7250 Blackthrow - Telecomix Crypto Munitions Bureau

Blackthrow

From Telecomix Crypto Munitions Bureau

Jump to: navigation, search
The blackthrow box is an effective anti-censorship peacefare equipment developed by the Telecomix Crypto Munitions Bureau (TCMB). A blackthrow is an anonymously remotely controlled drone that can be used to send any type of packets to any location at the internets. Communication with an operational blackthrow is slow, but its striking power against censorship can be equated to the power of a submerged nuclear submarine.
The awesum striking power of peacefare.

A blackthrow is a small computer that can be hidden inside government agencies or corporations. It connects to the TOR or I2P networks and publishes its SSH server as a hidden service in any of these networks. The TCMB field agent can then connect to the blackthrow anonymously and remote control it to deliver any type of packets to any location at the internets, that the host organization can connect to. It will look as if the host organization is responsible for the packets that are sent.

Alternative names for the blackthrow is the dropbox or the kamikaze box. The name dropbox comes from the fact that the box delivery system is akin to shopdropping. The name kamikaze box comes from the fact that once the box is installed, it will not be possible to repair it, as the risks for detection are too high. The name blackthrow is a direct translation of the swedish word svartkast. The blackthrow is just one of many types of peacefare boxes for field use developed by the TCMB.

Contents

[edit] Blackthrow assembly instructions

The field agent should be aware of the limiting factors of the box, as it needs to be an autonomous piece of equipment. Once installed, it should never again be physically accessed. Instead of trying to repair the box if it fails, the TCMB operative is adviced to focus on creating new boxes that has as long life expectancy as possible. All blackthrow operations are classified and should be carried out in silence, unless the agent is anonymized.

0. The blackthrow itself consists of only a laptop with a WLAN or NIC card. Nothing else is needed. People throw away old laptops that are still useful, the best method to find new equipment is to search the trashes. You can also use Mini PCs (for example EPIA-based): these are cheap, small, with low-consumption and silent, making them harder to find.

1. There should be no identifying information that could lead back to the agent. TCMB therefore recommends that the hard disk should be carefully wiped. Once the machine is installed it is only a matter of time before someone finds it, even if it might takes years before this happens to a well hidden blackthrow. Once it happens though, it is possible that the sysadmins will read the hard disk to learn more about the box origns.

2. Install the operating system of choice at the laptop. Because of the low communication speeds with a hidden box, it is recommended that no graphical interface is installed. Make sure that you do not enter any identifying information what so ever in the installation process.

3. Once the operating system is installed, TOR or I2P can be installed. It is easier to use TOR. In debian linux, type "apt-get install tor". In OpenBSD type "pkg_add -vi tor".

4.1 For anonymous remote control of the blackthrow, the secure shell (SSH) server needs to be made accessible as a hidden service. You need to edit two lines in the /etc/tor/torrc file. The file needs to contain the following two lines.

HiddenServiceDir /etc/tor/hidden/
HiddenServicePort 22 127.0.0.1:22

You will also need to create the /etc/tor/hidden/ directory. (make sure it is owned by the account that TOR runs as. In debian, its debian-tor)

Then restart TOR. Inside the file /etc/tor/hidden/hostname, there will now be a string that ends in ".onion". This is the anonymous destination of the blackthrows SSH server in the TOR network. It can be used to remotely control the machine anonymously.

4.2 While optional, it may be useful to include a web based ssh terminal in conjunction with standard ssh. This will allow you to access ssh using a standard web browser. Keep in mind, it is still very slow, and should be utilized when you have limited resource at hand (e.g. locked down cafe computer, that you could only boot up torbrowser).

We shall be using ajaxterm (please suggest a more latency friendly web ssh alternative.

apt-get install ajaxterm
/etc/init.d/ajaxterm start

This will also needs to be made accessible as a hidden service. You need to edit two lines in the /etc/tor/torrc file. The file needs to contain the following two lines.

HiddenServiceDir /etc/tor/hidden-webadmin/
HiddenServicePort 80 127.0.0.1:8022

By default, ajaxterm fortunately only binds to localhost, so you can only access this interface via tor.

Instruction source: http://wiki.kartbuilding.net/index.php/Ajaxterm

5. TCMB recommends that you very carefully clean the laptop. At this point, it should not matter if you destroy parts of the laptop in order to clean it from identifying products. The blackthrow should be able to operate fully autonomously without the need for physical access before you install it in any host organization.

Soap and water can remove fingerprints. Please also consider cleaning the inside of the computer if you have touched anything at the inside.

