Peeling Onions

Transcript

1. Peeling Onions @ntddk AVTOKYO 2015 2015.11.14 1

2. $ whoami • http://ntddk.github.io • Student • Security Camp Lecturer

   • CODE BLUE 2015 Speaker 2

3. Peeling Onions 3

4. The Onion Routing 4

5. Tor • • One of the most common anonymous communication

   systems 5

6. Tor 6 AES encryption

7. Tor 7 Exit node can sniff plaintext packet. So you

   should use SSL. IP Entry node can knows source IP address.

8. Tor 8 Tor hidden services Hidden services can only be

   accessed through Tor Exit nodes are not used at this time. .onion TLD These are also called “deep web”.

9. 9 http://blog.trendmicro.co.jp/archives/12349 Investigation of underground community in Japan

10. 10 https://www.facebookcorewwwi.onion Hash of public key

11. 11 https://www.facebookcorewwwi.onion

12. Tor 12

13. 13 https://goo.gl/PFWpYn

14. 14 Tor Measurement of drug marketplace on Tor network https://www.usenix.org/conference/usenixsecurity15/technical-

    sessions/session/measurement

15. 15 Confidence is most important in underground. One review, one

    transaction.

16. 16

17. Crawling Deep Web 17

18. 18 http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for- cybercriminals/ 900 hidden services Kaspersky found 900 hidden

    services.

19. 19 http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for- cybercriminals/ Tor 30,000 hidden services Tor project says

    there are over 30,000 hidden services.

20. 20 https://bdpuqvsqmphctrcs.onion List of 174,523 hidden services

21. 21 { "aaData": [ [ "0", "torlinkbgs6aabns.onion", "TorLinks | .onion

    Link List The Hidden Wiki TheHiddenWiki Onion Urls onionland Tor linklist Deepweb", "https://encrypted.google.com/search?q=¥".onion¥"", "1442342899", "1369353102", "388", "2328" ], [ "1", "ci3hn2uzjw2wby3z.onion", "Talk.onion", "https://encrypted.google.com/search?q=¥".onion¥"", "1375548844", "1369353102", "396", … But, how many of them still alive?

22. Scraping • • Confirm the existence of services from the

    list. 22 torsocks wget ¥ --connect-timeout=10 --tries=1 ¥ --user-agent= ¥ “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥ [.onion] Same as Tor browser html You should scrape only html to avoid child pornography

23. Scraping • • Confirm the existence of services from the

    list. • 4,102/174,523 • Found 4,102/174,523 sites still alive! 23 torsocks wget ¥ --connect-timeout=10 --tries=1 ¥ --user-agent= ¥ “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥ [.onion]

24. Word Cloud • html • Now we have html files

    of the top pages. • • Visualize word frequency 24 #!/usr/bin/env python2 import sys from os import path from wordcloud import WordCloud d = path.dirname(__file__) argvs = sys.argv text = open(path.join(d, argvs[1])).read() wordcloud = WordCloud(max_font_size=600,width=2560,height=1440).generate(text) wordcloud.to_file(path.join(d, argvs[1]+".png"))

25. 25 • Word cloud of all sites

26. 26 • Word cloud of sites which contain “malware” •

    • Black hat hacker likes sophomoric words. lol

27. Clustering • html • Strip html tags, extract text 27

28. Clustering • Calculate tf-idf • • Term frequency • •

    Inverse document frequency • tf*log_2(N/df) 28 0.0896242738109923 facebook 0.0811608402477274 checkthis 0.0763369146951766 words 0.0637879047442443 sign 0.0599923671251114 039 0.0494245419919427 try https://www.facebookcorewwwi.onion

29. Clustering • Pearson score 29 a b c d e

30. Clustering • 100 sites (randomly chosen) 30

31. Clustering • 1,000 sites (randomly chosen) 31 __ ━┓ ―

    ┏┛ ( ) ( ) ⌒ __ | / _ / | | | |

32. Clustering • 4,102 sites (all) • • O(N^2) 32

33. 33

34. Tor shops • PHP • Template written in PHP for

    black markets • Bitcoin • 48 • Used at 48 sites 34

35. Clustering (Tor shops) 35

36. Clustering (Tor shops) 36

37. Clustering (Tor shops) 37

38. Clustering (Tor shops) 38

39. Clustering (Tor shops) 39

40. Clustering (Tor shops) 40

41. Clustering (Tor shops) 41

42. Clustering (Tor shops) 42

43. Clustering (Tor shops) 43

44. Clustering (Tor shops) 44

45. Clustering (Tor shops) 45

46. Clustering (Tor shops) 46

47. Clustering (Tor shops) 47

48. Clustering (Tor shops) 48

49. Clustering (Tor shops) 49

50. Clustering (Tor shops) • About 12 clusters • Hitman, Drug,

    Phone, Tablet, Kush, LSD, Cannabis, Cocaine, USD, Hacker, US Passport, UK Passport 50

51. 51 https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998 Previous research of clustering web-based hidden services But

    not focused on black markets

52. Conclusion • Tor hidden services • There are hidden services

    for criminal purpose. • 12 • There are about 12 types of black markets. • k-means • We will do further analysis by using a k-means in the future. 52

53. Running Exit Node 53

54. Tor 54 Exit node can sniff unencrypted packet. So you

    should use SSL. IP Entry node can knows source IP address.

55. Tor 55 Exit node can sniff unencrypted packet. Tor We

    can monitor attacks via Tor.

56. • • For victim, attacker is YOU. • IPS •

    IPS is required. 56

57. 57

58. Attack to exit node • .torrc • You can specify

    exit nodes by .torrc. • 58

59. Pass the back (bad idea) 59 Tor Passing to Tor

    once more. Entry node

60. Appendix 60

61. 61 https://goo.gl/PFWpYn

62. 62 https://goo.gl/PFWpYn

63. 63 https://goo.gl/PFWpYn

64. 64 https://goo.gl/PFWpYn

65. 65 https://www.reddit.com/r/SilkRoad/

66. 66 https://www.reddit.com/r/DarkNetMarkets

67. 67 “The Dark Net: Inside the Digital Underworld” ( )

68. 68 Session of anonymizing data https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/forget- me-not BGP/AS Tor BGP/AS-level

    de-anonymization of Tor Fingerprinting hidden service connections

69. 69 http://panopticlick.eff.org Tor browser on this machine(default setting)

70. 70 https://torstatus.blutmagie.de There are only ~7000 exit nodes Tor is

    not fully secure. Tor Tor Research is not in the stage about whether it can be de-anonymized or not. It is just about its efficiency.

71. • 187 deep web architectures • Alternative internet alter the

    world, crime as well. 71 https://github.com/redecentralize/alternative-internet