
Friday 23 August 2013

The Art of Anonymity #Infosec #Hacking #Anonymity #Proxy #Security



In This Tutorial
- Browser Security
- Local Net Security
- Encryption/Logs
- Virtualization Software/liveUSB
- IP Address

What You Will Need
- A brain
- A computer
- The ability to read
- Wireshark (not absolutely necessary)
- Linux. There's already plenty of Windows tutorials out there.
- No Jews Allowed...
- Ok fine Jews

::Let's Get Started!

First of all, I realize that there are already a few anonymity tutorials in our wonderful Anonymity section. However, I realized today that they are incredibly generic and are practically duplicates of the hundreds of other generic tutorials out there littering the net. So, I decided to write one that is a little bit more inclusive. I would also like to add that there is not one tutorial out there that will provide you with absolutely all the information you will need to be 100% anonymous. In fact, I don't think that you even can be 100% anonymous. Keep that in mind, and always be paranoid.

Browser Security

Chaining 35 proxies won't do you any good if you overlook other aspects of being anonymous. As far as I'm concerned there are a few key points to browser security.

User Agent:

If you don't already know what this is then you should probably come back to this tutorial later in life. But just in case:

"The term was coined in the early days of the Internet when users needed tools to help navigate the Internet. Back then, the Internet was (and actually still is) completely text-based, and to navigate the text, text commands needed to be typed into a keyboard. Soon tools were developed to be the user's 'agent', acting on the user's behalf so that the user didn't have to understand the cryptic commands in order to retrieve information. Today, nearly everyone uses a web browser as their user agent." - http://whatsmyuseragent.com/WhatsAUserAgent

Obviously this can be identifying, especially if you have a rather unique one. In older versions of Firefox you were able to go into about:config and permanently edit your user agent. I don't think you can do that now. So instead, I would recommend getting an add-on to take care of this. There are plenty of them, but my favorite one is Override User Agent because it seems to have the most choices: everything from Safari to Opera to Internet Explorer to Mozilla to mobile user agents. Shit, you can even make it appear as though you are a Google Bot. Too easy.

You can do this in most major browsers and it will almost always come in the form of an add-on.

Something that was brought to my attention by proxx is that a network admin could potentially discover that you are being dishonest about your user agent via the TTL values of the packets. TTL stands for 'Time to Live' and limits the number of hops a packet may take; to explain it in a mundane way, this prevents packets from floating around for eternity. Each operating system starts its packets with a different default TTL, so the value seen on the wire hints at the real OS. So, an example would be that you are using Windows and spoofed your user agent to be a Linux one. It would be possible for the net admin to compare the TTL value against the claimed OS and determine that the user agent was changed, and when.

A link provided by proxx might help to explain some of this: http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/

It would be a safe bet to keep your Windows user agents Windows, and your Linux user agents Linux. You can easily spoof the TTL values in Linux, perhaps using iptables.
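Here is what the admin-side check described above looks like in practice, as an added example that is not part of the original post: it reads constructed log lines carrying the source IP, the IP TTL seen on the wire and the HTTP User-Agent, infers an OS family from each, and flags clients where the two disagree. The default initial TTLs (64 for Linux/Android/macOS, 128 for Windows, 255 for some other stacks) and the log format are assumptions.

```python
"""Flag HTTP clients whose User-Agent claims one OS family while the
observed IP TTL points at another (added example, not from the post)."""
import re
from typing import Optional

# Constructed log format (assumption): <src_ip> ttl=<n> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ip>\S+) ttl=(?P<ttl>\d+) "(?P<ua>[^"]*)"$')

# Common default initial TTLs (assumption; see the binbert link in the post).
# An observed TTL is the initial value minus the number of hops, so we map
# it to the smallest default that is >= the observed value.
TTL_FAMILIES = {64: "unix-like", 128: "windows", 255: "other"}


def os_family_from_ttl(ttl: int) -> Optional[str]:
    """Round the observed TTL up to the nearest default initial TTL."""
    for initial in sorted(TTL_FAMILIES):
        if ttl <= initial:
            return TTL_FAMILIES[initial]
    return None  # > 255 cannot occur in a valid IPv4 header


def os_family_from_ua(ua: str) -> Optional[str]:
    """Very rough platform-token guess; unknown agents (bots) return None."""
    low = ua.lower()
    if "windows" in low:
        return "windows"
    if any(t in low for t in ("linux", "android", "mac os x", "macintosh", "x11")):
        return "unix-like"
    return None


def check_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ttl = int(m.group("ttl"))
    ua_fam = os_family_from_ua(m.group("ua"))
    ttl_fam = os_family_from_ttl(ttl)
    # Only flag when both sides give an opinion; an unknown UA is not evidence.
    mismatch = ua_fam is not None and ttl_fam is not None and ua_fam != ttl_fam
    return {"ip": m.group("ip"), "ttl": ttl, "ua_family": ua_fam,
            "ttl_family": ttl_fam, "mismatch": mismatch}


def find_mismatches(log: str) -> list:
    """Return the source IPs whose claimed and TTL-inferred OS disagree."""
    return [r["ip"] for r in map(check_line, log.splitlines())
            if r and r["mismatch"]]


# Constructed sample: two honest clients, two with a spoofed User-Agent,
# and one crawler whose UA names no OS.
SAMPLE_LOG = """\
10.0.0.5 ttl=126 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"
10.0.0.7 ttl=61 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"
10.0.0.9 ttl=63 "Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
10.0.0.11 ttl=120 "Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
10.0.0.12 ttl=62 "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

if __name__ == "__main__":
    for ip in find_mismatches(SAMPLE_LOG):
        print(f"{ip}: User-Agent OS does not match TTL-inferred OS")
```

A TTL can only be lowered by hops, so a value above 64 from a client claiming Linux is a stronger signal than a low value from one claiming Windows, which might just be many hops away.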

Referer Url:

This one seems to be rather overlooked. This is an HTTP header field that can be used to track your path from page to page. This one is also a simple fix. At least in Firefox. All you have to do is, once again, go to the about:config and search for network.http.sendRefererHeader. Once you've found it just set it to a value of 0. That takes care of that. You can also use the add on RefControl.

In Chrome you can check this out:

https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin?hl=en

If you are using Internet Explorer then..... Well then you should just go away.

Cookies:

Cookies are used to track your web activities. Don't think that just because you are using Tor you are safe from this. As usual there is a plethora of add-ons that you can use. You can also set your browser to not accept cookies from sites; however, you may find that you won't be able to access certain sites if you do this. At least make sure that you remove cookies when you are done with your session. This can be done in Firefox > Prefs > Privacy > Show Cookies > Remove All Cookies. Obviously that's for Firefox. In Chrome I think it's something like Chrome > Tools > Clear Browsing Data. For Opera it would be Settings > Preferences > Advanced > Cookies.

For those of you who don't know, there is such a thing as long-term cookies, otherwise known as LSOs (Local Shared Objects). These are Flash cookies. As far as I know they aren't removed when you do the cookie removing steps I mentioned above. You can handle these by getting the add-on called BetterPrivacy.

I hope I don't have to tell you guys to clear your history or use Private Browsing. Oh! and one more note that I'm not going to make a title for. Be aware of the Desktop and Web Browser extensions you are using. For example, weather monitoring extensions could be very bad because they may transmit zip codes or address information to get local weather reports. Many people overlook this. Hiding your IP won't matter if you overlook this.

Other good add-ons:

Adblock Plus - Can be used for Firefox, Chrome, Opera and Android

HTTPS Everywhere - Encrypts your communications with over 1000 websites. Unless you're taters I'm sure most of you are already using this.

Ghostery - See what's tracking you on a site to site basis. Block them if you wish.

TrackMeNot - I really like this one. This one spoofs your searches. For example, currently it looks like I'm browsing for: dogs

When instead I might be browsing: How to be a terrorist

No Script - Oh come on.


Startpage:

Also, for those of you who don't like Google for obvious reasons, check out Startpage. It sends your searches to their own server before actually sending them out to the web to help hide who's searching. It's a lot like Ixquick except that it yields better results. They don't log your IP.
 
Local Net Security

If you aren't worried about your local network identifying your machine then I wouldn't worry about this section. Still, it's good to know.

MAC Address:


Your MAC address is a 48-bit hardware identifying address which is part of your network card. Everyone has one and they are all unique. Again, this doesn't cross router boundaries so there are many situations when spoofing this doesn't matter. There are a few ways to spoof it. The first way is manually. The basic syntax for this is:

ip link set wlan0 down < to bring down the interface temporarily, otherwise it won't work
ip link set dev wlan0 address ff:ff:ff:ff:ff:ff < don't use that one idiot (ff:ff:ff:ff:ff:ff is the broadcast address; pick a unicast one)

Snayler reminded me that in Debian based systems you can run:

ifconfig wlan0 down <to bring down the interface
ifconfig wlan0 hw ether ff:ff:ff:ff:ff:ff

Then you have to reconfigure the interface. Simply running ip link set wlan0 up (or ifconfig wlan0 up) won't work.

The easier way is just to do this with macchanger.
Code:
macchanger --help
Usage: macchanger [options] device

  -h,  --help                   Print this help
  -V,  --version                Print version and exit
  -s,  --show                   Print the MAC address and exit
  -e,  --endding                Don't change the vendor bytes
  -a,  --another                Set random vendor MAC of the same kind
  -A                            Set random vendor MAC of any kind
  -r,  --random                 Set fully random MAC
  -l,  --list[=keyword]         Print known vendors
  -m,  --mac=XX:XX:XX:XX:XX:XX  Set the MAC XX:XX:XX:XX:XX:XX

Generally I prefer to do macchanger -r wlan0. Don't forget to run ip link set wlan0 down first. If you want to run this at startup you could write a little bash script and symlink it into the runlevel directory (the S prefix means the script is run with "start" when entering the runlevel; K scripts are run with "stop"):
Code:
ln -s /etc/init.d/script.sh /etc/rcX.d/S10script.sh

For those systemd users I created a tutorial not too long ago on exactly how to do this here.

DHCP:

Many people are aware of the MAC address and that spoofing it might be a good idea. Not everyone considers this though. Your DHCP client will often transmit some information when requesting an IP address. Much of the time this only includes your hostname and MAC address (which you now know how to spoof). Unless your hostname is:

twinkletits@hackingboxDumbassvilleOregon123herpderpLane

Then you should be fine.

Unfortunately, at least in the case of dhcpcd for you Gentoo and Arch users, it transmits a hell of a lot more. It will transmit your hostname, dhcpcd version, kernel, OS and architecture. This is known as your vendor class ID, which is obviously very identifying. This can be taken care of by editing your /etc/dhcpcd.conf file.

So, for example instead of having your actual hostname and vendorclass id be transmitted you can change it to whatever you want. Now, here's where you might want Wireshark. Set your filter to bootp and send out a DHCP request.

Take a look at this DHCP Request packet.




Notice where it's highlighted and it says Vendor Class ID. That is extremely identifying information. As you can see I'm using Arch linux with Genuine Intel. You now know my exact kernel and dhcp version. Underneath you can see that my hostname is machine. However, when I append these lines to the bottom of /etc/dhcpcd.conf:
Code:
hostname imatransvestite
vendorclassid isc-dhclient-V3.1.3:Linux-2.6.32-45-generic-ubuntu:x86

And now we send out another dhcp request.



Take a look at my vendor class ID and hostname now. Be aware there are a lot of local services that may transmit your user and hostname. TCP ident lookups, FTP logins, and perhaps telnet are examples. Generally it's a good idea to not have a unique or identifying user and hostname.
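To see exactly what a passive observer on the LAN gets from a DHCP request without firing up Wireshark, here is an added example (not from the original post) that builds a minimal DHCPDISCOVER and pulls out the client MAC, option 12 (hostname) and option 60 (vendor class identifier). The packets, MAC and the "before" vendor class string are constructed; the "after" values are the ones set in /etc/dhcpcd.conf above.

```python
"""Extract the identifying fields (chaddr, hostname, vendor class id) from a
DHCP packet. Added example; packets below are constructed, not captured."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"       # magic cookie that precedes the options
OPT_HOSTNAME, OPT_VENDOR_CLASS, OPT_MSG_TYPE, OPT_END = 12, 60, 53, 255


def build_discover(mac: bytes, hostname: str, vendor_class: str) -> bytes:
    """Build a minimal DHCPDISCOVER as dhcpcd would send it (constructed)."""
    # Fixed 236-byte header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = DHCP_MAGIC
    opts += bytes([OPT_MSG_TYPE, 1, 1])                    # DISCOVER
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    opts += bytes([OPT_END])
    return header + opts


def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV option list; raises on a bad cookie or truncated option."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = data
        i += 2 + length
    return opts


def identifying_fields(packet: bytes) -> dict:
    """What the LAN sees: client MAC, hostname and vendor class id."""
    opts = parse_dhcp_options(packet)
    chaddr = packet[28:34]            # first hlen=6 bytes of chaddr
    return {"mac": ":".join(f"{b:02x}" for b in chaddr),
            "hostname": opts.get(OPT_HOSTNAME, b"").decode(errors="replace"),
            "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode(errors="replace")}


MAC = b"\x00\x1c\x42\xaa\xbb\xcc"     # constructed
# Constructed stand-in for a real dhcpcd vendor class string (versions are placeholders)
BEFORE = build_discover(MAC, "machine",
                        "dhcpcd-<ver>:Linux-<kernel>-ARCH:x86_64:GenuineIntel")
AFTER = build_discover(MAC, "laptop",
                       "isc-dhclient-V3.1.3:Linux-2.6.32-45-generic-ubuntu:x86")

if __name__ == "__main__":
    print("before:", identifying_fields(BEFORE))
    print("after: ", identifying_fields(AFTER))
```

Note that the MAC is reported from the fixed chaddr field, so spoofing the vendor class alone leaves the (possibly real) hardware address in every request.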

Encryption/Logs

NOTE: This information up to the Paranoid Encryption category is largely taken from the Arch Wiki. However, it is not copy/paste.

There are a few kinds of encryption.

Stacked Encryption:


This is when an encrypted filesystem is stacked on top of an existing filesystem. All files written to the encrypted folder are encrypted "on the fly" before being written to disk.

- eCryptfs

- EncFS

Block Device Encryption:

This, on the contrary, is written below the filesystem layer to make sure that everything written to a certain block device is encrypted.

- dm-crypt + LUKS

- Truecrypt

Example Encryption Schemes:

1. Simple Data Encryption -
Would include an encrypted folder in /home. Might be encrypted in EncFS or truecrypt.

2. Simple Data Encryption(external device) -
Would include an entire external device encrypted with Truecrypt.

3. Partial System Encryption -
Would include the home directories encrypted, perhaps with eCryptfs. SWAP and /tmp separate partitions encrypted with dm-crypt + LUKS.

4. System Encryption -
If using Truecrypt you can't do this in Linux.

5. Paranoid System Encryption -
A rather clever idea. The entire hard drive is encrypted with dm-crypt + LUKS, and the /boot partition is on a separate USB stick. You would have to be freshly installing to do this because I highly doubt that any of you set up your /boot partition to be on a separate USB stick. This way, you can't even boot the OS without the USB.

Be sure that anything sensitive you may have you NEVER put in an unencrypted area. I recommend always having at least an encrypted folder, if not an entire device, on an external drive. That way it is entirely off of your computer. If you accidentally happen to save something in an unencrypted area, don't think that deleting it is good enough. Every *nix should have a built in shredding command.

man shred
Code:
NAME
       shred - overwrite a file to hide its contents, and optionally delete it

SYNOPSIS
       shred [OPTION]... FILE...

DESCRIPTION
       Overwrite  the specified FILE(s) repeatedly, in order to make it harder

Usage: shred [OPTION]... FILE...
Overwrite the specified FILE(s) repeatedly, in order to make it harder
for even very expensive hardware probing to recover the data.

Mandatory arguments to long options are mandatory for short options too.
  -f, --force    change permissions to allow writing if necessary
  -n, --iterations=N  overwrite N times instead of the default (3)
      --random-source=FILE  get random bytes from FILE
  -s, --size=N   shred this many bytes (suffixes like K, M, G accepted)
  -u, --remove   truncate and remove file after overwriting
  -v, --verbose  show progress
  -x, --exact    do not round file sizes up to the next full block;
                   this is the default for non-regular files
  -z, --zero     add a final overwrite with zeros to hide shredding
      --help     display this help and exit
      --version  output version information and exit

I would recommend at least using the u and z flags. If you want to shred the contents of an entire directory you can run this command:
Code:
find -type f -execdir shred -uvz '{}' \;

Logs:

Logs can let someone know what you have been doing on your system. Some common places for logs and temporary data in Linux are:

/tmp
/var/tmp
/var/logs
/home (hidden files and folders)

I would be careful about what you go doing in these directories. Destroying certain files could do serious damage to your operating system. Something else I would watch out for is your swap partition. Data could be saved here if you happen to use swap. This data could be retrieved even though you may not be aware of it. If you have the RAM I would recommend not even making a swap partition. Alternatively, you could mount /tmp as tmpfs (RAM-backed) and it will be cleared at shutdown. You can easily do this in your /etc/fstab. Certain *nixes already have this as default.

If you are thorough(paranoid) enough, you could always write a bash script to run in place of your shutdown command. I don't know how many of you use the terminal to shutdown but if you don't you could always edit whatever shutdown button you use to run your script.

Here's an example script:
Code:
#!/bin/bash
# Truncate all files in /var/log (the path is passed as $1 rather than
# substituted into the shell string, so odd filenames can't break the command)
find /var/log -type f -exec sh -c ': > "$1"' sh '{}' \;

# Clear any other log files you deem necessary
cat /dev/null > ~/.cache/config/openbox/openbox.log
cat /dev/null > blahblah.txt
shutdown -h now

Then you can set your script to an alias:
Code:
alias shutdown='/path/to/bash/script/shutdown.sh'

And add that to your ~/.bashrc. This way all you have to do is open a terminal and run 'shutdown' and you clear all your logs before shutdown. Simple.

Virtualization Software/liveUSB

To be quite honest, I wouldn't worry TOO much about logs. A better idea is to just not do anything illegal on your main OS. There are alternatives.

Virtualbox/VMware:

A good idea is to install some anonymity based OS (or any OS for that matter) in a virtualization software of your choosing. Doing this keeps a lot of sensitive information such as logs and whatnot off of your main OS. Think of it as keeping all your dirty underwear in one tiny basket. I'm not going to teach you how to create a virtual machine here because, it's fucking easy. What I will say is that if you are going to do this you should do it the right way. My recommendation is to follow these steps:

1. Encrypt an external device. Preferably not a USB. You'll probably need something with more room.

2. Before you create the virtual machine, plug in your external and unlock it(since you encrypted it).

3. Set the path of the virtual machine in your settings to the path of the encrypted device. Doing so will make it so that the only way to access your virtual machine is if the device is plugged in and unlocked.

4. For extra security use a couple of keyfiles. Use a few jpegs or mp3 files on yet another external device. That is, if you're paranoid enough. Some good operating systems for doing this might be:

- Virtus (although it runs on Ubuntu 11.10 so maybe not)
- Whonix

Whonix is built specifically for Virtualization software. You can not install this on your actual computer. Due to the way it's built DNS leaks are impossible.

liveUSB:

Using virtualization software is good practice. However, it IS still on your actual computer. A safer way would be to create a liveUSB. You can do this with UNetbootin, LinuxLive USB Creator (LiLi) or the dd command.

dd if=/path/to/iso of=/dev/sdX

Create it with no persistence. What is persistence you ask? Persistence is when any settings or modifications you make on a liveUSB stay, or, persist every time you start up the liveOS.

The downside to creating a USB with no persistence is that every time you decide to boot it up, any settings you may wish to have (such as many of the settings I mentioned in the tut so far) will have to be done every single time. However, the upsides I think outweigh the downsides. Basically, a liveUSB with no persistence is like booting into a fresh install of an operating system every time. So on those warm summer days where you feel like taking a relaxing walk to the public library, sitting down with a cool drink, and hacking the gibson, you can! Just pop in your liveUSB and hack away! Ok, don't really do that. But you get my point. This way when you are done you just yank the thing out and the next time you boot it up it will be like nothing ever happened on the liveUSB. If you are going to do anything really serious, this is a good option. Good operating systems for this might be:

- Privatix
- Liberte
- Tails

Really though you can use any operating system you want. These are just some examples of anonymity based operating systems.

IP address


Ok ok fine. I'll talk about hiding your IP. I'm not going to go quite as in depth as I may have with the other sections of this tutorial because this is only one part of being anonymous that people get too hung up on. Not that it's not important. People seem to think this is all you have to do to be anonymous though, and they are wrong. But, it wouldn't be a complete anonymity tutorial without this part now would it?

Proxies:


Wikipedia says: "In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. Today, most proxies are web proxies, facilitating access to content on the World Wide Web."

Ah yes. Proxies. Some of them log, and some of them don't, but how the hell do we know which ones do and don't? Hard to tell really. There are a few main different kinds of proxies.

- Transparent Proxies: Simply put, a transparent proxy is no good for doing anything illegal. Your IP address is logged and shown. Although these may have the advantage of being a bit faster.

- Anonymous Proxies: These hide your IP address. One downside is that anything you may connect to can probably tell that you are using a proxy. Which may cause problems for you in many cases.

- Elite Proxies: These hide your IP and may hide the fact that you are using a proxy at all, which can be beneficial. These will often be the slowest.

WARNING: Never assume that any proxy is not logging. Even if they say they aren't.

 

A good thing to look at is the country it is in. You should never use a proxy that is in the same country as you. If you've done something worth trying to track you down for, LE won't have any trouble doing so if you used a proxy in your country. What you want to do is figure out which countries have the best privacy laws. Or which ones have the worst so you can avoid them. As far as I know, Sweden has very good privacy laws. China or North Korea however, have shitty ones. The US isn't really the best for internet privacy either. So choose wisely.

Another thing to look at is the different kinds of protocols a proxy may use. Two of the most important ones are HTTP Proxies and SOCKS Proxies. People end up using HTTP proxies by default much of the time.

SOCKS Proxies are lower-level than HTTP Proxies. SOCKS uses a network handshake to send information about a connection. The SOCKS proxy then opens a connection, perhaps through a firewall. HTTP Proxies are transported over TCP and forward an HTTP request through an HTTP server.

Some SOCKS Servers include:

- Dante
- ss5
- Nylon
- sSocks

A simple Google search will yield you some up to the minute proxy lists.

VPNs:

Wikipedia says: "A virtual private network (VPN) extends a private network and the resources contained in the network across public networks like the Internet. It enables a host computer to send and receive data across shared or public networks as if it were a private network with all the functionality, security and management policies of the private network.[1] This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two."

There's a major difference between proxies and VPNs. That difference is anonymity vs. privacy. The best way I can explain this is that anonymity means that someone is sticking his dick in all of the birthday cakes, whereas privacy means that Timmy is in the room with all the birthday cakes, but no one knows what he's doing in there. Keep in mind:

proxy == anonymous(more or less)
VPN == private(Virtual PRIVATE Network)

Generally you can guess that the paid VPNs are going to be more reliable than the free ones, given that you aren't an idiot who paid for it with your personal credit card and your real name. Again, be aware of where the VPNs are located. So if you are in the US, maybe don't use openVPN for anything illegal. Their headquarters are located in California.

Tor:

I refuse to talk about Tor.

Proxy Chaining:

All I can say here is proxychains. It's a very useful tool and it's easy to use. With this tool you can chain proxy to proxy, proxy to VPN, proxy to VPN to Tor (if you want), proxy to proxy to proxy to proxy to proxy to VPN to proxy. But let's not get too excessive.

You will need to take a look at /etc/proxychains.conf. There isn't a manpage for it, all the directions you need are located in the config file. Basically what you do is add whatever proxies or VPNs you may want(make sure to note the IP and the port number) and you add them after this part:
Code:
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

The proxies you add should be in this format:
Code:
type  host  port

So for example:
Code:
socks4 198.10.23.100 80

Then you run a program through the chain by prefixing it with proxychains. The proxyresolv helper that ships with it resolves a hostname through the chain so the DNS lookup doesn't leak from your own machine.
Code:
proxychains firefox
proxyresolv targethost.com

Other Techniques:

Evidently one of the best ways to remain anonymous is to code your own proxy server, say a SOCKS server, and use other people's personal machines as proxies. This way you can be absolutely sure that they don't log. Or you can also look into 3proxy which was posted by ande quite a while back. There are also botnet proxies if you feel like coding yourself a botnet, if that's your thing. This is outside the scope of this tutorial however.

Check Yourself Sites

http://whatsmyuseragent.com/

http://www.whatsmyip.org/

http://www.dnsleaktest.com/

Anonymous Emailing


- SilentSender

- Send Anonymous Email

- GuerrillaMail

- DeadFake

- Mailinator

- Melt Mail
 

Final Notes


This tutorial was inspired by all of the generic, useless, copy/paste anonymity tutorials out there. You know which ones I'm talking about. The ones that say:

"Here's a link to CyberGhost and what VPN's are, here's a proxy list, use Truecrypt, make sure to clean up with CCleaner, watch out for Viruses, here's some links to antiviruses. Full anonymous!"

To all those tutorials out there, thank you for motivating me to write this. This one's for you.

As I've said before, there is no one tutorial out there that will make you completely anonymous. Being completely anonymous is next to impossible. You can take as many precautions as you want but if the NSA is looking for you it doesn't matter how secure your Truecrypt password is and how many keyfiles you have. If you are important enough they won't really need to crack your password. They'll just beat it out of you. Besides many of the techniques I've outlined, being anonymous is common sense. Don't link your real email with your hacker identity. Don't talk about crimes you've committed. Use SSL with IRC. If you are going to do anything really serious, don't do it from home. Don't do it from your personal computer. Best of luck to all of you. Hope you gained something from this tutorial.




------Credit goes to--- -----LUCID----
