #2729

Closed highjack closed 4 years ago

highjack commented 4 years ago

Bug description

Inside the file /usr/share/nipe/lib/Nipe/Engine/Start.pm $dnsPort is set to 9061 and $transferPort is set to 9051. However, in /etc/tor/torrc TransPort is 9040 and DNSPort is 5353. These ports need to match up so iptables can forward your traffic over tor.

torrc uses these ports because they are the ones used by tor-router https://github.com/BlackArch/blackarch/blob/af404f99f10d45a91e7e92478774c249957fe582/packages/tor-router/tor-router.install

 echo -e "\n# Seting up TOR transparent proxy for tor-router\nVirtualAddrNetwork 10.192.0.0/10\nAutomapHostsOnResolve 1\nTransPort 9040\nDNSPort 5353" >> "$torconfig"

Steps to reproduce

Info for developers

Tool version: 277.2f5bcba-1

noptrix commented 4 years ago

@highjack thx for reporting this! quick question: what about line 11 in Start.pm: my $network = "10.66.0.0/255.255.0.0"; shouldn't that also be equal to VirtualAddrNetwork 10.192.0.0/10 from tor-router?

highjack commented 4 years ago

@noptrix thanks for getting back to me so fast, I checked the tor documentation and it says this address is used by the MAPADDRESS command (which looks like it's used to force traffic out through certain exit nodes) and AutomapHostsOnResolve (I think it's used for .onions to work). Tor apparently picks an unassigned address from the range specified to use. Nipe's code has the following line to send all of its TCP traffic out over this network, so it should not work, but I tested it in my browser and my IP is an exit node :/ :

sudo iptables -t $table -A OUTPUT -d $network -p tcp -j $target

I also noticed something weird, in https://github.com/GouveaHeitor/nipe/blob/master/.configs/arch-torrc the VirtualAddrNetwork is actually commented out.

The documentation suggests using the network that tor-router is using: When providing proxy server service to a network of computers using a tool like dns-proxy-tor, change this address to "10.192.0.0/10" or "172.16.0.0/12".

I'm not clear why it is "working" but I think it's good to keep things consistent, to follow the documentation and we might potentially have some IP leaks if it is not changed.

Thanks

noptrix commented 4 years ago

@highjack awesome, thanks for this detailed answer :)) we gonna patch the Start.pm now and release nipe again.

noptrix commented 4 years ago

patched and released :)
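A consistency check for the mismatch reported in this thread, as an added example that is not part of the original issue or of nipe or BlackArch: it compares the redirect values in Start.pm with the listeners and VirtualAddrNetwork in torrc. The torrc sample mirrors the tor-router.install line quoted above; the exact form of the Start.pm lines and all function names are assumptions built from the values quoted in the comments.

```python
import ipaddress
import re

# Constructed samples. TORRC mirrors the lines tor-router.install appends;
# START_PM is a hypothetical rendering of the values quoted in the report.
TORRC = """\
# Seting up TOR transparent proxy for tor-router
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5353
"""
START_PM = '''\
my $dnsPort      = "9061";
my $transferPort = "9051";
my $network      = "10.66.0.0/255.255.0.0";
'''

def torrc_values(text, option):
    """Every first argument given for `option` (option names are case-insensitive)."""
    values = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 2 and fields[0].lower() == option.lower():
            values.append(fields[1])
    return values

def perl_scalar(text, name):
    """Value assigned to the Perl scalar $name, or None if it is absent."""
    m = re.search(r'\$' + re.escape(name) + r'\s*=\s*"?([^";\s]+)"?\s*;', text)
    return m.group(1) if m else None

def mismatches(torrc, start_pm):
    """Redirect settings that do not line up with what Tor is configured to use."""
    problems = []
    for var, option in (("transferPort", "TransPort"), ("dnsPort", "DNSPort")):
        # Listener arguments have the form [address:]port; keep the port only.
        listening = {v.rsplit(":", 1)[-1] for v in torrc_values(torrc, option)}
        target = perl_scalar(start_pm, var)
        if target not in listening:
            problems.append(f"${var}={target} but {option} is {sorted(listening)}")
    nets = {ipaddress.ip_network(v) for v in torrc_values(torrc, "VirtualAddrNetwork")}
    net = perl_scalar(start_pm, "network")
    if net is not None and nets and ipaddress.ip_network(net) not in nets:
        problems.append(f"$network={net} but VirtualAddrNetwork is {sorted(map(str, nets))}")
    return problems

if __name__ == "__main__":
    print("\n".join(mismatches(TORRC, START_PM)) or "consistent")
```

Running it against the real files means reading /etc/tor/torrc and /usr/share/nipe/lib/Nipe/Engine/Start.pm into the two strings; an empty result means the iptables redirect targets match Tor's configuration.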