IP Hiding and Cloaking for Services

It is relatively easy to hide the IP address of a client through VPNs and proxies. It is much harder for a service, which has to remain reachable by its clients: imagine your phone number changing at the stroke of midnight every day; it would be very difficult for others to reach you reliably. There are many methods for hiding a service's IP, one of which is Tor. Its drawback is that the service is reachable only through a .onion address and hence only by very savvy internet users. Another method, used by botnets, is to update the A records every few seconds, but that is impractical as it requires control of large swathes of IP addresses.

The method I am going to illustrate uses iptables for both hiding and cloaking. Hiding the IP address means that the IP actually hosting the questionable content is not the IP revealed by an nslookup. Cloaking the IP address lets you whitelist or blacklist certain IP addresses from accessing the questionable content, serving them innocuous content instead.

Hiding IP addresses

piratecove.com A 2.2.2.2
piratecove.org A 3.3.3.3
piratecove.net A 4.4.4.4

2.2.2.2:443 ------\
                   |
3.3.3.3:443 -------------------- 6.6.6.6:54321
                           |
4.4.4.4:443 -- 5.5.5.5:443 /

In the example above, the questionable content for the piratecove website is hosted at 6.6.6.6. For redundancy, the owner has purchased three domains, all serving the same content, yet resolving any of them never reveals the actual IP address. To perform the redirection, the following commands have to be executed on 2.2.2.2 and 3.3.3.3.

echo "1" > /proc/sys/net/ipv4/ip_forward   # let the kernel forward packets that are not addressed to this host
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 6.6.6.6:54321   # rewrite the destination of inbound 443 before routing
iptables -t nat -A POSTROUTING -j MASQUERADE   # rewrite the source to this host so that replies come back through it

The redirection happens at the IP layer, so SSL connections remain end-to-end: only encrypted traffic passes through 2.2.2.2, and no questionable content is present on that server. However, if 2.2.2.2 is seized, investigators can uncover the actual IP address by dumping the iptables rules. To get around that, multiple hops are needed, as implemented on 4.4.4.4.

# Executed on 4.4.4.4 (ip_forward and the MASQUERADE rule from the previous block are needed on every hop)
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 5.5.5.5:443
# Executed on 5.5.5.5
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 6.6.6.6:54321

In this case, once 4.4.4.4 is seized, the owner immediately erases all data on 5.5.5.5, leaving a cold trail.

IP Cloaking

To further hinder investigations, IP cloaking can also be used. IP cloaking serves different content depending on the visitor's source IP. Hence, if you know that Walt Sidney uses the IP range 9.9.9.9/24, you can forward that range to a different web server hosting a fan site dedicated to Walt Sidney.

# Rules are matched in order, so the source-restricted rule must come before the catch-all rule.
iptables -t nat -A PREROUTING -s 9.9.9.9/24 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:1443
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 6.6.6.6:54321
# Caveat: the kernel drops PREROUTING DNATs to 127.0.0.1 unless route_localnet is enabled on the interface; DNAT to the host's own address, or -j REDIRECT --to-ports 1443, avoids this.

In other cases, whitelisting might be a better option. For example, if you run a meterpreter listener and expect clients polling from a single static IP address, you can whitelist only that address to forward to your listener and serve generic content to all other IP addresses.
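Both sections above leave a recoverable trail in the rules themselves: the hiding section notes that investigators can read the next hop out of a seized relay's iptables dump, and cloaking depends on DNAT rules keyed on the visitor's source address. The following Python script is an added example for this page, not code from the original post. It takes iptables-save output from several hosts (constructed inline to mirror the 2.2.2.2, 4.4.4.4 and 5.5.5.5 relays; the rule text, host keys and function names are all assumptions), follows the unconditional PREROUTING DNAT rules from host to host until it reaches an address whose rules it does not hold, which is the lead to the next host, and lists every DNAT rule restricted to a source range, since that is the fingerprint of cloaking.

```python
"""Follow DNAT relay chains and flag cloaking rules in iptables-save dumps.
Added example for this page, not code from the original post; the dumps are constructed."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed iptables-save output per seized host, keyed by that host's IP, mirroring
# the article's relays. iptables-save prints the article's "-s 9.9.9.9/24" as 9.9.9.0/24.
DUMPS: Dict[str, str] = {
    "2.2.2.2": """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 6.6.6.6:54321
-A POSTROUTING -j MASQUERADE
COMMIT
""",
    "4.4.4.4": """\
*nat
-A PREROUTING -s 9.9.9.0/24 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:1443
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 5.5.5.5:443
-A POSTROUTING -j MASQUERADE
COMMIT
""",
    "5.5.5.5": """\
*nat
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 6.6.6.6:54321
-A POSTROUTING -j MASQUERADE
COMMIT
""",
}

@dataclass
class DnatRule:
    source: Optional[str]     # -s value; None means any visitor matches
    dport: Optional[int]      # --dport value; None means any port
    dest_ip: str              # --to-destination address
    dest_port: Optional[int]  # --to-destination port; None keeps the original port

def parse_prerouting_dnat(dump: str) -> List[DnatRule]:
    """Extract nat/PREROUTING DNAT rules from one dump, in evaluation order."""
    found, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*nat", "*filter": a new table section
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING "):
            continue
        tok = shlex.split(line)
        # Pair each option with the value that follows it ("--dport" -> "443").
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1])
                if t.startswith("-") and not tok[i + 1].startswith("-")}
        if opts.get("-j") != "DNAT" or "--to-destination" not in opts:
            continue
        ip, _, port = opts["--to-destination"].partition(":")
        found.append(DnatRule(opts.get("-s"),
                              int(opts["--dport"]) if "--dport" in opts else None,
                              ip, int(port) if port else None))
    return found

def cloaking_rules(rules: List[DnatRule]) -> List[DnatRule]:
    """DNAT rules keyed on the visitor's source address: the cloaking fingerprint."""
    return [r for r in rules if r.source is not None]

def first_match(rules: List[DnatRule], dport: int) -> Optional[DnatRule]:
    """Rule hit on dport by a visitor from an unlisted source; iptables takes the
    first match, so source-restricted rules earlier in the chain are skipped."""
    for r in rules:
        if r.source is None and r.dport in (None, dport):
            return r
    return None

def follow_chain(start: str, dport: int, dumps: Dict[str, str],
                 max_hops: int = 16) -> Tuple[List[str], str]:
    """Walk unconditional DNAT rules host by host. Returns the hops as 'ip:port'
    and why the walk stopped: 'unknown' (next hop not among the dumps, i.e. the
    lead to the next host), 'terminal' (host answers itself), 'loop', 'too-long'."""
    host, port = start, dport
    hops, seen = [f"{host}:{port}"], {(host, port)}
    for _ in range(max_hops):
        if host not in dumps:
            return hops, "unknown"
        rule = first_match(parse_prerouting_dnat(dumps[host]), port)
        if rule is None:
            return hops, "terminal"
        host = rule.dest_ip
        port = rule.dest_port if rule.dest_port is not None else port
        hops.append(f"{host}:{port}")
        if (host, port) in seen:
            return hops, "loop"
        seen.add((host, port))
    return hops, "too-long"

if __name__ == "__main__":
    for relay in sorted(DUMPS):
        hops, status = follow_chain(relay, 443, DUMPS)
        print(f"{relay}: {' -> '.join(hops)} [{status}]")
        for r in cloaking_rules(parse_prerouting_dnat(DUMPS[relay])):
            print(f"  cloaking: visitors from {r.source} diverted to {r.dest_ip}:{r.dest_port}")
```

Run directly, the walk from 4.4.4.4 prints 4.4.4.4:443 -> 5.5.5.5:443 -> 6.6.6.6:54321 with status unknown, because 6.6.6.6 was never dumped; that gap is exactly what the multi-hop design relies on, and the address at which the walk stops is the next host to pursue. A terminal status means the host itself answers on that port, and the source-restricted rule on 4.4.4.4 is reported separately because a visitor from outside 9.9.9.0/24 would never see where it leads.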