Git-Rotate: Bypassing IP Blocks with GitHub Actions
Git-Rotate
Leveraging GitHub Actions for IP Rotation – for more information see the following blog post.
The Sprayer and Catcher components are currently configured to target the Microsoft login portal and handle the response data. You’ll need to modify these components to handle other targets and the response data received. Perhaps this could be made more modular in the future, but at the moments this is just a proof of concept.
GitHub takes abuse and spam of Actions seriously, and they have a dedicated team to track “spammy users.” I am not liable for any account closures due to breaches of their terms and conditions.
Overview
The project is divided into three components; the kicker, the sprayer, and the catcher:
-
Kicker: The kicker is a Python script responsible for creating and populating the workflow runs inside GitHub Actions. When generating the workflow run, it passes the relevant information, such as the target URL, username, password, and the IP address of the catcher. We can use GitHub secrets to pass ‘sensitive’ information to the workflow without exposing it in logs.
-
Sprayer: The sprayer is a Python script executed by a GitHub Actions workflow run. It is responsible for sending a login request to the target endpoint (e.g.,
https://login.microsoft.com/common/oauth2/token) with a username and a password combination, retrieves the response from the login attempt, and forwards it to the catcher component. An IP address is randomly assigned to the VM executing the workflow run, ensuring that each request is sent with a unique IP address to evade detection. -
Catcher: The catcher is a Python Flask web server that receives and processes login response data sent by the sprayer component. It determines the success or failure of the login attempts and logs the data appropriately. Note: Caddy is used as a reverse proxy in this setup to manage incoming requests and forward them to the Flask web server. It’s simple to setup and handles TLS certificates, provides a convenient solution – ensuring secure communication between components.
-
The
Targetcan be any login endpoint you are performing password spraying against or whenever you are brute-forcing something and wanting to avoid IP-based blocking.
