Classes/Logs/2012/September/17/03-04

From NetSec
03:05 <@rorschach> I'm gonna be discussing online anonymity
03:05 <~hatter> ty sir
03:05 <%foo> Apollo: during part 2 we'll open with your question.
03:05 < lighthouse> yes!
03:05 <@rorschach> obligatory disclaimer: don't do anything illegal with this knowledge.
03:05 < lighthouse> haha
03:06 <@rorschach> from a technical side
03:06 < Atlas> rorschach, goes without saying.
03:06 <%foo> jail is bad cuz they take away all your toys
03:06 < Atlas> ^
03:06 <@rorschach> tor is helpful, but most useful in conjunction with proxies and shells
03:07 <@rorschach> my current setup involves chains of all of the above
03:07 <~hatter> go ahead rorschach 
03:07 <@rorschach> you can easily chain tor and shells with socat tunnels
03:07 <@rorschach> I'm going
03:07 <@rorschach> :)
03:07 < lighthouse> you should make a tutorial on that
03:07 -!- dsog [[email protected]] has joined #CSIII
03:07 -!- ptolemy [[email protected]] has joined #CSIII
03:09 <@rorschach> sorry, my internet is derping really hard
03:09 <@rorschach> but anyway
03:09 <@rorschach> socat is really useful
03:09 <@rorschach> it's kind of complicated at first but can be installed from most repos
03:09 <@rorschach> e.g. apt-get install socat
03:10 <@mepholic> ugh
03:10 <@mepholic> any ipv6 nerds itc?
03:10 <@rorschach> so, I'll walk through my setup
03:10 < lighthouse> what about windows?
03:10 <~hatter> mepholic: classes are in schedule
03:10 <~hatter> in session
03:10 <@rorschach> it looks like me -> vps 1 -> tor -> vps 2 -> tor -> world
03:10 -!- dsog [[email protected]] has quit [client exited: leaving]
03:10 <@rorschach> lighthouse: not sure, but you should be ok once you see what I'm doing
03:11 < lighthouse> ok
03:11 <@rorschach> so, I ssh into vps 1
03:11 <@rorschach> which has a socat tunnel listening on a port on the inside
03:11 <@rorschach> socat TCP4-LISTEN:port,fork,bind=localhost SOCKS4A:localhost:address.onion:port,socksport=9050 &
03:12 < lighthouse> um I see smiley faces after LISTEN and onion
03:12 < lighthouse> sorry to interrupt, it's pidgin being gay
03:12 <%foo> lighthouse: turn off emoticons when in technical channels :-)
03:12 <@rorschach> this transparently routes a connection to a given port
03:13 <@rorschach> TCP4-LISTEN is the listener
03:13 <@rorschach> the port is the listener's port, it forks and is bound to localhost so it can't be accessed externally
03:13 <@rorschach> then I have a SOCKS4A listener
03:14 <@rorschach> the first parameter (localhost) tells it the socks proxy it's going to connect to is on localhost
03:14 <@rorschach> then you have address.onion, which is the address that you're connecting to (in this case an onion, but it's not necessary)
03:14 -!- zekiel [[email protected]] has joined #CSIII
03:14 <@rorschach> and then the port number to tunnel to
03:15 -!- dsog [[email protected]] has joined #CSIII
03:15 <@rorschach> socksport is the port number of the socks proxy (9050 for tor)
03:15 -!- adroc [[email protected]] has joined #CSIII
03:16 <@rorschach> now, I have on VPS 2 a tor hidden service SSH
03:16 <@rorschach> when editing /etc/tor/torrc scroll down to the hidden service section and create one, it's pretty straightforward
03:17 <@rorschach> it's also a good idea to rm /var/log/wtmp, this prevents the server from keeping a last log
03:18 <@rorschach> so restart tor
03:18 <@rorschach> you can find the onion hostname in /var/lib/tor/[hiddenservicedirectory]/hostname
03:19 <@rorschach> now, setup the socat listener on VPS 1 with that onion address and try sshing to it (ssh -plistener user@localhost)
03:19 <@zzzzzZZZZzzz[m3n]> lighthouse, not to knock, pidgin is the worst irc client, and moreover it is the worst irc client. also tools -> preferences -> themes -> choose smiley theme 'none'
03:20 -!- dsog [[email protected]] has left #CSIII []
03:20 < lighthouse> yeah, turned it off, thanks 
03:20 <@rorschach> if that works then you can edit /etc/ssh/sshd_config and set ListenAddress to localhost
03:20 -!- dsog [[email protected]] has joined #CSIII
03:20 <@rorschach> then restart your ssh server
03:20 -!- mode/#csiii [+v Atlas] by hatter
03:20 <@rorschach> note: when making changes to Tor, this should NOT be done over a tor hidden service connection, it won't come back up.
