Setting up a Proxy Server for traffic monitoring with Tshark
In a few countries there are many restrictions on Internet usage: restricted websites, banned web services, or other kinds of internal censorship. Most of the time people turn to anonymity services to get around that barrier, and one common element is the web proxy.
A web or HTTP proxy is a server that acts as a middleman between the two sides of a communication (client and server); in a certain way, the proxy masks your IP address by giving you an alternative Internet identity.
A proxy is used for more than privacy: it also helps to bypass filters, to log and eavesdrop on traffic, to cache, to filter and block, to manipulate and modify network traffic, and more.
I'll emphasize network traffic in this writing. Have you ever thought about what can happen if you use a free proxy service? Is your privacy guaranteed?
There are many paid tools that can be trusted, but many people do not pay for this service. The person or group controlling a proxy can see your traffic, especially if it is a free proxy.
How does it work?
There are many proxies out there. I'm going to briefly explain the types of proxies and how they work.
For this type, the client sends the request to the proxy, which fetches the response on the client's behalf. The client may or may not know about the proxy, but the server does not know about the proxy at all.
The order will be something like this:
— Client => Proxy (Internet) <= Server
This is used to hide the network architecture behind it and to distribute traffic load across the servers. Connections are made to the proxy instead of to the servers, and the proxy then handles the request.
It looks something like this:
— Client => Proxy (Internet) => Servers
This kind of proxy does not modify any information and requires no client configuration. It is commonly used by ISPs for faster responses.
— Client => Proxy (Internet) => Servers
Great, how do we connect to a Proxy?
This is more of a browser settings setup than anything technical. Let's use Firefox for this scenario.
Open the Firefox browser -> Settings -> Advanced -> Network -> Manual Proxy Settings
There, add the IP address and the port provided by the proxy service.
At this point we are all set to start using a proxy, but there is a missing part here: we need to install and configure a proxy server. I'm going to be quick with this explanation because later on I'll get into the details.
For this, I recommend using a Linux-based OS (Debian preferably). We are going to install proxychains, a tool that forces any TCP connection made by any application to go through a proxy. You can check it here.
apt-get install proxychains
We have to comment out the strict_chain option; with it enabled, if one of the proxies in the list is down, the whole chain becomes unusable.
After this, uncomment the dynamic_chain option: the chain will work regardless of whether all the proxies are available, because dead proxies are skipped.
By default the ProxyList uses the Tor network to anonymize you, in case you don't put anything in the ProxyList.
How to use it?
As a non-root user, do the following:
Leave this terminal session open to keep the connection alive and, with the Firefox settings correctly in place, check your public IP. The network speed may be slower, but you will be bypassing some privacy controls by doing this.
But how do you set up your own proxy server?
We are going to create a cloud-based Debian machine and install a proxy server called Squid3 to handle our personal traffic, to demonstrate how you can be monitored and how easily someone can learn your destinations and packet details using the Wireshark and Tshark network analyzers.
A cloud server instance on DigitalOcean (it can be another cloud provider)
Log in to your provider and create a Droplet (DigitalOcean's machine instance) with Debian 9 on it.
- Select the $5 plan
- Select country for datacenter
Generating SSH keys and blocking root access (minimum security controls)
- Generate an SSH key for accessing the server with ssh-keygen -t rsa; once it is done, you will have a key file in the .ssh directory of the logged-in user.
- Copy the generated key into the DigitalOcean instance by doing:
- Access the instance via SSH like this: ssh root@IP, where "IP" is the IP address of the instance provided by DigitalOcean. DigitalOcean will have sent an email with the root password.
- Add another user (for security purposes) with adduser david and set its password.
- Change the authentication settings in the SSH server configuration file, setting the option to no; this will let only regular users access SSH.
- Copy root's authorized_keys to the same user, david, and give that user ownership of the copy; this will disable root access to the server.
Installing and configuring a Proxy Server
- Install squid3 (the proxy server):
apt-get install squid3
- Back up the config file:
cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
- Change the permissions of the backup with chmod -w /etc/squid3/squid.conf.original (everybody can read the file but cannot edit it).
- Inside the config file /etc/squid3/squid.conf you can change the TCP port if you want; by default it is 3128.
- Before starting the server, we need a hole in the firewall. You can check the open ports with the nmap tool by doing:
nmap [IP address]
- Check the squid3 service by doing:
systemctl status squid3.service, and start it if necessary.
- Set the Squid3 proxy server in the browser proxy settings as http [IP address] 3128, where 3128 is the default port used by the proxy service.
If you scan with Nmap, port 3128 of the squid3 service won't show up on the server.
In the squid3 config file:
http_access deny !Safe_ports: this bans ports that are not in the safe list; if the connection isn't on port 80, it gets dropped.
http_access allow all (the default is to deny all): by setting this to allow, we have to be responsible for what is done through the proxy. This is for honeypot proxy servers.
- Restart the squid3.service after the changes:
systemctl restart squid3.service
- Ensure all browser instances are closed
- Start Firefox through proxychains using:
Sniffing your Proxy Server
On the same server instance, we start sniffing by installing Tshark.
Install it using:
apt-get install tshark
Sniff the eth0 interface for TCP traffic on port 3128:
tshark -i eth0 -f "tcp port 3128"
For verification, you can run a DNS leak test and check the public IP address.
Setting a pipe from the server to our local machine
We are going to stream the traffic to our machine over SSH and push it into Wireshark for monitoring.
- On the DigitalOcean instance, install tshark (and wireshark, if necessary): apt-get install tshark wireshark
- Add the user to the wireshark group (you cannot run Wireshark as root):
usermod -a -G wireshark david
The newgrp command makes the new group membership take effect for the user's session: newgrp wireshark. This lets a regular user run the tshark command.
- On the host machine, we pipe the output of the remote Tshark into Wireshark as a pcap stream. This is the tricky part of the workshop.
wireshark -k -i <(ssh david@[IP DO instance] "tshark -F pcap -w - -f 'not tcp port 22'")
- -i (interface): not necessarily a network interface; in this case it is a live stream of data fed in through output redirection
- -F pcap: the command sets the capture file format to pcap
- -w -: write the capture to standard output
This will open the Wireshark GUI (previously installed) and sniff the incoming traffic.
You can also filter the incoming traffic in the Wireshark GUI like this:
tcp.port == 3128 && ip.src ==[IP DO machine] || tcp.port == 80 || tcp.port == 443
This Wireshark filter should display your own traffic coming from the HTTP ports and from the TCP proxy port.
What can we learn from this?
- The person who controls the proxy server can see all the sites you visit, everywhere you go, can log your traffic information, and more.
- Most source IP addresses on port 3128 will be your home router; someone can look at your router, access it, and do a lot of things: change DNS servers, monitor all URL requests, place your PC in the router's DMZ, etc.
- You cannot see encrypted data easily.
- Anonymity is relative
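To make the first and third lessons concrete, here is an added example (not code from the original post) that parses the HTTP requests a Squid operator sees on port 3128 and reports what each one reveals: an absolute-URI GET exposes the full URL and headers, while a CONNECT for HTTPS exposes only host and port. The three client requests and their IP addresses are constructed samples, not a real capture.

```python
# Added example (not from the original post): what a proxy operator capturing
# "tcp port 3128" with tshark can read from each client request.
# The requests in SAMPLE_CAPTURE are constructed, not a real capture.
from urllib.parse import urlsplit

def parse_proxy_request(raw: bytes) -> dict:
    """Parse one HTTP request exactly as a forward proxy receives it.

    Plain HTTP reaches the proxy with an absolute URI, so the full URL and all
    headers (cookies included) are readable.  HTTPS uses CONNECT, so the proxy
    sees only host:port; the path and headers travel inside TLS afterwards.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port),
                "path": None, "headers": headers, "encrypted": True}
    url = urlsplit(target)
    return {"method": method, "host": url.hostname, "port": url.port or 80,
            "path": url.path or "/", "headers": headers, "encrypted": False}

def operator_view(capture: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Per client IP, one line per request describing what the operator learns."""
    view: dict[str, list[str]] = {}
    for client_ip, raw in capture:
        req = parse_proxy_request(raw)
        if req["encrypted"]:
            note = f"{req['host']}:{req['port']} (TLS: host only, path hidden)"
        else:
            note = f"{req['method']} http://{req['host']}:{req['port']}{req['path']}"
            if "cookie" in req["headers"]:
                note += " (cookie visible)"
        view.setdefault(client_ip, []).append(note)
    return view

# Constructed sample: three client requests arriving on the proxy port.
SAMPLE_CAPTURE = [
    ("198.51.100.7", b"GET http://example.org/news HTTP/1.1\r\nHost: example.org\r\nCookie: session=abc\r\n\r\n"),
    ("198.51.100.7", b"CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n"),
    ("203.0.113.9", b"GET http://example.org:8080/ HTTP/1.1\r\nHost: example.org:8080\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, notes in operator_view(SAMPLE_CAPTURE).items():
        print(ip, *notes, sep="\n  ")
```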