You will be required to install an application known as "Node.js" which is a web server development platform. It is widely used in many commercial applications. It is open source software and it is free to use. It is compatible with Windows, Linux and Mac.
If you already have Node.js installed then go to Step 3. The complete installation is about 65 megabytes.
Take your time to explore all of the options and pick the one that is best for you.
The Kraker Local Proxy Server does NOT require that any optional tools be installed.
Do NOT check the checkbox as shown in this image. It is unchecked by default.
Open the Kraker download page (link will open in a new tab).
Download the file to the new folder.
Rename the file to
At this point, you should have a copy of
Open the "Properties" tab on your desktop icon. The "Target" field should be the path to the Node.js executable. Add a space character and "kraker.js" to the end of that line. In the "Start in" field, enter the full path to the folder containing the copy of "kraker.js". That should do it. You should be able to double-click the icon to get the proxy server running. This is what the entries look like on my system:
Start in: | c:\stuff\proxy |
I did not install Node.js in "Program Files" but into a folder that I created off the root of the main drive. If you install in "Program Files" (which is the default destination selected by the Node.js installer) then you need double-quotes because of the space in the path name:
If the above does not work for some reason or if you wish to start the server from the command line, you can use this:
When the Kraker proxy server starts up, a console will appear with a message like this:
Ignore the error messages (setup is not complete). You may get a prompt from your operating system or firewall asking whether to allow access to your network. Node.js only needs access to the Internet and not to your Local Area Network.
I have no advice to offer if you are using a VPN or other type of intermediary.
In your web browser, enter this URL:
Try this:
This will bring up a page listing the HTTP headers received by the remote server. Kraker does not send extra headers or
modify any headers other than the "Host" header (since the browser sent "localhost:8080" to the proxy). Next, try connecting
to the HTTPS port on the proxy with
Now try this:
The proxy provides access to local files but only in its own folder. External access is possible with a configuration file.
Open your favorite text editor and type something like this:
What I have entered above is called an "alias" representing a path to the Windows desktop. If I want to access files on my
desktop, I would type
Instead of making a path to your desktop, you could make a path to a folder containing web pages, text files, images, music,
videos, whatever. Save the file in the Kraker folder with the exact name
Download this app and run it in your browser:
The app is extremely simple. It displays a list of file names and you can open a file in an iframe. The browser does
whatever it would normally do with the file based on the extension and the mime type. Now type
If you look at the server console, you will see a display of your activity. This can be suppressed, if you like, by using
a tilde. That is,
You can also access folders inside the Kraker folder using just the name without the plus sign. There is no global password for file access, whether for reading or writing, since this would be what is called "a single point of failure". Each folder is protected by the fact that its name is not discoverable. That is, the folder name IS the password to protect from unauthorized access. Technically, it is possible for a malicious app to discover an alias or a folder name using a brute force search of all possible character combinations but this is a long process with little payback since the server protects your existing files from being over-written. This would also require that the malicious app be left running in your browser for an extended period of time.
In case you're wondering, the server blocks access to your aliases file. An obvious security risk like this has not gone unnoticed. The entire server architecture has been designed to limit the impact of abuse by potential attackers. Of course, it is possible that something can go wrong if you trust a malicious app unconditionally but the reality is that no environment is safe from a careless user.
By default, Kraker uses your ISP's DNS server for DNS lookups but you can choose another source or switch to DNS-over-HTTPS
(DoH). This is not very useful to you until you redirect all of your web browser's activity through the Socks5 proxy and
that topic will be covered momentarily. Right now, we just want to get your settings file installed. Download
this file named
| Normal DNS | ||
| DNS-over-HTTPS |
You can select a DNS setting from the browser url bar. In order to select a preference automatically on startup, copy the desired setting to the entry called "default". You can combine DoH with normal DNS by placing the DoH first and then the DNS. Kraker will use the DoH setting for its own DNS lookups while the normal DNS is only used for DNS lookups via the browser url bar. For example:
Next, look for the setting called "shadow_secret" and change "password" to a secret of your own choice. Save the settings file, close the server console and restart to load your settings. Now we can set up the Socks5 proxy.
In the case of Chrome-based browsers, you have no choice but to install this extension because the browser defaults to the operating system proxy settings (if any). Although Firefox and its offshoots support proxy configuration in the browser settings, using the extension is the preferred method because it can be easily turned off in case you have the need to do that.
