CLOUD SECURITY

Configure Fireprox for IP Rotation using AWS API Gateway

Nairuz Abulhul
Published in R3d Buck3T
9 min read · May 13, 2024

Unlock the power of the AWS API gateway with Fireprox configuration


During a penetration testing assessment, certain activities require some level of automation, such as web scraping from sites like LinkedIn to gather a list of valid employee names that can be used for social engineering activities, password-spraying login portals, or blind injections when testing web applications. However, performing these activities from a single source IP address could lead to being blocked during the test.

To overcome this, we need to rotate our IPs frequently enough to avoid detection. We can use services like AWS API Gateway, which proxies our traffic through a gateway rather than sending it directly to the target. When a request is made through the gateway, it selects an IP address from AWS’s large pool. Since AWS has a global infrastructure, these IPs will likely differ for each request.

There are many tools out there that leverage the AWS API Gateway; for this blog, we will look into Fireprox. It is an open-source tool created by Mike Felch from Black Hills Information Security. Fireprox creates temporary pass-through proxies on the fly, and every time a request is made through the proxy, the IP address appears different to the target server.

Creating an Amazon Account

To set up a pass-through proxy for Fireprox, we’ll need to create an AWS account. To get started, head over to the AWS website and click on “Create an AWS Account”. Fill in the account information, including the email address, a strong password, and the desired account name.

Figures 1 & 2 — show the steps to sign up for an AWS account

On the next page, select the account type, personal or business, enter the contact information, and check the box to agree to the AWS Customer Agreement.

Figure 3 — shows adding contact information

After that, enter the billing information and verify your identity through phone or text.

Figure 4 — shows adding the billing information

Then, we select the support plan — Basic, Developer, or Business plan. In general, AWS offers a free tier that allows users to experiment with their services. The 3 main offerings are:

  • 12 Months Free: These services are free to use for the first 12 months after you sign up for AWS. After that, you’ll be charged the standard pay-as-you-go rate.
  • Always Free: Some AWS services are completely free as long as you stay within the free tier limits.
  • Free Trials: Some services offer free trials that last for a shorter period, like a month or so.

The basic plan is sufficient for this post. The free tier for the API Gateway offers up to 1 million API calls monthly for REST and HTTP APIs. However, if you need more than that, you can check out their pricing page for more information — Amazon API Gateway pricing.

Figure 5 — shows selecting the support plan

After completing the registration process, we log in and access the “AWS Management Console” to start using AWS services.

Figures 6 & 7 — show signing in and AWS console

Configuring AWS API Gateway

After creating the AWS account, navigate to the “Services” tile icon on the AWS Console. From there, open the “Identity and Access Management dashboard (IAM)”.

Figure 8: shows selecting the IAM service from the AWS Console

In the IAM Dashboard, select “User groups” from the side menu and click on “Create group”.

Figure 9 — shows IAM dashboard

Enter the group name, scroll down to “Attach permissions policies — Optional”, select the AmazonAPIGatewayAdministrator policy, and click on “Create user group”.

Figure 10 — shows creating a new group
Figure 11 — shows selecting the Amazon API policy

After that, we will create a new user to add to the “FireProx-Testing” group. Click on “Create user” and enter the username information.

Figures 12 & 13 — show creating a new user

For “Set Permission”, choose “Add user to group” and add it to the Fireprox-Testing group. Then, review the username and group before clicking “Create user”.

Figures 14 & 15 — show setting permissions to the user account

After successful creation of a user, click on the user to view their information.

To generate access keys, click on “Create access key”. In the access key wizard, select the Command Line Interface (CLI) use case and confirm that we understand Amazon’s recommendations for the access keys.

Figures 16 & 17 — show generating access keys

If you want to add a description, you can do so; it’s optional. To proceed, click on “create access key”. In the final step, you can either copy the access key to a password manager or download it as a .csv file. Once you’re done, click on “Done”.

Figures 18 & 19 — show AWS access keys

Installing Fireprox

To install the Fireprox tool, clone the repo from GitHub and create a virtual environment for Python3 with virtualenv in the “fireprox” directory.

$ git clone https://github.com/ustayready/fireprox
$ cd fireprox

# create virtual environment
$ virtualenv -p python3 .

Figure 20 — shows the fireprox setup

Then, run the command source bin/activate to execute the content of the activate bash script. The activate script modifies the environment variables by setting variables like VIRTUAL_ENV to point to the Fireprox directory.

It also modifies the system’s $PATH variable to prioritize the libraries installed within Fireprox’s virtual environment.

source bin/activate

To verify that the variables were added correctly, run the env command, and check the PATH, VIRTUAL_ENV, and VIRTUAL_ENV_PROMPT variables.

Figure 21 — shows modified $PATH variable
Figure 22 — shows modified virtual env variables

Finally, install the rest of the requirements for Fireprox with pip, and run the tool.

# run inside the activated virtual environment; without sudo the packages land in the venv
pip install -r requirements.txt

python fire.py

Figure 23 — shows running Fireprox man page

Running FireProx

To use Fireprox, we need to provide the access and secret keys generated earlier while creating the new user “fireprox-testuser”, along with the URL of the site we wish to proxy through.

You can either provide the keys directly in the command, as shown in “Method 1”, or add them to the environment variables. Alternatively, you can create a profile with the AWS CLI and add the keys to it.

Method 1: Directly

python fire.py --access_key ACCESS_KEY --secret_access_key SECRET_ACCESS_KEY --region us-east-2 --command create --url TARGET_URL

Figure 24 — shows running fireprox directly with aws access keys

Method 2: Environment Variables

Add the AWS variables using the export command. Then, run Fireprox and specify the region and URL to proxy.

export AWS_ACCESS_KEY_ID=ACCESS_KEY
export AWS_SECRET_ACCESS_KEY=SECRET_KEY

python fire.py --region Your-Region --command create --url https://TARGET_URL

Figure 25 — shows adding AWS variables
Figure 26 — shows running Fireprox with AWS variables

After creating the API, go back to the console to see the newly created gateway.

Figure 27 — newly created API gateway

Method 3: AWS Profile

We can create an AWS profile, which is a file that contains a set of configurations for different accounts or purposes. A profile consists of an access key ID and a secret access key, and specifies a default region.

To create the profile, install AWS CLI first, then create the profile using the aws configure command. Provide the access key ID, secret key, and the region where the API gateway is going to be created.

# Install the AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

#Configure the profile
aws configure

Figure 28 — shows configuring aws profile

By default, the profile will be named “default”. The aws configuration file is typically located at ~/.aws/config on Linux.

Figure 29 — shows the location of the aws configuration file

Once created, run the tool again with the command below, and it will grab the credentials from the ~/.aws/config.

python fire.py --command create --url https://icanhazip.com

Figure 30 — running fireprox with aws profile

💡The --profile_name option is not working, so run the command without it.

Checking IP rotations

With the free tier, we get 1 million requests; if you are curious how the IPs change when we send the requests through API Gateway, you can write a quick bash script that sends 10 requests to the created URL.

#!/bin/bash

for i in $(seq 10); do
    # Send GET request to icanhazip.com
    curl "https://fireprox_URL"
done

Figure 31 — shows Bash script

As seen below, the returned IPs are unique.

Figure 32 — shows the IP addresses from the API Gateway
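
Seen from the receiving side, the rotation above is why a per-source-IP failure threshold never fires on this traffic. The following added example (not from the original post) compares that per-IP counter with a per-window count of distinct failing usernames; the event layout, sample addresses and the from_aws enrichment flag are constructed assumptions.

```python
from collections import Counter, defaultdict

BASE = 1715594400  # constructed epoch second, aligned to a 300 s window
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
# Constructed events: (epoch, source_ip, username, http_status, from_aws).
# from_aws is an assumed enrichment flag: source IP matched AWS's published
# ip-ranges.json. Each failed login arrives from a different address.
EVENTS = [(BASE + i, f"198.51.100.{10 + i}", u, 401, True)
          for i, u in enumerate(USERS)]
EVENTS += [(BASE + 30, "203.0.113.7", "grace", 401, False),
           (BASE + 40, "203.0.113.7", "grace", 200, False)]

def per_ip_alerts(events, threshold=5):
    """Classic control: source IPs with at least `threshold` failed logins."""
    fails = Counter(src for _, src, _, status, _ in events if status == 401)
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spread_failure_windows(events, window_s=300, min_users=5, max_per_ip=2):
    """Windows where many distinct usernames fail while no single source IP
    contributes more than `max_per_ip` failures (failures spread over IPs)."""
    buckets = defaultdict(list)
    for ts, src, user, status, from_aws in events:
        if status == 401:
            buckets[ts // window_s].append((src, user, from_aws))
    alerts = []
    for start, rows in sorted(buckets.items()):
        users = {u for _, u, _ in rows}
        per_ip = Counter(s for s, _, _ in rows)
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            alerts.append({"window_start": start * window_s,
                           "users": len(users), "ips": len(per_ip),
                           "from_aws": sum(1 for *_, a in rows if a)})
    return alerts

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(EVENTS))
    print("spread-failure alerts:", spread_failure_windows(EVENTS))
```

The per-IP control returns nothing for the sample, while the window-based count reports one alert covering seven usernames from seven addresses.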

Spoofing X-Forwarded-For Header

While sending requests to a target URL, I observed that the source IP address of my cloud VM was being shown to the target server in the value of the X-Forwarded-For header instead of the IP address of the API gateway.

I used Burp Suite Collaborator to check the values of the X-Forwarded-For header in sent requests.

python fire.py --region us-east-2 --command create --url https://6ip78y7rtz4ig5o5x7sjnye45swgl.oastify.com

curl https://FIREPROXURL.amazonaws.com/fprox/

Looking at the collaborator requests, you might see the source IPs are coming from the AWS pool, but if you click on one of the requests and check out the header being sent to the target destination, you will see your source IP in the X-Forwarded-For header.

Figure 33 & 34 — showing the value of the X-Forwarded-For header

To evade detection, we can mask our source IP address by adding this custom header to our curl command: “X-My-X-Forwarded-For: 127.0.0.1”.

curl -H "X-My-X-Forwarded-For: 127.0.0.1" https://FIREPROXURL.amazonaws.com/fprox/

Figure 35 — shows the custom X-My-X-Forwarded-For header in the requests
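
Since the X-Forwarded-For value that reaches the target is whatever the caller chooses, a receiving application should derive the client address from the TCP peer and its own trusted proxies only, and record any other forwarded-for claim as a finding. The following is an added example, not code from the original post; the trusted proxy range, function names and sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the only hops allowed to assert a client address are our own
# load balancers in this constructed range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted(hop):
    """True if `hop` parses as an address inside a trusted proxy range."""
    try:
        return any(ipaddress.ip_address(hop) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False

def resolve_client(peer, xff=None):
    """Return (client_ip, findings) for one request.

    The chain is read right to left starting at the TCP peer; the first hop
    that is not a trusted proxy is the client. Everything to its left was
    supplied by that client and is reported, never used."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    chain = hops + [peer]
    idx = len(chain) - 1
    while idx > 0 and is_trusted(chain[idx]):
        idx -= 1
    client = chain[idx]
    findings = []
    for claimed in chain[:idx]:
        try:
            addr = ipaddress.ip_address(claimed)
            odd = addr.is_loopback or addr.is_private
        except ValueError:
            odd = True  # not an IP address at all
        kind = "non-routable" if odd else "unverified"
        findings.append(f"{kind} forwarded-for claim {claimed} from {client}")
    return client, findings

if __name__ == "__main__":
    # Constructed requests: direct peer with a loopback claim, the same claim
    # arriving through a trusted load balancer, and an ordinary proxied request.
    print(resolve_client("198.51.100.23", "127.0.0.1"))
    print(resolve_client("10.0.0.5", "127.0.0.1, 198.51.100.23"))
    print(resolve_client("10.0.0.5", "203.0.113.9"))
```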

Full Script

#!/bin/bash

for i in $(seq 10); do

# Send GET request to icanhazip.com
curl -H "X-My-X-Forwarded-For: 127.0.0.1" "https://FIREPROX_URL.amazonaws.com/fireprox/"
done

We have configured Fireprox and learned how to spoof the X-Forwarded-For header. We can now use it along with various tools to automate our requests without the fear of being blocked.

That’s all for today. Thank you for stopping by!
