paint-brush
How do Hackers Hide Themselves? - A Guide to Staying Anonymous Onlineby@grantcollins
2,138 reads
2,138 reads

How do Hackers Hide Themselves? - A Guide to Staying Anonymous Online

by Grant CollinsMarch 24th, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

The world has always been fascinated with Hackers. In this video, we’ll learn about how they hide themselves online.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coins Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - How do Hackers Hide Themselves? - A Guide to Staying Anonymous Online
Grant Collins HackerNoon profile picture


The world has always been fascinated with Hackers. In this video, we’ll learn about how they hide themselves online.

Watch the Video

https://www.youtube.com/watch?v=BWVyp0wYpgA&ab_channel=GrantCollins


00:00

four years that is how long a group of

00:02

hackers were able to stay inside the

00:04

starwood marriott network without being

00:06

discovered oof how the heck does an

00:08

unauthorized party stay hidden for this

00:10

long well in today's video topic i will

00:12

address popular methods hackers will use

00:14

to stay anonymous online while hiding

00:17

their online footprint

00:19

so let's go ahead and get started all

00:20

right no the first step is not matrix

00:22

level hacking as much as we love it to

00:24

be it's actually physical security

00:26

physical security is also referred to as

00:29

operational security or opsec so if

00:31

you're one of those you know military

00:33

guys you probably know about this or if

00:35

you're just some random weird it nerd

00:37

well yeah you're probably gonna need to

00:38

know about this too because guess how

00:40

many times it takes to be successfully

00:42

identified

00:43

once one time this guy right here the

00:46

infamous dread pirate roberts or ross

00:48

irvitch or however you pronounce his

00:50

last name who founded the silk road a

00:52

billion dollar underground dark

00:54

marketplace for drugs and other stuff

00:56

how did he get caught well no it wasn't

00:58

through some extreme matrix level glitch

01:01

hacking it was his opsec he got caught

01:03

in san francisco public library his

01:05

go-to place to conduct his fraudulent

01:07

activity and well he did some bad things

01:10

such as often bragging about his work on

01:12

his linkedin page using oblique verbiage

01:15

and he used his real photograph for his

01:17

fake id

01:20

so these are just a few of the critical

01:21

elements which pieced together and led

01:23

to his downfall and these aren't

01:26

technical in nature its habits and the

01:28

public interactions that led to ross's

01:31

downfall it is essential hackers be

01:33

aware of their online and offline habits

01:35

including where they use and connect

01:37

their computers their writing style

01:39

their social media posts and their

01:41

social interactions in general basically

01:43

someone who's the exact opposite of me

01:45

here on youtube okay so an attacker has

01:48

their basic physical security down

01:50

what's next acquiring the hacking

01:52

machine used to conduct your fraudulent

01:55

offensive activities first off buy the

01:57

machine with the most untraceable and

01:59

mobile trail possible ideally this is a

02:02

laptop which is bought in a privacy

02:04

focused cryptocurrency form such as

02:06

monero or zcash once this machine has

02:08

been acquired completely wipe the

02:10

operating system windows no more and

02:13

immediately buy a usb stick to preload a

02:16

live operating system install this usb

02:19

stick right here is a live os meaning

02:22

there is no permanent storage but you

02:24

also want to make sure to enable full

02:26

disk encryption just in case of full

02:28

compromise now when you're installing a

02:30

live os it is important that you keep an

02:33

os distribution such as linux tails and

02:36

mine linux tails is a suite of privacy

02:38

focused features and functionality which

02:41

allow an adversary to stay anonymous

02:43

alright so what's the next step you must

02:45

say that is to go ahead and anonymize

02:47

your identity and network connection

02:49

there are several steps to accomplish

02:51

this now any type of unique or

02:53

pseudo-unique identifier is going to be

02:56

harmful to a hacker like you and i

02:58

because well you can be tracked by that

03:00

now from a hardware perspective one of

03:02

the most well-known identifiers is a mac

03:05

address so a mac address is a serial

03:07

number issued by the device

03:09

manufacturers it is used to identify a

03:11

device on a local network and can be

03:13

used to help identify the geographical

03:15

location of a machine in some cases

03:18

mac address spoofing or mac address

03:21

anonymization uses different mac

