How do Hackers Hide Themselves? - A Guide to Staying Anonymous Online by@grantcollins

How do Hackers Hide Themselves? - A Guide to Staying Anonymous Online

image
Grant Collins HackerNoon profile picture

Grant Collins

An I.T. nerd who wants to think he is good at cybersecurity but really is just a script kiddie.

The world has always been fascinated with Hackers. In this video, we’ll learn about how they hide themselves online.

Watch the Video

https://www.youtube.com/watch?v=BWVyp0wYpgA&ab_channel=GrantCollins

00:00

four years that is how long a group of

00:02

hackers were able to stay inside the

00:04

starwood marriott network without being

00:06

discovered oof how the heck does an

00:08

unauthorized party stay hidden for this

00:10

long well in today's video topic i will

00:12

address popular methods hackers will use

00:14

to stay anonymous online while hiding

00:17

their online footprint

00:19

so let's go ahead and get started all

00:20

right no the first step is not matrix

00:22

level hacking as much as we love it to

00:24

be it's actually physical security

00:26

physical security is also referred to as

00:29

operational security or opsec so if

00:31

you're one of those you know military

00:33

guys you probably know about this or if

00:35

you're just some random weird it nerd

00:37

well yeah you're probably gonna need to

00:38

know about this too because guess how

00:40

many times it takes to be successfully

00:42

identified

00:43

once one time this guy right here the

00:46

infamous dread pirate roberts or ross

00:48

irvitch or however you pronounce his

00:50

last name who founded the silk road a

00:52

billion dollar underground dark

00:54

marketplace for drugs and other stuff

00:56

how did he get caught well no it wasn't

00:58

through some extreme matrix level glitch

01:01

hacking it was his opsec he got caught

01:03

in san francisco public library his

01:05

go-to place to conduct his fraudulent

01:07

activity and well he did some bad things

01:10

such as often bragging about his work on

01:12

his linkedin page using oblique verbiage

01:15

and he used his real photograph for his

01:17

fake id

01:20

so these are just a few of the critical

01:21

elements which pieced together and led

01:23

to his downfall and these aren't

01:26

technical in nature its habits and the

01:28

public interactions that led to ross's

01:31

downfall it is essential hackers be

01:33

aware of their online and offline habits

01:35

including where they use and connect

01:37

their computers their writing style

01:39

their social media posts and their

01:41

social interactions in general basically

01:43

someone who's the exact opposite of me

01:45

here on youtube okay so an attacker has

01:48

their basic physical security down

01:50

what's next acquiring the hacking

01:52

machine used to conduct your fraudulent

01:55

offensive activities first off buy the

01:57

machine with the most untraceable and

01:59

mobile trail possible ideally this is a

02:02

laptop which is bought in a privacy

02:04

focused cryptocurrency form such as

02:06

monero or zcash once this machine has

02:08

been acquired completely wipe the

02:10

operating system windows no more and

02:13

immediately buy a usb stick to preload a

02:16

live operating system install this usb

02:19

stick right here is a live os meaning

02:22

there is no permanent storage but you

02:24

also want to make sure to enable full

02:26

disk encryption just in case of full

02:28

compromise now when you're installing a

02:30

live os it is important that you keep an

02:33

os distribution such as linux tails and

02:36

mine linux tails is a suite of privacy

02:38

focused features and functionality which

02:41

allow an adversary to stay anonymous

02:43

alright so what's the next step you must

02:45

say that is to go ahead and anonymize

02:47

your identity and network connection

02:49

there are several steps to accomplish

02:51

this now any type of unique or

02:53

pseudo-unique identifier is going to be

02:56

harmful to a hacker like you and i

02:58

because well you can be tracked by that

03:00

now from a hardware perspective one of

03:02

the most well-known identifiers is a mac

03:05

address so a mac address is a serial

03:07

number issued by the device

03:09

manufacturers it is used to identify a

03:11

device on a local network and can be

03:13

used to help identify the geographical

03:15

location of a machine in some cases

03:18

mac address spoofing or mac address

03:21

anonymization uses different mac

03:23

addresses to anonymize your identity

03:25

there are different ways you'd

03:26

accomplish this such as built-in

03:28

programs customized scripts and built-in

03:30

tools in linux tails the mac address is

03:32

