GhostInTheChaos - Chaotic Crypto Stealth VPN for Anonymity and Untraceable Hacking Attacks with Linux and Android

13.07 - as you may have seen in the past, at this date, I publish some pretty decent projects, this one isn't an exception and probably will become a subject of a controversy, like it happened already.

Anyway, the following research (and code) is about the eternal confrontation between order and chaos, specifically between network censorship/filtering and freedom of access, as well as traceability, but also about security.

In order not to complexify an already pretty complex system, let's start from simple things and improve them step by step.

CAN I HAZ ACCEZ?

A simple situation, you're accessing the internet directly (with a router and/or switch) from your device (laptop, PC, tablet, smartphone, etc.) :

This is how the majority of you (unfortunately) access the internet. Well, there are certain advantages, like speed (since no traffic is intentionally modified), simplicity (plug&play) and price (can even be free in some cases). However, there are some obvious disadvantages, like a complete lack of security and privacy. Of course, you still can access some sites over HTTPS, which will provide security (authenticity, confidentiality and integrity), but your ISP or some other attackers  or a corporate firewall can see what site you're visiting, for how long and how much data is going (aka metadata), don't even mentioning that if your country/enterprise will decide to block some sites or/and services, you can't access them anymore (using the described schema) :

You still can use another DNS server and even go over DNSCrypt, but your ISP can still block IPv4 as well as IPv6 addresses and a corporate firewall can force local DNS.

PROXYZ

Some of you might use so-called proxy server, free or paid, which basically routes your web traffic over another server in such a way that your ISP don't handle the packets itself :

This is a pretty common way to bypass censorship and some filtering, although filtering might be problematic since, proxy can force local authentication and redirection, without even speaking about security, especially for "free" proxy servers since, you can't trust them and the traffic still can be unencrypted.

But some of you might have their own servers, in a country with not too many restrictions, which can be used as an encrypted and authenticated proxy server with the help of SSH Dynamic Port Forwarding :

Putting it to port 443 (HTTPS) will even bypass network filtering and censorship, however, it's only a proxy and not a complete VPN and it can and will be blocked by a majority of corporate WAFs or government DPI since, SSL (used by HTTPS) and SSH are different protocols.

VPNZ

Speaking about VPN, some of you might also have it :

Which allows to redirect all network traffic transparently through such server, but there is still the problem of protocol difference, although OpenVPN is based on SSL/TLS and support certificates, the traffic order and packets are still different (depending on configuration), thus can be blocked :

So, a solution is to use another software to simulate HTTPS and encapsulate the VPN traffic inside, one of them is stunnel:

With a proper domain name and certificate, this should work, but you still have to take in count traceability, if you're going to do some stuff that will spark up an interest in your activity since, your VPN provider will store logs at least on IP level that will lead to you.

H4X0RZ

What hackers commonly do is that they have a "bulletproof" VPN, a server that they buy anonymously (usable cards, crypto, etc.) or just hack and use anonymously (Tor, neighbour WiFi, etc.) :

This is very nice, except that you still have to prevent correlation and don't access Tor directly (which will require another technique), plus you will lose some speed. An actual VPN isn't required though, you still can have a simple shell, but you suppose to have a server in order to hack properly (like reverse shell) and store loot.

FORGET EVERYTHING YOU JUST READ

Nothing new so far, right? Well, now we will begin the fun part, in short I will do all of the above in a better way without OpenVPN, stunnel and Tor. Moreover, I will secure servers on network perspective, so let's start with this.

First of all, the whole technical configuration can be automated and found on my GitHub.

Now, we will need iptables on our server to... block all the traffic. Yes, we will block everything which enters the servers (leaving the state-full connections and output/transfer) and yes, this will completely lock it down and make completely invisible on the network. No, I'm not joking. This will ultimately protect from scanning and exploiting the server, "you can't fight what you can't see", the stealth element. I know that you're still wondering, how then we will access the server, except the debug TTY which we may not have in the first place? Well, the answer is knockd, Port Knocking utility, which will allow a specific IP to connect after a special sequence of ports has been sent to server. This is kind of "security by obscurity", I do agree, but since we will secure everything else, this is an optimal solution InMyHakishOpinion since, you don't waste your resources for fail2ban or other stuff like that. I prefer to use only 80 and 443 ports, which is the minimum network filtering nowadays, and then redirect 443 port to our service.

