Peeling Onions

Yuma Kurogome
November 15, 2015

Slides presented at AVTOKYO 2015

Transcript

  1. Peeling Onions
    @ntddk
    AVTOKYO 2015
    2015.11.14

  2. $ whoami
    • http://ntddk.github.io
    • Student
    • Security Camp Lecturer
    • CODE BLUE 2015 Speaker

  3. Peeling Onions

  4. The Onion Routing

  5. Tor
    • One of the most common anonymous communication systems

  6. Tor
    AES encryption (diagram label)

  7. Tor
    The exit node can sniff plaintext packets, so you should use SSL.
    The entry node can learn the source IP address.

  8. Tor
    Tor hidden services
    Hidden services can only be accessed through Tor;
    exit nodes are not used in this case.
    .onion TLD
    These are also called the "deep web".

  9. http://blog.trendmicro.co.jp/archives/12349
    Investigation of the underground community in Japan

  10. https://www.facebookcorewwwi.onion
    The address is a hash of the public key

  11. https://www.facebookcorewwwi.onion

  12. Tor

  13. https://goo.gl/PFWpYn

  14. Tor
    Measurement of the drug marketplace on the Tor network
    https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/measurement

  15. Trust is most important in the underground. One review, one transaction.

  16. (image only)

  17. Crawling the Deep Web

  18. http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-cybercriminals/
    Kaspersky found 900 hidden services.

  19. http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-cybercriminals/
    The Tor project says there are over 30,000 hidden services.

  20. https://bdpuqvsqmphctrcs.onion
    List of 174,523 hidden services

  21. {
      "aaData": [
        [
          "0",
          "torlinkbgs6aabns.onion",
          "TorLinks | .onion Link List The Hidden Wiki TheHiddenWiki Onion Urls onionland Tor linklist Deepweb",
          "https://encrypted.google.com/search?q=\".onion\"",
          "1442342899",
          "1369353102",
          "388",
          "2328"
        ],
        [
          "1",
          "ci3hn2uzjw2wby3z.onion",
          "Talk.onion",
          "https://encrypted.google.com/search?q=\".onion\"",
          "1375548844",
          "1369353102",
          "396",

    But how many of them are still alive?

  22. Scraping
    • Confirm the existence of services from the list.
    torsocks wget \
        --connect-timeout=10 --tries=1 \
        --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101 Firefox/8.0.1" \
        [.onion]
    Same user agent as the Tor browser
    You should scrape only html to avoid child pornography.

  23. Scraping
    • Confirm the existence of services from the list.
    • Found 4,102/174,523 sites still alive!
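
Added example (my own code, not from the deck): the helper functions below cover the three checks slides 21 to 23 imply before any fetch is made: pull the hostnames out of an aaData listing and keep only well-formed v2 names (16 base32 characters plus .onion), build the exact torsocks wget argument vector from slide 22 without shell quoting problems, and decide from the Content-Type whether a response body should be stored at all, so that only HTML is kept. The sample listing is constructed in the shape of slide 21; the columns other than the hostname are not explained on the slide, so they are left empty and unused, and the function names are assumptions.

```python
import json
import re
import subprocess

# A v2 onion label is 16 characters from the base32 alphabet a-z and 2-7
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")

# Constructed sample in the shape of the slide's aaData listing; column 1 is
# the hostname, the remaining columns are unexplained on the slide and unused
SAMPLE_AADATA = json.dumps({"aaData": [
    ["0", "torlinkbgs6aabns.onion", "TorLinks", "", "", "", "", ""],
    ["1", "ci3hn2uzjw2wby3z.onion", "Talk.onion", "", "", "", "", ""],
    ["2", "not-an-onion.example.com", "bogus entry", "", "", "", "", ""],
]})

# Same user agent string as the slide (the Tor browser's at the time)
USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) "
              "Gecko/20100101 Firefox/8.0.1")


def extract_onion_addresses(aadata_json):
    """Return the well-formed v2 .onion hostnames from an aaData listing, in order."""
    rows = json.loads(aadata_json)["aaData"]
    return [row[1] for row in rows if len(row) > 1 and ONION_V2.match(row[1])]


def wget_argv(onion, timeout=10):
    """Argument vector for the slide's torsocks wget command (one URL per call)."""
    return ["torsocks", "wget",
            "--connect-timeout=%d" % timeout, "--tries=1",
            "--user-agent=" + USER_AGENT,
            "http://%s/" % onion]


def should_store(content_type):
    """Keep HTML bodies only; images and other media are never written to disk."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "text/html"


def is_alive(onion, timeout=10):
    """Run the wget probe; needs tor and torsocks installed, so not used in tests."""
    result = subprocess.run(wget_argv(onion, timeout), stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


if __name__ == "__main__":
    for host in extract_onion_addresses(SAMPLE_AADATA):
        print(" ".join(wget_argv(host)))
```

The wget probe itself says nothing about content type, which is why the HTML-only filter is a separate step: with a list of hundreds of thousands of names, deciding per response header whether to keep the body is the cheapest point at which to honour the "only html" rule.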

  24. Word Cloud
    • Now we have html files of the top pages.
    • Visualize word frequency
    #!/usr/bin/env python2
    import sys
    from os import path
    from wordcloud import WordCloud

    # Read the scraped top page named on the command line
    d = path.dirname(__file__)
    text = open(path.join(d, sys.argv[1])).read()
    # Render word frequencies and save the image next to the input file
    wordcloud = WordCloud(max_font_size=600, width=2560, height=1440).generate(text)
    wordcloud.to_file(path.join(d, sys.argv[1] + ".png"))

  25. • Word cloud of all sites

  26. • Word cloud of sites which contain "malware"
    • Black hat hackers like sophomoric words. lol

  27. Clustering
    • Strip html tags, extract text

  28. Clustering
    • Calculate tf-idf
    • Term frequency
    • Inverse document frequency
    • tf * log_2(N / df)
    0.0896242738109923 facebook
    0.0811608402477274 checkthis
    0.0763369146951766 words
    0.0637879047442443 sign
    0.0599923671251114 039
    0.0494245419919427 try
    (tf-idf scores for https://www.facebookcorewwwi.onion)

  29. Clustering
    • Pearson score
    (dendrogram of sites a, b, c, d, e)
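
Added example (my own code, not the deck's): slides 28, 29 and 32 together describe the pipeline, tf-idf weights with the deck's formula tf * log_2(N/df), a Pearson score between site vectors, and an agglomerative clustering whose pairwise comparison step is what makes it O(N^2). The block implements all three on a constructed four-document corpus with distinct vocabularies (two shop-like pages, a link list, a blog), so the merge order is predictable. Term frequency is taken as count divided by document length and Pearson is computed over the whole vocabulary; both are my choices, since the slides do not fix them.

```python
import math


def tokenize(text):
    # Lowercase alphanumeric tokens; HTML tags are assumed already stripped
    cleaned = "".join(c.lower() if c.isalnum() else " " for c in text)
    return cleaned.split()


def term_frequency(tokens):
    # tf = count / document length
    counts = {}
    for t in tokens:
        counts[t] = counts.get(t, 0) + 1
    n = float(len(tokens))
    return {t: c / n for t, c in counts.items()}


def tfidf(docs):
    """docs: {name: text}. Returns ({name: {term: tf * log2(N/df)}}, sorted vocabulary)."""
    tfs = {name: term_frequency(tokenize(text)) for name, text in docs.items()}
    df = {}
    for tf in tfs.values():
        for term in tf:
            df[term] = df.get(term, 0) + 1
    N = len(docs)
    scores = {name: {term: w * math.log2(N / float(df[term])) for term, w in tf.items()}
              for name, tf in tfs.items()}
    return scores, sorted(df)


def pearson(v1, v2, vocab):
    # Pearson correlation of two sparse tf-idf vectors over the full vocabulary
    x = [v1.get(t, 0.0) for t in vocab]
    y = [v2.get(t, 0.0) for t in vocab]
    n = float(len(vocab))
    sx, sy = sum(x), sum(y)
    sxx, syy = sum(a * a for a in x), sum(b * b for b in y)
    sxy = sum(a * b for a, b in zip(x, y))
    num = sxy - sx * sy / n
    den = math.sqrt((sxx - sx * sx / n) * (syy - sy * sy / n))
    return num / den if den else 0.0


def closest_pair(vectors, vocab):
    # Every pair is scored once: this loop is the O(N^2) part of the method
    names = sorted(vectors)
    best = None
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            r = pearson(vectors[a], vectors[b], vocab)
            if best is None or r > best[0]:
                best = (r, a, b)
    return best[1], best[2]


def hcluster(vectors, vocab):
    """Agglomerative clustering; returns a nested tuple tree of document names."""
    clusters = {name: (name, vec) for name, vec in vectors.items()}
    step = 0
    while len(clusters) > 1:
        a, b = closest_pair({k: v[1] for k, v in clusters.items()}, vocab)
        (tree_a, vec_a), (tree_b, vec_b) = clusters.pop(a), clusters.pop(b)
        # The merged cluster is represented by the mean of its two vectors
        merged = {t: (vec_a.get(t, 0.0) + vec_b.get(t, 0.0)) / 2.0
                  for t in set(vec_a) | set(vec_b)}
        clusters["cluster%d" % step] = ((tree_a, tree_b), merged)
        step += 1
    return next(iter(clusters.values()))[0]


# Constructed corpus standing in for stripped top pages (not real site text)
SAMPLE_DOCS = {
    "shop1": "buy bitcoin escrow cocaine",
    "shop2": "buy bitcoin escrow cannabis",
    "wiki": "onion link list hidden wiki",
    "blog": "tor research blog post about onion",
}

if __name__ == "__main__":
    scores, vocab = tfidf(SAMPLE_DOCS)
    print(hcluster(scores, vocab))
```

With N = 4 the idf values are exact powers of two (terms in two documents weigh 1, terms in one weigh 2), which makes the weights easy to check by hand; the two shop-like pages share three of four terms and merge first, the link list and blog share only "onion" and merge second, and the dendrogram on slide 29 is exactly this tree drawn with merge heights.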

  30. Clustering
    • 100 sites (randomly chosen)

  31. Clustering
    • 1,000 sites (randomly chosen)
    (dendrogram image)

  32. Clustering
    • 4,102 sites (all)
    • O(N^2)

  33. (image only)

  34. Tor shops
    • Template written in PHP for black markets
    • Bitcoin
    • Used at 48 sites

  35. Clustering (Tor shops)

  36-49. Clustering (Tor shops) (image-only slides)

  50. Clustering (Tor shops)
    • About 12 clusters
    • Hitman, Drug, Phone, Tablet, Kush, LSD, Cannabis, Cocaine, USD, Hacker, US Passport, UK Passport

  51. https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998
    Previous research on clustering web-based hidden services,
    but not focused on black markets

  52. Conclusion
    • There are hidden services for criminal purposes.
    • There are about 12 types of black markets.
    • We will do further analysis using k-means in the future.

  53. Running an Exit Node

  54. Tor
    The exit node can sniff unencrypted packets, so you should use SSL.
    The entry node can learn the source IP address.

  55. Tor
    The exit node can sniff unencrypted packets.
    We can monitor attacks via Tor.

  56. • To the victim, the attacker is YOU.
    • An IPS is required.
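
Added example (my own code, not from the deck): slides 55 and 56 make the point that an exit node operator sees attack traffic leaving the node and, since the destination sees only the exit's IP, needs an IPS rather than passive sniffing. The block below is the minimal form of that monitoring: it runs two well-known request signatures (a quoted tautology typical of SQL injection and a directory traversal sequence) over a constructed request log and counts hits per destination, which is the data an operator would hand to an IPS rule or an abuse report. The log format, the signature names and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of HTTP requests leaving an exit node (not real traffic);
# one request per line: timestamp destination-ip method path
SAMPLE_LOG = """\
2015-11-14T10:00:01 203.0.113.10 GET /index.html
2015-11-14T10:00:02 203.0.113.10 GET /login.php?user=admin'%20OR%20'1'='1
2015-11-14T10:00:03 198.51.100.7 GET /images/logo.png
2015-11-14T10:00:04 203.0.113.10 GET /../../etc/passwd
2015-11-14T10:00:05 198.51.100.7 GET /wp-login.php
2015-11-14T10:00:06 198.51.100.7 POST /xmlrpc.php
"""

# Request signatures of the kind an IPS matches; the names are our own.
# Both accept the raw character and its percent-encoded form.
SIGNATURES = {
    "sql_injection": re.compile(r"(%27|')(%20|\s)*(or|and)(%20|\s)*(%27|')?1", re.I),
    "path_traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
}


def parse_line(line):
    # Split into the four fields; the path keeps any spaces it might contain
    ts, dst, method, path = line.split(" ", 3)
    return {"ts": ts, "dst": dst, "method": method, "path": path}


def classify(path):
    # Names of every signature that matches this request path
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def flag_requests(log_text):
    """Return (flagged requests, Counter of (destination, signature) hits)."""
    flagged, hits = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        for sig in classify(req["path"]):
            flagged.append((req["ts"], req["dst"], sig, req["path"]))
            hits[(req["dst"], sig)] += 1
    return flagged, hits


if __name__ == "__main__":
    for ts, dst, sig, path in flag_requests(SAMPLE_LOG)[0]:
        print(ts, dst, sig, path)
```

Only the two requests against 203.0.113.10 are flagged; the WordPress login and xmlrpc requests are ordinary traffic to this matcher, which is the usual trade-off: a short signature list stays explainable, but every request the list misses still leaves the node carrying the operator's address.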

  57. (image only)

  58. Attack to exit node
    • You can specify exit nodes in .torrc.

  59. Pass the back (bad idea)
    Passing to Tor once more.
    Entry node

  60. Appendix

  61-64. https://goo.gl/PFWpYn (screenshots)

  65. https://www.reddit.com/r/SilkRoad/

  66. https://www.reddit.com/r/DarkNetMarkets

  67. "The Dark Net: Inside the Digital Underworld"

  68. Session on anonymizing data
    https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/forget-me-not
    BGP/AS-level de-anonymization of Tor
    Fingerprinting hidden service connections

  69. http://panopticlick.eff.org
    Tor browser on this machine (default settings)

  70. https://torstatus.blutmagie.de
    There are only ~7000 exit nodes.
    Tor is not fully secure.
    Research is no longer about whether Tor can be de-anonymized or not;
    it is about how efficiently it can be done.

  71. • 187 deep web architectures
    • Alternative internets alter the world, and crime as well.
    https://github.com/redecentralize/alternative-internet