Today, nearly everything we do on the internet is tracked. Whoever is doing the tracking—whether it be Google tracking our online searches, website visits, and email or the National Security Agency (NSA) cataloging all our activities—our every online move is being recorded, indexed, and then mined for someone’s benefit. The average individual—and the hacker, in particular—needs to understand how to limit this tracking and remain relatively anonymous on the web to limit this ubiquitous surveillance.
In this chapter, we look at how you can navigate the World Wide Web anonymously (or as close as you can get) using four methods: the Tor network, proxy servers, virtual private networks (VPNs), and encrypted email.
No one method is sure to keep your activities safe from prying eyes, and given enough time and resources, anything can be tracked. However, these methods will likely make the tracker’s job much more difficult.
To begin, let’s discuss at a high level some of the ways our activities on the internet are tracked. We won’t go into all tracking methods, or into too much detail about any one method, as that would be beyond the scope of this book. Indeed, such a discussion could take up an entire book on its own.
First, your IP address identifies you as you traverse the internet. Data sent from your machine is generally tagged with your IP address, making your activities easy to track. Second, Google and other email services will “read” your email, looking for keywords to more efficiently serve you ads. Although there are many more sophisticated methods that are far more time and resource intensive, these are the ones we try to prevent in this chapter. Let’s start by taking a look at how IP addresses give us away on the internet.
When you send a packet of data across the internet, it contains the IP addresses of the source and destination for the data. In this way, the packet knows where it is going and where to return the response. Each packet hops through multiple internet routers until it finds its destination and then hops back to the sender. For general internet surfing, each hop is a router the packet passes through to get to its destination. There can be as many as 20–30 hops between the sender and the destination, but usually any packet will find its way to the destination in fewer than 15 hops.
As the packet traverses the internet, anyone intercepting the packet can see who sent it, where it has been, and where it’s going. This is one way websites can tell who you are when you arrive and log you in automatically, and it’s also how someone can track where you’ve been on the internet.
To see what hops a packet might make between you and the destination, you can use the traceroute command, as shown next. Simply enter traceroute and the destination IP address or domain, and the command will send out packets to the destination and trace the route of those packets.
kali >traceroute google.com
traceroute to google.com (172.217.1.78), 30 hops max, 60 bytes packets
1 192.168.1.1 (192.168.1.1) 4.152 ms 3.834 ms 32.964 ms
2 10.0.0.1 (10.0.0.1) 5.797 ms 6.995 ms 7.679 ms
3 96.120.96.45 (96.120.96.45) 27.952 ms 30.377 ms 32.964 ms
--snip--
18 lgal15s44-in-f14.le100.net (172.217.1.78) 94.666 ms 42.990 ms 41.564 ms
As you can see, www.google.com is 18 hops across the internet from me. Your results will likely be different because your request would be coming from a different location and because Google has many servers across the globe. In addition, packets don’t always take the same route across the internet, so you might send another packet from your address to the same site and receive a different route. Let’s see how we can disguise all this with the Tor network.
In the 1990s, the US Office of Naval Research (ONR) set out to develop a method for anonymously navigating the internet for espionage purposes. The plan was to set up a network of routers that was separate from the internet’s routers, that could encrypt the traffic, and that only stored the unencrypted IP address of the previous router—meaning all other router addresses along the way were encrypted. The idea was that anyone watching the traffic could not determine the origin or destination of the data. This research became known as “The Onion Router (Tor) Project” in 2002, and it’s now available to anyone to use for relatively safe and anonymous navigation on the web.
Packets sent over Tor are not sent over the regular routers so closely monitored by so many but rather are sent over a network of over 7,000 routers around the world, thanks to volunteers who allow their computers to be used by Tor. On top of using a totally separate router network, Tor encrypts the data, destination, and sender IP address of each packet. At each hop, the information is encrypted and then decrypted by the next hop when it’s received. In this way, each packet contains information about only the previous hop along the path and not the IP address of the origin. If someone intercepts the traffic, they can see only the IP address of the previous hop, and the website owner can see only the IP address of the last router that sent the traffic (see Figure 13-1). This ensures relative anonymity across the internet.
Figure 13-1: How Tor uses encrypted traffic data
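To make the layering described above concrete, here is a toy onion-routing simulation added for illustration; it is not Tor’s code or protocol. The SHA-256 XOR keystream stands in for a real cipher, and the relay keys are assumed to have been shared with the sender beforehand; the point it demonstrates is that each relay strips exactly one layer and learns only the previous and next hop.

```python
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    Stand-in for the real cipher; applying it twice with the same key
    restores the original bytes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(relays, destination, payload):
    """Wrap the payload in one layer per relay, innermost layer for the exit.
    relays: [(name, key), ...] ordered entry -> ... -> exit (keys are assumed
    pre-shared for this demo)."""
    _, exit_key = relays[-1]
    cell = keystream_xor(exit_key, json.dumps(
        {"next": destination, "data": payload}).encode())
    # Wrap outward: the entry relay's layer ends up on the outside.
    for i in range(len(relays) - 2, -1, -1):
        _, key = relays[i]
        wrapper = {"next": relays[i + 1][0], "inner": cell.hex()}
        cell = keystream_xor(key, json.dumps(wrapper).encode())
    return cell


def relay_peel(key, cell):
    """One relay strips its own layer: it learns the next hop and gets an
    opaque blob to forward (only the exit sees the destination and payload)."""
    view = json.loads(keystream_xor(key, cell).decode())
    if "inner" in view:
        return view["next"], bytes.fromhex(view["inner"])
    return view["next"], view["data"]


def simulate_circuit(relays, cell, sender="client"):
    """Forward the cell hop by hop and record what each relay observes."""
    seen = []
    prev = sender
    for name, key in relays:
        next_hop, forwarded = relay_peel(key, cell)
        seen.append({"relay": name, "from": prev, "to": next_hop,
                     "forwarded": forwarded})
        prev, cell = name, forwarded
    return seen  # the exit relay's "forwarded" field is the plaintext payload


if __name__ == "__main__":
    # Constructed three-relay circuit (entry -> middle -> exit).
    circuit = [("guard", b"key-guard"), ("middle", b"key-middle"),
               ("exit", b"key-exit")]
    onion = build_onion(circuit, "example.com", "GET / HTTP/1.1")
    for hop in simulate_circuit(circuit, onion):
        print(f"{hop['relay']}: sees from={hop['from']} to={hop['to']}")
```

Only the entry relay ever sees the client, only the exit sees the destination, and the middle relay sees neither, which is what gives Tor its relative anonymity.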
To enable the use of Tor, just install the Tor browser from https://www.torproject.org/. Once installed, it will look something like Figure 13-2, and you can use it like any old internet browser. By using this browser, you’ll be navigating the internet through a separate set of routers and will be able to visit sites without being tracked by Big Brother. Unfortunately, the tradeoff is that surfing via the Tor browser can be a lot slower; because there are not nearly as many routers, the bandwidth is limited in this network.
Figure 13-2: The landing page for the Tor browser
In addition to being capable of accessing nearly any website on the traditional internet, the Tor browser is capable of accessing the dark web. The websites that make up the dark web require anonymity, so they allow access only through the Tor browser, and they have addresses ending in .onion for their top-level domain (TLD). The dark web is infamous for illegal activity, but a number of legitimate services are also available there. A word of caution, however: when accessing the dark web, you may come across material that many will find offensive.
The intelligence and spy services of the United States and other nations consider the Tor network a threat to national security, believing such an anonymous network enables foreign governments and terrorists to communicate without being watched. As a result, a number of robust, ambitious research projects are working to break the anonymity of Tor.
Tor’s anonymity has been broken before by these authorities and will likely be broken again. The NSA, as one instance, runs its own Tor routers, meaning that your traffic may be traversing the NSA’s routers when you use Tor. If your traffic is exiting the NSA’s routers, that’s even worse, because the exit router always knows your destination. The NSA also has a method known as traffic correlation, which involves looking for patterns in incoming and outgoing traffic, that has been able to break Tor’s anonymity. Though these attempts to break Tor won’t affect Tor’s effectiveness at obscuring your identity from commercial services, such as Google, they may limit the browser’s effectiveness in keeping you anonymous from spy agencies.
Another strategy for achieving anonymity on the internet is to use proxies, which are intermediate systems that act as middlemen for traffic: the user connects to a proxy, and the traffic is given the IP address of the proxy before it’s passed on (see Figure 13-3). When the traffic returns from the destination, the proxy sends the traffic back to the source. In this way, traffic appears to come from the proxy and not the originating IP address.
Figure 13-3: Running traffic through a proxy server
Of course, the proxy will likely log your traffic, but an investigator would have to get a subpoena or search warrant to obtain the logs. To make your traffic even harder to trace, you can use more than one proxy, in a strategy known as a proxy chain, which we’ll look at a little later in this chapter.
Kali Linux has an excellent proxying tool called proxychains that you can set up to obscure your traffic. The syntax for the proxychains command is straightforward, as shown here:
kali >proxychains <the command you want proxied> <arguments>
The arguments you provide might include an IP address. For example, if you wanted to use proxychains to scan a site with nmap anonymously, you would enter the following:
kali >proxychains nmap -sT -Pn <IP address>
This would send the nmap -sT connect scan (with -Pn to skip host discovery) to the given IP address through a proxy. The connect scan is used rather than the raw-packet -sS stealth scan because proxychains can only relay ordinary TCP connections; raw packets bypass it and would leave with your own IP address. The tool then builds the chain of proxies itself, so you don’t have to worry about it.
In this section, we’ll set a proxy for the proxychains command to use. As with nearly every application in Linux/Unix, configuration of proxychains is managed by the config file—specifically /etc/proxychains.conf. Open the config file in your text editor of choice with the following command (replacing leafpad with your chosen editor if necessary):
kali >leafpad /etc/proxychains.conf
You should see a file like the one shown in Listing 13-1.
# proxychains.conf VER 3.1
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
# dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
--snip--
Listing 13-1: The proxychains.conf file
Scroll down this file to line 61, and you should see the ProxyList section, as shown in Listing 13-2.
[ProxyList]
# add proxy here...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050
Listing 13-2: The section of the config file for adding proxies
We can add proxies by entering the IP addresses and ports of the proxies we want to use in this list. For now, we’ll use some free proxies. You can find free proxies by googling “free proxies” or using the site http://www.hidemy.name, as shown in Figure 13-4. Note, however, that using free proxies in real-life hacking activity is not a good idea. I’ll cover this in more detail later in the chapter. The example used here is just for educational purposes.
Figure 13-4: Free proxies from http://www.hidemy.name
Fill in the details in the form or just click search; then add one of the resulting proxies to your proxychains.conf file using the following format:
Type IPaddress Port
Here’s an example:
[ProxyList]
# add proxy here...
socks4 114.134.186.12 22020
# meanwhile
# defaults set to "tor"
# socks4 127.0.0.1 9050
It’s important to note that proxychains defaults to using Tor if you don’t enter any proxies of your own. The last line in Listing 13-2 directs proxychains to send traffic first through the host at 127.0.0.1 on port 9050 (the default Tor configuration). If you’re not adding your own proxies and want to use Tor, leave this as it is. If you are not using Tor, you’ll need to comment out this line (add a # before it).
As much as I like Tor, as mentioned, it is usually very slow. Also, because the NSA has broken Tor, I am much less likely to depend on it for anonymity. I therefore comment out this line and add my own set of proxies.
Let’s test it out. In this example, I am going to open the browser Firefox and have it navigate to https://www.hackers-arise.com/ anonymously by sending the traffic through a proxy.
The command is as follows:
kali >proxychains firefox www.hackers-arise.com
This successfully opens https://www.hackers-arise.com/ in Firefox through my chosen proxy and returns the results to me. To anyone tracing this traffic, it appears that it was my proxy that navigated to https://www.hackers-arise.com/ rather than my IP address.
Now that we have proxychains working, let’s look at some other options we can configure through the proxychains.conf file. As we now have it set up, we are simply using a single proxy. However, we can put in multiple proxies and use all of them, we can use a limited number from the list, or we can have proxychains change the order randomly. Let’s try all these options.
First, let’s add some more proxies to our list. Go back to http://www.hidemy.name and find some more proxy IP addresses. Then add a few more of these proxies to your proxychains.conf file, like so:
[ProxyList]
# add proxy here...
socks4 114.134.186.12 22020
socks4 188.187.190.59 8888
socks4 181.113.121.158 335551
Now save this config file and try running the following command:
kali >proxychains firefox www.hackers-arise.com
You won’t notice any difference, but your packet is now traveling through several proxies.
With multiple IPs in our proxychains.conf file, we can set up dynamic chaining, which runs our traffic through every proxy on our list and, if one of the proxies is down or not responding, automatically goes to the next proxy in the list without throwing an error. If we didn’t set this up, a single failing proxy would break our request.
Go back into your proxychains configuration file, find the dynamic_chain line (line 10), and uncomment it, as shown next. Also make sure you comment out the strict_chain line if it isn’t already.
# dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
--snip--
This will enable dynamic chaining of our proxies, thus allowing for greater anonymity and trouble-free hacking. Save the config file and feel free to try it out.
Our final proxy trick is the random chaining option, where proxychains will randomly choose a set of IP addresses from our list and use them to create our proxy chain. This means that each time we use proxychains, the proxy will look different to the target, making it harder to track our traffic from its source. This option is also considered “dynamic” because if one of the proxies is down, it will skip to the next one.
Go back inside the /etc/proxychains.conf file and comment out the lines dynamic_chain and strict_chain by adding a # at the start of each line; then uncomment the random_chain line. We can only use one of these three options at a time, so make certain you comment out the other options before using proxychains.
Next, find and uncomment the line with chain_len and then give it a reasonable number. This line determines how many of the IP addresses in your chain will be used in creating your random proxy chain.
# dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
#
# strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
random_chain
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)
# Makes sense only if random_chain
chain_len = 3
Here, I have uncommented chain_len and given it a value of 3, meaning proxychains will now use three proxies from my list in the /etc/proxychains.conf file, choosing them randomly and moving on to the next one if a proxy is down. Note that although this method certainly enhances your anonymity, it also increases the latency of your online activities.
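Because a misconfigured proxychains.conf fails quietly (two chain modes uncommented, a chain_len without random_chain, an out-of-range port, or the Tor default left active while Tor isn’t running), here is a small checker added as an illustration; it is not part of the book or of the proxychains project. It parses the [ProxyList] and chain options covered above and reports the mistakes discussed; the sample config is constructed from the chapter’s listings.

```python
import re

CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")
PROXY_TYPES = ("http", "socks4", "socks5")


def check_proxychains_conf(text):
    """Parse a proxychains.conf body and report settings that would
    silently weaken or break the chain."""
    modes, proxies, findings = [], [], []
    chain_len, in_list = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out (a leading # disables the line)
        m = re.fullmatch(r"chain_len\s*=\s*(\d+)", line)
        if line in CHAIN_MODES:
            modes.append(line)
        elif m:
            chain_len = int(m.group(1))
        elif line == "[ProxyList]":
            in_list = True
        elif in_list:
            parts = line.split()  # expected: Type IPaddress Port
            if len(parts) < 3 or parts[0] not in PROXY_TYPES:
                findings.append(f"line {lineno}: unrecognised proxy entry {line!r}")
            elif not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
                findings.append(f"line {lineno}: invalid port {parts[2]!r} for {parts[1]}")
            else:
                proxies.append((parts[0], parts[1], int(parts[2])))
    if len(modes) != 1:
        findings.append(f"exactly one chain mode must be uncommented; found {modes or 'none'}")
    if chain_len is not None and "random_chain" not in modes:
        findings.append("chain_len only takes effect with random_chain")
    if chain_len is not None and chain_len > len(proxies):
        findings.append(f"chain_len={chain_len} exceeds the {len(proxies)} valid proxies")
    if ("socks4", "127.0.0.1", 9050) in proxies and len(proxies) > 1:
        findings.append("Tor default (socks4 127.0.0.1 9050) is still active; comment it "
                        "out unless Tor is running, since under strict_chain an offline "
                        "proxy breaks every request")
    return {"modes": modes, "chain_len": chain_len,
            "proxies": proxies, "findings": findings}


# Constructed sample built from the chapter's listings, not a real file.
SAMPLE_CONF = """\
# constructed sample based on the chapter's listings
# dynamic_chain
# strict_chain
random_chain
chain_len = 3
[ProxyList]
# add proxy here...
socks4 114.134.186.12 22020
socks4 188.187.190.59 8888
socks4 181.113.121.158 335551
socks4 127.0.0.1 9050
"""

if __name__ == "__main__":
    for finding in check_proxychains_conf(SAMPLE_CONF)["findings"]:
        print("WARNING:", finding)
```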
Now that you know how to use proxychains, you can do your hacking with relative anonymity. I say “relative” because there is no surefire way to remain anonymous with the NSA and FSB spying on our online activities—but we can make detection much harder with the help of proxychains.
As a last note on proxy security, be sure to choose your proxies wisely: proxychains is only as good as the proxies you use. If you are intent on remaining anonymous, do not use a free proxy, as mentioned earlier. Hackers use paid-for proxies that can be trusted. In fact, the free proxies are likely selling your IP address and browsing history. As Bruce Schneier, the famous cryptographer and security expert, once said, “If something is free, you’re not the customer; you’re the product.” In other words, any free product is likely gathering your data and selling it. Why else would they offer a proxy for free?
Although the IP address of your traffic leaving the proxy will be anonymous, there are other ways for surveillance agencies to identify you. For instance, the owner of the proxy will know your identity and, if pressured enough by espionage or law enforcement agencies with jurisdiction, may offer up your identity to protect their business. It’s important to be aware of the limitations of proxies as a source of anonymity.
Using a virtual private network (VPN) can be an effective way to keep your web traffic relatively anonymous and secure. A VPN is used to connect to an intermediary internet device such as a router that sends your traffic to its ultimate destination tagged with the IP address of the router.
Using a VPN can certainly enhance your security and privacy, but it’s not a guarantee of anonymity. The internet device you connect to must record or log your IP address to be able to properly send the data back to you, so anyone able to access these records can uncover information about you.
The beauty of VPNs is that they are simple and easy to work with. You can open an account with a VPN provider and then seamlessly connect to the VPN each time you log on to your computer. You would use your browser as usual to navigate the web, but it will appear to anyone watching that your traffic is coming from the IP address and location of the internet VPN device and not your own. In addition, all traffic between you and the VPN device is encrypted, so even your internet service provider can’t see your traffic.
Among other things, a VPN can be effective in evading government-controlled content and information censors. For instance, if your national government limits your access to websites with a particular political message, you can likely use a VPN based outside your country in order to access that content. Some media corporations, such as Netflix, Hulu, and HBO, limit access to their content to IP addresses originating from their own nation. Using a VPN based in a nation that those services allow can often get you around those access limitations.
Some of the best and most popular commercial VPN services, according to CNET, are the following:
Most of these VPN services charge $50–$100 per year, and many offer a free 30-day trial. To find out more about how to set up a VPN, choose one from the list and visit the website. You should find download, installation, and usage instructions that are pretty easy to follow.
The strength of a VPN is that all your traffic is encrypted when it leaves your computer, thus protecting you against snooping, and your IP address is cloaked by the VPN IP address when you visit a site. As with a proxy server, the owner of the VPN has your originating IP address (otherwise they couldn’t send your traffic back to you). If they are pressured by espionage agencies or law enforcement, they might give up your identity. One way to prevent that is to use only VPNs that promise not to store or log any of this information (and hope they are being truthful). In this way, if someone insists that the VPN service provider turn over its data on its users, there is no data.
Free commercial email services such as Gmail, Yahoo!, and Outlook Web Mail (formerly Hotmail) are free for a reason: they are vehicles for tracking your interests and serving up advertisements. As mentioned already, if a service is free, you are the product, not the customer. In addition, the servers of the email provider (Google, for example) have access to the unencrypted contents of your email, even if you’re using HTTPS.
One way to prevent eavesdropping on your email is to use encrypted email. ProtonMail, shown in Figure 13-5, encrypts your email from end to end or browser to browser. This means that your email is encrypted on ProtonMail servers—even the ProtonMail administrators can’t read your email.
ProtonMail was founded by a group of young scientists at the CERN supercollider facility in Switzerland. The Swiss have a long and storied history of protecting secrets (remember those Swiss bank accounts you’ve heard so much about?), and ProtonMail’s servers are based in the European Union, which has much stricter laws regarding the sharing of personal data than does the United States. ProtonMail does not charge for a basic account but offers premium accounts for a nominal fee. It is important to note that when exchanging email with non-ProtonMail users, there is the potential for some or all of the email not to be encrypted. See the ProtonMail support knowledge base for full details.
Figure 13-5: The ProtonMail login screen
We are constantly being surveilled by commercial firms and national intelligence agencies. To keep your data and web travels secure, you need to implement at least one of the security measures discussed in this chapter. By employing them in combination, you can minimize your footprint on the web and keep your data much more secure.