03:21 <@rorschach> ok so now to connect to your vps 2
03:21 < lighthouse> wait can you clarify that last part
03:21 <@rorschach> you would (if everything is setup correctly)
03:21 <@rorschach> from your local box
03:21 < lighthouse> about not making changes to Tor
03:21 <@rorschach> which the note?
03:21 < lighthouse> yeah
03:22 <+Atlas> Thank you
03:22 <@mepholic> cocks
03:22 <@rorschach> if you are SSH'd into a tor hidden service, if you restart tor it will stop tor, but it won't start it again and you'll be disconnected, always have a backup direct connection through your VPS provider
03:22 < lighthouse> lol
03:22 <@mepholic> please excuse me
03:22 <@rorschach> mepholic: shh
03:22 <@rorschach> make sense lighthouse?
03:23 <@rorschach> ok so from your local box, you
03:23 < lighthouse> I think so, so you are saying make changes, THEN connect?
03:24 <@rorschach> no, make tor changes over a direct connection
03:24 < lighthouse> ok
03:24 <@rorschach> if possible, if not then this setup isn't recommended
03:24 <@rorschach> (and obviously, connect to the direct connection via tor)
03:24 <@rorschach> ok
03:25 <@rorschach> ssh -L9999:localhost:[socat listener port] -p [vps 1 port] user@vps1
03:25 <@rorschach> this will connect you to vps 1 via SSH and setup a local port forward to the socat listener on port 9999
03:26 <@rorschach> you then, ssh -D9998 -p9999 user@localhost
03:26 -!- sheexy [[email protected]] has joined #CSIII
03:26 <@rorschach> this would connect you to vps 2 and setup a dynamic forward (a socks proxy, like tor) that you can use for say, your browser
03:26 <@rorschach> or port 9998
03:26 <@rorschach> does this make sense so far?
03:26 <+Atlas> Yep
03:26 -!- lighthouse1 [[email protected]] has joined #CSIII
03:27 -!- lighthouse1 [[email protected]] has quit [client exited: Leaving.]
03:27 < Apollo> I'm curious what the purpose of the second vps inside tor is for. wouldn't this just add another 3 hops inside the tor network, adding to latency without adding any obscurity?
03:28 -!- lighthouse [[email protected]] has quit [Ping timeout]
03:29 <@rorschach> hold on Apollo 
03:29 <@rorschach> ok, now in vps 2
03:30 -!- lighthouse [[email protected]] has joined #CSIII
03:30 <@rorschach> we're going to setup a transparent tor proxy
03:30 <@rorschach> (essentially, a tor vpn)
03:30 <@rorschach> http://pastie.org/pastes/4735625/text?key=13yf67axuisqrgo27rca
03:30 <@rorschach> so in there, I have iptables rules that will ONLY allow tor traffic and route all traffic through a transparent tor listener
03:31 <@rorschach> and then in torrc add those lines
03:31 <@rorschach> (again do this inside your vpn provider's shell)
03:32 <@rorschach> so now when you connect to the dynamic forward locally, your connection gets routed through vps 1 -> tor -> vps 2 -> and tor again
03:32 -!- ptolemy [[email protected]] has quit [client exited: Leaving]
03:32 <@rorschach> automatically
03:32 <@rorschach> this might be overkill, but it works fine for me
03:32 <@rorschach> and it's actually not as slow as you would think
03:32 <@rorschach> depending on the tor nodes you get
03:32 <@rorschach> (browsing will probably be unbearable, but if you're using it for IRC or something you're untraceable)
03:33 <@rorschach> and I use a proxy at the very end of the chain for IRC
03:33 <@rorschach> just because most places ban tor nodes
03:33 <@rorschach> (lol, like wtfux)
03:33 <@rorschach> ok, now you will want to separate your personal from this
03:33 <@rorschach> so don't use this for browsing facebook or something
03:34 <@rorschach> keep everything segregated, you could even use vps 1 as your personal proxy (that's what I do)
