Hey Anon

Written By Robert Cao

I. Introduction

1. Scenario: Bypassing Security Blocks in an External Pen Test

"You’re in the middle of an external pen test for a client. You start scanning their external attack surface—enumerating subdomains, checking open ports, and testing web apps. But after a few minutes, your scans stop returning results. You try accessing their website normally, but it won’t load."

Discussion Question:

 What happened? What can you use to continue?

Discussion Answer:

 Enter the VPN.
  • A VPN (Virtual Private Network) encrypts your traffic and routes it through a different IP address, making it appear as if you’re connecting from another location.
  • With a VPN provider that supports multiple exit nodes, you can switch IPs as needed, avoiding detection and bans.

💡 For security professionals, a VPN isn’t just for privacy—it’s a tool for maintaining access, avoiding detection, and ensuring operational security.

2. What This Class Covers

  • How
  • Why
  • Which one?

II. Core Anonymity Tool – VPNs

1. What a VPN Does:

  • Encrypts internet traffic so others on the network cannot see what you’re doing.
  • Routes traffic through a remote server, masking your real IP address.

2. How It Works (Simplified Process):

  1. You connect to a VPN server.
  2. The VPN encrypts your data and sends it to the destination website or service.
  3. The website sees the VPN server’s IP, not yours.
  4. Anyone monitoring the network only sees that you’re connected to the VPN but not what you’re doing.

3. Choosing the Right VPN

No-Logs Policy

  • Choose a provider that doesn’t store connection logs or browsing activity.
  • Some VPNs claim "no logs" but may still keep metadata such as connection timestamps, bandwidth usage, or IP addresses used during the session.
  • Examples of VPN providers that claim "no logs" but collect metadata:
    • ExpressVPN: While ExpressVPN asserts a strict no-logs policy regarding user activity, it acknowledges collecting minimal metadata, such as the app versions used, dates (not times) of connections, choice of server location, and total data transferred per day. (techradar.com)
    • NordVPN: NordVPN maintains a no-logs policy concerning user activity but collects minimal data, such as usernames, for account management purposes. (security.org)
    • CyberGhost: CyberGhost promotes a no-logs policy but collects anonymous data for service optimization, including connection attempts and successful connections, without storing IP addresses or personal data. (techradar.com)
    • PureVPN: PureVPN previously claimed a no-logs policy but was found to have logged user access data in a 2017 FBI case. Since then, the company has updated its privacy policy and undergone third-party audits to verify its no-logs claims. (techradar.com)

Server Locations & IP Rotation

  • More server locations mean more flexibility in switching identities.
  • Some VPNs offer dynamic IP rotation, which helps prevent detection.

Jurisdiction Concerns

  • VPNs based in certain countries may be subject to legal requirements that force them to hand over data.
  • High-risk jurisdictions (part of surveillance alliances like Five Eyes, Nine Eyes, and Fourteen Eyes): USA, UK, Canada, Australia, New Zealand, Germany, France, Netherlands.
  • Privacy-friendly jurisdictions (no mandatory data retention laws): Switzerland, Panama, British Virgin Islands, Seychelles, Romania.

III. Limitations: Tracking & Fingerprinting

 ### 1. DNS Leaks #### How It Works - Every time you visit a website, your device sends a DNS request to resolve the domain name (e.g., example.com) into an IP address. - If your VPN is configured correctly, these DNS requests should go through the VPN tunnel and be handled by the VPN provider’s DNS servers. - A DNS leak occurs when DNS requests bypass the VPN tunnel and are sent to your ISP’s DNS server instead. - This exposes your real location and browsing activity, even though your IP appears masked by the VPN.

How to Prevent DNS Leaks

  • Test for Leaks: Use tools like DNSLeakTest.com to see if your requests are leaking.
  • Use a VPN with Private DNS Servers: Some VPNs (like Mullvad, IVPN, and ProtonVPN) operate their own encrypted DNS servers to prevent leaks.
  • Manually Set Your DNS: Configure Cloudflare’s (1.1.1.1) or Quad9’s (9.9.9.9) DNS servers instead of your ISP’s.

💡Live Demo

  • go to dnsleaktest.com
  • run test, note dns servers
  • connect to poorly configured vpn
  • rerun test
  • connect to protonVPN
  • rerun test

2. WebRTC Leaks

How It Works

WebRTC (Web Real-Time Communication) is a browser feature that enables peer-to-peer connections for video calls, voice chat, and live streaming. While useful, WebRTC can expose your real IP address—even when you’re connected to a VPN.

WebRTC is one of the most overlooked VPN leaks. If left enabled, even the best VPN won’t fully protect your identity.

  • When a website or service requests a WebRTC connection, your device bypasses the VPN tunnel and communicates directly with the other party.
  • This allows websites to detect and log your real IP address, potentially linking your identity to your activity.
  • Many browsers enable WebRTC by default, making it a common vulnerability.

How to Prevent WebRTC Leaks

  • Disable WebRTC in Your Browser:
  • Firefox: Open about:config, search for media.peerconnection.enabled, and set it to false.
  • Use a VPN with WebRTC Protection:
  • Some VPNs (like Mullvad, IVPN, NordVPN, ExpressVPN) block WebRTC leaks at the network level, ensuring your real IP remains hidden.
  • Some VPN providers do not effectively prevent WebRTC leaks, including Hoxx VPN, Hola VPN, VPN.ht, SecureVPN, DotVPN, Speedify, Betternet, Ivacy, TouchVPN, Zenmate, Ra4W VPN, and VPN Gate.

