RubyGems - spior - Versions diffs - 0.0.4 → 0.0.5 - Mend

spior 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b62d34281190d72cbaa36cc999dc6ced8e652b2ee134c215fe232f4e9c7abc33
-  data.tar.gz: 3e0eed4ff972cabfc8d2d6e69f3e00574cec7af55f63addca6c8158cf727386f
+  metadata.gz: fd5390387f810136edd22aaa9cad905c3a04883faf366278cb9384e5f54605f9
+  data.tar.gz: 6c8be038056d9407403bc72dc919a1f63dcfe2edd8c9dc940352dd05dac4f0f8
 SHA512:
-  metadata.gz: 4c92161d748562eafdcb51a8dbcc1d5d78d830131b07f4f97c9e041d533e113f3288e406b8e9b8eda7ef4302fa6ac9dd0e68404a2e364d79f4a5db3be6516337
-  data.tar.gz: 566584154534bb25415246092b134f6a849b37244cd484fae3717921be51bbbda3f81969e2670c6c83ff0039385664d7d878de57f992772484b4580ee0248ccd
+  metadata.gz: 5cac5ac6b18fded218c40beec95e53cbb85f7e85f6c58bf681085dc28370661da6997518c575d0365852a56c8ba102037414e6b10dc69ef522346bc8b7a24eb8
+  data.tar.gz: 8d96a2e4e9f7646011bbab44615e723bb0032de3bc47c8f97e11fb36df8741f30dc6f2b2aeef75ba50a6ec4b1f3fc59007ca61dd7922bd7f4f648d5d13db7f51

checksums.yaml.gz.sig CHANGED Viewed

Binary file

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,11 @@
+## 0.0.5, release 2020-05-03
+* Spior can now redirect all the traffic through TOR
+* Add OptionParser -t|--tor
+* Change class lib/spior/mac by module
+* Correct option -c|--card NAME
+* Create lib/spior/network
+* Create lib/spior/iptables
 ## 0.0.4, release 2020-05-02
 * Spior can now randomize a mac address with decertmac
 * Add field s.metadata to spior.gemspec

data/lib/spior/copy.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-#!/usr/bin/env ruby
 require 'pathname'
 require 'date'
 require 'digest'

