Ultimate guide for being anonymous
Avoiding prison time for fun and profit

Copyright © 2017 Sparc FLOW
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.

Important disclaimer
The examples in this book are entirely fictional. The tools and techniques presented are open-source, and thus available to everyone. Pentesters use them regularly in assignments, but so do attackers. If you recently suffered a breach and found a technique or tool illustrated in this book, this does in no way incriminate the author of this book nor imply any connection between the author and the perpetrators. Any actions and/or activities related to the material contained within this book are solely your responsibility. Misuse of the information in this book can result in criminal charges being brought against the persons in question. The author will not be held responsible in the event any criminal charges are brought against any individuals misusing the information in this book to break the law. This book does not promote hacking, software cracking, and/or piracy. All the information provided in this book is for educational purposes only. It will help companies secure their networks against the attacks presented, and it will help investigators assess the evidence collected during an incident. Performing any hacking attempts or tests without written permission from the owner of the computer system is illegal.

Foreword
If there is a section that most hacking books and blog posts currently disregard, it is the ‘stay safe’ section.
In other words, they fail to detail the schemes and techniques a typical hacker (or activist) should use to guarantee a certain level of anonymity and safety. You may be the best hacker in the world, but if you cannot control your footprint on the internet and correctly erase your trail, you will simply crash and burn.

There are many books on how to be anonymous online with tips that may work to some extent: disabling JavaScript, installing the Ghostery extension, using TOR, etc. These techniques may be effective against Facebook tracking and Google ads, but will do you no good against an active investigator tracking you down following a nasty hack, or a state-sponsored surveillance program targeting activists. There is a mindset to adopt as well as a series of practical precautions to take when you want to completely disappear off the grid. Together, we will set up an anonymous environment that offers as much protection as we can get and shields your identity against prying eyes. Of course, there is no such thing as a zero-risk job, but we will try to get as close as possible.

By the same author:
How to Hack Like a Pornstar
Ultimate Hacking Challenge
How to Investigate Like a Rockstar
How to Hack Like a GOD

Blank slate
The single most effective rule for hacking safety can be summed up in seven words: ‘Start from scratch each and every time’. By “from scratch”, I mean get a new computer, new hotspot, new IP address, and new servers for each hack or job. Investigators will look for common patterns between attacks. They will try to piece small pieces of evidence together to obtain a bigger and clearer picture: ‘Did we see this IP in another attack? When was it registered? To whom? What did it access?’. It can go much further than that. People take their IP address to be the only information they leave as a trail. Not quite right. Your browser has a fingerprint that can be used to uniquely identify it across different platforms: OS version, plugins installed, patch level, installed fonts, screen size, etc.
Social media tracking services rely heavily on these unique characteristics to identify your session wherever you are: on their main website, on an affiliate website, on a random website that included their seemingly innocent code, etc. Make no mistake, we live under a 24/7 surveillance program every time we fire up a connected device.

Why am I ranting about social media websites in a hacking book? Simply because they are best friends with law enforcement agencies when it comes to cooperating with investigators¹. Governments around the world have access to a pool of information, ranging from your local Internet Service Provider’s records to social network sites’. In its transparency report², Google shows that it receives tens of thousands of government requests about users’ emails, connection logs, and other data in every six-month reporting period. This is, however, only the tip of the iceberg, as there are other requests Google is not allowed, by law, to divulge: National Security Letters³. These are special subpoenas issued by federal or intelligence agencies that do not require the approval of a judge and may force the recipient to respect a strict non-disclosure policy. You can read about CloudFlare’s struggle to comply with such requests at the following link⁴.

Even more troublesome, in 2013 the Snowden files revealed several projects created by agencies like the NSA, CIA, GCHQ, etc. to retrieve in bulk users’ metadata stored by service providers (PRISM, covering Microsoft, Apple, Google, Yahoo, PalTalk and AOL, among others). These agencies can then fetch what they need, when they need it, and share it with other intelligence entities around the world. To get a sense of the massive surveillance projects conducted by governments (the USA, the UK, Australia, France, Canada, etc.) check out Edward Snowden’s story⁵ and prepare to be amazed.

In the end, it boils down to this. Starting afresh each time helps keep a shroud of mystery around the artifacts gathered by an investigator.
It is literally like creating a new persona on the net which will act as a smokescreen to hide your real identity. Let’s get you a new persona, shall we?

Multi-layered approach
The first corollary of the blank slate principle is to never use your home/university/work IP address. Never. Not even with two layers of anonymity on top of it. Always assume that at some point, a small glitch in the system could somehow leak your real IP to an investigator: a tiny detail you omitted, the limits of some technology, or the NSA’s superpower intelligence systems. A small connection to the real world is all it takes to motivate a law enforcement agent to dig deeper, issue warrants, and pressure you to confess. We do not want that.

Which IP address should you use, then? I would strongly recommend public WiFi hotspots like fast-food places (Starbucks, Olympus, McDonalds, etc.) or large public gatherings like malls, train stations, etc., as long as there are enough people to hide you from possible cameras. When accessing the WiFi hotspot, they might ask you for personal information, but of course you can enter any data you want. If they ask for mobile verification, use a prepaid SIM card – paid for in cash – if you have access to one or, better yet, choose another spot. Sometimes they might ask for email confirmation, in which case create a disposable email account. These are email services that give access to a mailbox in literally two seconds, with no verification whatsoever, which is quite useful for validation links and spam messages. ‘Yopmail.com’ is one example, but you can easily find other services in case Yopmail accounts are forbidden: ‘guerrillamail.com’, ‘mailinator.com’, ‘mytemp.email’…

Once you are connected to the hotspot there are two quick verifications to perform before deciding to settle in: does the hotspot perform SSL interception, and are there any firewall rules in place?
SSL (today, TLS) is the encryption layer web sites use to protect the HTTP traffic exchanged with their clients⁶. In a normal SSL (or HTTPS) connection, the server presents a certificate to prove its identity; the browser verifies it (a valid chain up to a trusted certificate authority, a name that matches the site, a validity period that has not expired) before displaying the green padlock in the address bar. The key in that certificate is then used to negotiate the session keys that encrypt communication between the user and the server. In order to break this scheme, some hotspots replace the website’s legitimate certificate with one they issue themselves when a client wishes to establish a secure connection. If the browser does not check that the Common Name (the CN in the Subject field) or one of the Subject Alternative Names⁷ matches the website’s DNS name, and that the issuer is an authority it trusts, it can wrongly display the green padlock even though the hotspot can decrypt the traffic and access the data (a man-in-the-middle attack).

Technically, since we will stack additional layers of anonymity and encryption on top later, the hotspot will be totally clueless as to what we really send, but we want to avoid any possible leak in case of a glitch in any one layer. Thankfully it is easy to make sure that the hotspot does not perform such meddling. We simply visit any HTTPS website and check its certificate properties (View Certificate button in Firefox). If the Subject CN or one of the Subject Alternative Names matches the website’s name and the issuer is a public certificate authority, we are good to go. A legitimate wildcard such as *.example.com is fine; a bare “*”, a name unrelated to the site, or an issuer that is the hotspot operator or a proxy product means the hotspot swapped certificates and can actively monitor content. I can only encourage you to search for another place to connect from. One caveat: if an interception root certificate has somehow ended up in your own trust store (a company laptop, a captive-portal prompt you once accepted), the swapped certificate will carry the right name and a green padlock; comparing the certificate fingerprint with the one the same site presents from a network you trust catches that case.

The second major point to look for is the network filtering in place. Can you send requests on ports other than 80 and 443? Can you issue UDP requests? ICMP requests? Not that we will attack the target directly from the hotspot, but we will need certain ports to be available to build a fast and reliable network tunnel to protect our identity (see next chapter).
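The two hotspot checks above, written out as an added example rather than code from the book: the name-matching rules a browser applies (Subject CN, Subject Alternative Names, single-label wildcards) so they can be run on a certificate you exported, a live probe that validates the chain against the operating system trust store and returns the issuer for comparison with what the same site shows elsewhere, and a TCP egress probe for the firewall question. The default port list and the probe host are assumptions for illustration; the live functions need network access.

```python
"""Hotspot sanity checks: does the HTTPS certificate really belong to the
site, and which outbound TCP ports does the captive network let through?
Added example, not from the book. The matching logic is pure and works on
the dict layout returned by ssl.SSLSocket.getpeercert()."""
import socket
import ssl


def _dns_names(cert):
    """Names the certificate is valid for: the DNS entries of subjectAltName
    if that extension is present, otherwise the Subject commonName."""
    san = cert.get("subjectAltName")
    if san is not None:
        return [value for (kind, value) in san if kind == "DNS"]
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _label_match(pattern, hostname):
    """RFC 6125 style comparison: a wildcard may only stand for the whole
    leftmost label, so '*.example.com' covers 'www.example.com' but not
    'a.b.example.com' nor 'example.com'. A bare '*' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_matches_host(cert, hostname):
    """True if any name in the certificate covers hostname."""
    return any(_label_match(name, hostname) for name in _dns_names(cert))


def inspect_site(hostname, port=443, timeout=5.0):
    """Connect with full chain validation (a hotspot CA that is not in your
    trust store makes this raise ssl.SSLCertVerificationError) and return the
    leaf certificate details so the issuer and validity can be compared with
    what the site presents from a trusted network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return {
        "names": _dns_names(cert),
        "issuer": dict(pair for rdn in cert.get("issuer", ()) for pair in rdn),
        "matches": cert_matches_host(cert, hostname),
        "notAfter": cert.get("notAfter"),
    }


def tcp_reachable(host, port, timeout=3.0):
    """True if an outbound TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Assumed probe target and port list (illustration only): a network that only
# lets 80/443 out will not carry OpenVPN on 1194 or an SSH session on 22.
def egress_report(host="ftp.ubuntu.com", ports=(21, 22, 53, 80, 443, 993, 1194, 8080)):
    return {port: tcp_reachable(host, port) for port in ports}


if __name__ == "__main__":
    print(inspect_site("www.torproject.org"))
    print(egress_report())
```

Run it from the hotspot and from a network you trust; differing issuers for the same site, or a validation error only on the hotspot, is the interception signal the section describes.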
A simple test would be to launch Nmap against a random public host like ftp.ubuntu.com (use a connect scan, -sT, since SYN scans need raw sockets and root). You should be able to see a few ports marked as open.

The previous chapter mainly protects our physical location to avoid a police raid at midnight. The second layer of hacking safety, however, is by far the most important one. It usually consists of a tunneled network that encrypts anything that goes into it and ideally keeps zero logs about who accessed which IP address. TOR⁸ is a free, open-source project that does just that. It is a network of volunteer-run relays that exchange encrypted information. For example, a request leaves your web browser in France wrapped in three layers of encryption, one per relay; each relay peels off its own layer and forwards the rest, and the request finally leaves from an exit relay in, say, China before reaching its final destination (Facebook, Twitter, etc.).

Installing TOR on Windows or Linux is as easy as downloading the bundle available on the official website and launching the TOR Browser, a hardened Firefox that ships with NoScript and a couple of privacy options (script execution is only fully disabled at the highest setting of its security slider, so raise it yourself).

TOR can of course relay more than just web requests. It can encapsulate any TCP traffic you wish and may be used by almost any tool thanks to a few tricks. Let’s say we want to exploit an SQL injection vulnerability on a target using SQLmap. To make sure every packet launched by SQLmap goes through TOR, we use a tool called proxychains⁹. It overrides the basic network calls of dynamically linked programs (via LD_PRELOAD) to tunnel all TCP connections through a SOCKS proxy, in this case TOR. We edit the configuration file (/etc/proxychains.conf) on a classic Linux distribution so that the proxy list ends with TOR’s local SOCKS port:

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050

Two details matter here. First, 9050 is the port of the system tor daemon; if you only run the TOR Browser bundle, its built-in SOCKS port is 9150. Second, keep the proxy_dns option of proxychains enabled, otherwise hostnames are resolved by the hotspot’s DNS server before the connection is tunneled, leaking every target you look up. Then launch SQLmap with the following command:

root@kali:# proxychains sqlmap -u "http://www.example.com/?name=hello"

(SQLmap also has native --tor and --check-tor options that reach the local SOCKS port without proxychains.) Keep in mind that proxychains only hooks library calls: tools that use raw sockets, such as Nmap SYN scans or ICMP pings, bypass it entirely and go straight out of the hotspot.

In a TOR network, the destination server cannot see the original IP address; it only sees the IP address of the TOR exit relay.
Since multiple people are using this exit point, it can quickly become very confusing for anyone investigating later on. The exit node only receives connections from other nodes in the network, so it does not get any information about the real user’s location or identity, except for whatever the relayed traffic itself reveals. Indeed, you can use TOR all you want, but if you send an HTTP request to a website that knows your name and stores it in a cookie or a URL, you can be sure that the exit node sees it. The first node knows your real IP address (and thus your real location) but does not know which exit node your request will end up using. Plus, the request is encrypted in such a way that only the exit node can see its content (and read it, if it is not protected with HTTPS). To know who you are, someone needs to break the first node. To know what you do, they need to break the last node. Given the large number of nodes available to bounce users’ requests, the chances of going through a malicious entry and/or exit node seem pretty low.

While that is true, there are still ways to break a user’s anonymity that have proven quite effective. Imagine a malicious website that injects code into your TOR web browser. The code installs malware that issues crafted requests that bypass TOR and contact a website controlled by the government. This effectively removes every layer of protection TOR was providing. There are operating systems that restrict such leaks to some degree and automatically channel every request through TOR (Tails¹⁰ for instance), but you can be sure that such scenarios are totally within the realm of intelligence agencies or serious corporations. Moreover, it has long been rumored that some federal agencies control a good deal of nodes on the TOR network, and can therefore correlate different information and statistics (timing and volume at the entry and exit ends of a circuit) in order to uniquely identify TOR users. So, beware of the limits of this service.
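Here is what proxychains does for you, written out by hand as an added example (not code from the book or from the Tor Project): a SOCKS5 CONNECT to TOR’s local port that hands the destination hostname to TOR instead of resolving it locally, which is exactly the DNS leak the proxy_dns option guards against. It assumes a tor daemon listening on 127.0.0.1:9050 and uses the Tor Project’s check.torproject.org/api/ip endpoint for the final “am I really exiting through TOR?” verification.

```python
"""Minimal SOCKS5 CONNECT (RFC 1928) client for Tor's SOCKS port.
Added example, not from the book or the Tor Project. The destination is sent
as a domain name (ATYP 0x03) so name resolution happens inside the Tor
circuit; the local resolver, and therefore the hotspot's DNS, never sees it."""
import socket
import ssl
import struct

# Assumed local tor daemon; the Tor Browser bundle listens on 9150 instead.
TOR_SOCKS = ("127.0.0.1", 9050)

# Greeting: version 5, one method offered, 0x00 = no authentication.
GREETING = b"\x05\x01\x00"

REPLY_CODES = {
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


class SocksError(Exception):
    pass


def build_connect_request(dest_host, dest_port):
    """CONNECT request carrying the hostname verbatim for the proxy to resolve.
    Layout: VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain), LEN, host, PORT."""
    host_bytes = dest_host.encode("idna")
    if not 0 < len(host_bytes) < 256:
        raise ValueError("hostname length must fit in one byte")
    return (b"\x05\x01\x00\x03" + bytes([len(host_bytes)]) + host_bytes
            + struct.pack("!H", dest_port))


def parse_reply_header(header):
    """Validate the 4-byte reply header; return the bound-address type (ATYP)."""
    if len(header) != 4 or header[0] != 0x05:
        raise SocksError("not a SOCKS5 reply")
    rep = header[1]
    if rep != 0x00:
        raise SocksError("CONNECT failed: " + REPLY_CODES.get(rep, hex(rep)))
    return header[3]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(dest_host, dest_port, proxy=TOR_SOCKS, timeout=60.0):
    """Return a TCP socket to dest_host:dest_port tunneled through the proxy."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(GREETING)
        ver, method = _recv_exact(sock, 2)
        if ver != 0x05 or method != 0x00:
            raise SocksError("proxy did not accept the no-auth method")
        sock.sendall(build_connect_request(dest_host, dest_port))
        atyp = parse_reply_header(_recv_exact(sock, 4))
        # Drain BND.ADDR and BND.PORT; their content is irrelevant for CONNECT.
        if atyp == 0x01:
            _recv_exact(sock, 4)
        elif atyp == 0x04:
            _recv_exact(sock, 16)
        elif atyp == 0x03:
            _recv_exact(sock, _recv_exact(sock, 1)[0])
        else:
            raise SocksError("unknown bound address type")
        _recv_exact(sock, 2)
        return sock
    except BaseException:
        sock.close()
        raise


def tor_check(proxy=TOR_SOCKS):
    """Fetch the Tor Project's check service over the tunnel; the JSON body
    reports IsTor and the exit IP the destination sees."""
    host = "check.torproject.org"
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socks5_connect(host, 443, proxy), server_hostname=host) as tls:
        tls.sendall(b"GET /api/ip HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n\r\n", 1)[1].decode()


if __name__ == "__main__":
    print(tor_check())
```

The same socks5_connect call gives you an SSH or RDP session to a server whose name TOR resolves for you; anything that instead calls getaddrinfo before connecting (or uses raw sockets) leaks past the tunnel no matter what proxychains is wrapped around it.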
If TOR is not the best option for you, another way to go is to request the services of a VPN provider. A VPN provider builds an encrypted tunnel between your workstation and one of their servers. Any request you issue from your machine will go through that server, hiding your real IP address in the process. Every request out of the computer is encrypted. Your local ISP will not know which traffic you are sending nor which IP address you are contacting, which is quite useful for evading censorship programs put in place by oppressive governments. You can find a list of VPN providers accepting crypto-currencies (Bitcoin for instance) at the following link¹¹.

Some public internet hotspots might only allow web traffic to discourage using them as proxies for hacking attempts. Not to worry, we can always find a way to bypass their firewall rules. For instance, AirVPN usually establishes its VPN tunnel on ports 80/443 UDP, but in case they are blocked, it is flexible enough to establish tunnels over other ports, like 443 TCP (HTTPS), which is commonly allowed through firewalls. TCP will run more slowly than UDP, because tunnelling TCP connections inside a TCP tunnel makes the retransmission logic of the two layers fight each other (the “TCP over TCP” problem), but the real question is: should we really bother bypassing rules put in place by a certain hotspot? If they took the time to lock down the network, then maybe they are also logging connection requests and MAC addresses. If you have no other choice then fine, change your MAC address¹² before associating with the network (a MAC address already logged by the captive portal is burned), make sure every request goes through your VPN (a firewall rule that drops anything not bound for the tunnel interface is the usual kill switch), and follow the next instructions in this book (did I mention to pray?). However, I would suggest finding a comfy chair somewhere else. There are so many easy low-hanging fruits, why take any risk at all?

Keep in mind that when using a VPN provider, you necessarily make it the weakest link in the anonymity chain. It knows your original IP address and thus your location (even your name, if you paid with your credit card).
Some VPN services, however, ensure that their servers are hosted in countries neutral to most law enforcement agencies and keep zero logs of what happens on their servers. Check out https://www.privacytools.io/ for some examples.

To recap, we are connected to a public hotspot and issue all of our ‘malicious’ requests through TOR or a VPN service. You may think that this setup is perfect, but there are major issues we need to deal with: the bandwidth is too slow to perform any real attacks; the IP-masking techniques make it difficult to use some advanced tools and techniques (port scans and reverse shells, to list but a few)¹³; and, keeping with the blank slate principle, we would need to re-install attacking tools and erase data on the computer we use every day.

This is where our final piece comes into play: a Virtual Private Server (VPS) directly connected to the internet. We will control this server through our low-bandwidth link and instruct it to issue heavy requests to targets using the large bandwidth at its disposal. This VPS, named “Front Gun server” in the figure above, will of course be paid for in an anonymous crypto-currency¹⁴ (see next chapter). Indeed, there is no evidence more compelling (and easier to track) than credit card data. You can find a list of providers accepting Bitcoin at the following URL¹⁵.

This server can host any operating system you feel most comfortable with. For example, you can install Kali Linux¹⁶. It comes prepackaged with handy tools, saving you some trouble. Personally, I prefer both a Windows and a Linux machine for maximum flexibility. We can SSH to the Linux server through our trusted VPN (or TOR using proxychains) to remotely issue commands: SQLmap, Nmap, etc., or if it is a Windows server, use RDP (Remote Desktop Protocol) to get a graphical session on the machine.

Suppose an investigator is tracking the attack.
They will identify the IP of the VPS server and eventually seize it – if possible – or hack it to monitor incoming IP connections – the government is not the most law-abiding entity, after all. These IP addresses will end up being VPN exit nodes used by hundreds or thousands of other users. The VPN provider is in a neutral country that does not keep logs or have access to credit card information. Even if by some miracle they choose to cooperate with law enforcement and spy on their users, they will hand over a public hotspot IP address likely located in another country and used by thousands of users every day. This long series of regressions makes the investigation less and less rewarding until eventually the cost outweighs the damage and (hopefully) the case is dropped.

System anonymity
Since the Front Gun server is the one launching all attacks, that is where you should download and install all your favorite tools. There is no need to keep anything on your local computer, thus dramatically lowering the chances of being affiliated with any malicious behavior. In fact, your local computer should only run a temporary operating system booted from a live USB key¹⁷. That way, every time you boot, you start afresh with no data to incriminate you. All hacking tools and data collected from your target live solely on the Front Gun server. You can learn to create a ‘live USB’ key hosting any Linux distribution at the following page¹⁸. As for which Linux distribution to choose, if you are using the TOR network, prefer WHONIX¹⁹ or TAILS²⁰, which encapsulate all traffic inside the TOR network. Otherwise, Kali Linux might be the easiest option, though any Linux distribution will do, provided you can install the VPN client on it.

Our attacking infrastructure is now fully operational and modular.
We can easily change identity every day by mixing layers of anonymity to send mixed signals: log into a different VPN service, alternate between VPS servers, go to a new WiFi hotspot, etc. That will be enough to drive any stubborn investigator mad. Remember, you don’t have to outrun the hunter, you only need to outrun the slowest prey, and given the impressive number of script kiddies still hanging out in what they call “hacking” forums or TOR websites, you have every chance.

Payment options
Before leaving you to your (un)lawful duties, one brief thought about the payment options available to people who cherish their online privacy. A lot of experts blindly advocate Bitcoin as the go-to currency for being anonymous on the net. That is very misleading! Bitcoin has its limits, and you should be aware of them. On the Bitcoin network, there are no names and emails. Instead, every user holds key pairs: a private key used to spend coins and a public key from which the address that receives them is derived. That sounds ideal, right? The catch, however, is that every transaction made on this network (the blockchain) is visible to all: how much money was sent, from which address to which address, at which hour, etc. If somehow your association with a Bitcoin address is leaked (a hack of your offline or online wallet²¹, for instance), anyone will be able to trace all your previous transactions, and you can’t do anything about it. One single mistake can destroy years of anonymity. Not great.

If you insist on using Bitcoin, make sure to generate a new address for each transaction, as stated in the original whitepaper describing this currency. You can do so offline using numerous tools²² or opt for online wallets²³ accessed through the anonymous environment we created earlier. Once in possession of an address, it is possible to fund it using various payment methods²⁴: gift cards, cash deposit, etc. Again, avoid credit card or wire transfer, even when buying bitcoins.
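Why a single reuse is enough to unravel everything, as an added example that is not part of the book: the common-input-ownership heuristic used by chain-analysis firms (every input of one transaction is presumed to belong to the same wallet) applied to a small constructed ledger. The addresses, transaction ids and the ledger itself are made up for illustration.

```python
"""Address clustering by the common-input-ownership heuristic.
Added example, not from the book. Every input of a transaction is assumed to
be controlled by one wallet, so spending two addresses together links them,
and a leak of any one address exposes the whole cluster."""
from collections import defaultdict


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """transactions: iterable of {"txid", "inputs": [addr...], "outputs": [addr...]}.
    Returns address -> frozenset of addresses presumed to share an owner.
    Only addresses that ever appear as an input are clustered; an address that
    only ever receives coins tells the heuristic nothing."""
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        if not inputs:            # coinbase-style transaction: nothing to link
            continue
        uf.find(inputs[0])        # register single-input spenders too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def exposure(transactions, leaked_address):
    """What an investigator learns from one leaked address: every address in
    its cluster and every transaction that spent from any of them."""
    clusters = cluster_addresses(transactions)
    owned = clusters.get(leaked_address, frozenset({leaked_address}))
    linked = [tx["txid"] for tx in transactions if any(a in owned for a in tx["inputs"])]
    return owned, linked


# Constructed ledger (not real transactions). A1..A4 belong to one user who
# paid a VPS provider (VPS1), then later consolidated leftovers in t4 and t5.
LEDGER = [
    {"txid": "t1", "inputs": [],           "outputs": ["A1"]},          # coins arrive
    {"txid": "t2", "inputs": ["A1"],       "outputs": ["M1", "A2"]},    # purchase, change to A2
    {"txid": "t3", "inputs": ["A2", "A3"], "outputs": ["VPS1", "A4"]},  # links A2 and A3
    {"txid": "t4", "inputs": ["A1", "A4"], "outputs": ["X1"]},          # links A1 and A4
    {"txid": "t5", "inputs": ["A3", "A4"], "outputs": ["S1"]},          # links both groups
    {"txid": "t6", "inputs": ["B1"],       "outputs": ["A1"]},          # unrelated payer
]

if __name__ == "__main__":
    owned, linked = exposure(LEDGER, "A4")
    print(sorted(owned), linked)
```

With every address used exactly once and no consolidation, the leaked address stays alone in its cluster (VPS1 above, which is never spent in this ledger, exposes nothing beyond itself); the two sweep transactions are what turn one leaked payment address into the user's entire history. CoinJoin-style transactions deliberately break this heuristic, but ordinary wallet behaviour does not.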
There are other crypto-currencies more suited to anonymity that one may consider, Zcash or DASH for instance, but so few services accept them that in the end we are forced to convert them to Bitcoin to get quality services, thereby losing their real value. In my opinion, as long as you stick to the “one transaction, one address” and “no credit card, even when buying bitcoins” rules, you will be just fine.

Closing note
I hope you had a blast reading this small e-book. I got a bit tired of preaching the same mantra in every other hacking book I wrote, so I decided to take the time to properly tackle the subject of anonymity once and for all in a dedicated short book. Have fun pwning the world²⁵!

Note from the author: reviews are gold to authors! If you’ve enjoyed this book, would you consider rating it and reviewing it?

Become a hacker in ONE day! 30% discount coupon: UBA18V833. You have 24 hours to hack all machines and get the flag. Real machines, real vulnerabilities, real fun! Learn more on www.hacklikeapornstar.com/training/ (free trial available).

Notes
[1] https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
[2] https://www.google.com/transparencyreport/userdatarequests/?metric=users_accounts
[3] NSLs can only request metadata: IP addresses, contacts, length of communication, etc., not the actual data exchanged.
[4] https://www.eff.org/deeplinks/2017/01/finally-revealed-cloudflare-has-been-fighting-nsls-years
[5] http://www.imdb.com/title/tt4044364/ and https://www.theguardian.com/us-news/the-nsa-files
[6] https://ssl.trustwave.com/support/support-how-ssl-works.php
[7] Sometimes the website’s DNS name is present only in the “Subject Alt Name” field, for instance when the certificate is shared between many websites.
[8] https://www.torproject.org/
[9] Proxychains is available by default on Kali Linux. Otherwise a simple apt-get install or yum should do it.
[10] https://tails.boum.org/
[11] https://www.weusecoins.com/bitcoin-vpns/
[12] http://linuxg.net/3-ways-to-temporary-change-the-mac-address-in-linux-and-unix/
[13] Some VPN providers allow port forwarding, making reverse shells possible.
[14] https://news.bitcoin.com/meet-top-3-coins-cryptocurrency-anonymity-race/
[15] http://cryto.net/~joepie91/bitcoinvps.html
[16] https://www.kali.org/
[17] http://www.linuxliveusb.com/ for a bootable USB Linux.
[18] http://docs.kali.org/downloading/kali-linux-live-usb-install
[19] https://www.whonix.org/
[20] https://tails.boum.org/
[21] https://steemit.com/bitcoin/@michaelmatthews/list-of-bitcoin-hacks-2012-2016
[22] https://github.com/mshang/btcaddr
[23] https://blockchain.info/en/wallet/#/
[24] https://paxful.com/buy-bitcoin
[25] Legally, of course.