It is relatively easy to hide the IP address of clients through the use of VPNs and proxies. It is much harder for services, since they need to be reachable by their clients: imagine if your phone number changed at the stroke of midnight every day; it would be very difficult for others to reach you reliably. There are many methods for hiding a service's IP address, one of which is Tor. One drawback, however, is that a Tor service is reachable only through a .onion address and hence is accessible only to very savvy internet users. Other methods used by botnets include updating the A records every few seconds, but this is impractical as it requires control of large swathes of IP addresses.
The method I am going to illustrate uses iptables for both hiding and cloaking. Hiding the IP address means that the actual IP hosting the questionable content is not the IP revealed by an nslookup. Cloaking the IP address lets you whitelist or blacklist certain IP addresses from accessing the questionable content, serving them innocuous content instead.
Hiding IP addresses
```
piratecove.com A 126.96.36.199
piratecove.org A 188.8.131.52
piratecove.net A 184.108.40.206

220.127.116.11:443 ------\
                          |
18.104.22.168:443 -------------------- 22.214.171.124:54321
                          |
126.96.36.199:443 -- 188.8.131.52:443 /
```
In the above example, the questionable content for the website piratecove is hosted at 184.108.40.206. For redundancy, the owner has purchased three domains, all serving the same content. However, resolving any of the domains never reveals the actual IP address. To perform the redirection, the following commands have to be executed on 220.127.116.11 and 18.104.22.168.
```sh
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 22.214.171.124:54321
iptables -t nat -A POSTROUTING -j MASQUERADE
```
The redirection happens at the IP layer, so SSL connections remain end-to-end: only encrypted traffic passes through 126.96.36.199, and no questionable content is present on that server. However, if 188.8.131.52 is seized, investigators will be able to uncover the actual IP address by dumping the iptables rules. To get around that, we need multiple hops, as implemented for 184.108.40.206.
```sh
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 220.127.116.11:443   # Executed on 18.104.22.168
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 22.214.171.124:54321 # Executed on 126.96.36.199
```
In this particular case, once 188.8.131.52 is seized, the owner will immediately erase all data on 184.108.40.206, leaving a cold trail.
To further hinder investigations, IP cloaking can also be used. IP cloaking serves different content depending on the visitor's source IP. Hence, if you know that Walt Sidney uses the IP range 220.127.116.11/24, you can forward that range to a different web server hosting a fan site dedicated to Walt Sidney.
```sh
iptables -t nat -A PREROUTING -s 18.104.22.168/24 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:1443
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 22.214.171.124:54321
```
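Seen from the investigator's side of the two-hop chain and the cloaking rules above, here is an added example (not from the original post) that parses dumped `iptables -t nat -S` output from seized redirectors and follows the DNAT hops a given client would take; the hop addresses, cloaked range and origin port are constructed RFC 5737 test values, not the post's.

```python
import ipaddress
import re

# Constructed sample (not from the post): `iptables -t nat -S` output from two
# seized redirectors, keyed by each host's own address (RFC 5737 test ranges).
NAT_DUMPS = {
    "192.0.2.10": """
-A PREROUTING -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:1443
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.20:443
-A POSTROUTING -j MASQUERADE
""",
    "192.0.2.20": """
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 198.51.100.5:54321
-A POSTROUTING -j MASQUERADE
""",
}
DNAT_RE = re.compile(
    r"^-A PREROUTING(?: -s (?P<src>\S+))?(?: -p tcp)?(?: -m tcp)?"
    r"(?: --dport (?P<dport>\d+))? -j DNAT --to-destination (?P<dst>\S+)$"
)

def parse_dnat_rules(dump):
    """PREROUTING DNAT rules in table order; the kernel applies the first match."""
    rules = []
    for line in dump.strip().splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(m["src"], strict=False) if m["src"] else None
            rules.append((src, int(m["dport"]) if m["dport"] else None, m["dst"]))
    return rules

def first_match(rules, src_ip, dport):
    """Destination 'ip:port' a connection from src_ip to dport is DNATed to."""
    src = ipaddress.ip_address(src_ip)
    for net, port, dst in rules:
        if (net is None or src in net) and (port is None or port == dport):
            return dst
    return None

def trace_chain(dumps, entry_host, client_ip, dport=443):
    """Follow DNAT hops across the seized hosts; the last element is the next address to examine."""
    path, host, src = [entry_host], entry_host, client_ip
    while host in dumps and (dst := first_match(parse_dnat_rules(dumps[host]), src, dport)):
        # MASQUERADE rewrites the source: later hops see the previous hop, not the real client.
        if "-j MASQUERADE" in dumps[host]:
            src = host
        host, port = dst.rsplit(":", 1)
        dport, path = int(port), path + [dst]
    return path
```

A loopback destination in the returned path means the client fell under a cloaking rule; because each hop masquerades, source-based cloaking can only ever be evaluated at the first hop.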
In other cases, whitelisting might be a better option, for example if you have a meterpreter listener and expect clients polling from a single static IP address. It is possible to whitelist only that address to forward to your listener and serve generic content to all other IP addresses.