It is relatively easy to hide the IP address of clients through the use of VPNs and proxies. However, it is a challenge for services since they need to be reachable by the clients. Imagine if your phone number changed at the stroke of midnight everyday, it would be very difficult for others to reach you reliably. There are many methods for IP hiding, one of which is through the use of tor. However, one drawback is that it is reachable only through a
.onion address and hence is accessible only to very savvy internet users. Other methods used by botnets include updating the A records every few seconds, however it is impractical as it requires you to be controlling large swathes of IP addresses.
The method I am going to illustrate involves the use of
iptables for both hiding and cloaking. Hiding the IP address means that the actual IP hosting the questionable content is not the same IP that is revealed through an
nslookup. Cloaking the IP address allows you to either whitelist or blacklist certain IP addresses from accessing the questionable content, serving them innocuous content instead.
Hiding IP addresses
1 2 3 4 5 6 7 8 9
piratecove.com A 220.127.116.11 piratecove.org A 18.104.22.168 piratecove.net A 22.214.171.124 126.96.36.199:443 ------\ | 188.8.131.52:443 -------------------- 184.108.40.206:54321 | 220.127.116.11:443 -- 18.104.22.168:443 /
For the above example, we have questionable content for the website
piratecove hosted at 22.214.171.124. For redundancy purposes, the owner has purchased 3 domains with all serving the same content. However, resolution of domain will never reveal the actual IP address. In order to perform the redirection, the following commands have to be executed on 126.96.36.199 and 188.8.131.52.
1 2 3
echo "1" > /proc/sys/net/ipv4/ip_forward iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 184.108.40.206:54321 iptables -t nat -A POSTROUTING -j MASQUERADE
The redirection happens at the IP layer, therefore SSL connections will be end-to-end. Only encrypted traffic passes through 220.127.116.11 and no questionable content will be present on the server. However, if 18.104.22.168 is seized, investigators will be able to uncover the actual IP address by dumping the iptables rules. To get around that, we need multiple hops as implemented in 22.214.171.124.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 126.96.36.199:443 # Executed on 188.8.131.52 iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 184.108.40.206:54321 # Executed on 220.127.116.11
In this particular case, once 18.104.22.168 is seized, the owner will immediately erase all data on 22.214.171.124 thus leaving a cold trail.
To further hinder investigations, IP cloaking can also be used. IP cloaking serves different content depending on the source IP of the visitor. Hence, if you know that Walt Sidney uses the IP range 126.96.36.199/24, we can forward this IP range to a different web server hosting a fan site dedicated to Walt Sidney.
iptables -t nat -A PREROUTING -s 188.8.131.52/24 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:1443 iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 184.108.40.206:54321
In other cases, whitelisting might be a better option. For example, if you have a meterpreter listener and expect clients polling from a single static IP address. It is possible to whitelist only that address to forward to your listener and serve generic content to all other IP addresses.