A Cyber Research Lab
Generally, when conducting research via the net one need not take an abundance of caution outside the norm. For anyone researching malware, attack methodology, or potentially frowned upon activities, more precautions should be taken. I approach this with layers of obfuscation. I don’t feel that I can completely anonymize myself, but I can certainly obfuscate my identity so that attempts to uncover it will exceed the value of actually revealing my identity.
The goal in all of this is to add layers of obfuscation between the real us, and the identities we create. Depending on the research we are doing, we would want those layers to make it more difficult for anyone or any group to positively identify us. For example, if I were doing malware research and wanted to allow a discovered sample to download an unknown but crucial file, I might not want the malware author to know my real IP address. If I were doing research on a topic frowned upon by my government, I might not want to take a risk that my data or meta-data such as IP addresses, user agent strings, and other information might be harvested and used against me later.
This part of my research network is comprised of a virtual router (VyOS) configured to direct internal hosts to communicate through a VPN. It’s similar to the map below but for the sake of this entry, I’m only concerned about the VyOS Router, and the Kali Research VM for information gathering purposes. A snapshot of my portable virtual network is below (not to scale). Of course I have some other VMs but they were having a bad hair day during this photo shoot.
For general OSINT activity, one could get away with just using TOR on an OS designed for such, but anything more would be pushing the limits of TOR.
For this small task, I set up my Kali box, established a base cyber persona, set up the VyOS router to only use the VPN, and configured my Kali host to exclusively use the VyOS router. Some have called this overkill, but I call it fun.
If you aren’t sure how to install TOR on your Kali VM, the guide here can help:
After you install and start the tor enabled browser in your Kali VM, you’ll not only have obfuscated your web presence, but you’ll now have access to those “dark web” sites you’ve been hearing about. A partial list of those sites can be found here. You could stop at this point, and simply use TOR to surf with a degree of anonymity that might suit your needs just fine. This does not guarantee that various applications or activities will go through TOR and possibly expose you.
Next I’ll create an on-line identity that I will I will use as a base persona which will serve as my primary on-line cover. Creating an alternate identity is not very complicated in this case because we are probably only going to create an email account and possibly some social media accounts at this point. This identity will become the new “us” on-line. We will create a unique identity with this, and later if we wish, additional sub-identities. One could certainly take this much further…
Using the TOR browser, one might register an email address either at his favorite provider, or maybe one a little more privacy focused such as www.ghostmail.com, securemail.hidemyass.com, or digitalenvelopes.email. If any ask for a backup email, you can use an on-the-fly provider such as mailinator.com. Be sure you read up on whatever providers you use.
For the sake of this activity, I’m creating an email account using the provider digitalenvelopes. If you want to use the same username across a number of sites, http://knowem.com/ can show you if it’s available on many of them at once. If you aren’t feeling especially creative, there are sites that will create random profile information for you such as: http://randomprofile.com/.
I created Sandra Peterson, added a note with some information I’d like to keep track of, and created an email tree with information I will need to reference later. After that, I decided on a VPN provider, TORGuard, and purchased an OpenVPN package. I purchased the VPN provider using a gift and signed up for the VPN while logged into a public wifi hotspot going through TOR. In doing all of that, if not careful I will associate virtual identification with my real id. Multiple layers of obfuscation make me happy but it’s up to the individual to decide where the line between paranoia and lunacy should be drawn (if at all).
Once upon a time, I attempted to keep track of my information in a spreadsheet but it became difficult to immediately get the information I was looking for so I began using a mind-map to keep it sorted. That way, I can see my usernames, creds, and other info as well as how items are related. Below is an incomplete example of what this would look like.
At this point, I am operating as Sandra. The tricky part is in keeping Sandra at a distance from my true identity. If I decide to create a gmail account for Sandra, and then one day check it from my normal computer directly through my wifi, then I’ve made associations between Sandra and my true identity. Also, if I live in the US, routinely connect to a US hosted VPN, and engage in behavior that is extremely interesting to law enforcement (LE) then I can expect to be undone in short order since there are no real competing interests involved that would slow or stagnate the investigation.
Back to the configuration. At this point, I configured my VyOS VM, and Research VM according to the network diagram above. The VyOS ISO I used is here: http://mirror.as62588.net/vyos/iso/release/1.1.6/vyos-1.1.6-amd64.iso but may no longer be the most updated version. I configured my interfaces which in VMware will look something like the below.
After booting, we are taken through the start up script and the VyOS website has plenty of information on this here.
The basic setup is pretty easy and straight forward. After installing VyOS, I usually enable the SSH daemon so that I can ssh in and configure versus having to use the limited interface in the VM console.
set service ssh port '22'
Now I can ssh in easily if on Nix, or use my favorite Windows client such as Cygwin, Putty, or MobaXterm.
Set the interfaces for the external, which in my case is set for NAT and will be assigned an IP, and then my Research and Malware networks as well.
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'External'
set interfaces ethernet eth1 address '10.0.0.1/24'
set interfaces ethernet eth1 description 'Research'
set interfaces ethernet eth2 address '192.168.100.1/24'
set interfaces ethernet eth2 description 'Malware'
Next I’ll set up some simple NAT rules to ensure the internal host traffic uses the VPN (tun0) and not the external interface, eth0.
set nat source rule 100 outbound-interface 'tun0'
set nat source rule 100 source address '10.10.0.0/16'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'tun0'
set nat source rule 110 source address '192.168.100.0/24'
set nat source rule 110 translation address 'masquerade'
At this point, one could add in some additional firewall rules if desired. I have some specific ones but don’t need to paste them here. The nature of this set up forces traffic to go through the tunnel and if it goes down or doesn’t exist, nothing happens. This prevents leaky applications from communicating outside your tunnel.
If you want to be able to create and use temporary VMs without having to set an IP each time, you can enable DHCP but this isn’t necessary if you only use static IPs.
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name anony authoritative 'disable'
set service dhcp-server shared-network-name anony subnet 10.0.0.0/24 default-router '10.0.0.1'
set service dhcp-server shared-network-name anony subnet 10.0.0.0/24 dns-server '10.0.0.1'
set service dhcp-server shared-network-name anony subnet 10.0.0.0/24 domain-name 'anonynet'
set service dhcp-server shared-network-name anony subnet 10.0.0.0/24 lease '86400'
set service dhcp-server shared-network-name anony subnet 10.0.0.0/24 start 10.0.0.100 stop '10.0.0.120'
Set up DNS forwarding.
set service dns forwarding cache-size '0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '188.8.131.52'
set service dns forwarding name-server '184.108.40.206'
Set the host name, commit, and save
set system host-name 'myvyosname'
This should be enough to get the traffic flowing when we activate the VPN. For the sake of example, I’ll use the free VPN service Vpnbook and will grab and unzip one of their OpenVPN configurations as below.
curl -F http://www.vpnbook.com/free-openvpn-account/VPNBook.com-OpenVPN-Euro2.zip -o openvpn.zip
unzip ../openvpn.zip -d freevpn
mv freevpn /opt/
Start the VPN and enter the creds found on the site which at the time was:
Each time you start the VPN, you’ll have to change directories to your /opt/freevpn directory execute openvpn.
sudo openvpn vpnbook-euro2-tcp80.ovpn
And you should see something like the following:
Now, if you go back to your research VM and set its network adapter to vmnet11, or your equivelent then you should be able to open a normal (non-TOR) browser and visit a site like whatismyip.com to find that you are now identified as your VPN address and any network activity you engage in will now travel through this VPN. Are you perfectly anonymous? No, but you have created an additional layer of obfuscation and privacy.