You are a threat hunter and need to perform some recon on an adversarial foreign APT. However, you do not want to use a commercial VPN service to get a foreign IP: those exit ranges are publicly known and are routinely flagged or blocked by foreign ISP and site-level filtering rules.
Solution? A personal Dante SOCKS5 proxy server set up on a VPS whose IP is GeoIP-located in your target nation.
Choose a VPS Service
First, you need to find a company that provides a VPS with an IP address geolocated in your target country. In this example, I’m going to choose Russia.
Use the following Google dork: site:"*.by" russia vps
This finds companies in Belarus that offer VPS hosting with Russian IP addresses. You can also try searching "*.ru", but because of sanctions a US credit card will generally be declined by native Russian providers. If you also need to stay anonymous, I would recommend paying with Monero (XMR). How do you get some? Coinbase > buy bitcoin > download Cake Wallet > transfer the BTC from Coinbase to your Cake Wallet address > open the Cake Wallet app and swap the bitcoin for Monero. Now you can use a native Russian VPS service that accepts XMR.
However, I've noticed that all Russian VPS companies require working Russian contact info, namely a phone number and/or email address. To get those, use OnlineSIM to receive the SMS verification code needed to sign up for an email address with Yandex or Mail.ru.
Install & Configure Dante
I usually install dante on a barebones Debian VPS. Low footprint but still gives me the apt package manager natively.
$ sudo apt update
$ sudo apt install dante-server
Verify dante is installed:
$ systemctl status danted.service
Most likely it's disabled. Make sure to enable the service (note the unit is danted, not dante):
$ sudo systemctl enable danted.service
Now let's edit the config file, which on Debian is /etc/danted.conf. I usually keep it barebones:
logoutput: syslog
user.privileged: root
user.unprivileged: nobody
# The listening network interface or address.
internal: 0.0.0.0 port=1080
# The proxying network interface or address.
external: eth0
# socks-rules determine what is proxied through the external interface.
socksmethod: username
# client-rules determine who can connect to the internal interface.
clientmethod: none
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
}
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
}
If you want to allow only your home computer to connect to the proxy, replace the 0.0.0.0/0 in the client pass rule's from: option with your own public address as a /32. Leaving it wide open means the only thing between the internet and your proxy is the password.
The socksmethod option determines how a client authenticates when it connects to the proxy. username means username/password authentication, and Dante checks those credentials against the system's own accounts, which is why user.privileged must be root (to read /etc/shadow). So create a dedicated account for the proxy with no login shell rather than reusing your SSH user. Keep in mind that SOCKS5 username/password auth sends the password in clear text over the connection, so use a unique password and restrict the client rule as above. Set clientmethod to none so you don't have to authenticate a second time on the internal interface during the proxy connection setup.
REMEMBER!!! Change the external: option to the real outbound interface of your VPS. It could be eth0 or ens3 or enp0s25, etc.; check with ip addr or ip route show default. If it is wrong, danted starts but every proxied connection fails.
Now restart dante.
$ sudo systemctl restart danted.service
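The configuration steps above, as one added example script rather than anything from the original post: it finds the interface carrying the default route from the output of ip route, renders a danted.conf whose client rule is limited to one allowed source network, and, when run on the VPS with that network as its argument, writes /etc/danted.conf (the Debian package's path), creates a no-login account (the name proxyuser is an assumption) and restarts the service.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Debian's dante-server
# package (/etc/danted.conf, danted.service) and a proxy account named
# proxyuser; the allowed client network is passed as the first argument.

# Pick the interface carrying the default route from `ip route` output.
# Reads the text on stdin so it can be checked against a captured sample.
parse_default_iface() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print a danted.conf: username auth on the SOCKS layer, clients limited to
# the CIDR in $2, proxied traffic leaving via interface $1. Rule logging is
# on so that connects and errors land in syslog.
render_danted_conf() {
    iface=$1
    allowed=$2
    cat <<EOF
logoutput: syslog
user.privileged: root
user.unprivileged: nobody
internal: 0.0.0.0 port=1080
external: $iface
socksmethod: username
clientmethod: none
client pass {
    from: $allowed to: 0.0.0.0/0
    log: connect disconnect error
}
socks pass {
    from: $allowed to: 0.0.0.0/0
    log: connect disconnect error
}
EOF
}

# Only touch the system when an allowed network is given, e.g.
#   sudo sh make-danted.sh 198.51.100.5/32
if [ -n "${1:-}" ]; then
    iface=$(ip route show default | parse_default_iface)
    [ -n "$iface" ] || { echo "no default-route interface found" >&2; exit 1; }
    render_danted_conf "$iface" "$1" > /etc/danted.conf
    # Dedicated account with no shell; Dante checks the password via the system.
    id proxyuser >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin proxyuser
    passwd proxyuser
    systemctl restart danted.service
fi
```

The two functions are pure (they only read their arguments and stdin), so you can dry-run them on your workstation with a pasted copy of the VPS's ip route output before applying anything.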
Connect to Proxy
Test the proxy using curl on your personal device. Use the socks5h:// scheme so the hostname is resolved by the proxy on the VPS; with plain socks5:// curl resolves the name through your local resolver first, which leaks the lookup to your own ISP.
$ curl -v -x socks5h://your_dante_user:your_dante_password@your_server_ip:1080 http://www.google.com/
The verbose output will tell you whether the SOCKS handshake and the request succeeded.
I use the Dante proxy in Firefox proxy containers. Install the Container Proxy plugin, configure a proxy with the auth username/password, and make sure it is using the SOCKS5 protocol and that DNS is resolved through the proxy as well (Firefox's own connection settings call this "Proxy DNS when using SOCKS v5"). SOCKS5 can also be used in proxychains, but that's maybe a different post. Now assign that proxy to a container tab.
Open a new tab with that proxy and verify you can reach websites. I would also check the IP address on a public GeoIP checker and run a DNS leak test to confirm that lookups are leaving from the VPS, not from home.