Even if you are pentesting a web service that has given you explicit consent to do so, such as this site (read the footer), you still need to hide your real IP address. Because you don’t want your real IP listed in the victim’s server log files, and you don’t want it suddenly banned and locked out in the cold. Any half-assed web service these days use some sort of WAF that blacklists your IP if you hammer the server too hard, which is definitely the case if you use the tools we list here and here.
Also, you are typically going to need several or even many different IP addresses, if you seriously want to succeed in pwning a web server that wasn’t set up by total noobs.
There are a number of fairly effortless ways to accomplish this. If you route all your internet traffic through TOR, for example, you’re not exposing your real IP. Quick note: TOR is so much more than a browser! You can route all your traffic through the TOR network by using for example torghost in Linux; getting a fresh IP is accomplished by simply typing
If you feel that TOR doesn’t cover your privacy and integrity needs, where do you find a decent amount of fresh proxies? Google is usually your best friend, but in the case of finding reliable proxies, you are probably gonna find lots of crap. Here is one decent source of public proxies, but we are sure you can find others. Don’t be afraid to list good proxy sources in the comments, as we are constantly looking for more too. Thanks!
If you’re the paranoid kind, chaining two or more proxies makes it virtually impossible to trace any activity back to you. Proxychains is a sweet program you can use to set something like this up.
A different and quite attractive alternative is using a VPN service. You definitely want a premium provider, as all free alternatives suck in one way or the other. Preferably, one from which you can hop between different IP addresses as often as you need. However, as we are not at all into affiliate marketing, naming one provider before the other is simply someone else’s job.