Merge pull request #5 from ShadGIT/gh-pages

New module TORtle
pull/7/head
Darren Kitchen 2015-09-08 17:53:57 -07:00
commit 6094fe968c
2 changed files with 280 additions and 19 deletions

View File

@ -1,5 +1,5 @@
#!/bin/bash /usr/lib/turtle/turtle_module #!/bin/bash /usr/lib/turtle/turtle_module
VERSION="1.1" VERSION="1.2"
DESCRIPTION="Clone Client's MAC address into WAN interface" DESCRIPTION="Clone Client's MAC address into WAN interface"
AUTHOR="Shad" AUTHOR="Shad"
@ -13,34 +13,71 @@ AUTHOR="Shad"
function configure { function configure {
dialog --title "clomac" --msgbox "\n\ dialog --title "clomac" --msgbox "\n\
(\___/) \n\ (\___/) \n\
(='.'=) Nothing to configure here.\n\ (='.'=) Nothing to configure here... yet.\n\
(\")_(\")\ \n\ (\")_(\")\ \n\
" 9 72 " 9 72
} }
function clonemac {
function start { if [ "$CLIENT_MAC" != "$ETH1MAC" ]; then
if [ "`grep clomac /etc/dnsmasq.conf`" == "" ]; then echo "Cloning CLIENT_MAC: $CLIENT_MAC" >> /tmp/clomac.debug
echo "dhcp-script=/tmp/clomac_pivot" >> /etc/dnsmasq.conf uci set clomac.eth1mac="$ETH1MAC"
fi uci commit clomac
echo "#!/bin/bash" > /tmp/clomac_pivot
echo "/etc/turtle/modules/clomac start" >> /tmp/clomac_pivot
chmod 755 /tmp/clomac_pivot
echo "debug" >> /tmp/clomac.debug
CLIENT_MAC="`cat /tmp/dhcp.leases | tail -1 | awk '{ print $2; }'`"
if [ "$CLIENT_MAC" != "" ]; then
if [ "$CLIENT_MAC" != "`macchanger -s eth1 | awk '{ print $3; }'`" ]; then
ifconfig eth1 down ifconfig eth1 down
macchanger -s eth1 | awk '{ print $3; }' > /tmp/clomac.srcmac macchanger -m "$CLIENT_MAC" eth1 # Hope there is no IDS that alerts about the MAC change.
macchanger -m "$CLIENT_MAC" eth1
ifconfig eth1 up ifconfig eth1 up
sleep 1 sleep 1
ETH1_IP="`ifconfig eth1 | grep "inet addr"`" ETH1_IP="`ifconfig eth1 | grep "inet addr"`"
if [ "$ETH1_IP" == "" ]; then if [ "$ETH1_IP" == "" ]; then # Maybe we didn't get an IP because of MAC Filtering? Try again now!
echo "Trying to get a new IP address via DHCP" >> /tmp/clomac.debug
uci set network.wan.macaddr="$CLIENT_MAC" # Workaround to avoid udhcpc restoring the default MAC
killall -9 udhcpc killall -9 udhcpc
udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -C # udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -C
fi fi
else
echo "CLIENT_MAC and ETH1MAC are the same. Nothing to do." >> /tmp/clomac.debug
fi
}
function start {
if [ ! -e "/etc/config/clomac" ]; then
touch /etc/config/clomac
uci set clomac.version="1.2" # Workaround to know what to do on updates
uci set clomac.trylast="1" # if 1 AND not find a dhcp client, it will clone the last seen client MAC (if there is one)
uci set clomac.clientmac="$(macchanger -s eth1 | awk '{ print $3}')"
uci set clomac.eth1mac="22:22:22:22:22:22"
uci commit clomac
fi
if [ "`grep clomac /etc/dnsmasq.conf`" == "" ]; then
echo "dhcp-script=/tmp/clomac_pivot" >> /etc/dnsmasq.conf
fi
if [ ! -e "/tmp/clomac_pivot" ]; then
echo "#!/bin/bash" > /tmp/clomac_pivot
echo "/etc/turtle/modules/clomac start" >> /tmp/clomac_pivot
chmod 755 /tmp/clomac_pivot
ETH1MAC="$(uci get network.wan.macaddr)"
uci set clomac.eth1mac="$ETH1MAC"
uci commit clomac
if [ ! -e "/tmp/clomac.debug" ]; then
echo "Launching at job in 1 min" >> /tmp/clomac.debug
at -f /tmp/clomac_pivot now + 1 min 2> /dev/null
fi
fi
date >> /tmp/clomac.debug
CLIENT_MAC="`cat /tmp/dhcp.leases | tail -1 | awk '{ print $2; }'`"
ETH1MAC="$(macchanger -s eth1 | awk '{ print $3; }')"
if [ "$CLIENT_MAC" != "" ]; then
echo "Got CLIENT_MAC from dhcp.leases" >> /tmp/clomac.debug
uci set clomac.clientmac="$CLIENT_MAC"
uci commit clomac
clonemac
elif [ "$(uci get clomac.trylast)" == "1" ]; then
if [ "$(uci get clomac.clientmac)" != "" ]; then
CLIENT_MAC="$(uci get clomac.clientmac)"
echo "Don't have a dhcp.leases but will use last seen CLIENT_MAC: $CLIENT_MAC" >> /tmp/clomac.debug
clonemac
fi fi
fi fi
} }
@ -53,7 +90,7 @@ function stop {
fi fi
rm -f /tmp/clomac_pivot rm -f /tmp/clomac_pivot
ifconfig eth1 down ifconfig eth1 down
macchanger -m `cat /tmp/clomac.srcmac` eth1 macchanger -m $(uci get clomac.eth1mac) eth1
ifconfig eth1 up ifconfig eth1 up
} }
@ -65,4 +102,3 @@ function status {
echo 1 echo 1
fi fi
} }

