Classes/Logs/2012/September/17/03-04
From NetSec
03:05 <@rorschach> I'm gonna be discussing online anonymity
03:05 <~hatter> ty sir
03:05 <%foo> Apollo: during part 2 we'll open with your question.
03:05 < lighthouse> yes!
03:05 <@rorschach> obligatory disclaimer: don't do anything illegal with this knowledge.
03:05 < lighthouse> haha
03:06 <@rorschach> from a technical side
03:06 < Atlas> rorschach, goes without saying.
03:06 <%foo> jail is bad cuz they take away all your toys
03:06 < Atlas> ^
03:06 <@rorschach> tor is helpful, but most useful in conjunction with proxies and shells
03:07 <@rorschach> my current setup involves chains of all of the above
03:07 <~hatter> go ahead rorschach
03:07 <@rorschach> you can easily chain tor and shells with socat tunnels
03:07 <@rorschach> I'm going
03:07 <@rorschach> :)
03:07 < lighthouse> you should make a tutorial on that
03:07 -!- dsog [[email protected]] has joined #CSIII
03:07 -!- ptolemy [[email protected]] has joined #CSIII
03:09 <@rorschach> sorry, my internet is derping really hard
03:09 <@rorschach> but anyway
03:09 <@rorschach> socat is really useful
03:09 <@rorschach> it's kind of complicated at first but can be installed from most repos
03:09 <@rorschach> e.g. apt-get install socat
03:10 <@mepholic> ugh
03:10 <@mepholic> any ipv6 nerds itc?
03:10 <@rorschach> so, I'll walk through my setup
03:10 < lighthouse> what about windows?
03:10 <~hatter> mepholic: classes are in schedule
03:10 <~hatter> in session
03:10 <@rorschach> it looks like me -> vps 1 -> tor -> -> vps 2 -> tor -> world
03:10 -!- dsog [[email protected]] has quit [client exited: leaving]
03:10 <@rorschach> lighthouse: not sure, but you should be ok once you see what I'm doing
03:11 < lighthouse> ok
03:11 <@rorschach> so, I ssh into vps 1
03:11 <@rorschach> which has a socat tunnel listening on a port on the inside
03:11 <@rorschach> socat TCP4-LISTEN:port,fork,bind=localhost SOCKS4A:localhost:address.onion:port,socksport=9050 &
03:12 < lighthouse> um I see smiley faces after LISTEN and onion
03:12 < lighthouse> sorry to interrupt, its pidgin being gay
03:12 <%foo> lighthouse: turn off emoticons when in technical channels :-)
03:12 <@rorschach> this transparently routes a connection to a given port
03:13 <@rorschach> TCP4-LISTEN is the listener
03:13 <@rorschach> the port is the listener's port, it forks and is bound to localhost so it can't be accessed externally
03:13 <@rorschach> then I have a SOCKS4A listener
03:14 <@rorschach> the first parameter (localhost) tells it the socks proxy it's going to connect to is on localhost
03:14 <@rorschach> then you have address.onion, which is the address that you're connecting to (in this case an onion, but it's not necessary)
03:14 -!- zekiel [[email protected]] has joined #CSIII
03:14 <@rorschach> and then the port number to tunnel to
03:15 -!- dsog [[email protected]] has joined #CSIII
03:15 <@rorschach> socksport is the port number of the socks proxy (9050 for tor)
03:15 -!- adroc [[email protected]] has joined #CSIII
03:16 <@rorschach> now, I have on VPS 2 a tor hidden service SSH
03:16 <@rorschach> when editing /etc/tor/torrc scroll down to the hidden service section and create one, it's pretty straightforward
03:17 <@rorschach> it's also a good idea to rm /var/log/wtmp this prevents the server from keeping a last log
03:18 <@rorschach> so restart tor
03:18 <@rorschach> you can find the onion hostname in /var/lib/tor/[hiddenservicedirectory]/hostname
03:19 <@rorschach> now, setup the socat listener on VPS 1 with that onion address and try sshing to it (ssh -plistener user@localhost)
03:19 <@zzzzzZZZZzzz[m3n]> lighthouse, not to knock, pidgin is the worst irc client, and moreover it is the worst irc client. also tools -> preferences -> themes -> choose smiley theme 'none'
03:20 -!- dsog [[email protected]] has left #CSIII []
03:20 < lighthouse> yeah, turned it off, thanks
03:20 <@rorschach> if that works then you can edit /etc/ssh/sshd_config and set ListenAddress to localhost
03:20 -!- dsog [[email protected]] has joined #CSIII
03:20 <@rorschach> then restart your ssh server
03:20 -!- mode/#csiii [+v Atlas] by hatter
03:20 <@rorschach> note: when making changes to Tor, this should NOT be done over a tor hidden service connection, it won't come back up.
