How to hide from the NSA and CIA? Basic anonymity techniques for Black Hats
Joas A Santos
Cyber Security Leader | Red Team | Author of Books | Speaker and Teacher
WARNING: The title is just for attention
Anonymity matters whether you have to live under authoritarian laws in your country or simply want sound cybersecurity and OPSEC practices.
It is important to understand that anonymity is not only for people who want to do wrong things; it is a practical way to protect your data and resist surveillance. But enough preamble, let's go straight to what matters.
I am summarizing: this became a 40-minute read, so I decided to shorten it and will probably split it into two parts, one more theoretical and the other more practical.
The Onion Router
The Tor Network, which stands for "The Onion Router", is an internet communication network aimed at user privacy and anonymity. Tor's purpose is to protect users from Internet surveillance by hiding a user's online activity and physical location.
Tor's operation is based on a network of volunteer-run servers, called "nodes" or "relays", which pass traffic from one to the other. When a user connects to the Tor network, the client wraps the traffic in several layers of encryption and sends it through a path of relays it has chosen before it reaches its final destination. Each relay can only remove its own layer, so it knows the previous and the next hop in the chain, but never both the origin and the final destination.
Here's a simplified explanation of how this works:
This chain of nodes is known as a "circuit", and each link in it is a "hop". A normal Tor circuit has three relays: the entry (guard) node, which sees your IP address but not where you are going; a middle relay, which sees neither; and the exit node, which sees the destination (and the plaintext, if the connection itself is not protected by TLS) but not who you are. The exit then connects to the final destination on your behalf.
The idea behind this design is that an observer who sees only part of the network cannot link the user to the destination. Tor Browser also isolates circuits per website and rotates them over time, so separate activities are harder to correlate. The caveat a practitioner must keep in mind: an adversary who can watch both ends of the path (your link to the guard and the exit's link to the destination) can still correlate timing and volume; Tor does not claim to defeat such a global observer.
Browser security settings
Tor Browser's security level (the shield icon) trades web features for attack surface:
Standard: all browser features are enabled.
Safer: JavaScript is disabled on sites without HTTPS, some fonts and math symbols are disabled, and audio and video become click-to-play.
Safest: JavaScript is disabled on all sites, with the Safer restrictions on top; expect some sites to break.
Installing on Linux
If you don't already have it, you can install it using your system's package manager. For example, on Ubuntu, you can install Tor with the following command:
sudo apt-get install tor
Here are some examples of options you can set in the torrc file (/etc/tor/torrc on Debian and Ubuntu):
SOCKSPort: The port on which Tor accepts SOCKS connections from local applications. The default is 9050 on 127.0.0.1. Keep it on loopback: binding it to 0.0.0.0 turns your Tor client into an open proxy for everyone on the network.
For example:
SOCKSPort 9050
Log: Sets the minimum log severity and the destination. For example, to write notice-level and more severe messages to /var/log/tor/notices.log:
Log notice file /var/log/tor/notices.log
ExitNodes: Restricts which exit relays Tor will use, for example to exits in the US. Pinning exits shrinks your anonymity set and makes your traffic pattern more distinctive, so only do it when you have a concrete reason:
ExitNodes {US}
StrictNodes: If set to 1, Tor refuses to build circuits that violate ExitNodes, ExcludeNodes and similar options instead of falling back to other relays; with a too-narrow selection this can leave you with no working circuit at all. For example:
StrictNodes 1
After making your changes, save the file and restart the Tor service for the changes to take effect (tor's --verify-config option checks the file for errors first). On Ubuntu, you can restart Tor with the following command:
sudo service tor restart
Mr. Robot Attacks
(This summary was generated with ChatGPT.)
The specific attack and technical details are not fully explained in the episode, but we can infer some details about how he might have carried out the attack based on our knowledge of hacking and cybersecurity.
It is important to note that the Tor network is designed to provide anonymity both to users and to the servers that host onion services. To do this, it uses a series of intermediary relays, known as "nodes", to hide the source and destination of traffic. However, if an onion service is misconfigured (for example, the web server also listens on a public interface, leaks its real address in headers or error pages, or serves the same content and certificates on the clearnet), it may be possible to trace traffic back to the original server.
Here is a possible way Elliot could have carried out the attack:
It's important to remember that this is just a hypothetical scenario based on how an attack on a Tor server could be carried out. The specific techniques used by Elliot are not explained in detail in the episode. It's also worth remembering that hacking activities are illegal and can have significant consequences.
Proxy
A proxy is a server that acts as an intermediary between the user and the internet. When a user connects to the internet through a proxy server, their connection requests are sent to the proxy server first, and then the proxy server connects to the internet on the user's behalf.
Here is a simplified example of how this works:
Proxy servers can be used for many reasons, including to improve privacy (by hiding the user's IP address), to improve performance (by caching web pages), or to circumvent access restrictions to certain websites.
A common type of proxy server is the SOCKS proxy. Unlike an HTTP proxy, which understands only web requests, a SOCKS proxy forwards TCP connections (and, with SOCKS5, UDP) regardless of the application protocol, so it can carry email, chat, FTP and so on.
Configuring a client to use a SOCKS proxy usually involves the following steps:
For example, to configure Firefox to use a SOCKS proxy, you would do the following (and make sure "Proxy DNS when using SOCKS v5" is ticked; otherwise name lookups still go to your local resolver and reveal every site you visit):
Keep in mind that a proxy is weaker than a VPN or Tor: a plain proxy adds no encryption of its own, its operator sees your real IP address and every request you send, and only the applications explicitly configured to use it are covered; everything else leaves your machine directly. A VPN encrypts traffic up to the VPN provider and Tor up to the exit relay, so in both cases the far end still sees whatever the destination would see.
On Linux, you can set environment variables to point programs at a proxy server. Most command-line tools that speak HTTP (curl, wget, apt, pip, git over HTTPS) honour them; programs that open raw sockets or bring their own network stack ignore them entirely, so this is not a system-wide setting.
Here are the steps to configure a proxy server using the terminal:
Open the terminal.
To configure an HTTP proxy server, use the export command to set the http_proxy environment variable. The scheme describes how to talk to the proxy, which is normally plain HTTP even when the target site is HTTPS (the client sends a CONNECT request to the proxy):
For example:
export http_proxy=http://[username]:[password]@[proxy]:[port]
Replace [username], [password], [proxy] and [port] with your proxy server details. If the proxy server does not require authentication, leave out the [username]:[password]@ part. Special characters in the password must be URL-encoded (for example, @ becomes %40).
For HTTPS destinations, set the https_proxy variable as well. Some tools only read the upper-case spelling (HTTP_PROXY, HTTPS_PROXY), so set both forms if in doubt, and use no_proxy to list hosts that must be reached directly:
export https_proxy=http://[username]:[password]@[proxy]:[port]
To verify that the variable has been set correctly, you can use the echo command. For example:
echo $http_proxy
This should show your proxy server address.
These settings are temporary and are lost when you close the terminal. To make them permanent, add the export commands to the shell's startup file (such as .bashrc or .bash_profile), which runs every time you open a new terminal. Keep in mind that credentials placed there are stored in plaintext, and export lines typed interactively end up in your shell history.
To set up a SOCKS proxy, the process is a little different and depends on the specific program you are using. Many programs have their own SOCKS proxy settings that you need to configure separately, and whether DNS lookups go through the proxy is usually a separate option.
Example:
To run Nmap over the Tor network (or any SOCKS proxy), you need a utility called proxychains. Proxychains uses LD_PRELOAD to hook the connect() call of dynamically linked programs and redirect every TCP connection through the configured proxy. It cannot redirect raw sockets, ICMP, UDP or statically linked binaries, which is why only a TCP connect scan can be tunnelled.
Here are the general steps for configuring and using Nmap with Tor and Proxychains:
Install Tor and Proxychains: Depending on your Linux distribution, you can use the package manager for this.
On Ubuntu, you can use apt (the proxychains4 package is proxychains-ng, the maintained fork):
sudo apt-get install tor proxychains4
Configure Proxychains: The configuration file is /etc/proxychains.conf for the classic version and /etc/proxychains4.conf for proxychains-ng. The [ProxyList] section at the end must point at Tor, which normally listens on 127.0.0.1 port 9050. Use a socks5 entry rather than the socks4 entry shipped by default, and enable proxy_dns: with SOCKS4, host names are resolved locally and every target name leaks to your resolver.
socks5 127.0.0.1 9050
Start Tor: You can do this by running tor in a terminal. On some distributions it may be necessary to start Tor as a service, for example systemctl start tor or service tor start.
Use Nmap with Proxychains: Prefix the nmap command with proxychains (proxychains4 for proxychains-ng). Use -sT (connect scan, the only scan type that goes through connect()), -Pn (skip host discovery, which uses ICMP and would leak your address) and -n (let proxychains resolve names instead of nmap). For example:
proxychains nmap -sT -Pn -n -sV -p 80 www.example.com
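As an added example (not code from the article, nmap or proxychains): a proxychains configuration that keeps DNS inside Tor, and a wrapper that refuses the nmap options which bypass the proxy before anything is sent. It assumes proxychains-ng (binary proxychains4, config /etc/proxychains4.conf) and Tor on 127.0.0.1:9050; set PROXYCHAINS=proxychains for the classic build.

```sh
#!/bin/sh
# Added example, not from the article: a proxychains configuration that keeps
# DNS inside Tor, and a wrapper that refuses nmap options which bypass the
# proxy. Assumes proxychains-ng (binary proxychains4, config
# /etc/proxychains4.conf); set PROXYCHAINS=proxychains for the classic build.
set -eu

# proxychains only intercepts connect() of dynamically linked programs. With a
# socks4 entry it resolves host names locally, leaking every target name to
# your resolver; socks5 plus proxy_dns sends the name to Tor instead.
write_proxychains_conf() {
  cat > "$1" <<'EOF'
strict_chain
proxy_dns
# Tor circuits are slow to build; do not declare connections dead too early.
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
EOF
}

# Return 0 when every nmap option can be honoured behind a SOCKS proxy.
# Raw-socket techniques never call connect(), so proxychains cannot redirect
# them: they go out directly from your real address.
nmap_args_ok() {
  for arg in "$@"; do
    case "$arg" in
      -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sO|-O|--traceroute|-sn|-PE|-PP|-PM|-PS*|-PA*|-PU*)
        echo "refusing $arg: raw sockets bypass the proxy and leak your IP" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Is Tor's SOCKS listener up on loopback? Local check only, no network.
tor_socks_listening() {
  ss -ltn 2>/dev/null | grep -q '127\.0\.0\.1:9050 '
}

# nmap through Tor: connect scan (-sT), no host discovery (-Pn, ICMP would
# leak), and -n so nmap never resolves names itself; proxy_dns handles that.
tor_nmap() {
  nmap_args_ok "$@" || return 1
  tor_socks_listening || { echo "Tor is not listening on 127.0.0.1:9050" >&2; return 1; }
  "${PROXYCHAINS:-proxychains4}" nmap -sT -Pn -n "$@"
}

# Example call (needs tor and proxychains installed):
#   tor_nmap -sV -p 80,443 www.example.com
```

The refusal list is the point: `proxychains nmap -sS target` does not fail, it silently runs a SYN scan from your own address while printing proxychains banners that look reassuring. Version detection (-sV) and NSE scripts that use plain TCP are fine; anything needing raw packets is not.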
Whonix
Whonix is a Debian-based Linux distribution that is designed to provide privacy, security and anonymity on the internet. It does this by utilizing the Tor network for all internet connections and isolating different tasks in different virtual machines to prevent IP leaks and other forms of deanonymization.
The Whonix setup consists of two parts: the Workstation and the Gateway. The Workstation is where the user performs all activities, such as surfing the internet, sending emails, etc. The Gateway is responsible for connecting to the Tor network and routing all Workstation traffic through the Tor network.
Here are some tips and tricks for using Whonix:
1. Regular updates: Whonix is based on Debian, so you can use apt-get to keep your system up to date. It is recommended to do this regularly to ensure you have the latest security patches.
2. Using Tor Browser: Whonix comes with Tor Browser, which is a modified web browser to protect your privacy and anonymity. It is recommended to use Tor Browser for all web browsing activities.
3. Task isolation: One of the key features of Whonix is task isolation. This means you can use different Workstations for different tasks to avoid correlation of activities. For example, you can use one Workstation to browse the web and another to send e-mails.
4. Be careful what you share: Remember that while Whonix can protect your anonymity, it cannot protect you from sharing personal information. Be careful when sharing information that could be used to identify you.
5. Using VPNs or Proxies with Whonix: While it is possible to use a VPN or proxy with Whonix, it is generally not recommended. The Tor network already provides anonymity, and using a VPN or proxy can introduce additional vulnerabilities.
6. Malware protection: Like any system, Whonix can be vulnerable to malware. Therefore, it is important to practice good security habits, such as not downloading files from unknown or untrusted sources.
7. Reading the Documentation: The Whonix documentation is extensive and covers many topics related to internet privacy and security. We highly recommend reading it to better understand how Whonix and the Tor network work.
Install and Configure using KVM
Connect to Host via SSH with tunneled ports:
ssh $USER@$HOST -L 5910:localhost:5910 -L 5911:localhost:5911
Whonix Gateway
cd /var/lib/libvirt/images
wget https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.libvirt.xz
tar -xvf Whonix-Gateway*.libvirt.xz
Create Network:
virsh define Whonix-Gateway*.xml
sed -i 's/virbr1/whonixbr1/g' Whonix_network-*.xml
virsh net-define Whonix_network*.xml
virsh net-autostart Whonix
virsh net-start Whonix
Configure & Start Whonix VM:
virt-xml Whonix-Gateway --remove-device --graphics all
virt-xml Whonix-Gateway --add-device --graphics 'vnc,listen=127.0.0.1,password=test,port=5910,keymap=de'
virsh start Whonix-Gateway
Connect VNC to 127.0.0.1:5910 (through the SSH tunnel opened above) and finish the Whonix wizard. The VNC password is only a weak second layer; keep the listener on 127.0.0.1 so it is reachable solely through the tunnel.
Kali
qemu-img create -f qcow2 /var/lib/libvirt/images/kali.qcow2 32G
Download & Modify Preseed File:
wget -O preseed.cfg https://raw.githubusercontent.com/offensive-security/kali-linux-preseed/master/kali-linux-light-unattended.preseed
sed -i 's/\/dev\/sda/\/dev\/vda/g' preseed.cfg
Install Kali Linux:
virt-install --name kali \
--ram 2048 \
--disk "bus=virtio,path=/var/lib/libvirt/images/kali.qcow2,format=qcow2" \
--vcpus 2 \
--accelerate \
--os-type "linux" \
--noautoconsole \
--network "bridge=virbr0" \
--location "https://http.kali.org/kali/dists/sana/main/installer-amd64/" \
--graphics "vnc,port=5911,password=secret,keymap=de" \
--initrd-inject "preseed.cfg" \
--extra-args "keymap=de"
Start Kali:
virsh start kali
Inside the Kali guest, install the full tool set:
apt-get install kali-linux-full
Change Network to the Whonix Gateway's internal Network:
virsh detach-interface kali --type bridge
virsh attach-interface kali --type=bridge --source=whonixbr1
Configure Kali Network:
Reboot:
virsh destroy kali
virsh start kali
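The "Configure Kali Network" step above has no content on the page, so here is an added example (not from the article or the Whonix project) of what it needs: a static configuration for the guest's interface on whonixbr1, plus two checks that the workstation can only reach the internet through the Gateway. The addresses are Whonix's documented internal-network defaults (Gateway 10.152.152.10, Workstation 10.152.152.11 with netmask 255.255.192.0); verify them against the Whonix version you downloaded, and adjust the interface name (eth0 vs ens3) for your guest.

```sh
#!/bin/sh
# Added example, not from the article or the Whonix project: the network
# configuration the "Configure Kali Network" step needs, plus two checks that
# the workstation can only reach the internet through the Gateway. The
# addresses are Whonix's documented internal-network defaults (Gateway
# 10.152.152.10, Workstation 10.152.152.11/18); verify them against the
# Whonix version you downloaded.
set -eu

GATEWAY_IP=10.152.152.10

# Static addressing for the guest's interface on whonixbr1: no DHCP, and the
# Gateway is both default route and DNS server. Writes an ifupdown file;
# on Kali the interface name may be eth0 or ens3.
write_kali_interfaces() {
  out="$1"
  iface="${2:-eth0}"
  cat > "$out" <<EOF
auto $iface
iface $iface inet static
    address 10.152.152.11
    netmask 255.255.192.0
    gateway $GATEWAY_IP
    dns-nameservers $GATEWAY_IP
EOF
}

# Read "ip route" output on stdin: pass only if there is exactly one default
# route and it points at the Gateway. A second default route (for example a
# leftover from the virbr0 bridge used during installation) is a clearnet leak.
route_is_tor_only() {
  gw="${1:-$GATEWAY_IP}"
  awk -v gw="$gw" '
    $1 == "default" { defaults++; if ($3 != gw) bad++ }
    END { exit (defaults == 1 && bad == 0) ? 0 : 1 }'
}

# Read /etc/resolv.conf on stdin: every nameserver must be the Gateway,
# otherwise DNS queries bypass Tor even when TCP traffic does not.
resolv_is_gateway() {
  gw="${1:-$GATEWAY_IP}"
  awk -v gw="$gw" '
    $1 == "nameserver" { n++; if ($2 != gw) bad++ }
    END { exit (n >= 1 && bad == 0) ? 0 : 1 }'
}

# Run both checks on the live guest.
check_workstation() {
  ip route | route_is_tor_only || { echo "FAIL: default route does not go via $GATEWAY_IP"; return 1; }
  resolv_is_gateway < /etc/resolv.conf || { echo "FAIL: resolver is not the Gateway"; return 1; }
  echo "OK: all traffic and DNS go through the Whonix Gateway"
}
```

Run write_kali_interfaces against /etc/network/interfaces inside the guest, reboot, then run check_workstation. The route check is what catches the mistake this procedure invites: the VM was installed on virbr0 (NAT to the host) and, if that interface or its DHCP lease survives the switch to whonixbr1, the guest keeps a direct path to the internet next to the Tor one.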
Tails
Tails, which stands for The Amnesic Incognito Live System, is a Debian-based Linux distribution that is designed to provide privacy and anonymity. Like Whonix, Tails uses the Tor network to anonymize all Internet connections.
Tails is a live operating system: it runs from removable media such as a DVD or USB stick and does not need to be installed on the computer's hard drive. One of its main features is that it leaves no trace on the computer it runs on. It never touches the internal hard drive unless you explicitly ask it to, and it works entirely in RAM, which it wipes on shutdown to make cold-boot recovery of keys and data harder.
Here are the general steps for configuring Tails:
Here are some notable examples of how Tails has been used historically:
As an operating system focused on privacy and security, Tails has been an important tool for many individuals and organizations working in sensitive areas or facing powerful adversaries such as governments and corporations.
VPN (Virtual Private Network)
VPN, or Virtual Private Network, is a technology that creates an encrypted connection between your device and a VPN server across a network, usually the internet. While the VPN is up, traffic travels through this virtual "tunnel", so anyone between you and the VPN server (your ISP, the coffee-shop WiFi) cannot read or tamper with it; the VPN provider itself, and everything beyond it, still can.
VPNs are used for several purposes:
.ovpn is the profile format used by OpenVPN, an open-source VPN implementation. An .ovpn file contains everything needed to connect: the server address, certificates and keys (often inline), and any specific configuration options. Because it carries key material and may include directives that run commands on your machine, treat a profile as both a secret and untrusted code.
To use an .ovpn file, you need a VPN client that supports OpenVPN, such as the OpenVPN client itself. You import the .ovpn file into the client, which then uses the information in the file to connect to the VPN.
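As an added example (not code from OpenVPN or the article): an audit of an .ovpn profile before you import it. A profile is effectively a script the client executes: with `script-security 2` or higher, an `up`, `down` or `plugin` line runs arbitrary commands as the user that starts OpenVPN, and a profile that omits `remote-cert-tls server` lets any certificate signed by the provider's CA (including another customer's client certificate) impersonate the server. The directive names are OpenVPN's; the sample profiles in the test are constructed.

```sh
#!/bin/sh
# Added example, not from OpenVPN or the article: audit a downloaded .ovpn
# before importing it. Findings are printed one per line; the return value is
# 1 if anything that should block the import was found.
set -eu

audit_ovpn() {
  f="$1"
  rc=0
  # OpenVPN treats '#' and ';' as comment starters; strip them first so a
  # commented-out "up" line does not count.
  clean=$(sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$f")

  # 1. Command-execution hooks. None of these belong in a provider profile.
  if printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*(up|down|route-up|route-pre-down|ipchange|client-connect|learn-address|tls-verify|auth-user-pass-verify|plugin)[[:space:]]'; then
    echo "FAIL: profile runs external commands (up/down/plugin/...)"; rc=1
  fi
  if printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]'; then
    echo "FAIL: script-security 2+ allows those hooks to execute"; rc=1
  fi
  # 2. Server authentication. Without this, any cert from the same CA
  #    (another client's, for instance) can pose as the server.
  if ! printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|verify-x509-name[[:space:]])'; then
    echo "FAIL: no 'remote-cert-tls server' or verify-x509-name"; rc=1
  fi
  # 3. Control-channel hardening: tls-crypt (or tls-auth) authenticates and,
  #    for tls-crypt, encrypts the TLS handshake itself.
  if ! printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*(tls-crypt|tls-auth|<tls-crypt>|<tls-auth>)'; then
    echo "WARN: no tls-crypt/tls-auth on the control channel"; rc=1
  fi
  # 4. Plaintext credentials referenced from the profile.
  if printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]]'; then
    echo "WARN: auth-user-pass points at a plaintext credentials file"; rc=1
  fi
  # 5. Informational only: the server usually pushes redirect-gateway, but if
  #    neither side sets it, clearnet traffic keeps flowing outside the tunnel.
  if ! printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*redirect-gateway'; then
    echo "INFO: no redirect-gateway in the profile; confirm the server pushes it"
  fi
  return "$rc"
}

# Usage: audit_ovpn provider.ovpn && openvpn --config provider.ovpn
```

Running `audit_ovpn` before `openvpn --config` turns the "import the file the provider gave you" step into a reviewable one. Even a clean profile deserves a second look at the `remote` lines and the inline `<ca>` block: those decide whom you are trusting with all your traffic.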
Tor + VPN?
Yes, it is technically possible to use a VPN together with the Tor network, but how useful the combination is depends entirely on what you are trying to achieve and the threat model you face. Here are two common configurations: connecting to the VPN first and running Tor through it (your ISP sees only the VPN, the VPN provider sees only that you use Tor), or running Tor first and the VPN through it (the provider sees you as a Tor user and becomes a fixed exit that can log all your traffic, which trades away the rotating exits Tor gives you; this is the arrangement the Whonix tips above warn about).
Configuring your VPN
HINT:
Create your own VPN?
Ensuring users' security and privacy: here are some ways to ensure users' security and privacy on a VPN service:
Keep in mind that operating a VPN service is both a technical and a legal challenge: you become the party that holds the logs and receives the legal requests. Research and understand all the implications before proceeding.
VPN Solutions
https://alerdium.io/ (not tested)
"The main detail to be looked at in the VPN is how the activity logs are stored."
"Wireguard or OpenVPN?"
"Double-Connection or VPN Chaining?"
Torbox
What’s this all about?
TorBox is an easy-to-use anonymizing router based on a Raspberry Pi. TorBox creates a separate WiFi network that routes the encrypted network data over the Tor network. Additionally, TorBox helps to publish data easily and safely through Onion Services. The type of client (desktop, laptop, tablet, mobile, etc.) and the operating system on the client don't matter.
Tor, on which TorBox is based, encrypts your network data from your client to the Tor exit node, overcomes censorship, and anonymizes your data stream. Commonly, Tor is used through the Tor Browser, which facilitates surfing the web or accessing onion services (.onion websites). However, there are also other programs using Tor, like the peer-to-peer messenger app Ricochet Refresh, TorBirdy (an extension for Mozilla Thunderbird) and OnionShare. But wouldn't it be convenient to route all your data through the Tor network, independently of the client, the service, and the program being used?
TorBox accomplishes this by creating a separate WiFi network and routing all network data over the Tor network. Clients can also be connected to a TorBox using an Ethernet cable. The TorBox image file (~1.1 GB) can be run on a low-priced Raspberry Pi.
TorBox can be connected to an Internet router through an Ethernet cable, but it can also be used in connection with another (unsecured) WiFi, even one with a captive portal.
VPS (Virtual Private Server)
VPS is the acronym for Virtual Private Server. It is a type of hosting service that gives each user a dedicated server environment on a physical machine shared by multiple users. This is accomplished with virtualization technology, which divides a physical server into several separate virtual "machines". For anonymity work, remember that a VPS is only as anonymous as the way you paid for it and the way you connect to it: the provider holds your payment details and connection logs.
How to set up a VPS:
Benefits of a VPS:
Dedicated Resources: Unlike shared hosting where server resources (CPU, memory, storage) are shared among many users, in a VPS you have a specific amount of resources reserved just for you.
Full control: You have full control over the server environment, which means you can install any software you want and configure the server the way you see fit.
Scalability: As your needs grow, it's easy to upgrade your VPS package for more features.
Isolation: As each VPS is a separate environment, your processes are not affected by what other users are doing on the server.
Cost-effectiveness: VPS plans tend to be more affordable than physical dedicated servers and offer many of the same benefits.
Solutions:
Sock Puppet
The term "sock puppet" is used to refer to a false or alternate online identity created by a person or organization. Typically, sock puppets are used to influence online discussions, manipulate public opinion, or spread misinformation. In some cases, they can also be used for spying or intelligence gathering purposes.
In the context of Open Source Intelligence (OSINT), a sock puppet can be used to collect information without revealing the real identity of the collector. For example, a sock puppet can be used to infiltrate an online group, participate in discussions, ask questions, and gather information without arousing suspicion.
Secure Mailer
Email encryption is a method of protecting the privacy and security of email messages by encoding them so that only the intended recipient can read them. This is done with a cryptographic key that is used to encode and decode the messages.
There are two main types of email encryption:
Advantages of email encryption include:
Privacy: Email encryption ensures your messages remain private and can only be read by the intended recipient.
Security: Email encryption protects your messages from being intercepted and read by malicious third parties.
Data Integrity: Email encryption can also help ensure the integrity of your messages, ensuring they haven't been altered in transit.
Authentication: Some email encryption systems also provide authentication, which means you can be sure the message really came from the person it says it came from.
There are several secure mail solutions available that prioritize encryption and privacy. Here are a few examples:
Encrypted Messaging Apps
Other Encrypted Messaging
Disk Encryption
Disk encryption is a technology that protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. It uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume.
Two types of disk encryption include:
Techniques of Disk Encryption:
Some of the most popular disk encryption software includes:
Hints:
On Linux hosts, it may be possible to obtain plausible deniability using methods other than those listed below, but this topic is a rabbit hole. Plausible deniability and full disk encryption (FDE) are also useless if you are physically coerced by an attacker. A safer option is to leave no detectable data on the personal computer at all. The Whonix grub-live package provides amnesic functionality on Debian hosts and in the Whonix virtual environment. When used exclusively within a virtual machine, it can provide adequate legal protection if several precautions are taken.
To protect against theft of information or personal data on the host, FDE should be used, and the computer should be turned off during high-risk situations such as travel. In the case of laptops, the battery should be temporarily removed after powering down. This ensures that the RAM chips are completely deactivated and all encryption keys in memory are gone. Hibernation is also a safe alternative, as the swap partition is encrypted in the default FDE setup for several platforms (e.g., Debian), provided that no changes have been made.
Additional
Removing the Luks Headers
Removing the LUKS header is a destructive measure that makes the data on an encrypted disk unrecoverable. The header holds the key slots (the master key encrypted under each passphrase) and the parameters needed to decrypt the data, so without it the ciphertext is useless. Two caveats: if a header backup was ever made with cryptsetup luksHeaderBackup, whoever holds it can restore access, and on SSDs an overwrite may leave the old header in spare blocks that wear levelling has retired.
To remove the key material with cryptsetup, replace /dev/sdXY with the encrypted partition and answer YES to the prompt:
sudo cryptsetup luksErase /dev/sdXY
Note that luksErase destroys all key slots but leaves the rest of the header in place, so the partition is still recognisable as a LUKS container. To overwrite the header itself, without prompting, run:
sudo dd if=/dev/zero of=/dev/sdXY bs=1M count=2 conv=fsync
This overwrites the first two megabytes of /dev/sdXY, which covers the entire LUKS1 header. With LUKS2 the default header is 16 MiB since cryptsetup 2.1.0 (the Debian Buster default); earlier cryptsetup versions used a 4 MiB LUKS2 header. Adjust the count accordingly (count=16 or count=4). To be sure, read the header size from cryptsetup luksDump <device>: LUKS1 prints the payload offset in 512-byte sectors, LUKS2 prints the data segment offset in bytes.
Nuke Patch for cryptsetup
The Nuke Patch for cryptsetup is a feature implemented by the Kali Linux team (now shipped as the cryptsetup-nuke-password package). It adds a "nuke" passphrase to cryptsetup: entering it at the unlock prompt erases all key slots, rendering the encrypted data on the drive inaccessible, hence the name.
The concept behind this patch is that someone forced to reveal their encryption password could instead provide the "nuke" password, which deletes all encryption keys and leaves the data unreadable. One practical point: the nuke is only recoverable for you if you keep an offline header backup (cryptsetup luksHeaderBackup) somewhere the adversary cannot reach; without one it is simply a fast way to lose your own data.
Here's how to implement the Nuke Patch on cryptsetup:
Separate / boot partition
When using Full Disk Encryption (FDE) on a host, it's often recommended to keep the /boot partition separate from the rest of the encrypted system. This is because the /boot partition contains the initial boot loader and kernel image, which need to be accessible for the system to start up. However, if these files are stored unencrypted, they could potentially be tampered with, compromising the security of the rest of the system.
Here's how you might set up a separate /boot partition:
Remember that an attacker with physical access to the system could still tamper with the /boot partition (the "evil maid" scenario: a modified initramfs that captures your passphrase). Some users mitigate this by keeping /boot on a USB stick that stays with them when the computer is unattended; verifying the boot files against known-good hashes, or relying on Secure Boot with a measured boot chain, are the alternatives.
TRESOR Kernel Patch
The TRESOR Kernel Patch is a Linux security feature that is used to mitigate the risk of cold boot attacks, which involve an attacker obtaining encryption keys from a machine's RAM.
Traditional full-disk encryption systems keep the encryption key in RAM while the system is running. This exposes the key to any process with sufficient privileges (root or the kernel), to DMA-capable peripherals, and to cold-boot attacks: data in RAM persists for a short time after power loss, long enough to move the modules to another machine and dump them.
TRESOR addresses this by keeping the AES key inside the CPU, specifically in the x86 debug registers, and performing AES entirely in CPU registers so the key never touches RAM. That makes the key much harder to extract, and it is lost the moment the system is powered down, which defeats cold-boot attacks on the key. Note that it protects only the disk encryption key: the plaintext of files you have opened still sits in RAM like on any other system.
However, there are some limitations to TRESOR:
USBKill
USBKill is an anti-forensic script written after the Silk Road case, in which the laptop was seized while it was unlocked. Its purpose is to react to the events that precede a live forensic acquisition: plugging in a device to copy files, install malware, or run a mouse jiggler that keeps the screen from locking. The script keeps a whitelist of known USB devices; if anything else is connected, it can wipe RAM and swap and shuts the computer down immediately, so the disk encryption keys are gone by the time the machine is examined.
USBKill can also be configured so that no new device at all may be connected. In another high-security configuration, a whitelisted flash drive serves as the key and must remain in the USB port permanently; if it is forcibly removed, the program runs the same procedure.
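As an added example (not the usbkill project's own code, which is a Python tool): the core of such a watchdog in shell, so the mechanism is visible. It records the vendor:product IDs lsusb reports as an allowlist, then polls for any ID that is not on it and triggers a panic action. The lsusb lines in the test are constructed; the panic action (sync, then a forced poweroff) and the polling interval are assumptions you will want to adapt.

```sh
#!/bin/sh
# Added example, not the usbkill project's code: the core of a USB watchdog.
# It compares the devices lsusb reports against an allowlist recorded earlier
# and, on any stranger, runs an emergency action. Run it as root.
set -eu

# Print "vendor:product" pairs from lsusb output (stdin), one per line, sorted.
usb_ids() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "ID") { print $(i + 1); break } }' | sort
}

# Print IDs present in the lsusb output on stdin that are not in the allowlist
# file. Root hubs (vendor 1d6b, the Linux Foundation) are always allowed;
# everything else must be listed explicitly.
unknown_usb_devices() {
  allow="$1"
  usb_ids | grep -v '^1d6b:' | grep -vxF -f "$allow" || true
}

# Record the current devices as the allowlist. Run once, with only your own
# peripherals attached.
record_allowlist() {
  lsusb | usb_ids > "$1"
}

# What to do when a stranger appears. A forced poweroff is the point: it cuts
# power to DRAM, so the disk encryption keys and everything decrypted in memory
# start decaying before anyone can image it.
panic_action() {
  sync
  poweroff -f
}

# Poll once a second. One unknown device is enough to trigger.
watch_usb() {
  allow="$1"
  while :; do
    if [ -n "$(lsusb | unknown_usb_devices "$allow")" ]; then
      panic_action
    fi
    sleep 1
  done
}

# Usage:
#   record_allowlist /etc/usb-allowlist
#   watch_usb /etc/usb-allowlist
```

Two limitations worth knowing before relying on this: a device that spoofs an allowlisted vendor:product pair passes the check (the real usbkill has the same weakness, which is why it also offers the "no new devices at all" mode), and a one-second poll leaves a window in which a fast acquisition tool can start copying. Shorter intervals cost little.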
Clear hard disk table and sectors
If you want to completely clear a hard disk drive, erasing all the data on it, you can do this with the dd command on Linux. It overwrites every block the drive exposes with zeros. On a conventional (spinning) disk a single pass is considered sufficient by NIST SP 800-88; on an SSD or NVMe drive an overwrite cannot reach blocks that wear levelling has remapped, so use the drive's own secure-erase or sanitize command there (blkdiscard, hdparm --security-erase, nvme format) instead of dd.
Before proceeding, please be aware that this will permanently delete all data on the drive. Make sure you have backed up any important data, and that nothing on the drive is still mounted, before you do this.
Here is the command:
sudo dd if=/dev/zero of=/dev/sdX bs=1M conv=fsync status=progress
Replace sdX with the correct identifier for your hard drive. For example, it might be sda for the first hard drive. You can check the identifiers for your drives with the lsblk or fdisk -l command.
The dd command works as follows:
Please note that this operation can take a long time, depending on the size and speed of your hard drive.
After running this command, your hard drive will be completely empty, and you will need to create a new partition table and file system on it before you can use it again.
If you want to overwrite the drive with random data instead of zeros, use /dev/urandom as the input file:
sudo dd if=/dev/urandom of=/dev/sdX bs=1M conv=fsync status=progress
This is somewhat slower than zeros (modern kernels generate urandom output quickly), and on today's drives it offers no practical recovery advantage over a single zero pass; its real benefit is that a randomised disk is indistinguishable from an encrypted one.
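As an added example (not code from the article or cryptsetup) serving both the "Removing the Luks Headers" section above and this one: a script that reads the real header size out of cryptsetup luksDump output instead of guessing 2, 4 or 16 MiB, wipes exactly that region, and picks the whole-device wipe method that fits the medium. The luksDump samples in the test are constructed to match the LUKS1 and LUKS2 output formats; device names are placeholders, and status=progress assumes GNU dd.

```sh
#!/bin/sh
# Added example, not from the article or cryptsetup: compute how many bytes a
# LUKS header occupies from luksDump output, wipe exactly that region, and
# choose a whole-device wipe method that fits the medium. Device names are
# placeholders; run nothing here against a disk you still need.
set -eu

# Parse `cryptsetup luksDump` output (stdin) and print the header size in
# bytes. LUKS1 reports "Payload offset" in 512-byte sectors; LUKS2 reports
# the first data segment's offset in bytes.
luks_header_bytes() {
  awk '
    /^Version:/                 { version = $2 }
    /^Payload offset:/          { sectors = $3 }
    /^[ \t]*offset:/ && $3 == "[bytes]" && bytes == "" { bytes = $2 }
    END {
      if (version == 1 && sectors != "") { print sectors * 512; exit 0 }
      if (version == 2 && bytes != "")   { print bytes;         exit 0 }
      exit 1
    }'
}

# Wipe only the header region. conv=fsync forces the write through to the
# device. Remember that a luksHeaderBackup stored elsewhere undoes this, and
# that flash media may keep the old header in retired blocks.
wipe_luks_header() {
  dev="$1"
  bytes=$(cryptsetup luksDump "$dev" | luks_header_bytes) || { echo "$dev: not a LUKS device" >&2; return 1; }
  mib=$(( (bytes + 1048575) / 1048576 ))
  dd if=/dev/zero of="$dev" bs=1M count="$mib" conv=fsync status=progress
}

# Choose a whole-device method from the device name and its ROTA flag
# (lsblk -d -o NAME,ROTA; 1 = spinning disk). dd only reaches blocks an HDD
# exposes; SSD/NVMe keep wear-levelled copies that overwrites never touch, so
# hand the job to the device's own discard/sanitize command there.
choose_wipe_method() {
  name="$1"
  rota="$2"
  case "$name" in
    nvme*) echo "nvme format /dev/$name --ses=1" ;;
    *) if [ "$rota" = "1" ]; then
         echo "dd if=/dev/zero of=/dev/$name bs=1M conv=fsync status=progress"
       else
         echo "blkdiscard /dev/$name   # or: hdparm --security-erase"
       fi ;;
  esac
}

# Refuse to touch a device with mounted filesystems. Reads /proc/mounts (or
# `mount` output) on stdin; matches the device itself and its partitions.
device_is_mounted() {
  grep -Eq "^$1(p?[0-9]+)? "
}

# Usage:
#   device_is_mounted /dev/sdb < /proc/mounts && { echo "still mounted"; exit 1; }
#   wipe_luks_header /dev/sdb1
#   choose_wipe_method sdb "$(lsblk -dn -o ROTA /dev/sdb)"
```

The mounted-device check is the one people skip: dd happily zeroes a disk whose filesystem is in use, and the kernel's page cache then hides the damage until the next reboot. Running `device_is_mounted` before any wipe costs nothing and turns a silent disaster into an error message.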
Data destruction by Mr. Robot (not recommended)
Elliot drilled holes in the hard drives to expose the platters to air and dust. The metal shavings would have also scratched the surface of the platters and the holes themselves would have either prevented the platters from spinning altogether or would have screwed up the read/write head if anyone tried to recover the data. Personally, when I destroy a hard drive, I prefer to go over each side of the platters with a belt sander just to be sure. But when in a pinch, drilling holes is probably good enough. Even just removing the cover would make data recovery very difficult.
For the motherboards, he removed the DRAM, BIOS ROM, and CMOS RAM chips, which may have contained identifying information. Crushing them would have probably done the trick, but throwing them in the microwave was faster. He did the same for his MicroSD and SIM cards.
The rest of the PC he just threw in the trash, which again, is fine in a pinch. But a lot of the other chips on the motherboard and hard drive controller could have contained persistent writable memory and should have been destroyed as well. But maybe he did that and we just didn't see it.
Don't do this at home. I recommend looking at the reddit thread above for more details; there are better methods involving electrical discharge and the like.
General OpSec Techniques
Operational Security (OpSec) techniques for maintaining anonymity often involve obscuring your identity, encrypting your communications, and using secure systems. Here are ten such techniques and example tools:
Anti-Forensic and Hardware Solutions
Conclusion
Anti-forensics, anonymity and OPSEC methods go far beyond what has been shown here: using alternate phone numbers, wiping metadata from files and photos, keeping information on encrypted USB drives (and on read-only media that cannot be written to), using P2P communication channels or channels built on cryptographic keys and secure tunnels, mapping your own tracks on the internet with OSINT techniques (the well-known digital footprint), and even investing in dedicated equipment. All of this costs money and effort, so depending on your situation it may be better to do the minimum. Being a Black Hat is not as simple as the movies make it look; but half of what I have shown here you can use day to day as a Red Teamer and White Hat to run campaigns and test your internal team.
Another consideration is how you make monetary transactions: look for currencies that use more sophisticated privacy technologies and make tracking and abuse detection difficult.
Other methods not covered here are encryption and steganography, the techniques for hiding a file or message inside a photo, an audio file, or even another file. Example:
Other Content about Anonymity
https://www.youtube.com/watch?v=5bcbmef4I3I&ab_channel=AltiumStories
https://www.youtube.com/watch?v=rMSgnOYcEVE&ab_channel=DoingFedTime
https://www.youtube.com/watch?v=eSoOUvpb2HU&ab_channel=BlackHat
https://www.youtube.com/watch?v=E4SYtCOYzQM&ab_channel=CATx003_
https://www.youtube.com/watch?v=qsvMhGXBdg8&ab_channel=CATx003
Offensive security OFFSEC | IT news monitoring | CTF PLAYER (hands on keyboard) | just a self-taught enthusiast (Ethical Hacker) | Humour & very black coffee // 300 olive trees and goats in the Larzac ...
1 yr: Backdoored ciphers, backdoored hardware, bogus software, 0-days thanks to BULLRUN, Tor's exit nodes, deep packet inspection = spoiler alert (they own you). Your privacy is gone (it was possible in the 20th century though).
Certified Ethical Hacker (Master C|EH) | Offensive SecOps | OSINT Investigator || Cyber warrior @Hackers Arise || Cyberdefense | GRC | SIEM | SOC || Cybersecurity Engineer || SCADA/ICS
1 yr: This makes it more difficult for them to find you, but you CANNOT really hide from the NSA. Unfortunately, anonymity is a myth!
RNTT Faculty Southeast Missouri State University
1 yr: Nice article