The world has always been fascinated with Hackers. In this video, we’ll learn about how they hide themselves online.
Watch the Video
https://www.youtube.com/watch?v=BWVyp0wYpgA&ab_channel=GrantCollins
00:00
four years that is how long a group of
00:02
hackers were able to stay inside the
00:04
starwood marriott network without being
00:06
discovered oof how the heck does an
00:08
unauthorized party stay hidden for this
00:10
long well in today's video topic i will
00:12
address popular methods hackers will use
00:14
to stay anonymous online while hiding
00:17
their online footprint
00:19
so let's go ahead and get started all
00:20
right no the first step is not matrix
00:22
level hacking as much as we love it to
00:24
be it's actually physical security
00:26
physical security is also referred to as
00:29
operational security or opsec so if
00:31
you're one of those you know military
00:33
guys you probably know about this or if
00:35
you're just some random weird it nerd
00:37
well yeah you're probably gonna need to
00:38
know about this too because guess how
00:40
many times it takes to be successfully
00:42
identified
00:43
once one time this guy right here the
00:46
infamous dread pirate roberts or ross
00:48
irvitch or however you pronounce his
00:50
last name who founded the silk road a
00:52
billion dollar underground dark
00:54
marketplace for drugs and other stuff
00:56
how did he get caught well no it wasn't
00:58
through some extreme matrix level glitch
01:01
hacking it was his opsec he got caught
01:03
in san francisco public library his
01:05
go-to place to conduct his fraudulent
01:07
activity and well he did some bad things
01:10
such as often bragging about his work on
01:12
his linkedin page using oblique verbiage
01:15
and he used his real photograph for his
01:17
fake id
01:20
so these are just a few of the critical
01:21
elements which pieced together and led
01:23
to his downfall and these aren't
01:26
technical in nature its habits and the
01:28
public interactions that led to ross's
01:31
downfall it is essential hackers be
01:33
aware of their online and offline habits
01:35
including where they use and connect
01:37
their computers their writing style
01:39
their social media posts and their
01:41
social interactions in general basically
01:43
someone who's the exact opposite of me
01:45
here on youtube okay so an attacker has
01:48
their basic physical security down
01:50
what's next acquiring the hacking
01:52
machine used to conduct your fraudulent
01:55
offensive activities first off buy the
01:57
machine with the most untraceable and
01:59
mobile trail possible ideally this is a
02:02
laptop which is bought in a privacy
02:04
focused cryptocurrency form such as
02:06
monero or zcash once this machine has
02:08
been acquired completely wipe the
02:10
operating system windows no more and
02:13
immediately buy a usb stick to preload a
02:16
live operating system install this usb
02:19
stick right here is a live os meaning
02:22
there is no permanent storage but you
02:24
also want to make sure to enable full
02:26
disk encryption just in case of full
02:28
compromise now when you're installing a
02:30
live os it is important that you keep an
02:33
os distribution such as linux tails and
02:36
mine linux tails is a suite of privacy
02:38
focused features and functionality which
02:41
allow an adversary to stay anonymous
02:43
alright so what's the next step you must
02:45
say that is to go ahead and anonymize
02:47
your identity and network connection
02:49
there are several steps to accomplish
02:51
this now any type of unique or
02:53
pseudo-unique identifier is going to be
02:56
harmful to a hacker like you and i
02:58
because well you can be tracked by that
03:00
now from a hardware perspective one of
03:02
the most well-known identifiers is a mac
03:05
address so a mac address is a serial
03:07
number issued by the device
03:09
manufacturers it is used to identify a
03:11
device on a local network and can be
03:13
used to help identify the geographical
03:15
location of a machine in some cases
03:18
mac address spoofing or mac address
03:21
anonymization uses different mac
03:23
addresses to anonymize your identity
03:25
there are different ways you'd
03:26
accomplish this such as built-in
03:28
programs customized scripts and built-in
03:30
tools in linux tails the mac address is
03:32
temporarily changed to a random value
03:34
for each new session with tails now in
03:37
addition to mac address randomization
03:39
you're also going to want to anonymize