6. Consider painting the blackthrow with the PsyOP tactical color patters for maximum perplexity.

7. Install the blackthrow at a suitable location. If necessary, you will have to crack their WLAN first. In office areas, it is often possible to hide machinery above of any of the roof tiles. Cable racks ("kabelstegar") are also possible candidates. Below the floor or inside walls are also possible hideouts. Find locations where no one would ever look casually.

Do not forget to remove all the log files. And never insert any personal information about yourself into the box.

[edit] Accessing the blackthrow

These instructions should not be applied to the blackthrow itself, but only at the operators computer.

To access the blackthrow, the operator needs to compile a small program and use it together with SSH. You can download it here, or directly from this wiki. Compile it with "gcc -o connect ./connect.c". Move the executable file connect to some directory that you enjoy.

Then edit /etc/ssh/ssh_config. Append the following lines to the end of the file:

# use TOR to access TOR services lol :)
Host *.onion
ProxyCommand /xxx/yyy/connect -S localhost:9050 %h %p

Replace xxx/yyy/ with the directory where you placed the connect program.

You should now be able to anonymously access the blackthrow by just typing (replace "fca4q5tuyhdxas7p.onion" with your own destination, which you got from the blackthrows /etc/tor/hidden/hostname file.)

ssh root@fca4q5tuyhdxas7p.onion -p 22

[edit] Alternative method for access

If the TOR hidden address is fca4q5tuyhdxas7p.onion, you could add the following line to your /etc/tor/torrc file:

mapaddress 10.40.40.90 fca4q5tuyhdxas7p.onion

and then connect to the ip address 10.40.40.90 with SSH, telnet, .. (Make sure your connection to the IP goes through TOR, otherwise it will not work. Type something like "torify ssh root@10.40.40.90" when you connect.). You can use any IP address you want. Notice that you also needs to change the torrc file at the blackthrow to accept connections to the various ports from its hidden service. All information that is needed can be found in your /etc/tor/torrc file.

[edit] Fighting the delay

It will take about ten to thirty seconds to connect to the blackthrow. Once connected, an issued command will take about 2-3 seconds to return its result. The delay is caused by the extensive hopping between different computers at the TOR network. Even though the blackthrow is slow to respond, its bandwidth to the internets is as high as the host organizations. Your connection to it is slow just because you are anon, everyone else will perceive the box as having normal bandwidth.

Consider piping the output to files instead of directly back to the terminal. (Also see "tee" to provide immediate feedback alongside an output logfile.) The use of nuhup, cron, screen, and other services could help with performing tasks even if the connection is broken. Also remember that while it takes time to interact with the blackthrow, it is still possible to transfer rather large files over TOR with ease. Interactive communication is much slower than non-interactive: Use files, not the terminal, to dump the output of larger tasks.

If you like to hack something together, you could cut down some of the lagging by using telnet login instead. TOR is already end-to-end encrypted so it should not matter. Just do not forget to firewall the telnet port so that its only accessible from inside the TOR network.

One thing that can help fight delay substantially is disabling GSSAPI authentication. This authentication method is associated with Kerberos, and isn't needed for our purposes here. Having this option enabled can cause a very long delay during the initial connection, as it tries to connect in this way unsuccessfully several times. Turn this option off in your /etc/ssh/sshd_config file.

# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPICleanupCredentials yes

Alternatively, connect to your blackthrow with GSSAPI disabled on the client-side:

ssh -o GSSAPIAuthentication=no -p 22 root@fca4q5tuyhdxas7p.onion

[edit] OnionCat

It is possible to forward any type of information over OnionCat via the blackthrows, to the internets anonymously. This means that you do not have to log in to send packets, if the svartkast is configured to route packets from the OnionCat interface to its ordinary WLAN interface.

TODO: iptables command to do so.

[edit] running hidden services

If you run hidden services on your blackthrow (eg. a web server), it could leak the purpose of the device to someone who finds it. Even if you encrypt almost everything, the /etc/tor/hidden/hostname has to be unencrypted so you are still able to ssh to your blackthrow via tor to unencrypt the secret data if it reboots for some reason. If it is unencrypted, one could put the blackthrow back and wait for it to reconnect to the network and for you to re-type in the password and then try to access the box with a web browser by typing in the host name from /etc/tor/hidden/hostname. (same problem with other services that might expose the origin or purpose of it, such as irc)

[edit] Hardware (MOAR?)

[edit] See also

Personal tools
0