samyk/proxygambit samyk/proxygambit

  • Stars
    star
    349
  • Rank 117,740 (Top 3 %)
  • Language Arduino
  • Created almost 9 years ago
  • Updated almost 9 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
samyk/proxygambit
github

samyk

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Anonymize and fracture network traffic/Internet access over a point-to-point wireless link or through TCP->GSM->wifi tunnel (advanced resurrection of ProxyHam)

ProxyGambit

ProxyGambit is a simple anonymization device that allows you to access the Internet from anywhere in the world without revealing your true location or IP, fracturing your traffic from the Internet/IP through either a long distance radio link or a reverse tunneled GSM bridge that ultimately drops back onto the Internet and exits through a wireless network you're no where near.

While a point to point link is supported, the reverse GSM-to-TCP bridge allows you to proxy from thousands of miles away with nothing other than a computer and Internet with no direct link back to your originating machine.

ProxyGambit Directional Antenna to Laptop

A high speed (150Mbps+) link is available with direct line of sight from 10km+ away, or if further away, a 2G GSM connection produces a reverse TCP tunnel serializing a shell into the device accessible from anywhere in the world via the Internet or GSM. Either method proxies your connection through local wifi networks near the device, shielding and making it more difficult to determine your true location, IP and identity.

ProxyGambit is an improvement and reincarnation of ProxyHam, the promising device that was to debut at Defcon 2015, yet vanished with no source, documentation or reason for its "destruction". ProxyHam "promised to mask your location online by putting you up to 2.5 miles away from your router"

ProxyGambit improves upon ProxyHam not only by allowing a greater direct range, but also enables you to proxy from anywhere in the world using just an Internet connection, which can then proxy through a reverse GSM serial link onto a public wifi network.

Once set up, no special hardware is needed to bridge through the GSM link and back out onto wifi -- just you, a computer and a net connection (which will not be as easily identified.)

This is an insecure, bare bones proof of concept. The fragmentation of data through alternate mediums is a useful and effective concept and those interested in privacy, anonymization, or deanonymization should explore this area further. Entropy is both gained and lost with these methods and many risks are involved when deploying any system of this nature.

by @SamyKamkar // [email protected] // http://samy.pl // Jul 14, 2015

Code available on github, Linux image available here

Hardware

ProxyGambit Hardware

Raspberry Pi

$35: A Raspberry Pi 2 Model B (or cheaper RPi Model B+) computer is a critical portion of the core and drives the Linux serial link while also bridging our public wifi to radio connection.

username: pi
password: donttracemebro

Arduino

$8: Any ATmega328 device will suffice, such as my favorite Arduino Nano, which provides a software proxy layer between the serial UART of the Raspberry Pi and the FONA GSM board. A logic level converter or voltage divider is required to prevent imminent destruction of hardware which we perform with a few inexpensive resistors.

FONA GSM Board

$40: The Adafruit FONA GSM board uses a SIM800 chip which allows us to connect an Arduino to GSM, providing us a 2G Internet link, and can additionally allow SMSs and voice calls to our friends to verify whether their refrigerators are running.

ProxyGambit Raspberry Pi with Arduino

FONA Antenna

$6: An antenna is helfpul (read: necessary).

Point-to-Point Wireless Links

$98: For low cost and low profile, I suggest either a pair of the Ubiquiti NanoStation LocoM2s (2.4GHz) which reach 5km+, or a pair of the Ubiquiti NanoStation LocoM5s (5GHz) which reach 10km+, but are slightly more expensive at $62 or $124 for both. These devices are not interchangeable. Additionally, if you choose the LocoM5, you can actually use one of the devices to acquire Internet access at Burning Man.

Wifi Card

$10: You can use anything such as an Edimax adapter, or a more powerful Alfa AWUS036NH adapter. This all depends on how far you'd like your ProxyGambit device to reach. This is specifically to connect to the "exit node" of the proxy link where your Internet traffic will ultimately come out of and appear to be coming from.

SIM Card

$8: You will need a SIM card with access to a 2G network. You can purchase prepaid SIM cards in cash with 2G through T-Mobile.

SD Card

$6: An SD card is required for the Raspberry Pi to host the operating system and data.