data/lib/spior/iptables.rb ADDED Viewed

@@ -0,0 +1,194 @@
+require 'interfacez'
+require_relative 'msg'
+module Spior
+  class Iptables
+    def self.tor(interface = false)
+      initialize(interface)
+      select_cmd
+      flush_rules
+      bogus_tcp_flags
+      bad_packets
+      spoofing
+      icmp
+      dns
+      nat
+      input
+      output
+      forward
+    end
+    private
+    def self.initialize(interface)
+      @lo = Interfacez.loopback
+      @lo_addr = Interfacez.ipv4_address_of(@lo)
+      @tor_dns = 9061
+      @trans_port = 9040
+      @tor_uid = `id -u tor 2>&1 | grep "^[0-9]*"`.chomp
+      @virt_addr= "10.192.0.0/10"
+      @non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+      @input = interface
+      @input_addr = Interfacez.ipv4_address_of(@input)
+    end
+    def self.select_cmd
+      id=`id -u`
+      if id == 0 then
+        @i = "iptables"
+      else
+        @i = "sudo iptables"
+      end
+    end
+    def self.ipt(line)
+      system("#{@i} #{line}")
+    end
+    def self.flush_rules
+      puts "flush"
+      ipt "-F"
+      ipt "-X"
+      ipt "-t nat -F"
+      ipt "-t nat -X"
+      ipt "-t mangle -F"
+      ipt "-t mangle -X"
+      ipt "-P INPUT DROP"
+      ipt "-P FORWARD DROP"
+      ipt "-P OUTPUT DROP"
+    end
+    def self.bogus_tcp_flags
+      puts "bogus"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
+      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
+    end
+    def self.bad_packets
+      puts "bad_packets"
+      # new packet not syn
+      ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
+      # fragment  packet
+      ipt "-A INPUT -f -j DROP"
+      # XMAS
+      ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
+      # null packet
+      ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
+    end
+    def self.spoofing
+      subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
+      subs.each do |sub|
+        ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
+      end
+      ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
+    end
+    def self.icmp
+      puts "icmp"
+      ipt "-N port-scanning"
+      ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
+      ipt "-A port-scanning -j DROP"
+      ipt "-N syn_flood"
+      ipt "-A INPUT -p tcp --syn -j syn_flood"
+      ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
+      ipt "-A syn_flood -j DROP"
+      ipt "-A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT"
+      ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
+      ipt "-A INPUT -p icmp -j DROP"
+    end
+    def self.dns
+      puts "dns"
+      ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor_dns}"
+      ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor_dns}"
+      ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor_dns}"
+    end
+    def self.nat
+      puts "nat"
+      # nat .onion addresses
+      ipt "-t nat -A OUTPUT -d #{@virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@trans_port}"
+      # Don't nat the Tor process, the loopback, or the local network
+      ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor_uid} -j RETURN"
+      ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
+      # Allow lan access for hosts in $non_tor
+      @non_tor.each do |lan|
+        ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
+      end
+      # Redirects all other pre-routing and output to Tor's TransPort
+      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@trans_port}"
+      # Redirects all other pre-routing and output to Tor's TransPort
+      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@trans_port}"
+      # input
+      ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
+      ipt "-A INPUT -i #{@lo} -j ACCEPT"
+      # output
+      ipt "-A OUTPUT -m owner --uid-owner #{@tor_uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
+      # Allow loopback output
+      ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
+      # tor transparent magic
+      ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
+      ipt "-t filter -A OUTPUT -p udp -j REJECT"
+      ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+    end
+    def self.input
+      puts "input"
+      ipt "-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
+      ipt "-A INPUT -m conntrack --ctstate INVALID -j DROP"
+      ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      ipt "-A INPUT -i #{@input} ! -s #{@input_addr} -j LOG --log-prefix \"SPOOFED PKT \""
+      ipt "-A INPUT -i #{@input} ! -s #{@input_addr} -j DROP"
+      # ACCEPT rules
+      ipt "-A INPUT -i #{@input} -p tcp -s #{@input_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+      ipt "-A INPUT ! -i #{@lo} -j LOG --log-prefix \"DROP \" --log-ip-options --log-tcp-options"
+      ipt "-A INPUT -i #{@lo} -j ACCEPT"
+    end
+    def self.output
+      puts "output"
+      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
+      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
+      ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      # ACCEPT rules
+      ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+      ipt "-A OUTPUT ! -o #{@lo} -j LOG --log-prefix \"DROP \" --log-ip-options --log-tcp-options"
+      ipt "-A OUTPUT -o #{@lo} -j ACCEPT"
+    end
+    def self.forward
+      puts "forward"
+      ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
+      ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
+      ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      ipt "-A FORWARD -i #{@input} ! -s #{@input_addr} -j LOG --log-prefix \"SPOOFED PKT \""
+      ipt "-A FORWARD -i #{@input} ! -s #{@input_addr} -j DROP"
+    end
+  end
+end

data/lib/spior/mac.rb CHANGED Viewed

@@ -1,52 +1,23 @@
 require "pathname"
-require "interfacez"
 require_relative "msg"
 module Spior
-  class MAC
+  module MAC
+    extend self
-    def self.randomize(interface)
+    def randomize(interface)
       @network_int = interface
-      @check = false
       check_dep
-      verify_card
-      if @check == false then
-        puts "Checking network interface..."
-        ask_for_card
-      end
       system("deceitmac --interface #{@network_int} --random --dhcpcd --tor --no-banner")
     end
     private
-    def self.check_dep
+    def check_dep
       if ! Pathname.new("/usr/local/bin/deceitmac") then
         Msg.error "deceitmac is not installed, please, exec spior --install"
         exit(-1)
       end
     end
-    def self.verify_card
-      return if @check or not @network_int
-      Interfacez.all do |interface|
-        if interface == @network_int then
-          @check = true
-        end
-      end
-      if not @check then
-        Msg.err "Your interface #{@network_int} is no found"
-      end
-    end
-    def self.ask_for_card
-      until @check == true
-        Interfacez.all do |interface|
-          print interface + " "
-        end
-        printf "\nWhich interface to randomize ? "
-        @network_int = gets.chomp
-        verify_card
-      end
-    end
   end
 end