temporarily changed to a random value

03:34

for each new session with tails now in

03:37

addition to mac address randomization

03:39

you're also going to want to anonymize

03:41

the ip address what is that you must say

03:44

an ip address is a network address

03:46

assigned to all machines when connecting

03:47

to other networks to accomplish ip

03:50

address optimization services such as

03:52

vpns tour for web browsing and proxies

03:55

can be used but this is all with strict

03:58

caution each of these methods introduces

04:00

intermediaries with assumptions of

04:02

complete trust vpns extend a private

04:05

encrypted network over a public network

04:07

connection tor uses a network of

04:09

computer nodes to balance a connection

04:11

between different nodes across the world

04:13

and proxies can alter the location

04:16

appearing as if the originating request

04:18

is coming from the proxy client all

04:20

three methods introduce an intermediary

04:22

or central location which can log your

04:24

traffic and send that to an authority in

04:27

order to ensure 100 anonymity you must

04:30

never

04:31

really trust a central authority but in

04:33

a modern architecture such the as the

04:35

internet that's really not realistic now

04:37

to establish these types of anonymizing

04:39

services you could go ahead and use an

04:41

open source project for instance for vpn

04:44

servers you can use openvpn or tailskill

04:47

and then you can install this on

04:48

attacker owned or controlled device or

04:50

you could just use some sort of third

04:52

party provider for tor you can download

04:54

the to our project or use a distribution

04:56

like tails which already has tour

04:58

routing enabled by default a hacker can

05:01

layer each anonymizing service upon each

05:03

other so a program like proxychains can

05:05

be used to route internet traffic

05:07

through a list of proxies on top of the

05:10

tor network to set up this demo i went

05:12

ahead and edited the proxy chains config

05:14

file and set the chain to dynamic

05:17

setting which excludes all dead proxies

05:20

then i also enabled dns requests to be

05:23

proxied through the proxy chain and i

05:25

wrote down the default proxy server

05:27

which is the sox5 through our loopback

05:30

address let's proceed to go ahead and

05:33

start up proxy chains here first thing

05:35

we need to do is make sure that tor is

05:37

on so we can go ahead and do a service

05:39

tour

05:40

start

05:42

okay once this is on we can go ahead and

05:45

go to our proxy chains

05:48

and we're gonna go ahead and use

05:50

duck

05:53

now this will take a few minutes or it

05:56

won't take anything at all see where we

05:58

are coming from we can use a dns leak

06:00

website and i found this all through an

06:02

article so just go ahead go to dns leak

06:06

and as you can see we are coming from

06:08

romania so this is a basic way to layer

06:12

both the tor network and proxy chains on

06:14

top of each other to become anonymous

06:17

okay so after this step it is finally

06:20

time to ensure that

06:22

you're not really working in the same

06:24

environment and that is separation of

06:26

environments you have to make sure that

06:28

you're separating your hacking

06:29

environment from your you know normal

06:32

everyday use environment a classic

06:34

example of machine separation is virtual

06:36

machines and containerization use

06:38

ephemeral or temporary environments when

06:40

conducting offensive security activity

06:43

it is never a good idea to use one

06:45

single environment for all activities

06:47

computer machine isolation ensures

06:49

evidence can be contained and then

06:50

destroyed and this can be really

06:52

achieved through virtualization also

06:54

hackers can use a bouncing server to

06:56

connect to their valuable infrastructure

06:58

where their offensive tools and data

07:00

lies so some cloud party provider that

07:03

doesn't really care about what happens

07:04

on their machines in this way all the

07:06

hacker has to do is have an ssh

07:08

connection into the server after they've

07:10

anonymized their identity even if the

07:12

bouncing server is destroyed or

07:13

compromised the hacker can curate and

07:15

develop a new one within a matter of

07:17

minutes so like i said before you have

07:19

to separate your offensive security work

07:21

from your everyday work environment and

07:24

in this case it's important that you're

07:26

also randomizing your network connection

07:28

so to do this you can go into public

07:30

wi-fi and you know use wi-fi map dot io

07:34

which is a resource to go look for

07:35

public open wi-fi networks and make sure

