CLOUD SECURITY
Configure Fireprox for IP Rotation using AWS API Gateway
Unlock the power of the AWS API gateway with Fireprox configuration
During a penetration testing assessment, certain activities require some level of automation, such as web scraping from sites like LinkedIn to gather a list of valid employee names that can be used for social engineering activities, password-spraying login portals, or blind injections when testing web applications. However, performing these activities from a single source IP address could lead to being blocked during the test.
To overcome this, we need to rotate our IPs frequently enough to avoid detection. We can use services like AWS API Gateway, which proxies our traffic through a gateway rather than sending it directly to the target. When a request is made through the gateway, it selects an IP address from AWS’s large pool. Since AWS has a global infrastructure, these IPs will likely differ for each request.
There are many tools out there that leverage the AWS API Gateway; for this blog, we will look into Fireprox. It is an open-source tool created by Mike Felch from Black Hills Information Security. Fireprox creates temporary pass-through proxies on the fly, and every time a request is made through the proxy, the IP address appears different to the target server.
Table of Contents
- Prerequisites
  – Creating an Amazon Account
  – Configuring AWS API Gateway
- Installation and Setup
  – Installing Fireprox
- Usage
  – Running FireProx
  – Checking IP rotations
  – Spoofing X-Forwarded-For Header
- Resources
Creating an Amazon Account
To set up a pass-through proxy for Fireprox, we’ll need to create an AWS account. To get started, head over to the AWS website and click on “Create an AWS Account”. Fill in the account information, including the email address, a strong password, and the desired account name.
On the next page, select the account type, personal or business, enter the contact information, and check the box to agree to the AWS Customer Agreement.
After that, enter the billing information and verify your identity through phone or text.
Then, we select the support plan — Basic, Developer, or Business plan. In general, AWS offers a free tier that allows users to experiment with their services. The 3 main offerings are:
- 12 Months Free: These services are free to use for the first 12 months after you sign up for AWS. After that, you’ll be charged the standard pay-as-you-go rate.
- Always Free: Some AWS services are completely free as long as you stay within the free tier limits.
- Free Trials: Some services offer free trials that last for a shorter period, like a month or so.
The basic plan is sufficient for this post. The free tier for the API Gateway offers up to 1 million API calls monthly for REST and HTTP APIs. However, if you need more than that, you can check out their pricing page for more information — Amazon API Gateway pricing.
After completing the registration process, we log in and access the “AWS Management Console” to start using AWS services.
Configuring AWS API Gateway
After creating the AWS account, navigate to the “Services” tile icon on the AWS Console. From there, open the “Identity and Access Management dashboard (IAM)”.
In the IAM Dashboard, select “User groups” from the side menu and click on “Create group”.
Enter the group name and scroll down to “Attach permissions policies — Optional” to select the policy type as AmazonAPIGatewayAdministrator policy, and click on “Create user group.”
After that, we will create a new user to add to the “FireProx-Testing” group. Click on “Create user” and enter the username information.
For “Set Permission”, choose “Add user to group” and add it to the Fireprox-Testing group. Then, review the username and group before clicking “Create user”.
After successful creation of a user, click on the user to view their information.
To generate access keys, click on “Create access key”. In the access key wizard, select the Command Line Interface (CLI) use case and confirm that we understand Amazon’s recommendations for the access keys.
If you want to add a description, you can do so; it’s optional. To proceed, click on “create access key”. In the final step, you can either copy the access key to a password manager or download it as a .csv file. Once you’re done, click on “Done”.
Installing Fireprox
To install the Fireprox tool, clone the repo from GitHub and create a virtual environment for Python 3 with virtualenv in the “fireprox” directory.
git clone https://github.com/ustayready/fireprox
cd fireprox
# Create virtual environment
virtualenv -p python3 .
Then, run the command source bin/activate to execute the content of the activate bash script. The activate script modifies the environment variables by setting variables like VIRTUAL_ENV to point to the Fireprox directory.
It also modifies the system’s $PATH variable to prioritize the libraries installed within Fireprox’s virtual environment.
source bin/activate
To verify that the variables were added correctly, run the env command, and check the PATH, VIRTUAL_ENV, and VIRTUAL_ENV_PROMPT variables.
Finally, install the rest of the requirements for Fireprox with pip, and run the tool.
# Run pip without sudo so the packages install into the active virtual environment
pip install -r requirements.txt
python fire.py
Running FireProx
To use Fireprox, we need to provide the access and secret keys generated earlier while creating the new user “fireprox-testuser”, along with the URL of the site we wish to proxy through.
You can either provide the keys directly in the command, as shown in “Method 1”, or add them to the environment variables. Alternatively, you can create a profile with the AWS CLI and add the keys to it.
Method 1: Directly
python fire.py --access_key ACCESS_KEY --secret_access_key SECRET_ACCESS_KEY --region us-east-2 --command create --url TARGET_URL
Method 2: Environment Variables
Add the AWS variables using the export command. Then, run Fireprox and specify the region and URL to proxy.
export AWS_ACCESS_KEY_ID=ACCESS_KEY
export AWS_SECRET_ACCESS_KEY=SECRET_ACCESS_KEY
python fire.py --region Your-Region --command create --url https://TARGET_URL
After creating the API, go back to the console to see the newly created gateway.
Method 3: AWS Profile
We can create an AWS profile, which is a file that contains a set of configurations for different accounts or purposes. A profile consists of an access key ID and a secret access key, and specifies a default region.
To create the profile, install the AWS CLI first, then create the profile using the aws configure command. Provide the access key ID, secret key, and the region where the API gateway is going to be created.
# Install the AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Configure the profile
aws configure
By default, the profile will be named “default”. The AWS configuration file is typically located at ~/.aws/config on Linux.
Once created, run the tool again with the below command, and it will grab the credentials from the ~/.aws/config.
python fire.py --command create --url https://icanhazip.com
💡The --profile_name option is not working, so run the command without it.
Checking IP rotations
With the free tier, we get 1 million requests; if you are curious how the IPs change when we send the requests through API Gateway, you can write a quick bash script that sends 10 requests to the created URL.
#!/bin/bash
for i in $(seq 10); do
    # Send GET request to icanhazip.com
    curl "https://fireprox_URL"
done
As seen below, the returned IPs are unique.
Spoofing X-Forwarded-For Header
While sending requests to a target URL, I observed that the source IP address of my cloud VM was being shown to the target server in the value of the X-Forwarded-For header instead of the IP address of the API gateway.
I used Burp Suite Collaborator to check the values of the X-Forwarded-For header in sent requests.
python fire.py --region us-east-2 --command create --url https://6ip78y7rtz4ig5o5x7sjnye45swgl.oastify.com
curl https://FIREPROXURL.amazonaws.com/fprox/
Looking at the collaborator requests, you might see the source IPs are coming from the AWS pool, but if you click on one of the requests and check out the header being sent to the target destination, you will see your source IP in the X-Forwarded-For header.
To evade detection, we can mask our source IP address by adding this custom header to our curl command: “X-My-X-Forwarded-For: 127.0.0.1”.
curl -H "X-My-X-Forwarded-For: 127.0.0.1" https://FIREPROXURL.amazonaws.com/fprox/
Full Script
#!/bin/bash
for i in $(seq 10); do
    # Send GET request to icanhazip.com
    curl -H "X-My-X-Forwarded-For: 127.0.0.1" "https://FIREPROX_URL.amazonaws.com/fireprox/"
done
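Seen from the target's side, rotating source IPs and an overridden X-Forwarded-For still leave a stable signal in the request headers. The following is an added example, not code from the original post or the Fireprox project: it groups logged requests by the API Gateway identifier header and flags groups that arrive from many source IPs or carry a non-routable X-Forwarded-For value. The header name x-amzn-apigateway-api-id, the JSON log layout, the API ids and every sample record are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

API_ID_HEADER = "x-amzn-apigateway-api-id"  # assumed header added by the gateway
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one JSON object per request, as an origin server might log it.
SAMPLE_LOG = """
{"peer": "192.0.2.21", "path": "/login", "headers": {"x-amzn-apigateway-api-id": "a1b2c3d4e5", "x-forwarded-for": "127.0.0.1"}}
{"peer": "192.0.2.93", "path": "/login", "headers": {"x-amzn-apigateway-api-id": "a1b2c3d4e5", "x-forwarded-for": "127.0.0.1"}}
{"peer": "192.0.2.146", "path": "/login", "headers": {"X-Amzn-Apigateway-Api-Id": "a1b2c3d4e5", "X-Forwarded-For": "127.0.0.1"}}
{"peer": "198.51.100.7", "path": "/login", "headers": {"user-agent": "Mozilla/5.0"}}
{"peer": "192.0.2.40", "path": "/status", "headers": {"x-amzn-apigateway-api-id": "zz99yy88xx", "x-forwarded-for": "203.0.113.50"}}
"""

def first_hop(xff):
    """Left-most X-Forwarded-For entry as an address, or None if unparsable."""
    try:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    except ValueError:
        return None

def analyze(log_text, min_peers=3):
    """Group gateway-relayed requests by API id and return the suspicious groups."""
    groups = defaultdict(lambda: {"peers": set(), "requests": 0, "bogus_xff": 0})
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        api_id = headers.get(API_ID_HEADER)
        if api_id is None:
            continue  # direct request, not relayed through a gateway
        g = groups[api_id]
        g["requests"] += 1
        g["peers"].add(rec["peer"])  # TCP source address changes between requests
        hop = first_hop(headers.get("x-forwarded-for", ""))
        if hop is not None and any(hop in net for net in NON_ROUTABLE):
            g["bogus_xff"] += 1  # a gateway-observed client is never loopback/RFC 1918
    findings = {}
    for api_id, g in groups.items():
        reasons = []
        if len(g["peers"]) >= min_peers:
            reasons.append("rotating-peers")
        if g["bogus_xff"]:
            reasons.append("non-routable-xff")
        if reasons:
            findings[api_id] = {"requests": g["requests"], "peers": len(g["peers"]), "reasons": reasons}
    return findings
```

Keying rate limits and lockouts on the gateway identifier (or on the targeted account) rather than on the peer address keeps them effective when the source IP changes on every request.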
We have configured Fireprox and learned how to spoof the X-Forwarded-For header. We can now use it along with various tools to automate our requests without the fear of being blocked.
That’s all for today. Thank you for stopping by!