03:21 <@rorschach> ok so now to connect to your vps 2
03:21 < lighthouse> wait can you clarify that last part
03:21 <@rorschach> you would (if everything is setup correctly)
03:21 <@rorschach> from your local box
03:21 < lighthouse> about not making changes to Tor
03:21 <@rorschach> which, the note?
03:21 < lighthouse> yeah
03:22 <+Atlas> Thank you
03:22 <@mepholic> cocks
03:22 <@rorschach> if you are SSH'd into a tor hidden service, if you restart tor it will stop tor, but it won't start it again and you'll be disconnected, always have a backup direct connection through your VPS provider
03:22 < lighthouse> lol
03:22 <@mepholic> please excuse me
03:22 <@rorschach> mepholic: shh
03:22 <@rorschach> make sense lighthouse?
03:23 <@rorschach> ok so from your local box, you
03:23 < lighthouse> I think so, so you are saying make changes, THEN connect?
03:24 <@rorschach> no, make tor changes over a direct connection
03:24 < lighthouse> ok
03:24 <@rorschach> if possible, if not then this setup isn't recommended
03:24 <@rorschach> (and obviously, connect to the direct connection via tor)
03:24 <@rorschach> ok
03:25 <@rorschach> ssh -L9999:localhost:[socat listener port] -p [vps 1 port] user@vps1
03:25 <@rorschach> this will connect you to vps 1 via SSH and setup a local port forward to the socat listener on port 9999
03:26 <@rorschach> you then, ssh -D9998 -p9999 user@localhost
03:26 -!- sheexy [[email protected]] has joined #CSIII
03:26 <@rorschach> this would connect you to vps 2 and setup a dynamic forward (a socks proxy, like tor) that you can use for say, your browser
03:26 <@rorschach> on port 9998
03:26 <@rorschach> does this make sense so far?
03:26 <+Atlas> Yep
03:26 -!- lighthouse1 [[email protected]] has joined #CSIII
03:27 -!- lighthouse1 [[email protected]] has quit [client exited: Leaving.]
03:27 < Apollo> I'm curious what the purpose of the second vps inside tor is for. wouldn't this just add another 3 hops inside the tor network, adding to latency without adding any obscurity?
03:28 -!- lighthouse [[email protected]] has quit [Ping timeout]
03:29 <@rorschach> hold on Apollo
03:29 <@rorschach> ok, now in vps 2
03:30 -!- lighthouse [[email protected]] has joined #CSIII
03:30 <@rorschach> we're going to setup a transparent tor proxy
03:30 <@rorschach> (essentially, a tor vpn)
03:30 <@rorschach> http://pastie.org/pastes/4735625/text?key=13yf67axuisqrgo27rca
03:30 <@rorschach> so in there, I have iptables rules that will ONLY allow tor traffic and route all traffic through a transparent tor listener
03:31 <@rorschach> and then in torrc add those lines
03:31 <@rorschach> (again do this inside your vpn provider's shell)
03:32 <@rorschach> so now when you connect to the dynamic forward locally, your connection gets routed through vps 1 -> tor -> vps 2 -> and tor again
03:32 -!- ptolemy [[email protected]] has quit [client exited: Leaving]
03:32 <@rorschach> automatically
03:32 <@rorschach> this might be overkill, but it works fine for me
03:32 <@rorschach> and it's actually not as slow as you would think
03:32 <@rorschach> depending on the tor nodes you get
03:32 <@rorschach> (browsing will probably be unbearable, but if you're using it for IRC or something you're untraceable)
03:33 <@rorschach> and I use a proxy at the very end of the chain for IRC
03:33 <@rorschach> just because most places ban tor nodes
03:33 <@rorschach> (lol, like wtfux)
03:33 <@rorschach> ok, now you will want to separate your personal from this
03:33 <@rorschach> so don't use this for browsing facebook or something
03:34 <@rorschach> keep everything segregated, you could even use vps 1 as your personal proxy (that's what I do)
