I do not endorse illegal activity of any kind. This is pure theory. I’m posting this so that you can learn how malicious hackers could hide from law enforcement. Be smart.
Hacking anonymously is a much-debated topic on hacker forums and in other hacking communities. Do you use VPNs, proxies, VMs…? I’m not claiming the way I’m going to show you is an end-all, ultimate anonymity setup. Such thinking is foolish and is the kind of thinking that gets you caught. There are some basic concepts about anonymity you have to understand. No matter what you do, if enough resources are used to try to find you, then you will be found. Your goal is to be anonymous enough that the amount of resources required to find you is too high a price for your adversaries to pay. To put it in plain English, you have to be hard enough to find that nobody can and/or wants to put in the necessary time and money to find you. The other concept you must be aware of is that anonymity isn’t a toolset or a piece of software. It’s the good habits that keep you safe, and constantly staying alert. Now let’s get to the juicy stuff. I haven’t seen this elsewhere, but it may have been done before.
Anonymity starts at the OS level (or lower if you’re a real psychopath). OSs keep logs and reveal things about themselves in various ways. You have two main threats from your OS: 1) what your OS remembers (things saved to disk like files, logs, etc.) and 2) what your OS tells people about itself (browser fingerprinting, open ports, etc.). What an OS remembers about you is fairly easy to circumvent. Most people say to use a VM. I tend not to prefer this, though, since VM software writes to the host OS disk, and trying to get it to leave no trace at all is more trouble than it’s worth. Keeping anonymity simple is critical. I like to use live USBs for running a Linux distribution. Usually Kali, since it’s so widely supported. A live USB, for those of you who don’t know, is essentially an operating system installed on a USB stick. Your normal computer has its OS installed on the hard drive. The USB can be thought of as a mini hard drive. The great thing about live USBs is that they save nothing to any disk. It’s all in memory (which goes away as soon as you turn off the computer). Unless you explicitly make it, the USB won’t touch your other hard drive. The USB itself will forget everything as soon as you turn the computer off. So that more or less eliminates the threat of incriminating files or logs on your OS.
Next we look at three identifying aspects of your OS related to networking. Open ports are one thing you may not think of. Which ports are open on a machine can be used to accurately guess what OS is running. How likely is it that someone port-scans your system? Very unlikely. However, automated programs on other computers (routers or other devices) may or may not do a little network exploration. In general, try to keep ports closed. You can run
ss -ant | grep -i "listen" to see what ports are open.
Hostname is another thing to be aware of. It’s only significant in very specific cases, but it’s easy to change and doesn’t hurt. Hostnames show up in WiFi APs’ logs and connected-device lists. A hostname of ‘kali’ is kind of suspicious, since Kali is a security-oriented OS. To change it, just enter this in a terminal (as root):
echo "LAPTOP-16821" > /etc/hostname; hostname LAPTOP-16821
Your MAC address is an important thing to address. It is (theoretically) unique to your hardware, so we need to make sure to change it. You can do it manually with ifconfig, but then you have to come up with your own MAC address. I prefer to use macchanger. Just enter
macchanger -r <interface>. This will give you a random MAC address on the specified interface.
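As an added check for the "what your OS tells people about itself" part above (example code, not from the original post), this script parses `ss -lnt` output and reports the TCP listeners bound to something other than loopback, i.e. the ports a neighbour on the same network could see. The `ss` output embedded below is constructed; `audit_live_host()` runs the real command on a Linux box.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -lnt` output (header + five listening sockets).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       50      [::1]:5432           [::]:*
"""

def split_addr_port(local):
    """Split ss's 'addr:port' form, handling bracketed IPv6 and '*'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)

def is_exposed(host):
    """True if the bind address is reachable from other machines."""
    if host in ("*", ""):          # ss prints '*' for a wildcard bind
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True                 # unknown form: assume exposed
    return addr.is_unspecified or not addr.is_loopback

def exposed_listeners(ss_output):
    """Return (host, port) pairs that are not loopback-only, sorted by port."""
    found = set()
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_addr_port(fields[3])
        if is_exposed(host):
            found.add((host, port))
    return sorted(found, key=lambda hp: (hp[1], hp[0]))

def audit_live_host():
    """Run ss on this machine (Linux only) and return its exposed listeners."""
    out = subprocess.run(["ss", "-lnt"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_listeners(out)

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {host}:{port}")
```

On the sample, only the two SSH binds and the wildcard port 80 are reported; the CUPS and PostgreSQL listeners on loopback are not.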
Now we venture a little further than our local network. Firstly, do not use your home network. If your other anonymity measures get bypassed, it will lead straight to your house. This is obviously pretty bad. Break into someone else’s wifi or use a public network. This next step requires a little bit of money. You have to buy a bulletproof VPS or server. A higher-grade one is ideal, but not 100% necessary. This is where we stage our attacks from. The server should be geographically located in a country that is hostile to your home country and/or doesn’t have an extradition agreement with it. The idea is that all our hacking tools are installed on this server. We SSH into it from our live USB-equipped laptop over TOR. The reason we go through TOR to our own server is the scenario where the server is compromised or seized by law enforcement. The server won’t have any logs containing your real IP, just your TOR exit node IP. Of course, periodically wipe the server to remove traces in logs that would show your activities. Or just wipe the logs ;). Now, if at all possible, we don’t want this server to get “burned” (discovered by law enforcement or hacked itself). So we’ll set up a proxy system of sorts. But do not pay for proxies or use free ones. Both can potentially stab you in the back through various means. Instead, compromise vulnerable systems. Low-hanging fruit like servers with weak passwords or known exploitable vulnerabilities are ideal targets. We essentially set these up as proxies. If you can chain through several of these “proxies”, that’s even better.
So now we take a brief look at how this works in action. Say we want to do a portscan of a target. Using our computer with the live USB, we SSH into our server over TOR and use a portscanning tool installed on the server to scan the target, with the compromised systems as proxies. Let’s break down how this protects you. If you attack a system and an investigation is started, they’ll likely start by looking over the system (or a copy of the system, to avoid tainting any evidence). They’ll probably find some suspicious activity at some point or another in the logs. Once they track down the suspicious activity, they might find your IP address. If law enforcement is doing the investigation, they might go to the ISP the malicious traffic originated from. They can probably get some details like where you live, who you are, etc. But even if that IP is located somewhere in the law enforcement’s jurisdiction, that isn’t your IP. It’s the IP of one of your proxies. The system itself could be a home user’s PC, a company server, or whatever else. If the system isn’t even in the law enforcement agency’s jurisdiction, this further complicates things. They’ll have to cooperate with the other country’s law enforcement, and it just gets difficult. Now say they track down the location of the proxy. They still have to figure out that the malicious traffic didn’t originate from this device. If or when they do, it may be tracked to another proxy. But it’s pretty much the same story as the last proxy. Say they track things all the way back to the hacking server. They may get some evidence or clues from the logs (again, assuming the bulletproof service and hosting country even let law enforcement access the service). And even if they get some clues from that, they don’t have your real IP address. They just have the TOR exit node IP. The chances of them cracking TOR are pretty low. If the investigation hasn’t stopped by now, it may well die here.
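The chain above leaves one fingerprint the post itself names: the staging server's sshd log holds a Tor exit node IP. From the defender's side, an SSH login arriving from a known Tor exit is the thing to alert on. The following added example (not the post's code) parses sshd "Accepted"/"Failed" lines and flags the ones whose source is in a Tor exit set; the log excerpt and the exit set are constructed, and the address ranges are RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed Tor exit set. In production, refresh it on a schedule from the
# Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist).
TOR_EXITS = {"203.0.113.7", "198.51.100.33"}

# Constructed /var/log/auth.log excerpt from a hypothetical host "vps".
SAMPLE_AUTH_LOG = """\
Mar 12 03:14:07 vps sshd[1201]: Accepted publickey for root from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:placeholder
Mar 12 03:14:09 vps sshd[1201]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 12 03:20:41 vps sshd[1288]: Failed password for invalid user admin from 198.51.100.33 port 40022 ssh2
Mar 12 04:02:15 vps sshd[1302]: Accepted password for deploy from 192.0.2.10 port 60001 ssh2
Mar 12 04:05:55 vps sshd[1310]: Accepted publickey for root from 198.51.100.33 port 40100 ssh2: RSA SHA256:placeholder
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for invalid user <user>".
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

def parse_sshd(log_text):
    """Yield one dict per sshd Accepted/Failed line; other lines are skipped."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m.groupdict()

def tor_ssh_events(log_text, exits=TOR_EXITS):
    """Return the sshd events whose source IP is a known Tor exit."""
    return [ev for ev in parse_sshd(log_text) if ev["ip"] in exits]

def summarize(events):
    """Count (user, outcome) pairs so a successful root login stands out."""
    return Counter((ev["user"], ev["outcome"]) for ev in events)

if __name__ == "__main__":
    hits = tor_ssh_events(SAMPLE_AUTH_LOG)
    for ev in hits:
        print(f"{ev['outcome']} {ev['method']} for {ev['user']} "
              f"from Tor exit {ev['ip']} (pid {ev['pid']})")
    print(summarize(hits))
```

A successful "Accepted publickey for root" from a Tor exit is a far stronger signal than the failed guess, so the summary keys on user and outcome rather than on raw hit count alone.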
I hope you learned a little something. Thanks for reading to this point. I know that was a bit long. I look forward to being a part of this community. If you have any questions, comments, or holes in my theory let me know. Until next time, keep hacking.