From d3fd6a2e0f9835b8c874235b1239d64a5b5df781 Mon Sep 17 00:00:00 2001 From: ShadGIT Date: Fri, 28 Aug 2015 18:30:57 +0200 Subject: [PATCH 1/6] New module Tortle VERSION="0.3" DESCRIPTION="TORTLE - TOR TURTLE Gateway + TOR Hidden Shell" --- modules/tortle | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 modules/tortle diff --git a/modules/tortle b/modules/tortle new file mode 100644 index 0000000..01bc660 --- /dev/null +++ b/modules/tortle 
@@ -0,0 +1,98 @@ +#!/bin/bash /usr/lib/turtle/turtle_module +VERSION="0.3" +DESCRIPTION="TORTLE - TOR TURTLE Gateway + TOR Hidden Shell" +AUTHOR="Shad" + +: ${DIALOG_OK=0} +: ${DIALOG_CANCEL=1} +: ${DIALOG_HELP=2} +: ${DIALOG_EXTRA=3} +: ${DIALOG_ITEM_HELP=4} +: ${DIALOG_ESC=255} + +function tortlecfg { + if [ ! -e "/etc/config/tortle" ]; then + touch /etc/config/tortle + uci set tortle.socksip="172.16.84.1" + uci set tortle.socksport="5090" + uci set tortle.tport="22" + uci set tortle.lport="22" + uci set tortle.forwarding="1" + uci commit tortle + fi + if [ -e "/var/lib/tor/hidden/hostname" ]; then + tortle_hostname="$(cat /var/lib/tor/hidden/hostname)" + uci set tortle.hostname="$tortle_hostname" + else + tortle_hostname="You need to start/run tor first to obtain an onion address" + fi + tortle_tport="$(uci get tortle.tport)" + tortle_lport="$(uci get tortle.lport)" + tortle_socksip="$(uci get tortle.socksip)" + tortle_socksport="$(uci get tortle.socksport)" + tortle_forwarding="$(uci get tortle.forwarding)" + +} + + +function configure { +if [ "$tortle_hostname" == "" ]; then + tortle_hostname="You need to start/run tortle first to obtain an onion address" +fi +tortlecfg + + dialog --title "tortle" --msgbox "\n\ +NOTE: This is an initial version.\n\\n\ +TOR SHELL\n\ +=========\n\ +Until I finish testing and add the code to customize its parameters in the gui, these are the defaults:\n\n\ +Hostname: $tortle_hostname\n\ +TOR Port: $tortle_tport (Redirects to local port $tortle_lport)\n\n\ + +TOR GATEWAY\n\ +===========\n\ +At this time, it is just a regular TOR Proxy but my plan is to evolve it into a much more convenient and secure fully isolating Gateway.\n\n +The LAN Turtle (with its two ethernet interfaces) is clearly perfect for that purpose, although I have to figure the best way to do it without +affecting the operation of other modules/functions that may be running at the same time (some iptables playing needed).\n\n\ +In the meantime, please notice DNS 
or other well known leaks are NOT being actively prevented. Use it accordingly.\n\n\ +TOR Proxy is in $tortle_socksip:$tortle_socksport\n \n" 33 72 +} + + +function start { + if [ ! -e "/usr/sbin/tor" ]; then + opkg update && opkg install tor + fi + if [ ! -e "/var/lib/tor" ]; then + mkdir -p /var/lib/tor + chown sshd.sshd /var/lib/tor + fi + tortlecfg + ( + echo "User sshd" + echo "RunAsDaemon 1" + echo "PidFile /tmp/tor.pid" + echo "DataDirectory /var/lib/tor" + echo "SocksPort $tortle_socksip:$tortle_socksport" + #echo "DNSPort 53" + echo "HiddenServiceDir /var/lib/tor/hidden/" + echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport" + ) > /tmp/tortlerc + echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward +} + + +function stop { + killall -9 tor + echo "1" > /proc/sys/net/ipv4/ip_forward + echo "Tortle Proxy and Tortle Shell have been stopped." +} + + +function status { + if pgrep -x tor > /dev/null; then + echo "1" + else + echo "0" + fi +} From 309e6110d4209db3b04e40444f1924597540f67e Mon Sep 17 00:00:00 2001 From: ShadGIT Date: Sat, 29 Aug 2015 14:24:42 +0200 Subject: [PATCH 2/6] Fix non persistance of tor shell - v0.5 I was using /var/lib/tor..... and /var is a symbolic link to tmp so the private key and onion address were being substituted for a new one on boot. Fixed. Other cosmetical and minor additions. --- modules/tortle | 179 ++++++++++++++++++++++++++----------------------- 1 file changed, 95 insertions(+), 84 deletions(-) diff --git a/modules/tortle b/modules/tortle index 01bc660..bfb0563 100644 --- a/modules/tortle +++ b/modules/tortle @@ -1,6 +1,6 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="0.3" -DESCRIPTION="TORTLE - TOR TURTLE Gateway + TOR Hidden Shell" +VERSION="0.5" +DESCRIPTION="TORtle - TOR Turtle Gateway + TOR hidden SHELL/Service" AUTHOR="Shad" : ${DIALOG_OK=0} 
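Review bot: `start` only writes the generated torrc to /tmp/tortlerc; nothing in this hunk launches tor with it, so after `start` the `pgrep -x tor` check in `status` reports 0 and no onion address is ever generated. Add `tor -f /tmp/tortlerc` after the config block, and consider a config path outside world-writable /tmp (e.g. `/etc/tor/tortlerc`), since tor is started as root reading a file any local process could have replaced between the write and the exec. The daemon drops to `User sshd` and the hidden-service key directory is `chown sshd.sshd`; if the opkg tor package ships its own unprivileged account, prefer that one so a compromise of the sshd service account cannot read the onion private key. `stop` uses `killall -9 tor`, which denies tor a clean shutdown of its state files; with `PidFile /tmp/tor.pid` already set, `kill -INT "$(cat /tmp/tor.pid)"` is the targeted equivalent.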
@@ -11,88 +11,99 @@ AUTHOR="Shad" : ${DIALOG_ESC=255} function tortlecfg { - if [ ! -e "/etc/config/tortle" ]; then - touch /etc/config/tortle - uci set tortle.socksip="172.16.84.1" - uci set tortle.socksport="5090" - uci set tortle.tport="22" - uci set tortle.lport="22" - uci set tortle.forwarding="1" - uci commit tortle - fi - if [ -e "/var/lib/tor/hidden/hostname" ]; then - tortle_hostname="$(cat /var/lib/tor/hidden/hostname)" - uci set tortle.hostname="$tortle_hostname" - else - tortle_hostname="You need to start/run tor first to obtain an onion address" - fi - tortle_tport="$(uci get tortle.tport)" - tortle_lport="$(uci get tortle.lport)" - tortle_socksip="$(uci get tortle.socksip)" - tortle_socksport="$(uci get tortle.socksport)" - tortle_forwarding="$(uci get tortle.forwarding)" + if [ ! -e "/etc/config/tortle" ]; then + touch /etc/config/tortle + uci set tortle.socksip="172.16.84.1" + uci set tortle.socksport="5090" + uci set tortle.tport="22" + uci set tortle.lport="22" + uci set tortle.forwarding="1" + uci set tortle.hiddendir="/etc/tor/hidden" + uci commit tortle + fi + tortle_tport="$(uci get tortle.tport)" + tortle_lport="$(uci get tortle.lport)" + tortle_socksip="$(uci get tortle.socksip)" + tortle_socksport="$(uci get tortle.socksport)" + tortle_forwarding="$(uci get tortle.forwarding)" + tortle_hiddendir="$(uci get tortle.hiddendir)" + + if [ -e "$tortle_hiddendir/hostname" ]; then + tortle_hostname="$(cat $tortle_hiddendir/hostname)" + uci set tortle.hostname="$tortle_hostname" + uci commit tortle + else + tortle_hostname="--Please first START TORtle to generate an Onion address--" + fi } - - -function configure { -if [ "$tortle_hostname" == "" ]; then - tortle_hostname="You need to start/run tortle first to obtain an onion address" -fi -tortlecfg - - dialog --title "tortle" --msgbox "\n\ -NOTE: This is an initial version.\n\\n\ -TOR SHELL\n\ -=========\n\ -Until I finish testing and add the code to customize its parameters in the gui, these are 
the defaults:\n\n\ -Hostname: $tortle_hostname\n\ -TOR Port: $tortle_tport (Redirects to local port $tortle_lport)\n\n\ - -TOR GATEWAY\n\ -===========\n\ +# Parameters to configure for torshell: tortle.tport, tortle.lport +# Parameters to configure for TOR Gateway: tortle.forwarding, tortle.dnsport +# Parameters in dobt: tortle.socksip, tortle.socksport, tortle.controlport, etc... +# Maybe allow to configure extra hidden services such a web server, etc... Probably should be done in additional auxiliary modules. +function configure { +tortlecfg + + dialog --title "TORtle" --msgbox "\n\ +NOTE: This is an initial version.\n\\n\ +TOR SHELL\n\ +=========\n\ +Until I finish testing and decide which parameters to customize in the gui, these are the defaults:\n\n\ +Hostname: $tortle_hostname\n\ +TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\n\ + +TOR GATEWAY\n\ +===========\n\ At this time, it is just a regular TOR Proxy but my plan is to evolve it into a much more convenient and secure fully isolating Gateway.\n\n -The LAN Turtle (with its two ethernet interfaces) is clearly perfect for that purpose, although I have to figure the best way to do it without -affecting the operation of other modules/functions that may be running at the same time (some iptables playing needed).\n\n\ -In the meantime, please notice DNS or other well known leaks are NOT being actively prevented. Use it accordingly.\n\n\ -TOR Proxy is in $tortle_socksip:$tortle_socksport\n \n" 33 72 -} - - -function start { - if [ ! -e "/usr/sbin/tor" ]; then - opkg update && opkg install tor - fi - if [ ! 
-e "/var/lib/tor" ]; then - mkdir -p /var/lib/tor - chown sshd.sshd /var/lib/tor - fi - tortlecfg - ( - echo "User sshd" - echo "RunAsDaemon 1" - echo "PidFile /tmp/tor.pid" - echo "DataDirectory /var/lib/tor" - echo "SocksPort $tortle_socksip:$tortle_socksport" - #echo "DNSPort 53" - echo "HiddenServiceDir /var/lib/tor/hidden/" - echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport" - ) > /tmp/tortlerc - echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward -} - - -function stop { - killall -9 tor - echo "1" > /proc/sys/net/ipv4/ip_forward - echo "Tortle Proxy and Tortle Shell have been stopped." -} - - -function status { - if pgrep -x tor > /dev/null; then - echo "1" - else - echo "0" - fi -} +The LAN Turtle (with its two ethernet interfaces) is clearly perfect for that purpose, although I have to figure the best way to do it without +affecting the functionality of other modules/services that may be running at the same time (some iptables playing needed too).\n\n\ +In the meantime, please notice that DNS or other well known leaks are NOT being actively prevented. Use it accordingly.\n\n\ +TOR Proxy is in $tortle_socksip:$tortle_socksport\n \n" 33 72 +} + + +function start { + tortlecfg + if [ ! -e "/usr/sbin/tor" ]; then + opkg update && opkg install tor + fi + if [ ! -e "/var/lib/tor" ]; then + mkdir -p /var/lib/tor + chown sshd.sshd /var/lib/tor + mkdir -p $tortle_hiddendir + chown sshd.sshd $tortle_hiddendir + fi + if [ ! 
-e "$tortle_hiddendir" ]; then + mkdir -p $tortle_hiddendir + chown sshd.sshd $tortle_hiddendir + fi + + ( + echo "User sshd" + echo "RunAsDaemon 1" + echo "PidFile /tmp/run/tor.pid" + echo "DataDirectory /var/lib/tor" + echo "SocksPort $tortle_socksip:$tortle_socksport" + #echo "DNSPort 53" + echo "HiddenServiceDir $tortle_hiddendir" + echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport" + ) > /tmp/tortlerc + tor -f /tmp/tortlerc + echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward +} + + +function stop { + killall -9 tor + echo "1" > /proc/sys/net/ipv4/ip_forward + echo "Tortle Proxy and Tortle Shell have been stopped." +} + + +function status { + if pgrep -x tor > /dev/null; then + echo "1" + else + echo "0" + fi +} From 1e2e9d6b8db0a7c44bd126f9b6d643447fadf12e Mon Sep 17 00:00:00 2001 From: ShadGIT Date: Sat, 29 Aug 2015 23:11:56 +0200 Subject: [PATCH 3/6] V0.6 Added "hidden" transparent proxy functionality. To activate and test uci set tortle.forwarding="0". --- modules/tortle | 205 +++++++++++++++++++++++++++---------------------- 1 file changed, 114 insertions(+), 91 deletions(-) diff --git a/modules/tortle b/modules/tortle index bfb0563..cc73ba0 100644 --- a/modules/tortle +++ b/modules/tortle @@ -1,5 +1,5 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="0.5" +VERSION="0.6" DESCRIPTION="TORtle - TOR Turtle Gateway + TOR hidden SHELL/Service" AUTHOR="Shad" 
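Review bot: The new persistent `$tortle_hiddendir` (default /etc/tor/hidden) is created with a bare `mkdir -p`, which under the usual umask yields mode 0755; recent tor versions refuse a HiddenServiceDir that is group- or world-accessible ("Permissions on directory ... are too permissive"), so the first `tor -f` can fail before any hostname file exists and the configure dialog keeps asking the user to START TORtle. Add `chmod 700 "$tortle_hiddendir"` next to the `chown sshd.sshd "$tortle_hiddendir"` in both creation branches — the second `if [ ! -e "$tortle_hiddendir" ]` block repeats the inner half of the first and could absorb it. Quote the expansions (`cat "$tortle_hiddendir/hostname"`, `mkdir -p "$tortle_hiddendir"`) since the path is a uci value a user can edit. The commit message says /var is a symlink to /tmp, so `DataDirectory /var/lib/tor` is still tmpfs; that is acceptable for cached consensus data, but a one-line comment saying so would stop the next reader from expecting it to persist.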
@@ -11,99 +11,122 @@ AUTHOR="Shad" : ${DIALOG_ESC=255} function tortlecfg { - if [ ! -e "/etc/config/tortle" ]; then - touch /etc/config/tortle - uci set tortle.socksip="172.16.84.1" - uci set tortle.socksport="5090" - uci set tortle.tport="22" - uci set tortle.lport="22" - uci set tortle.forwarding="1" - uci set tortle.hiddendir="/etc/tor/hidden" - uci commit tortle + if [ "$(uci get tortle.version)" != "0.6" ]; then + rm /etc/config/tortle + fi + if [ ! -e "/etc/config/tortle" ]; then + touch /etc/config/tortle + uci set tortle.version="0.6" + uci set tortle.socksip="172.16.84.1" + uci set tortle.socksport="5090" + uci set tortle.tport="22" + uci set tortle.lport="22" + uci set tortle.forwarding="1" + uci set tortle.hiddendir="/etc/tor/hidden" + uci commit tortle fi - tortle_tport="$(uci get tortle.tport)" - tortle_lport="$(uci get tortle.lport)" - tortle_socksip="$(uci get tortle.socksip)" - tortle_socksport="$(uci get tortle.socksport)" - tortle_forwarding="$(uci get tortle.forwarding)" - tortle_hiddendir="$(uci get tortle.hiddendir)" + tortle_tport="$(uci get tortle.tport)" + tortle_lport="$(uci get tortle.lport)" + tortle_socksip="$(uci get tortle.socksip)" + tortle_socksport="$(uci get tortle.socksport)" + tortle_forwarding="$(uci get tortle.forwarding)" + tortle_hiddendir="$(uci get tortle.hiddendir)" - if [ -e "$tortle_hiddendir/hostname" ]; then - tortle_hostname="$(cat $tortle_hiddendir/hostname)" - uci set tortle.hostname="$tortle_hostname" - uci commit tortle - else - tortle_hostname="--Please first START TORtle to generate an Onion address--" - fi + if [ -e "$tortle_hiddendir/hostname" ]; then + tortle_hostname="$(cat $tortle_hiddendir/hostname)" + uci set tortle.hostname="$tortle_hostname" + uci commit tortle + else + tortle_hostname="--Please first START TORtle to generate an Onion address--" + fi } -# Parameters to configure for torshell: tortle.tport, tortle.lport -# Parameters to configure for TOR Gateway: tortle.forwarding, tortle.dnsport -# 
Parameters in dobt: tortle.socksip, tortle.socksport, tortle.controlport, etc... + +# Parameters to configure for torshell: tortle.tport, tortle.lport +# Parameters to configure for TOR Gateway: tortle.forwarding, tortle.dnsport +# Parameters in dobt: tortle.socksip, tortle.socksport, tortle.controlport, etc... # Maybe allow to configure extra hidden services such a web server, etc... Probably should be done in additional auxiliary modules. -function configure { -tortlecfg - - dialog --title "TORtle" --msgbox "\n\ -NOTE: This is an initial version.\n\\n\ -TOR SHELL\n\ -=========\n\ -Until I finish testing and decide which parameters to customize in the gui, these are the defaults:\n\n\ -Hostname: $tortle_hostname\n\ -TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\n\ - -TOR GATEWAY\n\ -===========\n\ +function configure { +tortlecfg + + dialog --title "TORtle" --msgbox "\n\ +NOTE: This is an initial version.\n\\n\ +TOR SHELL\n\ +=========\n\ +Until I finish testing and decide which parameters to customize in the gui, these are the defaults:\n\n\ +Hostname: $tortle_hostname\n\ +TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\n\ + +TOR GATEWAY\n\ +===========\n\ At this time, it is just a regular TOR Proxy but my plan is to evolve it into a much more convenient and secure fully isolating Gateway.\n\n -The LAN Turtle (with its two ethernet interfaces) is clearly perfect for that purpose, although I have to figure the best way to do it without -affecting the functionality of other modules/services that may be running at the same time (some iptables playing needed too).\n\n\ -In the meantime, please notice that DNS or other well known leaks are NOT being actively prevented. Use it accordingly.\n\n\ -TOR Proxy is in $tortle_socksip:$tortle_socksport\n \n" 33 72 -} - - -function start { - tortlecfg - if [ ! -e "/usr/sbin/tor" ]; then - opkg update && opkg install tor - fi - if [ ! 
-e "/var/lib/tor" ]; then - mkdir -p /var/lib/tor - chown sshd.sshd /var/lib/tor - mkdir -p $tortle_hiddendir - chown sshd.sshd $tortle_hiddendir - fi - if [ ! -e "$tortle_hiddendir" ]; then - mkdir -p $tortle_hiddendir - chown sshd.sshd $tortle_hiddendir - fi - - ( - echo "User sshd" - echo "RunAsDaemon 1" - echo "PidFile /tmp/run/tor.pid" - echo "DataDirectory /var/lib/tor" - echo "SocksPort $tortle_socksip:$tortle_socksport" - #echo "DNSPort 53" - echo "HiddenServiceDir $tortle_hiddendir" - echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport" - ) > /tmp/tortlerc - tor -f /tmp/tortlerc - echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward -} - - -function stop { - killall -9 tor - echo "1" > /proc/sys/net/ipv4/ip_forward - echo "Tortle Proxy and Tortle Shell have been stopped." -} - - -function status { - if pgrep -x tor > /dev/null; then - echo "1" - else - echo "0" - fi -} +The LAN Turtle (with its two ethernet interfaces) is clearly perfect for that purpose, although I have to figure the best way to do it without +affecting the functionality of other modules/services that may be running at the same time (some iptables playing needed too).\n\n\ +In the meantime, please notice that DNS or other well known leaks are NOT being actively prevented. Use it accordingly.\n\n\ +TOR Proxy is in $tortle_socksip:$tortle_socksport\n \n" 33 72 +} + + +function start { + tortlecfg + if [ ! -e "/usr/sbin/tor" ]; then + opkg update && opkg install tor + fi + if [ ! -e "/var/lib/tor" ]; then + mkdir -p /var/lib/tor + chown sshd.sshd /var/lib/tor + mkdir -p $tortle_hiddendir + chown sshd.sshd $tortle_hiddendir + fi + if [ ! 
-e "$tortle_hiddendir" ]; then + mkdir -p $tortle_hiddendir + chown sshd.sshd $tortle_hiddendir + fi + + ( + echo "User sshd" + echo "RunAsDaemon 1" + echo "PidFile /tmp/run/tor.pid" + echo "DataDirectory /var/lib/tor" + echo "SocksPort $tortle_socksip:$tortle_socksport" + echo "HiddenServiceDir $tortle_hiddendir" + echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport" + echo "VirtualAddrNetworkIPv4 10.192.0.0/10" + echo "AutomapHostsOnResolve 1" + echo "TransPort 9040" + echo "TransListenAddress $tortle_socksip" + echo "DNSPort 9053" + echo "DNSListenAddress $tortle_socksip" + ) > /tmp/tortlerc + tor -f /tmp/tortlerc + if [ "$tortle_forwarding" == "0" ]; then + iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 9053 + iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDIRECT --to-port 9040 + iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 9053 + fi + echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward + +} + + +function stop { + killall -9 tor + if [ "$(uci get tortle.forwarding)" == "0" ]; then + echo "1" > /proc/sys/net/ipv4/ip_forward + iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 9053 + iptables -t nat -D PREROUTING -i br-lan -p tcp -j REDIRECT --to-port 9040 + iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 9053 +# iptables -t nat -D PREROUTING 1 + fi + echo "Tortle Proxy and Tortle Shell have been stopped." +} + + +function status { + if pgrep -x tor > /dev/null; then + echo "1" + else + echo "0" + fi +} + From c71259f94ea86fc95a9e73b4fa7ddd8dbf5feb0f Mon Sep 17 00:00:00 2001 From: ShadGIT Date: Sun, 30 Aug 2015 01:33:28 +0200 Subject: [PATCH 4/6] Clomac v1.2 Reworked and added workarounds to some situations. --- modules/clomac | 76 +++++++++++++++++++++++++++++++++++++------------- 1 file changed, 56 insertions(+), 20 deletions(-) diff --git a/modules/clomac b/modules/clomac index 2957d7c..bac71ca 100644 
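Review bot: The catch-all `iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDIRECT --to-port 9040` also captures TCP aimed at the Turtle itself, so with `tortle.forwarding=0` a LAN client's SSH session to 172.16.84.1 is handed to tor's TransPort and the management path breaks. Insert `iptables -t nat -A PREROUTING -i br-lan -p tcp -d "$tortle_socksip" -j ACCEPT` ahead of it, keeping the port-53 rules in front so DNS still reaches DNSPort. The rules are appended with `-A` on every `start` with no existence check, while `stop` deletes each exactly once, so two consecutive starts leave a redirect that survives `stop`; if the device's iptables supports `-C`, use `iptables -t nat -C … 2>/dev/null || iptables -t nat -A …`. Finally, `rm /etc/config/tortle` on a version mismatch silently discards whatever the user had configured; at least print a warning, or migrate the known keys instead of wiping the file.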
--- a/modules/clomac +++ b/modules/clomac @@ -1,5 +1,5 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="1.1" +VERSION="1.2" DESCRIPTION="Clone Client's MAC address into WAN interface" AUTHOR="Shad" 
@@ -13,34 +13,71 @@ AUTHOR="Shad" function configure { dialog --title "clomac" --msgbox "\n\ (\___/) \n\ -(='.'=) Nothing to configure here.\n\ +(='.'=) Nothing to configure here... yet.\n\ (\")_(\")\ \n\ " 9 72 } +function clonemac { + if [ "$CLIENT_MAC" != "$ETH1MAC" ]; then + echo "Cloning CLIENT_MAC: $CLIENT_MAC" >> /tmp/clomac.debug + uci set clomac.eth1mac="$ETH1MAC" + uci commit clomac + ifconfig eth1 down + macchanger -m "$CLIENT_MAC" eth1 # Hope there is no IDS that alerts about the MAC change. + ifconfig eth1 up + sleep 1 + ETH1_IP="`ifconfig eth1 | grep "inet addr"`" + if [ "$ETH1_IP" == "" ]; then # Maybe we didn't get an IP because of MAC Filtering? Try again now! + echo "Trying to get a new IP address via DHCP" >> /tmp/clomac.debug + uci set network.wan.macaddr="$CLIENT_MAC" # Workaround to avoid udhcpc restoring the default MAC + killall -9 udhcpc +# udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -C + fi + else + echo "CLIENT_MAC and ETH1MAC are the same. Nothing to do." >> /tmp/clomac.debug + fi +} function start { + if [ ! -e "/etc/config/clomac" ]; then + touch /etc/config/clomac + uci set clomac.version="1.2" # Workaround to know what to do on updates + uci set clomac.trylast="1" # if 1 AND not find a dhcp client, it will clone the last seen client MAC (if there is one) + uci set clomac.clientmac="$(macchanger -s eth1 | awk '{ print $3}')" + uci set clomac.eth1mac="22:22:22:22:22:22" + uci commit clomac + fi if [ "`grep clomac /etc/dnsmasq.conf`" == "" ]; then echo "dhcp-script=/tmp/clomac_pivot" >> /etc/dnsmasq.conf fi - echo "#!/bin/bash" > /tmp/clomac_pivot - echo "/etc/turtle/modules/clomac start" >> /tmp/clomac_pivot - chmod 755 /tmp/clomac_pivot - echo "debug" >> /tmp/clomac.debug + if [ ! 
-e "/tmp/clomac_pivot" ]; then + echo "#!/bin/bash" > /tmp/clomac_pivot + echo "/etc/turtle/modules/clomac start" >> /tmp/clomac_pivot + chmod 755 /tmp/clomac_pivot + ETH1MAC="$(uci get network.wan.macaddr)" + uci set clomac.eth1mac="$ETH1MAC" + uci commit clomac + if [ ! -e "/tmp/clomac.debug" ]; then + echo "Launching at job in 1 min" >> /tmp/clomac.debug + at -f /tmp/clomac_pivot now + 1 min 2> /dev/null + fi + fi + + date >> /tmp/clomac.debug CLIENT_MAC="`cat /tmp/dhcp.leases | tail -1 | awk '{ print $2; }'`" + ETH1MAC="$(macchanger -s eth1 | awk '{ print $3; }')" if [ "$CLIENT_MAC" != "" ]; then - if [ "$CLIENT_MAC" != "`macchanger -s eth1 | awk '{ print $3; }'`" ]; then - ifconfig eth1 down - macchanger -s eth1 | awk '{ print $3; }' > /tmp/clomac.srcmac - macchanger -m "$CLIENT_MAC" eth1 - ifconfig eth1 up - sleep 1 - ETH1_IP="`ifconfig eth1 | grep "inet addr"`" - if [ "$ETH1_IP" == "" ]; then - killall -9 udhcpc - udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -C - fi + echo "Got CLIENT_MAC from dhcp.leases" >> /tmp/clomac.debug + uci set clomac.clientmac="$CLIENT_MAC" + uci commit clomac + clonemac + elif [ "$(uci get clomac.trylast)" == "1" ]; then + if [ "$(uci get clomac.clientmac)" != "" ]; then + CLIENT_MAC="$(uci get clomac.clientmac)" + echo "Don't have a dhcp.leases but will use last seen CLIENT_MAC: $CLIENT_MAC" >> /tmp/clomac.debug + clonemac fi fi } @@ -51,9 +88,9 @@ function stop { cp /etc/dnsmasq.conf /etc/dnsmasq.conf.back cat /etc/dnsmasq.conf.back | grep -v clomac > /etc/dnsmasq.conf fi - rm -f /tmp/clomac_pivot + :>/tmp/clomac_pivot ifconfig eth1 down - macchanger -m `cat /tmp/clomac.srcmac` eth1 + macchanger -m $(uci get clomac.eth1mac) eth1 ifconfig eth1 up } @@ -65,4 +102,3 @@ function status { echo 1 fi } - From 2200cfb041feb3f4854b0675ec839e2007ad65b7 Mon Sep 17 00:00:00 2001 
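Review bot: `clonemac` feeds `CLIENT_MAC`, taken from the last line of /tmp/dhcp.leases, into `uci set clomac.clientmac` and `macchanger -m` without checking that it is a MAC address; a truncated lease file or unexpected column layout gets committed and is then replayed on every later run through the `trylast` path. Guard it at the top of `clonemac` with `[[ "$CLIENT_MAC" =~ ^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$ ]] || return`. After the swap, the only recovery step left is `killall -9 udhcpc` — the `udhcpc` relaunch is commented out — so a client that still has no address ends up with no DHCP client at all unless netifd restarts one; a comment stating whether that is relied upon would help. The `/tmp/clomac_pivot` script is executed as root by dnsmasq's `dhcp-script` and by `at` from a fixed path in world-writable /tmp; on a single-user router the exposure is limited, but say so in a comment or move it under /etc/turtle.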
From: ShadGIT Date: Sun, 30 Aug 2015 01:47:29 +0200 Subject: [PATCH 5/6] v1.2 --- modules/clomac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/clomac b/modules/clomac index bac71ca..2a3de67 100644 --- a/modules/clomac +++ b/modules/clomac @@ -88,7 +88,7 @@ function stop { cp /etc/dnsmasq.conf /etc/dnsmasq.conf.back cat /etc/dnsmasq.conf.back | grep -v clomac > /etc/dnsmasq.conf fi - :>/tmp/clomac_pivot + rm -f /tmp/clomac_pivot ifconfig eth1 down macchanger -m $(uci get clomac.eth1mac) eth1 ifconfig eth1 up From ad72dc6b814deb031b31f1be9facfb2319e7c7f5 Mon Sep 17 00:00:00 2001 From: ShadGIT Date: Sun, 30 Aug 2015 22:52:13 +0200 Subject: [PATCH 6/6] New version TORtle v0.8 Probably now it does everything it should. --- modules/tortle | 197 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 145 insertions(+), 52 deletions(-) diff --git a/modules/tortle b/modules/tortle index cc73ba0..7d73794 100644 --- a/modules/tortle +++ b/modules/tortle @@ -1,7 +1,8 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="0.6" +VERSION="0.8" DESCRIPTION="TORtle - TOR Turtle Gateway + TOR hidden SHELL/Service" AUTHOR="Shad" +CONF="/tmp/tortle.form" : ${DIALOG_OK=0} : ${DIALOG_CANCEL=1} 
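Review bot: `CONF="/tmp/tortle.form"` is a fixed name in world-writable /tmp that `configure` later writes with `2>$CONF` and reads back straight into `uci set`; a pre-planted symlink or a stale file from an interrupted earlier run would be followed or re-read. Create it inside `configure` right before the dialog with `CONF="$(mktemp /tmp/tortle.XXXXXX)"`, quote every `$CONF` use, and remove it on every exit path. Defining it at the top of the module means `status` and `stop` also carry the path for no reason. The clomac hunk in the same line just reverts `:>` to `rm -f` for the pivot script, which is fine.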
@@ -11,27 +12,52 @@ AUTHOR="Shad" : ${DIALOG_ESC=255} function tortlecfg { - if [ "$(uci get tortle.version)" != "0.6" ]; then + if [ "$(uci get tortle.version)" != "0.8" ]; then rm /etc/config/tortle fi if [ ! -e "/etc/config/tortle" ]; then touch /etc/config/tortle - uci set tortle.version="0.6" - uci set tortle.socksip="172.16.84.1" + uci set tortle.version="0.8" + uci set tortle.enableproxy="1" + uci set tortle.enabletrans="1" + uci set tortle.transport="9040" + uci set tortle.socksip="172.16.84.1" # deprecated uci set tortle.socksport="5090" uci set tortle.tport="22" uci set tortle.lport="22" uci set tortle.forwarding="1" + uci set tortle.enablehidden="1" uci set tortle.hiddendir="/etc/tor/hidden" + uci set tortle.enablehidden2="0" + uci set tortle.hiddendir2="etc/tor/hidden2" + uci set tortle.dnsport="9053" + uci set tortle.enablecontrol="0" + uci set tortle.controlport="9051" + uci set tortle.controladdr="172.16.84.1" # deprecated + uci set tortle.hashedpass="16:D2237CB1DA58774A60EF13100BEFEDE024F5C49BA674CE2BEA1032EC38" # default: test + uci set tortle.gateway="0" uci commit tortle fi - tortle_tport="$(uci get tortle.tport)" - tortle_lport="$(uci get tortle.lport)" - tortle_socksip="$(uci get tortle.socksip)" - tortle_socksport="$(uci get tortle.socksport)" - tortle_forwarding="$(uci get tortle.forwarding)" - tortle_hiddendir="$(uci get tortle.hiddendir)" + tortle_tport="$(uci get tortle.tport)" # * customizable + tortle_lport="$(uci get tortle.lport)" # * customizable + tortle_socksip="$(uci get network.lan.ipaddr)" # Use network.lan.ipaddr + tortle_socksport="$(uci get tortle.socksport)" # Use standard default + tortle_forwarding="$(uci get tortle.forwarding)" # * customizable + tortle_enablehidden="$(uci get tortle.enablehidden)" # * customizable + tortle_hiddendir="$(uci get tortle.hiddendir)" # + tortle_enablehidden2="$(uci get tortle.enablehidden2)" # Reserved for future use + tortle_hiddendir2="$(uci get tortle.hiddendir2)" # Reserved for future use 
+ tortle_dnsport="$(uci get tortle.dnsport)" # Use standard default + tortle_enableproxy="$(uci get tortle.enableproxy)" # * customizable + tortle_enabletrans="$(uci get tortle.enabletrans)" # * customizable + tortle_transport="$(uci get tortle.transport)" # Use standard default + tortle_enablecontrol="$(uci get tortle.enablecontrol)" # * customizable + tortle_controlport="$(uci get tortle.controlport)" # Use standard default + tortle_controladdr="$(uci get network.lan.ipaddr)" # Use network.lan.ipaddr + tortle_hashedpass="$(uci get tortle.hashedpass)" # * customizable + tortle_gateway="$(uci get tortle.gateway)" # * customizable + tortle_version="$(uci get tortle.version)" if [ -e "$tortle_hiddendir/hostname" ]; then tortle_hostname="$(cat $tortle_hiddendir/hostname)" 
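Review bot: The defaults seed `tortle.hashedpass` with one fixed hash whose cleartext the trailing comment gives as `test`; every install shares it, so whenever `tortle.enablecontrol` is set to 1 the ControlPort bound on the LAN address is open to anyone on br-lan who has read this file, and the control protocol allows reconfiguring tor and adding onion services. Generate it per device once tor is installed — e.g. `pw="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"` then `uci set tortle.hashedpass="$(tor --hash-password "$pw")"`, showing `$pw` to the operator — and have `start` refuse `enablecontrol=1` while the stored value still equals the shipped default. `tortle.hiddendir2="etc/tor/hidden2"` is missing its leading slash and would be taken relative to tor's working directory once the reserved option is wired up. `uci get tortle.version` runs before /etc/config/tortle exists on first use, so the version check prints a uci error and then `rm`s a missing file; `[ -e /etc/config/tortle ] &&` in front of the test keeps the first run quiet.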
@@ -42,67 +68,132 @@ function tortlecfg { fi } -# Parameters to configure for torshell: tortle.tport, tortle.lport -# Parameters to configure for TOR Gateway: tortle.forwarding, tortle.dnsport -# Parameters in dobt: tortle.socksip, tortle.socksport, tortle.controlport, etc... -# Maybe allow to configure extra hidden services such a web server, etc... Probably should be done in additional auxiliary modules. function configure { tortlecfg - dialog --title "TORtle" --msgbox "\n\ -NOTE: This is an initial version.\n\\n\ +dialog --ok-label "Submit" \ + --help-button \ + --title "TORtle Configuration" \ + --form "Gateway + TOR Hidden Service configuration\n\n\ +TORGateway, if enabled, automatically and conveniently tunnels ALL eth0 traffic through TOR Transparent Proxy.\n\n\ +Onion Host sets up a hidden service inside the TOR network. By default it is a TORShell (SSH within TOR)\n\n\ +TOR Proxy is just the regular SOCKS proxy through TOR.\n\ +Forwarding enables/disables LAN Turtle IP forwarding to help prevent leaks for Proxy mode.\n \n" 26 60 7\ + "Onion Host Enable: ($tortle_hostname)" 1 1 "$tortle_enablehidden" 1 20 5 0 \ + " External Port:" 2 1 "$tortle_tport" 2 20 5 0 \ + " Local Port:" 3 1 "$tortle_lport" 3 20 5 0 \ + "TOR Proxy Enable:" 4 1 "$tortle_enableproxy" 4 20 5 0 \ + "TransProxy Enable:" 5 1 "$tortle_enabletrans" 5 20 5 0 \ + "TORGateway Enable:" 6 1 "$tortle_gateway" 6 20 5 0 \ + "Forwarding Enable:" 7 1 "$tortle_forwarding" 7 20 5 0 \ + 2>$CONF + + return=$? 
+ + case $return in + $DIALOG_OK) + cat $CONF | { + read -r tortle_enablehidden + read -r tortle_tport + read -r tortle_lport + read -r tortle_enableproxy + read -r tortle_enabletrans + read -r tortle_gateway + read -r tortle_forwarding + + uci set tortle.enablehidden="$tortle_enablehidden" + uci set tortle.tport="$tortle_tport" + uci set tortle.lport="$tortle_lport" + uci set tortle.enableproxy="$tortle_enableproxy" + uci set tortle.enabletrans="$tortle_enabletrans" + uci set tortle.gateway="$tortle_gateway" + uci set tortle.forwarding="$tortle_forwarding" + uci commit tortle + rm $CONF + };; + $DIALOG_CANCEL) + rm $CONF + clear + exit;; + $DIALOG_HELP) + dialog --title "Help" \ + --msgbox "\ + TORtle V$tortle_version\n\n\ TOR SHELL\n\ =========\n\ -Until I finish testing and decide which parameters to customize in the gui, these are the defaults:\n\n\ Hostname: $tortle_hostname\n\ -TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\n\ - +TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\ +\n TOR GATEWAY\n\ ===========\n\ -At this time, it is just a regular TOR Proxy but my plan is to evolve it into a much more convenient and secure fully isolating Gateway.\n\n -The LAN Turtle (with its two ethernet interfaces) is clearly perfect for that purpose, although I have to figure the best way to do it without -affecting the functionality of other modules/services that may be running at the same time (some iptables playing needed too).\n\n\ -In the meantime, please notice that DNS or other well known leaks are NOT being actively prevented. 
Use it accordingly.\n\n\ -TOR Proxy is in $tortle_socksip:$tortle_socksport\n \n" 33 72 +TOR Proxy is at $tortle_socksip:$tortle_socksport\n\ +TOR Transport is at $tortle_socksip:$tortle_transport\n\ +TOR Dnsport is $tortle_dnsport\n\ +\n\n\n\ +For support, please use the LAN Turtle forum at:\n\n\ +https://forums.hak5.org/index.php?/forum/88-lan-turtle/\n\n\ +I need YOUR feedback to help me improve TORtle!\n\n\ + - Shad.\n" 27 60 + configure + ;; + $DIALOG_ESC) + clear;; + esac } - function start { tortlecfg if [ ! -e "/usr/sbin/tor" ]; then opkg update && opkg install tor fi if [ ! -e "/var/lib/tor" ]; then - mkdir -p /var/lib/tor - chown sshd.sshd /var/lib/tor - mkdir -p $tortle_hiddendir + ( + mkdir -p /var/lib/tor + chown sshd.sshd /var/lib/tor + mkdir -p $tortle_hiddendir chown sshd.sshd $tortle_hiddendir + ) 2> /dev/null fi if [ ! -e "$tortle_hiddendir" ]; then - mkdir -p $tortle_hiddendir + ( + mkdir -p $tortle_hiddendir chown sshd.sshd $tortle_hiddendir + ) 2> /dev/null fi ( echo "User sshd" echo "RunAsDaemon 1" - echo "PidFile /tmp/run/tor.pid" + echo "PidFile /var/run/tor.pid" echo "DataDirectory /var/lib/tor" - echo "SocksPort $tortle_socksip:$tortle_socksport" - echo "HiddenServiceDir $tortle_hiddendir" - echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport" - echo "VirtualAddrNetworkIPv4 10.192.0.0/10" - echo "AutomapHostsOnResolve 1" - echo "TransPort 9040" - echo "TransListenAddress $tortle_socksip" - echo "DNSPort 9053" - echo "DNSListenAddress $tortle_socksip" + if [ "$tortle_enableproxy" == "1" ]; then + echo "SocksPort $tortle_socksip:$tortle_socksport" + fi + if [ "$tortle_enablehidden" == "1" ]; then + echo "HiddenServiceDir $tortle_hiddendir" + echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport" + fi + if [ "$tortle_enabletrans" == "1" ]; then + echo "VirtualAddrNetworkIPv4 10.192.0.0/10" + echo "AutomapHostsOnResolve 1" + echo "TransPort $tortle_transport" + echo "TransListenAddress $tortle_socksip" + echo "DNSPort 
$tortle_dnsport" + echo "DNSListenAddress $tortle_socksip" + fi + if [ "$tortle_enablecontrol" == "1" ]; then + echo "ControlListenAddress $tortle_controladdr" + echo "ControlPort $tortle_controlport" + echo "HashedControlPassword $tortle_hashedpass" + fi ) > /tmp/tortlerc tor -f /tmp/tortlerc - if [ "$tortle_forwarding" == "0" ]; then - iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 9053 - iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDIRECT --to-port 9040 - iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 9053 + if [ "$tortle_gateway" == "1" ]; then + iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port $tortle_dnsport + iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port $tortle_dnsport + iptables -t nat -A PREROUTING -i br-lan -p tcp --dest $tortle_socksip -j ACCEPT + # Should I add here a rule to allow reaching eth1 network? Perhaps... but is it secure? + iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDIRECT --to-port $tortle_transport fi echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward 
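Review bot: The form text promises that TORGateway "tunnels ALL eth0 traffic", but the gateway branch of `start` redirects only TCP and port 53; with `tortle.gateway=1` and the default `tortle.forwarding=1`, every other protocol from br-lan (non-DNS UDP, ICMP) is forwarded out eth1 in the clear, and nothing here touches ip6tables if IPv6 is enabled on the bridge. Because REDIRECTed TCP is delivered locally and never traverses FORWARD, a single `iptables -I FORWARD -i br-lan -j DROP` under `if [ "$tortle_gateway" == "1" ]` (with the matching `-D` in `stop`) closes the leak without breaking the tunnel; alternatively force forwarding off while the gateway is on and say so in the dialog. The values read back from `$CONF` are committed to uci and later land in `HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport` unchecked, so an empty or non-numeric entry yields a torrc tor will not parse; a `case "$tortle_tport" in ''|*[!0-9]*) …` guard before the `uci set` lines is enough. `$DIALOG_CANCEL` ends in `exit`, which terminates the whole module rather than just the form, and `$CONF` is left behind on the `$DIALOG_ESC` path.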
@@ -110,15 +201,18 @@ function start { function stop { + tortlecfg killall -9 tor - if [ "$(uci get tortle.forwarding)" == "0" ]; then - echo "1" > /proc/sys/net/ipv4/ip_forward - iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 9053 - iptables -t nat -D PREROUTING -i br-lan -p tcp -j REDIRECT --to-port 9040 - iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 9053 -# iptables -t nat -D PREROUTING 1 - fi - echo "Tortle Proxy and Tortle Shell have been stopped." +# if [ "$tortle_gateway" == "1" ]; then + ( + iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port $tortle_dnsport + iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port $tortle_dnsport + iptables -t nat -D PREROUTING -i br-lan -p tcp --dest $tortle_socksip -j ACCEPT + iptables -t nat -D PREROUTING -i br-lan -p tcp -j REDIRECT --to-port $tortle_transport + ) 2> /dev/null +# fi + echo "1" > /proc/sys/net/ipv4/ip_forward + echo "All TORtle services and redirections have been disabled." } @@ -129,4 +223,3 @@ function status { echo "0" fi } -
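Review bot: `stop` now tears the redirect rules down unconditionally (the `tortle_gateway` test is commented out), which is right because an earlier `start` may have run with a different setting, but `-D` removes one copy of each rule while `start` appends with `-A` every time it runs, so two starts leave a rule this function never removes. Loop until deletion fails, e.g. `while iptables -t nat -D PREROUTING -i br-lan -p tcp -j REDIRECT --to-port "$tortle_transport" 2>/dev/null; do :; done`, for each of the four rules. `echo "1" > /proc/sys/net/ipv4/ip_forward` re-enables forwarding regardless of the user's setting, so stopping the gateway silently fails open to plain routed Internet; either restore a value saved by `start` or state that in the final message. `killall -9 tor` can become `kill -INT "$(cat /var/run/tor.pid)"` now that `PidFile /var/run/tor.pid` is set, which is targeted and lets tor shut down cleanly. Note that `tortlecfg` at the top of `stop` can itself `rm /etc/config/tortle` and re-seed defaults on a version mismatch — a surprising side effect for a stop action.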