03:34 <@rorschach> also, in firefox, you can set dns tunneling through about:config
03:34 <@rorschach> scroll down to network.proxy.socks_remote_dns and set to true
03:35 <@rorschach> this is probably way overkill, but you are a total ghost
03:35 <@rorschach> oh, I said that already, derp
03:35 <@rorschach> sorry
03:35 <+rory> thats so cool
03:35 <@rorschach> ok anyway
03:35 <@rorschach> so that's the technical side
03:35 < dsog> rorschach: +1
03:36 <@rorschach> and once everything is configured it's extremely simple to use
03:36 <@rorschach> also, buy your vps over a US based proxy + tor and using a vanilla visa paid for in cash
03:36 <@rorschach> these can be bought at gas stations, duse common sense
03:37 <@rorschach> use*
03:37 <@rorschach> don't go buy your porn with it too or something
03:37 -!- mike is now known as mike__
03:37 <@rorschach> they have to be registered at vanillavisa.com but all they ask for is a zip code and they don't care what you put in
03:37 -!- mike__ is now known as mike
03:37 <@rorschach> I use their example zip code: 30303
03:38 <@rorschach> also, if something requires a phone to register, you can use pinger.com/tfw/ for a phone number and texting for free
03:39 -!- williamcll [[email protected]] has joined #CSIII
03:39 < Zalgo> [williamcll] why are you all so nice to me???
03:39 <@rorschach> now, make sure to use nicknames that are not used elsewhere
03:39 < williamcll> what?
03:39 <@rorschach> williamcll: mibbit.. really? you're in the wrong talk
03:39 <@rorschach> or maybe the right one.
03:39 <+rory> ^
03:40 <@rorschach> moving on
03:40 <%foo> ^
03:40 < williamcll> rorschach: well, mirc broke
03:40 <@rorschach> use a nickname that you haven't used before, pick it out of a hat
03:40 <@rorschach> irssi brah
03:40 <+rory> ^
03:40 <@rorschach> when you're chatting use common sense, don't say I'm going to bed, say you're going to work instead
03:41 <@rorschach> whatever, don't trust anyone
03:41 <@rorschach> just have good opsec that way, you don't need me to tell you that
03:41 <%foo> I think you do need to emphasize that a bit more
03:41 <@rorschach> also, IRC from vps 2
03:41 <@rorschach> foo: ok
03:41 <@rorschach> don't let anything on to anyone
03:42 < williamcll> rorschach: I will use irssi when I get an amazon kindle
03:42 <@rorschach> (depending on how anonymous you can be, in the case of rorschach, I don't really care, but other nicks I might)
03:42 <@rorschach> don't tie your nick to your real name, or a doxed nick
03:42 <@rorschach> it's never too late to disappear and reinvent yourself
03:43 <@rorschach> don't even let on your country or timezone
03:43 <@rorschach> obviously, don't set your vps's time :)
03:43 <@rorschach> is that good foo?
03:44 <%foo> yarp
03:44 <%foo> thanks
03:44 <@rorschach> also, if you're gonna hack
03:44 <@rorschach> don't join a group
03:44 <@rorschach> don't media whore
03:44 <@rorschach> don't twitter
03:44 <@rorschach> don't pastebin
03:44 <@rorschach> don't deface
03:44 <@rorschach> don't draw attention to yourself
03:44 <@rorschach> just do it
03:44 <@rorschach> and don't get caught
03:44 <@rorschach> :)
03:44 <@rorschach> but again, don't do that.
03:45 <@rorschach> don't sign your nick, etc.
03:45 <%foo> don't cause collateral damage or harm
03:45 <%foo> that draws attention to you
03:45 <@rorschach> I think that about covers it.
03:45 <@rorschach> yup
03:45 <@rorschach> so in review
03:46 <@rorschach> setup a nice proxy chain, you can have your own way, I detailed ONE way to do it
03:46 <@rorschach> use cash-bought vanilla visas for purchases such as vps
03:46 <@rorschach> don't reuse nicknames
03:46 <@rorschach> and don't talk about shit.