07:38

that you're randomizing exactly when

07:40

you're you know connecting to that wi-fi

07:42

remember our good boy ross you know he

07:44

uh well you know what happened to him

07:46

okay so up into this point i've talked

07:48

about anonymizing one ownes identity but

07:51

i haven't talked about actual attack so

07:54

let's say in a hacker has compromised a

07:57

network similar to the starwood myriad

08:00

case

08:00

how can they go about you know covering

08:03

up their online tracks within the

08:06

network so they're not being detected by

08:09

any security professionals like you and

08:11

i once initial access has been

08:13

established it is imperative that

08:15

attackers limit their offensive activity

08:18

so it's not a good idea to generate a

08:20

whole bunch of logs and activity once

08:23

you're entered into network it's about

08:26

stealthynessness

08:28

take a look at the solarwinds attack of

08:30

2021 the alleged adversaries kept the

08:32

tracks hidden for months by slowly

08:34

testing their capabilities through the

08:36

course of those months initial access

08:38

started september 4th of 2019 and then

08:40

by march of 2020 is when the

08:42

distribution of sunburst was deployed

08:44

and that took six months now in addition

08:47

a skilled adversary will analyze network

08:49

and user behavior and mimic this

08:51

offensive activity as closely as

08:53

possible such as conducting their

08:55

actions during the proper business hours

08:57

next hackers will blend their fraudulent

09:00

activity with common network connections

09:02

and protocols such as dns tunneling dns

09:06

or the domain name system is an

09:08

essential component to a network

09:09

translating ip addresses into those web

09:11

domains

09:12

well because dns is essential it's

09:14

usually opened so in dns tunneling it

09:17

uses seemingly harmless dns queries to

09:19

traverse between a private and public

09:21

network

09:22

a hacker could use an encrypted

09:24

connection and route their fraudulent

09:25

activity through dns take dns cat 2 an

09:29

open source command and control

09:30

framework that lives out on github which

09:32

is used to route traffic through dns in

09:34

this demo i used the windows machine to

09:36

simulate a victim and a cali machine to

09:39

simulate an attacker i downloaded dns

09:41

cat to utility on github on my kelly

09:44

machine and then the victim payload on

09:45

the windows machine which is an

09:47

executable in this case so if we go

09:49

ahead and start the dns cat to server

09:52

we need to set the security policy to

09:54

unencrypted in a real world scenario of

09:56

course you wouldn't want to do this but

09:58

i'm a script kitty so

10:00

well i'm just using this for testing

10:01

purposes and also it worked i'm a script

10:04

kitty anyway let's go ahead and get

10:06

moving forward so if we do set

10:09

that will make sure that our security

10:10

policy is

10:12

to unencrypted

10:14

now if we go into our windows machine i

10:17

already downloaded the windows 32 here i

10:20

have added the host which is this

10:22

machine's

10:24

let's go ahead and execute it

10:28

and boom as you can see we now have a

10:30

session and it's an unencrypted session

10:33

now let's go ahead and see if i can get

10:36

well i don't know notepad plus plus or

10:38

notepad open

10:40

so we what we do here is we go into

10:43

session

10:44

i

10:46

one

10:48

and then we can see our list of commands

10:50

here that we can do so for instance we

10:52

can ping or we can get a shell

10:54

but um well let's go ahead and do exec

10:57

notepad

11:01

and as you can see we now have a notepad

11:05

opened and this is all tunneled through

11:07

dns so in a real world scenario if this

11:10

was encrypted

11:11

you really wouldn't be able to notice

11:13

that this

11:14

fraudulent traffic was going through

11:16

your network unless

11:17

you had some advanced defenses in place

11:20

all right so hopefully in today's video

11:21

you've learned something new about how

11:23

hackers can hide their tracks although

11:26

this video was very let's just say

11:28

script kitty high level overview

11:30

uh you can see how even people such as

11:33

the silk road founder can be absolutely

11:36

taken down with

11:38

one poor doing but this is how hackers

11:41

do it anyway if you guys want me to do a

11:43

video on getting more technical let me

11:45

know in the comments down below yes and

11:48

until the next video

11:50

well don't be a script giddy and

11:52

that that's me have a good day guys



The world has always been fascinated with Hackers. In this video, we’ll learn about how they hide themselves online.