03:23

addresses to anonymize your identity

03:25

there are different ways you'd

03:26

accomplish this such as built-in

03:28

programs customized scripts and built-in

03:30

tools in linux tails the mac address is

03:32

temporarily changed to a random value

03:34

for each new session with tails now in

03:37

addition to mac address randomization

03:39

you're also going to want to anonymize

03:41

the ip address what is that you must say

03:44

an ip address is a network address

03:46

assigned to all machines when connecting

03:47

to other networks to accomplish ip

03:50

address optimization services such as

03:52

vpns tour for web browsing and proxies

03:55

can be used but this is all with strict

03:58

caution each of these methods introduces

04:00

intermediaries with assumptions of

04:02

complete trust vpns extend a private

04:05

encrypted network over a public network

04:07

connection tor uses a network of

04:09

computer nodes to balance a connection

04:11

between different nodes across the world

04:13

and proxies can alter the location

04:16

appearing as if the originating request

04:18

is coming from the proxy client all

04:20

three methods introduce an intermediary

04:22

or central location which can log your

04:24

traffic and send that to an authority in

04:27

order to ensure 100 anonymity you must

04:30

never

04:31

really trust a central authority but in

04:33

a modern architecture such the as the

04:35

internet that's really not realistic now

04:37

to establish these types of anonymizing

04:39

services you could go ahead and use an

04:41

open source project for instance for vpn

04:44

servers you can use openvpn or tailskill

04:47

and then you can install this on

04:48

attacker owned or controlled device or

04:50

you could just use some sort of third

04:52

party provider for tor you can download

04:54

the to our project or use a distribution

04:56

like tails which already has tour

04:58

routing enabled by default a hacker can

05:01

layer each anonymizing service upon each

05:03

other so a program like proxychains can

05:05

be used to route internet traffic

05:07

through a list of proxies on top of the

05:10

tor network to set up this demo i went

05:12

ahead and edited the proxy chains config

05:14

file and set the chain to dynamic

05:17

setting which excludes all dead proxies

05:20

then i also enabled dns requests to be

05:23

proxied through the proxy chain and i

05:25

wrote down the default proxy server

05:27

which is the sox5 through our loopback

05:30

address let's proceed to go ahead and

05:33

start up proxy chains here first thing

05:35

we need to do is make sure that tor is

05:37

on so we can go ahead and do a service

05:39

tour

05:40

start

05:42

okay once this is on we can go ahead and

05:45

go to our proxy chains

05:48

and we're gonna go ahead and use

05:50

duck

05:53

now this will take a few minutes or it

05:56

won't take anything at all see where we

05:58

are coming from we can use a dns leak

06:00

website and i found this all through an

06:02

article so just go ahead go to dns leak

06:06

and as you can see we are coming from

06:08

romania so this is a basic way to layer

06:12

both the tor network and proxy chains on

06:14

top of each other to become anonymous

06:17

okay so after this step it is finally

06:20

time to ensure that

06:22

you're not really working in the same

06:24

environment and that is separation of

06:26

environments you have to make sure that

06:28

you're separating your hacking

06:29

environment from your you know normal

06:32

everyday use environment a classic

06:34

example of machine separation is virtual

06:36

machines and containerization use

06:38

ephemeral or temporary environments when

06:40

conducting offensive security activity

06:43

it is never a good idea to use one

06:45

single environment for all activities

06:47

computer machine isolation ensures

06:49

evidence can be contained and then

06:50

destroyed and this can be really

06:52

achieved through virtualization also

06:54

hackers can use a bouncing server to

06:56

connect to their valuable infrastructure

06:58

where their offensive tools and data

07:00

lies so some cloud party provider that

07:03

doesn't really care about what happens

07:04

on their machines in this way all the

07:06

hacker has to do is have an ssh

07:08

connection into the server after they've

07:10

anonymized their identity even if the

07:12

bouncing server is destroyed or

07:13

compromised the hacker can curate and

07:15

develop a new one within a matter of

07:17

minutes so like i said before you have

07:19

to separate your offensive security work

07:21

from your everyday work environment and

07:24

in this case it's important that you're

07:26

also randomizing your network connection

07:28