03:47 <@rorschach> and separate personal from anonymous.
03:47 <@rorschach> any questions?
03:47 <@rorschach> also, my proxy setup is so thorough, because I wanted it to be undetectable from both sides
03:47 < dsog> For IRC, you said you use *another* proxy to connect to servers that prevent tor traffic.
03:47 <@rorschach> for personal reasons.
03:47 < dsog> Do you set that up on vps2? or yet another server?
03:48 <@rorschach> but when monitoring my traffic, all you can see is that I am SSH'd into VPS 1
03:48 <+Atlas> Oh, dox alerts.
03:48 <+Atlas> I was really bad about that for a while
03:48 <@rorschach> dsog: I go find a public proxy list, then find one that works / isn't banned and setup a socat tunnel to it for SSH
03:48 <+Atlas> Using local timestamps, "good night", etc.
03:48 <+Atlas> Don't do that ^
03:48 <@rorschach> Atlas that's not a bad idea either
03:48 < Apollo> Yeah, in the example you used vps 2 was inside tor. why stop there instead of just routing through tor?
03:49 <@rorschach> setup a google alert for your name
03:49 <@rorschach> whenever your name shows up on the net, you'll see it
03:49 <@rorschach> (real and nick) (use separate accounts for this...)
03:49 <@rorschach> Apollo:
03:50 <@rorschach> IRC looks like: me -> vps 1 -> tor -> vps 2 -> tor -> proxy -> irc
03:50 <%foo> Apollo: tor acts as a mixer and has a tendency to block ports, you also don't want tor to be your exit
03:50 <@rorschach> this allows me to bypass tor bans
03:50 < dsog> rorschach: makes sense. Thanks :)
03:50 <%foo> your exit node becomes the vulnerable host in a tor chain, one of your proxies should run tor to keep the traffic mixed up
03:50 <@rorschach> this offers me multiple layers of encryption and anonymity when I want it
03:50 <+Atlas> rorschach, are you that thorough with other services or just IRC?
03:51 < Apollo> oh, so the traffic exits tor before hitting vps 2?
03:51 <%foo> but when you maintain long connections (ssh, openvpn) you leave yourself susceptible to traffic analysis
03:51 <@rorschach> Atlas: mostly IRC, but I port scan or whatever from that box and occasionally browse when I'm being paranoid, just whatever I want to be paranoid about
03:52 <+Atlas> I didn't want to use the word "paranoid", since one could argue necessity
03:52 <+Atlas> But, yeah, understood
03:52 <@rorschach> and the way it's all setup, I don't have to know the IP address of VPS 2 at all
03:52 <+Atlas> Oh, back to my own fuck-ups, at one point someone did me the courtesy of changing my local time to UTC in a logfile I was going to post.
03:52 <@rorschach> I actually sometimes give people accounts on vps 2, and have it so ONLY root can see the IP
03:52 <+Atlas> rorschach, oh, wow.
03:53 <@rorschach> and they can't even know the tor hostname the way vps 1 is setup
03:53 <@rorschach> ;)
03:54 <@rorschach> any other questions?
03:54 <%foo> another interpretation: me -> vps 1 (with tor non-exit) -> tor network -> vps 2 (tor non-exit + ssh/openvpn hidden service) -> proxy ssh -> irc
03:54 <@rorschach> also, /ignore * ctcp dcc
03:54 <@rorschach> :)
03:54 <%foo> rorschach: ^ similar design to yours, elaborated a bit.
03:54 <@rorschach> yeah
03:54 <@rorschach> there's lots of ways to do it
03:55 <@rorschach> just gotta find what works for you
03:55 <%foo> it's all about mixing up and masking traffic
03:55 <%foo> making it harder to find the signal in the noise
03:55 <@rorschach> yup
03:55 <@rorschach> I'm not anonymous on here, but when I want to be a ghost, good luck :)
03:55 <%foo> and if you run a tor exit node having good DMCA responses available.
03:56 -!- williamcll [[email protected]] has quit [client exited: http://www.mibbit.com ajax IRC Client]
03:56 <%foo> ghosting is a good skill to have.
03:56 <@rorschach> yep
03:56 <@rorschach> important