Watch the Video

https://www.youtube.com/watch?v=BWVyp0wYpgA&ab_channel=GrantCollins

00:00

four years that is how long a group of

00:02

hackers were able to stay inside the

00:04

starwood marriott network without being

00:06

discovered oof how the heck does an

00:08

unauthorized party stay hidden for this

00:10

long well in today's video topic i will

00:12

address popular methods hackers will use

00:14

to stay anonymous online while hiding

00:17

their online footprint

00:19

so let's go ahead and get started all

00:20

right no the first step is not matrix

00:22

level hacking as much as we love it to

00:24

be it's actually physical security

00:26

physical security is also referred to as

00:29

operational security or opsec so if

00:31

you're one of those you know military

00:33

guys you probably know about this or if

00:35

you're just some random weird it nerd

00:37

well yeah you're probably gonna need to

00:38

know about this too because guess how

00:40

many times it takes to be successfully

00:42

identified

00:43

once one time this guy right here the

00:46

infamous dread pirate roberts or ross

00:48

irvitch or however you pronounce his

00:50

last name who founded the silk road a

00:52

billion dollar underground dark

00:54

marketplace for drugs and other stuff

00:56

how did he get caught well no it wasn't

00:58

through some extreme matrix level glitch

01:01

hacking it was his opsec he got caught

01:03

in san francisco public library his

01:05

go-to place to conduct his fraudulent

01:07

activity and well he did some bad things

01:10

such as often bragging about his work on

01:12

his linkedin page using oblique verbiage

01:15

and he used his real photograph for his

01:17

fake id

01:20

so these are just a few of the critical

01:21

elements which pieced together and led

01:23

to his downfall and these aren't

01:26

technical in nature its habits and the

01:28

public interactions that led to ross's

01:31

downfall it is essential hackers be

01:33

aware of their online and offline habits

01:35

including where they use and connect

01:37

their computers their writing style

01:39

their social media posts and their

01:41

social interactions in general basically

01:43

someone who's the exact opposite of me

01:45

here on youtube okay so an attacker has

01:48

their basic physical security down

01:50

what's next acquiring the hacking

01:52

machine used to conduct your fraudulent

01:55

offensive activities first off buy the

01:57

machine with the most untraceable and

01:59

mobile trail possible ideally this is a

02:02

laptop which is bought in a privacy

02:04

focused cryptocurrency form such as

02:06

monero or zcash once this machine has

02:08

been acquired completely wipe the

02:10

operating system windows no more and

02:13

immediately buy a usb stick to preload a

02:16

live operating system install this usb

02:19

stick right here is a live os meaning

02:22

there is no permanent storage but you

02:24

also want to make sure to enable full

02:26

disk encryption just in case of full

02:28

compromise now when you're installing a

02:30

live os it is important that you keep an

02:33

os distribution such as linux tails and

02:36

mine linux tails is a suite of privacy

02:38

focused features and functionality which

02:41

allow an adversary to stay anonymous

02:43

alright so what's the next step you must

02:45

say that is to go ahead and anonymize

02:47

your identity and network connection

02:49

there are several steps to accomplish

02:51

this now any type of unique or

02:53

pseudo-unique identifier is going to be

02:56

harmful to a hacker like you and i

02:58

because well you can be tracked by that

03:00

now from a hardware perspective one of

03:02

the most well-known identifiers is a mac

03:05

address so a mac address is a serial

03:07

number issued by the device

03:09

manufacturers it is used to identify a

03:11

device on a local network and can be

03:13

used to help identify the geographical

03:15

location of a machine in some cases

03:18

mac address spoofing or mac address

03:21

anonymization uses different mac

03:23

addresses to anonymize your identity

03:25

there are different ways you'd

03:26

accomplish this such as built-in

03:28

programs customized scripts and built-in

03:30

tools in linux tails the mac address is

03:32

temporarily changed to a random value

03:34

for each new session with tails now in

03:37

addition to mac address randomization

03:39

you're also going to want to anonymize

03:41

the ip address what is that you must say

03:44

an ip address is a network address

03:46

assigned to all machines when connecting

03:47

