How do hackers hide themselves? - staying anonymous online

Captions
Four years. That is how long a group of hackers were able to stay inside the Starwood Marriott network without being discovered. Oof. How the heck does an unauthorized party stay hidden for this long? Well, in today's video topic I will address popular methods hackers will use to stay anonymous online while hiding their online footprint. So let's go ahead and get started.

All right, no, the first step is not Matrix-level hacking, as much as we love it to be. It's actually physical security. Physical security is also referred to as operational security, or OPSEC. So if you're one of those, you know, military guys, you probably know about this, or if you're just some random weird IT nerd, well, yeah, you're probably gonna need to know about this too, because guess how many times it takes to be successfully identified. Once. One time. This guy right here, the infamous Dread Pirate Roberts, or Ross Ulbricht, or however you pronounce his last name, who founded the Silk Road, a billion-dollar underground dark marketplace for drugs and other stuff. How did he get caught? Well, no, it wasn't through some extreme Matrix-level glitch hacking. It was his OPSEC. He got caught in the San Francisco public library, his go-to place to conduct his fraudulent activity, and, well, he did some bad things, such as often bragging about his work on his LinkedIn page using oblique verbiage, and he used his real photograph for his fake ID. So these are just a few of the critical elements which pieced together and led to his downfall, and these aren't technical in nature. It's habits and the public interactions that led to Ross's downfall. It is essential hackers be aware of their online and offline habits, including where they use and connect their computers, their writing style, their social media posts and their social interactions in general. Basically someone who's the exact opposite of me here on YouTube.

Okay, so an attacker has their basic physical security down. What's next? Acquiring the hacking machine used to conduct your fraudulent offensive activities. First off, buy the machine with the most untraceable and mobile trail possible. Ideally this is a laptop which is bought in a privacy-focused cryptocurrency form such as Monero or Zcash. Once this machine has been acquired, completely wipe the operating system. Windows no more. And immediately buy a USB stick to preload a live operating system install. This USB stick right here is a live OS, meaning there is no permanent storage, but you also want to make sure to enable full disk encryption just in case of full compromise. Now when you're installing a live OS it is important that you keep an OS distribution such as Linux Tails. Linux Tails is a suite of privacy-focused features and functionality which allow an adversary to stay anonymous.

All right, so what's the next step, you must say? That is to go ahead and anonymize your identity and network connection. There are several steps to accomplish this. Now any type of unique or pseudo-unique identifier is going to be harmful to a hacker like you and I, because, well, you can be tracked by that. Now from a hardware perspective one of the most well-known identifiers is a MAC address. So a MAC address is a serial number issued by the device manufacturers. It is used to identify a device on a local network and can be used to help identify the geographical location of a machine in some cases. MAC address spoofing, or MAC address anonymization, uses different MAC addresses to anonymize your identity. There are different ways you'd accomplish this, such as built-in programs, customized scripts and built-in tools. In Linux Tails the MAC address is temporarily changed to a random value for each new session with Tails. Now in addition to MAC address randomization you're also going to want to anonymize the IP address. What is that, you must say? An IP address is a network address assigned to all machines when connecting to other networks. To accomplish IP address anonymization, services such as VPNs, Tor for web browsing, and proxies can be used, but this is all with strict caution. Each of these methods introduces intermediaries with assumptions of complete trust. VPNs extend a private encrypted network over a public network connection, Tor uses a network of computer nodes to balance a connection between different nodes across the world, and proxies can alter the location, appearing as if the originating request is coming from the proxy client. All three methods introduce an intermediary or central location which can log your traffic and send that to an authority. In order to ensure 100% anonymity you must never really trust a central authority, but in a modern architecture such as the internet that's really not realistic.

Now to establish these types of anonymizing services you could go ahead and use an open source project. For instance, for VPN servers you can use OpenVPN or Tailscale, and then you can install this on an attacker-owned or controlled device, or you could just use some sort of third-party provider. For Tor you can download the Tor Project or use a distribution like Tails which already has Tor routing enabled by default. A hacker can layer each anonymizing service upon each other, so a program like proxychains can be used to route internet traffic through a list of proxies on top of the Tor network. To set up this demo I went ahead and edited the proxychains config file and set the chain to the dynamic setting, which excludes all dead proxies. Then I also enabled DNS requests to be proxied through the proxy chain, and I wrote down the default proxy server, which is SOCKS5 through our loopback address. Let's proceed to go ahead and start up proxychains here. First thing we need to do is make sure that Tor is on, so we can go ahead and do a "service tor start". Okay, once this is on we can go ahead and go to our proxychains and we're gonna go ahead and use duck. Now this will take a few minutes, or it won't take anything at all. To see where we are coming from we can use a DNS leak website, and I found this all through an article, so just go ahead, go to DNS leak, and as you can see we are coming from Romania. So this is a basic way to layer both the Tor network and proxychains on top of each other to become anonymous.

Okay, so after this step it is finally time to ensure that you're not really working in the same environment, and that is separation of environments. You have to make sure that you're separating your hacking environment from your, you know, normal everyday use environment. A classic example of machine separation is virtual machines and containerization. Use ephemeral or temporary environments when conducting offensive security activity. It is never a good idea to use one single environment for all activities. Computer machine isolation ensures evidence can be contained and then destroyed, and this can be really achieved through virtualization. Also, hackers can use a bouncing server to connect to their valuable infrastructure where their offensive tools and data lies, so some cloud party provider that doesn't really care about what happens on their machines. In this way all the hacker has to do is have an SSH connection into the server after they've anonymized their identity. Even if the bouncing server is destroyed or compromised, the hacker can curate and develop a new one within a matter of minutes. So like I said before, you have to separate your offensive security work from your everyday work environment, and in this case it's important that you're also randomizing your network connection. So to do this you can go into public Wi-Fi and, you know, use wifimap.io, which is a resource to go look for public open Wi-Fi networks, and make sure that you're randomizing exactly when you're, you know, connecting to that Wi-Fi. Remember our good boy Ross? You know, he, uh, well, you know what happened to him.

Okay, so up until this point I've talked about anonymizing one's own identity, but I haven't talked about actual attack. So let's say a hacker has compromised a network similar to the Starwood Marriott case. How can they go about, you know, covering up their online tracks within the network so they're not being detected by any security professionals like you and I? Once initial access has been established it is imperative that attackers limit their offensive activity, so it's not a good idea to generate a whole bunch of logs and activity once you've entered into a network. It's about stealthiness. Take a look at the SolarWinds attack of 2021. The alleged adversaries kept the tracks hidden for months by slowly testing their capabilities through the course of those months. Initial access started September 4th of 2019, and then by March of 2020 is when the distribution of SUNBURST was deployed, and that took six months. Now in addition, a skilled adversary will analyze network and user behavior and mimic this offensive activity as closely as possible, such as conducting their actions during the proper business hours. Next, hackers will blend their fraudulent activity with common network connections and protocols, such as DNS tunneling. DNS, or the Domain Name System, is an essential component to a network, translating IP addresses into those web domains. Well, because DNS is essential it's usually opened, so in DNS tunneling it uses seemingly harmless DNS queries to traverse between a private and public network. A hacker could use an encrypted connection and route their fraudulent activity through DNS. Take dnscat2, an open source command and control framework that lives out on GitHub which is used to route traffic through DNS. In this demo I used the Windows machine to simulate a victim and a Kali machine to simulate an attacker. I downloaded the dnscat2 utility on GitHub on my Kali machine and then the victim payload on the Windows machine, which is an executable in this case. So if we go ahead and start the dnscat2 server, we need to set the security policy to unencrypted. In a real world scenario of course you wouldn't want to do this, but I'm a script kiddie, so, well, I'm just using this for testing purposes, and also it worked. I'm a script kiddie. Anyway, let's go ahead and get moving forward. So if we do "set", that will make sure that our security policy is to unencrypted. Now if we go into our Windows machine, I already downloaded the Windows 32 here. I have added the host, which is this machine's. Let's go ahead and execute it, and boom, as you can see we now have a session, and it's an unencrypted session. Now let's go ahead and see if I can get, well, I don't know, Notepad++ or Notepad open. So what we do here is we go into "session -i 1" and then we can see our list of commands here that we can do. So for instance we can ping or we can get a shell, but, um, well, let's go ahead and do "exec notepad", and as you can see we now have a Notepad opened, and this is all tunneled through DNS. So in a real world scenario, if this was encrypted, you really wouldn't be able to notice that this fraudulent traffic was going through your network unless you had some advanced defenses in place.

All right, so hopefully in today's video you've learned something new about how hackers can hide their tracks. Although this video was very, let's just say, script kiddie high-level overview, uh, you can see how even people such as the Silk Road founder can be absolutely taken down with one poor doing. But this is how hackers do it. Anyway, if you guys want me to do a video on getting more technical, let me know in the comments down below. Yes, and until the next video, well, don't be a script kiddie, and that, that's me. Have a good day, guys.
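The dnscat2 demo above shows the attacker's side of DNS tunneling; from the defender's side, here is an added example (my code, not the video's or the dnscat2 project's) that profiles resolver log lines per parent domain and flags the pattern a tunnel produces: many distinct, long, high-entropy subdomain labels and a heavy share of answer-carrying record types such as TXT, CNAME and MX. The log line format, the tunnel.example domain, the hex labels and the thresholds are all assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the video): "<time> <client> <qtype> <qname>".
# tunnel.example and its hex labels are made up to mimic tunnel-style queries.
SAMPLE_LOG = """\
2022-01-20T09:01:02 10.0.0.5 A www.example.com
2022-01-20T09:01:03 10.0.0.5 A mail.example.com
2022-01-20T09:01:04 10.0.0.7 TXT 3f9a1c.c7e2b04d1a9f.8e1d3b77c2a4f609.t.tunnel.example
2022-01-20T09:01:05 10.0.0.7 TXT 4a0b2d.d8f3c15e2b0a.9f2e4c88d3b5a710.t.tunnel.example
2022-01-20T09:01:06 10.0.0.7 CNAME 5b1c3e.e9a4d26f3c1b.a03f5d99e4c6b821.t.tunnel.example
2022-01-20T09:01:07 10.0.0.7 MX 6c2d4f.fab5e37a4d2c.b14a6eaaf5d7c932.t.tunnel.example
2022-01-20T09:01:08 10.0.0.9 A cdn.example.com
"""

# Answer-carrying record types ordinary clients rarely ask for; a tunnel relies on them.
DATA_TYPES = {"TXT", "CNAME", "MX", "NULL"}

def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking (encoded) labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def profile_domains(log_text: str) -> dict:
    """Per parent domain: set of subdomain prefixes, query count, data-type count."""
    stats = defaultdict(lambda: {"prefixes": set(), "total": 0, "data": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the sweep
        qtype, qname = parts[2].upper(), parts[3].rstrip(".")
        labels = qname.split(".")
        parent, prefix = ".".join(labels[-2:]), ".".join(labels[:-2])
        s = stats[parent]
        s["prefixes"].add(prefix)
        s["total"] += 1
        s["data"] += qtype in DATA_TYPES
    return stats

def flag_tunnel_candidates(log_text, min_unique=3, min_entropy=3.0, min_len=30):
    """Parent domains whose query mix looks like a DNS tunnel, sorted."""
    flagged = []
    for parent, s in profile_domains(log_text).items():
        prefixes = s["prefixes"]
        mean_entropy = sum(map(shannon_entropy, prefixes)) / len(prefixes)
        mean_len = sum(map(len, prefixes)) / len(prefixes)
        # Many distinct, high-entropy prefixes plus long names or data-carrying types trips the flag.
        if (len(prefixes) >= min_unique and mean_entropy >= min_entropy
                and (mean_len >= min_len or s["data"] / s["total"] >= 0.5)):
            flagged.append(parent)
    return sorted(flagged)
```

On the sample log, example.com has three distinct but low-entropy prefixes and stays clean, while tunnel.example is flagged; in production the thresholds need tuning against a baseline of your own resolver traffic, since CDNs and some security products also generate long random-looking labels.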
Info
Channel: Grant Collins
Views: 1,346,364
Id: BWVyp0wYpgA
Length: 11min 54sec (714 seconds)
Published: Thu Jan 20 2022