225
modules/tortle Normal file
View File

@ -0,0 +1,225 @@
#!/bin/bash /usr/lib/turtle/turtle_module
VERSION="0.8"
DESCRIPTION="TORtle - TOR Turtle Gateway + TOR hidden SHELL/Service"
AUTHOR="Shad"
CONF="/tmp/tortle.form"
: ${DIALOG_OK=0}
: ${DIALOG_CANCEL=1}
: ${DIALOG_HELP=2}
: ${DIALOG_EXTRA=3}
: ${DIALOG_ITEM_HELP=4}
: ${DIALOG_ESC=255}
function tortlecfg {
if [ "$(uci get tortle.version)" != "0.8" ]; then
rm /etc/config/tortle
fi
if [ ! -e "/etc/config/tortle" ]; then
touch /etc/config/tortle
uci set tortle.version="0.8"
uci set tortle.enableproxy="1"
uci set tortle.enabletrans="1"
uci set tortle.transport="9040"
uci set tortle.socksip="172.16.84.1" # deprecated
uci set tortle.socksport="5090"
uci set tortle.tport="22"
uci set tortle.lport="22"
uci set tortle.forwarding="1"
uci set tortle.enablehidden="1"
uci set tortle.hiddendir="/etc/tor/hidden"
uci set tortle.enablehidden2="0"
uci set tortle.hiddendir2="etc/tor/hidden2"
uci set tortle.dnsport="9053"
uci set tortle.enablecontrol="0"
uci set tortle.controlport="9051"
uci set tortle.controladdr="172.16.84.1" # deprecated
uci set tortle.hashedpass="16:D2237CB1DA58774A60EF13100BEFEDE024F5C49BA674CE2BEA1032EC38" # default: test
uci set tortle.gateway="0"
uci commit tortle
fi
tortle_tport="$(uci get tortle.tport)" # * customizable
tortle_lport="$(uci get tortle.lport)" # * customizable
tortle_socksip="$(uci get network.lan.ipaddr)" # Use network.lan.ipaddr
tortle_socksport="$(uci get tortle.socksport)" # Use standard default
tortle_forwarding="$(uci get tortle.forwarding)" # * customizable
tortle_enablehidden="$(uci get tortle.enablehidden)" # * customizable
tortle_hiddendir="$(uci get tortle.hiddendir)" #
tortle_enablehidden2="$(uci get tortle.enablehidden2)" # Reserved for future use
tortle_hiddendir2="$(uci get tortle.hiddendir2)" # Reserved for future use
tortle_dnsport="$(uci get tortle.dnsport)" # Use standard default
tortle_enableproxy="$(uci get tortle.enableproxy)" # * customizable
tortle_enabletrans="$(uci get tortle.enabletrans)" # * customizable
tortle_transport="$(uci get tortle.transport)" # Use standard default
tortle_enablecontrol="$(uci get tortle.enablecontrol)" # * customizable
tortle_controlport="$(uci get tortle.controlport)" # Use standard default
tortle_controladdr="$(uci get network.lan.ipaddr)" # Use network.lan.ipaddr
tortle_hashedpass="$(uci get tortle.hashedpass)" # * customizable
tortle_gateway="$(uci get tortle.gateway)" # * customizable
tortle_version="$(uci get tortle.version)"
if [ -e "$tortle_hiddendir/hostname" ]; then
tortle_hostname="$(cat $tortle_hiddendir/hostname)"
uci set tortle.hostname="$tortle_hostname"
uci commit tortle
else
tortle_hostname="--Please first START TORtle to generate an Onion address--"
fi
}
function configure {
tortlecfg
dialog --ok-label "Submit" \
--help-button \
--title "TORtle Configuration" \
--form "Gateway + TOR Hidden Service configuration\n\n\
TORGateway, if enabled, automatically and conveniently tunnels ALL eth0 traffic through TOR Transparent Proxy.\n\n\
Onion Host sets up a hidden service inside the TOR network. By default it is a TORShell (SSH within TOR)\n\n\
TOR Proxy is just the regular SOCKS proxy through TOR.\n\
Forwarding enables/disables LAN Turtle IP forwarding to help prevent leaks for Proxy mode.\n \n" 26 60 7\
"Onion Host Enable: ($tortle_hostname)" 1 1 "$tortle_enablehidden" 1 20 5 0 \
" External Port:" 2 1 "$tortle_tport" 2 20 5 0 \
" Local Port:" 3 1 "$tortle_lport" 3 20 5 0 \
"TOR Proxy Enable:" 4 1 "$tortle_enableproxy" 4 20 5 0 \
"TransProxy Enable:" 5 1 "$tortle_enabletrans" 5 20 5 0 \
"TORGateway Enable:" 6 1 "$tortle_gateway" 6 20 5 0 \
