Finding whereabouts of a webmaster



lalyil
05-05-2014, 04:43 PM
Hi there,

Well, if someone was to open a website and run it and didn't want to be found (by the police) how would they do it? I'm guessing the police could find who the domain is registered by and the IP address of the webmaster, but it's possible to use a fake address and a fake/mirror IP, right? (is there such a thing as a mirror IP?)

If, let's say, I open a website in England but want the police to see it was opened in Russia and so to get more info they'd have to turn to the Russian government, but they won't cooperate, how would that work?

Thanks

robjvargas
05-05-2014, 05:45 PM
How many pages of explanation do you need? :D

There's no single method for this. People think in names, but computers think in numbers. IP addresses in this case. Domain names (and other names) get associated with IP addresses using servers called nameservers.

Your hiding could be done with nameservers that point to a Russian IP address. That IP address would then be a kind of proxy server that connects to the actual server that serves up whatever that site provides.

What you cannot do is take an IP address assigned to Russia and use it in Great Britain. The big equipment that runs at the "core" (aka root) of the Internet will send that traffic to Russia, not GB.

King Neptune
05-05-2014, 06:04 PM
Rob is right, but one can have a webname extension from one country and put the site in another. I sometimes visit the Pravda English forum, and those were actually located in Arlington, Virginia. Using a couple of proxies will usually hide the actual location, unless someone has a good sniffer. All IP numbers have to have a name and address with them. I don't know whether anyone checks on the validity of those, but they can be looked up.

You could acquire an IP address in the Russian domain and give a British name and address with it, or vice versa. There are legitimate reasons for businesses to have sites in several countries, and for all of those to have a single owner address. Do some whois lookups; search for that on Google.

lalyil
05-05-2014, 06:33 PM
Thanks guys.

So if I use a Russian proxy server to bring up an IP address in Russia, would the police/government be able to find the real whereabouts/real IP somehow without the help of Russian authorities?

robjvargas
05-05-2014, 06:54 PM
Thanks guys.

So if I use a Russian proxy server to bring up an IP address in Russia, would the police/government be able to find the real whereabouts/real IP somehow without the help of Russian authorities?

They could, yes. In order for Internet traffic to move around, it always has to have a sort of return address. So they could, theoretically, see the British server that's the actual server talking back and forth with the Russian proxy.

Depending on how much support your guy gets from Russia, though, it can be pretty damn difficult. One example: a "multi-homed" proxy. Let's say Russia has two big ISPs. Servers could have two (or more) network adapters. One on ISP A, one on ISP B. The ISP A connection is the IP everyone uses to connect to your guy's "service." The ISP B connection is the private connection back to Britain.

That's all heavily simplified. But doable. The authorities can figure it out in time. You might even get more time if you have ISP C, D, E, and so on, and rotate among them every 8 or 16 or 24 hours.

lalyil
05-05-2014, 07:02 PM
Ok. Well, I don't want the police to be able to find my guys :) so if Russia doesn't cooperate, I suppose it's possible, using a multi-homed proxy. I can have the police spend days on it when, in my case, they don't have enough time.

ironmikezero
05-05-2014, 08:02 PM
Ok. Well, I don't want the police to be able to find my guys :) so if Russia doesn't cooperate, I suppose it's possible, using a multi-homed proxy. I can have the police spend days on it when, in my case, they don't have enough time.


That's the crux of the matter - cooperation. There is always a digital trail, but if the law enforcement agencies within the involved jurisdictions don't fully cooperate and dedicate appropriate resources, your webmaster might remain a ghost. However, if they do cooperate there is no place he/she could hide. Eventually he/she will be found.

King Neptune
05-06-2014, 12:01 AM
Thanks guys.

So if I use a Russian proxy server to bring up an IP address in Russia, would the police/government be able to find the real whereabouts/real IP somehow without the help of Russian authorities?

Yes, there are "sniffers", programs that read the paths of packets. I haven't used one recently, but I used to try to track down where sites or emails came from. Sometimes there were routes that went from U.S. to Russia to Australia back to U.S. Sometimes the program could give a physical address, street and number, but mostly it would just give the city. On occasion there were sites that couldn't be tracked, but they were rare. Search for information about "sniffer" and "packet sniffer".

And here are sniffers that will resolve the MAC address, the specific machine from which the packet originated.
http://www.scanwith.com/download/IP_Sniffer.htm

Telergic
05-06-2014, 01:45 AM
The Russian authorities will not assist a British or American investigation into something like this except under direct orders from Putin.

lalyil
05-06-2014, 02:29 AM
Thanks Mike, Neptune and Telergic.

So it seems to me that even the most elaborate scheme to hide an IP will eventually be solved and found using "sniffers", but it could take a while?
The FBI in my story don't have much time, so I guess this could work to my advantage (I don't want the IP found).
And yes, I picked Russia so they will not cooperate, thanks Telergic :)

King Neptune
05-06-2014, 02:41 AM
Thanks Mike, Neptune and Telergic.

So it seems to me that even the most elaborate scheme to hide an IP will eventually be solved and found using "sniffers", but it could take a while?
The FBI in my story don't have much time, so I guess this could work to my advantage (I don't want the IP found).
And yes, I picked Russia so they will not cooperate, thanks Telergic :)

Sniffing sometimes takes a while, and it's a good idea to use at least one Russian proxy server. The more proxies that are involved the more chance that the sniffer will miss the origin.
You might put another proxy in sub-Saharan Africa, because they can't cooperate. But investigate some web hosts there first.

TerryRodgers
05-08-2014, 04:59 PM
If the person is purposely trying to stay hidden why would they purchase their own website? There are hundreds of free website hosts. All you have to do is use an alias name, create a free email account and free website. You can even go coffee shop hopping where there's free Internet. Nothing is impossible, but if the person is on the move, it would be almost impossible to find him or her.

Telergic
05-08-2014, 06:09 PM
If the person is purposely trying to stay hidden why would they purchase their own website? There are hundreds of free website hosts. All you have to do is use an alias name, create a free email account and free website. You can even go coffee shop hopping where there's free Internet. Nothing is impossible, but if the person is on the move, it would be almost impossible to find him or her.

Right. And for that matter, many hosting companies exist specifically for the purpose of shielding the identity of the website owners, and are headquartered in countries where they are essentially immune to international law enforcement.

WeaselFire
05-08-2014, 09:19 PM
Well, if someone was to open a website and run it and didn't want to be found (by the police) how would they do it?
Use an anonymous web host. HavenCo running from Sealand would be a popular one in Britain. My current favorite is anonymous.to, but there are only about a bazillion available.

Jeff

King Neptune
05-08-2014, 09:52 PM
Even with anonymous hosting a sniffer would track the origin of packets back to the IP and MAC addresses.

Telergic
05-08-2014, 10:03 PM
Even with anonymous hosting a sniffer would track the origin of packets back to the IP and MAC addresses.

And where would this sniffer be deployed? After the proxy used to mask the true origin of the packets? Obviously not before, or they would already know where the subject was located....

robjvargas
05-08-2014, 10:28 PM
It can be a kind of arms race, trying to trace a packet back to its destination. For example, one or more hops could be encrypted through an anonymizer like a TOR tunnel (basically a VPN). When the traffic passes through an encrypted connection, it can be impossible to decrypt and trace (at least within the time frame you've described).

It's possible to use a proxy *as* a sniffer, rather than having one before or after. This is possible with pretty much any piece of network hardware responsible for managing connections. Many switches, routers, and firewalls maintain connection state tables. So your hacker *could* pull down a list of all active connections at any given point in time, and then just go down that list to find the one that interests him or her.

King Neptune
05-08-2014, 10:59 PM
And where would this sniffer be deployed? After the proxy used to mask the true origin of the packets? Obviously not before, or they would already know where the subject was located....

Sniffers look at the information in a packet and make inquiries based on that. For example, if I wondered where a certain ping was coming from, I would enter the address of that ping in the sniffer, and the sniffer would track down the network, wherever it was, that was sending the ping. One time I was getting dozens of pings from a company in the Philadelphia area, so I emailed the network administrator and asked why. The response was something like, "None of my users could send a ping, if they even knew what it was."

Packets start out with to and from information in them, and they transfer information at every node where they are redirected. The proxy doesn't remove anything; it just puts another step in the route.

It is also true that some of the route information could be encrypted, but it would have to have routing information in a form that could be understood by any node that redirected the packet.

Telergic
05-08-2014, 11:21 PM
Sorry, KN, that's untrue. Normal proxies, sure, they aren't trying to confuse or mislead anyone. But any proxy deliberately set up with the intention of masking the packet origin strips all the headers from the user's packet and adds its own and maintains its own internal table of where the completely new packets should go. It's absolutely impossible to detect the origin of such a packet by sniffing it anywhere along the leg between the proxy and the packet's destination. All you can find out is that some server in Finland or the Cayman Islands or Kazakhstan or wherever is getting the anonymized packet, and you'd have to go to that physical location to find out more or hack the channel carrying the packets to the proxy datacenter.

Hacking the proxy server or its links is certainly possible, but of course they are designed to be secure, so you would probably need physical access, and presumably the server is located in some foreign country where the laws are such that foreign law-enforcement can't legally get access to it -- and that's not just easy packet sniffing, that's an all-out attack.

King Neptune
05-08-2014, 11:50 PM
Sorry, KN, that's untrue. Normal proxies, sure, they aren't trying to confuse or mislead anyone. But any proxy deliberately set up with the intention of masking the packet origin strips all the headers from the user's packet and adds its own and maintains its own internal table of where the completely new packets should go. It's absolutely impossible to detect the origin of such a packet by sniffing it anywhere along the leg between the proxy and the packet's destination. All you can find out is that some server in Finland or the Cayman Islands or Kazakhstan or wherever is getting the anonymized packet, and you'd have to go to that physical location to find out more or hack the channel carrying the packets to the proxy datacenter.

Hacking the proxy server or its links is certainly possible, but of course they are designed to be secure, so you would probably need physical access, and presumably the server is located in some foreign country where the laws are such that foreign law-enforcement can't legally get access to it -- and that's not just easy packet sniffing, that's an all-out attack.

O.K., if the header information is stripped and new headers added, then it would be like that. How does one engage the services of whoever owns such a proxy? The problem I have with hiding a site that way is that one must have a server in a place where it would be possible to keep it from being seized by police.

Would these do that? Or are they just places that run traffic through, so your browser would show that as location, and a visited website would also show that server as the address?

http://en.wikipedia.org/wiki/Anonymizer And these are the kind of proxy that you mean, are they not?

Telergic
05-09-2014, 12:06 AM
O.K., if the header information is stripped and new headers added, then it would be like that. How does one engage the services of whoever owns such a proxy? The problem I have with hiding a site that way is that one must have a server in a place where it would be possible to keep it from being seized by police.

Would these do that? Or are they just places that run traffic through, so your browser would show that as location, and a visited website would also show that server as the address?

http://en.wikipedia.org/wiki/Anonymizer And these are the kind of proxy that you mean, are they not?

Correct.

I suppose we're talking about someone who is technically sophisticated with time to plan all this out, so all they need is a hosting company anywhere in the world that doesn't care what they are hosting or how they are paid -- and there are plenty of them. This is where spam comes from, after all.

And this is what you do if you can't find a commercial or free anonymizing service you trust.

You send email to your shady off-shore hoster of choice from a new temp account, you give them a prepaid card or some stolen CC number or a bitcoin or whatever to pay, they give you an FTP address and a password. Now you install your redirecting anonymizing proxy, which I assume is available open source from various places if not commercially. You can repeat this process with multiple hosters around the world if it makes you feel safer to make a chain of them. Someone who has access to Chinese law enforcement probably doesn't have access to the Swiss, and vice-versa, for example. Then at last you can set up some random website with yet another hoster and administer it remotely through one or another of your various cutoffs, and without a truly massive security operation to track you down, you are probably safe.

But that's pretty elaborate. If you use TOR or similar, you're probably safe in one step, though apparently TOR was briefly compromised a few months ago, re Silk Road, etc -- but that was a big operation, tracking down Silk Road.

robjvargas
05-09-2014, 12:23 AM
It's not even all that technologically sophisticated any longer. There are services set up to get you an anonymized state.

http://www.pcworld.com/article/2054040/people-flock-to-anonymizing-services-after-nsa-snooping-reports.html

King Neptune
05-09-2014, 12:37 AM
Correct.

I suppose we're talking about someone who is technically sophisticated with time to plan all this out, so all they need is a hosting company anywhere in the world that doesn't care what they are hosting or how they are paid -- and there are plenty of them. This is where spam comes from, after all.

And this is what you do if you can't find a commercial or free anonymizing service you trust.

You send email to your shady off-shore hoster of choice from a new temp account, you give them a prepaid card or some stolen CC number or a bitcoin or whatever to pay, they give you an FTP address and a password. Now you install your redirecting anonymizing proxy, which I assume is available open source from various places if not commercially. You can repeat this process with multiple hosters around the world if it makes you feel safer to make a chain of them. Someone who has access to Chinese law enforcement probably doesn't have access to the Swiss, and vice-versa, for example. Then at last you can set up some random website with yet another hoster and administer it remotely through one or another of your various cutoffs, and without a truly massive security operation to track you down, you are probably safe.

But that's pretty elaborate. If you use TOR or similar, you're probably safe in one step, though apparently TOR was briefly compromised a few months ago, re Silk Road, etc -- but that was a big operation, tracking down Silk Road.


I haven't been doing this for a few years, so I hadn't heard of TOR, and that's what would be required. I still have trouble figuring out how a packet could give a node encrypted routing information and having the node understand it. Packets would have to get there in a single jump, and that's not easy.
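The layered-encryption idea King Neptune is puzzling over above, modelled as an added example (not code from this thread): the sender wraps the packet in one encryption layer per relay, and each relay's key opens only its own layer, which names just the next hop. The toy SHA-256 counter-mode cipher, the relay keys and the RFC 5737 documentation addresses are constructed for illustration; the trace-back function shows that the trail survives only in the relays' own records, which is the cooperation point ironmikezero made.

```python
import hashlib
import json
from dataclasses import dataclass, field


def keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode), for illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


@dataclass
class Relay:
    addr: str
    key: bytes
    seen: list = field(default_factory=list)  # (came_from, sent_to) records

    def peel(self, came_from: str, blob: bytes):
        # Only this relay's key opens this layer; it reveals just the next hop.
        layer = json.loads(xor_crypt(self.key, blob))
        self.seen.append((came_from, layer["next"]))
        return layer["next"], bytes.fromhex(layer["inner"])


def build_onion(route: list, dest: str, payload: str) -> bytes:
    # Wrap from the innermost layer outward: relay i can read layer i only.
    inner, hop = payload.encode(), dest
    for relay in reversed(route):
        layer = json.dumps({"next": hop, "inner": inner.hex()}).encode()
        inner, hop = xor_crypt(relay.key, layer), relay.addr
    return inner


def send(origin: str, route: list, dest: str, payload: str):
    prev, blob = origin, build_onion(route, dest, payload)
    for relay in route:
        nxt, blob = relay.peel(prev, blob)
        prev = relay.addr
    return nxt, blob.decode()  # what finally reaches the destination


def trace_back(relays: list, dest: str):
    # An investigator holding every relay's records can walk the chain back;
    # one non-cooperating relay (no records) breaks it and yields None.
    known, hop = {r.addr for r in relays}, dest
    while True:
        holder = next((r for r in relays if any(q == hop for _, q in r.seen)), None)
        if holder is None:
            return None
        prev = next(p for p, q in holder.seen if q == hop)
        if prev not in known:
            return prev  # an address outside the relay set: the origin
        hop = holder.addr


# Constructed three-relay route (RFC 5737 documentation addresses, toy keys).
RELAYS = [Relay("192.0.2.1", b"k1"), Relay("192.0.2.2", b"k2"), Relay("192.0.2.3", b"k3")]
```

The middle relay ends up knowing only the relays on either side of it, never the origin or the destination.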

King Neptune
05-09-2014, 12:44 AM
And, as the link that robjvargas posted mentioned, the NSA has broken most encryption methods, so it might be impossible to truly be anonymous now.

King Neptune
05-09-2014, 12:47 AM
It's not even all that technologically sophisticated any longer. There are services set up to get you an anonymized state.

http://www.pcworld.com/article/2054040/people-flock-to-anonymizing-services-after-nsa-snooping-reports.html

What that article describes is ordinary-level anonymizing. Making the route disappear is still a problem that requires good encryption, and, as the linked article says, the NSA has broken most encryption.

Telergic
05-09-2014, 12:50 AM
And, as the link that robjvargas posted mentioned, the NSA has broken most encryption methods, so it might be impossible to truly be anonymous now.

1. NSA has not broken most encryption methods. TLS/SSL was never very secure in the first place, so if you ever relied on it for anything more than online purchases you were fooling yourself. Public-key systems that don't use elliptic curve are still secure at long key lengths, as are various private-key systems for which you can use public-key for key exchange.

2. If you operate your own proxy, I think you don't really need encryption anyway. As I understand it -- not 100% sure since I don't know too much about TOR -- encryption protects you from the proxy operator within the TOR system.

King Neptune
05-09-2014, 02:45 AM
1. NSA has not broken most encryption methods. TLS/SSL was never very secure in the first place, so if you ever relied on it for anything more than online purchases you were fooling yourself. Public-key systems that don't use elliptic curve are still secure at long key lengths, as are various private-key systems for which you can use public-key for key exchange.

Key length has always been the essence of keeping something secure. Have a key of more than a couple dozen characters and it would take a very, very long time to crack.


2. If you operate your own proxy, I think you don't really need encryption anyway. As I understand it -- not 100% sure since I don't know too much about TOR -- encryption protects you from the proxy operator within the TOR system.

If someone can examine the packets, then they can find the route taken. There is a limit as to how much route information can be encrypted, because the packet has to be able to tell nodes where it's supposed to go. I don't know anything about TOR except that it exists, but I got the impression that it might be getting through the matter of telling nodes where to send. Sniffers can sniff information from unencrypted packets, and it doesn't make any difference where those packets started or which nodes they have been through.