├── CHAOS
│   ├── i2p.url
│   ├── i2p-conf.png
│   ├── i2p-conf2.png
│   ├── i2p-conf3.png
│   ├── i2p-conf4.png
│   ├── install.sh
│   └── iptables.rules
├── CLIENT
│   ├── install.sh
│   ├── issh.sh
│   ├── knock.sh
│   ├── ssh
│   └── vpn.sh
├── VPN
│   ├── i2p.url
│   ├── i2p-conf.png
│   ├── i2p-conf2.png
│   ├── i2p-conf3.png
│   ├── crontab
│   ├── ssocat.sh
│   ├── ssocat.sh.alt
│   ├── knockd.conf
│   ├── tunnel.sh
│   ├── install.sh
│   ├── knockd.conf.alt
│   ├── iptables.rules
│   └── sshd_config
├── logo.jpg
├── schema.png
├── VolgaCTF-2018.pdf
├── LICENSE
└── README.md

/CHAOS/i2p.url:
--------------------------------------------------------------------------------
#new hidden standard service
http://localhost:7657/i2ptunnel/

--------------------------------------------------------------------------------
/CLIENT/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

apt install ssh socat netcat #knockd

--------------------------------------------------------------------------------
/VPN/i2p.url:
--------------------------------------------------------------------------------
#new standard client tunnel
http://localhost:7657/i2ptunnel/

--------------------------------------------------------------------------------
/logo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/logo.jpg
--------------------------------------------------------------------------------
/schema.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/schema.png
--------------------------------------------------------------------------------
/VPN/i2p-conf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/VPN/i2p-conf.png
--------------------------------------------------------------------------------
/VPN/i2p-conf2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/VPN/i2p-conf2.png
--------------------------------------------------------------------------------
/VPN/i2p-conf3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/VPN/i2p-conf3.png
--------------------------------------------------------------------------------
/VolgaCTF-2018.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/VolgaCTF-2018.pdf
--------------------------------------------------------------------------------
/CHAOS/i2p-conf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/CHAOS/i2p-conf.png
--------------------------------------------------------------------------------
/CHAOS/i2p-conf2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/CHAOS/i2p-conf2.png
--------------------------------------------------------------------------------
/CHAOS/i2p-conf3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/CHAOS/i2p-conf3.png
--------------------------------------------------------------------------------
/CHAOS/i2p-conf4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Agent00049/GhostInTheChaos/master/CHAOS/i2p-conf4.png
--------------------------------------------------------------------------------
/VPN/crontab:
--------------------------------------------------------------------------------
#/var/spool/cron/crontabs/root
@reboot /root/tunnel.sh
@reboot /root/ssocat.sh
#@reboot /usr/sbin/knockd -d

--------------------------------------------------------------------------------
/VPN/ssocat.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#crontab @reboot
#apt install socat

# wrap the local sshd in TLS on 443; the loop restarts the listener after each session
while true
do
	socat openssl-listen:443,reuseaddr,cert=cert.pem,cafile=cert.pem tcp:localhost:22
done

--------------------------------------------------------------------------------
/VPN/ssocat.sh.alt:
--------------------------------------------------------------------------------
#!/bin/bash
#crontab @reboot
#apt install socat

# alternative listener on 4433, reached through the knockd.conf.alt REDIRECT from 443
while true
do
	socat openssl-listen:4433,reuseaddr,cert=cert.pem,cafile=cert.pem tcp:localhost:22
done

--------------------------------------------------------------------------------
/CHAOS/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

apt install openssh-server iptables-persistent
# https://geti2p.net/en/download/
# systemctl enable i2p || crontab /usr/bin/i2prouter

cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
chmod -R 700 ~/.ssh

--------------------------------------------------------------------------------
/VPN/knockd.conf:
--------------------------------------------------------------------------------
#/etc/knockd.conf
# systemctl enable knockd || crontab

[options]
	UseSyslog

[opencloseSSH]
	sequence      = 443:tcp, 80:tcp
	seq_timeout   = 1
	tcpflags      = syn
	start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 443 -j ACCEPT
	cmd_timeout   = 20
	stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 443 -j ACCEPT

--------------------------------------------------------------------------------
/CLIENT/issh.sh:
--------------------------------------------------------------------------------
#!/bin/bash

VPS=$1
IP=vpn.net


if [ "$VPS" != "vpn" ] && [ "$VPS" != "chaos" ]
then
	echo 'Usage : issh vpn|chaos'
	exit 1
fi

# local plain-TCP listener on 7443 that wraps the connection in TLS towards $IP:443
socat -d tcp-listen:7443 openssl-connect:$IP:443,cert=~/GhostInTheChaos/cert.pem,verify=0 &
bash ~/GhostInTheChaos/knock.sh
ssh $VPS
# certificate verification isn't necessary since SSH is used for that purpose

#fuser -k 7443/tcp
killall socat

--------------------------------------------------------------------------------
/VPN/tunnel.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#crontab @reboot
#apt install socat

NET=10.11.13.0
MASK=24
IPr=10.11.13.1
TUNNEL=tun0
GW=eth0


/sbin/sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -I POSTROUTING 1 -s $NET/$MASK -o $GW -j MASQUERADE

# sshd creates tun0 when a client connects with -w; address it as soon as it appears but is not UP
while true
do
	ip l | grep tun0 | grep -v UP
	if [[ $? = 0 ]]
	then
		ip addr add $IPr/$MASK dev $TUNNEL
		ip link set $TUNNEL up
	fi
	sleep 1
done

--------------------------------------------------------------------------------
/CHAOS/iptables.rules:
--------------------------------------------------------------------------------
#/etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2590:1545351]

-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT
#/etc/iptables/rules.v6
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

--------------------------------------------------------------------------------
/CLIENT/knock.sh:
--------------------------------------------------------------------------------
#!/bin/bash

IP=vpn.net

# universal stealth version for both Linux and Android:

nc -w 1 -i 1 $IP 443 &
sleep 1
nc -w 1 -i 1 $IP 80 &
sleep 1

nc -w 1 -i 1 $IP 443 &
sleep 1
nc -w 1 -i 1 $IP 80 &
sleep 1

nc -w 1 -i 1 $IP 443 &
sleep 1
nc -w 1 -i 1 $IP 80 &
sleep 1

# three times are enough for a normal usage

killall nc

# for more speed and less stealth on Linux (without 'sleep'):
#knock $IP 443 80 443 80
#sleep 1
#knock $IP 443 80 443 80
#sleep 1
#knock $IP 443 80 443 80
#sleep 1

--------------------------------------------------------------------------------
/VPN/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

apt install openssh-server socat iptables-persistent knockd
# https://geti2p.net/en/download/
# systemctl enable i2p || crontab /usr/bin/i2prouter

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
chmod -R 700 ~/.ssh
# remove the trailing root@vpn.net comment from the .pub

# self-signed certificate for the socat TLS wrapper; cert.pem ends up holding both the certificate and the key
openssl ecparam -out cert.key -name secp521r1 -genkey
openssl req -new -key cert.key -x509 -nodes -days 365 -out cert.pem -sha256 -subj "/C=FR/ST=IDF/L=Paris/O=OrganizedOrganistion/OU=Org/CN=vpn.net"
cat cert.key >> cert.pem
# cat /dev/urandom > cert.key
rm cert.key

--------------------------------------------------------------------------------
/VPN/knockd.conf.alt:
--------------------------------------------------------------------------------
#/etc/knockd.conf
# systemctl enable knockd || crontab
# service apache start || service nginx start

[options]
	UseSyslog

[HTTPSredirectSSH]
	sequence      = 443:tcp, 80:tcp
	seq_timeout   = 1
	tcpflags      = syn
	start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 4433 -j ACCEPT && /sbin/iptables -t nat -I PREROUTING 1 -p tcp -s %IP% --dport 443 -j REDIRECT --to-port 4433
	cmd_timeout   = 20
	stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 4433 -j ACCEPT && /sbin/iptables -t nat -D PREROUTING -p tcp -s %IP% --dport 443 -j REDIRECT --to-port 4433

--------------------------------------------------------------------------------
/VPN/iptables.rules:
--------------------------------------------------------------------------------
#/etc/iptables/rules.v4
#apt install iptables-persistent
*filter
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [307558:46722814]
#-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
#-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT
# TODO enable UDP over IPv4/IPv6 for more stealthing and traffic analysis prevention?

#/etc/iptables/rules.v6
*filter
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
--------------------------------------------------------------------------------
/CLIENT/ssh:
--------------------------------------------------------------------------------
#~/.ssh/config
# share keys with cert && cat id_ed25519.pub >> ~/.ssh/authorized_keys && chmod -R 700 .ssh

Host vpn
	Hostname 127.0.0.1
	Port 7443
	IdentityFile ~/.ssh/id_ed25519
	User root
#	HostKeyAlgorithms ssh-ed25519
#	Ciphers chacha20-poly1305@openssh.com
#	Ciphers aes256-gcm@openssh.com
#	MACs umac-128@openssh.com
#	Tunnel point-to-point
	ConnectTimeout 10
##	ProxyCommand corkscrew $PROXY $PORT %h %p
	ForwardX11 yes
	DynamicForward 8081

Host chaos
	Hostname 127.0.0.1
	Port 8080
	User root
	IdentityFile ~/.ssh/id_ed25519
#	Tunnel point-to-point
	ProxyCommand ssh vpn -W %h:%p
	ForwardX11 yes
#	BindAddress 8080
	DynamicForward 8082

Host lvpn
	Hostname 10.11.13.1
	Port 22
	IdentityFile ~/.ssh/id_ed25519.vps
	User root
	ConnectTimeout 10
	ForwardX11 yes
	DynamicForward 8083

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Maksym Zaitsev

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/CLIENT/vpn.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# cp -r ~/.ssh /root
# TODO Android automation support

HOME=/home/user
NET=10.11.13.0
MASK=24
IPr=10.11.13.1
IPh=10.11.13.$(($RANDOM%200+10))
TUNNEL=tun0
GW=eth0
IP=vpn.net

VPS=$2
if [ "$VPS" = "vpn" ] || [ "$VPS" = "" ]
then
	VPS="vpn"
fi
if [[ "$VPS" = "chaos" ]]
then
	VPS="chaos"
#	IP=tunnel.net
fi

bash ~/GhostInTheChaos/knock.sh

if [[ "$1" = "start" ]]
then
	socat -d tcp-listen:7443 openssl-connect:$IP:443,cert=~/GhostInTheChaos/cert.pem,verify=0 &
	# master connection with a control socket and a layer-3 tunnel (tun0 on both ends)
	ssh -C -S /var/run/ssh-vpn-tunnel-control -M -f -w 0:0 $VPS true &>/dev/null
	status=$?
#	if [ $status -ne 0 ] && [ $status -ne 255 ]
	if [[ $status -ne 0 ]]
	then
		echo 'Unable to establish the tunnel'
		killall socat
		exit 1
	fi
	sleep 5
	cp /etc/resolv.conf /root/resolv.conf.bk
	ip addr add $IPh/$MASK dev $TUNNEL
	ip link set $TUNNEL up
	# pin the route to the server through the current gateway before the default route moves into the tunnel
	echo "route add -host $IP gw $(ip r | grep def | cut -d ' ' -f 3) dev $(ip r | grep def | cut -d ' ' -f 5)" > /root/route.gw
	bash < /root/route.gw
	route del default
	route add default gw $IPr dev $TUNNEL
	echo "nameserver 1.1.1.1" > /etc/resolv.conf
#	echo "nameserver $IPr" > /etc/resolv.conf

elif [[ "$1" = "stop" ]]
then
#	ssh l$VPS "sysctl -w net.ipv4.ip_forward=0" &>/dev/null
#	ssh l$VPS "iptables -t nat -D POSTROUTING -s $NET/$MASK -o $GW -j MASQUERADE" &>/dev/null
	ssh -S /var/run/ssh-vpn-tunnel-control -O exit l$VPS &>/dev/null
	sleep 5
	route del -host $IP
	cp /root/resolv.conf.bk /etc/resolv.conf
	# restore the default route saved in /root/route.gw (fields 6 and 8 are the gateway and the device)
	route add default gw $(cat /root/route.gw | cut -d ' ' -f 6) dev $(cat /root/route.gw | cut -d ' ' -f 8)

else
	echo 'Usage : vpn start|stop [vpn|chaos]'
	exit 2
fi

--------------------------------------------------------------------------------
/VPN/sshd_config:
--------------------------------------------------------------------------------
#/etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

#TODO implement simple user and not root

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 4096

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

UseDNS no

AllowUsers root

#Ciphers chacha20-poly1305@openssh.com
Ciphers aes256-gcm@openssh.com
MACs umac-128@openssh.com
KexAlgorithms curve25519-sha256@libssh.org

PermitTunnel point-to-point
#PermitTunnel yes

#PrintLastLog yes

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# GhostInTheChaos
Chaotic Crypto Stealth VPN for Anonymity and Untraceable Hacking Attacks with Linux and Android

![](https://github.com/cryptolok/GhostInTheChaos/raw/master/logo.jpg)

Properties:
* Protects client from sniffing and tracing
* Protects server from attacks and scanning
* Bypasses censorship and network filtering
* Transparent
* Cross-platform
* Minimalistic

Dependencies:
* **Linux 2.4.26+** - will work on any Linux-based OS (and can be ported to other Unix), including Whonix, RaspberryPI and even Android
  - BASH - the whole script
  - root privileges - for VPN (firewall controlling, but can be used without if manually configured (like Android))
  - [Termux](https://f-droid.org/en/packages/com.termux/) for Android
* **at least 1 (better 2) VPS/DEDIC remote/cloud server with Linux**

Limitations:
* If using the anonymity option (2nd server) the speed will be greatly reduced (to prevent abuse)
* You should use a domain name for the 1st server to increase the firewall bypass probability
* Traffic can still be identified and hence blocked using timing analysis
* The server can still be scanned, so you shouldn't rely only on "security by obscurity"

## How it works & Analysis

See my [blog](https://cryptolok.blogspot.com/2018/07/ghostinthechaos-chaotic-crypto-stealth.html) for research details.

![](https://github.com/cryptolok/GhostInTheChaos/raw/master/schema.png)

### HowTo

**VPN**

(Assuming you already have SSH/VNC access to your server with root privileges)

First of all, install everything that is needed:
```bash
apt install openssh-server socat iptables-persistent knockd
```

My SSH configuration requires specific options, and it is also hardened (except for the root user, but that is just for the PoC; you can still harden it with SELinux/grsec/PaX/AppArmor/cgroups), so copy VPN/sshd_config to /etc/ssh.

Now, generate a certificate in order to couple it with socat:
```bash
openssl ecparam -out cert.key -name secp521r1 -genkey
openssl req -new -key cert.key -x509 -nodes -days 365 -out cert.pem -sha256 -subj "/C=FR/ST=IDF/L=Paris/O=OrganizedOrganistion/OU=Org/CN=vpn.net"
cat cert.key >> cert.pem
rm cert.key
```
If you are security-conscious, you can overwrite the key before removing it with `cat /dev/random > cert.key`

It's time to set up the filtering rules: just copy the content of VPN/iptables.rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 respectively, then apply them:
```bash
iptables-restore /etc/iptables/rules.v4
ip6tables-restore /etc/iptables/rules.v6
```

! WARNING ! this will block all incoming traffic, so if in doubt, add a remote access port as an exception until you have stabilized your configuration

To finish the filtering, copy VPN/knockd.conf to /etc; this allows the SSL connection to port 443 for socat only after the knock sequence has been seen. Don't forget to daemonize the process if your OS hasn't done it already:
```bash
systemctl enable knockd || echo '@reboot /usr/sbin/knockd -d' >> /var/spool/cron/crontabs/root
```
Alternatively, copy VPN/knockd.conf.alt if you already run an HTTPS server on 443 (with an already generated certificate) for stealth: after the knock, the knocking IP's connections to 443 are redirected to the socat listener on 4433.

In order to launch socat itself, just put VPN/ssocat.sh in (for example) the /root directory and crontab it:
```bash
@reboot /root/ssocat.sh
```
Or VPN/ssocat.sh.alt as the HTTPS server alternative.

Finally, if you want a VPN-type connection, put VPN/tunnel.sh in /root and daemonize it as well:
```bash
@reboot /root/tunnel.sh
```

**CHAOS (optional)**

If you want to test my "chaotic vpn/ssh/proxy" you will need a second server with the following packages installed:
```bash
apt install openssh-server iptables-persistent
```

! WARNING ! this server shouldn't be accessed directly, in order to leave no trace (free WiFi or Tor); this is the "bulletproof" server.

For I2P, you should manually [install/download](https://geti2p.net/en/download) it on both the CHAOS server and the VPN server. Don't forget to make sure that it's daemonized:
```bash
systemctl enable i2p || echo "@reboot /usr/bin/i2prouter" >> /var/spool/cron/crontabs/root
```

The SSH configuration is the same as in the case of VPN.

The iptables rules are a bit different, however, but should still be copied to /etc/iptables and "restored", just like for VPN. The main difference is that they accept UDP (for I2P) INPUT for both IPv4 and IPv6.

! WARNING ! just like in the case of VPN, these rules will block almost all connections, so make sure you know what you're doing and make backups...

Finally, the [I2P](http://localhost:7657/i2ptunnel/) configurations can be found as screenshots in both the VPN/ and CHAOS/ directories, in the correct order. To do it on both servers, you can reach the I2P console using SSH [DPF](https://www.linuxbabe.com/firewall/ssh-dynamic-port-forwarding) (included in the CLIENT conf).

In the case of CHAOS, you just configure a new hidden standard service with the options shown, but note that I used 443 as the port for my SSH, so you should replace it with 22. Afterwards, in the main configuration menu, you will see the server's hidden Base32 address ending in \*.b32.i2p, which is used to configure the VPN server's new standard client tunnel, once again with port 22 and not 443.

**CLIENT**

As in the previous case, you will need some packages:
```bash
sudo apt install ssh socat netcat #knockd
```
knock isn't necessary, unless you want to speed up the process (sacrificing stealth).

Then, generate a public/private key pair for SSH authentication and secure it:
```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
chmod -R 700 ~/.ssh
```
On both servers (VPN and CHAOS) authorize your public key for the connection:
```bash
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
```
I would advise removing the 'root@vpn.net' part at the end of the public key. Although the PoC doesn't provide key passphrase automation, it should be compatible with one.

For SSH, just copy CLIENT/ssh to ~/.ssh/config.

Before continuing, replace the $IP variable by your server in all the CLIENT scripts. Needless to say, all the scripts need to be `chmod u+x` (but if you're not that smart, perhaps you shouldn't use such technology in the first place).
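Several of the pieces above are copied by hand, and a mismatch between them fails silently: knockd opening a port the socat wrapper does not listen on, a stop_command that does not undo its start_command, or a client knock order that differs from the server's sequence. The script below is an added example, not part of the GhostInTheChaos repository; it parses constructed copies of VPN/knockd.conf, VPN/ssocat.sh and CLIENT/knock.sh (plus the .alt variants) with sed/grep and reports each inconsistency.

```bash
#!/bin/sh
# Added example (not from the GhostInTheChaos repo): cross-check the hand-copied
# server and client pieces before rebooting into a locked-down firewall.
# All samples below are constructed copies modelled on the repository's files.

SAMPLE_KNOCKD='[opencloseSSH]
sequence = 443:tcp, 80:tcp
seq_timeout = 1
tcpflags = syn
start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 443 -j ACCEPT
cmd_timeout = 20
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 443 -j ACCEPT'

# Mirrors knockd.conf.alt: opens 4433 and redirects the knocker's 443 traffic to it.
SAMPLE_KNOCKD_ALT='[HTTPSredirectSSH]
sequence = 443:tcp, 80:tcp
start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 4433 -j ACCEPT && /sbin/iptables -t nat -I PREROUTING 1 -p tcp -s %IP% --dport 443 -j REDIRECT --to-port 4433
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 4433 -j ACCEPT && /sbin/iptables -t nat -D PREROUTING -p tcp -s %IP% --dport 443 -j REDIRECT --to-port 4433'

SAMPLE_SSOCAT='socat openssl-listen:443,reuseaddr,cert=cert.pem,cafile=cert.pem tcp:localhost:22'
SAMPLE_SSOCAT_ALT='socat openssl-listen:4433,reuseaddr,cert=cert.pem,cafile=cert.pem tcp:localhost:22'

# Constructed excerpt of CLIENT/knock.sh ($IP is literal here, as in the script).
SAMPLE_KNOCK_SH='nc -w 1 -i 1 $IP 443 &
sleep 1
nc -w 1 -i 1 $IP 80 &
sleep 1
nc -w 1 -i 1 $IP 443 &
sleep 1
nc -w 1 -i 1 $IP 80 &'

# First --dport that start_command opens in the INPUT chain.
knockd_open_port() {
	printf '%s\n' "$1" | sed -n 's/^start_command *= *//p' \
		| grep -o -- '--dport [0-9]*' | head -n 1 | cut -d' ' -f2
}

# Port the socat TLS wrapper listens on.
ssocat_listen_port() {
	printf '%s\n' "$1" | sed -n 's/.*openssl-listen:\([0-9][0-9]*\),.*/\1/p' | head -n 1
}

# Knock sequence as space-separated ports, e.g. "443 80".
knockd_sequence() {
	printf '%s\n' "$1" | sed -n 's/^sequence *= *//p' | tr -d ' ' | tr ',' '\n' \
		| cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Ports the client knocks, in order, e.g. "443 80 443 80".
client_knock_ports() {
	printf '%s\n' "$1" | sed -n 's/^nc .* \([0-9][0-9]*\) *&$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds when knockd opens exactly the port socat listens on.
ports_agree() {
	[ "$(knockd_open_port "$1")" = "$(ssocat_listen_port "$2")" ]
}

# Succeeds when stop_command deletes exactly the rules start_command inserts
# (turn every "-I CHAIN 1" into "-D CHAIN" and compare the rest verbatim).
knockd_rules_paired() {
	local start stop
	start=$(printf '%s\n' "$1" | sed -n 's/^start_command *= *//p' | sed 's/-I \([A-Z]*\) 1 /-D \1 /g')
	stop=$(printf '%s\n' "$1" | sed -n 's/^stop_command *= *//p')
	[ -n "$start" ] && [ "$start" = "$stop" ]
}

# Succeeds when the client's knocks begin with the server's sequence.
knock_matches() {
	local seq client
	seq=$(knockd_sequence "$1")
	client=$(client_knock_ports "$2")
	case "$client" in
		"$seq"|"$seq "*) return 0 ;;
	esac
	return 1
}

# Runs all checks over one knockd.conf / ssocat.sh / knock.sh triple; prints a
# verdict per check and returns the number of failures.
check_setup() {
	local fails=0
	if ports_agree "$1" "$2"; then echo "ok   knockd opens the socat port"; else echo "FAIL knockd/socat port mismatch"; fails=$((fails+1)); fi
	if knockd_rules_paired "$1"; then echo "ok   stop_command undoes start_command"; else echo "FAIL stop_command does not undo start_command"; fails=$((fails+1)); fi
	if knock_matches "$1" "$3"; then echo "ok   client knock matches the sequence"; else echo "FAIL client knock differs from knockd sequence"; fails=$((fails+1)); fi
	return $fails
}

check_setup "$SAMPLE_KNOCKD" "$SAMPLE_SSOCAT" "$SAMPLE_KNOCK_SH"
check_setup "$SAMPLE_KNOCKD_ALT" "$SAMPLE_SSOCAT_ALT" "$SAMPLE_KNOCK_SH"
```

Pair the base knockd.conf with ssocat.sh.alt and the first check fails, which is exactly the mismatch that would leave 443 open to nothing after a knock.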

For socat, you also have to transfer cert.pem, then use the issh.sh script to initialize the SSH connection to the VPN:
```bash
cd ~/GhostInTheChaos
./issh.sh vpn
```
Replace "vpn" by "chaos" if you want the connection to go through I2P.

Make sure that the required script (knock.sh) and cert.pem are in the same directory. Note that the first connection requires accepting the host keys of both servers (so it should be done by hand before any automation).

That's it for the SSH shell, X11 application redirection (like VNC) and even browser proxying through port forwarding (port 8081 for VPN and 8082 for CHAOS).

Now the vpn: first you have to copy/alias your .ssh folder to /root (or use sudo for every network command):
```bash
cd ~/GhostInTheChaos
sudo ./vpn.sh start
```
To stop it:
```bash
sudo ~/GhostInTheChaos/vpn.sh stop
```
You can also use the vpn with the CHAOS server:
```bash
sudo ./vpn.sh start chaos
sudo ./vpn.sh stop
```

OK, it takes some time to set up, but when it's done, you can use it in a few clicks (or aliases).

**ANDROID**

Everything has been tested on Android with Termux and the configuration is the same as for CLIENT. You still have to install the corresponding packages:
```bash
pkg install ssh socat netcat
```
The exception is that the vpn connection requires root privileges if you use the script, but it can also be done by manually configuring the network settings. Either way you still have port forwarding and SSH, which is already enough for a smartphone, so vpn support is experimental at the moment.

Finally, don't hesitate to modify my scripts to suit your needs and limitations, as well as reading them in the first place :)

#### Notes

Firewall, IDPS, NGFW, UTM, DPI, AI, are all made by human intelligence, which will fall in the face of a stronger intelligence, human or not.

Chaos can be used for order and order can be used for chaos.

Order is impossible without chaos and chaos is impossible without order.

> "Invention, it must be humbly admitted, does not consist in creating out of void but out of chaos."

Mary Wollstonecraft Shelley

> "Chaos was the law of nature; Order was the dream of man."

Henry Adams, *The Education of Henry Adams*

> "No structure, even an artificial one, enjoys the process of entropy. It is the ultimate fate of everything, and everything resists it."

Philip K. Dick, "Galactic Pot-Healer"

--------------------------------------------------------------------------------