Anonymous Virtual Router

Carder

Managing a virtual router is a pleasure:

- Everything is clear and simple, and you don't need to dig into the internals of some box to change the IP address or register the IP address of a new SSH/SOCKS/VPN/Tor there, since network switching is done by clicking in another window of the virtual machine.
- Gateway content can be not only at your preferred IP address but also separated. For example, Tor sites in the onion zone can be opened in regular browsers, since these requests will go to the Tor proxy.
- For WebRTC requests, the virtual router will return the IP address of your SSH/Socks5 server.
- You can slow down the connection by timeout to bypass two-way ping on some sites.
- DNS requests are sent exclusively via TCP channels via Tor/SOCKS, using the Acrylic DNS Proxy utility.
- You can use Wi-Fi and it will be safe, because the radio transmitter itself will be in the same virtual router, in an isolated machine.
- With such a router, you can connect local connections that various utilities create. Example: Back-Connect Proxy.
- Any anonymous router requires some capacity. You're your own boss here. You allocate as much memory as you need for this purpose.

Why did I use this as a comparison? As a rule, any router is built for passing on the Internet connection that is fed to it...

And if it is flashed with firmware and the process of encrypting/decrypting traffic takes place inside this device and there are third-party utilities, then the internal processor of this router may not be enough. As a result, there may be slowdowns in connections, dropouts, and so on.

This article will make your laptop running Mac OS, Windows or Linux quite anonymous and mobile at the same time, and nothing superfluous will stick out of it, since the device itself looks like a USB plug in your laptop.

The idea itself has been around for a long time, and it is implemented in this article. This article kills the whole point of buying a "certain" box that will distribute anonymous Internet.

Go...​

You have a laptop running your operating system. You install Virtualbox or VMware on your laptop as you like.

Next, turn off the Ethernet adapter in your laptop (for fanatics: Ethernet input, you can at least seal it with a sealant, you won't need it)

Next, in your laptop, turn off your built-in Wi-Fi card (for fanatics: unscrew it from the laptop case with a screwdriver and throw it out).


Further actions: In the VM of your OS, install OS win 10 (disable UAC, update, and so on and so forth. Also, don't forget to go to the power supply and configure it so that it doesn't fall asleep. It is advisable to allocate 4 GB of RAM for the virtual OS)

Next, we insert a USB Wi-Fi adapter into your laptop and pass it through to the virtual machine (any USB device can be forwarded to the virtual machine).


As a result, we get the following picture: a laptop with your OS, and in this OS a virtual machine running Win 10 with the Internet connected via Wi-Fi (in general, choose for yourself what kind of Internet will come to your virtual machine. This is your choice... optimally, however, for myself, I see a mini USB Wi-Fi stub).

We'll get back to configuring it on the host, but for now, we'll have all the settings on the VM.

Download and run Double SSH Tunnel Manager.​

Where exactly to download Double SSH Tunnel Manager is up to You. There are enough links in Google.

The program will prompt us to install a Virtual TAP Adapter V9 for Private Tunnel; we agree.

Next, go to network settings and uncheck all the boxes on the two adapters (in VirtualBox the adapter name is slightly different; this screenshot is from VMware, but the meaning is identical).

Next, we combine these two adapters into a network bridge and also remove all possible ticks from protocols and filters (on the MAC bridge, the check mark will not be removed; this is normal).

Now go to the settings of the Double SSH Tunnel Manager and look at this data. If necessary, we change it to the desired ones (this data must be transferred to the host machine in the adapter from Virtualbox or from VMware)


Turn off the virtual machine.

Back to the host machine.

Settings for Virtualbox.​

We leave only two checkboxes, change the settings (TCP/IP4) to those that we saw in the Double SSH Tunnel Manager in the DHCP section, in the settings of the VM itself, change the default NAT network to VirtualBox Host-only Ethernet Adapter

Settings for Vmware.​

We leave only two checkboxes, change the settings (TCP/IP4) to those that we saw in the Double SSH Tunnel Manager in the DHCP section, and in the settings of the VM itself, change the default NAT network to VMnet1 (Host-only). Disable the VMware Network Adapter VMnet8


Next, we start our VM... Do not forget to connect the Internet to it via USB. Run Double SSH Tunnel Manager and set the settings opposite your SSH/Socks settings as shown in the figure below. Connecting and checking the Internet on the HOST !!!


To fully broadcast the TOR network, point the slider down to TorBRIDGE + onion, but first make sure that you are connected to the Tor network (green onion)



 

Carding


Setting up an anonymous Tor+Socks router on Raspberry PI​


Often, the functionality of a home router is not enough and you want more protection. Today I will tell you how to make your own router from Raspberry PI. Here are just the basics. I'll leave the rest to you to figure out. The possibilities are endless.

The original OS is available for download here https://www.raspberrypi.org/downloads/raspbian/

The router will "pick up" the Internet via an Ethernet or USB 3G modem connected to it.

Further, the router has 3 modes of operation:

1. TOR – (Works only via tor)

2. TOR + SOCKS (Tor, and on top of Tor, the output uses the usual socks5)

3. TOR + SOCKS + AUTH (Tor, and on top of Tor, the output uses the usual socks5 with authorization).

The Internet is distributed via WIFI.

You connect via WIFI to our router:

Code:
SSID : AP-1 Password : 12345678

and without any additional settings, you get the Internet via TOR or TOR + Socks. Proxy and other things are not needed, everything is done on the router. All DNS requests go through the TOR using the dns_tcp_proxy daemon.

What's on the router itself?

Code:
3proxy - as a SOCKS daemon in transparent + parent mode.
dns_proxy - for tunneling DNS requests to Tor.
hostapd - for distributing Wi-Fi.
dnsmasq - for distributing IP addresses to Wi-Fi clients.
python3 - for the web manager interface I wrote.
tor - you know what it's for.
wvdial - for working with a 3G modem.


You can download the full Raspberry Pi image with everything installed and fully working here.

The image is fully ready to work, we write it to the SD card using etcher, and insert it into the raspberry.

The image is slightly modified, the pi entry is removed, the login is only under root, SSH is already enabled.

SSH connection data:

Code:
Username : root
Pass : 123456

Everything else is default, just like in classic Raspbian.

The first time you run it, you will need to expand the file system.

Typing in:

Code:
raspi-config

And go to these menus:


next in


And we agree to increase the space.

An option for those who want to build everything themselves, on their own raspberry with a clean Debian stretch here.

A short description of the process.

Download Debian stretch

We write it to the SD card; I recommend that you use Etcher for recording, here: https://etcher.io/

after the recording is completed, do not forget to turn on the ssh.

to do this, re-connect the SD card to the laptop and create an ssh file on the boot partition without the txt extension, etc.

safely remove the card and insert it into the raspberry.

When the Raspberry boots, we log in to it using SSH

Code:
Username : pi
Password : raspberry

Then type sudo -s (go to root mode)

And download the installer

Code:
curl -O https://nova.ws/dl/release/pi_tor_socks/install.sh

When the download process is complete, type:

Code:
sh install.sh

Then the script will do everything itself.

You may have additional questions during the installation process. here are the answers:



The router's admin panel is available at: http://192.168.22.1:5000 (if you connect to it via Wi-Fi)

At the moment, everything is tested, overwritten more than once, and it seems to work correctly.

Ready-made configs can be downloaded here.

The Python web interface can be downloaded separately here.

3G daemon is running by default, I have MF180 and MF667 start up normally.

To avoid changing the port in the 3G config in the raspberry interface.

We stick it in this port.


Update on github https://github.com/novaws/pi_tor_socks

Good luck.

Stay safe and take care of yourself.
 

Carding


Protecting MikroTik. Secure router setup tricks.​

Errors in the firmware of popular routers are detected regularly. However, just finding the bug is not enough, it still needs to be neutralized. Today we will talk about how to protect yourself from already known vulnerabilities in RouterOS and protect yourself from those that will be revealed in the future.

Updates
Despite the terrible descriptions and the really big danger that vulnerabilities pose, we should pay tribute to the developers of MikroTik: they release patches as soon as possible. Many holes are closed even before they are leaked to the public, and the remaining ones are closed within a day or two. Therefore, the first thing you need to pay attention to is the current version of RouterOS on your device. The system is not automatically updated, so you need to keep track of new versions manually. In the Software section on the MikroTik website there are current versions of the operating system and individual packages. The easiest way to update: System → Packages → Check For Updates → Download and Install.

The same actions can be performed by typing the following command in the console line of the router: /system package update install.


Updating the router's system

There are four development branches available: Long-term, Stable, Testing, and Development. For critical systems, we recommend setting it to Long-term. A piece of hardware that can lie down for a couple of minutes during the update process is worthy of Stable, leave the rest of the branches for experiments on your home router. Please read the Changelog carefully before updating. Sometimes some parts of the OS are completely recycled, after which they are not able to work with the old configuration (this was the case, for example, with bridge in 6.41).

If you are a happy owner of several MikroTik routers, remember that a massive upgrade by standard means is not possible, but you can use The Dude or self-written scripts.

Packages
The next step you can take to improve security is to disable unnecessary functionality. If you don't use IPv6, disable it; if you don't need Wi-Fi, disable the entire module responsible for it (all in the same System → Packages menu). Please note that you can only completely remove additional packages from the system, i.e. those that are not included in routeros-platformname.

Services
All threats to MikroTik work only if the administrator has not taken care of security beforehand. With basic settings of services and firewall, the router will work for years without updates. In the IP → Services menu, disable unnecessary services. I recommend opening only SSH and Winbox from certain addresses, the rest is disabled. The same effect can be achieved with the command /ip service disable ftp.


List of running services

Also check if the following IP services are enabled: Web Proxy, IP → UPnP, IP → Socks. If they are enabled without your knowledge, I have bad news for you. Here are the commands to disable these services from the command console: /ip proxy, /ip upnp, /ip socks.


We check whether proxy is enabled in the system

RouterOS has an MNDP-enabled neighbor detection mechanism. Knowing the neighbors on your network is a great idea, but shining the router model and software version into the surrounding space is hardly good from a security point of view.


It is better not to show your neighbors the router model and software version

The neighbor detection function, like many other features in RouterOS, uses lists of interfaces in its work. The default configuration already has LAN, WAN, dynamic, all, and none lists, but you can also create your own lists with a complex structure. Nested lists (include) and exceptions (exclude) are allowed. They are configured in the Interface → Interface Lists menu. First, we create the list itself (the Lists button), then add interfaces to it in the main menu. The command for working with lists looks like this: /interface list.


List of interfaces

As you know, you can connect to RouterOS not only by IP address, but also by MAC. Ping by MAC address also works. Tools → MAC Server is responsible for these services. It also uses lists of interfaces in the settings. You should select a separate group of interfaces for management, and then allow neighbor detection and MAC Server only to it.

Do not disable MAC Winbox and MAC Telnet completely: one day there will come a time when you will break your Winbox access and you will need to use the MAC connection, so it is better to keep such a backdoor for yourself. In addition, MAC Telnet is useful when a new piece of hardware appears on the network that does not yet have an IP address. Then it is convenient to configure it from the console of a neighboring router.

The default configuration of RouterOS with the add-ons described above will increase the security of the router. In general, the developers tried to make the default configuration as universal as possible and took into account many security nuances. Next, we'll look at additional RouterOS hardening.

Users and groups
If your company's IT department is large, it probably has a division of roles and responsibilities. For example, a tech support employee doesn't need the rights to create VPN connections or view the Wi-Fi password, while network operators, of course, should have access to them. RouterOS has a fairly flexible mechanism for allocating rights. Permissions are assigned in groups, then the user is added to the appropriate group. Group management is available in the System → Users menu, as well as using the command /user group.


Managing groups

Let's take a closer look at group rights:
  • telnet, ssh, ftp, winbox, web, api, romon, dude, tikapp - clear from the name: they allow the user to connect using the specified protocols;
  • local - opens access to the router via the console. If disabled, it will also take away the right to open a terminal inside Winbox;
  • reboot - right to restart;
  • read, write - read or write permissions;
  • sniff - execution rights for the built-in tcpdump analog (tools → sniffer);
  • test - running troubleshooting tools (ping, traceroute, bandwidth-test, wireless scan, snooper);
  • password - the right to change your own password;
  • policy - the right to manage accounts and groups.

Sensitive data
Let's take a closer look at the group of sensitive settings. RouterOS defines so-called sensitive data. These include Wi-Fi, IPSec, and SNMP keys, VPN interface and server passwords, routing protocol passwords, and other security-related information.

In the Winbox window menu, in the settings section, there is a Hide Sensitive checkbox. When it is enabled, this sensitive information is covered with asterisks and it is also not visible in the terminal. A kind of protection against password disclosure. If the Sensitive option is disabled in the group settings, this checkbox is not removed, that is, the Sensitive right allows the user to see the entered passwords.


The Sensitive right allows the user to see the entered passwords

Port Knocking
Just above, we talked about restricting access to the router's management services only from certain addresses. This is very important: the Winbox protocol is far from ideal and there is a chance that holes will still be found in it. But often you have to connect to the router from hotels or cafes, and it is impossible to provide all the addresses from which you will connect.

The Port Knocking technique is common among admins. Initially, the port is closed to everyone. But once a certain sequence of actions is performed from the outside, all management ports are opened for your IP. This set of actions can be very complex, and it is unrealistic to guess it. Consider an example:
  • initially, all management ports are closed to all but the allowed list;
  • if a TCP segment hits the router's port 1234, then two on port 4321 and one on port 5678, then the source address is entered in the list of allowed addresses for the day.
The following script will help you implement this sequence of actions.

Code:
/ip firewall filter
# Management ports: accept addresses that completed the knock, drop the rest.
add action=accept chain=input dst-port=22,8291 protocol=tcp \
    src-address-list=mgmt_allow
add action=drop chain=input dst-port=22,8291 protocol=tcp
# Knock stages, latest stage first: add-src-to-address-list does not stop
# rule processing, so if the stage1 -> stage2 rule came first, one packet to
# port 4321 would also match the stage2 -> stage3 rule right after it.
add action=add-src-to-address-list address-list=mgmt_allow \
    address-list-timeout=1d chain=input connection-state=new \
    dst-port=5678 protocol=tcp src-address-list=mgmt_stage3
add action=add-src-to-address-list address-list=mgmt_stage3 \
    address-list-timeout=1m chain=input connection-state=new \
    dst-port=4321 protocol=tcp src-address-list=mgmt_stage2
add action=add-src-to-address-list address-list=mgmt_stage2 \
    address-list-timeout=1m chain=input connection-state=new \
    dst-port=4321 protocol=tcp src-address-list=mgmt_stage1
add action=add-src-to-address-list address-list=mgmt_stage1 \
    address-list-timeout=1m chain=input connection-state=new \
    dst-port=1234 protocol=tcp

Rules 3-6 (action=add-src-to-address-list) follow the logic described above. The first rule allows access to router management only to addresses from the list mgmt_allow that is filled in at stages 3-6. The second rule prohibits access to everyone. The first two rules are placed at the top so that management traffic does not have to pass through the four rules with logic, which reduces the load on the CPU.

But it is not so easy to perform such an operation with Windows: Telnet was cut out of the standard set of programs, and it is not always possible to download third-party software. But any OS allows you to change the size of the ICMP packet when pinging. This is what we will use. Changing the conditions:
  • initially, all management ports are closed to all but the allowed list;
  • if the router receives an ICMP Request of 345 bytes, then two of 543 bytes and one of 678 bytes, then the source address is entered in the list of allowed addresses for the day.

To do this, just change the previous rules:
  1. Set the protocol to ICMP.
  2. On the Advanced tab, set the Packet Size.
Don't forget that the packet size specified in the ping and the packet size that reached the router are different values. In Linux, 28 bytes of headers are added to ICMP, so to send a 345-byte packet, you need to specify the size 317 in the ping. Windows has different numbers — it counts headers in its own way.

Wireless
RouterOS supports Wi-Fi whitelists and blacklists. There is a Wireless Access List for this purpose. Just add devices that are not allowed to connect to the network, and then uncheck the Authentication and Forwarding boxes. You can also use the command /interface wireless access-list add for this purpose.


Setting up a Wi-Fi blacklist

The case described above will work as a Blacklist. To convert it to a Whitelist, select the specified check boxes and change the type of operation of the Wireless interface using the command /interface wireless set 0 default-authentication=no.


Setting up a whitelist
The authentication checkbox is responsible for client authentication. If it is set for a specific interface, authentication is allowed for all devices except those listed in the access list without the check box. If the check box is not selected on the interface, then only those who are present in the access list with the check box can connect to the network.

The Forwarding setting is responsible for transferring data between clients on the same subnet. Usually, you should not touch it, but if you are building, for example, a hotspot network whose clients will only go to external networks (that is, they do not need internal interaction), disable this option — this will improve the quality of communication.

Using Wireless Access List, you can configure complex client operation logic: by signal strength, time of day, limit the speed of each client, or drive it to a specific VLAN without additional gestures. I highly recommend that you take a closer look at this tool.

And MikroTik can also make an SSID in the form of emojis. To do this, you need to translate characters to Unicode using a tool like this and insert the resulting string into the SSID.

Conclusion
We have considered a minimum of actions that will help the router become safer, and the administrator sleep more comfortably. But RouterOS still has a lot of features under the hood, and if you don't turn on your brain when setting them up, then no articles will save you from hacking. In general, the brain is a great tool. It should be used regularly.
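
The rule-ordering point behind the port-knocking rules in the post above, as an added example that is not part of the original post: the add-src-to-address-list action does not stop rule processing, so when two stages listen on the same port (4321 here) the order of the stage rules decides whether a single packet can advance two stages. The Python model below is a simplification written for this page; KnockRule, Router, knock and linux_ping_size are hypothetical names, the source address is a constructed documentation address, and only the fields used by the four stage rules are modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KnockRule:
    """One add-src-to-address-list stage rule (only the fields used here)."""
    dst_port: int
    requires: Optional[str]  # src-address-list the source must already be in
    adds_to: str             # address-list the source is added to
    timeout: int             # address-list-timeout, in seconds


# Stage rules with the values from the post, earliest stage first.
ASCENDING = [
    KnockRule(1234, None, "mgmt_stage1", 60),
    KnockRule(4321, "mgmt_stage1", "mgmt_stage2", 60),
    KnockRule(4321, "mgmt_stage2", "mgmt_stage3", 60),
    KnockRule(5678, "mgmt_stage3", "mgmt_allow", 86400),
]
# The same rules, latest stage first.
DESCENDING = list(reversed(ASCENDING))


class Router:
    """Minimal model of the input chain: ordered rules plus timed address lists."""

    def __init__(self, rules):
        self.rules = rules
        self.lists = {}  # list name -> {source address: expiry time}

    def in_list(self, name, src, now):
        return self.lists.get(name, {}).get(src, -1) > now

    def new_tcp(self, src, dst_port, now):
        """Pass one new TCP connection attempt through the stage rules in order."""
        for rule in self.rules:
            if rule.dst_port != dst_port:
                continue
            if rule.requires and not self.in_list(rule.requires, src, now):
                continue
            # Non-terminating action: record the source and keep evaluating.
            # The updated list is already visible to the rules that follow.
            self.lists.setdefault(rule.adds_to, {})[src] = now + rule.timeout


def knock(rules, ports, gap=1, src="198.51.100.7"):
    """Send one SYN per port, gap seconds apart; True if src reaches mgmt_allow."""
    router, now = Router(rules), 0
    for port in ports:
        router.new_tcp(src, port, now)
        now += gap
    return router.in_list("mgmt_allow", src, now)


def linux_ping_size(ip_packet_size):
    """Value for Linux 'ping -s' that yields the given IPv4 packet size.

    Assumes 20 bytes of IPv4 header without options plus 8 bytes of ICMP header,
    the 28 bytes mentioned in the post.
    """
    return ip_packet_size - 28


if __name__ == "__main__":
    short, full = [1234, 4321, 5678], [1234, 4321, 4321, 5678]
    print("earliest stage first, one knock on 4321:", knock(ASCENDING, short))
    print("latest stage first, one knock on 4321: ", knock(DESCENDING, short))
    print("latest stage first, full sequence:     ", knock(DESCENDING, full))
    print("latest stage first, 61 s between knocks:", knock(DESCENDING, full, gap=61))
    print("ping -s values for 345/543/678:",
          [linux_ping_size(n) for n in (345, 543, 678)])
```

With the earliest stage listed first, the shortened sequence 1234, 4321, 5678 is enough to reach mgmt_allow; with the latest stage listed first, the full sequence with two knocks on 4321 is required, and the one-minute stage timeouts still apply.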
 

Jollier

Step-by-step instructions for creating an anonymous router
The entire assembly consists of a laptop + router.

The laptop performs the software role of a router, and the router is the hardware that distributes the Internet via Wi-Fi or Ethernet cable.

For example, I will take a regular Xiaomi Nano router (it is small, it can be powered from USB, and it distributes the Internet both via Wi-Fi and Ethernet cable).

+ we will need an Ethernet cable to connect this router to your laptop


1. Standard actions for any router: press Reset on the router itself to reset everything to factory settings. Connect to the access point via the default Wi-Fi network and set the Wi-Fi network name and password.


2. Now we connect all this to (computer/laptop)


3. Software Part: Software that will distribute (anonymous Internet to our router)

Double SSH Tunnel Manager​

4. Download the Double SSH Tunnel Manager program, unpack it and run it.


The program will prompt you to install a virtual adapter; we agree, after which you will see approximately the following picture in the list of adapters:

5. Next, remove all ticks from these two adapters


6. Now we need to combine these 2 adapters into a bridge and configure this bridge by unchecking IP4 and IP6


That is all; the settings are finished. After connecting to the anonymous network, everything will be distributed through our router.

Answers to questions:
What anonymous network can I connect to?


The easiest way is to connect to the Tor network. To do this, the Manager must be connected to the Tor network and you need to point the slider down.

How do I connect Socks5, SSH, Socks5 Back-connect, TorOnionSocks, LocalSocks5, ShadowSocks?


Can I use different connection chains?
You can connect Tor, Socks5, SSH, Socks5 Back-connect, LocalSocks5, ShadowSocks as the first connection, and use ssh, socks5 as the second chain.

Can I use a VPN?
Yes, you can. To do this, use VPN monitor in the program, where you will need to register the IP of your VPN.

Which WebRTC Will be displayed on whoer.net and similar sites?
Any browser out of the box will show the WebRTC of your Socks or SSH connection.

The website 2ip.ru/privacy/ determines the ping and says that this is a tunnel or proxy?
Some sites can identify you by the time delay, for example 2ip.ru/privacy/
To avoid this, use the AntiPing function (AntiPing slows down your work, so don't forget to return the slider to its original position).

I made all the settings correctly, but after connecting it says "Unidentified network"
You need to check all the settings again, and then be sure to restart the OS.

Will the program change the DNS on the host computer?
No, it won't. DNS changes only for your router.
 

misterdrops

Need programmer for Raspberry pi set up

we share loot on %

contact in Pm for new jabber id

Only men with knowledge of the projects

have all set up ready just need partner for program

working with experience
 