There are versions of the extension for Chrome, Firefox, Opera and Edge. Select the "Manual" tab once you have installed the extension. Enter a profile name and fill all three proxy name fields with "localhost" and set the port number to "8088". Check "SOCKS v5" and check "Remote DNS" (for Firefox only). Press the green checkmark symbol and you are done. Load any web page and take a look at the server console. You should see all of the DNS activity displayed there. This feature can be disabled in the settings file ("showdns"). Personally, I prefer to have this enabled.
An important thing to know about the Socks5 proxy is that it is totally transparent. It cannot be detected by remote servers such as those operated by Cloudflare which will attempt to fingerprint your connection. HTTP/2 works just fine although it won't be possible to support HTTP/3 because it is based on UDP and not TCP but that's a long story. It remains to be seen whether HTTP/4 will be around the corner soon.
Yes! We are near the end! Once this is done, your new proxy server will be ready to do some heavy lifting and then we can play around a bit more. This is a necessary step for ANY proxy server that needs to intercept HTTPS requests from the web browser. There is no avoiding it.
First, you need to create a new folder in the Kraker folder and it must be named after your shadow secret. The reason for this is security. Your server certificate can be stolen and used against you if a malicious app knows where to find it. This is a targeted hack which would be difficult to pull off but we want to be safe rather than sorry since anything can happen.
Download certificate.htm to the new folder and download webssl.js to the home folder.
Start the app with
The helper file "webssl.js" is not an implementation of X509 (the official name of the standard on which the HTTPS certificate is based). It is the product of reverse engineering the certificate format and creating new code to duplicate the format for the purpose of making self-signed certificates.
Once you have the app running, press the "Create Key" button. A file named as shown in the app will be created in the secret folder. Next, fill in the fields shown under the "Subject" heading or leave them blank to use the defaults. The information doesn't have to be actual (just make up some funny stuff) but it is needed so that the browser can properly identify your signing authority. The country code is limited to two characters and the "Common Name" may contain only letters, digits, hyphen, underscore or period. You can put whatever you want in the other fields. Stick to straight ASCII since the app is not designed to handle Unicode. Next, press the "Create Authority" button.
You now have a signing authority and you will install that shortly. Press the "View" button to load the new file and display its content. Note that if you wish to remake the file, you will need to first delete it since the app cannot overwrite it (Kraker security policy). The new file is signed with the RSA key which you created earlier. The signing authority will be used by the web browser to authenticate the server certificate which you will now create.
Fill in the fields as you did when you made the signing authority. In this case, however, the only field that actually matters is the "Common Name". Just leave the others blank if you want. Under "Subject Alternative Names", you will see the common name which you specified for the signing authority (if you don't see it then press the "View" button as I mentioned earlier). This is filled in automatically because Google Chrome is picky about it. Most browsers don't expect this field to contain anything. Delete the name because you don't want it in the server certificate.
Now press the "Create Certificate" button and then press the "View" button to verify the content of the new file. It should contain the fields that you specified as well as the fields from the signing authority which will be used by the web browser for authentication. That is, the Issuer fields in the server certificate must match the Subject fields in the signing authority. The server certificate is signed with the RSA key. In an official process, the signing authority and the server certificate are never signed with the same key. This is not an official process so we can do what we want.
Under "Subject Alternative Names", you will now see the default names of the Kraker Local Proxy Server. You can add additional names for whatever purpose but you don't need to do that. The proxy will automatically add domain names to its internal copy of the certificate as needed to handle HTTPS shadow ports. This is a new feature of the proxy server starting with version 5a (I copied the code from "webssl.js").
Finally, press "Restart Server" to load the new server certificate. You will now install the file called
Install the certificate signing authority in your web browser (Windows 10):
|
| |
|
| |
|
| |
|
|
Test your new certificate by going to
The rest of this walkthrough consists of tests and experiments to familiarize you with the capabilities of your new proxy server. Don't leave too soon else you will miss out on some important tips and helpful information. If you wish, you can go straight to the Kraker instruction manual.
This is a small utility that will introduce you to the Kraker commands. Although all of the commands can be accessed from the browser url bar, this utility will reduce your typing burden. Plus, it includes a help section containing an overview of the commands and some details on the structure of the Kraker settings file. This information is not duplicated elsewhere (the instruction manual just goes deeper).