Powered USB Hub

$10: I avoid two issues with Raspberry Pi -- the limited power output from USB, and the limited power input from most USB power supplies. I do this by using a 2.5A powered USB hub in a virtual loop. The hub acts as the power supply for the Raspberry Pi, preventing any need for a power supply, while ironically I connect the source of the hub back into one of the Raspberry Pi USB slots. This may appear dangerous as a voltage or data loop, but the Pi's USB-voltage-in has data lines split off, and the USB hub prefers power from its voltage rectifier rather than the recirculated power lines.

Raspberry Pi USB Hub Power Loop

3.7 Lithium-Ion (LiOn or LiPo) Battery

$13: The FONA GSM board annoyingly requires a 3.4-4.0V voltage source in addition to a 5V source, so I use a small lipo battery for this. The FONA has a built-in charger so I tie the charger directly to the 5V from the Arduino, which actually bypasses the Arduino voltage regulator and instead grabs power from our high-current USB hub.

Software

Code @ https://github.com/samyk/proxygambit & Linux image here

ProxyGambit (Arduino + GSM Link)

The microcontroller code produces a serial connection over a reverse TCP tunnel through a 2G GSM link and ties it to the UART serial lines of the Raspberry Pi. Compile this onto your Arduino, but be sure to change the TCP_PORT and TCP_HOST definitions in pg_gsm_avr.ino to connect to your own server. We abuse the fact that the SIM800 GSM chip allows only outbound TCP connections and produce a reverse tunnel. The hardware serial lines are hardwired (with a voltage divider) to the Raspberry Pi's serial, and we employ software serial to communicate to the FONA board.

FONA

We use the Adafruit FONA library to produce an outbound TCP connection over the 2G GSM/GPRS link. This actually allows a reverse tunnel back in which we link to serial.

Raspberry Pi Linux Image w/Network Bridging + UART

We use Raspberry Pi Wheezy (2015-05-05) image with network bridging via bridge-utils and serial UART enabled to communicate with our microcontroller. Make sure to set up the wifi connection you want to use via /etc/wpa_supplicant/wpa_supplicant.conf, or you can serial in over GSM later on to connect to a network.

netcat

The SIM800 is not able to open listening sockets, but is capable of making outbound TCP connections. We abuse this property to bridge traffic that was once IP into GSM traffic, but upon retrieval, we tunnel it back into IP through an entirely different, unrelated and physically separated network (the exit wifi node).

From your own server (defined in pg_gsm_avr.ino), run:

nc -vlp 1337 # listens verbosely on port 1337

ProxyGambit Arduino

Wiring

Available from github

  • Use a ~1.6k resistor between RPi RX and Arduino TX and a ~3.3k resistor between RPi RX and Arduino ground
  • Connect lipo and antenna to FONA
  • Power RPi from USB hub
  • Send main USB hub cable into any RPi USB port
  • Connect wifi card to USB hub
  • Connect Ubiquiti to RPi ethernet

ProxyGambit Arduino

Contact

Contact on Twitter: @SamyKamkar

More projects at http://samy.pl or reachable @ [email protected]

More Repositories

1

poisontap

Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.
JavaScript
6,161
star
2

evercookie

Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.
JavaScript
4,320
star
3

magspoof

A portable device that can spoof/emulate any magnetic stripe, credit card or hotel card "wirelessly", even on standard magstripe (non-NFC/RFID) readers. It can disable Chip&PIN and predict AMEX card numbers with 100% accuracy.
C
3,787
star
4

pwnat

The only tool/technique to punch holes through firewalls/NATs where multiple clients & server can be behind separate NATs without any 3rd party involvement. Pwnat is a newly developed technique, exploiting a property of NAT translation tables, with no 3rd party, port forwarding, DMZ, DNS, router admin requirements, STUN/TURN/UPnP/ICE, or spoofing.
C
2,846
star
5

slipstream

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victimโ€™s NAT/firewall, just by anyone on the victim's network visiting a website
Perl
1,865
star
6

skyjack

A drone engineered to autonomously seek out, hack, and wirelessly take full control over any other Parrot or 3DR drones within wireless or flying distance, creating an army of zombie drones under your control.
JavaScript
1,636
star
7

