What do you fear?
As a pentester (or worse, a gray hat), you are no different from any other malicious attacker to your "victims". If you don't cover your ass, you will probably get yourself into some kind of trouble (abuse complaints don't count).
To prevent that from happening, you gotta hide yourself well.
Protect yourself
First steps
- new identity: make sure nobody can identify him; he must be untraceable. To achieve this, you need:
- TOR
- do not connect to TOR directly; you need to go through a proxy (Shadowsocks can be a very good choice) before reaching TOR. Moreover, I recommend using an OBFS4 bridge along with TOR
- Tor browser bundle is recommended for new users; its SOCKS5 proxy port is 9150 instead of 9050 (which is the default port of the tor standalone module)
- on your smartphone, you can use Orbot to proxy your communication
- ALWAYS use TOR when you are supposed to be anonymous
- be careful when using a phone (consider your phone a semi-anonymous platform even when you are using TOR, as it contains too much spyware)
- Use XMPP or IRC for instant communication (must connect via TOR)
- ChatSecure for iOS
- Conversations for Android
- Pidgin for desktop
- just a reminder, identity can be disposable
When hacking
- Your traffic goes through TOR whenever possible (except for when you are connecting to 10k targets simultaneously, which I do not recommend doing)
- At least, you stay behind TOR when sending out commands
- Consider the potential impact on your network
- Clean up everything after taking control of a target
- Use an anonymous download server (dropbox is okay too), bring it online only when you need it
Business
- Use BTC, XMR for better anonymity
- Nobody should know your wallet address (especially when it's not an exit node)
to be continued