so to do this you can go into public

07:30

wi-fi and you know use wi-fi map dot io

07:34

which is a resource to go look for

07:35

public open wi-fi networks and make sure

07:38

that you're randomizing exactly when

07:40

you're you know connecting to that wi-fi

07:42

remember our good boy ross you know he

07:44

uh well you know what happened to him

07:46

okay so up into this point i've talked

07:48

about anonymizing one ownes identity but

07:51

i haven't talked about actual attack so

07:54

let's say in a hacker has compromised a

07:57

network similar to the starwood myriad

08:00

case

08:00

how can they go about you know covering

08:03

up their online tracks within the

08:06

network so they're not being detected by

08:09

any security professionals like you and

08:11

i once initial access has been

08:13

established it is imperative that

08:15

attackers limit their offensive activity

08:18

so it's not a good idea to generate a

08:20

whole bunch of logs and activity once

08:23

you're entered into network it's about

08:26

stealthynessness

08:28

take a look at the solarwinds attack of

08:30

2021 the alleged adversaries kept the

08:32

tracks hidden for months by slowly

08:34

testing their capabilities through the

08:36

course of those months initial access

08:38

started september 4th of 2019 and then

08:40

by march of 2020 is when the

08:42

distribution of sunburst was deployed

08:44

and that took six months now in addition

08:47

a skilled adversary will analyze network

08:49

and user behavior and mimic this

08:51

offensive activity as closely as

08:53

possible such as conducting their

08:55

actions during the proper business hours

08:57

next hackers will blend their fraudulent

09:00

activity with common network connections

09:02

and protocols such as dns tunneling dns

09:06

or the domain name system is an

09:08

essential component to a network

09:09

translating ip addresses into those web

09:11

domains

09:12

well because dns is essential it's

09:14

usually opened so in dns tunneling it

09:17

uses seemingly harmless dns queries to

09:19

traverse between a private and public

09:21

network

09:22

a hacker could use an encrypted

09:24

connection and route their fraudulent

09:25

activity through dns take dns cat 2 an

09:29

open source command and control

09:30

framework that lives out on github which

09:32

is used to route traffic through dns in

09:34

this demo i used the windows machine to

09:36

simulate a victim and a cali machine to

09:39

simulate an attacker i downloaded dns

09:41

cat to utility on github on my kelly

09:44

machine and then the victim payload on

09:45

the windows machine which is an

09:47

executable in this case so if we go

09:49

ahead and start the dns cat to server

09:52

we need to set the security policy to

09:54

unencrypted in a real world scenario of

09:56

course you wouldn't want to do this but

09:58

i'm a script kitty so

10:00

well i'm just using this for testing

10:01

purposes and also it worked i'm a script

10:04

kitty anyway let's go ahead and get

10:06

moving forward so if we do set

10:09

that will make sure that our security

10:10

policy is

10:12

to unencrypted

10:14

now if we go into our windows machine i

10:17

already downloaded the windows 32 here i

10:20

have added the host which is this

10:22

machine's

10:24

let's go ahead and execute it

10:28

and boom as you can see we now have a

10:30

session and it's an unencrypted session

10:33

now let's go ahead and see if i can get

10:36

well i don't know notepad plus plus or

10:38

notepad open

10:40

so we what we do here is we go into

10:43

session

10:44

i

10:46

one

10:48

and then we can see our list of commands

10:50

here that we can do so for instance we

10:52

can ping or we can get a shell

10:54

but um well let's go ahead and do exec

10:57

notepad

11:01

and as you can see we now have a notepad

11:05

opened and this is all tunneled through

11:07

dns so in a real world scenario if this

11:10

was encrypted

11:11

you really wouldn't be able to notice

11:13

that this

11:14

fraudulent traffic was going through

11:16

your network unless

11:17

you had some advanced defenses in place

11:20

all right so hopefully in today's video

11:21

you've learned something new about how

11:23

hackers can hide their tracks although

11:26

this video was very let's just say

11:28

script kitty high level overview

11:30

uh you can see how even people such as

11:33

the silk road founder can be absolutely

11:36

taken down with

11:38

one poor doing but this is how hackers

11:41

do it anyway if you guys want me to do a

11:43

video on getting more technical let me

11:45

know in the comments down below yes and

11:48

until the next video

11:50

well don't be a script giddy and

11:52

that that's me have a good day guys