Peeling Onions

Yuma Kurogome
November 15, 2015


AVTOKYO 2015 presentation slides


Transcript

  1. Peeling Onions • @ntddk • AVTOKYO 2015 • 2015.11.14

  2. $ whoami • http://ntddk.github.io • Student • Security Camp Lecturer • CODE BLUE 2015 Speaker
  3. Peeling Onions

  4. The Onion Routing

  5. Tor • One of the most common anonymous communication systems
  6. Tor • AES encryption

  7. Tor • The exit node can sniff plaintext packets, so you should use SSL. • The entry node can know the source IP address.
  8. Tor hidden services • Hidden services can only be accessed through Tor; exit nodes are not used in this case. • .onion TLD • These are also called the “deep web”.
  9. Investigation of the underground community in Japan • http://blog.trendmicro.co.jp/archives/12349

  10. https://www.facebookcorewwwi.onion • The .onion name is a hash of the service's public key

  11. https://www.facebookcorewwwi.onion

  12. Tor

  13. https://goo.gl/PFWpYn

  14. Tor • Measurement of drug marketplaces on the Tor network • https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/measurement
  15. Trust is most important in the underground. One review, one transaction.
  16.

  17. Crawling the Deep Web

  18. Kaspersky found 900 hidden services. • http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-cybercriminals/
  19. The Tor Project says there are over 30,000 hidden services. • http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-cybercriminals/
  20. https://bdpuqvsqmphctrcs.onion • List of 174,523 hidden services

  21. Excerpt of the list (JSON):
    { "aaData": [
        [ "0", "torlinkbgs6aabns.onion", "TorLinks | .onion Link List The Hidden Wiki TheHiddenWiki Onion Urls onionland Tor linklist Deepweb", "https://encrypted.google.com/search?q=\".onion\"", "1442342899", "1369353102", "388", "2328" ],
        [ "1", "ci3hn2uzjw2wby3z.onion", "Talk.onion", "https://encrypted.google.com/search?q=\".onion\"", "1375548844", "1369353102", "396", …
    But how many of them are still alive?
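The list on slide 21 is the input to the scraping step, so it helps to see how the hostname column is pulled out and sanity-checked before anything is fetched. This is an added example, not code from the slides or from the speaker: the JSON below is constructed in the same "aaData" row shape as the excerpt (only the two hostnames visible on the slide are real; the other rows are made up to exercise the checks), and the 16-character base32 pattern is the .onion address format in use in 2015.

```python
# Added example (not from the slides): extract well-formed .onion hostnames from the
# DataTables-style JSON list shown on slide 21, so only valid, unique addresses reach
# the liveness check on slide 22.
import json
import re

# Constructed sample. Rows 0 and 1 carry the hostnames visible on the slide; rows 2 to 4
# are made up to show the rejection and de-duplication paths.
SAMPLE_JSON = """
{"aaData": [
  ["0", "torlinkbgs6aabns.onion", "TorLinks | .onion Link List", "https://encrypted.google.com/search?q=%22.onion%22", "1442342899", "1369353102", "388", "2328"],
  ["1", "ci3hn2uzjw2wby3z.onion", "Talk.onion", "https://encrypted.google.com/search?q=%22.onion%22", "1375548844", "1369353102", "396", "10"],
  ["2", "CI3HN2UZJW2WBY3Z.onion", "same host, different case", "", "0", "0", "0", "0"],
  ["3", "not-an-onion.example.com", "clearnet host that slipped into the list", "", "0", "0", "0", "0"],
  ["4", "tooshort.onion", "malformed address", "", "0", "0", "0", "0"]
]}
"""

# 2015-era (v2) hidden service address: 16 base32 characters followed by .onion
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")


def parse_hidden_service_list(raw):
    """Return (valid, rejected): unique lowercase .onion hostnames and the rows dropped."""
    rows = json.loads(raw)["aaData"]
    valid, rejected, seen = [], [], set()
    for row in rows:
        # column 1 of every row is the hostname; anything else is treated as malformed
        if len(row) < 2 or not isinstance(row[1], str):
            rejected.append(row)
            continue
        host = row[1].strip().lower()
        if not ONION_V2.match(host):
            rejected.append(row)
            continue
        if host in seen:
            continue                      # case-insensitive duplicate, keep the first
        seen.add(host)
        valid.append(host)
    return valid, rejected


def wget_targets(raw):
    """URLs in the form handed to torsocks wget on slide 22."""
    valid, _ = parse_hidden_service_list(raw)
    return ["http://%s/" % h for h in valid]


if __name__ == "__main__":
    hosts, dropped = parse_hidden_service_list(SAMPLE_JSON)
    print("valid:", hosts)
    print("rejected rows:", [r[1] for r in dropped])
```

Validating the hostname column before fetching keeps clearnet hosts out of the Tor crawl and avoids fetching the same service twice under different capitalisation.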
  22. Scraping • Confirm the existence of services from the list.
    torsocks wget \
      --connect-timeout=10 --tries=1 \
      --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101 Firefox/8.0.1" \
      [.onion]
    • Same user agent as the Tor Browser • Scrape only HTML so that you do not download child pornography
  23. