How to be a Ghost

Rhett Greenhagen
9 min readJul 4, 2020


This story is all about the training me and one of my closest friends did at multiple large security conferences, with thousands of members participating. We took highlights from this 4 day training course and made this following story, enjoy. If you wish to take the 4 day training in its full details, please message me.

1. Introduction

The concept of digital footprint has never been more relevant than it is today. Being a “cyber ghost” in the interconnected world of the internet is a skill in itself. The desire to be “up to date” hinders the ability to be cautious while scouring the internet. However, given the current landscape of digital uncertainty, it is imperative to be cautious. Privacy is not a complex concept. By understanding certain concepts, the average user can get a grip on their digital footprint.

Concepts like VPN, VPS, COVCOM aren’t that complex as they are made out to be. A VPN (Virtual Private Network) is a secure, private connection created by a private network from a public internet connection. While the average user today would be bombarded by VPN ads, they can also set up their own. A VPS (Virtual Private Server), is a virtual machine service sold by an internet hosting service.

2. ESXI Architecture and Hypervisor Support

ESXi architecture, formally known as the VMware ESXi Architecture is a hypervisor to deploy virtual computers. It is a Type-1 hypervisor, which creates and runs virtual machines. From gaming consoles to computers, hypervisors are found in all of these devices and are implemented according to the use case. Since the hypervisor isn’t a software application installed on an OS, it includes its own components. VMware, the popular cloud computing and virtualization software company is responsible for implementing this technology.

2.1 Installing ESXi

Installing ESXi is a simple task if you have everything in one place. The following pre-requisites outline everything you need before starting the set-up: -

1. Check whether your system supports the machine from the list here

2. Have a back-up of your current files

3. You have the ESXi installation file downloaded from the official site

Once you have the prerequisites, here is what you need to do to install it: -

1. Install ESXi Interactively by following these steps

2. Configure the ESXi Host by following these specific steps

3. To deploy the virtual machines, Install the vSphere client using these steps

4. Login to your ESXi Host to deploy a virtual machine by starting the vSphere client

2.2 Creating Virtual Templates

Here are the steps to create a virtual template: -

VMs and Templates > Right click preferred Template > select All vCenter Actions > Clone to template >

Do note that if you have selected the Convert to Template option, the template automatically becomes available in the Inventory. If not, once the template host has been selected, you’ll be presented with 4 disk format options. Once the decision has been made to choose the disk formats, the template becomes then finally available in the inventory.

To protect yourself from malware and to undertake an effective malware analysis, it is imperative to categorize the hypervisors. By treating each ESXi hypervisor as an individual network, users can defend themselves against malware attacks.

3. Creating Virtual Private Servers

A VPS, as described earlier, is a service offered by an Internet provider. It is a virtual machine provided by a web hosting company, similar to website hosting in a sense. It runs its own OS and gives admins complete root access. This allows it to have diverse functions as it can be installed on any compatible software.

3.1 Creating a VPS

Setting up a VPS is pretty straightforward. The following guide details the steps needed to create your own VPS: -

1. Choose your VPS host. There is a plethora of them, each offering unique bundles. Choose what works for your needs.

2. Once decided, you need to place an order and purchase the VPS Server on that host. It is also worth noting that you would also need to buy a Domain Name. This can be done on the host website itself and it is billed yearly.

3. Once the payment is successful, you will be greeted with the admin panel where you will have to set up the VPS.

3.2 Purchasing VPS Anonymously

There are a host of ways to buy a VPS/VPN anonymously. These are: -

1. Bitcoin

If you happen to have cryptocurrencies stock up with you, then paying for a VPS with a Bitcoin is the safest bet. Every VPS/VPN server accepts them. It is as easy as paying via a debit/credit card. But this only works if you have Bitcoin with you.

2. Gift Cards

Instead of paying via the traditional methods, a gift card could prove to be a better bet. Gift cards can be bought online with a debit/credit card. Also, they can be redeemed without the need of user’s credentials. Lastly, most of the major providers run a 10% of gift cards, which comes out to be more economical.

3.3. Using VPS and VPN Together

VPS and VPN can be pooled together. A VPS allows users to develop their own VPN, as per their needs. While it does require sound technical skills, developing a VPN on a VPS is the cheaper and more customizable compared to the traditional method. If done incorrectly, it exposes sensitive information outside the VPS host and thus requires an expert in this area.

4. Social Media

By this point, it is common knowledge that social media sites are heavily susceptible to attacks. Billions of people access these sites/applications regularly which increases their digital footprint trail. Social media has afforded individuals the liberty to create an online persona that is separate from their real self. With respect to social media, the “Once posted, always posted” idea is heavily prevalent.

Major social networking platforms have spent billions of dollars in their cyber security research. The number of independent cyber security firms have also risen lately to monitor the activity of these platforms. Online personas, from a security perspective, can prove to be beneficial in meaningfully analyzing the security practices of these sites. Personas is a modelling technique used for product definition and design. To develop a strong persona for documentation, the following steps need to be followed: -

1. Defining the target audience to find out who is actually using what service

2. Once the audience is identified, define how the activity of these users will be documented

3. Depending on the number of primary personas, it is important to individually identify the special sections of the documentation. Also, if there are any secondary personas that support the primary personas, they need to be documented along with it.