to other networks to accomplish ip

03:50

address optimization services such as

03:52

vpns tour for web browsing and proxies

03:55

can be used but this is all with strict

03:58

caution each of these methods introduces

04:00

intermediaries with assumptions of

04:02

complete trust vpns extend a private

04:05

encrypted network over a public network

04:07

connection tor uses a network of

04:09

computer nodes to balance a connection

04:11

between different nodes across the world

04:13

and proxies can alter the location

04:16

appearing as if the originating request

04:18

is coming from the proxy client all

04:20

three methods introduce an intermediary

04:22

or central location which can log your

04:24

traffic and send that to an authority in

04:27

order to ensure 100 anonymity you must

04:30

never

04:31

really trust a central authority but in

04:33

a modern architecture such the as the

04:35

internet that's really not realistic now

04:37

to establish these types of anonymizing

04:39

services you could go ahead and use an

04:41

open source project for instance for vpn

04:44

servers you can use openvpn or tailskill

04:47

and then you can install this on

04:48

attacker owned or controlled device or

04:50

you could just use some sort of third

04:52

party provider for tor you can download

04:54

the to our project or use a distribution

04:56

like tails which already has tour

04:58

routing enabled by default a hacker can

05:01

layer each anonymizing service upon each

05:03

other so a program like proxychains can

05:05

be used to route internet traffic

05:07

through a list of proxies on top of the

05:10

tor network to set up this demo i went

05:12

ahead and edited the proxy chains config

05:14

file and set the chain to dynamic

05:17

setting which excludes all dead proxies

05:20

then i also enabled dns requests to be

05:23

proxied through the proxy chain and i

05:25

wrote down the default proxy server

05:27

which is the sox5 through our loopback

05:30

address let's proceed to go ahead and

05:33

start up proxy chains here first thing

05:35

we need to do is make sure that tor is

05:37

on so we can go ahead and do a service

05:39

tour

05:40

start

05:42

okay once this is on we can go ahead and

05:45

go to our proxy chains

05:48

and we're gonna go ahead and use

05:50

duck

05:53

now this will take a few minutes or it

05:56

won't take anything at all see where we

05:58

are coming from we can use a dns leak

06:00

website and i found this all through an

06:02

article so just go ahead go to dns leak

06:06

and as you can see we are coming from

06:08

romania so this is a basic way to layer

06:12

both the tor network and proxy chains on

06:14

top of each other to become anonymous

06:17

okay so after this step it is finally

06:20

time to ensure that

06:22

you're not really working in the same

06:24

environment and that is separation of

06:26

environments you have to make sure that

06:28

you're separating your hacking

06:29

environment from your you know normal

06:32

everyday use environment a classic

06:34

example of machine separation is virtual

06:36

machines and containerization use

06:38

ephemeral or temporary environments when

06:40

conducting offensive security activity

06:43

it is never a good idea to use one

06:45

single environment for all activities

06:47

computer machine isolation ensures

06:49

evidence can be contained and then

06:50

destroyed and this can be really

06:52

achieved through virtualization also

06:54

hackers can use a bouncing server to

06:56

connect to their valuable infrastructure

06:58

where their offensive tools and data

07:00

lies so some cloud party provider that

07:03

doesn't really care about what happens

07:04

on their machines in this way all the

07:06

hacker has to do is have an ssh

07:08

connection into the server after they've

07:10

anonymized their identity even if the

07:12

bouncing server is destroyed or

07:13

compromised the hacker can curate and

07:15

develop a new one within a matter of

07:17

minutes so like i said before you have

07:19

to separate your offensive security work

07:21

from your everyday work environment and

07:24

in this case it's important that you're

07:26

also randomizing your network connection

07:28

so to do this you can go into public

07:30

wi-fi and you know use wi-fi map dot io

07:34

which is a resource to go look for

07:35

public open wi-fi networks and make sure

07:38

that you're randomizing exactly when

07:40

you're you know connecting to that wi-fi

07:42

remember our good boy ross you know he

07:44

uh well you know what happened to him

07:46

okay so up into this point i've talked

07:48