One of them will be SSH, that should still be on its default 22 port, but I would advise to use only ed25519 asymmetric cryptography for key exchange, public key authentication, and ChaCha20/AES256-GCM symmetric ciphers with Poly1305/SHA256 hashes as those are defacto standards at the moment.

You might think that we will redirect 443 to 22 and you will be right, except that we need our SSL/TLS tunnel, which we will create using... socat (crypto element), with a custom certificate of course and if you want, you can even generate one using LetsEncrypt.

At this point, we can freely use our SSH which will bypass WAFs and even switch DPF for proxy effect, but it will be cooler if it was a VPN, right? Well, we will create a VPN using... SSH. No, I'm not joking once again, you can create a virtual remote tunnel (what is VPN basically all about) using SSH. So with SSH you can have both shell and all your traffic routing through it, cool (with some ipv4_forwarding and NAT post-routing). Right now, our setup looks like this and fully functional :

But we are still missing the "anonymity" part and here's where the "chaos element" comes into place. Well, by  chaos I mean I2P, which we will use to make the connection to a second "bulletproof" server almost untraceable from our first server by simply creating an indirect tunnel (kind of hidden service) between them :

And yes, the CHAOS server will also have iptables for blocking, but without knockd since we will only allow input for UDP and maybe IPv6 for tunnelling. Such solution will always participate to I2P internal networking and thus making correlation very difficult (which suppose to be the case for VPN as well). We will still need SSH for the very same purpose in proxy mode (shell/VNC/VPN), so basically we are replacing socat with I2P and doing SSH bounce. The main difference is that I2P is made for internal networking, it's like a mini internet with its own crypto and protocols, which is IMHO can be more secure, more reliable and faster than Tor.

Great, the last thing we need to do is to configure all this for our device, in order we can use it and, with some shell scripts and key/certificate sharing everything is done, you can even use it on Android and pretty much any Linux/Unix with some customization, simple and efficient as that (not considering my days of research, problem solving and budget, heh).

As alternative to dropping all the traffic and redirecting using knockd, you can set up your HTTPS web server at the default 443 port and redirect the traffic to SSL:SSH to another port with knockd and socat. Like this, your connection will seem to be legit HTTPS packets with a real HTML site, which will be visible by everyone, whereas it's an encapsulated and prerouted SSH for you.

ALL YOUR DATA ARE BELONG TO US

Wow, amaze haxor, such APT, so hackerish, many pwn, very leet... but can it be defeated? Well, as it is, it can.

First of all, VPN server has to participate in I2P routing in order to make correlation more difficult. Second, you have to store public keys in order to prevent MITM attacks. Third, you shouldn't rely only on knockd and keep your software up-to-date as well as apply "defence in-depth" (like SELinux/grsec/PAX/AppArmor/cgroups). Fourth, even if there is no difference on the protocol level, there will be some regarding packets/bytes/time, so let's do some analysis :

This chart is a simple HTTPS connection to a search engine, for X we have time in seconds and for Y we have the number of packets (red chart) or bytes (black chart). As another example, let's analyze ProtonMail connection :

On the left the ratio of bytes and on the right the ratio of packets, pretty similar characteristics. Now SSH :

As we can see, the SSH connection differs from SSL, both for packets and bytes. Now OpenVPN :

Much more different. How about to compare SSH through socat ?

Well, as you can see, you can change the protocol, but you can't change the data (red - pure SSH, black - over socat). Same goes for VPN :

Note that even if SSH ciphers are better maintained, protocol is more robust and performance is higher, the major bottle-neck is still TCP over TCP, since SSH doesn't support UDP at the moment, which is a bit different topic of discussion, but still a feasible solution.