usbdriveby

USBdriveby exploits the trust of USB devices by emulating an HID keyboard and mouse, installing a cross-platform firewall-evading backdoor, and rerouting DNS within seconds of plugging it in.
Arduino
1,230
star
8

keysweeper

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
Eagle
1,076
star
9

opensesame

OpenSesame attacks wireless garages and can open most fixed-code garages and gates in seconds using a Mattel toy
C
818
star
10

samytools

Simple tools to make reverse engineering and console cowboying easier, primarily by data translation and manipulation + file handle piping. Mostly *nix tools with an emphasis on macOS.
Perl
548
star
11

webscan

Browser-based network scanner & local-IP detection
JavaScript
411
star
12

combobreaker

Motorized, portable, 3D printed, Arduino-based combination lock cracker
C++
232
star
13

dingdong

Digital Ding Dong Ditch -- RTL-SDR + Arduino + GSM/SMS/FONA + RF + GQRX to hack a wireless doorbell from a text message
C++
229
star
14

quickjack

Quickjack is a point-and-click tool for intuitively producing advanced clickjacking and frame slicing attacks.
JavaScript
227
star
15

frisky

Instruments to assist in binary application reversing and augmentation, geared towards walled gardens like iOS and macOS
C++
197
star
16

glitchsink

Voltage glitcher to bypass instructions/bootloader protections *without* target modification
C++
114
star
17

jiagra

Javascript/Website Performance Enhancement
JavaScript
107
star
18

easel-driver

Easel driver for Linux, Mac, Windows, ARM, Raspberry Pi, Intel, FTDI, CH340, CH341, CP210x, FTDI clones, local, and remote access to GRBL-based CNC controllers
Shell
92
star
19

myo-osc

OSC bridge for the Thalmic Myo gesture control armband (cross-platform)
C++
80
star
20

BPL

The Blind Public License is a restrictive license that does not allow any person to read, view, interpret, emulate, debug, disassemble, reverse engineer, or execute ("Observing") any included code, schematics or engineering diagrams (the "Technology").
57
star
21

sqlpp

feature-rich, multi-database interfacing, multi-connection, colorful console-based SQL client
Perl
53
star
22

samyk

50
star
23

bgrid

wireless balloon LED network w/ATtiny24 + nRF24L01+ (PCB + firmware + TouchDesigner)
C++
46
star
24

buspirate

Bus Pirate (cross-platform, cleaned up for OS X)
C
42
star
25

crak

Crash Royale Attack Kit
JavaScript
39
star
26

openrTMS

Open rTMS (Transcranial Magnetic Stimulation)
C++
26
star
27

amazonshelper

TamperMonkey script (browser extension) for Amazon to add price by volume for materials and to hide useless UI elements
JavaScript
24
star
28

lcventilator

Low cost ventilator based on Dr. Jeffrey Ebin's design
C++
21
star
29

specs

Public specifications for easy accessibility
18
star
30

gr-ofdm

Out-of-tree module for GNU Radio containing a complete OFDM implementation including GUI for reasearch and teaching
Python
16
star
31

pinning

#PINNING is a browser extension (currently TamperMonkey script) to improve Pinterest's desktop browsing UX
JavaScript
15
star
32

glitchisnk

Voltage glitcher to bypass instructions/bootloader protections without target modification
14
star
33

microscopy

files for (ฮผ)scope projects
11
star
34

Ultimaker2Marlin

Ultimaker 2/2+ firmware with extruder fan control + interposer board
C
10
star
35

motoaudio

Inspecting the Moto Audio application running on Motorola Android devices
9
star
36

testimg

chrome blocks downloading images from my github :(
9
star
37

jtagulator

JTAGulator: Assisted discovery of on-chip debug interfaces
Propeller Spin
6
star
38

openraman

Low cost, high performance open source Raman spectrometer
C++
5
star
39

clash-royale-client

NodeJS client to connect to Clash Royale servers
JavaScript
5
star
40

mains-logs

log files for mains project
2
star
41

mains

monitoring mains line voltage
Perl
1
star