First off, I lied. It’s not a botnet. But it enables you to achieve botnet-like abilities.
Today I am going to show you something that has been kept a secret for a long time in the hacker community and has never really been made accessible to the average hobbyist. With this knowledge you will be able to:
- Bypass rate limits on APIs
- Google dork with impunity
- Scan hosts extremely stealthily
- Leverage hundreds of IP addresses, legally, and quickly
And if that doesn’t already sound incredible, you’ll be able to do it all for less than $3.50 a month.
Prerequisites for following this article (none of this will be explained here, and without it the rest will be hard to follow):
- Have a basic understanding of Docker
- Be able to use the Linux CLI
- Have a VPN subscription that provides at least one OpenVPN (.ovpn) file
- Have Docker installed and your user in the Docker group
If you’ve ever tried to automate any sort of scraping, Google dorking, or pulling from APIs with rate limits, you’ll know this little guy very well: the dreaded CAPTCHA.
The traditional way to bypass this would be to scrape some public proxies; however, Google has gotten smarter and upped its detection game. Using any public proxy or any known Tor exit node doesn’t work either, as providers (freenode, API providers, and others) are quick to block these.
Now the only option left seems to be VPNs. Many VPNs are difficult to detect, and they are very rarely used for scraping because switching between them is really difficult. Today that is about to change.
My first idea to solve this problem was to get a bunch of different computers and virtual machines, hook each one up to a VPN, stand up an HTTP proxy server on it, and then manually load them all into a proxychains file. Sounds like a good idea, except it would take forever for all 45 of my VPN files.
Instead of using actual computers, I decided this would be a good job for Docker.
Inside each ProxyDock Docker container, OpenVPN is connected to a VPN tunnel and an HTTP proxy server is exposed on port 8080; all traffic sent to port 8080 leaves through the VPN connection.
The simple bash script repeats this for however many VPN files you have in the VPN directory. For each VPN file, it forwards port 8080 on the container to a local port and writes that local port into a proxychains configuration, so using these proxies is very simple.
If you haven’t already, download this
git clone https://github.com/pry0cc/ProxyDock/
Now, create a new directory called ‘VPN’ inside it:
cd ProxyDock
mkdir VPN
Put all your OpenVPN .ovpn files in there, and make sure their names do not contain any odd characters (spaces, quotes, and the like).
Remove auth prompts from connection files
(skip this if it doesn’t prompt you on connection)
Most providers have built-in authentication prompts, so when you run openvpn file.ovpn it will load and ask for a username and password, which is not very helpful for automation. You can easily solve this using an
Create a file in the ProxyDock directory called auth.txt; put your username on the first line and your password on the second. Then append the line auth-user-pass auth.txt to each file in the VPN directory; a simple bash one-liner does the trick nicely:
for f in VPN/*.ovpn; do printf '\nauth-user-pass auth.txt\n' >> "$f"; done
If the directive does not end up on a line by itself (for example because a .ovpn file had no trailing newline), OpenVPN will not parse it; the leading newline in the printf guards against that, and re-running the one-liner also fixes it.
You can test that this worked by running sudo openvpn VPN/vpnfile.ovpn; it should connect without any prompts.
Building the Dockerfile
I have included a script for this, so it’s as easy as:
Now that all the setup is done, it is time to run the start.sh script and let the beautiful collection of proxies start up before your eyes.
A simple run of docker ps should reveal the running containers.
Simply use proxychains from the current directory; proxychains will automatically recognize that a proxychains.conf is present and use it.
Non-ICMP nmap scans, curl requests, and other fun stuff can be run through proxychains, and each request will use a different proxy; you can even couple it to an IRC client or browser for maximum hacker cred.
This method is extremely simple and very affordable, and it is a wonder that nobody has thought of it before. What is very cool is that you can throw as many VPN files as you like into the VPN directory and potentially have the reach of 400-500 different non-blacklisted IP addresses. You essentially have a botnet that you can use for scraping or whatever else you’re doing.
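From the defender’s side, the setup above leaves a signature that per-IP rate limiting misses: one client session shows up from many addresses within a short window while each address stays under any per-IP threshold. The following Python is an added example, not part of the ProxyDock article or project; it runs that check over constructed log lines, and the trailing sid= column is an assumed session-cookie field appended to the standard combined log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format with an appended session-cookie field (constructed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)

# Constructed sample: S1 rotates across five exits (one request each); S2 is one client on one IP.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=p1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" sid=S1
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=p2 HTTP/1.1" 200 498 "-" "Mozilla/5.0" sid=S1
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=p3 HTTP/1.1" 200 501 "-" "Mozilla/5.0" sid=S1
203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=p4 HTTP/1.1" 200 477 "-" "Mozilla/5.0" sid=S1
203.0.113.14 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=p5 HTTP/1.1" 200 503 "-" "Mozilla/5.0" sid=S1
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=weather HTTP/1.1" 200 620 "-" "Mozilla/5.0" sid=S2
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=news HTTP/1.1" 200 640 "-" "Mozilla/5.0" sid=S2
"""

def parse_log(text):
    """Parse lines matching LOG_RE; non-matching lines are skipped, timestamps become aware datetimes."""
    records = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records

def requests_per_ip(records):
    """What a per-IP rate limiter sees: total hits per source address."""
    return dict(Counter(r["ip"] for r in records))

def rotating_clients(records, window=timedelta(seconds=60), min_ips=3):
    """Fingerprints (session cookie + User-Agent) seen from >= min_ips distinct IPs inside one sliding window."""
    by_fp = defaultdict(list)
    for r in records:
        by_fp[(r["sid"], r["ua"])].append((r["ts"], r["ip"]))
    flagged = {}
    for fp, events in by_fp.items():
        events.sort()
        start = 0
        for end, (t, _) in enumerate(events):
            while t - events[start][0] > window:  # slide the window start forward
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[fp] = flagged.get(fp, set()) | ips
    return flagged
```

With the sample, every IP shows at most two requests, yet session S1 is flagged with all five rotating addresses while the single-IP session S2 is not.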
If you liked this article please like it, share it, and drop a comment giving your thoughts! And as always, Stay Snappy
-Benjamin Bidmead is Security Architect at Sequoia Cyber Solutions, Inc. He is a pentester, ethical hacker, Sysadmin, security specialist and hobbyist developer who co-founded the hacking community https://0x00sec.org. Ben has written several articles on the methods of pentesting and continues to learn as much as he can to share what he can with the security community.