PHILOSOPHY OF ENTROPY

My point isn't about that order won't ever win versus chaos, or that chaos stands no chance against order, but about the simple fact that none of them can win nor lose. Even if we suppose that the chaos (entropy) is the ultimate destiny of the universe, it will make no sense without order and the fact that the destiny is already determined signifies the presence of order. To put it in the nutshell, nothing is black or white in this world, nothing is determined or uncertain, there is only hope and illusion about either security, either freedom. You can believe me or not, believe that you can believe or not, nothing will matter in the end, but only the fact that you're conscience about your choice at this moment. Entropy is a stable state, so the chaos is order and order is chaos, humans invented it, not universe. Same goes for good/evil, death/life, 0/1 and quantum physics.

Well, I think that I'v kind of leaving my initial topic with such meta-physical-philosophical discussions, without even speaking of all the technical complexity I just explained pretty briefly, so I'll leave you with my "chaos theory" for now.
Remember, the choice doesn't matter, but the fact of choosing does.
Now, think about it all and put my work into the good use :)

Thanks.

Bitcoin Conspiracy - Who and Why? or when technology meets politics and economy

Yeah I know what you're thinking - "please, not another goddamn conspiracy theory", right? Well, I'll do my best to make this article as different and as logical as possible, although, it might be a little more political/economical than technical, but still informative.

OK, now almost everyone knows that at the end of 2017, one BTC cost almost 20,000 $ and that it was a very good investment years ago, but how did it all start and for what purpose?

Before I really begin, I would like to notice that all bitcoin transactions are publicly visible by everyone, thus bitcoin isn't an anonymous currency by nature, like Dash/Zcash for instance, as far as you don't publish your public key with your identity (like for donations).

The legend is that it was created by a Japanese as a decentralized cryptocurrency based on blockchain technology. I do believe that it could be done by a single man (as I reinvented blockchain in my time), but I don't really see the reason for staying anonymous, though some "big" projects creators preferred to hide (like Linux PaX), in this case it won't change anything since, the "Pandora's box" is already open and there is pretty much nothing the creator can do if something will go wrong (the community still has to accept some kind of "soft-fork", like it was with Ethereum or on altcoin with a larger block size (think Litecoin)).
For me this means only one thing - nobody suppose to know who made it and thus, the reason behind it.

So, who actually created it? You may hear different versions : cypherpunks, NSA, CIA, illuminati, lizards, aliens, you name it ...
I will go with a more-or-less realistic assumption, but in order to understand my statement, I have to mention a little bit of history.

What is currency nowadays? Just a paper that people believe is somehow valuable and represents a financial debt, like dollars. But before they were backed by real gold (taken from citizens), you could go to bank and say - "Here's thousand backs, now give me some real coins", the same was in Soviet Union, you could exchange rubles for a shiny metal, a paper was an equivalent for gold. But after a dozen years a man called Charles de Gaulle tried to do it for all the dollars in France, such exploit made USA lose much gold and then they (more precisely, Federal Reserve System, which not belongs to state) understood that it wasn't a very smart idea after-all. So, they just started printing papers, hoping that people will still believe that they are valuable, and later with IT, they just simply making zeroes and ones, without any "material base" what-so-ever. Backing dollars with gold as intrinsic value was an attempt to universalize it and force everyone to use it by USA, which became the richest country with the largest gold reserve just after the WWII.

A currency is itself a debt, but do you know how much USA owns? Very, very much, more than there are resources in the whole world, which will eventually lead to its inevitable economical collapse and America won't ever be "great again", while printing all these bucks. So, as time passes, country has to get rid-of all this debt, a war isn't a bad solution as debt burning (I should mention Ukraine ... maybe later), but after the financial crisis, a solution should be found quickly. Yet, what if we made a new currency related to dollar as its alternative and force everyone to use it instead while keeping a big part of it? Eureka! Total control. Surely, we will have to give the blockchain technology as well, but that's an acceptable price.

OK, enough politics for now, let's go technical, let's speak about hacking, although malware creation isn't really hacking, but still related to the topic.
Some malware researchers/analysts have found some links between some ransomware attacks and government hackers (specifically Equation Group (NSA-TAO)), I may even speculate that some of their tools were leaked on purpose as a justification/endorsement for such attacks (like, maybe, 9/11?), or that a state should actually arrest someone who stopped such attack, or that stocks are hacked not just by criminals and finally, that "anonymous black-markets" are actually law enforcement honey-pots. Not even mentioning a strange recursive hash theft/backdoor discovered recently. Also, Crypto Dip in the middle of January 2018 by "banning" cryptocurrencies, has cut their prices almost ten times for some cases, but in some "particular" cases, the price raised a lot and, where truly Silk-Road seized bitcoins went? So many questions, yet such uncertainty.

