How do Hackers Hide Themselves? - A Guide to Staying Anonymous Online

The world has always been fascinated with Hackers. In this video, we’ll learn about how they hide themselves online. Watch the Video https://www.youtube.com/watch?v=BWVyp0wYpgA&ab_channel=GrantCollins 00:00 four years that is how long a group of 00:02 hackers were able to stay inside the 00:04 starwood marriott network without being 00:06 discovered oof how the heck does an 00:08 unauthorized party stay hidden for this 00:10 long well in today's video topic i will 00:12 address popular methods hackers will use 00:14 to stay anonymous online while hiding 00:17 their online footprint 00:19 so let's go ahead and get started all 00:20 right no the first step is not matrix 00:22 level hacking as much as we love it to 00:24 be it's actually physical security 00:26 physical security is also referred to as 00:29 operational security or opsec so if 00:31 you're one of those you know military 00:33 guys you probably know about this or if 00:35 you're just some random weird it nerd 00:37 well yeah you're probably gonna need to 00:38 know about this too because guess how 00:40 many times it takes to be successfully 00:42 identified 00:43 once one time this guy right here the 00:46 infamous dread pirate roberts or ross 00:48 irvitch or however you pronounce his 00:50 last name who founded the silk road a 00:52 billion dollar underground dark 00:54 marketplace for drugs and other stuff 00:56 how did he get caught well no it wasn't 00:58 through some extreme matrix level glitch 01:01 hacking it was his opsec he got caught 01:03 in san francisco public library his 01:05 go-to place to conduct his fraudulent 01:07 activity and well he did some bad things 01:10 such as often bragging about his work on 01:12 his linkedin page using oblique verbiage 01:15 and he used his real photograph for his 01:17 fake id 01:20 so these are just a few of the critical 01:21 elements which pieced together and led 01:23 to his downfall and these aren't 01:26 technical in nature its habits and the 01:28 public interactions that led to ross's 01:31 downfall it is essential hackers be 01:33 aware of their online and offline habits 01:35 including where they use and connect 01:37 their computers their writing style 01:39 their social media posts and their 01:41 social interactions in general basically 01:43 someone who's the exact opposite of me 01:45 here on youtube okay so an attacker has 01:48 their basic physical security down 01:50 what's next acquiring the hacking 01:52 machine used to conduct your fraudulent 01:55 offensive activities first off buy the 01:57 machine with the most untraceable and 01:59 mobile trail possible ideally this is a 02:02 laptop which is bought in a privacy 02:04 focused cryptocurrency form such as 02:06 monero or zcash once this machine has 02:08 been acquired completely wipe the 02:10 operating system windows no more and 02:13 immediately buy a usb stick to preload a 02:16 live operating system install this usb 02:19 stick right here is a live os meaning 02:22 there is no permanent storage but you 02:24 also want to make sure to enable full 02:26 disk encryption just in case of full 02:28 compromise now when you're installing a 02:30 live os it is important that you keep an 02:33 os distribution such as linux tails and 02:36 mine linux tails is a suite of privacy 02:38 focused features and functionality which 02:41 allow an adversary to stay anonymous 02:43 alright so what's the next step you must 02:45 say that is to go ahead and anonymize 02:47 your identity and network connection 02:49 there are several steps to accomplish 02:51 this now any type of unique or 02:53 pseudo-unique identifier is going to be 02:56 harmful to a hacker like you and i 02:58 because well you can be tracked by that 03:00 now from a hardware perspective one of 03:02 the most well-known identifiers is a mac 03:05 address so a mac address is a serial 03:07 number issued by the device 03:09 manufacturers it is used to identify a 03:11 device on a local network and can be 03:13 used to help identify the geographical 03:15 location of a machine in some cases 03:18 mac address spoofing or mac address 03:21 anonymization uses different mac 03:23 addresses to anonymize your identity 03:25 there are different ways you'd 03:26 accomplish this such as built-in 03:28 programs customized scripts and built-in 03:30 tools in linux tails the mac address is 03:32 temporarily changed to a random value 03:34 for each new session with tails now in 03:37 addition to mac