Penetration testing: TOR, VPN or proxy
If you’re reading this article, chances are good that you already know what penetration testing is. Let's take things a step further and look at the specific case of applying proxies, VPNs and Tor in the process of performing penetration testing.
There is often a need to conduct full-fledged black box penetration testing. This is a form of testing in which security professionals have to deal with such things as firewalls other mechanisms of restriction on the customer’s side. This is an interference while pentesters execute checks and periodically block them by, for example, IP address or user-agent.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
If we didn’t agree on a gray- or white-box model and our IPs were not whitelisted, what can we do to bypass those limitations which are regulated by the customer and their firewall? Here, we can see only one possibility to evade those limitations: by switching both our IP address and user-agent. If we speak about user-agent here, things seem easier, as it will be enough just to install a specific plugin for your web browser or, for example, to switch agents in your script with help of specific function.
So what are we going to do with the IP address? Below, I will describe several available methods, as well as their pros and cons.
There are lots of differences between proxy, VPN and Tor, but their common goal is to hide our IP address, mask our activities, help to evade firewall restrictions, and by extension, bypass bans. TOR and proxy are much easier to use in cases when you need to switch your IP address very often (e.g., proxychains). Proxies seems more complex for usage, as they can’t proxy all the traffic, but only for one port or service. Below, I will provide more detailed information about each of these options, as well as their pros and cons.
Proxy
Proxy servers come in several forms:
HTTP relays GET/POST requests and can add your original IP address to the request header, as well as store the full history of your interaction with the site.
Pros:
- Anonymity (if used correctly)
- Is supported by almost all browsers
- DNS queries on behalf of the server
Cons:
- Server history
- The ability to filter and replace data with a proxy server
- Works only for HTTP protocol
In the case of the SOCKS proxy, the browser opens all TCP (and sometimes UDP) sockets on behalf of the server. At the same time (depending on the browser), you can use your local DNS server and the site will be able to track you by it by issuing a unique name for each request in its subdomain and remembering which addresses DNS queries come to them from.
Proxy usage is mostly applicable for application-level scans and requests rather than network-level. Take nmap for example; here, we can meet several problems. Nmap can only do CONNECT and SOCKS4, and these protocols can do only TCP.
Apart from that, using any kind of proxy means that nmap communicates with the IP stack of the proxy and not of the target. This means that the ICMP ping cannot be done to see if a host is alive, since ICMP is not TCP.
Pros:
- Customer anonymity (if used correctly)
- The ability to forward an arbitrary TCP connection (for example, SSH)
- DNS queries on behalf of the server (Google Chrome)
Cons:
- DNS queries on behalf of the client (Firefox)
- The ability to filter and replace data with a proxy server
- Server history
The main advantage in this case, if we speak about penetration testing, is that we will be able to easily deploy a lot of proxy servers based on docker containers or AWS/DigitalOcean images and quickly switch between them. It is also much easier for a specific script/application to work through proxy, as you may run different tools on different IPs, unlike with VPN.
A crucial point is to not just hide your IP, but to not forget about such parameters like “user-agent” so that firewalls will see you as a real user or users. Furthermore, there are a lot of open proxy servers on the internet which you can easily find by specific port scanning or just grabbing proxies from other websites. These are mostly used during application security assessment to evade firewalls with black-box offender models. In rarer cases, it can be used for the gray-box model if you need a static IP address but can’t obtain such from your internet provider.
VPN (OpenVPN)
“A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks, as if their computing devices were directly connected to a private network. Applications running on a computing device, e.g. a laptop, desktop, smartphone, etc., across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common though not an inherent part of a VPN connection.” (Source: Mason, Andrew G. (2002). Cisco Secure Virtual Private Network. Cisco Press. p. 7.).
In the case of using a VPN, the most popular solution will be OpenVPN. It has a lot of useful features, including the ability to undergo NAT using SSL/TLS encapsulation, possibility to work through UDP and many more. With the help of a VPN, you can change the IP address on your machine and it also will help you with DNS traffic as well (don’t forget here to check your client-server configuration that DNS traffic will go through the server).
