/os/ - Online Security

News, techniques and methods for computer network security.

Posting mode: Reply

Check to confirm you're not a robot
Name
Email
Subject
Comment
Password
Drawing x size canvas
File(s)

Remember to follow the rules

Max file size: 350.00 MB

Max files: 5

Max message length: 4096

Manage Board | Moderate Thread

Return | Catalog | Bottom


Welcome to Online Security the place for internet and computer security, privacy and anonymity.
If you have some helpful tips please feel free to share your ideas. Start a new thread, or contribute to an existing thread.

Expand All Images


Tor Hidden Service Mail Server Endwall 08/08/2017 (Tue) 03:16:04 [Preview] No. 992
############### BEGINNING OF GUIDE ##########################

In this thread I document and revise how to set up a tor hidden service email server, you may substitute the servers that you are most comfortable with.

STEP 0) Collect the relevent files from The Endware Hidden Service
Set up a tor mail server using postfix or OpenSMTPd, with dovecot for imap or pop.

You may contact me anonymously at endwall@tmg3kli67jlbcduh.onion
Use endmail.sh to send mail to this account.
http://42xlyaqlurifvvtq.onion/endwall_pgp.asc

Encrypt with pgp and send messages and files by email on a tor hidden mail service on port 25.

Everyone should do this. Then just share your hidden service address and handle.

http://42xlyaqlurifvvtq.onion/endware/endmail.sh

http://42xlyaqlurifvvtq.onion/endware/endfix.cf

http://42xlyaqlurifvvtq.onion/content/dovecot/ <--- download all of these config files

Try it out!

STEP 1) Install Postfix

$ su
# torsocks pacman -S postfix dovecot
# ...

# cd /etc/postfix/
# cp endfix.cf /etc/postfix/main.cf

STEP 2) Install Dovecot

# cd /etc/dovecot/
# mkdir -p conf.d
# cp dovecot.conf /etc/dovecot/dovecot.conf
# cp *.conf /etc/dovecot/conf.d/
# cp *.ext /etc/dovecot/conf.d/

STEP 3) Make ssl self signed certificates for postfix and dovecot
And place these in the appropriate directory
This might require entropy so you might need to run haveged first

# torsocks pacman -S haveged
# haveged

# mkdir -p /etc/pki/tls/certs
# mkdir -p /etc/pki/tls/keys
# cd /etc/pki/tls/keys
# openssl req -x509 -newkey rsa:4096 -keyout postfix.key -out postfix.crt -days 365 -nodes
# openssl req -x509 -newkey rsa:4096 -keyout dovecot.key -out dovecot.crt -days 365 -nodes
# mv postfix.crt ../certs/
# mv dovecot.crt ../certs/

or use libressl or gnutls and create the same certificates

now go back and edit /etc/postfix/postfix.cf and /etc/dovecot/dovecot.conf to reflect the location of the certificates and keys

STEP 4) Start the services

# systemctl enable postfix
# systemctl start postfix

# systemctl enable dovecot
# systemctl start dovecot

or the openrc equivalent to enable and start the services.

STEP 5) Setup tor for mail hidden service

# mkdir -p /srv/tor/mail

Add this to your torrc file and start tor

nano /usr/local/etc/tor/torrc

HiddenServiceDir /srv/tor/mail/
HiddenServicePort 25 127.0.0.1:25

your hidden service name will be generated and placed in the directory /srv/tor/mail/hostname

# cat /srv/tor/mail/hostname

This is the hostname for your mail server. Go and edit /etc/postfix/main.cf to reflect this.

Do Not Share the private key from this directory with anyone, and change the permisions to read only with no access to other.

# chmod o-rwx /srv/tor/mail
# chmod g-rwx /srv/tor/mail
# chmod u-w /srv/tor/mail

#################### INTERMISSION #########################################
Edited last time by Endwall on 08/08/2017 (Tue) 08:07:49.


Endwall 08/08/2017 (Tue) 03:48:05 [Preview] No. 993 del
############## CONTINUED ###################

STEP 6) Select a strong password for a new user account

# passgen --bytes 33

Write this down in a passbook and add a few random numbers and letters from your mind in here as well.
Alternatively store your keys in a gpg encrypted file on an airgapped computer with a memorizable password to open the file.

STEP 7) Create a new user with your anonymous handle /name

# useradd anon12345foo -m -s /bin/bash
# password:
# verify password:

STEP 8) Restart the services
You might have to postmap the file recipient access

# cd /etc/postfix
# echo "anon12345foo permit" >> recipient_access
# postmap recipient_access
# echo "127.0.0.1 permit" >> client_access
# echo "192.168.1.32 permit" >> client_access
# postmap client_access
# postmap aliases
# postmap access
# echo "anon12345foo@hiddenservice34zagag.onion anon12345foo" >> virtual
# postmap virtual
# echo "anon12345foo@hiddenservice34zagag.onion anon12345foo" >> virtusertable
# postmap virtusertable

or use a different username for logon than the anonymous name used for communication

// i think virtual is required I'll check my endfix.cf

# systemctl restart postfix
# systemctl restart dovecot

# systemctl status postfix
# systemctl status dovecot

STEP 9) Setup imap retrieval with clawsmail
etc. using the name and paswsword for the anon user account,
or don't use dovecot just read it from the maildir directly or use Mutt.