Download the app from here and run it:
I won't be giving a tutorial on the usage of the app. At least not directly. As you engage in the following experiments, you can refer to the app from time to time in case you need some additional clarity or to try some things out for yourself.
You have the mandatory ad blocker and/or other devices installed (like NoScript or uMatrix) but you can still be followed around by your IP address and possibly hunted down by the NSA or some other government agency. If they really want to get you, there is nothing that anyone can do to help but you can maybe avoid being an easy target. A VPN is fine if you want to pay for it and you're willing to trust a third party with ALL of your comms but it's not necessarily a great solution when you just want a bit of extra protection from time to time. There are two options: a randomly chosen proxy or Tor.
For this experiment, I will introduce you to two Socks5 proxy servers that I know to be both free and reliable. There are not many options unless you have a list of hundreds of free proxies and the patience to test them (what works today might not work next week). Here are your toys:
These two commands contain an ip:port:username:password combination and you'll need your shadow secret to enable the proxy globally (that is, for all websites). The server should respond with the word LOCKED otherwise the proxy will work only for specified domains.
Check your location: www.whatismyip.net - iplocation.com
You're either in the Netherlands or in Singapore. To remove the proxy, just delete one of the dots or whatever to invalidate the address (you will need the shadow secret). Kraker comes with support for Tor but you will need to have the Tor server running. There are two ways to accomplish this. You could open the Tor Browser but that really defeats the whole purpose (plus you'll need the "altport" setting). Instead, find "tor.exe" somewhere inside your installation and run it. Then go here to explore. I'm not recommending this if you're into something nefarious on the Darknet (whatever that is). You should use the official browser if you have additional security concerns.
Path to the Tor server on Windows:
Note that the server will start up without a console so the only way to shut it down is through Task Manager.
You can activate the Tor server for all domains instead of just the "onion" domain. There are two ways to do this. You can activate the "Tor for All" flag in the Control Panel or use the address "127.0.0.1:9050" in the "vpn" command (don't forget to use your shadow secret to lock it).
Kraker also supports I2P (Invisible Internet Project) but you will need to have the I2P server up and running. See here for more information.
Before we play around with mimicking a real domain, we will first create a fake HTTP domain that redirects to anywhere we want. I am going to introduce you to the domain editor which is a powerful tool for manipulating the Socks5 internal redirector facility. This allows you to redirect a domain to a local file, an HTTP analysis tool, through a proxy server or anywhere you like. Take a look:
What the heck is this "shadow" thing? It's a default shadow port which acts as an alias for "localhost:8080". We can use
it to save some typing. Pick one of the above to try out and then enter
Oh, wait, why don't we do that right now? Let's steal some cookies. Just about every website uses cookies in some fashion so we can just pick any one to play with. If you're logged in somewhere (like Twitter), you could use that for the experiment but I'll just continue with the Bitchute example.
I'm using a fake domain again but this time it is actually associated with a real one. Cookies are, more often than not, applicable to multiple subdomains so we can use a fake one as long as the "bitchute.com" part is in common. You'll need your shadow secret for this. For obvious security reasons, it is not permitted for an unauthorized app to create domains which contain a dot (as it could steal your cookies like we are about to do). One problem that we encounter with mimicking a real domain is the browser holding a socket open which it will usually do for up to two minutes. Until the socket is closed, the Socks5 proxy cannot redirect the connection since it already exists. A fake domain gets around this.
Run the two commands above and check the result. If you have not visited Bitchute recently then the cookie might be "null" (going through the fake domain doesn't count). Visit the site and check for your cookie again. There should be at least one cookie, one created by Cloudflare in particular, even though you didn't see a Cloudflare bot challenge. You have just seen how it is possible for an app to get around Cloudflare which continues to be a major pain in the ass for bots and web scrapers, including my own apps (unfortunately).
I have a list of about 150 proxy servers in the U.S. but they have a problem. They are certificate stealers, meaning that they intercept the connection and substitute their own certificate rather than transparently connecting to the destination. Of course, this is pretty suspicious (NSA?) and I have also seen these proxies block connections to sites they don't like. It would not be smart to trust these guys but if the purpose is to simply change your IP address (and you don't care who sees your web traffic) then they can be useful since they are generally pretty reliable. It's just that, unless we can mask the faulty certificate, they are not workable with your web browser. The trick is to get Kraker to inject its own certificate which the browser already trusts.
