Published in Nerd For Tech

Setting up a Proxy Server for traffic monitoring with Tshark

In some countries there are many restrictions on Internet usage: restricted websites, banned web services, or other kinds of internal censorship. Most of the time people turn to anonymity services to bypass that barrier, and one common element is the Web Proxy.

A Web or HTTP proxy is a server that acts as a middleman between the two ends of a communication (client and server). In a certain way, this proxy masks your IP address by giving you an alternative Internet identity.

A proxy is used for more than privacy: it can bypass filters, enable logging and eavesdropping, cache content, filter and block, manipulate and modify network traffic, and more.

I’ll emphasize network traffic in this writing. Have you ever thought about what can happen if you use a free proxy service? Can your privacy be guaranteed?

There are a lot of paid tools that can be trusted, but many people do not pay for this service. The person or group controlling a proxy can see your traffic, especially if it is a free proxy.

How does it work?

There are a lot of proxies out there. I’m going to briefly explain the types of proxies and how they work.

Forward Proxies

For this type, the client sends the request to the proxy, which fetches the response on the client’s behalf. The client may or may not know about the proxy, but the server doesn’t know about the proxy at all.

The order will be something like this:

— Client => Proxy (Internet) <= Server

Reverse Proxies

This is used to hide the network architecture behind it and to distribute traffic load across the servers. Connections are made to the proxy instead of the servers, and then the proxy handles the request.

It’s something like this:

— Client => Proxy (Internet) => Servers

Transparent Proxies

This kind of proxy does not modify any information and requires no client configuration. It is commonly used by ISPs for faster responses.

— Client => Proxy (Internet) => Servers

Great, how do we connect to a Proxy?

This is more of a browser settings setup than anything technical. Let’s use Firefox for this scenario.

Open the Firefox browser -> Settings -> Advanced Network -> Manual Proxy Settings

There you add the IP address and the port provided by the proxy service.

At this point we are all set to start using a proxy, but there’s a missing part: we need to install and configure a proxy server. I’m going to be quick with this explanation because later on I’ll get into the details.

For this, I recommend using a Linux-based OS (Debian preferably). We are going to install proxychains, a tool that forces any TCP connection made by any application to go through a proxy. You can check it here.

Installing

Just apt-get install proxychains

Checking configuration

Check /etc/proxychains.conf

We have to comment out the strict_chain option. With it enabled, if one of the proxies in the list is down, the whole chain becomes unusable.

After this, you can uncomment the dynamic_chain option: the chain will work regardless of whether all the proxies are available, since dead proxies are skipped.

If you don’t put anything in the ProxyList, it uses the Tor network by default in order to anonymize you.

How to use it?

As a non-root user, do the following:

proxychains4 firefox

Leave this terminal session open to keep the connection alive. With the Firefox settings correctly in place, check your public IP: the network speed might be slower, but you will be bypassing some privacy controls by doing this.

But how do you set up your own Proxy Server?

We are going to create a cloud-based Debian machine and install a proxy server called Squid3 to handle personal traffic, in order to demonstrate how you can be monitored and how easily someone can learn your destinations and packet details using the Wireshark and Tshark network analyzers.

Let’s start.

A cloud server instance on DigitalOcean (any other cloud provider works too)

Log in to your provider and create a Droplet (DigitalOcean’s machine instance) with Debian 9 as the OS.

  1. Select the $5 plan
  2. Select the country for the datacenter

Generating SSH keys and blocking root access (minimum security controls)

  1. Generate an SSH key for accessing the server with ssh-keygen -t rsa; once it is done, you will have a file named id_rsa.pub in the .ssh directory of the logged-in user.
  2. Copy the generated key into the DigitalOcean instance; print it with cat id_rsa.pub
  3. Access the server via SSH: ssh root@IP, where "IP" is the instance address provided by DigitalOcean. DigitalOcean will send an email with the root password.
  4. Add another user (for security purposes) with adduser david and set the password using the passwd command.
  5. Change the authentication method in the sshd configuration file /etc/ssh/sshd_config by setting PermitRootLogin to no; this lets only regular users access SSH.
  6. Copy root’s authorized_keys to the user david and change its ownership to that same user; this disables root access to the server.
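A scripted version of step 5, as an added example that is not part of the original post: it sets an sshd_config directive idempotently (whether the line is active, commented out, or missing) and reads back the value sshd will actually use. It goes beyond the post by also turning off password logins, so only key-based access remains; the sample config, file paths and the assumption of a Debian-style sshd_config are mine.

```shell
# Added example, not from the original post: idempotently set sshd_config directives
# (the post's step 5) and read back the value sshd will actually use. Assumes a
# Debian-style sshd_config; pass any file path, e.g. a copy, to try it safely.

# set_sshd_option FILE KEY VALUE: rewrite every active or commented "KEY ..." line
# to "KEY VALUE", or append the directive when the file never mentions it.
# Note: lines inside a "Match" block are rewritten too; keep those out of FILE.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|\$)" "$file"; then
    sed -E "s|^[#[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# effective_sshd_option FILE KEY: sshd uses the first uncommented occurrence of a
# directive, so print that one (empty output if the file does not set it).
effective_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE: disable root login as in the post and, additionally,
# accept keys only, so the root password mailed by the provider is useless remotely.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# write_sample_sshd_config FILE: constructed sample with the commented defaults
# Debian ships, so the functions above can be exercised without touching /etc.
write_sample_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Real use on the droplet (as root), validating the result before restarting:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
```

Keep your current session open while restarting and confirm that ssh david@IP still works with the key before logging out, since a typo here locks you out of the droplet.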

Installing and configuring a Proxy Server

  1. Install squid3 (the proxy server): apt-get install squid3
  2. Back up the config file: cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
  3. Change the permissions of the backup: chmod -w /etc/squid3/squid.conf.original (everybody can read the file, but nobody can edit it)
  4. In the conf file /etc/squid3/squid.conf you can change the TCP port if you want; by default it is 3128
  5. Before starting the server, we need a firewall hole; you can check the ports with the nmap tool: nmap [IP address]
  6. Check the squid3 service with systemctl status squid3.service, and start it if necessary.
  7. Set the Squid3 proxy server in /etc/proxychains.conf as http [IP address] 3128, where 3128 is the default port provided by the proxy service

If you scan with Nmap at this point, port 3128 of the squid3 service won’t show up on the server yet.

On the squid3 config file

  1. Uncomment http_access deny !Safe_ports; this bans ports outside the safe list, so if a connection isn’t on port 80 it gets dropped.
  2. http_access allow all (the default is to deny all). By setting this to allow, we become responsible for whatever is done through the proxy. This is the setting for honeypot proxy servers.
  3. Restart squid3.service after the changes: systemctl restart squid3.service
  4. Ensure all browser instances are closed
  5. Launch Firefox through proxychains: proxychains4 firefox
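The allow-all setting in step 2 is what turns the droplet into an open proxy that anyone on the Internet can route through. As an added example that is not from the post or from Squid’s own documentation, here is a restricted http_access policy to use instead, beside a small check that tells an open squid.conf from a closed one; the ACL name home_clients, the CIDR and the file paths are placeholders.

```shell
# Added example, not from the post or the Squid project: write the http_access
# policy that should replace the post's "http_access allow all", and a check that
# flags a squid.conf which would run as an open proxy. Assumes Squid 3 syntax;
# the CIDR you pass is a placeholder for your own client network.

# write_squid_access_policy CONF CLIENT_CIDR: allow only localhost and the given
# network, keep the Safe_ports rule from the post, and end with an explicit deny.
write_squid_access_policy() {
  cat > "$1" <<EOF
acl home_clients src $2
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow home_clients
http_access deny all
http_port 3128
EOF
}

# write_open_squid_policy CONF: constructed reproduction of the post's settings,
# which let any Internet client use (and be logged by) the proxy.
write_open_squid_policy() {
  cat > "$1" <<'EOF'
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow all
http_port 3128
EOF
}

# proxy_exposure CONF: Squid evaluates http_access lines top-down, first match
# wins, so the first rule whose only ACL is "all" decides what happens to an
# arbitrary client that passed the port checks above it. Prints "open", "closed"
# or "unknown" (no catch-all rule; a broad custom src ACL is not detected).
proxy_exposure() {
  awk '
    $1 == "http_access" && NF == 3 && $3 == "all" {
      verdict = ($2 == "allow") ? "open" : "closed"; print verdict; found = 1; exit
    }
    END { if (!found) print "unknown" }
  ' "$1"
}

# Real use on the droplet: write the policy to a scratch file, e.g.
#   write_squid_access_policy /etc/squid3/policy.conf 203.0.113.0/24
# paste it over the http_access section of squid.conf, check the syntax with
# "squid -k parse" and restart the service.
```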

Sniffing your Proxy Server

On the same server instance, we start sniffing by installing Tshark.

Install it with: apt-get install tshark

Sniff the eth0 interface for TCP on port 3128: tshark -i eth0 -f "tcp port 3128"

For verification, you can run a DNS leak test and check the public IP address.

Setting a pipe from the server to our local machine

We are going to stream the traffic to our local machine over SSH and push it into Wireshark for monitoring.

  1. On the DigitalOcean instance, install the tools with apt-get install tshark wireshark (if necessary)
  2. Add the user to the wireshark group (you cannot run Wireshark as root): usermod -a -G wireshark david
  3. The newgrp command changes the current group of the login session: newgrp wireshark. This lets a regular user run the tshark command
  4. On the host machine, we pipe the pcap output of the remote Tshark into Wireshark. This is the tricky part of the workshop.

wireshark -k -i <(ssh david@[IP DO instance] "tshark -F pcap -w - -f 'not tcp port 22'")

Where:

  1. -i (interface) is not necessarily a network interface; in this case it is a live stream coming from an output redirection
  2. -F pcap specifies the capture file format (the default for tshark)
  3. -w - writes the capture to standard output

This will open the Wireshark GUI (previously installed) and sniff the incoming traffic.

You can also filter the incoming traffic in the Wireshark GUI like this:

tcp.port == 3128 && ip.src == [IP DO machine] || tcp.port == 80 || tcp.port == 443

This Wireshark filter should display your own traffic coming from the HTTP ports and from the TCP proxy port.

What can we learn from this?

  1. The person who controls the proxy server can see all the sites you visit, everywhere you go, can log your traffic information, and more.
  2. Most source IP addresses on port 3128 will be your home router; someone can look at your router, gain access to it, and then do many things: change the DNS servers, monitor all URL requests, place your PC in the router’s DMZ, etc.
  3. You cannot see encrypted data easily.
  4. Anonymity is relative.
