What do you fear?

As a pentester (or worse, a gray hat), you are no different from any other malicious attacker to your "victims". If you don't cover your ass, you will probably get yourself into some kind of trouble (abuse complaints don't count).

To prevent that from happening, you gotta hide yourself well.

Protect yourself

First steps

  • new identity

    Make sure nobody can identify him; he must be untraceable. To achieve this, you need:

  • TOR

    • Do not connect to TOR directly; you need to go through a proxy (Shadowsocks can be a very good choice) before reaching TOR. Moreover, I recommend using an OBFS4 bridge along with TOR
    • Tor Browser Bundle is recommended for new users; its SOCKS5 proxy port is 9150 instead of 9050 (which is the default port of the standalone tor module)
    • On your smartphone, you can use Orbot to proxy your communication
  • ALWAYS use TOR when you are supposed to be anonymous

  • Be careful when using a phone (consider your phone a semi-anonymous platform even when you are using TOR, as it contains too much spyware)
  • Use XMPP or IRC for instant communication (must connect via TOR)

    • ChatSecure for iOS
    • Conversations for Android
    • Pidgin for desktop
    • just a reminder, identity can be disposable

When hacking

  • Your traffic goes through TOR whenever possible (except for when you are connecting to 10k targets simultaneously, which I do not recommend doing)
  • At least, you stay behind TOR when sending out commands
  • Consider the potential impact on your network
  • Clean up everything after taking over control of a target
  • Use an anonymous download server (Dropbox is okay too), bring it online only when you need it


  • Use BTC, XMR for better anonymity
  • Nobody should know your wallet address (especially when it's not an exit node)

to be continued