address randomization 03:39 you're also going to want to anonymize 03:41 the ip address what is that you must say 03:44 an ip address is a network address 03:46 assigned to all machines when connecting 03:47 to other networks to accomplish ip 03:50 address optimization services such as 03:52 vpns tour for web browsing and proxies 03:55 can be used but this is all with strict 03:58 caution each of these methods introduces 04:00 intermediaries with assumptions of 04:02 complete trust vpns extend a private 04:05 encrypted network over a public network 04:07 connection tor uses a network of 04:09 computer nodes to balance a connection 04:11 between different nodes across the world 04:13 and proxies can alter the location 04:16 appearing as if the originating request 04:18 is coming from the proxy client all 04:20 three methods introduce an intermediary 04:22 or central location which can log your 04:24 traffic and send that to an authority in 04:27 order to ensure 100 anonymity you must 04:30 never 04:31 really trust a central authority but in 04:33 a modern architecture such the as the 04:35 internet that's really not realistic now 04:37 to establish these types of anonymizing 04:39 services you could go ahead and use an 04:41 open source project for instance for vpn 04:44 servers you can use openvpn or tailskill 04:47 and then you can install this on 04:48 attacker owned or controlled device or 04:50 you could just use some sort of third 04:52 party provider for tor you can download 04:54 the to our project or use a distribution 04:56 like tails which already has tour 04:58 routing enabled by default a hacker can 05:01 layer each anonymizing service upon each 05:03 other so a program like proxychains can 05:05 be used to route internet traffic 05:07 through a list of proxies on top of the 05:10 tor network to set up this demo i went 05:12 ahead and edited the proxy chains config 05:14 file and set the chain to dynamic 05:17 setting which excludes all dead proxies 05:20 then i also enabled dns requests to be 05:23 proxied through the proxy chain and i 05:25 wrote down the default proxy server 05:27 which is the sox5 through our loopback 05:30 address let's proceed to go ahead and 05:33 start up proxy chains here first thing 05:35 we need to do is make sure that tor is 05:37 on so we can go ahead and do a service 05:39 tour 05:40 start 05:42 okay once this is on we can go ahead and 05:45 go to our proxy chains 05:48 and we're gonna go ahead and use 05:50 duck 05:53 now this will take a few minutes or it 05:56 won't take anything at all see where we 05:58 are coming from we can use a dns leak 06:00 website and i found this all through an 06:02 article so just go ahead go to dns leak 06:06 and as you can see we are coming from 06:08 romania so this is a basic way to layer 06:12 both the tor network and proxy chains on 06:14 top of each other to become anonymous 06:17 okay so after this step it is finally 06:20 time to ensure that 06:22 you're not really working in the same 06:24 environment and that is separation of 06:26 environments you have to make sure that 06:28 you're separating your hacking 06:29 environment from your you know normal 06:32 everyday use environment a classic 06:34 example of machine separation is virtual 06:36 machines and containerization use 06:38 ephemeral or temporary environments when 06:40 conducting offensive security activity 06:43 it is never a good idea to use one 06:45 single environment for all activities 06:47 computer machine isolation ensures 06:49 evidence can be contained and then 06:50 destroyed and this can be really 06:52 achieved through virtualization also 06:54 hackers can use a bouncing server to 06:56 connect to their valuable infrastructure 06:58 where their offensive tools and data 07:00 lies so some cloud party provider that 07:03 doesn't really care about what happens 07:04 on their machines in this way all the 07:06 hacker has to do is have an ssh 07:08 connection into the server after they've 07:10 anonymized their identity even if the 07:12 bouncing server is destroyed or 07:13 compromised the hacker can curate and 07:15 develop a new one within a matter of 07:17 minutes so like i said before you have 07:19 to separate your offensive security work 07:21 from your everyday work environment and 07:24 in this case it's important that you're 07:26 also randomizing your network connection 07:28 so to do this you can go into public 07:30 wi-fi and you know use wi-fi map dot io 07:34 which is a resource to go look for 07:35 public open wi-fi networks and