By: sergiomitm
January 9, 2018

Become the Man-In-The-Middle with an Open Internet Proxy

Ever wanted to manage a chunk of internet traffic? Whether you are learning to use network management tools or doing something more nefarious, having a test bed of traffic is an important tool. Follow this tutorial and you'll be the boss of more traffic than you can handle. I'm showing you how to create an open internet proxy with Squid.

What's a proxy?

A proxy is a device that acts as an intermediary between your computer and the server that you are trying to reach. There are several reasons that you might want a proxy:
  • Masking network addresses: Hackers use proxies because their source address is hidden from the destination, making it non-obvious who is doing the hacking. People behind firewalls (for instance, people who can't surf Facebook at work) use proxies because the destination address is hidden from their corporate oppressors, making Facebook appear despite the restrictions.
  • Caching: If you have multiple people requesting the same website, the proxy only has to get the files from the remote server once. In big networks this can save real money.
  • Policy Enforcement: The proxy can enforce policies (like no porn or gambling) for its users.
That last one is important. In order to effectively enforce policies, the proxy must be able to monitor and modify all the traffic. And if you run the proxy, those tools are yours.

What you need to get started

While it's possible to do this on your personal desktop, it is not at all advisable. You should use a VPS (virtual private server) with unmetered bandwidth. The one I use has 3 cores, 3 GB of RAM and a 60GB SSD. It does really well at running Squid plus doing the packet inspection things I want it to. You only need one IP address. In this tutorial, I'll show you commands for Debian/Ubuntu - so that is the operating system you should pick.

Setting Up Squid

The first step is to install squid.
sudo apt update && sudo apt install squid
We configure Squid via a 7,900-line configuration file (no kidding) at /etc/squid/squid.conf. The file is that big because it also serves as a large part of the documentation for each feature, so learn how to search for a phrase in your favorite text editor. Here are the lines we need to add or modify.
  • http_port: This is the port that squid will be accessible on. Modify the existing line to make it become a more widely known port. It should read
    http_port 8080
  • http_access: This tells Squid who is able to access the server. You'll see a line in the file that says "http_access deny all"; on the line above it, add
    http_access allow all
  • dns_v4_first: This line will increase the performance of your Squid proxy dramatically. At least it did for me. Find the line that says "# dns_v4_first off", remove the # that marks it as a comment, then change it to say
    dns_v4_first on
Next we're going to set up "delay pools". These govern how much bandwidth Squid and your users are allotted. You can read all about it in the .conf file. Underneath the line that reads "# TAG: delay_pools" add the following
delay_pools 1
delay_class 1 1
delay_parameters 1 32000/64000
delay_access 1 allow all
These lines say: 1) there is only one delay pool; 2) delay pool number one is of class one (limits total bandwidth); 3) delay pool 1 is limited to this much bandwidth (these settings work out to ~2Mbps, don't ask me how that math works); and 4) all traffic goes into delay pool 1. That's it. You've done the bare minimum to get Squid running well. Now let's just restart it and we're ready to go.
sudo service squid restart
Now you should be able to test your proxy by configuring your browser to use it. The hostname is the IP address of your VPS, and the port is 8080.
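As an added check that is not part of the original post, the following script reads http_access rules the way Squid does and tells you whether a configuration lets every client through; the tutorial's rule order is the open case, and a variant limited to one client network (an assumed ACL named localnet) sits beside it for comparison.

```python
# Added example (not from the original post): walk a squid.conf's http_access
# rules in file order, as Squid evaluates them, and report whether every
# client is allowed before the final 'deny all'. Both sample configurations
# are constructed here; 'localnet' is an assumed ACL name.

# Constructed: the tutorial's rules (allow all placed above deny all)
OPEN_CONF = """\
http_port 8080
http_access allow all
http_access deny all
"""

# Constructed: the same file limited to one client network (assumed ACL)
RESTRICTED_CONF = """\
http_port 8080
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""

def directives(conf):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def audit(conf):
    """Return the listening port and whether every client gets through."""
    report = {"port": None, "open_proxy": False, "decided_by": None}
    last_action = None
    for name, args in directives(conf):
        if name == "http_port" and args:
            report["port"] = int(args[0].rsplit(":", 1)[-1])
        elif name == "http_access" and args:
            last_action = args[0]
            # Squid applies the first rule whose ACLs all match; a bare 'all'
            # matches every client, so the rules below it are never reached.
            if args[1:] == ["all"] and report["decided_by"] is None:
                report["decided_by"] = "%s all" % args[0]
                report["open_proxy"] = args[0] == "allow"
    if report["decided_by"] is None and last_action is not None:
        # No catch-all rule: Squid's default for clients that match nothing
        # is the opposite of the last rule, so a final 'deny X' allows them.
        report["decided_by"] = "default (opposite of last rule)"
        report["open_proxy"] = last_action == "deny"
    return report
```

Run audit() over your real /etc/squid/squid.conf before pointing anything at the port; a result of open_proxy True is exactly the state the rest of this post describes.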

Wait for your traffic to come

For me, it was only 6 hours before my proxy was running at 2M per second. Some bot had clearly scanned port 8080 and found out about its true nature. They published it to a list, and other lists copied it. If that doesn't happen for you, you can submit to a proxy list as well. But I would suspect a Squid misconfiguration before I suspected a lack of port scanning bots.

Other Tools You Probably Want

Here are a couple of good tools for keeping an eye on your Squid server. Squidanalyzer parses your Squid logs to tell you who is using your proxy and how, down to which URLs individual users have accessed. NTOP is a great and easy-to-set-up network monitoring solution that shows how your bandwidth is being consumed in close to real time.
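A small log reader, added here and not from the original post, that does in miniature what Squidanalyzer is used for above: per-client request and byte totals, which clients come from outside your own network, and which CONNECT tunnels go to ports other than 443. The log lines and the trusted client network (10.0.0.0/8) are constructed.

```python
# Added example (not from the original post): a small reader for Squid's
# native access.log that does in miniature what Squidanalyzer is used for
# above: who is using the proxy, how much, and which CONNECT tunnels go to
# ports other than 443. The log lines and the trusted network are constructed.
import ipaddress
from collections import Counter, defaultdict

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed: your own clients

# Constructed sample in Squid's native format:
# time elapsed client action/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1515456000.101    245 10.0.0.12 TCP_MISS/200 4521 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1515456001.220   1200 203.0.113.5 TCP_TUNNEL/200 3210 CONNECT example.net:443 - HIER_DIRECT/198.51.100.9 -
1515456002.310    900 203.0.113.5 TCP_TUNNEL/200 980 CONNECT mail.example.net:25 - HIER_DIRECT/198.51.100.10 -
1515456003.400     60 203.0.113.5 TCP_DENIED/403 0 CONNECT example.org:22 - HIER_NONE/- -
1515456004.500    300 198.51.100.77 TCP_MISS/200 1200 GET http://example.org/login - HIER_DIRECT/198.51.100.20 text/html
"""

def parse_line(line):
    """Split one native-format line into the fields this report needs."""
    f = line.split()
    if len(f) < 7:
        return None
    action, _, status = f[3].partition("/")
    return {"client": f[2], "action": action, "status": int(status),
            "bytes": int(f[4]), "method": f[5], "url": f[6]}

def summarize(log_text):
    """Per-client totals, clients outside TRUSTED_NET, and odd CONNECTs."""
    requests, bytes_out = Counter(), Counter()
    external, odd_tunnels = set(), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        requests[rec["client"]] += 1
        bytes_out[rec["client"]] += rec["bytes"]
        if ipaddress.ip_address(rec["client"]) not in TRUSTED_NET:
            external.add(rec["client"])
        if rec["method"] == "CONNECT":
            # Denied tunnels (TCP_DENIED/403) still show someone probing.
            host, _, port = rec["url"].rpartition(":")
            if port.isdigit() and port != "443":
                odd_tunnels[rec["client"]].append((host, int(port), rec["status"]))
    return {"requests": dict(requests), "bytes": dict(bytes_out),
            "external_clients": sorted(external), "odd_tunnels": dict(odd_tunnels)}
```

Feed it /var/log/squid/access.log from your own server; a long external_clients list appearing within hours is the bot-driven traffic the next section describes.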

You're the captain now

Snoop, tamper, ban, prioritize, do whatever you want with your traffic. It's yours. If you need some ideas for the kinds of mischief that are possible, check out this DEF CON talk from Chema Alonso. But be careful because there are laws.

Defending against rogue proxies

I should say a few words about defending yourself from this type of proxy. If you are using a proxy service, it's hard to know if your data is being tampered with. My advice is to only use trusted network services. Do not voluntarily route your traffic through anyone offering to take it for free. And encrypt everywhere. But mostly just don't use open proxies.