├── LICENSE
├── README.md
└── srt_fw.sh

/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
This blog describes a quick and simple BASH script I wrote when I started doing penetration testing with Synack's Red Team. I wanted to write an easy and straightforward script before starting to scan targets.

Once a project is selected, a VPN configuration is generated and used to VPN into the Launchpoint, which acts as a gateway for all traffic destined for the target's network. The VPN is stable and has not failed me yet, but what if it did?
The VPN configuration pushes all Internet-bound traffic through the VPN, as long as it is up. If you kick off a scan to run overnight and the VPN connection suddenly drops, that traffic starts leaving your home or office network and heads straight for the target network. I did not want to risk explaining myself to my ISP, the FBI, or the target organization.

To prevent this, I developed a quick BASH script, called srt_fw.sh, to run before starting a Synack Red Team project. It does three things:

1. Prompts for any domains to block and resolves them to IP addresses with a DNS lookup
2. Prompts for any IP addresses to block
3. Uses ufw or iptables (your choice) to loop through the IPs and create firewall rules that prevent direct communication with them on my primary Kali network interface `eth0`.

The domains and IP addresses are provided in the project details and can be copied and pasted. The script also has optional commands to allow SSH and [dnmap](http://sourceforge.net/projects/dnmap/) if you VPN into the Launchpoint from distributed servers. Another useful byproduct is the target_ips.txt file, which can be fed into other tools, like nmap:

    nmap -iL target_ips.txt

The code can be found at https://github.com/opsdisk/srt_fw. I plan on improving it over time and want to develop a simple batch script for Windows as well.

Comments, suggestions, and improvements are always welcome. Be sure to follow [@opsdisk](https://twitter.com/opsdisk) on Twitter for the latest updates.
--------------------------------------------------------------------------------

/srt_fw.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Prompts for domains and IPs to block for quickly generating firewall rules
# MIT License
# Opsdisk LLC | opsdisk.com

#sudo apt-get install iptables-persistent -y
#sudo apt-get install ufw -y

# iptables and iptables-save need root; stop early instead of failing half-way
# through and leaving a partial rule set.
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root (sudo $0)" >&2
    exit 1
fi

deny_domain_list=target_domains.txt
deny_ip_list=target_ips.txt

read -p "Enter any target DNS domains..."
vim "$deny_domain_list"

read -p "Enter any target IP address..."
vim "$deny_ip_list"

# Allow inbound SSH. Match only the active "Port" directive (a plain grep for
# "Port" also hits the commented default and GatewayPorts, producing a
# multi-line value that breaks the iptables call) and fall back to 22.
SSHPORT=$(grep -E '^Port ' /etc/ssh/sshd_config | awk '{print $2}' | head -n 1)
SSHPORT=${SSHPORT:-22}

# Allow dnmap port
dnmapport=2000

#ufw enable

#ufw allow $SSHPORT/tcp
iptables -A INPUT -i eth0 -p tcp --dport "$SSHPORT" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport "$SSHPORT" -m state --state ESTABLISHED -j ACCEPT

#ufw allow 2000/tcp
iptables -A INPUT -i eth0 -p tcp --dport "$dnmapport" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport "$dnmapport" -m state --state ESTABLISHED -j ACCEPT

# Resolve each domain and append its answers to the IP list. The "#53" line is
# the resolver itself, not a target, so it is skipped.
while read -r domain; do
    [ -n "$domain" ] || continue
    nslookup "$domain" | grep -v "#53" | grep "Address:" | awk '{print $2}' >> "$deny_ip_list"
done < "$deny_domain_list"

# Block direct traffic to and from each target on eth0. The OUTPUT rule is the
# kill switch: if the VPN drops, scan traffic must not leave eth0 for the target.
while read -r IP; do
    [ -n "$IP" ] || continue
    #ufw deny out on eth0 to $IP
    iptables -A OUTPUT -o eth0 -d "$IP" -j DROP
    iptables -A INPUT -i eth0 -s "$IP" -j DROP
done < "$deny_ip_list"

# Persist the rules (the directory is created by iptables-persistent).
iptables-save > /etc/iptables/rules.v4

#ufw status verbose
iptables -L -n -v --line-numbers
--------------------------------------------------------------------------------
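Added example, not code from the srt_fw repository: the two places where the script's pipeline is fragile are that text scraped from nslookup goes straight into iptables (a malformed address makes iptables reject the rule and the target stays unblocked) and that re-running appends duplicate rules. The functions below validate and deduplicate the resolved addresses and emit idempotent block rules; they assume the interface name eth0 and the nslookup output layout of the constructed sample, and only print the iptables commands so they can be checked without root.

```bash
#!/bin/bash
# Added example (not part of srt_fw). Assumes interface eth0 and the nslookup
# output layout shown in the constructed sample at the bottom. POSIX sh compatible.

# Return 0 only for a well-formed dotted-quad IPv4 address (each octet 0-255).
is_ipv4() {
  case $1 in *[!0-9.]* | .* | *. | *..* | '') return 1 ;; esac
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Read nslookup output on stdin; print the unique, valid IPv4 answers only.
# The resolver's own "Address: x.x.x.x#53" line and any AAAA records are dropped.
extract_ips() {
  while read -r key addr _; do
    [ "$key" = "Address:" ] || continue
    case $addr in *'#'*) continue ;; esac
    is_ipv4 "$addr" && printf '%s\n' "$addr"
  done | sort -u
}

# Print the iptables commands for one target IP. OUTPUT -d is the kill switch
# (no scan traffic leaves eth0 for the target if the VPN drops); INPUT -s drops
# anything coming back. "-C ... || -A ..." keeps the rules idempotent.
block_rule_cmds() {
  ip=$1; iface=${2:-eth0}
  is_ipv4 "$ip" || { echo "refusing to build a rule for invalid IP: $ip" >&2; return 1; }
  printf 'iptables -C OUTPUT -o %s -d %s -j DROP 2>/dev/null || iptables -A OUTPUT -o %s -d %s -j DROP\n' \
    "$iface" "$ip" "$iface" "$ip"
  printf 'iptables -C INPUT -i %s -s %s -j DROP 2>/dev/null || iptables -A INPUT -i %s -s %s -j DROP\n' \
    "$iface" "$ip" "$iface" "$ip"
}

# Constructed nslookup output (not captured from any real engagement): resolver
# line, a duplicated A record, one AAAA record and one malformed address.
SAMPLE_NSLOOKUP='Server:		10.0.0.53
Address:	10.0.0.53#53
Name:	target.example
Address: 203.0.113.10
Address: 203.0.113.10
Address: 2001:db8::10
Address: 999.1.1.1'

printf '%s\n' "$SAMPLE_NSLOOKUP" | extract_ips | while read -r ip; do block_rule_cmds "$ip"; done
```

Pipe the printed commands into `sh` as root to apply them, or feed a file of resolved addresses to `block_rule_cmds` one per line instead of the sample.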