The technical details for online anonymity (megapost)

I recently wrote about the concepts behind how one might attempt to become anonymous on the Internet. As I’ve been filling in the gaps and learning about this stuff, I regularly imagine how stressful this must be for people where a mistake is literally life-and-death! For example:

  • A journalist trying to expose the tyranny of a despotic regime.
  • A journalist trying to work with a whistleblower.
  • A whistleblower.

Never mind people who actually CHOOSE to do nefarious or Black Hat type things. The point is, there are several key pieces of online anonymity and you can’t mess up, even once! If you do, you could be killed or jailed!

Now, it’s my professional opinion (but not necessarily that of my employer) that these sorts of techniques should be commonplace, in use in every household. There are simply too many organizations who can and do observe your every online move, including:

  • Your ISP
  • Marketing and advertising companies who bought your information.
  • Your government
  • Foreign governments
  • Hackers

It only makes sense, if people don’t want to let all of these outside organizations rifle through their personal effects! I digress, because aside from that, my main interest here is professional development and expanding my information security knowledge and ethical hacking skills. With that said, here are some of the details now, on how to be more anonymous.

Your physical location:
If you are an IT security professional, this isn’t as critical, but if you will be jailed or killed if your identity is found out, then you should not be at home, using your home internet connection. Ideally, you’d want to use public WiFi, and even better, somewhere that other people will have similar network traffic to yours. For example, at a security conference. Failing that, just using public WiFi is a step in the right direction.

Separation of concerns: your user accounts, and browser setup:
I’m assuming here you will be using Kali Linux. By default, you do everything as “root”. However, when you are going out onto the internet, you should DEFINITELY never, ever run a web browser as root. So, create a non-privileged user:

# adduser test

and then follow the prompts. Just like how your root account should have an extremely good password, this test account is the account from which you will be working most of the time – it will have the most damaging data in that profile (if you were trying to hide something). So this account too should have an extremely good password.

For web browsing, you will likely use one of two ways to access the internet, the built-in “iceweasel” browser (which is really just Firefox), or the Tor browser. The Tor documentation can tell you how to set that up. However, for IceWeasel, there are two plug-ins that you should definitely install – both of which are provided from the Electronic Frontier Foundation (EFF), which is an organization beyond reproach!

Privacy Badger virtually eliminates cookies and trackers used by advertisers and website owners, and gives you reports about what it found. HTTPS Everywhere attempts to go to the https version of every website you visit. You can change the settings on a per-website basis. The idea though is that instead of defaulting to http, and only occasionally going to https, why not flip that around to gain a little privacy?

Lastly, to help remind you not to mess up, I change the backgrounds of my non-privileged account to a neutral color:

image

and the background of my root account to something harsh. In real life, you typically have several windows open, so it’s not too harsh to look at. However, you do see it out of the corner of your eye and it should be a reminder that you are not running in a “safe” account!

image

For people where these sorts of slip-ups are life-and-death, it makes sense to me to stack the deck in your favor, and set yourself up to not-fail!

Change your MAC address:
If you are using Hyper-V or VirtualBox to host Kali Linux, then you can change the MAC address in the settings. If you have installed Kali on a physical computer, then you probably want to use “macchanger”. Here’s how I have it set up. In /root/ I have a file called macrandomizer.sh which looks like this:

#!/bin/bash
# Take the interface down, assign a random MAC address, and bring it back up.
# The short pause gives the driver time to finish the link-down before the change.
ifconfig eth0 down
sleep 2
macchanger -r eth0
ifconfig eth0 up

You can also do the same thing for wlan0 if you are using that, too. Then, mark the script as executable:

# chmod +x ./macrandomizer.sh

then, I want to run this every time the computer boots. So, I run:

# crontab -e

and I add an entry at the end of the file like this:

@reboot /root/macrandomizer.sh

exit and save changes (with the default file name). Lastly, as a reminder EVERY time I open a new window, I open my .bashrc file:

# nano ./.bashrc

and at the very end, I add:

echo "[*] eth0 MAC address:"
macchanger -s eth0

which prints out the current MAC address and the permanent one. The idea being that you’d see something like this every time you open a terminal window:

image

Again, if you try to do this in a VM, it breaks – but if you are using a physical machine, this will help disassociate your physical computer from your network traffic.

Change your DNS (avoid DNS leaks):
The idea here is that if you were to go through several steps to encrypt and route your traffic around the world, wouldn’t it be stupid if the first thing you did was a DNS request back to your ISP’s DNS servers? This is what is called a DNS leak. You are leaking information about yourself because you did not point to a more general DNS server.

To see where you point for DNS now, do:

# cat /etc/resolv.conf

You’ll likely see that it’s pointing to 192.168.1.1 or whatever your internet router is. That likely gets its DNS from your ISP – which is how you end up leaking. Worse, if you are on a corporate network, you might also notice that it has a domain suffix listed too. This could also leak information. For example, if your DNS suffix says “example.com”, what that means is that when you make a DNS request for “someserver”, if the name fails, your computer will then try “someserver.example.com”. Now, if that is a domain name that is identifiable, you just gave yourself away. What’s worse is you wouldn’t even realize it, because this is done by the name resolution part of your network stack!

So, we want to point to public DNS servers. Perhaps the most popular is OpenDNS, but there are actually quite a few you could use:

  • Comodo Secure DNS: 8.26.56.26, 8.20.247.20
  • DNS Advantage: 156.154.70.1, 156.154.71.1
  • DNS.Watch: 84.200.69.80, 84.200.70.40
  • FDN: 80.67.169.12
  • FreeDNS: 37.235.1.174, 37.235.1.177
  • Google Public DNS: 8.8.8.8, 8.8.4.4
  • Norton DNS: 198.153.192.1, 198.153.194.1
  • OpenDNS: 208.67.222.222, 208.67.220.220
  • Verisign: 64.6.64.6, 64.6.65.6

I got these from doing this search: https://duckduckgo.com/?q=public+dns&t=ffnt&ia=answer. So, to fix these problems, edit the DHCP client config file:

# nano /etc/dhcp/dhclient.conf

In that file, remove the comment from the “prepend domain-name-servers” line and add exactly three DNS IP addresses, comma separated. For example:

prepend domain-name-servers 208.67.220.220, 80.67.169.12, 8.26.56.26;

I say three because the network stack supports three. Now, even though it’s rare that you’d ever use the 2nd DNS server, if those 2 DNS servers were ever down (or blocked, by your adversary), what is the third one, by default? It’s your default 192.168.1.1. So, an adversary could force you to use your tertiary DNS server, leaking your location. So, if you have THREE public DNS servers, then that’s all there is. No network stack supports more than that. If all 3 DNS servers are down, it won’t try for your (virtual) fourth – so you are safe.

Similarly, when you do:

# cat /etc/resolv.conf

and see a domain suffix, to override that, in this same dhclient.conf file, there is another setting:

supersede domain-name "example.com";

I uncomment this line and add a dummy domain. Now, when I run:

# service network-manager restart
# cat /etc/resolv.conf

I now see the public DNS servers have pushed their way to the top, and my custom domain has been overridden too:

image

Lastly, to verify this, navigate to http://www.dnsleaktest.com/ and click “Standard Test”:

image

It shows I’m from Tampa, which I am. We’ll fix that in a minute, but look at our DNS – that now shows correctly, and doesn’t give away our location:

BEFORE:
image

AFTER:
image

So, now, when we go out on the internet, we aren’t “phoning home” to our ISP DNS servers anymore. We no longer have a “DNS leak”. We’re now using public, open DNS servers, which don’t track our requests (most ISPs do). By the way, our “entry point” to the internet is still my local internet connection, but the above would still be true whether I’m using a VPN, the Tor network, or any other proxy servers – so this is a key thing to have in place!
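As an added check for the DNS section above (my own script, not from the original post), the function below reads a resolv.conf-style file and reports which nameservers are actually live, which are dead weight past the third slot, and whether a search suffix is present. It assumes, as the post does, that the resolver consults at most three nameserver entries; the sample files it runs on are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): audit a resolv.conf-style file for
# the leaks discussed above.  Assumption: the resolver honours at most three
# "nameserver" lines (glibc's limit), so a LAN/loopback resolver in positions
# 1-3 is a live leak path, while a fourth entry is never consulted.  Any
# "domain"/"search" suffix is reported so you can confirm it is the dummy set
# with "supersede domain-name" and not a real, identifiable domain.
# Exit status: 0 = no leak path found, 1 = a LAN/loopback resolver is active.

# RFC 1918, loopback and link-local ranges: a resolver here forwards to the ISP
# (or somewhere else you cannot see from this file).
is_private_ip() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

check_resolv() {
    rc=0
    n=0
    while read -r key value rest; do
        case "$key" in
            nameserver)
                n=$((n + 1))
                if [ "$n" -gt 3 ]; then
                    echo "[-] entry #$n $value: ignored, the resolver only uses the first three"
                elif is_private_ip "$value"; then
                    echo "[!] entry #$n $value: LAN/loopback resolver, DNS leak path"
                    rc=1
                else
                    echo "[+] entry #$n $value: public resolver"
                fi ;;
            domain|search)
                echo "[i] $key suffix '$value${rest:+ $rest}' is appended to unqualified names; verify it is a dummy" ;;
        esac
    done < "$1"
    if [ "$n" -eq 0 ]; then
        echo "[!] no nameserver entries at all"
        rc=1
    fi
    return $rc
}

# Demo on two constructed snapshots (not real captures): the router-only state
# before editing dhclient.conf, and the state after the "prepend" line above.
demo=$(mktemp -d)
printf 'search corp.example\nnameserver 192.168.1.1\n' > "$demo/before"
printf 'nameserver 208.67.220.220\nnameserver 80.67.169.12\nnameserver 8.26.56.26\nnameserver 192.168.1.1\n' > "$demo/after"
for snap in before after; do
    echo "== $snap =="
    if check_resolv "$demo/$snap"; then echo "result: clean"; else echo "result: LEAK"; fi
done
rm -rf "$demo"
```

Run it against the live file with `check_resolv /etc/resolv.conf` after the network-manager restart; a dhclient "prepend" leaves the router as entry #4, which the script reports as ignored rather than as a leak.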

Set up VPN:
The concept of a VPN is that you have a Virtual Private Network connection to someplace else on the internet. You might be familiar with this if you connect in to work from home. Well, how this is used in this context is that it gives you a different “entry point” onto the internet. Instead of your network traffic coming right out of your modem and starting to route to its destination, you connect to a remote server, and your network traffic comes out of their internet connection.

First – it’s important to understand that VPN services for this sort of use, don’t track who you are or where you’ve been. It’s not logged. So, if law enforcement from some government attempts to compel them to turn over information, they don’t have any information. With that said, especially if this anonymity is life-and-death for you, you should take the 2 minutes to read the terms of service and privacy policy! Here is the privacy policy of VPN Book for example – pretty reasonable: http://www.vpnbook.com/contact 

You can pay for a VPN service. That is both bad and good. It’s good because you will get much better, much more stable network performance. However, it’s bad because this service now has a money trail which leads to you, personally.

You can use free VPN services. These are also both bad and good. They are good because they are free and quite anonymous. They are bad because there is no service level, and performance can be unstable or slow.

You can find free VPN services just by searching for those words. I’ve been working with www.vpnbook.com and performance has been pretty good, plus their privacy policy is pretty reasonable too! So, let’s dig into how to set it up.

Kali Linux comes with openvpn already installed. This is a program which knows how to open a connection (a.k.a. a tunnel), and then change your network route table to route everything through that tunnel. So, navigate to http://www.vpnbook.com/freevpn for example and download the various bundles. I downloaded them all. These all represent relatively free countries – and the EU is known for its privacy laws. What each country file represents is where you are going to “come out” on the internet. If you use the DE (Denmark/Germany) bundle, your public IP will appear to be somewhere in that region. Use the US bundle and your public IP will appear to be somewhere in the United States.

So, download and unzip those into a directory – I put mine in ~/openvpn/. Then just run this command:

# openvpn ./vpnbook-euro1-tcp443.ovpn

Note that the username/password is publicly available on that same page on VPN Book – but does change periodically. You want to wait a minute in the output until you see:

Initialization Sequence Completed

At this point all traffic for this computer, including all other users, is now being tunneled through this VPN connection. Let’s verify it: open a browser and navigate to www.dnsleaktest.com again, or a “what’s my IP” type website like www.ipaddress.com:

image

OK, so now my network traffic is entering the internet from somewhere in Romania!

That’s pretty much all there is to it. So long as openvpn is running, ALL of your network traffic for ALL users on your computer is going through the tunnel and coming out somewhere else in the country/region that you specified.

Set up ProxyChains (through Tor):
Proxy servers are different than VPN and solve a different problem. VPN changes the location from where you enter the internet. A proxy server masks your starting point, and makes it difficult to see where your traffic went. Now, the easiest and relatively “safest” way to use proxies is to just route your network traffic over the Tor network. That typically means it will be 2 to 3 steps, but EACH stop creates a new, secure connection to the next hop, making it extremely difficult (almost impossible) to trace your network traffic – well, at least at the network level. Your behavior or usage might be your downfall, but your network traffic should be relatively safe.

To set this up, you first need to install Tor:

# apt-get install tor

Then, start Tor:

# service tor start
# service tor status

Note that in Kali Linux, as a precaution, services like this won’t start automatically. You must manually start it when you want to use it. By default, the Tor proxy runs on the localhost on port 9050. So, edit the following:

# nano /etc/proxychains.conf

Uncomment “dynamic”, comment out “static”, and at the end of the file, add:

socks5 127.0.0.1 9050

Exit and save changes. This tells a program called “proxychains” that it should use the local Tor service to route traffic through the Tor network. We’ll get to that in a minute…

Now, another way that proxy servers are different from a VPN is that VPNs work at the network level, and proxy servers at the application level. That also means that NOT ALL of your traffic may be routed through the proxy server! For example, if you use an HTTP proxy, only HTTP traffic is routed. If you use a socks4 proxy, everything except for IPv6 traffic and UDP is sent through the proxy.

So, it’s important to understand which network protocols you are using, to ensure they are in fact being routed through your proxy servers.

Ideally, you want to use SOCKS5 because that has the broadest support.
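As an added check for the proxychains.conf edit above (my own script, not from the original post), the function below reads a proxychains.conf-style file and reports which chain mode is uncommented, the type of each proxy in the list (flagging http and socks4 entries for the UDP/IPv6 gap just described), and whether proxy_dns, a real proxychains directive the post does not mention, is on so that name lookups also travel through Tor instead of going to your resolver. The sample files it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a proxychains.conf-style file
# against the setup described above.  It reports which chain mode is uncommented,
# whether the "proxy_dns" directive is on (without it, name lookups bypass the
# proxy and go straight to your resolver), and each [ProxyList] entry, flagging
# http/socks4 entries that cannot carry UDP or IPv6.
# Exit status: 0 = dynamic_chain + proxy_dns + at least one socks5 entry, 1 otherwise.
check_proxychains() {
    conf="$1"
    mode=""; dns=no; socks5=0; in_list=no; rc=0
    while read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                                 # blank or commented-out
            dynamic_chain|strict_chain|random_chain) mode="$line"; continue ;;
            proxy_dns) dns=yes; continue ;;
            '[ProxyList]') in_list=yes; continue ;;
        esac
        [ "$in_list" = yes ] || continue                         # options before the list
        set -f; set -- $line; set +f                             # split "type host port", no globbing
        case "$1" in
            socks5) socks5=$((socks5 + 1)); echo "[+] socks5 $2:$3 (TCP, UDP and IPv6 capable)" ;;
            socks4) echo "[!] socks4 $2:$3: TCP/IPv4 only, UDP and IPv6 will not go through it" ;;
            http)   echo "[!] http $2:$3: only traffic the application sends as HTTP goes through it" ;;
            *)      echo "[?] unrecognised entry: $line" ;;
        esac
    done < "$conf"
    if [ "$mode" = dynamic_chain ]; then
        echo "[+] chain mode: dynamic_chain"
    elif [ -n "$mode" ]; then
        echo "[!] chain mode is $mode; the setup above expects dynamic_chain"; rc=1
    else
        echo "[!] no chain mode is uncommented"; rc=1
    fi
    if [ "$dns" = yes ]; then
        echo "[+] proxy_dns on: lookups travel through the proxy"
    else
        echo "[!] proxy_dns off: DNS queries bypass the chain and leak to your resolver"; rc=1
    fi
    if [ "$socks5" -eq 0 ]; then
        echo "[!] no socks5 entry (for Tor: socks5 127.0.0.1 9050)"; rc=1
    fi
    return $rc
}

# Demo on two constructed samples: one approximating the stock file (strict chain,
# socks4 entry) and one edited as described above.
demo=$(mktemp -d)
printf 'strict_chain\n#dynamic_chain\nproxy_dns\n[ProxyList]\nsocks4 \t127.0.0.1 9050\n' > "$demo/stock"
printf 'dynamic_chain\n#strict_chain\nproxy_dns\n[ProxyList]\n#socks4 127.0.0.1 9050\nsocks5 127.0.0.1 9050\n' > "$demo/tor"
for f in stock tor; do
    echo "== $f =="
    if check_proxychains "$demo/$f"; then echo "result: ready for Tor"; else echo "result: fix the config"; fi
done
rm -rf "$demo"
```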

OK, to recap, we’ve configured proxychains to use “dynamic” and to use our local Tor proxy server on port 9050 as a socks5 proxy. This in turn sends our traffic out over the Tor network. To actually do this, you call “proxychains” and give it a program to run, like a browser:

$ proxychains firefox https://duckduckgo.com

at that point, a browser should pop open. It should take a few seconds for the page to load. Meanwhile, back in the terminal, you should see messages like this:

image

You should ideally do this from your unprivileged account, because you will now be using a browser over your connection. To verify that we really are going through a proxy, you can go check www.dnsleaktest.com or www.ipaddress.com, and sure-enough:

image

I’m coming out onto the internet in Germany this time!

If you don’t want to use Tor, you could also search for “public proxy server” and get a list of public socks5 proxy servers. You’ll see though that MOST of them will be down. The ones that are up will be very slow – and it’s said that many public proxy servers are really just set up as public honeypots to be able to capture some interesting network traffic. However, it is an option – and that is the only difference. Instead of listing “socks5 127.0.0.1 9050” in that file, comment that out and list your own proxy servers.

Using VPN –AND– ProxyChains:
One next obvious step might be to combine these last two pieces. What if: you connect to a VPN and come out in a remote city, and then immediately connect through the Tor network to get to your final destination?

Well, I actually spent the most amount of time on this. In fact, there are a couple of ways you could do this, right?

  • Connect to Tor, then connect to VPN: This obscures who you are, to the VPN provider – but makes it easier for someone in the Tor network to observe you. So, use this when you trust Tor more than your VPN.
  • Connect to VPN, then connect to Tor: This obscures who you are, to Tor – but makes it easier for someone at the VPN to observe you. Use this when you trust the VPN more than Tor.

Now, the bad news is, I couldn’t get this working in the most obvious of ways. For example:

  • Run proxychains, and have it run the statement to open the VPN connection. I think this is because the VPN stuff is at the network level, and proxychains is at the app level. It ended up freezing the process.
  • Run openvpn, then run proxychains. This just ended up where everything timed-out. I’m not sure why.

However, in real use, I really would open the VPN connection as root (since it’s a privileged operation), and I’d really want to use proxychains from my unprivileged user. Since VPN settings affect the whole machine, I tried that. That seems to work. In fact, this is the only way I could get this working. In other words, I:

  1. Log in as root and bring up your VPN connection
  2. Log in as the unprivileged user and start “proxychains firefox”, for example

How do I validate that it’s working? Well, I logged in as root and started the VPN connection. I then switched to the non-privileged account, opened a browser and verified my public IP:

image

Note that the location is Romania, and the hostname includes *.vpnbook.com; that means I’m entering the internet from the VPN. I close the browser and run “proxychains firefox”, and then re-verify my public IP:

image

Notice how now my public IP appears to be in Pennsylvania, and the name says it’s a Tor exit node. Put another way, my network traffic creates a secure tunnel to Romania, it then comes out onto the internet for the first time, and enters the Tor network. It is bounced and re-encrypted 2-3 times and ultimately comes out, back in the U.S. And remember, the VPN is still running, over where I’m logged in as root.

When I close the browser, proxychains stops. I open a browser on my own and go back to www.ipaddress.com and see I’m back in Romania again. This is because openvpn is still running as root, over in my other session and affects the entire network card, for all users.

Lastly, it should be noted that when you use a configuration like this, not only does it take a few minutes to physically get everything set up, the performance is quite slow. So, you are trading performance for more layers of obscurity.

Just use the Tor Browser:
What we described above is a little involved. It’s not so much that there are complex commands to run, but it really does require a pretty comprehensive understanding of how networking works. What if you just want something simple?

image

Well, you can just install the Tor web browser. This is basically Firefox with https-everywhere installed, and it automatically routes through the Tor network.

There are a few advantages here. First, it’s simple and fast. This gives you the equivalent of “proxychains firefox”, except without any configuration required. Next, it gives you access to the Tor-routed “websites”, which you can tell because instead of having a .com or .net domain name, it will be .onion. You can ONLY get to these sites from the Tor network. Tor stands for The Onion Router – where Onion Routing is the technique that is used to keep these connections secure.

So – to use this, from your unprivileged user account, navigate to www.torproject.org and click Download. Make sure to ONLY download it from the official website! In Kali Linux, choose to “Open…[Archive Manager]” the file and then extract to your profile directory, for example:

image

Sure enough, just run the “start-tor-browser.desktop” and you can then browse – while connecting over the Tor network. If you run the Tor browser while you are connected to a VPN, the startup times can be VERY slow – like several minutes before it’s ready. If you don’t feel you need the VPN connection, this runs MUCH faster without it. Meanwhile, how do we verify that the Tor browser is really re-routing our network traffic? Check out www.ipaddress.com or www.dnsleaktest.com:

image

In this particular case, I was still connected to the VPN (coming out in Romania), so seeing that in the Tor browser, my public IP is based out of Baltimore, and the name says it’s a Tor exit node, convinces me that it’s sufficiently proxifying my connection. You can also verify by going to www.hiddenwiki.org and (carefully) clicking on *.onion links, as those are only accessible on the Tor network.

Final checklist…
Before going online, here is a quick checklist of some things to consider:

  1. Be someplace that is not your house. Use public Wi-Fi someplace, ideally with other people using these techniques.
  2. Create a non-privileged user account where you will do most of your work.
  3. Change your desktop background for root, as a reminder that you are in as a privileged account – and that you should switch back, before going on the internet.
  4. Change your MAC address.
  5. Change your DNS and DHCP “domain” name.
  6. Connect to VPN, to enter the internet from a far-away place.
  7. Connect via proxychains to Tor (or just use the Tor browser)
  8. Go to www.dnsleaktest.com and verify your public IP and DNS are not your actual location.
  9. Make sure the TCP/IP protocols you are using, respect your SOCKS5 proxy, or else that traffic won’t go through Tor, and you won’t even know.

And even then, you can’t REALLY be sure!

Bottom Line:
Wow. This is a lot, isn’t it? Now imagine being a journalist or a citizen in a despotic country trying to communicate – and if you mess up even once, it could be your life! I mean, some of this can be scripted, but honestly, this is about as simple as it gets – and it’s still quite a manual process.

If you are an IT security professional, there isn’t much stress related to this. For your Red Team pentesting, if you take these steps you’ll probably be fine. The target is going to be too busy reacting to the attack to be likely to counterattack. However, for those that need this, this is not great. It’s not so much complex, but to really understand the risks, it does require a deep understanding of networking: how routing works, how DNS works, how proxy servers and NAT work, how SSL/TLS works, how VPNs work and what a route table is.

Anyhow, I wanted to write this down because I blew much of the weekend on this and there are many moving pieces. My intention in sharing this is for education purposes only. I in no way, endorse or condone using these techniques for anything unethical or immoral. In fact, I strongly discourage you from considering doing anything bad with this information. If you are in the U.S. you should be aware of the new laws and acts which can easily categorize questionable activity as “terrorism”. So, just don’t do it!

Meanwhile, I hope this was helpful. If you have any useful tips or corrections, please leave a comment below!

Posted in Best-practices, Computers and Internet, General, Infrastructure, Linux, Professional Development, Security, Uncategorized
One comment on “The technical details for online anonymity (megapost)”
  1. […] up Tor (and configure Firefox):I’ve covered Tor a little bit in a few posts, but probably most fully – here. Tor stands for The Onion Router, and it’s a technology which bounces your web requests, […]