03:41
the ip address what is that you must say
03:44
an ip address is a network address
03:46
assigned to all machines when connecting
03:47
to other networks to accomplish ip
03:50
address optimization services such as
03:52
vpns tour for web browsing and proxies
03:55
can be used but this is all with strict
03:58
caution each of these methods introduces
04:00
intermediaries with assumptions of
04:02
complete trust vpns extend a private
04:05
encrypted network over a public network
04:07
connection tor uses a network of
04:09
computer nodes to balance a connection
04:11
between different nodes across the world
04:13
and proxies can alter the location
04:16
appearing as if the originating request
04:18
is coming from the proxy client all
04:20
three methods introduce an intermediary
04:22
or central location which can log your
04:24
traffic and send that to an authority in
04:27
order to ensure 100 anonymity you must
04:30
never
04:31
really trust a central authority but in
04:33
a modern architecture such the as the
04:35
internet that's really not realistic now
04:37
to establish these types of anonymizing
04:39
services you could go ahead and use an
04:41
open source project for instance for vpn
04:44
servers you can use openvpn or tailskill
04:47
and then you can install this on
04:48
attacker owned or controlled device or
04:50
you could just use some sort of third
04:52
party provider for tor you can download
04:54
the to our project or use a distribution
04:56
like tails which already has tour
04:58
routing enabled by default a hacker can
05:01
layer each anonymizing service upon each
05:03
other so a program like proxychains can
05:05
be used to route internet traffic
05:07
through a list of proxies on top of the
05:10
tor network to set up this demo i went
05:12
ahead and edited the proxy chains config
05:14
file and set the chain to dynamic
05:17
setting which excludes all dead proxies
05:20
then i also enabled dns requests to be
05:23
proxied through the proxy chain and i
05:25
wrote down the default proxy server
05:27
which is the sox5 through our loopback
05:30
address let's proceed to go ahead and
05:33
start up proxy chains here first thing
05:35
we need to do is make sure that tor is
05:37
on so we can go ahead and do a service
05:39
tour
05:40
start
05:42
okay once this is on we can go ahead and
05:45
go to our proxy chains
05:48
and we're gonna go ahead and use
05:50
duck
05:53
now this will take a few minutes or it
05:56
won't take anything at all see where we
05:58
are coming from we can use a dns leak
06:00
website and i found this all through an
06:02
article so just go ahead go to dns leak
06:06
and as you can see we are coming from
06:08
romania so this is a basic way to layer
06:12
both the tor network and proxy chains on
06:14
top of each other to become anonymous
06:17
okay so after this step it is finally
06:20
time to ensure that
06:22
you're not really working in the same
06:24
environment and that is separation of
06:26
environments you have to make sure that
06:28
you're separating your hacking
06:29
environment from your you know normal
06:32
everyday use environment a classic
06:34
example of machine separation is virtual
06:36
machines and containerization use
06:38
ephemeral or temporary environments when
06:40
conducting offensive security activity
06:43
it is never a good idea to use one
06:45
single environment for all activities
06:47
computer machine isolation ensures
06:49
evidence can be contained and then
06:50
destroyed and this can be really
06:52
achieved through virtualization also
06:54
hackers can use a bouncing server to
06:56
connect to their valuable infrastructure
06:58
where their offensive tools and data
07:00
lies so some cloud party provider that
07:03
doesn't really care about what happens
07:04
on their machines in this way all the
07:06
hacker has to do is have an ssh
07:08
connection into the server after they've
07:10
anonymized their identity even if the
07:12
bouncing server is destroyed or
07:13
compromised the hacker can curate and
07:15
develop a new one within a matter of
07:17
minutes so like i said before you have
07:19
to separate your offensive security work
07:21
from your everyday work environment and
07:24
in this case it's important that you're
07:26
also randomizing your network connection
07:28
so to do this you can go into public
07:30
wi-fi and you know use wi-fi map dot io
07:34
which is a resource to go look for
07:35
public open wi-fi networks and make sure
07:38
