You Down With APP? (Yeah You Know Me)

Yes, I date myself with the reference in the title of this blog post.  I can be lame like that.

A fair amount of my time at $last_gig was spent analyzing the Tools, Techniques and Procedures of the Advanced Persistent Threat.  Now, as a pentester, I have often thought about applying some of those techniques.  What if I had to create a burnable and unattributable attack platform for a specific type of engagement?  How would I go about it and be an Advanced Persistent Pentester?

This interest was renewed by my co-worker Beau Bullock’s talk at B-Sides Orlando on “Fade from WhiteHat to Black?” and also by a client that wanted us to do a black box assessment as if we were actual attackers trying not to get caught.

Now obviously this isn’t going to be in the same league as a nation state with deep financial pockets.  It probably isn’t even the same game.  But it is an interesting exercise nonetheless, and for those #redteam times when you want to decrease your potential digital footprint, this may help give you some ideas.

Where possible, I am not going to repeat instructions that can be found elsewhere online such as how to make a bootable USB drive.  After all, that’s what the Internet is for, right?

Also the obligatory warning that this configuration should not be used for attempting to hack systems that you are not authorized to.  Nothing is unattributable and untrackable, it can just be made less so.  If you perform illegal activities, it is my belief that maintaining perfect OpSec is incredibly difficult and you will get caught if the full weight of law enforcement comes after you.  So don’t do stupid stuff that will get you into trouble.

What we will need:

  • Cash (for buying all the stuff we need and mostly not getting tracked).
  • Laptop and USB flash drive (for loading the OS).
  • Prepaid phone (needed for registering email addresses or other accounts).
  • Prepaid VISA cards for converting to Bitcoin (BTC).
  • Virtual Private Server that takes Bitcoin (VPS).

Cash

How much?  That depends.  I already owned a Lenovo t420 and opted to use it, but found almost the same system (without SSD drives) for $250 on Craigslist.  With the laptop my total cost would have been $423.69.

Smartphone

Obtain a burner phone.  Note that 7-11 never seems to have them in stock (I went to three before giving up and going to Walmart).  The cost for a Tracfone Alcatel OnePlus was $63.79 with a 120 minute plan card (there was a special that tripled the minutes).

It seemed that the activation required WiFi to configure Android, but it may work to activate at Tracfone.com prior to setting up the phone so the 4G connection is set up.  If connecting to WiFi, consider connecting to a public network.  Obviously this was my first Tracfone.

Mainly this will be used for SMS messages for account verification, but hey, having a burner phone should come in handy… maybe for Defcon I guess?  Note that the email address that I created with Google during setup will not be used other than for the phone registration.  There are a few reasons for that.

Laptop Setup

This section isn’t meant to be how to create a perfectly secure and anonymous laptop for long term use.  There are other resources for that – I’ve been reading How to Setup a High-Security Laptop for Hacking*, Privacy, Self-Protection and Deep Web Voyaging: Using Kali Linux 2.0 + VirtualBox + Whonix + Obfuscated Bridges + Tor: Dark Net Science Book 1 which has been interesting, but we’re not going that far in this post.

Our OS will be burned after the engagement due to the Ripley Doctrine (Take off and nuke the entire site from orbit.  It’s the only way to be sure).  Any data that will need to be kept after the engagement will need to be consolidated from local and archived in some manner.  After all, if I were an actual attacker, I’d attempt to stand up new infrastructure for every campaign and burn it when it was over.

Purchase a laptop off of Craigslist.  I found a close configuration to the Lenovo t420 that I already own for $250.  Keep it cheap: we’re running Linux, and you want it to be a few years old because it will work better.  I chose Ubuntu 14.04 LTS as the OS because I know it works very well with the Lenovo t420.

I know, I know… Ubuntu 14.04 comes out of the box with some privacy concerns.  We’re going to make some changes to that.  I realize the choice of Ubuntu may make some folks say this or that other distro is a much better choice for what you’re doing here.  That may be the case; our industry is full of caveats that make people stay up late at bars at conferences arguing the pros and cons and starting flame wars on the Internet.  I like Ubuntu because it tends to work better for me.

Download the ISO, verify the checksum, and make a bootable install drive out of the USB stick.  Instructions are easily found online for any platform, so I will not repeat them.

During the installation process, select to encrypt the installation.  Choose as long a security key as you can remember.

Continue with the default installation.  When it is time to select the computer host name and username, select what you feel is appropriate, but I would suggest your normal names or handles are not what you want here.   Use something generic and inconspicuous.

Once booted into the new installation, update it:

#apt-get update

#apt-get upgrade

#apt-get install git

Next we will set up some pentesting tools.  Use git to clone TrustedSec’s PTF project.

#git clone https://github.com/trustedsec/ptf.git

Change into ptf/ and run PTF.

#cd ptf/

#./ptf

Once in the framework:

ptf>use modules/install_update_all

This takes a while, but when complete, will have current pentesting tools in /pentest.

While PTF does its thing, follow the instructions at https://fixubuntu.com/ to turn off search suggestions that may send data to a third party.

PTF is still installing, so I suggest going to get a password manager to generate and keep long passwords.  I like KeePass but as long as the key store is kept local, it should be ok.  As you need to create passwords for various resources, generate long random passwords.

If PTF is still installing, go get some coffee, check back on it in a bit.  It will need you to answer some questions, take the defaults.  Take this time to change the DNS server entry in resolv.conf to point to Google’s DNS (or any DNS server that is not your ISP).

Next, install VirtualBox.  Download and create VMs for Kali and Tails.  Install Tor Browser on the native Ubuntu install.   Most work will happen in the VMs, but I like the flexibility of having tools natively available as well.

Lastly, go get Burp Suite.  The free version may work for you if just to proxy your web traffic when necessary.  The full version is totally worth it, but would add $350 to the cost and I am pretty sure they do not take Bitcoin.  Zed Attack Proxy may work for your purposes as well.

Next, register a Yahoo email account.  Why?  Because using a mail client with Yahoo (not the web interface) will let you send malicious payloads through it in case you need to send targeted phishing messages and are able to make your ruse work with the Yahoo address.

This should provide a solid and flexible platform for a laptop as a base attack platform to get started with.

Virtual Private Server Setup

Now we need a VPS on the Internet for our testing platform.  We will use it to VPN through as well as hosting listeners for command and control.  But first, we need a way to pay for it that is somewhat more anonymous than a credit card or Paypal.  How about Bitcoin?  I would never say that I am a cryptocurrency expert by any stretch of the imagination, but it seemed that BTC wasn’t necessarily intended to be anonymous.  But it seems more so than other payment options for sure.

There were two ways that some Googling provided to obtain Bitcoins anonymously:

  1. Locally, meeting someone and giving them cash
  2. Prepaid VISA Card

Local Bitcoin traders seemed to have a 1BTC minimum; at the time of this writing that was ~$450, much more than we need for a month or two of a VPS and past my comfort zone for an experiment.

I picked up two $50 Vanilla branded cards at a local drugstore about a mile from my house.  Not exactly “anonymous” since I also went to my bank’s ATM right next door to pull out the cash.  I was most certainly on video at the ATM and in the drugstore.  But it was unattributable enough for the test.

Not every BTC marketplace accepted prepaid VISA cards as a payment method.  After some research, I found that paxful.com provides the means to do so with a few brands of cards.

After creating an account, choose the brand of gift card that you have.  Mine was listed prominently on the page.

You will be purchasing BTC from another individual through the paxful market.  The cost of BTC in this method will be approximately $.77 on the dollar and it fluctuates by a few cents.  The two transactions for this test required pictures of the front and back of the card.  If these were taken with a smartphone, as mine were, do not forget to remove the exif data.

#exiftool -all= *.jpg
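To confirm the stripping worked, the following added example (not part of the original post) walks a JPEG's segments and reports any metadata-bearing ones still present. The function name `metadata_segments` and the sample bytes are constructed for illustration.

```python
import struct

# Markers whose payload normally carries descriptive metadata:
# APP1 (Exif or XMP), APP13 (Photoshop/IPTC) and COM (free-text comment).
META = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}


def metadata_segments(data):
    """Walk JPEG segments up to start-of-scan and return [(marker, label)]
    for metadata-bearing segments still present (empty list = none found)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    found, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0xDA:          # SOS: compressed image data follows
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if marker in META:
            # The identifier is the text before the first NUL, e.g. "Exif".
            label = payload.split(b"\x00", 1)[0][:32].decode("latin-1")
            found.append((META[marker], label))
        pos += 2 + length
    return found


def seg(marker, payload):
    """Build one JPEG segment: FF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real photo: JFIF header, Exif block, comment.
JFIF = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF = seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00")
COMMENT = seg(0xFE, b"shot on phone")
TAIL = seg(0xDA, b"\x00") + b"\xff\xd9"
BEFORE = b"\xff\xd8" + JFIF + EXIF + COMMENT + TAIL   # as taken
AFTER = b"\xff\xd8" + JFIF + TAIL                     # after stripping

if __name__ == "__main__":
    print("before:", metadata_segments(BEFORE))
    print("after: ", metadata_segments(AFTER))
```

For a real file, pass the bytes read with `open(path, "rb").read()`; an empty list means no APP1, APP13 or COM segment precedes the image data.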

Once enough BTC has been obtained for the duration of the operation, then it is time to set up the VPS.  LibertyVPS (https://libertyvps.net/) allows OpenVPN in their terms of service and is hosted in the Netherlands.  Create an account and order the cheapest server.

When checking out, select the Bitcoin option.  When you initiate the transaction, since your BTC wallet is not on the local system, but on paxful.com, transfer the amount to LibertyVPS from the paxful.com wallet.  The checkout window on LibertyVPS will hang, but the transaction will complete.

SSH should be live on the VPS after creation.  Once connected we will do the same as with the laptop – update the server and install git and PTF.  Why install the same tools on the client and the server?  Well, there are a lot of tools there.  Better to set up what you may need now than get into the middle of something later and realize you should have installed it.

OpenVPN

I followed the instructions from:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

The only deviation was that a dependency package needed to be forced:

#apt-get install openvpn easy-rsa

#apt-get install -f

#apt-get install openvpn easy-rsa

Once the OpenVPN server is up and running and the client files have been configured, use the openvpn client built into Linux to connect.

#openvpn --config myvpn.ovpn

Now we have a laptop setup that would be a bit more anonymous for reconnaissance activities with Tor browser and Tails when necessary and to VPN into our VPS as the main attack platform.  When VPNed into the system, using Burp Suite for web app testing from the laptop, the traffic should appear to come from the offshore VPS.

After connecting the VPN to the VPS, Google thought I was in a different area of the world.

As a quick test I ran an nmap scan on an externally facing host and used tcpdump to write the network traffic to file.   I admit it was not a comprehensive test to see if any data was leaking out, but for pentesting and red team purposes, this should be sufficiently anonymous to raise the bar if you need to do so.
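One way to run the leak check described above, as an added example that is not from the original post: it reads the text form of a capture taken on the physical interface (for instance the output of `tcpdump -nn -r capture.pcap`) and lists every destination the laptop contacted outside the OpenVPN transport. The addresses, UDP port 1194 and the function name `find_leaks` are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# tcpdump -nn text line: "<time> IP <src>[.<port>] > <dst>[.<port>]: ..."
PKT = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})(?:\.(\d+))? > "
                 r"(\d+(?:\.\d+){3})(?:\.(\d+))?:")

# Constructed sample from the physical interface; all addresses are placeholders.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.50.51234 > 203.0.113.10.1194: UDP, length 108
12:00:01.100000 IP 192.168.1.50.40000 > 8.8.8.8.53: 4242+ A? example.com. (29)
12:00:01.200000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:02.000000 IP 192.168.1.50.44444 > 198.51.100.7.443: Flags [S], seq 1, win 29200, length 0
12:00:02.100000 IP 203.0.113.10.1194 > 192.168.1.50.51234: UDP, length 92
12:00:03.000000 IP 192.168.1.50.68 > 192.168.1.1.67: BOOTP/DHCP, Request, length 300
""".splitlines()


def find_leaks(lines, local_ip, vpn_ip, vpn_port, lan):
    """Return sorted (dst_ip, dst_port) pairs sent by local_ip that are
    neither the OpenVPN transport nor LAN-local traffic."""
    lan_net = ipaddress.ip_network(lan)
    leaks = set()
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue  # ARP and IPv6 lines are not parsed; check IPv6 separately
        src, _sport, dst, dport = m.groups()
        if src != local_ip:
            continue  # inbound packet
        if dst == vpn_ip and dport == str(vpn_port):
            continue  # encrypted tunnel traffic, expected
        if ipaddress.ip_address(dst) in lan_net:
            continue  # gateway, DHCP and other local chatter
        leaks.add((dst, int(dport) if dport else None))
    return sorted(leaks, key=lambda pair: (pair[0], pair[1] or 0))


if __name__ == "__main__":
    for dst, port in find_leaks(SAMPLE, "192.168.1.50", "203.0.113.10", 1194,
                                "192.168.1.0/24"):
        print("outside tunnel:", dst, port)
```

In the constructed sample the DNS query to 8.8.8.8 and the direct TCP connection both bypass the tunnel, which is what a resolver set in resolv.conf without a matching route through the VPN looks like on the wire.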

[Image: non-VPN connection scanning from native laptop install]

[Image: VPN connection scanning from native laptop install]