Custom WireGuard Exit Nodes
Configure your Root Server to send all traffic via an Exit Node
Use either SERVER-MODE
or CLIENT-MODE
— but not both.
A new network interface (wgExit) will magically appear on your Root Server: Traffic from your Root Server will now appear as if originating from the Exit Node.
The Exit Node can be behind a Firewall or NAT-Gateway (e.g. you can use your workstation as an Exit Node). Superuser privileges or root access is not needed.
Server-Mode
Connect from an EXIT NODE to SEGFAULT
Typical use case:
- You like to mass-scan from your Root Server.
- You have shell access to the Exit Node and like all traffic from your Root Server to leave via this Exit Node.
- The Exit Node is not reachable from the Internet or is behind NAT/Firewall.
- You like to connect from your Root Server to workstations on a remote firewalled/private LAN (e.g. use nmap, metasploit, smbscan, etc.. on your Root Server to scan a private LAN behind the Exit Node).
Step #1 - On your Root Server
Create and activate an Exit Node configuration:
curl http://sf/net/up
Your Root Server is now ready to accept an Exit Node.
Step #2 - On the Exit Node
Cut & paste the output from above into the shell on your Exit Node:
» All traffic from your Root Server will now leave via the Exit Node «
Client-Mode
Connect from SEGFAULT to an EXIT NODE
Typical use case:
- The Exit Node is on the public Internet (ProtonVPN, Mullvad, NordVPN, …)
- You like to access an AWS VPC/Private-Subnet
On your Root Server
This example uses Proton’s Free VPN as an Exit Node. After registration scroll down to “WireGuard Configuration” and select “GNU/Linux” and click “Create”.
A window containing Proton’s WireGuard configuration similar to this one will show:
Use this informationon your Root Server:
curl sf/wg/up -d name=ProtonFree \
-d PrivateKey=aBvvSus/nNdGxzep/gnC1j0EqSHVKgxSM7VyBsXwD1s= \
-d Address=10.2.0.2/32 \
-d PublicKey=TH87YVmOQBoo1Mir13INlDzvTOlvsi9dWmAp+IF3bRg= \
-d Endpoint=149.34.244.169:51820
### THESE KEYS WILL NOT WORK. YOU MUST REQUEST YOUR OWN KEYS FROM PROTON AS EXPLAINED ABOVE.
### THESE KEYS WILL NOT WORK. YOU MUST REQUEST YOUR OWN KEYS FROM PROTON AS EXPLAINED ABOVE.
### THESE KEYS WILL NOT WORK. YOU MUST REQUEST YOUR OWN KEYS FROM PROTON AS EXPLAINED ABOVE.
» All traffic from your Root Server will now leave via Proton’s Free VPN «
More Shenanigans
Each command is executed on the Root Server (after the Exit Node has connected).
Check Exit Node
curl sf/net/show # Server Mode
curl sf/wg/show # Client Mode
Masscan the Internet
### Simple
masscan -e wgExit -p 22,80,443 --rate 10000 --range 1.0.0.0-8.255.255.255
### With banner grabbing:
masscan -e wgExit -p 22,80,443 --rate 10000 --range 1.0.0.0-8.255.255.255 --banners --adapter-ip 172.16.0.3-172.16.128.2 --adapter-port 1024-33791
Note: Setting --rate 40000
will use 40000 * (40 + 60 + 40) * 2 * 8 == 85.45 Mbit on the EXIT node.
Ping an IPv6 host
ping6 2606:4700:4700::64
Scan the remote private LAN
nmap -n -Pn -sV -F -T5 --min-rate 10000 --open 192.168.123.0/24
Crackmapexec the LAN
cme smb 192.168.123.0/24
Find Window shares on the LAN
nbtscan 192.168.123.0/24
SNMP dump
snmp-check 192.168.123.250
Log in to a workstation (Remote Desktop/RDP) on the LAN
startxweb
remmina -c rdp://username@server
Poke the lion and appear as if originating from the LAN
amass enum -d nsa.gov
Windows
Cut & Paste the YELLOW strings into an Admin Powershell (Right-Click on Powershell -> Run as Administrator) or else Defender’s heuristic will block Wiretap.
Similar services
Contact
X.com: https://x.com/hackerschoice
Mastodon: @thc@infosec.exchange
Telegram: https://t.me/thcorg
Web: https://www.thc.org
Medium: https://medium.com/@hackerschoice
Hashnode: https://iq.thc.org/
Abuse: https://thc.org/abuse
E-Mail: members@proton.thc.org
Signal: ask
SimpleX: ask