An alternative version is that it's just another pyramid that spiked-up after a financial crysis, like it was in USSR in case of MMM, but in this case, it's going to be worldwide and there is no one to put to jail for it. You might ask however, how such scheme could even work? Well, it's pretty good illustrated in a book called Dunno on the Moon with "The Society of Giant Plants" as example, but to put it in the nut shell, let's say that a company which costs 100 thousand dollars sells its 100 shares, that would mean that each share cost one thousand dollars, and the price varies regarding multiple criteria, such as being successful or not. The thing is that if people will buy the shares, they will become less and less available and since people want more and more, the shares will raise in price because, demand creates offer. On the other hand, if suddenly the price will go down for whatever reason and if everyone decides to sell back the shares, while nobody wants to buy it, the shares will cost almost nothing and drop in price even lower. And it works, because of such psychological phenomenon as greediness, which is the base for almost any pyramid (and probably the only intrinsic value of cryptocurrencies), especially if it's heaped by media (like YouTube).
After-all, currency is indeed currency when you can buy something with it or exchange for green American presidents of Colon... I mean Columbus country. Finally, even if it's a non-state-sponsored pyramid, the state itself doesn't seems to be worrying about a potential dollar concurrency too much, it only tries to profit from it.

That was probably pretty simplified, yet pretty clear, but how bitcoin price is determined since, it's not material-based and when did the first stock exchange begun to accept it? If I'm not wrong, its wide recognition and acceptance begun in 2013, the same year when the gold price went tremendously down for the first time in history, coincidence?

Now, let's take another powerful state - Russia. They want to make their own cryptocurrency, some kind of cryptoruble. For me the reason is pretty obvious - total control. If the blockchain technology will be state-centralized and the only authorized, which Russia wants, the state will control all the economical flow in the country, every payment of everyone.
The justification for such maneuver is not only to "fight terrorism" cliché, but to fight corruption for example, so the intent may seem to be good. However, one should realize that he/she/it would have practically no privacy of market since, everything what goes from and to his/her/its account is state-monitored. Money is power, and Russia will take it from its citizens sooner or later, just like Soviet Union took private property. Suppression of private property is an attribute of Socialism ("from each one an ability, to each one a work"), which is a transitional step from Capitalism to Communism, history repeats itself ... by spiral (according to Marx at least).
Will it be good or bad? I'm not predicting anything, but I just worry about the vectors Russia's heading (and hope that it will not take an example of Estonia's digitalization mistakes). Considering the CIS summit of december 2017, that was probably a subtle proposition to create a common economical space, thus one could predict a Union of Crypto Socialist Republics - UCSR :) and... another cold war phase, subtly declared by Atlantic Council report.

Do I have bitcoins at the moment? No, and I discourage everyone to buy and use them not only for political, but also for philosophical reasons.
A currency is not a merchandise that can be traded on stock, you suppose to buy things with money, but not to buy money with another money, it contradicts the currency intent and creates problems, bitcoin isn't an exception, so please stop being greedy and financing economical slavery along with capitalistic pyramid.

"But hey! It's just a theory! A conspiracy theory! Thanks for reading!"

P.S. soon I might make a proposition of a new economical model based on cryptography and sociology.

SkyrimCrypt - Deniable Encryption and Steganography in Computer Games

Even if TES V Skyrim was released more than 6 years ago, people still play it, people still like it and I found a very interesting and nontrivial way to use it as a decoy to hide information, basically transforming it into a steganographic crypto-container (like TrueCrypt).

You might know from news about MMORPGs espionage, however, this is becoming more than real elsewhere ... I thought that only USA "seek terrorist" in order to do what they want, but it's not a political article.
Perhaps you could use online games in order to have a private chat, it's not a bad idea on a perspective of a decoy, but in a point of security view, there is no encryption and plenty of logs, so if you're going to be under suspicon, it's not going to be private anymore. Nonetheless, how to use offline games as a secure storage? This is what my article is about.