Go into claws-mail options and add a new account ...

STEP 8) create a pgp public key using RSA 4096

sign in as anon12345foo

$ gpg --generate-key

$ save the public key or export it to armored ASCII

$ gpg --list-keys -u anon12345foo
$ gpg --export -a -u anon12345foo

STEP 9) Distribute the hidden service name, your handle, and the public key to your intended recipient.

STEP 10) Check your mail using claws-mail or use mlogz.sh to look at activity on your mail server for new incoming mail.

# mlogz

STEP 11) Send mail to other tor hidden service mail servers using endmail.sh

# gpg --import anon_523cachu_pgp.asc
# pgp --encrypt -r anon_523cachu -a -o encrpted.asc message.txt
# endmail --help
# endmail anon_523cachu@hidden.onion "Re: from anon12345foo" encrypted.asc
or
# endmail anon_523cachu@hidden.onion "-" encrypted.asc

And place the return address and user info in the encrypted message body thus eliminating meta data in the headers except for the recipient.

STEP 12) Get burned ?
# rm -rf /srv/tor/mail/hostname
# rm -rf /srv/tor/mail/privatekey

and restart tor to start over

# userdel -rf anon12345foo
# useradd anon142boo -m -s /bin/bash

and edit /etc/postfix/main.cf and /etc/dovecot/dovecot.conf to reflect the new hidden service name.

edit /etc/postfix/recipient_access and change the recipient name to anon142boo
# postmap recipient_access
# systemctl reload postfix
# systemctl restart postfix

There might be errors or omissions in the above but I think that's the general process. Now you have a tor hidden service mail server, that uses a selfsigned certificate and you have a gpg public key. you use tor and ssl and gpg to secure your email communications, and you are known by your handle and hidden service .onion address.

################# END OF GUIDE ####################################
Edited last time by Endwall on 08/08/2017 (Tue) 08:18:19.


Endwall 08/08/2017 (Tue) 03:51:02 [Preview] No. 994 del
STEP 13) Air Gapping It

To add an extra layer of security we will be using A:\ drive floppy disks to shuttle the encrypted.asc messages to and from a dedicated airgapped encryption station preferably running openBSD on a non-intel architechture, SPARC, PowerPC, Alpha, etc. Do not use USB as a substitute for this step (STUXNET).

0. Your decryption station will have full disk encryption and be powered off when not in use
1. Generate your keys on the air gap
2. Export your public key,change the file permisions to read only and save it onto a floppy disk A:\
3. Take the floppy disk and sneaker net it to your transmision computer which has the hidden service and postfix on it.
4. Publish your anonymous user name and public key as well as the hidden service onion name using tor and icecat, links, or endcurl or however on your tor hidden service website or on a message board forum like endchan.xyz.
5. Recieve the hidden service onion name and public key of your correspondent ( by reading a published name,address and public key on a forum or other communication method or by recieving it in your inbox by postfix after publishing yours)
6. Save the public key of your correspondent onto a floppy disk A:\ change permisions to read only write a sha256sum checksum for the file and shuttle it to the decryption/encryption station.
7. check the file againts the checksum, and then gpg import the public key to your key ring
8. Type a message for your recipient in plain text on the air gapped encryption station and encrypt it to encrypted.asc. Delete the plain text file if unnecessary to archive especially if it is incriminating.
9. Write the encrypted message encrypted.asc to the floppy disk and change permisions to read only also write the sha256 sum of the file to the floppy if you have space.
10. Shuttle the message by floppy disk A:\ to the transmission computer and send to your recipient using endmail
11. You can also write the sha256 sum of the file or sha512sum of the file onto the disk before sneaker netting it.
12. You can include this sha256 checksum as another attachment to transmit to the recipient or as a second followup email
13. Recieve an encrypted message response from postfix, change its file permissions to read only ( chmod ugo-xw encrypted.asc ) and copy it onto a floppy disk A:\
14. take the sha256sum of the file and also write it onto the floppy disk with ( sha256sum encrypted.asc >> sha256sum.txt ; chmod ugo-xw sha256sum.txt ; cp sha256sum.txt /dev/fd0 or however that is mounted like /mnt/floppy)
13. Shuttle this by sneaker net to the decryption station check the sha256 sum against the file value and decrypt wtih gpg, delete the plaintext response, and either write a response and repeat or reboot the computer.
14. Power off the decryption station airgap after communications have ended to protect your station.