Try the first example and see that the browser complains about an invalid certificate. The second example has "$" in the username and password fields to instruct Kraker to put up a TLS bridge which is simply a socket upgrade. Take a look at the certificate in your browser and see that it is derived from the certificate you originally created. This feature can be extended to a specific website and I'll show you that here because it can be useful if you are outside the U.S. and need to access a geo-blocked website. This one, for example:
This could be done with the domain editor but I'm showing you how to do it in your settings file (hit the Reload command in the Control Panel after you've saved the file). The confusion with the plus signs is a result of supporting IPv6 which uses colons instead of dots in the address. IPv6 is a programmer's nightmare as it creates havoc with old parsing algos.
I used four different IP addresses in the examples because any of them could take a vacation at any time.
Since I mentioned IPv6 in the previous section, I should also mention that my router and/or ISP does not support IPv6. Kraker supports IPv6 because Node.js supports it but I can't test it. The only area where Kraker is not IPv6-enabled is the internal DNS lookup. The truth is that only 30% of websites are IPv6 so the world, from what I can see, is still mostly an IPv4 world. This is a tricky situation to work around.
The question I want to pose is: what can you do when you need to use IPv6 for work or whatever but your equipment or your service provider can't do it? I haven't found any proxy server that can handle IPv6 so the idea of proxying out of the situation would seem to be a dead end. Except that Tor can handle IPv6 and it seems to work fine though I don't know of any IPv6-only sites except for one test site. You have two options: you can either enable Tor for all or you can set up your DNS to proxy only certain sites through Tor:
The domain editor doesn't support the "TOR" keyword so you have to provide the proxy address but either way works the same since "TOR" is just a shortcut. This setting applies to all subdomains of "test-ipv6.com" and there are a lot of them. Once you've set that up, go to the site and let the test run its course. You'll pass with a measly 10/10. Not bad, I guess, but the problem is whether or not Tor's rotating IP address is compatible with your work.
So the question now is: how to turn Tor's rotating IP address into a consistent address that doesn't flip every 15 minutes? To accomplish this, we need to run Tor through another proxy server. This calls for some heavy machinery:
This won't help with the IPv6 problem because the second proxy server can't do IPv6 but it is a way to confuse the NSA because they won't be able to see where you're connecting from. Though the Tor address will still be rotating, the destination will see a consistent address and won't be able to discern that you are connecting via Tor. Anyway, go to the site and you'll see that Tor is invisible.
Is there a way to prove that your connection is actually going through the Tor server? You can try unloading the server to see if you can still connect. You could enable the console to show socket activity in the Control Panel and look for the message "VPX chain link" showing two connections (assuming that you believe what Kraker is telling you but that's another matter). You could also try Wireshark.
For this test, we're going to play with DNS-over-HTTPS. Some DoH servers are nice and cooperative while others won't give up the goods because a certain condition must be satisfied. Try this link and then this link to see what I mean. The first link works but the second link returns an (incorrect) error message. We want to make that second link work. By the way, the response is in the JSON format. Firefox has a JSON viewer but most other browsers will just dump the raw text. So how to make that second link work? We need to set the Accept header by going through the proxy server.
Try:
No error message now but a new problem. The browser doesn't recognize the mime type
Try:
This is for those times when you need to be absolutely sure that a malevolent entity is not intercepting your HTTPS connection to a sensitive server. The certificate validation in your web browser only verifies the authenticity of the certificate issuer and not the authenticity of the website itself. Did you know that? The issuer may be authentic but that doesn't prove that the website you are trusting today is really the same website that you trusted yesterday.
It is possible that any number of certificate authorities may be under the control of a criminal organization or a government agency. A website's domain name can also be confiscated or stolen. It may look like the same website but different people could be in control. This is especially worrisome if you are a whistleblower. There is no foolproof way to prove the authenticity of a website but certificate pinning can help raise the trust level.
Certificate pinning works by storing the hash of the website's public RSA key and comparing it to the hash of the key retrieved on future connections to the site. If the hashes match then it is good assurance that you are connecting to the same web server. Set this up:
Next, bring up the site in your web browser. You will see the hash of the RSA key. Save the hash in your settings file:
That's it. Whenever you try to connect to the website, Kraker will verify the hash. If it doesn't match then the connection is refused. In case the website stops working, you can check whether the cause is a hash mismatch:
You should obtain the IP address of the website using the "dnslookup" command and save the IP address in your settings file. This will guard against the possibility of domain theft or DNS poisoning or relocation of the web server.
