
Ethical Hacking Fridays: How to Hack (Part 6) Anonymous

by Ivan

Ethical hacking: How to hack and stay anonymous online

Now this may be a bit of a “taboo topic” as this series is on “Ethical Hacking” so why would there be a need to be anonymised? I’m of the opinion that if you are working in the security field you should know what you are defending against. I’m going to cover anonymisation off in this article but it is for informational purposes only. It’s not actually illegal to be anonymised as there are legitimate uses for it but just don’t do anything illegal with it!

I’m going to split this article into five sections:

  • “Disable WebRTC” to prevent VPN information leaks
  • “Tor Browser” for anonymised browsing
  • “ProxyChains” for anonymised connectivity
  • “Virtual Private Networks (VPNs)” for anonymised connectivity
  • “macchanger” for spoofing your MAC and bypassing filtering

Disable WebRTC

VPN users beware: Firefox and Chrome have a security vulnerability that may leak your IP address. It is strongly advised to disable WebRTC to protect yourself from this vulnerability. You will want to carry out this step before working through the VPN section below.

You can test for a WebRTC leak on your VPN using this link: https://browserleaks.com/webrtc

How to disable WebRTC in Firefox?

  1. Enter “about:config” in the Firefox address bar and press Enter.
  2. Press the button “I’ll be careful, I promise!”
  3. Search for “media.peerconnection.enabled”
  4. Double click the entry, the column “Value” should now be “false”
  5. Done. Do the WebRTC leak test again.

How to disable WebRTC in Chrome?

  1. Open the Chrome Web Store and search for the required extension: WebRTC Leak Prevent, WebRTC Control, or Easy WebRTC Block.
  2. Click Add to Chrome and confirm installation by pressing Add extension.
  3. Activate the extension and it’ll disable WebRTC in your Chrome browser.

In Google Chrome for Android, you can manually block WebRTC using a Chrome Flag (experimental setting): Type chrome://flags/#disable-webrtc in the address bar and press Enter, then press Enable. This disables the WebRTC feature.

Tor Browser

The Tor Browser allows you to access the “Dark Web”, “Deep Web” or “Hidden Web”. It is not installed by default with Kali.

The first step is to install “tor”.

kali@kali:~$ sudo apt-get update -y && sudo apt-get upgrade -y
kali@kali:~$ sudo apt-get install tor -y

The Tor browser requires a dedicated non-root user to run and there is a good reason for this. If for any reason the browser is compromised by some vulnerability or dodgy download, you want to limit the attack surface as much as possible on your system. For the same reason you would never want to run this as root.

kali@kali:~$ sudo adduser tor
Adding user `tor' ...
Adding new group `tor' (1001) ...
Adding new user `tor' (1001) with group `tor' ...
Creating home directory `/home/tor' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for tor
Enter the new value, or press ENTER for the default
Full Name []: Tor Browser
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y

You will now want to log out of Kali and log in with this new dedicated user.

  1. Log into Kali with your “tor” user.
  2. Start your browser
  3. Open “https://www.torproject.org”
  4. Click on “Download Tor Browser”
  5. Find the version for your operating system and download it
  6. Locate the archive on your system and open the archive
  7. Extract the “Browser” directory and “start-tor-browser.desktop” file to your desktop
  8. Close the archive
  9. Open “Tor Browser Setup” on your desktop

Click “Connect”. If for any reason it fails, click on “Configure”, select that Tor is censored in your country and use a bridge. This should fix it; then click “Connect” again.

The Tor browser may look like a normal browser but it is special in the way it handles your network traffic by routing via proxy nodes. It also allows you to access special “.onion urls” on the “Dark Web”.

If you want to see an example of this, search for “hiddenwiki url” in the “Search with DuckDuckGo” box. The “hiddenwiki” keeps moving so you will need to search for it. It contains a lot of unindexed, non-searchable .onion urls. Please be aware that a lot of it will be illegal to access so don’t do it.

I wanted to find an example .onion url to show you. In the hidden wiki the DuckDuckGo search engine also has an .onion url and can be accessed like this, “https://3g2upl4pq6kufc4m.onion”. This link will not work in a normal browser but in the “Dark Web” you can access it with the Tor browser.

As a pen tester and ethical hacker you will find a lot of useful information on the “Dark Web” in order to carry out your job more effectively. The hacking forums are particularly interesting.

I guess it goes without saying to never run anything from the “Dark Web” on your regular machine or anyone’s machine for that matter. If you do want to run or look at something offline make sure you run it in a contained virtual machine with no external access.


ProxyChains

You know in those “hacking movies” where you see the hacker bouncing their traffic all over the globe? That’s basically glamourised “proxychains”. In reality it is much much slower than you see in the movies but it works.

If you are going to follow this part of the tutorial with me please make sure you have read my article, “Ethical Hacking (Part 2): Introducing Kali Linux”.

The configuration file for “proxychains” on Kali Linux can be found here, “/etc/proxychains.conf”.

“proxychains” supports a number of different proxy types…

  • HTTP — HTTP traffic
  • SOCKS4 — IPv4 TCP traffic, no IPv6 or UDP
  • SOCKS5 — IPv4 and IPv6 IP traffic

You will almost always want to use a SOCKS5 proxy.

There are three “proxychains” modes…

  • “dynamic_chain” — proxies can be used in any order, failed proxies will be ignored, at least one proxy should respond.
  • “strict_chain” — proxies need to be used in a specific order and all proxies need to respond.
  • “random_chain” — proxies will be used in a random order and at least one proxy should respond.

If you are using free proxies (which we will be using), you will want to use “dynamic_chain”. Free proxies are a little unreliable so in most cases this is the one you will want. This would also be recommended with the “tor” service. If you have paid for reliable proxies then “strict_chain” would be a good option. “random_chain” could be used for testing IDS solutions as each request will follow a different path.

For the purpose of this tutorial please uncomment “dynamic_chain” and make sure “strict_chain” and “random_chain” are commented.

Make sure “proxy_dns” is uncommented. If you are not using proxy DNS you are not anonymous.

Please duplicate the last line of the configuration file for SOCKS5, then save and exit.

# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050

You may or may not have “tor” installed in Kali already. I didn’t and had to install it.

kali@kali:~$ sudo apt-get update -y && sudo apt-get upgrade -y
kali@kali:~$ sudo apt-get install tor -y

Then let’s check the status of “tor”.

kali@kali:~$ service tor status
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; disabled; vendor preset: disabled)
Active: inactive (dead)

kali@kali:~$ service tor start
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'tor.service'.
Authenticating as: Kali User,,, (kali)

Now let’s run a basic test…

kali@kali:~$ proxychains firefox www.duckduckgo.com
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| www.duckduckgo.com
|D-chain|-<>-<><>-|DNS-request| content-signature-2.cdn.mozilla.net
|DNS-request| duckduckgo.com
|DNS-request| firefox.settings.services.mozilla.com
|DNS-response| www.duckduckgo.com is
|D-chain|-<>-<><>-|DNS-response| duckduckgo.com is
|D-chain|-<>-<><>-|DNS-response|: content-signature-2.cdn.mozilla.net does not exist
|DNS-request| push.services.mozilla.com
|DNS-response| firefox.settings.services.mozilla.com is
|D-chain|-<>-<><>-|DNS-request| shavar.services.mozilla.com
|D-chain|-<>-<><>- unsupported fd-relative fstatat(24, "", 0x7FFE55A1BBA0, 4096)
|DNS-response| push.services.mozilla.com is
|DNS-request| push.services.mozilla.com
|D-chain|-<>-<><>-|DNS-response| shavar.services.mozilla.com is
|DNS-response| push.services.mozilla.com is
|DNS-request| improving.duckduckgo.com
|DNS-request| ocsp.digicert.com
|DNS-request| ocsp.digicert.com
|D-chain|-<>-<><>-|DNS-response| ocsp.digicert.com is
|D-chain|-<>-<><>-|DNS-response| improving.duckduckgo.com is
|D-chain|-<>-<><>-|DNS-response| ocsp.digicert.com is

This will open “www.duckduckgo.com” in the “firefox” browser in Kali. You can use other browsers here as well. Just a note here: if you have followed my other tutorials and still have the OWASP ZAP or Burp Suite proxy configured in your browser, you need to remove it. The browser should not have a proxy configured.

So why use “www.duckduckgo.com” instead of other popular search engines? “www.duckduckgo.com” is an anonymous search engine. Apparently they don’t record your IP address or search traffic like the others do. In terms of your anonymity it is probably the better option to use.

Please browse to “www.dnsleaktest.com” or restart your proxy chains like this, “proxychains firefox www.dnsleaktest.com”. You should notice that the IP address detected is nowhere near you. It currently thinks I’m located in Germany. It is interesting that the IP address I’ve been allocated is on spam report, blacklist & IP abuse database. Not really surprising. If you click on “Standard test” you should see that your DNS leak test is also anonymous. It thinks I’m in Dallas now.

We have just used “proxychains” to open “firefox” but you can pass in other applications as well. For example if you pass in “nmap” all your NMAP traffic will be passed through “proxychains”. Just prefix any application you can start from the terminal with “proxychains”. If you have any issues just make sure your “tor” service is running and potentially run “sudo service tor restart”.

Up until now we’ve used the “tor” proxy service to browse. As you would have seen in the “/etc/proxychains.conf” you are able to include your own custom proxy chains as well (examples included in file). Now you can include your paid for SOCKS5 proxies or you could just do a search online for “free socks5 proxies”, there are loads. Not sure how many will be reliable or work but you can give them a go. Just a word of note that different countries respect user privacy differently. Some countries are better than others in keeping user data safe. I would just do your research to find out which countries are trustworthy and which are not. It really should not matter here as nothing we are doing is illegal so you can choose any reliable SOCKS5 proxy with decent performance. I’m just showing you this so you can simulate a real attack. Please also note that scans and attacks without permission will get you in real trouble. If you want to practice, make sure you scan and attack services that belong to you.

One last word of advice here is don’t add a massive list of proxies to your “/etc/proxychains.conf” as it will take forever to resolve especially if you are using free proxies which are timing out. I would say 2–3 reasonably reliable proxies is more than enough.
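The settings this section asks for (exactly one chain mode, “proxy_dns” enabled, well-formed proxy entries and a short list) can be checked mechanically before you rely on the chain. The following is an added example, not part of the original article or of proxychains itself; the function name and both sample configurations are constructed, and 127.0.0.1:9050 is assumed as Tor's default local SOCKS listener.

```python
CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")
PROXY_TYPES = ("http", "socks4", "socks5")
MAX_PROXIES = 3  # the article suggests 2-3 proxies at most


def audit_proxychains(text):
    """Audit proxychains.conf text; return (active_modes, proxies, findings)."""
    modes, proxies, findings = [], [], []
    proxy_dns = in_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # commented-out options are inactive
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
        elif not in_list:
            if line in CHAIN_MODES:
                modes.append(line)
            elif line == "proxy_dns":
                proxy_dns = True
        else:
            # Expected shape: <type> <host> <port> [user pass]
            f = line.split()
            ok = (len(f) >= 3 and f[0] in PROXY_TYPES
                  and f[2].isdigit() and 0 < int(f[2]) < 65536)
            if ok:
                proxies.append((f[0], f[1], int(f[2])))
            else:
                findings.append(f"line {lineno}: malformed proxy entry: {line!r}")
    if len(modes) != 1:
        findings.append(f"expected exactly one active chain mode, found {modes}")
    if not proxy_dns:
        findings.append("proxy_dns is not enabled: DNS lookups bypass the chain")
    if not proxies:
        findings.append("no usable proxy in [ProxyList]")
    elif len(proxies) > MAX_PROXIES:
        findings.append(f"{len(proxies)} proxies listed; keep it to {MAX_PROXIES} or fewer")
    return modes, proxies, findings


# Constructed sample: the configuration this tutorial ends up with.
TUTORIAL_CONF = """\
dynamic_chain
#strict_chain
#random_chain
proxy_dns
tcp_read_time_out 15000

[ProxyList]
# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
"""

# Constructed sample: two modes active, proxy_dns commented out, host missing.
BROKEN_CONF = """\
dynamic_chain
strict_chain
#proxy_dns

[ProxyList]
socks5 9050
"""

if __name__ == "__main__":
    for name, conf in (("tutorial", TUTORIAL_CONF), ("broken", BROKEN_CONF)):
        modes, proxies, findings = audit_proxychains(conf)
        print(name, modes, proxies)
        for finding in findings:
            print("  !", finding)
```

To check a real file, pass the contents of “/etc/proxychains.conf” to the function instead of the sample strings.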

Virtual Private Networks (VPNs)

I’m using Kali Linux within Virtual Box as per my article, “Ethical Hacking (Part 2): Introducing Kali Linux”. You’ll need to make one adjustment to the Virtual Box network settings for Kali Linux. Open Virtual Box, right-click on your Kali Linux instance and go to “Settings”, then click on “Network”, expand “Advanced” and make sure “Promiscuous Mode” is set to “Allow All”.

“Promiscuous Mode” allows a network adapter to pass all received traffic, no matter to which adapter the traffic is addressed. With “Allow All”, there are no restrictions in this mode. A virtual machine network adapter can see all incoming and outgoing traffic.

The first step on Kali Linux is to make sure our DNS settings are correct.

kali@kali:~$ cat /etc/resolv.conf
# Generated by NetworkManager

  • 8.8.8.8 and 8.8.4.4 are Google DNS servers
  • 208.67.222.222 and 208.67.220.220 are OpenDNS servers

I recommend using a combination of three DNS servers from them as the maximum DNS servers that will be used is three. Don’t use the DNS provided by your ISP. If you need to update your DNS settings don’t edit this file directly. Open your Kali network settings and make the adjustment to your network connection there.

Once you have done that disable networking and re-enable networking for the changes to take effect.

kali@kali:~$ sudo service NetworkManager restart

I’m using a static IP for Kali but if you are using DHCP you can prepend the DNS servers as follows.

kali@kali:~$ sudo vi /etc/dhcp/dhclient.conf

Uncomment the following line and add the OpenDNS servers, then save and exit.

prepend domain-name-servers 208.67.222.222, 208.67.220.220;

You will need to restart your “NetworkManager” service.

kali@kali:~$ sudo service NetworkManager restart

We are going to use a free OpenVPN service which we’ll find at VPN Book.

You can download the bundle ZIP file from any of these servers. Just make a note of the “Username” and “Password” above as we’ll need it later.

kali@kali:~$ cd Downloads

kali@kali:~/Downloads$ ls -la
total 20
drwxr-xr-x 2 kali kali 4096 Oct 14 16:32 .
drwxr-xr-x 19 kali kali 4096 Oct 14 10:51 ..
-rw-r--r-- 1 kali kali 9219 Oct 14 20:32 VPNBook.com-OpenVPN-US1.zip

kali@kali:~/Downloads$ unzip VPNBook.com-OpenVPN-US1.zip
Archive: VPNBook.com-OpenVPN-US1.zip
inflating: vpnbook-us1-tcp80.ovpn
inflating: vpnbook-us1-tcp443.ovpn
inflating: vpnbook-us1-udp53.ovpn
inflating: vpnbook-us1-udp25000.ovpn

Now let’s connect to the VPN…

kali@kali:~/Downloads$ sudo openvpn vpnbook-us1-tcp443.ovpn
[sudo] password for kali:
2020-10-14 20:37:13 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2020-10-14 20:37:13 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2020-10-14 20:37:13 OpenVPN 2.5_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 30 2020
2020-10-14 20:37:13 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
🔐 Enter Auth Username: vpnbook
🔐 Enter Auth Password: *******

2020-10-14 20:37:31 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-10-14 20:37:31 NOTE: --fast-io is disabled since we are not using UDP
2020-10-14 20:37:31 TCP/UDP: Preserving recently used remote address: [AF_INET]
2020-10-14 20:37:31 Socket Buffers: R=[131072->131072] S=[16384->16384]
2020-10-14 20:37:31 Attempting to establish TCP connection with [AF_INET] [nonblock]
2020-10-14 20:37:32 TCP connection established with [AF_INET]
2020-10-14 20:37:32 TCP_CLIENT link local: (not bound)
2020-10-14 20:37:32 TCP_CLIENT link remote: [AF_INET]
2020-10-14 20:37:32 TLS: Initial packet from [AF_INET], sid=2484a6a2 a4ab6c2a
2020-10-14 20:37:32 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-10-14 20:37:33 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
2020-10-14 20:37:33 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
2020-10-14 20:37:33 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
2020-10-14 20:37:33 [vpnbook.com] Peer Connection Initiated with [AF_INET]
2020-10-14 20:37:34 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
2020-10-14 20:37:36 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS,dhcp-option DNS,route,topology net30,ping 5,ping-restart 30,ifconfig,peer-id 0,cipher AES-256-GCM'
2020-10-14 20:37:36 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2020-10-14 20:37:36 OPTIONS IMPORT: timers and/or timeouts modified
2020-10-14 20:37:36 OPTIONS IMPORT: --ifconfig/up options modified
2020-10-14 20:37:36 OPTIONS IMPORT: route options modified
2020-10-14 20:37:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-10-14 20:37:36 OPTIONS IMPORT: peer-id set
2020-10-14 20:37:36 OPTIONS IMPORT: adjusting link_mtu to 1627
2020-10-14 20:37:36 OPTIONS IMPORT: data channel crypto options modified
2020-10-14 20:37:36 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-10-14 20:37:36 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-10-14 20:37:36 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-10-14 20:37:36 net_route_v4_best_gw query: dst
2020-10-14 20:37:36 net_route_v4_best_gw result: via dev eth0
2020-10-14 20:37:36 ROUTE_GATEWAY IFACE=eth0 HWADDR=08:00:27:24:30:b1
2020-10-14 20:37:36 TUN/TAP device tun1 opened
2020-10-14 20:37:36 net_iface_mtu_set: mtu 1500 for tun1
2020-10-14 20:37:36 net_iface_up: set tun1 up
2020-10-14 20:37:36 net_addr_ptp_v4_add: peer dev tun1
2020-10-14 20:37:38 net_route_v4_add: via dev [NULL] table 0 metric -1
2020-10-14 20:37:38 net_route_v4_add: via dev [NULL] table 0 metric -1
2020-10-14 20:37:38 net_route_v4_add: via dev [NULL] table 0 metric -1
2020-10-14 20:37:38 net_route_v4_add: via dev [NULL] table 0 metric -1
2020-10-14 20:37:38 Initialization Sequence Completed

If you see “Initialization Sequence Completed” then you are good to go. Open your browser and go to, “https://www.dnsleaktest.com”. If you have used the same VPN as me it should say you were in, “Washington, United States”. If you are actually from Washington you should probably use another VPN 🙂


macchanger

Each network interface card (NIC) has its own unique hardware address (MAC). The first half of a MAC is the Organisational Unique Identifier (OUI) (“manufacturer”) and the second half is the Network Interface Specific Identifier.

Let’s take a look…

kali@kali:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:24:30:b1 brd ff:ff:ff:ff:ff:ff
inet brd scope global noprefixroute eth0
valid_lft forever preferred_lft forever

So the MAC address of my Kali virtual machine is, “08:00:27:24:30:b1”.

OUI: 08:00:27
NIC: 24:30:b1

According to a quick search for “08:00:27 manufacturer” in my browser the manufacturer is “Cadmus Computer Systems”.

Hopefully you will at least know the basics of networking but a MAC is only used at layer-2. It does not leave your Local Area Network (LAN) and can’t be seen when you are routing externally.

There may be limited cases where you need to change your MAC (especially in a virtual machine) but it is still useful to know how to do it. An example I can think of is if there is some sort of layer-2 filtering only allowing connectivity from a specific vendor or MAC. If you know what MAC address(es) are allowed you can set yours accordingly.

kali@kali:~$ macchanger -h
GNU MAC Changer
Usage: macchanger [options] device

-h, --help Print this help
-V, --version Print version and exit
-s, --show Print the MAC address and exit
-e, --ending Don't change the vendor bytes
-a, --another Set random vendor MAC of the same kind
-A Set random vendor MAC of any kind
-p, --permanent Reset to original, permanent hardware MAC
-r, --random Set fully random MAC
-l, --list[=keyword] Print known vendors
-b, --bia Pretend to be a burned-in-address
-m, --mac=XX:XX:XX:XX:XX:XX
--mac XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX

Report bugs to https://github.com/alobbs/macchanger/issues

kali@kali:~$ macchanger -s eth0
Current MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)
Permanent MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)

It’s quite nice that “macchanger” actually shows you the OUI vendor with the “-s” argument. Another really handy argument is “-l” which lists all vendor OUIs. If you have a MAC and want to identify it you can look it up in the list.

kali@kali:~$ sudo macchanger -s eth0
Current MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)
Permanent MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)

kali@kali:~$ sudo macchanger -r eth0
Current MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)
Permanent MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)
New MAC: 4a:8d:65:51:10:f1 (unknown)

kali@kali:~$ sudo macchanger -s eth0
Current MAC: 4a:8d:65:51:10:f1 (unknown)
Permanent MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)

kali@kali:~$ sudo macchanger -a eth0
Current MAC: 4a:8d:65:51:10:f1 (unknown)
Permanent MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)
New MAC: 00:1a:ac:70:dd:df (Corelatus AB)

kali@kali:~$ sudo macchanger -s eth0
Current MAC: 00:1a:ac:70:dd:df (Corelatus AB)
Permanent MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)

kali@kali:~$ sudo macchanger -p eth0
Current MAC: 00:1a:ac:70:dd:df (Corelatus AB)
Permanent MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)
New MAC: 08:00:27:24:30:b1 (CADMUS COMPUTER SYSTEMS)
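From the defending side, the session above is worth decoding: the fully random address (4a:8d:65:51:10:f1) has the locally administered bit set in its first octet, while the vendor-style address from “-a” does not and only stands out because the MAC behind one IP changed. The following is an added example, not part of the original article; the function names, the 192.0.2.10 address and the observation list are constructed, and only the MAC values come from the output above.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_mac(mac):
    """Split a MAC into OUI/NIC halves and decode the first-octet flag bits."""
    norm = mac.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(norm):
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(norm[:2], 16)
    return {
        "mac": norm,
        "oui": norm[:8],    # first three octets: vendor prefix
        "nic": norm[9:],    # last three octets: interface-specific part
        "multicast": bool(first & 0x01),
        # Bit 0x02 set means the address was assigned in software,
        # not taken from a vendor's registered OUI block.
        "locally_administered": bool(first & 0x02),
    }


def review_observations(observations):
    """Review (ip, mac) pairs in arrival order, e.g. from ARP or DHCP logs.

    Returns a list of (ip, mac, reason) alerts.
    """
    last_seen = {}
    alerts = []
    for ip, mac in observations:
        info = parse_mac(mac)
        if info["locally_administered"]:
            alerts.append((ip, info["mac"], "locally-administered"))
        previous = last_seen.get(ip)
        if previous is not None and previous != info["mac"]:
            alerts.append((ip, info["mac"], "mac-changed"))
        last_seen[ip] = info["mac"]
    return alerts


# Constructed observations replaying the macchanger session above
# for a single host at a documentation-range IP address.
OBSERVATIONS = [
    ("192.0.2.10", "08:00:27:24:30:b1"),  # original MAC
    ("192.0.2.10", "4a:8d:65:51:10:f1"),  # after macchanger -r
    ("192.0.2.10", "00:1a:ac:70:dd:df"),  # after macchanger -a
    ("192.0.2.10", "08:00:27:24:30:b1"),  # after macchanger -p
]

if __name__ == "__main__":
    for alert in review_observations(OBSERVATIONS):
        print(alert)
```

The locally administered bit on its own is a weak signal, since some virtual machines and mobile devices legitimately use such addresses, so treat it as a hint and rely on change tracking per IP or switch port.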