This step protects against keylogging or other malware revealling your message during compositon before encryption.
Edited last time by Endwall on 08/08/2017 (Tue) 04:21:15.


Endwall 08/08/2017 (Tue) 04:29:09 [Preview] No. 995 del
This protocol is now named:

Super Mega Maximum Communication Security Protocol (SMMCSP)

Maximum Security Electronic Mail Communications Protocol (MSEMCP)

Brought to you by the Endware Development Team (c) 2017.

Game On NSA.
Edited last time by Endwall on 08/09/2017 (Wed) 02:11:46.


Endwall 08/09/2017 (Wed) 02:08:23 [Preview] No. 996 del
>>995

This name is juvenile

I'm renaming it to:

Maximum Security Electronic Mail Communications Protocol (MSEMCP)

That's more descriptive of what it is. Its a standard now. Email me with endmail.sh if you set up a server after you test it.

The great thing about this system is that it is opensource, distributed, anonymous, transport layer encrypted, and the message is RSA 4096 encrypted by gpg. Currently you do not have to have a working server to submit mail to a server. So if you were part of a 10 man spy ring with a central node the field agents only need to learn how to use gpg to encrypt and to install swaks, tor, torsocks and use a variant of endmail.sh to report back to central command. Of course it can be used for server to server anonymous communications as well. Since it uses gpg several recipients can be addressed to one anon@hiddenserver.onion and then central command can distribute the messages to their intended recipients after the first decryption. So you could encrypt with a general wrapper that contains the meta data (to: field ) that central command uses to distribute the message to the person it is intended for, and then put the from: and subject: in the targeted encryption for that person that central command/dispatch can't read. So you'd have two gpg keys one public key for central command and then a public key for the intended recipient. The field agent would perform 2 encryptions the first for the recipient with the subject: and from: field in the plain text, and then the second encryption with the to: field in the plain text of of the encrypted file.

Anyways I'm now calling it the:

Maximum Security Electronic Mail Communications Protocol (MSEMCP)
Edited last time by Endwall on 08/09/2017 (Wed) 02:17:45.


Endwall 08/09/2017 (Wed) 22:02:09 [Preview] No. 997 del
Maximum Security Electronic Mail Communications Protocol (MSEMCP)

or

Maximum Security Encrypted Message Communication Protocol(MSEMCP)
Edited last time by Endwall on 08/09/2017 (Wed) 22:20:51.


Endwall 08/09/2017 (Wed) 22:17:11 [Preview] No. 998 del
Maximum Security Encrypted Message Communication Protocol (MSEMCP)

Author: Endwall from the Endware Development Team
Creation Date: August 8, 2017
Copyright: The Endware Development Team (c) 2017
License: You are Free to Study, Reproduce, Copy, Modify, Implement, Test, and Use this protocol as described below, in the spirit of the Endware End User License Version 1.15.

Description:

This protocol MSEMCP provides:
1. Message security through physical isolation of the encryption station by a read only Floppy Disk Message Sneaker Net (FDMSN)
2. Strong Public Key Cryptography using RSA 4096 bit.
3. Transmission and reception anonymity through Tor with 12 hops.
4. Trust and Verification through TLS 1.2 with RSA 4096 bit, and Self Signed Server Certificates to compare repeated server connections.

All of which can be implimented with 4 tools:
1) A Base install of a *nix BSD or GNU operating system in text mode.
2) GNU privacy guard (gpg) on the airgapped encryption decryption system.
3) TLS 1.2 using RSA 4096 certificates from OpenSSL used in a Postfix Mail server to allow for certificate comparison to build trust and continuity.
4) Anonymity durring message transmission and recption using the Tor network with 12 hops,(and weak encryption SHA1 RSA 1024).

Minimal instalation:

Computer 1 (Transmision computer)
1. Base install of *Nix in TEXT MODE no GUI / or use a GUI (whatever)
2. Postfix (or OpenSMTPD ), Tor, Torsocks, Swaks, OpenSSL ( or LibreSSL or GnuTLS)
3. endget.sh, endmail.sh, endfix.cf (for postfix)
4. A 3.5" Floppy drive with 1.44MB HD IBM format Floppy Disks

Computer 2 (Decryption/Encryption Station)
1. Base install of *Nix + Full disk encryption in TEXT MODE no GUI
2. Gnu Privacy Guard gpg
3. Air Gap : Unplug the computer from internet permenantly post installation
4. A 3.5" floppy drive with 1.44MB HD IBM format Floppy Disks

Encrypt and Decrypt messages on Computer 2 with gpg and Send messages with endmail.sh and Receive messages with Postfix with endfix.cf on Computer 1
Move the keys and messages by read only 3.5" floppy disk files. Do not substitute USB for floppy disk read only files (STUXNET).
Edited last time by Endwall on 08/09/2017 (Wed) 22:39:39.



Top | Return | Catalog | Post a reply