03:34 <@rorschach> also, in firefox, you can set dns tunneling through about:config
03:34 <@rorschach> scroll down to network.proxy.socks_remote_dns and set to true
03:35 <@rorschach> this is probably way overkill, but you are a total ghost
03:35 <@rorschach> oh, I said that already, derp
03:35 <@rorschach> sorry
03:35 <+rory> that's so cool
03:35 <@rorschach> ok anyway
03:35 <@rorschach> so that's the technical side
03:35 < dsog> rorschach: +1
03:36 <@rorschach> and once everything is configured it's extremely simple to use
03:36 <@rorschach> also, buy your vps over a US based proxy + tor and using a vanilla visa paid for in cash
03:36 <@rorschach> these can be bought at gas stations, duse common sense
03:37 <@rorschach> use*
03:37 <@rorschach> don't go buy your porn with it too or something
03:37 -!- mike is now known as mike__
03:37 <@rorschach> they have to be registered at vanillavisa.com but all they ask for is a zip code and they don't care what you put in
03:37 -!- mike__ is now known as mike
03:37 <@rorschach> I use their example zip code: 30303
03:38 <@rorschach> also, if something requires a phone to register, you can use pinger.com/tfw/ for a phone number and texting for free
03:39 -!- williamcll [[email protected]] has joined #CSIII
03:39 < Zalgo> [williamcll] why are you all so nice to me???
03:39 <@rorschach> now, make sure to use nicknames that are not used elsewhere
03:39 < williamcll> what?
03:39 <@rorschach> williamcll: mibbit.. really? you're in the wrong talk
03:39 <@rorschach> or maybe the right one.
03:39 <+rory> ^
03:40 <@rorschach> moving on
03:40 <%foo> ^
03:40 < williamcll> rorschach: well, mirc broke
03:40 <@rorschach> use a nickname that you haven't used before, pick it out of a hat 
03:40 <@rorschach> irssi brah
03:40 <+rory> ^
03:40 <@rorschach> when you're chatting use common sense, don't say I'm going to bed, say you're going to work instead
03:41 <@rorschach> whatever, don't trust anyone
03:41 <@rorschach> just have good opsec that way, you don't need me to tell you that
03:41 <%foo> I think you do need to emphasize that a bit more
03:41 <@rorschach> also, IRC from vps 2
03:41 <@rorschach> foo: ok
03:41 <@rorschach> don't let anything on to anyone
03:42 < williamcll> rorschach: I will use irssi when I get an amazon kindle
03:42 <@rorschach> (depending on how anonymous you can be, in the case of rorschach, I don't really care, but other nicks I might)
03:42 <@rorschach> don't tie your nick to your real name, or a doxed nick
03:42 <@rorschach> it's never too late to disappear and reinvent yourself
03:43 <@rorschach> don't even let on your country or timezone
03:43 <@rorschach> obviously, don't set your vps's time :)
03:43 <@rorschach> is that good foo?
03:44 <%foo> yarp
03:44 <%foo> thanks
03:44 <@rorschach> also, if you're gonna hack
03:44 <@rorschach> don't join a group
03:44 <@rorschach> don't media whore
03:44 <@rorschach> don't twitter
03:44 <@rorschach> don't pastebin
03:44 <@rorschach> don't deface
03:44 <@rorschach> don't draw attention to yourself
03:44 <@rorschach> just do it
03:44 <@rorschach> and don't get caught
03:44 <@rorschach> :)
03:44 <@rorschach> but again, don't do that.
03:45 <@rorschach> don't sign your nick, etc.
03:45 <%foo> don't cause collateral damage or harm
03:45 <%foo> that draws attention to you
03:45 <@rorschach> I think that about covers it.
03:45 <@rorschach> yup
03:45 <@rorschach> so in review
03:46 <@rorschach> setup a nice proxy chain, you can have your own way, I detailed ONE way to do it
03:46 <@rorschach> use cash-bought vanilla visas for purchases such as vps
03:46 <@rorschach> don't reuse nicknames
03:46 <@rorschach> and don't talk about shit.