You might wonder - there are already solutions, why bother with another-one? Well, the reason is that I don't agree with the existent. Crypto-containers like TrueCrypt/VeraCrypt/LUKS can be identified and even if you will remove the header (thus adding deniability) you might think that nobody would think that it's an encrypted data, unless you know some mathematics behind cryptology. You see, encrypted data is "random" by nature, a more precise term would be - entropic, and entropy can be calculated, meaning that if you have a huge entropic file (containing "random" data), that would raise a suspicion that may be followed by brute-force that may be followed by cryptanalysis that may be followed by torture. Probably I'm exaggerating for today, but perhaps tomorrow it will be the case.

Anyway, the article suppose to be about games and not about paranoia, so let's do some tests with Skyrim. I have one installed on my Linux with Wine, works not so great, but works. But, do you know what's special about Skryim? Mods, plenty of mods exist for it and if you play Skyrim you probably have dozens of them, but not everybody develop mods, those who do, know their structure, fragmentation and extensions, specifically BSA. Now, let's look at them in the Skyrim's Data folder:

 
Those are classical Skyrim "mods", which may be included right after the purchase (for some editions). BSA is basically a compressed archive, thus "random" by nature, although it has a deterministic header, it can have a very big size too.
Now, let's look at one of them:

I specifically chose the one with textures because, mathematics. So, let me explain you all this. As ent tool shows, 7.97 out of 8 bits in file looks random, which is 99.7% of them, plus it indicates that the file was indeed well compressed, the chi-squared distribution isn't good though. It also showed some more interesting statistics, but they are less important and I'll have to explain what I already said, to begin, here's the file's bytes distribution:

As you can see, it's not so random as the entropy may show us, but how is that calculated after all? Well, when dealing with IT we often will reference to Shannon's entropy, which indicates how "random" are bytes of a file:

 

Basically, you would  perform a negative sum of probability occurred for each byte by multiplying it by the logarithm (necessary power) in base two of itself.
Encrypted file is 8/8 entropic (which is sometimes more than a randomly generated file), just like a ZIP archive and it's chi-squared distribution is about 290 for 95% to be sure, now about that:

Basically, it's the fraction of the square of the difference between the estimated distribution and the observed one to the estimated distribution.
That is very interesting because, it shows us if there is a big difference between what we observe and what we estimate, that our hypothesis is true with a certain probability. And here is where I'm not really agree with the ent tool because, it doesn't really shows the probability of being certain (50% in the best case according to them), but let's just say that the lower this number is, the more you can be sure that the data are "really random" and as you can see from the screenshot, 67 million is way bigger than few hundreds, thus we will reject the random nature of such distribution.
I know that you still may have some questions about all this, so feel free to make some web searches in order to fully understand such useful math.
That was to say that even if our file is entropic, it may not be randomly distributed.

Besides, as you may notice the content of the header isn't that random, but it begins from a couple thousands bytes:

So, we can copy the first non-random bytes and then append out crypto-container to it, claiming that it's just a mod for Skyrim whereas it's not, and to extract, we just specify the offset for dd (or directly) and decrypt :

Nevertheless, mathematics will show the truth behind such decoy, as you can see even if adding thousands of nonrandom bytes to 500Mb that wouldn't affect the entropy, neither the chi square, thus raising the suspicion for that file and uncovering it.
But, I'll assume that it would be enough in the near future to bypass border controls in some countries.

Of course, it will be preferably to have a whole steganographic OS or a disk, but don't worry, R&D in progress :)

By the way, if you're afraid that somebody someday might decrypt your files, instead of encrypting them, just try to decrypt :) that way you will have to encrypt the files in order to receive their original form (with the last block lost however) :

You might ask me why I didn't publish a tool to make such BSA mods? I won't and discourage everyone to do so for the same reason this article is written - stealthing. The existence of that tool may also make you suspicious and if you have logs of using it, it's game over. The point is to have no trace whatsoever. If you want more details about what I just wrote, you can checkout one of my works.

Finally, even if you're not going to use my technique, I still hope that you learned something interesting and perhaps useful from my article.
That said, let's make Skyrim sneaking "great again" :)