
How to create a relay server that is untraceable back to you?



(please notice that this is being conducted as a security evaluation in my own company, nothing in here can get me in legal trouble since I own the network and all the computers connected to it)

Hi, I need to create a relay server for my pineapple to ssh to when I deploy it in position. The thing is, I need it to be completely untraceable back to me, otherwise my IT guys would find it too easily. They know they're going to be tested, they agreed to it and to not knowing when this is going to happen.

My question is, how would you guys go about:

  1. buying the hosting/remote server/vps so that it cannot be connected back to you?
  2. what kind of server would you use for a relay server?
  3. what security measures would you take so your anonymity is preserved?

Thanks a lot!


I am also interested in this question. I do often wonder how penetration testers set up servers/hosting when odds are the people hosting the server would probably have a few bones to pick with the usage of the server.

-I have read in some articles that when an actual black hat sets something up they typically try to find a provider with a bad security record, and who doesn't generally care what you host on their servers.

-Black hats also use surreptitious methods, like having fake credentials when signing up for the service, but how this stands up to scrutiny I have no idea.

-Black hats also only connect to servers through an indirect route, perhaps a VPN, or perhaps a connection through somebody else's wifi.

I would assume that pen testers would have to resort to some of the same techniques, however with the server provider actually being cognizant of what the pen tester is actually doing, so they cannot get reamed by the law/terms of service. Is there reading material/walkthroughs/tutorials on this particular topic?


Get a pre-paid credit card to pay for the VPN. Pay for the credit card with cash.

Buy the VPN for whatever period you need. What you want is a decent amount of storage and network performance. Since your input will be what your pineapple can push out of the network this shouldn't be too troublesome, but make some calculations on how much you will need.

Access the VPN server from wherever you are via TOR and *ONLY* TOR. You could even make the VPN server expose its SSH daemon only as a hidden service within the TOR network so you don't need to use an exit node.

An alternative here is to buy a cheap as fuck prepaid smartphone/phablet. Pay for it with either cash or another, separate, prepaid credit card. Use its internet bundle to access the VPN. Obliterate the device once you've gotten what you need from it. You can and maybe should still be using TOR on this device to access the VPN server.

On the Pineapple side, give it a MAC address from a rarely used device on your network. If $MANAGER rarely comes by, but when he does he plugs his laptop into the network, find out what his MAC is and have the Pineapple use that.

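From the IT team's side, the MAC-cloning tactic in the post above leaves a detectable trace: the borrowed MAC suddenly leases an address with a different DHCP hostname and on a different switch port. The following is an added example, not code from the thread, run over constructed DHCP-server log lines; the log format, MACs, hostnames and port names are all assumptions.

```python
import re

# Constructed DHCP-server log lines (not from the thread). The MAC
# aa:bb:cc:11:22:33 is a laptop seen once on day one; two weeks later the
# same MAC leases an address out of hours with a different hostname on a
# different switch port, which is what a cloned MAC looks like to the DHCP log.
LOG = """\
2015-03-02T09:14:02 DHCPACK 10.0.5.21 aa:bb:cc:11:22:33 host=MGR-LAPTOP port=Gi1/0/7
2015-03-02T09:14:05 DHCPACK 10.0.5.22 aa:bb:cc:44:55:66 host=DESK-042 port=Gi1/0/9
2015-03-16T22:41:17 DHCPACK 10.0.5.21 aa:bb:cc:11:22:33 host=openwrt port=Gi1/0/23
2015-03-17T08:02:40 DHCPACK 10.0.5.22 aa:bb:cc:44:55:66 host=DESK-042 port=Gi1/0/9
"""

# One lease acknowledgement per line, in the assumed format above.
LINE = re.compile(
    r"^(?P<ts>\S+) DHCPACK (?P<ip>\S+) (?P<mac>[0-9a-f:]{17}) "
    r"host=(?P<host>\S+) port=(?P<port>\S+)$"
)

def parse(log):
    """Yield one dict per well-formed lease line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def find_identity_drift(log):
    """Return {mac: [(timestamp, changed_fields), ...]} for every MAC whose
    hostname or switch port differs from the first lease seen for that MAC."""
    baseline = {}
    findings = {}
    for rec in parse(log):
        mac = rec["mac"]
        if mac not in baseline:
            baseline[mac] = rec          # first sighting defines the identity
            continue
        changed = [f for f in ("host", "port") if rec[f] != baseline[mac][f]]
        if changed:
            findings.setdefault(mac, []).append((rec["ts"], changed))
    return findings

if __name__ == "__main__":
    for mac, hits in find_identity_drift(LOG).items():
        for ts, fields in hits:
            print(f"{ts} {mac}: {' and '.join(fields)} differ from baseline")
```

A laptop that roams between ports will also trip this, so treat a hit as a lead to check against badge or VPN records, not as proof of a rogue device.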

When you get down to it, you can't. You might be able to stay hidden for a little bit, but eventually you'll get found.


If you really want to stay hidden, do this, every week or so. Use a different vendor, and different hardware every time. Also never NEVER log in from the same place twice.


That was very informative, thanks guys. I have to say though, TOR has been hacked by the NSA for quite a while now, wouldn't there be a better way of anonymizing your connection? Actually I think there was a discussion of this on one of the forums a while back. I will go look around.


Very informative indeed, thanks!

It'd be good if people kept posting their methods to stay anonymous in here. Although this is a chasing game, it's better to know which traces "they" will be checking and in which order.


Make sure there is considerable time, like a month or so, between purchasing the card and you using it. Any CCTV records kept by the shop should've been overwritten by then. Most only keep theirs for a week, if that. And if you need another card to purchase the device you'll be using to access the VPN, make sure you buy this other card at a different location than the first card. The further away, the better.

You can even buy a pre-paid credit card with a credit card which, potentially, is itself a pre-paid credit card. But you'd probably be raising quite a few eyebrows when you do that and it adds nothing over just walking in with a wad of cash, so just get one using cash.


One thing to keep in mind: even if the packets are encrypted, if they can see the packets arriving/leaving the device as well as your connection, the timing of the packets and the time in between each packet may be enough to ID and track you.

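The timing point above, as an added example from the investigator's side (constructed data, not code from the thread): using nothing but the inter-packet gaps of an encrypted flow leaving the device, Pearson correlation picks out which of several flows seen at the far end is the relayed copy. The flow names, gap distribution and jitter level are assumptions.

```python
import random
from statistics import mean

# Constructed data, not captures from the thread: inter-packet gaps (seconds)
# of the encrypted flow leaving the suspect device, and the gaps of several
# flows arriving at the far end. Payload bytes never enter the calculation.
random.seed(7)

def make_flow(n, mean_gap=0.2):
    """Random inter-packet gaps for an unrelated background flow."""
    return [random.expovariate(1 / mean_gap) for _ in range(n)]

def relayed(gaps, jitter_sigma=0.02):
    """The same flow after crossing a relay: each gap picks up network jitter."""
    return [max(0.0, g + random.gauss(0, jitter_sigma)) for g in gaps]

def pearson(xs, ys):
    """Pearson correlation of two gap sequences, truncated to equal length."""
    n = min(len(xs), len(ys))
    xs, ys = xs[:n], ys[:n]
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0

def best_match(device_gaps, candidates):
    """Score every candidate flow against the device flow and return the
    best-scoring name together with the full score table."""
    scores = {name: pearson(device_gaps, gaps) for name, gaps in candidates.items()}
    return max(scores, key=scores.get), scores

DEVICE_FLOW = make_flow(200)
CANDIDATE_FLOWS = {
    "flow-A": make_flow(200),
    "flow-B": relayed(DEVICE_FLOW),   # the relayed copy of the device flow
    "flow-C": make_flow(200),
}

if __name__ == "__main__":
    winner, table = best_match(DEVICE_FLOW, CANDIDATE_FLOWS)
    for name, r in table.items():
        print(f"{name}: r = {r:+.3f}")
    print("most likely the same flow:", winner)
```

As a detection signal this needs both vantage points and enough packets; short, bursty sessions give fewer gaps and weaker scores.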

With most of these things, it's all about layering. Each layer adds to the level of pain the investigator would have to go through before he reaches you.

The investigator has to:

1. Find the Pineapple, discover where the traffic goes to.

2. Request the VPS provider for info on the server.

3. Discover it was paid for with an old cash-purchased pre-paid credit card which means no records on this purchase remain.

4. Request the VPS provider for access logs to the device. This should either point to a TOR exit node or, preferably, a machine from within the TOR network. Good fucking luck, my friend.

5. Having hacked TOR using that backdoor we don't know about yet, they know the IP you used when you went to the VPS via TOR.

6. Run to the Telco company and request customer data for IP x.

7. Discover it was paid for with another old cash-purchased pre-paid credit card which means no records on this purchase remain.

7a. They should be able to tell the investigator your location at the time you accessed the VPS and, if your account is still active (i.e. you're still using that SIM) where you currently are, in which case the sirens you hear actually are for you.

7b. They will potentially be able to provide the investigator with some device-specific info that gets included when you access the network (dunno if there is, but if there was they wouldn't be telling you about it, so be safe and assume there is) so if they find the device itself on you, you're now thoroughly fucked. So when you're not using the device, keep it powered off (a.k.a. remove the battery) and leave the SIM card out of it. Remember that that SIM is venom, so keep it untraceable to you.

One tricky thing you could do to buy yourself more time is to find an open wifi somewhere (restaurant, bar, what have you) and plug in a Pi right there. Have it use something like DynDNS to give it a name only you know and use it to proxy you either before you enter or after you leave the TOR network. Hide the physical device. Now either between steps 4 and 5 or 5 and 6 will be the tracing of the Pi which is on the network of an innocent bystander. Preferably in yet another location that you visited exactly once and have no intention of returning back to. Make sure to not leave fingerprints on either this device or the Pineapple.

These things, like porn, are all about making it hard. You can't make tracing you impossible, but how much time will an investigator have to invest in chasing you down? How much damage did you do to make that worthwhile?

Edited by cooper

Jesus, that's an incredibly detailed answer cooper. Cannot thank you enough.

What's even more impressive than the data itself, is that you've so thoroughly explained a systematic way of thinking about this.

...back to study about TOR and VPN services..!

Keep the answers coming! Even smaller suggestions that can add up to what's already been said, can and surely will prove useful


Now a question I have is: do hardware manufacturers record specific information, for instance about the Raspberry Pis they sell to customers? For instance, would a hardware manufacturer record MAC addresses before selling the hardware to a customer? Would it be a good practice to pay for the Raspberry Pi with cash, or a pre-paid card also? Perhaps that's a little too paranoid. What about that Alfa USB wifi dongle that supports injection that I just bought? Has anybody recorded the MAC addresses on that and stored it in a DB table, or CSV file somewhere? What about electronics chips, do those have traceable metadata/serial numbers? Again, these questions are probably just paranoid on my part; I am just curious how far manufacturers/government agencies go to keeping tabs on their customers. Then again, hard disks are cheap these days.

These pre-paid cards, do they work on internet transactions?

Edited by overwraith


Nope. They make so many it would be a nightmare to keep track of it all. Now I'm not saying the place you bought the pi at won't. Who knows what kinds of info say, Microcenter keeps. I know they ask for your info so they can spam you whenever you buy something there. Thing is, how would any law enforcement organization get that specific data? Would they subpoena every company that sells the Pi? Doubtful. Unless you happened to put one in the White House, then all bets are off. Now places like Apple, Dell, Hp, they keep track of who buys their computers, if you buy it directly from them. The store you buy them from might keep a record, and forward it back to the manufacturer as well.


So what you're saying is that if you buy from a big customer, like IBM, Microsoft, or perhaps the main Raspberry Pi manufacturer, they may in fact keep some kind of data, with it being more likely that IBM/Microsoft would record more information/attributes about you. Not necessarily MAC addresses, but definable attributes. Now however, since Raspberry Pis are more or less open source, you could buy one from anybody, and it wouldn't really be traceable. So it would be better to buy a Pi from another, lesser known retailer, but it wouldn't be strictly necessary?


I would highly recommend using an Orange Pi. They're cheaper and actually manufactured in China, the epitome of an open, responsive and cooperating government. Plus they're only purchasable via Alibaba, but they're sold in such vast quantities this isn't going to help anybody. You can once again order via a prepaid credit card and have it shipped to an address somewhere. If you're worried this package might get tracked, get close to some elderly person. Get friendly with them using a fake name and be sure to be consistent with this. Order the package and have it shipped to them under your fake name. They'll be sure to hand it over to that delightful Mr. Joe Bloggs guy they've been drinking coffee with every Saturday in the lounge.

Your best bet though is an in-shop cash purchase. The busier the shop, the better because it means the chances of the guy behind the counter remembering you are effectively zero. Pre-ordering requires a name (fake) and an email address (drop.box@whatevermail.com) and means you can walk up to the counter, pick up your order and piss off again in record time.

The most important part is still preparation. You need to get stuff in place *WELL* before you intend to use them. So get the credit cards, wait a few weeks, order that sim card, possibly tablet and any other hardware using those cards (and then destroy the credit cards) and wait for whatever needs to be mailed to you to arrive, wait another few weeks, set up the VPS to your liking, put the Pi in place, test the connectivity and make sure everything is in working order, wait another few weeks, drop the Pineapple on the remote network and do your thing.

- Know beforehand what you intend to acquire and make sure you clear out the second you have it.

- Destroy everything you used to get in as you're leaving:

- The Pineapple's SD card should contain an encrypted filesystem which contains anything specific to its current use. Once you're done, tell it to drop its interfaces and start a constant loop that overwrites the SD card with garbage until the power gets cut.

- The VPS will be delivered to you with some image pre-installed. Create an encrypted filesystem within a file, place a distro you're happy with in there and chroot to it. Use screen before chrooting so reconnecting to it means you'll be inside the chrooted environment. Anything the pineapple provides should be taken in by this environment. After use, kill screen and overwrite the filesystem containing file with rubbish until either the power gets cut or your VPS lease ends.

- The Pi boots off of its SD card, so have the first partition be stuff needed for booting up and all the useful stuff is on an encrypted partition which you constantly overwrite with garbage once you're done until either the power gets cut or the SD card tops itself due to the excessive write load.

- The tablet, if you got one, you can take apart yourself. Put it in an oven (which you won't use for food after that) and remove all the chips on there. See how well they blend. Cut up the circuit board to make nice notebooks out of.

- Run the SIM card briefly through the microwave, cut it up into even smaller itty bitty pieces and discard with your regular garbage.

- If those pre-paid credit cards are physical items, blend/shred/burn/all of the above them the minute you're done with them. Discard whatever remains with the rest of the garbage.

This is the command I use to generate all my passwords (and yes, you'll need something to keep track of them since you'll never remember them):

tr -cd '[:graph:]' < /dev/urandom | fold -w64 | head -n1

I put this in a 'genpwd.sh' script for easier use.

Think about all those CSI episodes. How everything leaves a trail? You want to destroy as much evidence as you can yourself, and let time do the rest. You yourself can't destroy a shop surveillance tape, but they'll do that themselves eventually. Records might be kept of a purchase, but if it was sufficiently long ago those records might've disappeared already or there have been so many orders before and after already you'll be the actual needle in the haystack.


One option is going beyond a usb dead drop, but has access to local open networks, so obviously not just a mortared in usb stick.

Something you can ssh into and observe, and use a redirect you can open for free using a VPN for starters. This goes more into doing real-life shit which I was used to back in phreaking days, where I'd mod a cheap cordless setup and connect it to a J box that could, with some climbing, be inserted into a telecom pole box and powered off-line while charging handsets at home.

Then again, we don't use dial-up anymore.



Are there prepaid credit cards you can just buy with cash and not have to give out personal details to activate? I want a few. Where can I get them?


If the guy behind the counter raises his eyebrows over the fact you want a prepaid credit card with $500 on it, be honest and say it's so that the recipient of the card can buy a laptop. When you have your answer ready and throw it out naturally, people forget about you quicker. Going "NONE of your DAMNED BUSINESS!" tends to be something that lingers in a store clerk's mind.

