
Masking your face: IP Masking

It is really important not to leave traces behind after the attack in order to complete the job successfully. The first step is being anonymous while performing the attack, that is, covering your face so it will be hard to trace back to the attacker. In computing terms, hiding your original IP is covering your face.

Whenever a computer opens a connection to another computer, the receiving computer logs the IP address of the initiating computer. These logs are used in audit trails, which help investigators locate the origin of an attack. Most of the time it will be your ISP's IP, which will bring lots of trouble to your door.

So you don't want the victim computer you are connecting to to know your real IP; you need to fake/mask it so the victim will see the connection as originating from a different location in the world. This is done by creating the connection through multiple intermediate computers. The victim will see the IP of the last computer you used to connect to the victim machine, but not your IP. And the higher the number of intermediate computers you use, the harder it is to track you down.

Here we will be looking at the tool Tor for this job. Tor will create a connection to your target through multiple intermediate computers. Let's first try to understand how Tor works.

Now suppose your computer, "Alice", needs to connect to your friend's computer, "Bob".




Tor will provide a network of intermediate computers to make the connection from Alice to Bob. 



Now Bob sees the IP address of the last computer in the chain as the connection initiator's IP address. This way, it will be much harder to trace back to Alice's IP address.

Another key advantage of Tor is that it changes the chain of computers through which you connect to the target computer, which makes the victim see a different initiating IP address every time you create a connection.
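Seen from the receiving side, this is what the behaviour described above looks like in Bob's logs. The following is an added example, not part of the original post: the Tor Project publishes the addresses of its exit relays, so a server operator can match logged client IPs against that list and group the matches by User-Agent. The exit list, the log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed samples (documentation-range IPs): an exit list with one
# address per line, and a web access log in Combined Log Format.
EXIT_LIST = "203.0.113.10\n203.0.113.77\n198.51.100.5\n# comment\nbogus\n"
ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.0.2.44 - - [12/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2024:10:11:40 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0"
203.0.113.77 - - [12/Mar/2024:10:23:09 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0"
truncated line without the expected fields
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_ip(text):
    """Return an ip_address object, or None for anything unparseable."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def load_exits(text):
    """Exit list -> set of addresses; comments and junk lines are skipped."""
    return {ip for ip in map(parse_ip, text.splitlines()) if ip is not None}

def tor_hits(log_text, exits):
    """Log records whose client address is a known exit relay."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and parse_ip(m["ip"]) in exits:
            hits.append(m.groupdict())
    return hits

def group_by_user_agent(hits):
    """One client rotating circuits appears as several exit IPs sending
    otherwise identical requests, so group the hits by User-Agent."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["ua"]].add(h["ip"])
    return {ua: sorted(ips) for ua, ips in groups.items()}

if __name__ == "__main__":
    hits = tor_hits(ACCESS_LOG, load_exits(EXIT_LIST))
    for ua, ips in group_by_user_agent(hits).items():
        print(f"{ua!r}: {len(ips)} exit IPs -> {ips}")
```

In the constructed log, the three login requests arrive from three different exit addresses but share one User-Agent, so they group into a single client.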



Setting up Tor

1. Installing Tor using apt-get in Linux [https://www.torproject.org/docs/debian.html.en]

After you have installed Tor in Linux successfully, it should be running on port 9050. 

2. Installing Privoxy in Linux using apt-get install privoxy. [http://www.privoxy.org/user-manual/installation.html]

After you have installed Privoxy in Linux successfully, it should be running on port 8118. If not, use the command /etc/init.d/privoxy start [http://www.privoxy.org/user-manual/startup.html]

3. Configuring Privoxy to work with Tor using forwarding. [http://www.privoxy.org/faq/misc.html#TOR] [Config file http://www.privoxy.org/user-manual/config.html]

Now we have set up Tor for use as an HTTP proxy, but we still haven't engaged it for any of our clients. Let's do a simple test.

Test step 1: Open a terminal and use Curl to check your IP address from a remote service. 
curl curlmyip.com
Now record the IP address you received; that is your real IP address, the one external computers will see when you connect to them.

Now let's engage Tor. Open your .bashrc file and append the following lines.

http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY

The above config makes Curl use the HTTP proxy. Now open a new terminal tab, or source the .bashrc file to keep using the same terminal tab.

Now perform the same curl command and see the IP address you receive. 
curl curlmyip.com
Now you can see that you have received a new IP address. This is because Tor created the connection through a chain of computers to the remote service.

Likewise, you can now configure the HTTP proxy for your web browsers and other client applications. [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO]


Comments

  1. Very informative and extremely well written. Thanks for sharing.