make sure 07:38 that you're randomizing exactly when 07:40 you're you know connecting to that wi-fi 07:42 remember our good boy ross you know he 07:44 uh well you know what happened to him 07:46 okay so up into this point i've talked 07:48 about anonymizing one ownes identity but 07:51 i haven't talked about actual attack so 07:54 let's say in a hacker has compromised a 07:57 network similar to the starwood myriad 08:00 case 08:00 how can they go about you know covering 08:03 up their online tracks within the 08:06 network so they're not being detected by 08:09 any security professionals like you and 08:11 i once initial access has been 08:13 established it is imperative that 08:15 attackers limit their offensive activity 08:18 so it's not a good idea to generate a 08:20 whole bunch of logs and activity once 08:23 you're entered into network it's about 08:26 stealthynessness 08:28 take a look at the solarwinds attack of 08:30 2021 the alleged adversaries kept the 08:32 tracks hidden for months by slowly 08:34 testing their capabilities through the 08:36 course of those months initial access 08:38 started september 4th of 2019 and then 08:40 by march of 2020 is when the 08:42 distribution of sunburst was deployed 08:44 and that took six months now in addition 08:47 a skilled adversary will analyze network 08:49 and user behavior and mimic this 08:51 offensive activity as closely as 08:53 possible such as conducting their 08:55 actions during the proper business hours 08:57 next hackers will blend their fraudulent 09:00 activity with common network connections 09:02 and protocols such as dns tunneling dns 09:06 or the domain name system is an 09:08 essential component to a network 09:09 translating ip addresses into those web 09:11 domains 09:12 well because dns is essential it's 09:14 usually opened so in dns tunneling it 09:17 uses seemingly harmless dns queries to 09:19 traverse between a private and public 09:21 network 09:22 a hacker could use an encrypted 09:24 connection and route their fraudulent 09:25 activity through dns take dns cat 2 an 09:29 open source command and control 09:30 framework that lives out on github which 09:32 is used to route traffic through dns in 09:34 this demo i used the windows machine to 09:36 simulate a victim and a cali machine to 09:39 simulate an attacker i downloaded dns 09:41 cat to utility on github on my kelly 09:44 machine and then the victim payload on 09:45 the windows machine which is an 09:47 executable in this case so if we go 09:49 ahead and start the dns cat to server 09:52 we need to set the security policy to 09:54 unencrypted in a real world scenario of 09:56 course you wouldn't want to do this but 09:58 i'm a script kitty so 10:00 well i'm just using this for testing 10:01 purposes and also it worked i'm a script 10:04 kitty anyway let's go ahead and get 10:06 moving forward so if we do set 10:09 that will make sure that our security 10:10 policy is 10:12 to unencrypted 10:14 now if we go into our windows machine i 10:17 already downloaded the windows 32 here i 10:20 have added the host which is this 10:22 machine's 10:24 let's go ahead and execute it 10:28 and boom as you can see we now have a 10:30 session and it's an unencrypted session 10:33 now let's go ahead and see if i can get 10:36 well i don't know notepad plus plus or 10:38 notepad open 10:40 so we what we do here is we go into 10:43 session 10:44 i 10:46 one 10:48 and then we can see our list of commands 10:50 here that we can do so for instance we 10:52 can ping or we can get a shell 10:54 but um well let's go ahead and do exec 10:57 notepad 11:01 and as you can see we now have a notepad 11:05 opened and this is all tunneled through 11:07 dns so in a real world scenario if this 11:10 was encrypted 11:11 you really wouldn't be able to notice 11:13 that this 11:14 fraudulent traffic was going through 11:16 your network unless 11:17 you had some advanced defenses in place 11:20 all right so hopefully in today's video 11:21 you've learned something new about how 11:23 hackers can hide their tracks although 11:26 this video was very let's just say 11:28 script kitty high level overview 11:30 uh you can see how even people such as 11:33 the silk road founder can be absolutely 11:36 taken down with 11:38 one poor doing but this is how hackers 11:41 do it anyway if you guys want me to do a 11:43 video on getting more technical let me 11:45 know in the comments down below yes and 11:48 until the next video 11:50 well don't be a script giddy and 11:52 that that's me have a good day guys