Penetration testing: TOR, VPN or proxy
If you’re reading this article, chances are good that you already know what penetration testing is. Let’s take things a step further and look at the specific case of applying proxies, VPNs and Tor in the process of performing penetration testing.
There is often a need to conduct full-fledged black box penetration testing. This is a form of testing in which security professionals have to deal with such things as firewalls other mechanisms of restriction on the customer’s side. This is an interference while pentesters execute checks and periodically block them by, for example, IP address or user-agent.
If we didn’t agree on a gray- or white-box model and our IPs were not whitelisted, what can we do to bypass those limitations which are regulated by the customer and their firewall? Here, we can see only one possibility to evade those limitations: by switching both our IP address and user-agent. If we speak about user-agent here, things seem easier, as it will be enough just to install a specific plugin for your web browser or, for example, to switch agents in your script with help of specific function.
So what are we going to do with the IP address? Below, I will describe several available methods, as well as their pros and cons.
There are lots of differences between proxy, VPN and Tor, but their common goal is to hide our IP address, mask our activities, help to evade firewall restrictions, and by extension, bypass bans. TOR and proxy are much easier to use in cases when you need to switch your IP address very often (e.g., proxychains). Proxies seems more complex for usage, as they can’t proxy all the traffic, but only for one port or service. Below, I will provide more detailed information about each of these options, as well as their pros and cons.
Proxy servers come in several forms:
HTTP relays GET/POST requests and can add your original IP address to the request header, as well as store the full history of your interaction with the site.
- Anonymity (if used correctly)
- Is supported by almost all browsers
- DNS queries on behalf of the server
- Server history
- The ability to filter and replace data with a proxy server
- Works only for HTTP protocol
In the case of the SOCKS proxy, the browser opens all TCP (and sometimes UDP) sockets on behalf of the server. At the same time (depending on the browser), you can use your local DNS server and the site will be able to track you by it by issuing a unique name for each request in its subdomain and remembering which addresses DNS queries come to them from.
Proxy usage is mostly applicable for application-level scans and requests rather than network-level. Take nmap for example; here, we can meet several problems. Nmap can only do CONNECT and SOCKS4, and these protocols can do only TCP.
Apart from that, using any kind of proxy means that nmap communicates with the IP stack of the proxy and not of the target. This means that the ICMP ping cannot be done to see if a host is alive, since ICMP is not TCP.
- Customer anonymity (if used correctly)
- The ability to forward an arbitrary TCP connection (for example, SSH)
- DNS queries on behalf of the server (Google Chrome)
- DNS queries on behalf of the client (Firefox)
- The ability to filter and replace data with a proxy server
- Server history
The main advantage in this case, if we speak about penetration testing, is that we will be able to easily deploy a lot of proxy servers based on docker containers or AWS/DigitalOcean images and quickly switch between them. It is also much easier for a specific script/application to work through proxy, as you may run different tools on different IPs, unlike with VPN.
A crucial point is to not just hide your IP, but to not forget about such parameters like “user-agent” so that firewalls will see you as a real user or users. Furthermore, there are a lot of open proxy servers on the internet which you can easily find by specific port scanning or just grabbing proxies from other websites. These are mostly used during application security assessment to evade firewalls with black-box offender models. In rarer cases, it can be used for the gray-box model if you need a static IP address but can’t obtain such from your internet provider.
“A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks, as if their computing devices were directly connected to a private network. Applications running on a computing device, e.g. a laptop, desktop, smartphone, etc., across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common though not an inherent part of a VPN connection.” (Source: Mason, Andrew G. (2002). Cisco Secure Virtual Private Network. Cisco Press. p. 7.).
In the case of using a VPN, the most popular solution will be OpenVPN. It has a lot of useful features, including the ability to undergo NAT using SSL/TLS encapsulation, possibility to work through UDP and many more. With the help of a VPN, you can change the IP address on your machine and it also will help you with DNS traffic as well (don’t forget here to check your client-server configuration that DNS traffic will go through the server).
You’ll be able to hide your real IP from firewalls for some time until you get a new ban, but this solution is also effective because there’s no need for a proxy-specific port or tool or something else. VPN will mask all your traffic for all ports.
Usage of VPN (OpenVPN) is very popular nowadays for any kind of tool and perfectly fits both for application- and network-level work. With the help of a VPN, you can easily execute network scans without worrying about whether your real IP is hidden. This is popular for usage with gray-box model testing when you agreed with the customer to execute penetration testing from a static IP address but don’t have such. However, if you need to simulate an attack from a specific country or if you need to hide a real IP address during black-box penetration testing, this is a time to use a VPN as well.
- Better encryption
- More reliable
- More capabilities
- Easier to use with huge set of tools
- Can be used as a “double VPN” or even VPN inside a VPN
- You have 1 IP for everything
- It is hard to switch IPs while using VPN
- Takes more time to connect
- In most cases, it will require more time and efforts to automatically switch between VPNs
Tor (the Tor network) is a very popular anonymizing technology nowadays which helps you not only hide your real IP address, but also get access to the Tor network. You have two options on how you will run it:
- You can simply install the Tor browser (by Mozilla)
- You can run your Tor service on remote server which will be used as proxy
With the help of Tor, you can easily switch IPs by using a specific option in your browser or just by restarting the Tor service on your server. Each time, you will get a new exit-node IP. Your real IP will be hidden and your connection encrypted, but here we encounter another problem. As mentioned above, you will connect through a huge chain to the exit node which has possibility to see your traffic in the clear.
By the way, with the help of Tor and proxychains, you can even use network-level scanning tools like nmap, zmap, hping and others. The approach is based on usage of Tor service and launching proxychains before you use any tool or script. The command for nmap to use with proxychains through Tor looks like this:
proxychains nmap –sV 192.168.1.1
In this way, you will hide your real IP address and will force nmap to work strictly through the Tor network.
Of course, this adds additional risks for our penetration testing activities due to the possibility of information leakage. So we should take into account all those risks before we will start using Tor on our pentesting projects. This approach is mostly used with black-box penetration testing when we need to hide real IP or evade firewalls.
- Easy to use
- You can quickly change IPs and locations
- Somebody on the exit node can monitor your traffic
- You can’t use Tor the same way as proxy; it’s closer to the VPN method
- It works slower, as the exit node will usually be chosen by default in a country far from you
From the information above, we can make some very useful conclusions regarding the way we can change our IP and specific technology effectiveness. If we speak about tools, automation and threading, we should keep closer to the method with proxy usage, because with such a method we can gain a lot in speed and IP-switching possibilities.
If we speak about mostly manual process and we need a more secure and stable connection, then a VPN will accommodate. Though it will provide you with better speeds as well as a stable and encrypted connection, by default it will also route all your traffic through the server, not just one specific port. The huge disadvantage is that if we need lots of IPs, we should tie all of them to our one server and switch between them or assign a specific IP to a specific user behind the NAT.
Finally, if we don’t have the capabilities and/or money to run our own server for proxy or VPN, then we can try to use Tor. This solution is less effective due to speed loss and possibility of information leakage (additional risks), but at least it may help us switch our IP and somehow bypass blocks from firewall.
- Tor Project: Overview, Tor
- Black Box Penetration Testing Tips & Tricks, Scan for Security
- Fifty Shades of Black, White and Gray Box Penetration Testing, ScienceSoft
- ProxyChains Tutorial, Linux Hint
- How to hide your IP address on the Web, Best VPN Zone 2019
- User-Agent, MDN web docs
- What is OpenVPN?, OpenVPN
- History, Tor
- proxychains, GitHub