that you're randomizing exactly when
07:40
you're you know connecting to that wi-fi
07:42
remember our good boy ross you know he
07:44
uh well you know what happened to him
07:46
okay so up into this point i've talked
07:48
about anonymizing one ownes identity but
07:51
i haven't talked about actual attack so
07:54
let's say in a hacker has compromised a
07:57
network similar to the starwood myriad
08:00
case
08:00
how can they go about you know covering
08:03
up their online tracks within the
08:06
network so they're not being detected by
08:09
any security professionals like you and
08:11
i once initial access has been
08:13
established it is imperative that
08:15
attackers limit their offensive activity
08:18
so it's not a good idea to generate a
08:20
whole bunch of logs and activity once
08:23
you're entered into network it's about
08:26
stealthynessness
08:28
take a look at the solarwinds attack of
08:30
2021 the alleged adversaries kept the
08:32
tracks hidden for months by slowly
08:34
testing their capabilities through the
08:36
course of those months initial access
08:38
started september 4th of 2019 and then
08:40
by march of 2020 is when the
08:42
distribution of sunburst was deployed
08:44
and that took six months now in addition
08:47
a skilled adversary will analyze network
08:49
and user behavior and mimic this
08:51
offensive activity as closely as
08:53
possible such as conducting their
08:55
actions during the proper business hours
08:57
next hackers will blend their fraudulent
09:00
activity with common network connections
09:02
and protocols such as dns tunneling dns
09:06
or the domain name system is an
09:08
essential component to a network
09:09
translating ip addresses into those web
09:11
domains
09:12
well because dns is essential it's
09:14
usually opened so in dns tunneling it
09:17
uses seemingly harmless dns queries to
09:19
traverse between a private and public
09:21
network
09:22
a hacker could use an encrypted
09:24
connection and route their fraudulent
09:25
activity through dns take dns cat 2 an
09:29
open source command and control
09:30
framework that lives out on github which
09:32
is used to route traffic through dns in
09:34
this demo i used the windows machine to
09:36
simulate a victim and a cali machine to
09:39
simulate an attacker i downloaded dns
09:41
cat to utility on github on my kelly
09:44
machine and then the victim payload on
09:45
the windows machine which is an
09:47
executable in this case so if we go
09:49
ahead and start the dns cat to server
09:52
we need to set the security policy to
09:54
unencrypted in a real world scenario of
09:56
course you wouldn't want to do this but
09:58
i'm a script kitty so
10:00
well i'm just using this for testing
10:01
purposes and also it worked i'm a script
10:04
kitty anyway let's go ahead and get
10:06
moving forward so if we do set
10:09
that will make sure that our security
10:10
policy is
10:12
to unencrypted
10:14
now if we go into our windows machine i
10:17
already downloaded the windows 32 here i
10:20
have added the host which is this
10:22
machine's
10:24
let's go ahead and execute it
10:28
and boom as you can see we now have a
10:30
session and it's an unencrypted session
10:33
now let's go ahead and see if i can get
10:36
well i don't know notepad plus plus or
10:38
notepad open
10:40
so we what we do here is we go into
10:43
session
10:44
i
10:46
one
10:48
and then we can see our list of commands
10:50
here that we can do so for instance we
10:52
can ping or we can get a shell
10:54
but um well let's go ahead and do exec
10:57
notepad
11:01
and as you can see we now have a notepad
11:05
opened and this is all tunneled through
11:07
dns so in a real world scenario if this
11:10
was encrypted
11:11
you really wouldn't be able to notice
11:13
that this
11:14
fraudulent traffic was going through
11:16
your network unless
11:17
you had some advanced defenses in place
11:20
all right so hopefully in today's video
11:21
you've learned something new about how
11:23
hackers can hide their tracks although
11:26
this video was very let's just say
11:28
script kitty high level overview
11:30
uh you can see how even people such as
11:33
the silk road founder can be absolutely
11:36
taken down with
11:38
one poor doing but this is how hackers
11:41
do it anyway if you guys want me to do a
11:43
video on getting more technical let me
11:45
know in the comments down below yes and
11:48
until the next video
11:50
well don't be a script giddy and
11:52
that that's me have a good day guys