The Hacks of Mr. Robot: How Elliot & Fsociety Made Their Hack of Evil Corp Untraceable

Welcome back, my tenderfoot hackers!

Well, the first season of Mr. Robot just ended and Elliot and fsociety successfully took down Evil Corp! They have effectively destroyed over 70% of the world's consumer and student debt! Free at last! Free at last!

Of course, global financial markets crashed as well, but that's another story.

Although many elements made the hack successful, such as Darlene developing a zero-day exploit (I'll show you how to do that in a future article) that none of the intrusion detection systems, firewalls, or antivirus software detected, Elliot also made certain that the hack could not be traced back to him by using proxies.

Early in the last episode, Lenny, the former boyfriend of Elliot's therapist, Krista, reveals to Krista that he had been hacked by Elliot. He points out that Elliot is nearly untraceable because he uses a proxy in Estonia. In this tutorial, I will show how Elliot bounced his attack off an Estonian (or other) proxy in order to make his hacks untraceable.

How Proxies Work

As you know, whenever you visit (or hack) a website or server over the Internet, every packet you send carries your unique Internet Protocol (IP) address as its source. That makes tracing the source of an attack easy: the target's logs and packet captures record the source IP address, and the address leads back to an ISP and a subscriber.

Hackers, therefore, often use proxies to hide or obscure their IP address. They send their traffic to an intermediary proxy, which opens its own connection to the destination, so the traffic arrives with the proxy's IP address as its source. The malicious traffic appears to come from the proxy and not from the original sender. Note what this does and does not do: the destination sees only the proxy, but the proxy sees your real address and everything you send through it, so the trail ends at whoever operates (and logs) the proxy.

Before I start, I want to point out that there are multiple types of proxies. One of the more popular anonymizing systems is Tor, which is not a single proxy but a network of relays; proxychains reaches it through the SOCKS port of a Tor client running on your own machine. Tor is effective at hiding your traffic from Google and other commercial tracking, but it is not a cure-all against law enforcement or an agency like the NSA: an adversary who can watch both ends of a circuit, or who operates the exit node your traffic leaves through, can correlate or read it.

As Elliot points out in the pilot episode, when he is explaining to the coffee shop owner who is also a child pornographer, "Whoever's in control of the exit nodes is also in control of the traffic, which makes me the one in control." Running the exit node does not reveal a user's IP address from the connection itself (the exit only talks to the middle relay), but it does put the operator in control of everything that leaves Tor unencrypted: the destination, the content of plain HTTP traffic, and any usernames, cookies or other identifiers inside it. That content is how the operator of a malicious exit ties traffic back to a person, and it is why end-to-end encryption (HTTPS) still matters over Tor.

Now, let's see how Elliot and fsociety hid their identity in their hacks!

Step 1: Fire Up Kali

To get started, fire up Kali Linux. If you don't already have Kali, you can download it from the Kali Linux website.

Step 2: Go to Proxychains

Next, let's go to proxychains. Type:

kali > proxychains

Run without arguments, it prints the simple proxychains syntax. Once proxychains is configured, all you need to do is precede the command you want to run with the command "proxychains", and the TCP connections of that command (and of the processes it starts) are routed through your chosen proxy. It works by preloading a library that hooks the program's socket calls, so it only covers what it can hook: dynamically linked programs, TCP connections, and DNS lookups only when proxy_dns is enabled in the configuration. UDP and ICMP traffic, and anything else running on the machine, are not proxied. As we will see later in this tutorial, if we want to browse the Web through the proxy, we simply start our browser by preceding it with proxychains, such as:

kali > proxychains iceweasel

Step 3: Search for Proxies

In order to set up proxychains to hide our IP address, we will need to select a proxy. There are many sites on the Web that publish lists of free and paid proxies.

Let's try using SamAir Security. When we navigate there, we can see their list of free proxies.

Near the bottom of the page, we can see that they have sorted the proxies by country. Remember, Elliot was using a proxy in Estonia. This list has one proxy listed in Estonia.

When we click on it, we can see that this one proxy in Estonia is a transparent proxy. A transparent proxy forwards your request but passes your real address along to the destination, typically in an X-Forwarded-For header, so it won't hide our IP. That won't work!

Instead, let's try the list of Russian proxies. Many hackers use Russian proxies because EU and U.S. law enforcement have no jurisdiction in Russia, so a request to the proxy operator for connection logs is unlikely to be honored. That does not mean the trail is gone: the operator of the proxy still sees your real IP address and every byte you send through it, and the operator of a free, anonymous proxy is exactly the kind who might be logging, selling or tampering with that traffic.

We can see that there are five "high-anonymous" proxies in Russia on this list. A high-anonymous (or "elite") proxy neither passes your address along nor announces in the request that a proxy is in use. Let's use one of those.
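
Those labels are decided by what reaches the destination. As an added example (not code from the original article), here is a small POSIX shell function that classifies a proxy the same way from the request headers a server received. The header samples are constructed here, with 198.51.100.23 (a documentation address) standing in for the client's real IP, and the header names are the common ones, not an exhaustive list.

```shell
# Added example (not from the article): classify what a proxy reveals to the
# destination, from the request headers the destination received.
# Levels, as the proxy lists use them:
#   transparent    - your real address is passed along (X-Forwarded-For etc.)
#   anonymous      - no real address, but the request announces a proxy (Via etc.)
#   high-anonymous - indistinguishable from a direct connection ("elite")

# pc_anon_level REAL_IP   (request headers on stdin)
# REAL_IP is your own public address; any header carrying it counts as a leak,
# whatever the header is called. The header-name lists are common ones, not
# exhaustive.
pc_anon_level() {
    real=$1
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    if [ -n "$real" ] && printf '%s\n' "$hdrs" | grep -qF "$real"; then
        echo transparent; return
    fi
    # headers whose job is to carry the client address, even if it is not ours
    if printf '%s\n' "$hdrs" | grep -Eq '^(x-forwarded-for|forwarded|client-ip|x-real-ip|x-client-ip):'; then
        echo transparent; return
    fi
    # headers that hide the address but admit a proxy is in the path
    if printf '%s\n' "$hdrs" | grep -Eq '^(via|x-proxy-id|proxy-connection|x-bluecoat-via):'; then
        echo anonymous; return
    fi
    echo high-anonymous
}

# Constructed samples of what three kinds of proxy pass on to a server;
# 198.51.100.23 (documentation range) stands in for the client's real address.
sample_transparent() {
    printf 'Host: ip.example.test\r\nX-Forwarded-For: 198.51.100.23\r\nVia: 1.1 proxy1\r\n'
}
sample_anonymous() {
    printf 'Host: ip.example.test\r\nVia: 1.1 squid/3.5\r\nUser-Agent: curl/7.74.0\r\n'
}
sample_elite() {
    printf 'Host: ip.example.test\r\nUser-Agent: curl/7.74.0\r\nAccept: */*\r\n'
}

# Demo on the samples
for s in sample_transparent sample_anonymous sample_elite; do
    printf '%-18s -> %s\n' "$s" "$($s | pc_anon_level 198.51.100.23)"
done
```

To classify a real proxy, capture the headers of a request sent through it to a host you control (a listening netcat on your own server is enough) and pipe them in with your public address as the argument. A proxy that passes every test can still log your address itself; the check only tells you what the other end sees.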

Step 4: Configure Proxychains

Now that we have a list of potential anonymous proxies, we have to configure proxychains to use one of them. Like nearly all Linux/Unix applications, configuration is done through a plain text file, generally found in the /etc directory. In this case, the configuration file for proxychains is found at:

/etc/proxychains.conf

We can open it with any text editor, but I will use Leafpad here. The file is owned by root, so edit it as root (or with sudo).

kali > leafpad /etc/proxychains.conf

This opens the configuration file for proxychains as seen below. The critical part is near the bottom of the file, under the [ProxyList] heading. This is where we tell proxychains which proxy (or proxies) to use.

By default, proxychains is set up to use Tor: the only entry in the list is socks4 127.0.0.1 9050, the SOCKS port of a Tor client running on the local machine (if no Tor client is running, every connection through proxychains simply times out). As Elliot expressed in episode one, he who controls the exit node of Tor controls the traffic. Elliot is certainly aware that the NSA and law enforcement know this as well, and would not want to use Tor. To disable Tor, simply put a comment mark (#) before that line (line 64 in the stock file).

Now, to use one of our Russian proxies, we add a line under [ProxyList] giving the type of proxy (http), the IP address, and the port, in that order and separated by spaces or tabs, as I have done above. A colon between the address and the port will not parse, and a dead proxy will make every connection hang until it times out, so check that the proxy is reachable first. Two settings above the list also matter: the default strict_chain expects every listed proxy to be up, while dynamic_chain skips dead ones and is a better fit for free proxy lists; and proxy_dns should stay enabled so that name lookups go through the proxy rather than straight to your ISP's resolver. Then, save the proxychains.conf file and close it.

Step 5: Send Traffic Through Proxy

Lastly, if we want to send our Web browsing through that Russian proxy, we simply open our Iceweasel browser by typing:

kali > proxychains iceweasel

Now all of the browser's connections go through the proxy, and to the websites (or anyone inspecting the traffic on their side) they appear to come from the proxy. Check it before relying on it: visit an IP-echo site such as icanhazip.com from the proxied browser and compare with a direct visit; if you still see your own address, the proxy is transparent or the configuration was not picked up. Remember that the proxy operator still sees your real address, that anything you send over plain HTTP can be read and modified by it, and that anything outside the proxied process (system updates, other applications, UDP traffic) is not covered.
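
Putting Steps 4 and 5 together, as an added example that is not from the original article: a POSIX shell script that builds the [ProxyList] entries, checks them for the mistakes that most often leave proxychains hanging or failing (a colon between address and port, an impossible IPv4 octet, a port out of range, an unknown type), prints a minimal configuration with Tor's entry disabled and dynamic_chain and proxy_dns enabled, and finally compares the address a web server sees with and without proxychains. The proxy addresses (203.0.113.x) are placeholders from the documentation range, not live proxies, and pc_exit_ip needs network access and a working proxy.

```shell
# Added example (not from the article): build, check and apply [ProxyList]
# entries for /etc/proxychains.conf. 203.0.113.x addresses are placeholders.

# pc_line TYPE HOST PORT: print one [ProxyList] entry. proxychains splits an
# entry on whitespace (sscanf "%s %s %d"), so tabs and spaces are
# interchangeable; what breaks parsing is gluing the port to the host with a
# colon ("203.0.113.5:8080"), which leaves the port field empty.
pc_line() {
    printf '%s\t%s\t%s\n' "$1" "$2" "$3"
}

# pc_check 'TYPE HOST PORT': catch the mistakes that most often leave
# proxychains hanging: unknown type, host:port with a colon, an IPv4 octet
# above 255 (e.g. 1221.208.194.108), a port outside 1-65535. Prints OK or the
# reason. Assumes the host is an IPv4 address, as on the public proxy lists.
pc_check() {
    set -- $1                       # split on whitespace, as proxychains does
    ptype=$1; host=$2; port=$3
    case "$ptype" in
        http|socks4|socks5) ;;
        *) echo "bad type '$ptype' (use http, socks4 or socks5)"; return 1 ;;
    esac
    case "$host" in
        *:*) echo "host '$host' contains ':' (separate the port with whitespace)"; return 1 ;;
    esac
    n=0
    for o in $(printf '%s\n' "$host" | tr '.' ' '); do
        n=$((n + 1))
        case "$o" in ''|*[!0-9]*) echo "bad host '$host'"; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "bad address '$host' (octet $o > 255)"; return 1; }
    done
    [ "$n" -eq 4 ] || { echo "bad host '$host' (expected four octets)"; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port '$port'"; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port '$port' (1-65535)"; return 1; }
    echo OK
}

# pc_conf TYPE HOST PORT [TYPE HOST PORT ...]: print a minimal proxychains.conf
# with the settings that matter and Tor's local SOCKS entry disabled.
# Usage, as root, once pc_check is happy with every entry:
#   pc_conf http 203.0.113.5 8080 socks5 203.0.113.7 1080 > /etc/proxychains.conf
pc_conf() {
    cat <<'EOF'
# strict_chain (the stock default) needs every proxy below up and reachable, in
# order; dynamic_chain skips dead ones, which suits free proxy lists better.
dynamic_chain
# Resolve names through the chain so DNS lookups do not go straight to your ISP.
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# socks4 127.0.0.1 9050   <- Tor's local SOCKS port, disabled (Tor not in use)
EOF
    while [ $# -ge 3 ]; do
        pc_line "$1" "$2" "$3"
        shift 3
    done
}

# pc_exit_ip: the address a web server sees with and without proxychains.
# Needs network access and a live proxy, so it is not part of the offline
# checks. icanhazip.com is the echo service the comment thread uses; keeping
# only the last line drops anything proxychains itself prints.
pc_exit_ip() {
    direct=$(curl -s --max-time 10 https://icanhazip.com)
    proxied=$(proxychains curl -s --max-time 30 https://icanhazip.com 2>/dev/null | tail -n 1)
    echo "direct : $direct"
    echo "proxied: $proxied"
    [ -n "$proxied" ] && [ "$proxied" != "$direct" ]
}
```

Run pc_check on every entry before writing the file; a single bad entry under strict_chain makes every connection fail, and under dynamic_chain it costs a connect timeout per connection. pc_exit_ip returning success means the echo service saw a different address than the direct request, which is the minimum you should demand before sending anything sensitive through the proxy.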

Stay Tuned for More Hacking Lessons

If you want to learn more about hacking, please take the time to explore Null Byte. If you are interested in becoming a professional hacker, check out my article "How to Use Null Byte to Study to Become a Professional Hacker." Finally, keep coming back my tenderfoot hackers, as I continue to demonstrate each of Elliot's and fsociety's hacks!

81 Comments

A good article as usual, OTW.

But I (again) have one question about proxies: it is best to use a reverse payload to avoid firewalls (most firewalls allow outbound connections by default), but reverse payloads don't work with proxies. Bind payloads do, however.

But when using bind payloads, the firewall will most likely reject our connections to it. So I began to think and came up with a possible solution.

Say, for example, our target has an FTP server running on port 21. To accept connections from the outside world, it must pass the firewall.

So if I bind my payload to port 21, will it work? Or will I get problems because the FTP server is also running on it?

Not for OTW: if any of you wonder why hackers avoid proxies in the EU and the U.S., you should read my article on NSA Spying.

-Phoenix750

Hm, I'm no expert, but since FTP is built on TCP you shouldn't be able to run two programs on the same port, I think.

I took FTP as an example. Of course we could use other services like SNMP or DNS. But thanks for the clarification.

-Phoenix750

Unrelated to your question about binding, but you can get a free website and install a proxy on there. You can then get the reverse payload to connect to your proxy. Not really secure, since the hosting company will log the traffic. Just something I thought up when I read your comment.

Hi Phoenix750

I'm a beginner and I just want to clarify some things: does this procedure work even if I use a payload from msfvenom? I'm looking for ways to hide my real IP, assuming I was able to deploy my exploits.

Thanks in advance
-Art

Great article, thanks OTW. Fired up Iceweasel with proxychains (I'm using proxychains4, btw) and accessed whatismyip.com, and it showed my real IP... I'm pretty sure the proxies are working (using 3). Could they be using some different method to retrieve it?

Did you set up your config file right, and are you sure the proxy isn't transparent?

-Phoenix750

According to hidemyass.com its anonymity is "High +KA". How can I really be sure of it? Thanks!

Then there is probably something wrong with your config file. Here is what you should do:

  1. Make sure the proxy is actually up and running. You can ping the proxy to check this.
  2. Make sure you commented out the Tor proxy in your proxychains.conf file.
  3. Check your proxy's type (http, socks4, socks5...), then enter the proxy in your config file using this syntax:

type address port

for example:

http 222.222.222.222 8080

Hope I helped.

-Phoenix750

Everything checks. The lib output seems alright as well. I've made a little Python script to check my external IP on various websites, and it showed the proxy IP, but Iceweasel fired up with proxychains still doesn't work.

Try setting Iceweasel's proxy settings to "use system proxy" if it is not already set to do that.

-Phoenix750

Well, I'm all out of ideas now. Maybe try a different proxy?

-Phoenix750

I've tried several proxies; none worked. Thanks for your help anyway!

Okay, I had the same problem as you did, and it ended up being really basic and simple to fix. If you go back into your .conf file and look where you put the address of the proxy you are going to use, you probably did not hit the "tab" key twice between "http" (or whichever form you are using) and the address itself. It's easier if you just line it up with the Tor address on the 64th line. I'm not entirely sure why this matters, but this fixed proxychains for me.

OMG, thank you so much. It's fixed for me!

Thank you, it worked for me

Finally I know how these proxies work. Thanks.

Great post, like always.

But let's keep this in mind: if you remember DEF CON 21 (I guess, if I'm not mistaken), there was a Spanish guy who showed how he pwned 10,000 people in one day with just a proxy in a random country and some small code in it (without that much money and organizing stuff).

So use one that is trusted, or, more likely, if you use one, don't log in to any of your important work, and after you are done just clear your browser and all the stuff you did with that proxy.

I would personally recommend using a VPN. It's still not safe, but much safer than a MITM or MITB, so please don't use a proxy you don't know about.

page not loading..

Can we say a hacked Wi-Fi from far away with a strong Yagi antenna + a no-log VPN (bought via mixed bitcoins) + proxychains (highly anonymous offshore proxy) over Tor is nearly impossible to trace?

Nearly impossible, but not impossible. In addition, your connection will likely be slow and unstable.

Which proxy type do we need to use to be more secure? What's the difference between http and socks proxies?

Could you explain why Elliot used proxies? I thought VPNs were meant to be much more secure.

Not all VPNs are the same. If they don't accept an anonymous(ish) payment, i.e. bitcoin or prepaid card or if they keep logs that can be requested by the officials of the country under whose jurisdiction they fall then they may provide a false sense of security. This article is very informative when it comes to VPNs and what measures they claim to take to ensure anonymity. https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/

DAMN! I love this "Hacks of Mr. Robot" series! :)
Keep up the good work!!!

-M0

Nice tutorial,

But I have a question. I thought all along that Tor worked like this: ?

Like a "key system". I don't remember what it's exactly called, but I think you understand.

What is the difference? Because I'm pretty sure this isn't a proxy, unless the places that get the different keys are always changing?!

Correct me if I'm wrong, I just need to make sure that this is how Tor works?

They are similar, but Tor has been compromised.

I tried some proxies, and tried telnet with it; I keep getting the error "kali not found". Please help.

"kali not found"? What kind of error is that?

Could you bother to give us a screenshot?

-Phoenix750

So I can just type proxychains msfconsole to run all Metasploit Framework operations through proxies? Also, can I send any data over HTTP proxies?

Nice guide. I have a question: should I use these proxies only, or can I use Tor on top of that for extra protection? Which is better for anti-law enforcement, haha.

I tried to run proxychains iceweasel for the last step, Send Traffic Through Proxy, but whenever Iceweasel opens up and I try to search the web, it doesn't go through, as if I don't have an Internet connection.

Marvin and Berk:

First, I assume you can connect without proxychains?

Second, if you can, can you send us a screenshot of your config file?

Third, make certain that you use tabs between the type of proxy and the IP address.

OTW

what is it?

We are not here to check your typing. I'm going to let you find it.

I swear I tried everything: 2 tabs, 1 tab, 2 spaces, 1 space... But it's always the same. Please help me, senpai :/

I can confirm too that you have a typo. But like OTW said, we are going to let you find it on your own. That way you will learn something.

HINT: the typo you have has nothing to do with tabs or spaces, Berk.

-Phoenix750

2 Things:
1- You have a typo here:
http 1221.208.194.108 80 (i believe it should be 221.208...)

2- Try to ping the server to check if it's alive before editing it into the conf file... (Hint: it's dead/unreachable for some other reason.)

Yes, I tried tabs, but it doesn't work.

I tried using numerous proxies from samair.ru that were highly anonymous, using the above method, but it didn't help. I still had the same IP on whatismyip.org. To provide more info, I get this error while starting Iceweasel with proxychains:

GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

And I live in Saudi Arabia, which has strict Internet laws for proxies, like blocking proxy/VPN sites. (I accessed samair.ru using austriaproxy.com.)

I have the same problem too, and I can't find any solution. Did you find the solution?

Ignore the GLib-CRITICAL message. It has nothing to do with the connection problem, and it looks like it has been around for ages.

See my post below for a hint on getting it running.

My proxychains is not working.
I use Kali Linux in VMware.

Please tell me if there is any mistake.

In your config file you may want to try removing the colon and using a tab instead to separate the proxy address from the port you are using, in the same way it is done on the 64th line.

For anyone who's not able to get it working (as for me before, either), try uninstalling privoxy if you installed it earlier (which is very likely the case if you followed one of the tuts regarding Tor and proxychains out in the wild):

$ sudo apt-get purge privoxy
$ proxychains iceweasel

If it's working then (like with me: no more timeouts), you might try to install it again to get a clean config file in /etc/privoxy/config.

Additionally check that you're using tabs as delimiter: 2 between "http" and the IP and 1 between IP and PORT - that's how it's working for me.

I tried this and found a proxy that samair.ru says is elite, but when I try to use a site that checks my IP, it still uses my normal IP. Here are the things I've tried:

  • Making sure that I have tabbed two times in my .conf file.
  • Setting Iceweasel's proxy settings to "use system proxy settings"
  • Commenting out TOR
  • I do not have privoxy installed
  • I have checked for typos

Also I keep getting the error below:

GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

It is said further up that this has no effect, but I just wanted to put it in.

Hello, master. Thanks for the article, but I have a problem. I configure my config file, then I type proxychains iceweasel. When I type it, an Iceweasel browser opens but everything is normal. How can I fix this?

NOTE: yes, I use 2 tabs and I haven't got privoxy.

What do you mean by "everything is normal"?

My IP address is the same, and nothing appears in the terminal.

How are you checking your IP and what do you mean "nothing appears in the terminal"?

I use whatismyip.org to check my IP, and this is my terminal.

NOTE: sorry for my bad English, I am trying to learn.

That is a critical piece of info you left out! Proxychains never ran; it gave you an error.

Go back and check your config file for typos and use only one tab.

It looks like you failed to put a colon between the IP and port.

I am doing everything right. And I think my proxies are working (I checked on samair.ru). How can I fix this?

I searched for a solution but I cannot find one. And KEN STAR says, "Ignore the GLib-CRITICAL message. It has nothing to do with the connection problem and it looks like it's out since ages," so I just ignored it. Also I tried one tab too, but it's the same :/ Is there a typo? I didn't see it; if there is, please help me.

You are obviously NOT doing everything right.

Did you fix the colon issue I pointed out earlier?

What do you mean by "colon issue"? I tried these things:
http tab tab ip:port
http tab ip:port
http tab tab ip tab port
http tab ip tab port
http tab ip port

http tab tab ip tab port
works for me

For all the users here at Null Byte still having trouble getting proxychains up and working, what I found to help a lot is to uninstall the default proxychains that comes with Kali Linux and download the latest version, which has many critical updates, by using the following commands:

apt-get remove proxychains
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure --prefix=/usr --sysconfdir=/etc
make
make install
make install-config

After doing this you will have to use the proxychains4 command instead of only typing proxychains. Other than that, all you need is to edit your config file again (which is in the same directory) in order to add your proxies of choice. Also, an easy way to test if your proxy is working is with the command "curl icanhazip.com".

For a full video on using and testing proxychains4, please see this video link and be sure to watch the entire video: https://www.youtube.com/watch?v=h7HAT-7UsVc

THANKS SO MUCH !

This didn't work, and that video is no longer available. Now I'm in worse shape than I was before trying proxychains4.

Awesome, I will be trying this, as I have yet to get proxychains to work!

Hope it helps everyone.

proxychains4 iceweasel
proxychains config file found: /etc/proxychains.conf
proxychains preloading /usr/lib/libproxychains4.so
proxychains DLL init: proxychains-ng 4.10-git-15-g1294d0a

(process:4376): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
Still not working :(

Does anyone know a good, trustworthy place to find FREE proxies? I've been trying some from SamAir Security, but the ones I've been trying all time out.

For anybody who is still having trouble making the proxy work no matter how you change the text in /etc/proxychains.conf, I found a solution that worked for me, and I am pretty sure it may work for you.

I am pretty sure that I installed proxychains 4 in the wrong place, so even though the command "leafpad /etc/proxychains.conf" does open up the .conf file that has the right version, no matter how many changes I made, nothing seemed to work.

Solution: open the file manager and just search for "proxychains" or just "proxychains.conf". There you will see the proxychains.conf; if you click to open the file and see at the bottom, where you made changes using "leafpad /etc/proxychains.conf", that no changes have been made, that means you have been updating the wrong file. Simply add your proxy, then save and enter "proxychains4 iceweasel" and it should be working.

I spent 3 days trying to solve this; thanks, stroke of insight.
If you don't know how to install proxychains 4, just check the above comments; somebody posted it already.

P.S. To make sure that the two files are separate from each other, open one using the command provided above and open the other from the folder; if both are able to open at the same time, they are separate files in different directories.

I just realized that my earlier post was wrong; I will keep the above post in case it miraculously helped someone.

Turns out that all I needed to do was CLOSE ALL BROWSERS, at least the one you're trying to run proxychains with. It worked perfectly fine without a single tab open. It was never stated, so I never thought to do it; it wasn't until I had 20 tabs open trying to find an answer that I was forced to close my browsers due to lag. Once I ran "proxychains4 iceweasel" it worked.

I have a noob's question here... So, OK, my proxychains4 is working fine, but while testing it I found something that's bothering me. I entered one site that showed me the proxychains IP, but it also showed me my real LAN address. So couldn't that be used to track me back? And if so, how could I hide it too?

I configured the proxychains file as the tutorial asked me to. However, when I typed proxychains iceweasel I got this message => exec: iceweasel: not found.

How can this be solved? Please, someone help me.

Do you have Iceweasel installed?
