Safety & Security Saturday!

The DNMs can be a scary and dangerous place if you don't know what you're doing. Use this thread to ask questions or give advice on harm reduction & OPSEC!


Comments


[3 Points] stampy_the_eleph4nt:

Here is a guide I wrote. Pretty simple.

Alright so back in the day I was a pretty BA blackhat (not to toot my own horn), but needless to say the below information I have only passed along to a few people, and as far as I know it has not been widely reproduced.

First you need a SSH scanner with a good user/pass list. All you need to use SSH as a proxy are valid login credentials. My old alias was blackhat420 so if you have seen it show up somewhere else it was me who posted it. Anyway what makes this method gold is 2 things, one -- many linux based services use simple logins like (apache/apache). They secure these accounts by giving them no bash (aka command line) shells. DD-WRT routers, a lot of people don't change the root password on these so they work great as well. To use this method we DO NOT need or WANT an account shell that opens, and even if it could, we wouldn't want to do it. SSH logs user access by shell/pts assignments. Both the who and last commands do not display authenticated sessions with no shell. If a system admin runs the who command to see who is logged in, they will show nothing. See the proof section of this at the end of the article.

This example is for a 2 tunnel chain, i.e. route through one device to another to your destination. You can modify it to use as many proxies as you want. The beautiful thing about it is that it leaves no trace because you're not opening a command shell. It's been a minute since I was a blackhat but as I recall it doesn't even show in the session list if you had a snoopy root admin.

Example Images from Putty to help facilitate understanding.
Image 1: http://matrixtxri745dfw.onion/neo/u...wONION_041412Dwb_1-NoCommandShell-TunnelA.png
Image 2: http://matrixtxri745dfw.onion/neo/u...45dfwONION_051853cPT_2-TunnelA-SocksProxy.png
Image 3: http://matrixtxri745dfw.onion/neo/u...3-Tunnel2-ProxyInitiatingConnectToTunnelB.png
Image 4: http://matrixtxri745dfw.onion/neo/u...45dfwONION_042117WTF_4-TunnelB-SocksProxy.png

For Step 1):
Specify the option for the DO NOT OPEN A COMMAND SHELL check box (see Image 1). Now we set up the port forwardings. First do a Dynamic (which is essentially a socks4 proxy) forward on whatever port you want to set up to proxy the second tunnel's SSH connection through. In my case I chose port 8181 -- no destination is required to be filled in for dynamic ports. The next putty session for the second tunnel will be set up with a dynamic port that will be used by the computer/device wanting to tunnel traffic through multiple connections. (See Image 2 for tunnel setup instructions.)

Step 2):
Set up the second tunnel connection. If we just raw dog connected to the second SSH session there is an opsec concern that the originating IP may be logged. So for extra caution we will proxy our connection through the first proxy we already have set up and running. Make sure on the second putty session you also check the DO NOT OPEN A COMMAND SHELL check box (see Image 1). Then for this one, we need to enter the Dynamic proxy settings we established in Step 1 (Port 8181). See Image 3. This tells us that when we try to connect to the second SSH server to establish a tunnel, it routes the connection through our already connected tunnel. Last but not least we need to set up a Dynamic port forward for the second tunnel so it can act as a socks4 proxy endpoint. This dynamic is what we will tell our applications/devices/computers whatever to use for a proxy. Although it is only 1 port -- that port is already routed through Tunnel 1. In this example it was 8182. See Image 4.

Now we can configure the application, proxifier, proxychains, whatever -- to use a socks4 proxy with a host of localhost and a port of 8182 (the final endpoint proxy port, as specified in step 2). Basically the way the traffic flows is:
Actual Location proxies traffic to Localhost:8182 -> Connection to Tunnel 1 (Socks4 Dynamic port set up on port 8181) -> Proxied Connection (see Image 3) (through the D8181 port forward on Tunnel 1) to Tunnel 2 -> Tunnel 2 has a Dynamic port forward waiting on port 8182 to tunnel traffic through.

Simplified:
Localhost:8182 -> Tunnel 1 D8181 -> -[Proxied SSH connection socks4 on 8181 ] -> Tunnel 2 (Dynamic Forward on 8182) -> Destination Address

May seem complicated but it really isn't. You're just utilizing the socks4 functionality on each tunnel session and chaining them together. You can stack it as high as you want (speed may decrease with each tunnel you add, though). Just remember the proxy port you want to use will always be the final dynamic port in the chain.

As far as finding open SSH accounts goes:
I used to have a badass SSH scanner but it's stuck in my gmail and gmail has since blocked the attachment due to its contents being malicious. Stole it from some newb hacker who was hammering one of my servers with L/P combinations. Found the server he was attacking from had FTP open, logged in, saw a user called 'Factory'. Tried factory/factory as L/P and got right in. Then I proceeded to steal all his shit, crack the root password (because it wasn't shadowed), then boot his ass out after telling him to go back to school. I shadowed the passwd file too so future hackers couldn't penetrate and recrack it.

I will see if I can dig it up. However, it uses a ton of sockets and may be against ISP policy to use. It runs on linux. So best bet would be to card a VPS or something with some bandwidth and run it off of there. If I can manage to retrieve it I will post it.

Proof of no record keeping when using this method (no command shell):
Have redacted some info for protection of identity.
I have 2 putty sessions open, double proxied (tunnel 1 -> tunnel 2 -> destination) and then I connected via an additional putty instance. I used the valid SSH credentials but this time with bash shell enabled to dump the last users to login, as well as who is currently logged in. The only logged session (in bold) was the one I requested a command shell on (the 3rd putty instance opened to prove this point).

Because I used my endpoint proxy port (8182) in the putty config to connect, it actually shows me as connecting from the server I'm proxying through. This is also a great way to explore and exfiltrate information from hacked servers because it shows you as connecting from within the server. If a sysadmin does a regular check of who is logged in they would probably think it's a fluke or a process running under a user account.

xxx@yyy.com [~]# echo $HOSTNAME
hostXXX.hostmonster.com
xxx@yyy.com [~]# who
yyy pts/2 Apr 22 22:37 (hostXXX.hostmonster.com)
xxx@yyy.com [~]# last | head -n8
yyy pts/2xxx@yyy.com hostXXX.hostmons Fri Apr 22 22:37 still logged in
kxxxxxs pts/1 ntkngabcde038.kng Fri Apr 22 12:36 - 19:06 (04:29)
kxxxxxs pts/1 aa201308abcde305 Thu Apr 20 17:09 - 20:09 (03:00)
dxxxxxd pts/1 h69-128-2abcde. Thu Apr 20 14:05 - 15:00 (00:54)
kxxxxxs pts/2 aa2013080abcde Thu Apr 20 03:19 - 04:09 (00:49)
kxxxxxs pts/1 aa201308017abcde Thu Apr 20 03:08 - 05:30 (02:22)
dxxxxxg pts/1 c-98-209-2abcde Wed Apr 19 21:48 - 22:47 (00:58)
qxxxxxe pts/1 216.2abcde Wed Apr 19 10:30 - 10:34 (00:04)

Good luck staying anonymous! Any questions feel free to drop me a line at asd8iok99@tutanota.com. If it's sensitive my PGP key is in my profile area on AB. Sorry if this is a jumbled mess, sometimes it's hard for me to explain things and it comes out jumbled.

Any IT or InfoSec/coding needs feel free to reach out to me. Also an expert at packet routing and staying fully anonymous. Proof of skills upon request.
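
The defender's side of the claim made in this post, as an added example that is not the poster's code or the page's own: the reason `who` and `last` show nothing is that they read utmp/wtmp, which only record sessions that were given a terminal, while sshd still writes an "Accepted ... for USER from IP" line to the auth log for every successful authentication, shell or not. The script below correlates those two sources over constructed sample data (the log lines, `who` output, `/etc/passwd` excerpt and the two `sshd_config` fragments are all made up for this example) and flags authentications that have no terminal session, with extra weight when the account has a nologin shell. It also checks whether an sshd_config leaves `AllowTcpForwarding` at its default, which is what makes the dynamic-forward chain described above possible in the first place.

```python
import re

# --- Constructed sample inputs (not taken from the page) -------------------
# sshd authentication log lines in the usual syslog/auth.log layout.
AUTH_LOG = [
    "Apr 22 22:30:01 hostXXX sshd[4101]: Accepted password for apache from 203.0.113.7 port 51022 ssh2",
    "Apr 22 22:37:10 hostXXX sshd[4150]: Accepted password for yyy from 203.0.113.7 port 51090 ssh2",
    "Apr 22 22:40:45 hostXXX sshd[4188]: Accepted publickey for deploy from 198.51.100.4 port 40322 ssh2: ED25519 SHA256:AAAA",
    "Apr 22 22:41:02 hostXXX sshd[4201]: Failed password for root from 192.0.2.9 port 33001 ssh2",
]
# `who` output at the time of the check. who/last read utmp/wtmp, which only
# hold sessions that were allocated a terminal, so a forwarding-only session
# (no shell requested, e.g. `ssh -N`) never appears here.
WHO_OUTPUT = [
    "yyy      pts/2        Apr 22 22:37 (203.0.113.7)",
    "deploy   pts/3        Apr 22 22:40 (198.51.100.4)",
]
# /etc/passwd excerpt: the service account has a non-interactive shell.
PASSWD = [
    "apache:x:48:48:Apache:/var/www:/sbin/nologin",
    "yyy:x:1001:1001::/home/yyy:/bin/bash",
    "deploy:x:1002:1002::/home/deploy:/bin/bash",
]
# Two sshd_config fragments. The weak one leaves AllowTcpForwarding unset
# (OpenSSH default: yes); the hardened one disables it globally and re-enables
# only local forwards for a single named account via a Match block.
WEAK_SSHD_CONFIG = [
    "Port 22",
    "PasswordAuthentication yes",
    "# AllowTcpForwarding not set, so the default of yes applies",
]
HARDENED_SSHD_CONFIG = [
    "Port 22",
    "AllowTcpForwarding no",
    "Match User deploy",
    "    AllowTcpForwarding local",
]

ACCEPTED_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
WHO_RE = re.compile(r"^(\S+)\s+(pts/\d+|tty\S*)\s+.*\((\S+)\)")


def nologin_accounts(passwd_lines):
    """Users whose login shell is nologin/false (no interactive shell)."""
    users = set()
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) == 7 and fields[6].rsplit("/", 1)[-1] in ("nologin", "false"):
            users.add(fields[0])
    return users


def parse_accepted(log_lines):
    """(pid, method, user, source, port) for each successful authentication."""
    out = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m:
            pid, method, user, src, port = m.groups()
            out.append((pid, method, user, src, port))
    return out


def parse_who(who_lines):
    """(user, tty, source host) for each terminal session listed by `who`."""
    return [m.groups() for m in (WHO_RE.match(l) for l in who_lines) if m]


def find_shell_less_logins(log_lines, who_lines, passwd_lines):
    """Accepted SSH logins that have no matching terminal session in `who`.

    Assumes `who` prints the same source form (IP or hostname) as sshd logs;
    on real hosts normalise both to IPs first.
    """
    terminal_users = {(user, host) for user, _tty, host in parse_who(who_lines)}
    nologin = nologin_accounts(passwd_lines)
    findings = []
    for pid, method, user, src, port in parse_accepted(log_lines):
        if (user, src) in terminal_users:
            continue
        reason = "accepted login with no terminal session (forwarding-only use?)"
        if user in nologin:
            reason += "; account has a nologin shell"
        findings.append({"pid": pid, "method": method, "user": user,
                         "src": src, "port": port, "reason": reason})
    return findings


def forwarding_allowed_globally(sshd_config_lines):
    """True unless the global (pre-Match) section sets AllowTcpForwarding no.

    'local' and 'remote' still permit forwarding, and -D dynamic forwards are
    local forwards, so only an explicit 'no' closes the door. Assumes
    whitespace-separated directives (the common sshd_config style).
    """
    for raw in sshd_config_lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # per-user overrides begin; global default is decided
        if key == "allowtcpforwarding":
            return value != "no"
    return True  # OpenSSH default


if __name__ == "__main__":
    for f in find_shell_less_logins(AUTH_LOG, WHO_OUTPUT, PASSWD):
        print(f"ALERT sshd[{f['pid']}] {f['user']} from {f['src']}: {f['reason']}")
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name} config allows TCP forwarding: {forwarding_allowed_globally(cfg)}")
```

On the sample data only the `apache` login is flagged: it authenticated but owns no pts, and its shell is `/sbin/nologin`, which is exactly the profile the post relies on. A nologin shell stops the interactive session but does not stop port forwarding; the setting that does is `AllowTcpForwarding no` (optionally re-enabled per account in a `Match User` block), so a service account with a password and a default sshd_config is the real weakness. The post's other observation also holds for the defender: the second hop's logs show the first compromised server as the source, so correlating auth logs across hosts, not just reading `who` on one of them, is what reveals the chain.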


[1 Points] DNM-Accountant:

Friendly weekly reminder for you to keep proper bitcoin OPSEC.

Tumble your dirty coins from all taint before linking it to a real life identity!


[1 Points] stampy_the_eleph4nt:

Another pro tip, I've mentioned this one at some time or another. Get an IronKey. They are military grade encrypted flash drives. There is no way to access the encrypted data partition to clone it as is required by computer forensics teams. It auto self destructs/wipes itself after 10 bad passwords. Water/weatherproof. A 2GB model would probably suit all your needs.

Keep your list of passwords in there as well, that way you can copy and paste and keyloggers can't catch them.

Lastly if you are going to follow my advice you need one password to unlock your encrypted drive. I recommend picking a simple word or phrase (name of pet, favorite car, whatever). Then go here and MD5 hash it: https://quickhash.com/. Then take the output hash from your plaintext string and hash it again. No one will ever crack or guess that password, and you will never forget it because it's so simple. Anyways that's all for now folks, be safe out there!


[1 Points] therealpizzaguy:

I just got Tails up and running. I already feel better about using the DNMs now. It should've been the 1st thing I did, but never too late!!


[1 Points] rabbitholetumble:

Dumb question incoming...

How large of a package is too large before requiring a drop and not a home address?