Peeling Onions

Peeling Onions @ntddk AVTOKYO 2015 2015.11.14 1

$ whoami • http://ntddk.github.io • Student • Security Camp Lecturer
• CODE BLUE 2015 Speaker 2

Peeling Onions 3

The Onion Routing 4

Tor • • One of the most common anonymous communication
systems 5

Tor 6 AES encryption

Tor 7 Exit node can sniff plaintext packet. So you
should use SSL. IP Entry node can knows source IP address.

Tor 8 Tor hidden services Hidden services can only be
accessed through Tor Exit nodes are not used at this time. .onion TLD These are also called “deep web”.

9 http://blog.trendmicro.co.jp/archives/12349 Investigation of underground community in Japan

10 https://www.facebookcorewwwi.onion Hash of public key

11 https://www.facebookcorewwwi.onion

Tor 12

13 https://goo.gl/PFWpYn

14 Tor Measurement of drug marketplace on Tor network https://www.usenix.org/conference/usenixsecurity15/technical-
sessions/session/measurement

15 Confidence is most important in underground. One review, one
transaction.

Crawling Deep Web 17

18 http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for- cybercriminals/ 900 hidden services Kaspersky found 900 hidden
services.

19 http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for- cybercriminals/ Tor 30,000 hidden services Tor project says
there are over 30,000 hidden services.

20 https://bdpuqvsqmphctrcs.onion List of 174,523 hidden services

21 { "aaData": [ [ "0", "torlinkbgs6aabns.onion", "TorLinks | .onion
Link List The Hidden Wiki TheHiddenWiki Onion Urls onionland Tor linklist Deepweb", "https://encrypted.google.com/search?q=¥".onion¥"", "1442342899", "1369353102", "388", "2328" ], [ "1", "ci3hn2uzjw2wby3z.onion", "Talk.onion", "https://encrypted.google.com/search?q=¥".onion¥"", "1375548844", "1369353102", "396", … But, how many of them still alive?

Scraping • • Confirm the existence of services from the
list. 22 torsocks wget ¥ --connect-timeout=10 --tries=1 ¥ --user-agent= ¥ “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥ [.onion] Same as Tor browser html You should scrape only html to avoid child pornography

Scraping • • Confirm the existence of services from the
list. • 4,102/174,523 • Found 4,102/174,523 sites still alive! 23 torsocks wget ¥ --connect-timeout=10 --tries=1 ¥ --user-agent= ¥ “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥ [.onion]

Word Cloud • html • Now we have html files
of the top pages. • • Visualize word frequency 24 #!/usr/bin/env python2 import sys from os import path from wordcloud import WordCloud d = path.dirname(__file__) argvs = sys.argv text = open(path.join(d, argvs[1])).read() wordcloud = WordCloud(max_font_size=600,width=2560,height=1440).generate(text) wordcloud.to_file(path.join(d, argvs[1]+".png"))

25 • Word cloud of all sites

26 • Word cloud of sites which contain “malware” •
• Black hat hacker likes sophomoric words. lol

Clustering • html • Strip html tags, extract text 27

Clustering • Calculate tf-idf • • Term frequency • •
Inverse document frequency • tf*log_2(N/df) 28 0.0896242738109923 facebook 0.0811608402477274 checkthis 0.0763369146951766 words 0.0637879047442443 sign 0.0599923671251114 039 0.0494245419919427 try https://www.facebookcorewwwi.onion

Clustering • Pearson score 29 a b c d e

Clustering • 100 sites (randomly chosen) 30

Clustering • 1,000 sites (randomly chosen) 31 __ ━┓ ―
┏┛ ( ) ( ) ⌒ __ | / _ / | | | |

Clustering • 4,102 sites (all) • • O(N^2) 32

Tor shops • PHP • Template written in PHP for
black markets • Bitcoin • 48 • Used at 48 sites 34

Clustering (Tor shops) 35

Clustering (Tor shops) • About 12 clusters • Hitman, Drug,
Phone, Tablet, Kush, LSD, Cannabis, Cocaine, USD, Hacker, US Passport, UK Passport 50

51 https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998 Previous research of clustering web-based hidden services But
not focused on black markets

Conclusion • Tor hidden services • There are hidden services
for criminal purpose. • 12 • There are about 12 types of black markets. • k-means • We will do further analysis by using a k-means in the future. 52

Running Exit Node 53

Tor 54 Exit node can sniff unencrypted packet. So you
should use SSL. IP Entry node can knows source IP address.

Tor 55 Exit node can sniff unencrypted packet. Tor We
can monitor attacks via Tor.

• • For victim, attacker is YOU. • IPS •
IPS is required. 56

Attack to exit node • .torrc • You can specify
exit nodes by .torrc. • 58

Pass the back (bad idea) 59 Tor Passing to Tor
once more. Entry node

Appendix 60

65 https://www.reddit.com/r/SilkRoad/

66 https://www.reddit.com/r/DarkNetMarkets

67 “The Dark Net: Inside the Digital Underworld” ( )

68 Session of anonymizing data https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/forget- me-not BGP/AS Tor BGP/AS-level
de-anonymization of Tor Fingerprinting hidden service connections

69 http://panopticlick.eff.org Tor browser on this machine(default setting)

70 https://torstatus.blutmagie.de There are only ~7000 exit nodes Tor is
not fully secure. Tor Tor Research is not in the stage about whether it can be de-anonymized or not. It is just about its efficiency.

• 187 deep web architectures • Alternative internet alter the
world, crime as well. 71 https://github.com/redecentralize/alternative-internet

Peeling Onions

Peeling Onions

More Decks by Yuma Kurogome

Other Decks in Research

Featured

Transcript