💡Live Demo

  • go to browserleaks.com/webrtc
  • run test
  • connect to poorly configured vpn
  • rerun test
  • connect to protonVPN
  • rerun test

3. Browser Fingerprinting

How It Works

Websites collect detailed information about your browser and device to create a unique fingerprint, allowing them to track you even if you use a VPN.

  • User-Agent String: Identifies your browser type, version, and operating system.
  • Installed Fonts & Extensions: Unique combinations can make your browser stand out.
  • Screen Resolution & Color Depth: Helps narrow down your specific setup.
  • Time Zone & Language Settings: Adds another layer to your identity profile.

Since these characteristics are unique to each user’s system, even switching IPs does not change your fingerprint, making it possible to track you across different websites.

How to Combat Browser Fingerprinting

  • Use a Privacy-Focused Browser: Brave Browser has built-in fingerprinting protection by randomizing values. Firefox (Hardened): Set privacy.resistFingerprinting to true in about:config.

  • Varies browser extensions can help prevent fingerprinting

  • uBlock Origin: Blocks third-party scripts and trackers that aid fingerprinting.

  • Privacy Badger: Uses AI to detect and block tracking attempts dynamically.

  • Chameleon (Firefox Extension): Randomizes browser fingerprint data on every session.

  • CanvasBlocker (Firefox): Prevents websites from using canvas fingerprinting techniques.

4. Canvas Fingerprinting

How It Works

  • Websites use the <canvas> element in HTML5 to draw an invisible image.
  • Each device renders the image slightly differently based on:
    • Graphics Card & GPU Drivers
    • Font Rendering Settings*
    • Operating System & Browser Configuration
  • These tiny differences create a unique fingerprint that persists even if you clear cookies or change IP addresses.

How to Combat Canvas Fingerprinting

  • Block or Modify Canvas Data:
    • CanvasBlocker (Firefox): Prevents websites from reading canvas data.
    • Brave Browser: Automatically blocks canvas fingerprinting attempts.
  • Use a Virtual Machine (VM) or Tor:
    • Running a browser inside a VM or Tails OS standardizes rendering, reducing uniqueness.

5. Behavioral Tracking

How It Works

Behavioral tracking is a method websites use to identify users based on how they interact with a site, rather than relying on IP addresses or browser fingerprints.

  • Typing Patterns: The speed and rhythm of your keystrokes can be recorded and analyzed.
  • Mouse Movements & Click Behavior: Websites can track how you move your mouse, where you hover, and how fast you click.
  • Scrolling Behavior: The way you scroll through a page—whether smoothly or in bursts—creates a unique pattern.
  • Time Spent on Pages & Navigation Flow: Websites analyze how long you stay on a page, how quickly you navigate between pages, and what links you click.

Even if you change your IP address, browser, or VPN, these behavioral patterns remain consistent and can be used to track and re-identify you.

How to Prevent Behavioral Tracking

  • Use a Touchscreen Device Instead of a Mouse – Touch-based interactions are less precise, making tracking harder.
  • Vary Your Typing Speed & Patterns – Changing typing speed, backspacing, and keypress pressure reduces trackability.
  • Use Privacy-Focused Search Engines & Extensions:
    • DuckDuckGo or Startpage instead of Google.
    • Decentraleyes to block tracking scripts from content delivery networks (CDNs).
  • Block Behavior-Based Tracking Scripts:
    • uBlock Origin – Blocks scripts that track typing and mouse movements.
    • Privacy Badger – Detects and stops behavioral tracking attempts.

💡Live Demo

During the demo, participants will see in real time how their interactions generate a unique behavioral signature, even without cookies or traditional tracking methods.

  1. ClickClickClick – A fun, interactive site that tracks mouse movements, clicks, and behaviors to show how much data can be gathered from user interactions.

  2. CreepJS – An advanced fingerprinting test that analyzes mouse movements, typing, and even device motion sensors.

  3. EFF’s Cover Your Tracks – Tests how unique your behavioral fingerprint is and highlights how trackers identify you.

6. Companies Utilizing Behavioral Tracking

Several companies have been reported to use behavioral tracking to monitor user activities.

  • Meta (Facebook): In 2023, the EU banned Meta's behavior advertising practices, resulting in a $90k daily fine for tracking users without their consent. (Source: AP News)

  • Google: In 2024, The FTC issued orders to Google and other companies regarding surveillance pricing and user data collection practices. Meaning, different pricing for items based on uesr data. (Source: FTC.gov)

💡 Behavioral tracking is used at scale by major companies to monitor and influence user activity.

VII. Conclusion & Final Takeaways

1. Recap of Key Points

Throughout this class, we’ve covered:
How VPNs work and what they do (and don’t) protect you from.

Different types of fingerprinting and tracking (browser, canvas, WebRTC, behavioral, and network).

How to mitigate tracking risks using privacy tools like hardened browsers, VPNs with WebRTC protection, and anti-fingerprinting extensions.

2. Final Thought: VPNs Are Not a Silver Bullet

  • A VPN alone does not guarantee anonymity—you must pair it with strong OpSec practices.
  • Companies and advertisers continuously evolve tracking methods, making privacy a constant effort rather than a one-time fix.
  • By understanding and controlling your digital footprint, you take back control of your online privacy.

💡 Online anonymity is a mindset—stay informed, stay cautious, and always be aware of what you share.

Robert Cao
Previous

TIL about GMASK
Next

Bypassing Cisco Umbrella with SSH Tunneling