03:47 <@rorschach> and separate personal from anonymous.
03:47 <@rorschach> any questions?
03:47 <@rorschach> also, my proxy setup is so thorough, because I wanted it to be undetectable from both sides
03:47 < dsog> For IRC, you said you use *another* proxy to connect to servers that prevent tor traffic.
03:47 <@rorschach> for personal reasons.
03:47 < dsog> Do you set that up on vps2? or yet another server?
03:48 <@rorschach> but when monitoring my traffic, all you can see is that I am SSH'd into VPS 1
03:48 <+Atlas> Oh, dox alerts.
03:48 <+Atlas> I was really bad about that for a while
03:48 <@rorschach> dsog: I go find a public proxy list, then find one that works / isn't banned and setup a socat tunnel to it for SSH
03:48 <+Atlas> Using local timestamps, "good night", etc.
03:48 <+Atlas> Don't do that ^
03:48 <@rorschach> Atlas that's not a bad idea either
03:48 < Apollo> Yeah, in the example you used vps 2 was inside tor. why stop there instead of just routing through tor?
03:49 <@rorschach> setup a google alert for your name
03:49 <@rorschach> whenever your name shows up on the net, you'll see it
03:49 <@rorschach> (real and nick) (use separate accounts for this...)
03:49 <@rorschach> Apollo:
03:50 <@rorschach> IRC looks like: me -> vps 1 -> tor -> vps 2 -> tor -> proxy -> irc
03:50 <%foo> Apollo: tor acts as a mixer and has a tendency to block ports, you also don't want tor to be your exit
03:50 <@rorschach> this allows me to bypass tor bans
03:50 < dsog> rorschach: makes sense. Thanks :)
03:50 <%foo> your exit node becomes the vulnerable host in a tor chain, one of your proxies should run tor to keep the traffic mixed up
03:50 <@rorschach> this offers me multiple layers of encryption and anonymity when I want it 
03:50 <+Atlas> rorschach, are you that thorough with other services or just IRC?
03:51 < Apollo> oh, so the traffic exits tor before hitting vps 2?
03:51 <%foo> but when you maintain long connections (ssh, openvpn) you leave yourself susceptible to traffic analysis
03:51 <@rorschach> Atlas: mostly IRC, but I port scan or whatever from that box and occasionally browse when I'm being paranoid, just whatever I want to be paranoid about
03:52 <+Atlas> I didn't want to use the word "paranoid", since one could argue necessity
03:52 <+Atlas> But, yeah, understood
03:52 <@rorschach> and the way it's all setup, I don't have to know the IP address of VPS 2 at all
03:52 <+Atlas> Oh, back to my own fuck-ups, at one point someone did me the courtesy of changing my local time to UTC in a logfile I was going to post.
03:52 <@rorschach> I actually sometimes give people accounts on vps 2, and have it so ONLY root can see the IP
03:52 <+Atlas> rorschach, oh, wow.
03:53 <@rorschach> and they can't even know the tor hostname the way vps 1 is setup
03:53 <@rorschach> ;)
03:54 <@rorschach> any other questions?
03:54 <%foo> another interpretation: me -> vps 1 (with tor non-exit) -> tor network -> vps 2 (tor non-exit + ssh/openvpn hidden service) -> proxy ssh -> irc
03:54 <@rorschach> also, /ignore * ctcp dcc
03:54 <@rorschach> :)
03:54 <%foo> rorschach: ^ similar design to yours, elaborated a bit. 
03:54 <@rorschach> yeah
03:54 <@rorschach> there's lots of ways to do it
03:55 <@rorschach> just gotta find what works for you
03:55 <%foo> it's all about mixing up and masking traffic
03:55 <%foo> making it harder to find the signal in the noise
03:55 <@rorschach> yup
03:55 <@rorschach> I'm not anonymous on here, but when I want to be a ghost, good luck :)
03:55 <%foo> and if you run a tor exit node, have good DMCA responses available.
03:56 -!- williamcll [[email protected]] has quit [client exited: http://www.mibbit.com ajax IRC Client]
03:56 <%foo> ghosting is a good skill to have. 
03:56 <@rorschach> yep
03:56 <@rorschach> important