about anonymizing one ownes identity but

07:51

i haven't talked about actual attack so

07:54

let's say in a hacker has compromised a

07:57

network similar to the starwood myriad

08:00

case

08:00

how can they go about you know covering

08:03

up their online tracks within the

08:06

network so they're not being detected by

08:09

any security professionals like you and

08:11

i once initial access has been

08:13

established it is imperative that

08:15

attackers limit their offensive activity

08:18

so it's not a good idea to generate a

08:20

whole bunch of logs and activity once

08:23

you're entered into network it's about

08:26

stealthynessness

08:28

take a look at the solarwinds attack of

08:30

2021 the alleged adversaries kept the

08:32

tracks hidden for months by slowly

08:34

testing their capabilities through the

08:36

course of those months initial access

08:38

started september 4th of 2019 and then

08:40

by march of 2020 is when the

08:42

distribution of sunburst was deployed

08:44

and that took six months now in addition

08:47

a skilled adversary will analyze network

08:49

and user behavior and mimic this

08:51

offensive activity as closely as

08:53

possible such as conducting their

08:55

actions during the proper business hours

08:57

next hackers will blend their fraudulent

09:00

activity with common network connections

09:02

and protocols such as dns tunneling dns

09:06

or the domain name system is an

09:08

essential component to a network

09:09

translating ip addresses into those web

09:11

domains

09:12

well because dns is essential it's

09:14

usually opened so in dns tunneling it

09:17

uses seemingly harmless dns queries to

09:19

traverse between a private and public

09:21

network

09:22

a hacker could use an encrypted

09:24

connection and route their fraudulent

09:25

activity through dns take dns cat 2 an

09:29

open source command and control

09:30

framework that lives out on github which

09:32

is used to route traffic through dns in

09:34

this demo i used the windows machine to

09:36

simulate a victim and a cali machine to

09:39

simulate an attacker i downloaded dns

09:41

cat to utility on github on my kelly

09:44

machine and then the victim payload on

09:45

the windows machine which is an

09:47

executable in this case so if we go

09:49

ahead and start the dns cat to server

09:52

we need to set the security policy to

09:54

unencrypted in a real world scenario of

09:56

course you wouldn't want to do this but

09:58

i'm a script kitty so

10:00

well i'm just using this for testing

10:01

purposes and also it worked i'm a script

10:04

kitty anyway let's go ahead and get

10:06

moving forward so if we do set

10:09

that will make sure that our security

10:10

policy is

10:12

to unencrypted

10:14

now if we go into our windows machine i

10:17

already downloaded the windows 32 here i

10:20

have added the host which is this

10:22

machine's

10:24

let's go ahead and execute it

10:28

and boom as you can see we now have a

10:30

session and it's an unencrypted session

10:33

now let's go ahead and see if i can get

10:36

well i don't know notepad plus plus or

10:38

notepad open

10:40

so we what we do here is we go into

10:43

session

10:44

i

10:46

one

10:48

and then we can see our list of commands

10:50

here that we can do so for instance we

10:52

can ping or we can get a shell

10:54

but um well let's go ahead and do exec

10:57

notepad

11:01

and as you can see we now have a notepad

11:05

opened and this is all tunneled through

11:07

dns so in a real world scenario if this

11:10

was encrypted

11:11

you really wouldn't be able to notice

11:13

that this

11:14

fraudulent traffic was going through

11:16

your network unless

11:17

you had some advanced defenses in place

11:20

all right so hopefully in today's video

11:21

you've learned something new about how

11:23

hackers can hide their tracks although

11:26

this video was very let's just say

11:28

script kitty high level overview

11:30

uh you can see how even people such as

11:33

the silk road founder can be absolutely

11:36

taken down with

11:38

one poor doing but this is how hackers

11:41

do it anyway if you guys want me to do a

11:43

video on getting more technical let me

11:45

know in the comments down below yes and

11:48

until the next video

11:50

well don't be a script giddy and

11:52

that that's me have a good day guys


Grant Collins HackerNoon profile picture
by Grant Collins @grantcollins.An I.T. nerd who wants to think he is good at cybersecurity but really is just a script kiddie.
Read my stories

Comments

Signup or Login to Join the Discussion

Tags

Related Stories