I recently wrote about the concepts behind how one might attempt to become anonymous on the Internet. As I’ve been filling in the gaps and learning about this stuff, I regularly imagine how stressful this must be for people where a mistake is literally life-and-death! For example:
- A journalist trying to expose the tyranny of a despotic regime.
- A journalist trying to work with a whistleblower.
- A whistleblower.
Never mind people who actually CHOOSE to do nefarious or Black Hat type things. The point is, there are several key pieces of online anonymity, and you can’t mess up, even once! If you do, you could be killed or jailed!
Now, it’s my professional opinion (but not necessarily that of my employer) that these sorts of techniques should be commonplace, in use in every household. There are simply too many organizations who can and do observe your every online move, including:
- Your ISP
- Marketing and advertising companies who bought your information.
- Your government
- Foreign governments
It only makes sense if people don’t want to let all of these outside organizations rifle through their personal effects! I digress, because aside from that, my main interest here is professional development and expanding my information security knowledge and ethical hacking skills. With that said, here are some of the details on how to be more anonymous.
Your physical location:
If you are an IT security professional, this isn’t as critical, but if you would be jailed or killed should your identity be found out, then you should not be at home, using your home internet connection. Ideally, you’d want to use public WiFi, and ideally somewhere other people will have network traffic similar to yours. For example, at a security conference. Failing that, just using public WiFi is a step in the right direction.
Separation of concerns: your user accounts, and browser setup:
I’m assuming here you will be using Kali Linux. By default, you do everything as “root”. However, when you are going out onto the internet, you should DEFINITELY never, ever run a web browser as root. So, create a non-privileged user:
# adduser test
and then follow the prompts. Just like your root account should have an extremely good password, this test account is the account you will be using most of the time – it will have the most damaging data in its profile (if you were trying to hide something). So this account too should have an extremely good password.
For web browsing, you will likely use one of two ways to access the internet: the built-in “iceweasel” browser (which is really just Firefox), or the Tor browser. The Tor documentation can tell you how to set that up. However, for IceWeasel, there are two plug-ins that you should definitely install – both of which are provided by the Electronic Frontier Foundation (EFF), which is an organization beyond reproach!
- EFF Privacy Badger: https://www.eff.org/privacybadger
- EFF HTTPS Everywhere: https://www.eff.org/https-everywhere
Privacy Badger virtually eliminates cookies and trackers used by advertisers and website owners, and gives you reports about what it found. HTTPS Everywhere attempts to go to the HTTPS version of every website you visit. You can change the settings on a per-website basis. The idea though is that instead of defaulting to HTTP and only occasionally going to HTTPS, why not flip that around to gain a little privacy?
Lastly, to help remind you not to mess up, I change the backgrounds of my non-privileged account to a neutral color:
and the background of my root account to something harsh. In real life, you typically have several windows open, so it’s not too harsh to look at. However, you do see it out of the corner of your eye, and it should be a reminder that you are not running in a “safe” account!
For people where these sorts of slip-ups are life-and-death, it makes sense to me to stack the deck in your favor, and set yourself up to not-fail!
Change your MAC address:
If you are using Hyper-V or VirtualBox to host Kali Linux, then you can change the MAC address in the settings. If you have installed Kali on a physical computer, then you probably want to use “macchanger”. Here’s how I have it set up. In /root/ I have a file called macrandomizer.sh which looks like this:
#!/bin/bash
# take the interface down, assign a fully random MAC, and bring it back up
ifconfig eth0 down
macchanger -r eth0
ifconfig eth0 up
You can also do the same thing for wlan0 if you are using that, too. Then, mark the script as executable:
# chmod +x ./macrandomizer.sh
Then, I want to run this every time the computer boots. So, I run:
# crontab -e
and I add an entry at the end of the file like this:
Exit and save changes (with the default file name). Lastly, as a reminder EVERY time I open a new terminal window, I open my .bashrc file:
# nano ./.bashrc
and at the very end, I add:
echo "[*] eth0 MAC address:"
macchanger -s eth0
which prints out the current MAC address and the permanent one. The idea being that you’d see something like this every time you open a terminal window:
Again, if you try to do this in a VM, it breaks – but if you are using a physical machine, this will help disassociate your physical computer from your network traffic.
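It is worth confirming that the script actually took effect rather than eyeballing the two lines every time. The following is an added example, not part of the original post: a small shell check that parses the status text `macchanger -s` prints and reports whether the current MAC still equals the permanent (hardware) one. The status text it is tested against is constructed, and the `Current MAC:` / `Permanent MAC:` labels are assumed to match your macchanger version.

```shell
#!/bin/bash
# Added example: verify that macchanger actually changed the interface's MAC.
# Parses the status text that `macchanger -s <iface>` prints, which has the form
#   Current MAC:   xx:xx:xx:xx:xx:xx (vendor)
#   Permanent MAC: xx:xx:xx:xx:xx:xx (vendor)
# (label format assumed; check it against your macchanger version).

# Print the MAC address from the status line labelled $1 ("Current" or
# "Permanent") in the status text $2; prints nothing if the line is missing.
mac_field() {
    printf '%s\n' "$2" | awk -v label="$1" '$1 == label && $2 == "MAC:" { print $3; exit }'
}

# Exit status: 0 = current MAC differs from the hardware MAC (randomized),
# 1 = still the hardware MAC, 2 = status text could not be parsed.
mac_is_randomized() {
    local cur perm
    cur=$(mac_field Current "$1")
    perm=$(mac_field Permanent "$1")
    [ -n "$cur" ] && [ -n "$perm" ] || return 2
    [ "$cur" != "$perm" ]
}

# Live check, to run as root after macrandomizer.sh (macchanger must be installed):
#   if ! mac_is_randomized "$(macchanger -s eth0)"; then
#       echo "[!] eth0 is still using its hardware MAC address"
#   fi

# Constructed status text for offline testing (not real hardware).
SAMPLE_RANDOMIZED='Current MAC:   36:5b:0a:1c:9e:42 (unknown)
Permanent MAC: 00:1a:2b:3c:4d:5e (unknown)'
SAMPLE_UNCHANGED='Current MAC:   00:1a:2b:3c:4d:5e (unknown)
Permanent MAC: 00:1a:2b:3c:4d:5e (unknown)'
```

The distinct exit code for unparseable output matters: if macchanger is missing or the interface name is wrong, an empty string compared against an empty string would otherwise look like "unchanged", and a naive `!=` test would report success.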
Change your DNS (avoid DNS leaks):
The idea here is that if you were to go through several steps to encrypt and route your traffic around the world, wouldn’t it be stupid if the first thing you did was send a DNS request back to your ISP’s DNS servers? This is what is called a DNS leak. You are leaking information about yourself because you did not point to a more general DNS server.
To see where you point for DNS now, do:
# cat /etc/resolv.conf
You’ll likely see that it’s pointing to 192.168.1.1 or whatever your internet router is. That router likely gets its DNS from your ISP – which is how you end up leaking. Worse, if you are on a corporate network, you might also notice that it has a domain suffix listed too. This could also leak information. For example, if your DNS suffix says “example.com”, what that means is that when you make a DNS request for “someserver” and the name fails, your computer will then try “someserver.example.com”. Now, if that is a domain name that is identifiable, you just gave yourself away. What’s worse is that you wouldn’t even realize it, because this is done by the name resolution part of your network stack!
So, we want to point to public DNS servers. Perhaps the most popular is OpenDNS, but there are actually quite a few you could use. Edit the DHCP client configuration so that your chosen servers are placed ahead of whatever the router hands out, and the domain suffix is overridden (substitute the addresses of the resolvers you choose):
# nano /etc/dhcp/dhclient.conf
prepend domain-name-servers 22.214.171.124, 126.96.36.199, 188.8.131.52;
supersede domain-name "example.com";
Then restart networking and confirm that /etc/resolv.conf now lists your servers:
# service network-manager restart
# cat /etc/resolv.conf
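A quick way to catch both leaks this section describes (a resolver that is really your router, and a search suffix) before going online is to check /etc/resolv.conf mechanically. This is an added example, not part of the original post: it flags any nameserver in an RFC 1918 private range and any `domain`/`search` line. The two resolv.conf samples it is tested against are constructed; the clean one uses OpenDNS’s 208.67.222.222 and 208.67.220.220.

```shell
#!/bin/bash
# Added example: scan a resolv.conf for the two DNS-leak indicators discussed
# above: a nameserver in a private range (almost always the home router, which
# forwards to the ISP) and a domain/search suffix that gets appended to
# unqualified names.

# 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        192.168.*)                              return 0 ;;
    esac
    return 1
}

# Print one line per finding in the resolv.conf at $1; the exit status is the
# number of findings, so 0 means nothing suspicious was seen.
check_resolv_conf() {
    local file="$1" findings=0 key value
    while read -r key value; do
        case "$key" in
            nameserver)
                if is_private_ip "$value"; then
                    echo "[!] nameserver $value is a private address (likely your router forwarding to the ISP)"
                    findings=$((findings + 1))
                fi ;;
            domain|search)
                echo "[!] $key '$value' will be appended to unqualified names and can identify your network"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    return "$findings"
}

# Live use:
#   check_resolv_conf /etc/resolv.conf || echo "[!] fix DNS before going online"

# Constructed samples for offline testing.
LEAKY_RESOLV=$(mktemp)
printf '# Generated by NetworkManager\ndomain example.com\nnameserver 192.168.1.1\n' > "$LEAKY_RESOLV"
CLEAN_RESOLV=$(mktemp)
printf 'nameserver 208.67.222.222\nnameserver 208.67.220.220\n' > "$CLEAN_RESOLV"
```

Run it again after the dhclient.conf change and the network-manager restart; if the router address is still listed first, the `prepend` line did not take effect and your queries will still go to the ISP.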
Set up VPN:
The concept of a VPN is that you have a Virtual Private Network connection to someplace else on the internet. You might be familiar with this if you connect in to work from home. Well, how this is used in this context is that it gives you a different “entry point” onto the internet. Instead of your network traffic coming right out of your modem and starting to route to its destination, you connect to a remote server, and your network traffic comes out of their internet connection.
You can pay for a VPN service. That is both bad and good. It’s good because you will get much better, much more stable network performance. However, it’s bad because this service now has a money trail which leads to you, personally.
You can use free VPN services. These are also both bad and good. They are good because they are free and quite anonymous. They are bad because there is no service level, and performance can be unstable or slow.
Kali Linux comes with openvpn already installed. This is a program which knows how to open a connection (a.k.a. a tunnel) and then change your network route table to route everything through that tunnel. So, navigate to http://www.vpnbook.com/freevpn for example and download the various bundles. I downloaded them all. These all represent relatively free countries – and the EU is known for its privacy laws. What each country file represents is where you are going to “come out” on the internet. If you use the DE (Denmark/Germany) bundle, your public IP will appear to be somewhere in that region. Use the US bundle and your public IP will appear to be somewhere in the United States.
So, download and unzip those into a directory – I put mine in ~/openvpn/. Then just run this command:
# openvpn ./vpnbook-euro1-tcp443.ovpn
Note that the username/password is publicly available on that same page on VPN Book – but does change periodically. You want to wait a minute in the output until you see:
Initialization Sequence Completed
At this point all traffic for this computer, including all other users, is now being tunneled through this VPN connection. Let’s verify it: open a browser and navigate to www.dnsleaktest.com or a “what’s my IP” type website like www.ipaddress.com:
OK, so now my network traffic is entering the internet from somewhere in Romania!
That’s pretty much all there is to it. So long as openvpn is running, ALL of your network traffic for ALL users on your computer is going through the tunnel and coming out somewhere else in the country/region that you specified.
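Two parts of this are easy to script: waiting for openvpn to log “Initialization Sequence Completed”, and checking that the routing table really sends everything into the tunnel. The following is an added example rather than code from the post or from VPNBook: `wait_for_tunnel` polls a log file for that line, and `routes_via_tunnel` inspects `ip route` output for the pair of half-space routes (0.0.0.0/1 and 128.0.0.0/1 over a tun interface) that openvpn’s redirect-gateway option installs. The log excerpt and route table it is tested against are constructed; the .ovpn file name is the one used above, the credentials file path is an assumption, and `--log`, `--daemon` and `--auth-user-pass` are standard openvpn options.

```shell
#!/bin/bash
# Added example: script the VPN bring-up check instead of watching the terminal.

# Poll the openvpn log at $1 for "Initialization Sequence Completed" for up to
# $2 seconds (default 60). 0 = tunnel is up, 1 = timed out.
wait_for_tunnel() {
    local log="$1" timeout="${2:-60}" waited=0
    while :; do
        grep -q 'Initialization Sequence Completed' "$log" 2>/dev/null && return 0
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# Given `ip route` output in $1, succeed only when both 0.0.0.0/1 and 128.0.0.0/1
# go out via a tun interface. Together those two routes cover every address and,
# being more specific than "default", win over the original default route
# without deleting it; this is what openvpn's redirect-gateway def1 installs.
routes_via_tunnel() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1"   && / dev tun/ { low = 1 }
        $1 == "128.0.0.0/1" && / dev tun/ { high = 1 }
        END { exit !(low && high) }'
}

# Live sequence, as root (openvpn needs to create the tun device). The auth file
# is one you create yourself: username on line 1, password on line 2 (path assumed).
#   openvpn --config ./vpnbook-euro1-tcp443.ovpn --auth-user-pass /root/openvpn/vpnbook.auth \
#           --log /tmp/openvpn.log --daemon
#   wait_for_tunnel /tmp/openvpn.log 60 || { echo "[!] VPN did not come up"; exit 1; }
#   routes_via_tunnel "$(ip route)" || echo "[!] default route is NOT going through the tunnel"

# Constructed samples for offline testing.
SAMPLE_LOG=$(mktemp)
printf 'TCP connection established with [AF_INET]192.0.2.10:443\nInitialization Sequence Completed\n' > "$SAMPLE_LOG"
ROUTES_TUNNELED='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23'
ROUTES_PLAIN='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.23'
```

The route check is the one that tells you whether “ALL traffic for ALL users” is really inside the tunnel: a web page showing a foreign IP only proves the browser’s connection went through, whereas the two /1 routes over tun0 prove the kernel is sending everything that way.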
Set up ProxyChains (through Tor):
Proxy servers are different from VPNs and solve a different problem. A VPN changes the location from which you enter the internet. A proxy server masks your starting point and makes it difficult to see where your traffic went. Now, the easiest and relatively “safest” way to use proxies is to just route your network traffic over the Tor network. That typically means 2 to 3 hops, but EACH hop creates a new, secure connection to the next, making it extremely difficult (almost impossible) to trace your network traffic – well, at least at the network level. Your behavior or usage might be your downfall, but your network traffic should be relatively safe.
To set this up, you first need to install Tor:
# apt-get install tor
Then, start Tor:
# service tor start
# service tor status
Note that in Kali Linux, as a precaution, services like this won’t start automatically. You must manually start it when you want to use it. By default, the Tor proxy runs on the localhost on port 9050. So, edit the following:
# nano /etc/proxychains.conf
Uncomment “dynamic”, comment out “static”, and at the end of the file, add:
socks5 127.0.0.1 9050
Exit and save changes. This tells a program called “proxychains” that it should use the local Tor service to route traffic through the Tor network. We’ll get to that in a minute…
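Editing proxychains.conf by hand is where a typo silently leaves you on strict_chain or without the Tor entry. As an added example (not from the post or from the proxychains project), here is a shell function that makes exactly the changes described above and a second one that verifies them. It is tested on a constructed excerpt of the stock config. One addition of my own: it comments out the stock `socks4 127.0.0.1 9050` line, so the chain has a single hop into Tor rather than two entries for the same port.

```shell
#!/bin/bash
# Added example: apply and verify the proxychains.conf changes described above.

TOR_PROXY='socks5 127.0.0.1 9050'

# Rewrite the config at $1 in place: enable dynamic_chain, disable strict_chain,
# comment out the stock socks4 entry for the same Tor port, and append the
# socks5 line once. Safe to run more than once.
configure_proxychains() {
    local conf="$1" tmp
    tmp=$(mktemp)
    sed -e 's/^#dynamic_chain$/dynamic_chain/' \
        -e 's/^strict_chain$/#strict_chain/' \
        -e 's/^socks4[[:space:]][[:space:]]*127\.0\.0\.1[[:space:]][[:space:]]*9050$/#&/' \
        "$conf" > "$tmp"
    # Copy back with cat rather than mv: the original file keeps its mode, and
    # /etc/proxychains.conf must stay readable by the unprivileged user who runs proxychains.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    grep -qxF "$TOR_PROXY" "$conf" || printf '%s\n' "$TOR_PROXY" >> "$conf"
}

# 0 when the file is in the intended state, 1 otherwise: dynamic_chain active,
# no other chain mode active, and the Tor socks5 entry present.
verify_proxychains() {
    local conf="$1"
    grep -qx 'dynamic_chain' "$conf" || return 1
    grep -qxE '(strict_chain|random_chain|round_robin_chain)' "$conf" && return 1
    grep -qxF "$TOR_PROXY" "$conf"
}

# Live use, as root:
#   configure_proxychains /etc/proxychains.conf
#   verify_proxychains /etc/proxychains.conf || echo "[!] proxychains.conf is not set up for Tor"

# Constructed excerpt of the stock file, for offline testing.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed excerpt of the stock /etc/proxychains.conf
#dynamic_chain
strict_chain
#random_chain
[ProxyList]
socks4 127.0.0.1 9050
EOF
```

The verify step is the part worth keeping around: run it as the unprivileged user before every session, since a config that is only readable by root fails in exactly the account the post says you should be browsing from.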
Now, another way that proxy servers are different from a VPN is that VPNs are at the network level, and proxy servers at the application level. That also means that NOT all of your traffic may be routed through the proxy server! For example, if you use an HTTP proxy, only HTTP traffic is routed. If you use a SOCKS4 proxy, everything except for IPv6 traffic and UDP is sent through the proxy.
So, it’s important to understand which network protocols you are using, to ensure that they are in fact being routed through your proxy servers.
Ideally, you want to use SOCKS5 because that has the broadest support.
OK, to recap, we’ve configured proxychains to use “dynamic” and to use our local Tor proxy server on port 9050 as a SOCKS5 proxy. This, in turn, sends our traffic out over Tor. To actually do this, you basically call “proxychains” and give it a program to run, like a browser:
$ proxychains firefox https://duckduckgo.com
At that point, a browser should pop open. It should take a few seconds for the page to load. Meanwhile, back in the terminal, you should see messages like this:
You should ideally do this from your unprivileged account, because you will now be using a browser over your connection. To verify that we really are going through a proxy, you can go check www.dnsleaktest.com or www.ipaddress.com, and sure-enough:
I’m coming out onto the internet in Germany this time!
If you don’t want to use Tor, you could also search for “public proxy server” and get a list of public SOCKS5 proxy servers. You’ll see though that MOST of them will be down. The ones that are up will be very slow – and it’s said that many public proxy servers are really just set up as public honeypots to be able to capture some interesting network traffic. However, it is an option – and that is the only difference. Instead of listing “socks5 127.0.0.1 9050” in that file, comment that out and list your own proxy servers.
Using VPN –AND– ProxyChains:
One next obvious step might be to combine these last two pieces. What if: you connect to a VPN and come out in a remote city, and then immediately connect through the Tor network to get to your final destination?
Well, I actually spent the most amount of time on this. In fact, there are a couple of ways you could do this, right?
- Connect to Tor, then connect to VPN: This obscures who you are, to the VPN provider – but makes it easier for someone in the Tor network to observe you. So, use this when you trust Tor more than your VPN.
- Connect to VPN, then connect to Tor: This obscures who you are, to Tor – but makes it easier for someone at the VPN to observe you. Use this when you trust the VPN more than Tor.
Now, the bad news is, I couldn’t get this working in the most obvious of ways. For example:
- Run proxychains, and have it run the statement to open the VPN connection. I think this is because the VPN stuff is at the network level, and proxychains is at the app level. It ended up freezing the process.
- Run openvpn, then run proxychains. This just ended up where everything timed-out. I’m not sure why.
However, in real use, I really would open the VPN connection as root (since it’s a privileged operation), and I’d really want to use proxychains from my unprivileged user. Since VPN settings affect the whole machine, I tried that. That seems to work. In fact, this is the only way I could get this working. In other words, I:
- Log in as root and bring up your VPN connection
- Log in as the unprivileged user and start “proxychains firefox”, for example
How do I validate that it’s working? Well, I logged in as root and started the VPN connection. I then switched to the non-privileged account. I open a browser and verify my public IP:
Note that the location is Romania, and the hostname includes *.vpnbook.com; that means I’m entering the internet from the VPN. I close the browser and run “proxychains firefox”, and then re-verify my public IP:
Notice how now my public IP appears to be in Pennsylvania, and the name says it’s a Tor exit node. Put another way, my network traffic creates a secure tunnel to Romania, it then comes out onto the internet for the first time, and enters the Tor network. It is bounced and re-encrypted 2-3 times and ultimately comes out, back in the U.S. And remember, the VPN is still running, over where I’m logged in as root.
When I close the browser, proxychains stops. I open a browser on my own and go back to www.ipaddress.com and see I’m back in Romania again. This is because openvpn is still running as root, over in my other session and affects the entire network card, for all users.
Lastly, it should be noted that when you use a configuration like this, not only does it take a few minutes to physically get everything set up, the performance is quite slow. So, you are trading performance for more layers of obscurity.
Just use the Tor Browser:
What we described above is a little involved. It’s not so much that there are complex commands to run, but it really does require a pretty comprehensive understanding of how networking works. What if you just want something simple?
Well, you can just install the Tor web browser. This is basically Firefox with https-everywhere installed, and it automatically routes through the Tor network.
There are a few advantages here. First, it’s simple and fast. This gives you the equivalent of “proxychains firefox”, except without any configuration required. Next, it gives you access to the Tor-routed “websites”, which you can tell because instead of having a .com or .net domain name, they end in .onion. You can ONLY get to these sites from the Tor network. Tor stands for The Onion Router – Onion Routing is the technique that is used to keep these connections secure.
So – to use this, from your unprivileged user account, navigate to www.torproject.org and click Download. Make sure to ONLY download it from the official website! In Kali Linux, choose to “Open…[Archive Manager]” the file and then extract to your profile directory, for example:
Sure enough, just run the “start-tor-browser.desktop” and you can then browse – while connecting over the Tor network. If you run the Tor browser while you are connected to a VPN, the startup times can be VERY slow – like several minutes before it’s ready. If you don’t feel you need the VPN connection, this runs MUCH faster without it. Meanwhile, how do we verify that the Tor browser is really re-routing our network traffic? Check out www.ipaddress.com or www.dnsleaktest.com:
In this particular case, I was still connected to the VPN (coming out in Romania), so seeing that in the Tor browser, my public IP is based out of Baltimore, and the name says it’s a Tor exit node, convinces me that it’s sufficiently proxifying my connection. You can also verify by going to www.hiddenwiki.org and (carefully) clicking on *.onion links, as those are only accessible on the Tor network.
Before going online, here is a quick checklist of some things to consider:
- Be someplace that is not your house. Use public Wi-Fi someplace, ideally with other people using these techniques.
- Create a non-privileged user account where you will do most of your work.
- Change your desktop background for root, as a reminder that you are in as a privileged account – and that you should switch back, before going on the internet.
- Change your MAC address.
- Change your DNS and DHCP “domain” name.
- Connect to VPN, to enter the internet from a far-away place.
- Connect via proxychains to Tor (or just use the Tor browser)
- Go to www.dnsleaktest.com and verify your public IP and DNS are not your actual location.
- Make sure the TCP/IP protocols you are using respect your SOCKS5 proxy, or else that traffic won’t go through Tor, and you won’t even know.
And even then, you can’t REALLY be sure!
Wow. This is a lot, isn’t it? Now imagine being a journalist or a citizen in a despotic country trying to communicate – and if you mess up even once, it could be your life! I mean, some of this can be scripted, but honestly, this is about as simple as it gets – and it’s still quite a manual process.
If you are an IT security professional, there isn’t much stress related to this. For your Red Team pentesting, if you take these steps you’ll probably be fine. The target is going to be too busy reacting to the attack to be likely to counterattack. However, for those that need this, this is not great. It’s not so much complex, but to really understand the risks, it does require a deep understanding of networking: how routing works, how DNS works, how proxy servers and NAT work, how SSL/TLS works, how VPNs work, and what a route table is.
Anyhow, I wanted to write this down because I blew much of the weekend on this and there are many moving pieces. My intention in sharing this is for education purposes only. I in no way endorse or condone using these techniques for anything unethical or immoral. In fact, I strongly discourage you from considering doing anything bad with this information. If you are in the U.S. you should be aware of the new laws and acts which can easily categorize questionable activity as “terrorism”. So, just don’t do it!
Meanwhile, I hope this was helpful. If you have any useful tips or corrections, please leave a comment below!