The behavior of a specific persona differs from its offline counterpart. Subjects tend to display different tendencies, depending on the application. The fundamentals of tracking different behaviors come down to the traits exhibited by the subjects in certain online environments.

5. Developing collections
Automated scraping is a method wherein bots harvest content from a site. Content, in this regard, also refers to data stored on the site. The program, which is called a scraper, replicates the entire website’s back end directory. This is further used to copy the entire website somewhere else. From scraping for photos to written content, automated scraping covers every form of content.

To create an automated scrape tool, there are 3 ways it can be done. The first method is to use a browser extension such as Scraper or Web This is the easiest since it can be downloaded and installed on a browser such as Chrome or Firefox. The second method is to utilize a Programming language such as Scrapy, Apache Nutch or rvest. Lastly, desktop applications like Parsehub and Mozenda also work in the same way as the other 2 options.

IRC, which is Internet Relay Chat, is a chat room where people can chat privately. Once users are on the same IRC network, they can interact with one another privately. To facilitate this, an IRC client is needed to be installed on the user computers. Privately logging the behavior of an IRC server requires that the snooper be on the same server. One the snooper breaks into the desired IRC server, they can document user behavior and log it, without being discovered.

6. How Do Researchers Get Caught
Cyber security researchers do get caught. Whether it is intentional or not, there have been numerous occasions when researchers have been caught. They are “white hat hackers”, ethically operating to find flaws in the systems they are up against. Here are some ways in which they get caught: -

1. They tend to unintentionally leave their “digital footprint” behind. This digital footprint, which once detected by the target server, can help trace the trail back to the attacker.

2. Honeypots are also effective ways to trap these researchers. Honeypots lure “criminals” into their system and locks them out as soon as they are trapped. There have been many instances of major corporations using this method to catch hackers.

3. Trying to break into a fail-safe system which triggers an alarm to the admin has also been moderately successful.

6.1 d0xed And What Does It Mean?

This type of an attack involves diving deep into the personal lives of the targets. Lately, a lot of streamers have been the target of this attack. While it was intended to catch criminals. d0xing has also been used for nefarious purposes.

4chan, a popular image board site was at the center stage of this attack. The target, Jessica Leondhardt, an 11 year old, was abused by 4chan users. She was humiliated and taunted as d0xing gave up her details. It got so out of hand that she was ultimately admitted to a mental hospital. This showed the flawed practice of cyber security researcher in their failure to save this young girl from trauma. \

6.2 10 Commandments of Researchers

1. Ensure that systems, applications and users are patched.

2. Share preventions natively

3. Implement a consistent security model, regardless of user location or device type

4. Practicing Least Privilege

5. Embracing advanced endpoint methodologies

6. Enforcing safe application enablement

7. Gaining leverage via threat intelligence

8. Knowing your threat environment

9. Strive for efficient consumption of new security technologies

10. Adopting a holistic approach to prevention philosophy

6.3 Setting up Bitcoin Payments

Bitcoin is its own currency. Setting up a safe payment network is rather simple if you own Bitcoins. Depending on you use case (personal/business), you need to set up a Bitcoin Wallet. It is similar to setting up a digital, phone wallet and you can head over to think link for more information.

7. How to Operate Legally

The question that arises here is, how does one operate legally and ethically? According to OPSEC (Operational Security), silence is the best defense principle. At the end of the day, privacy is psychological and not overly technical. Here are some ways to ensure that you operate within the legal confines of your authority: -

1. Do not trust anyone who in particular, uses electronic means

2. For OPSEC to be deemed effective, it is important not to over rely on personas. While personas are necessary in certain use cases, over reliance can result in contamination. It is better to destroy personas during those circumstances when there is no choice.

3. A proper cost benefit analysis is necessary for the solutions. This will keep a check on individuals with the authority and would help groups make the best choices.

4. Understanding the drawbacks of each solution is necessary to solving problems. While it may not seem like much at the start, it is important to know this since this can easily blue the line between right and wrong.

Final Thoughts

Being a Ghost is certainly not easy in today’s social media dominant landscape. However, with the right choices and a bit of “technical education”, the average user can protect themselves from harm. Understanding “digital footprint” and its role as an “intangible currency” will give users the sense of how important security is. At the end of the day, we are surrounded by personas. Knowing which one is real and which is not makes the job of being a ghost a lot more easier.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Conference Material

Presented at DeepSec 2017, Blackhat, DEFCON, Bsides events, and several others.

Although this course was designed primarily for the expert level security researchers, intelligence analysts, cyber counter intelligence operators, and malware researchers. It can be given in many different settings, please contact me via LinkedIn for more information.



Rhett Greenhagen

“I am always ready to learn although I do not always like being taught.” — Winston Churchill