You’ll be able to hide your real IP from firewalls for some time until you get a new ban, but this solution is also effective because there’s no need for a proxy-specific port or tool or something else. VPN will mask all your traffic for all ports.
Usage of VPN (OpenVPN) is very popular nowadays for any kind of tool and perfectly fits both for application- and network-level work. With the help of a VPN, you can easily execute network scans without worrying about whether your real IP is hidden. This is popular for usage with gray-box model testing when you agreed with the customer to execute penetration testing from a static IP address but don’t have such. However, if you need to simulate an attack from a specific country or if you need to hide a real IP address during black-box penetration testing, this is a time to use a VPN as well.
Pros:
- Better encryption
- More reliable
- More capabilities
- Easier to use with huge set of tools
- Can be used as a “double VPN” or even VPN inside a VPN
Cons:
- You have 1 IP for everything
- It is hard to switch IPs while using VPN
- Takes more time to connect
- In most cases, it will require more time and efforts to automatically switch between VPNs
TOR
Tor (the Tor network) is a very popular anonymizing technology nowadays which helps you not only hide your real IP address, but also get access to the Tor network. You have two options on how you will run it:
- You can simply install the Tor browser (by Mozilla)
- You can run your Tor service on remote server which will be used as proxy
With the help of Tor, you can easily switch IPs by using a specific option in your browser or just by restarting the Tor service on your server. Each time, you will get a new exit-node IP. Your real IP will be hidden and your connection encrypted, but here we encounter another problem. As mentioned above, you will connect through a huge chain to the exit node which has possibility to see your traffic in the clear.
By the way, with the help of Tor and proxychains, you can even use network-level scanning tools like nmap, zmap, hping and others. The approach is based on usage of Tor service and launching proxychains before you use any tool or script. The command for nmap to use with proxychains through Tor looks like this:
proxychains nmap –sV 192.168.1.1
In this way, you will hide your real IP address and will force nmap to work strictly through the Tor network.
Of course, this adds additional risks for our penetration testing activities due to the possibility of information leakage. So we should take into account all those risks before we will start using Tor on our pentesting projects. This approach is mostly used with black-box penetration testing when we need to hide real IP or evade firewalls.
Pros:
- Easy to use
- Free
- You can quickly change IPs and locations
Cons:
- Somebody on the exit node can monitor your traffic
- You can’t use Tor the same way as proxy; it’s closer to the VPN method
- It works slower, as the exit node will usually be chosen by default in a country far from you
Conclusion
From the information above, we can make some very useful conclusions regarding the way we can change our IP and specific technology effectiveness. If we speak about tools, automation and threading, we should keep closer to the method with proxy usage, because with such a method we can gain a lot in speed and IP-switching possibilities.
If we speak about mostly manual process and we need a more secure and stable connection, then a VPN will accommodate. Though it will provide you with better speeds as well as a stable and encrypted connection, by default it will also route all your traffic through the server, not just one specific port. The huge disadvantage is that if we need lots of IPs, we should tie all of them to our one server and switch between them or assign a specific IP to a specific user behind the NAT.
Finally, if we don’t have the capabilities and/or money to run our own server for proxy or VPN, then we can try to use Tor. This solution is less effective due to speed loss and possibility of information leakage (additional risks), but at least it may help us switch our IP and somehow bypass blocks from firewall.
FREE role-guided training plans
Sources
- Tor Project: Overview, Tor
- Black Box Penetration Testing Tips & Tricks, Scan for Security
- Fifty Shades of Black, White and Gray Box Penetration Testing, ScienceSoft
- ProxyChains Tutorial, Linux Hint
- How to hide your IP address on the Web, Best VPN Zone 2019
- User-Agent, MDN web docs
- What is OpenVPN?, OpenVPN
- History, Tor
- proxychains, GitHub
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Penetration testing: TOR, VPN or proxy
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness