DOUBLETAP
An asynchronous proxy to proxy HTTP traffic through AWS API Gateway and rotate IP address on each request
Install / Use
/learn @byt3bl33d3r/DOUBLETAPREADME
DOUBLETAP
An asynchronous proxy to proxy HTTP traffic through AWS API Gateway and rotate IP address on each request.
<p align="center"> <img src="https://media1.tenor.com/images/2ce301a35b13eea7b1e6d26a2ef98089/tenor.gif?itemid=12637269"/> </p>Sponsors
<img src="https://www.blackhillsinfosec.com/wp-content/uploads/2016/03/BHIS-logo-L-300x300.png" width="130" height="130"/> <img src="https://handbook.volkis.com.au/assets/img/Volkis_Logo_Brandpack.svg" width="130" hspace="10"/> <img src="https://user-images.githubusercontent.com/5151193/85817125-875e0880-b743-11ea-83e9-764cd55a29c5.png" width="200" vspace="21"/> <img src="https://user-images.githubusercontent.com/5151193/86521020-9f0f4e00-be21-11ea-9256-836bc28e9d14.png" width="250" hspace="20"/> <img src="https://user-images.githubusercontent.com/5151193/87607538-ede79e00-c6d3-11ea-9fcf-a32d314eb65e.png" width="170" hspace="20"/>
Table of Contents
- DOUBLETAP
What is this?
This is a mitmproxy addon that allows you to dynamically proxy HTTP traffic through AWS API Gateway in order to rotate IP address on each request.
Essentially, it's a fully weaponized version of the underlying concept which tools such as FireProx and the IP_Rotate Burp extension have implemented albeit with a lot major improvements:
- Written in Python 3
- Fully asynchronous (which is extremely important for this particular implementation to work efficiently)
- Works just like a regular proxy
- Dynamically creates, stages and deploys AWS API Gateway endpoints for each new domain across multiple AWS regions concurrently and transparently redirects traffic.
DOUBLETAP vs Other IP Rotation Approaches
When it comes to rotating IPs, there are a lot of ways of doing the same thing. This approach offers major benefits over the traditional methods but obviously there are also some cons.
Pros
-
Much easier to setup and use (you literally just need an AWS account, that's it).
-
Cost-wise it's pretty much free unless you go above 1 million requests a month. See the AWS API Gateway pricing page for details.
-
You have a much greater "pool of IPs" compared to the other approaches. The "pool" is even bigger when using multiple AWS regions (which DOUBLETAP does).
-
Connection speeds are extremely fast as the "proxying" is just an HTTP request to an AWS endpoint. There is basically no network overhead compared to other approaches.
-
You're "proxying" through a highly reputable and trusted (trust is obviously subjective) entity as supposed to a random service on the internet that may or may not be maliciously modifying/intercepting your traffic.
-
The IPs that the end service sees are in the AWS network range which are generally trusted.
Cons
-
You can only proxy HTTP, HTTP/2 and Websocket traffic. Not arbitrary TCP (currently DOUBLETAP only supports HTTP due to some mitmproxy limitations)
-
Can be somewhat easily detected by looking for a specific header that cannot be removed (see the Defense & Detection section for more details)
-
Does not work against other services hosted on AWS API Gateway
-
It can take up to ~30 seconds to receive back a response when issuing a request to a new domain/URL. Subsequent requests to the same domain/URL will have normal response times (see the limitations section for more details)
How Does it Work?
mitmproxy exposes an addon system which allows you to create components of any complexity that interact with it's proxy engine.
When you first fire up DOUBLETAP, it'll query AWS API Gateway to see if there's already an existing API called "DOUBLETAP" (by default) which was previously setup by the tool, and if so pulls down a list of each API endpoint and the domains they proxy traffic to so that it doesn't create them again.
The real "magic" comes into play when you send an HTTP request through the proxy. DOUBLETAP works by hooking the mitmproxy request event, which fires every time the proxy receives a HTTP request, it then performs the following actions:
- Constructs the root URL from the URL you requested
- Checks an internal dictionary structure to see if it already setup an API Gateway endpoint that proxies traffic to that domain
- If not, it'll concurrently create, stage and deploy a new API Geteway endpoint across multiple AWS regions (10 by default) to proxy traffic to the domain you requested (this makes the IP rotation rate even higher).
- During the API Gateway endpoint creation, it'll remap the
X-Forwarded-Forheader: this allows us to specify an IP of our choosing that the end server will see in that header. - DOUBLETAP can detect when the API is fully staged (usually takes anywhere between 10-30 seconds) and will only allow the requests to proceed once the API endpoints are ready across all regions.
- It'll then pick at random an API Gateway endpoint URL from the ones it created
- Generate a fake IP for the
X-Forwarded-forheader and change the User Agent of the request - Finally it'll seamlessly redirect the modified request to the chosen API Gateway endpoint URL which will then proxy the request to the actual target.
The result is that the server you're hitting will see a truly unique IP on almost each request. Additionally it will not give away your real IP address through the X-Forwarded-For header as it's supplied a bogus IP.
What's super important to note here is that all of this happens asynchronously in the background, meaning the proxy does not block every time it has to interact with AWS and/or on each HTTP request.
Limitations
A fundamental limitation of this technique/implementation is that whenever you request a URL to a new domain that DOUBLETAP hasn't created an API Gateway endpoint for previously, it takes anywhere between 10-30 seconds before the Gateway endpoint is staged and ready to accept traffic.
Practically speaking, this means an HTTP request to a new domain/URL will just sit there doing nothing for up to 30ish seconds until you receive back any data. Obviously, subsequent requests to that same domain/URL will not have this issue and you'll receive back the response instantly.
As far as I'm aware, there really isn't a way around this. Additionally, AWS doesn't provide a reliable way to determine whether an API Gateway endpoint has finished staging or not. DOUBLETAP handles this by spinning up background AsyncIO tasks that perform an HTTP request to the endpoint URLs and do a signature check on the response looking for specific status codes and data that I've found through testing mean the API is still staging.
To help alleviate this limitation, see the section on the prestage and allowlist options.
Additionally:
- HTTP/2 requests are not supported. mitmproxy doesn't have the ability to redirect HTTP/2 connections (yet). However, AWS API Gateway does support HTTP/2 and Websocket connections so mitmproxy just needs to catch up.
- Incredibly, if the end service you're trying access legitimately uses AWS API Gateway, the proxying won't work. It's like a cloud Judo move. Thankfully, not a lot of things use AWS API Gateway as I've only ran into this once in a year or so of using this tool.
Use Cases
- The new SprayingToolkit update is built to support proxying everything through DOUBLETAP. No more IP blacklisting on password sprays 😈
- ENTROPICFORESIGHT is built to support proxying everything through DOUBLETAP. No more API keys and/or rate limiting when trying to scrape OSINT data 😈
- Scraping with Headless Browsers (Note: You're going to want to use the
allowlistand/or theprestageoptions if you do this. See this section.) - Anything that can benefit from a new IP on each request 😈 make the possibilities flow through you.
OPSEC Considerations, Detection & Defense
Offensive OPSEC Considerations
- The underlying technique can be detected by looking for the
x-amz-apigw-idheader which is sent on each request through AWS API Gateway. There is no way to avoid this. (See the Defense & Detection section for more details) - While the IP on each req