"Forwarding Enable:" 7 1 "$tortle_forwarding" 7 20 5 0 \
2>$CONF
return=$?
case $return in
$DIALOG_OK)
cat $CONF | {
read -r tortle_enablehidden
read -r tortle_tport
read -r tortle_lport
read -r tortle_enableproxy
read -r tortle_enabletrans
read -r tortle_gateway
read -r tortle_forwarding
uci set tortle.enablehidden="$tortle_enablehidden"
uci set tortle.tport="$tortle_tport"
uci set tortle.lport="$tortle_lport"
uci set tortle.enableproxy="$tortle_enableproxy"
uci set tortle.enabletrans="$tortle_enabletrans"
uci set tortle.gateway="$tortle_gateway"
uci set tortle.forwarding="$tortle_forwarding"
uci commit tortle
rm $CONF
};;
$DIALOG_CANCEL)
rm $CONF
clear
exit;;
$DIALOG_HELP)
dialog --title "Help" \
--msgbox "\
TORtle V$tortle_version\n\n\
TOR SHELL\n\
=========\n\
Hostname: $tortle_hostname\n\
TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\
\n
TOR GATEWAY\n\
===========\n\
TOR Proxy is at $tortle_socksip:$tortle_socksport\n\
TOR Transport is at $tortle_socksip:$tortle_transport\n\
TOR Dnsport is $tortle_dnsport\n\
\n\n\n\
For support, please use the LAN Turtle forum at:\n\n\
https://forums.hak5.org/index.php?/forum/88-lan-turtle/\n\n\
I need YOUR feedback to help me improve TORtle!\n\n\
- Shad.\n" 27 60
configure
;;
$DIALOG_ESC)
clear;;
esac
}
function start {
tortlecfg
if [ ! -e "/usr/sbin/tor" ]; then
opkg update && opkg install tor
fi
if [ ! -e "/var/lib/tor" ]; then
(
mkdir -p /var/lib/tor
chown sshd.sshd /var/lib/tor
mkdir -p $tortle_hiddendir
chown sshd.sshd $tortle_hiddendir
) 2> /dev/null
fi
if [ ! -e "$tortle_hiddendir" ]; then
(
mkdir -p $tortle_hiddendir
chown sshd.sshd $tortle_hiddendir
) 2> /dev/null
fi
(
echo "User sshd"
echo "RunAsDaemon 1"
echo "PidFile /var/run/tor.pid"
echo "DataDirectory /var/lib/tor"
if [ "$tortle_enableproxy" == "1" ]; then
echo "SocksPort $tortle_socksip:$tortle_socksport"
fi
if [ "$tortle_enablehidden" == "1" ]; then
echo "HiddenServiceDir $tortle_hiddendir"
echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport"
fi
if [ "$tortle_enabletrans" == "1" ]; then
echo "VirtualAddrNetworkIPv4 10.192.0.0/10"
echo "AutomapHostsOnResolve 1"
echo "TransPort $tortle_transport"
echo "TransListenAddress $tortle_socksip"
echo "DNSPort $tortle_dnsport"
echo "DNSListenAddress $tortle_socksip"
fi
if [ "$tortle_enablecontrol" == "1" ]; then
echo "ControlListenAddress $tortle_controladdr"
echo "ControlPort $tortle_controlport"
echo "HashedControlPassword $tortle_hashedpass"
fi
) > /tmp/tortlerc
tor -f /tmp/tortlerc
if [ "$tortle_gateway" == "1" ]; then
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port $tortle_dnsport
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port $tortle_dnsport
iptables -t nat -A PREROUTING -i br-lan -p tcp --dest $tortle_socksip -j ACCEPT
# Should I add here a rule to allow reaching eth1 network? Perhaps... but is it secure?
iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDIRECT --to-port $tortle_transport
fi
echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward
}
function stop {
tortlecfg
killall -9 tor
# if [ "$tortle_gateway" == "1" ]; then
(
iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port $tortle_dnsport
iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port $tortle_dnsport
iptables -t nat -D PREROUTING -i br-lan -p tcp --dest $tortle_socksip -j ACCEPT
iptables -t nat -D PREROUTING -i br-lan -p tcp -j REDIRECT --to-port $tortle_transport
) 2> /dev/null
# fi
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "All TORtle services and redirections have been disabled."
}
function status {
if pgrep -x tor > /dev/null; then
echo "1"
else
echo "0"
fi
}