data/lib/spior/network.rb ADDED Viewed

@@ -0,0 +1,46 @@
+require 'interfacez'
+require_relative 'msg'
+module Spior
+  class Network
+    attr_accessor :card
+    def initialize(name = false)
+      @name = name
+      @check = false
+    end
+    def card
+      verify_card
+      if @check == false then
+        ask_for_card
+      end
+      @name
+    end
+    private
+    def verify_card
+      return if @check or not @name
+      Interfacez.all do |interface|
+        if interface == @name then
+          @check = true
+        end
+      end
+      if not @check then
+        Msg.err "Your interface #{@name} is no found"
+      end
+    end
+    def ask_for_card
+      until @check == true
+        Interfacez.all do |interface|
+          print interface + " "
+        end
+        printf "\nWhat is the name of the card to be used? "
+        @name = gets.chomp
+        verify_card
+      end
+    end
+  end
+end

data/lib/spior/options.rb CHANGED Viewed

@@ -3,12 +3,13 @@ require_relative 'status'
 module Spior
   class Options
-    attr_reader :install , :copy, :mac , :interface
+    attr_reader :install , :copy, :mac , :interface , :tor
     def initialize(argv)
       @install = false
       @copy = false
       @mac = false
+      @tor = false
       parse(argv)
     end
@@ -25,12 +26,16 @@ module Spior
           @copy = true
         end
+        opts.on("-c", "--card NAME", "The name of the target network card") do |net|
+          @interface = net
+        end
         opts.on("-m", "--mac", "Change your mac") do
           @mac = true
         end
-        opts.on("-c NAME", "--card NAME", "Network card to change, optionnal") do |net|
-          @interface = net
+        opts.on("-t", "--tor", "Redirect traffic through TOR") do
+          @tor = true
         end
         opts.on("-s", "--status", "Look infos about your current ip") do

data/lib/spior/runner.rb CHANGED Viewed

@@ -2,12 +2,15 @@ require_relative 'options'
 require_relative 'install'
 require_relative 'copy'
 require_relative 'mac'
+require_relative 'iptables'
+require_relative 'network'
 require_relative 'msg'
 module Spior
   class Runner
     def initialize(argv)
       @options = Options.new(argv)
+      @network = false
     end
     def run
@@ -21,7 +24,17 @@ module Spior
       end
       if @options.mac then
         Msg.head
-        Spior::MAC::randomize(@options.interface)
+        if not @network
+          @network = Spior::Network.new(@options.interface)
+        end
+        Spior::MAC::randomize(@network.card)
+      end
+      if @options.tor then
+        Msg.head
+        if not @network
+          @network = Spior::Network.new(@options.interface)
+        end
+        Spior::Iptables::tor(@network.card)
       end
     end
   end

data/spior.gemspec CHANGED Viewed

@@ -3,8 +3,7 @@ Gem::Specification.new do |s|
   s.summary = "A tool to make TOR your default gateway and randomize your hardware"
   s.description = <<-EOF
-    A tool to make TOR your default gateway and randomize your hardware
-    Status: not yet functionnal, please wait for the next releases !"
+    A tool to make TOR your default gateway and randomize your hardware.
   EOF
   s.metadata = {
@@ -13,7 +12,7 @@ Gem::Specification.new do |s|
     "wiki_uri" => "https://github.com/szorfein/spior"
   }
-  s.version = "0.0.4"
+  s.version = "0.0.5"
   s.requirements << 'tor'
   s.requirements << 'sudo'
   s.requirements << 'iptables'

data.tar.gz.sig CHANGED Viewed

Binary file

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spior
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - szorfein
@@ -35,7 +35,7 @@ cert_chain:
   J/zT/q2Ac7BWpSLbv6p9lChBiEnD9j24x463LR5QQjDNS5SsjzRQfFuprsa9Nqf2
   Tw==
   -----END CERTIFICATE-----
-date: 2020-05-03 00:00:00.000000000 Z
+date: 2020-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rainbow
@@ -65,9 +65,7 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 1.0.3
-description: |2
-      A tool to make TOR your default gateway and randomize your hardware
-      Status: not yet functionnal, please wait for the next releases !"
+description: "    A tool to make TOR your default gateway and randomize your hardware.\n"
 email: szorfein@protonmail.com
 executables:
 - spior
@@ -88,8 +86,10 @@ files:
 - conf/torrc
 - lib/spior/copy.rb
 - lib/spior/install.rb
+- lib/spior/iptables.rb
 - lib/spior/mac.rb
 - lib/spior/msg.rb
+- lib/spior/network.rb
 - lib/spior/options.rb
 - lib/spior/runner.rb
 - lib/spior/status.rb

metadata.gz.sig CHANGED Viewed

Binary file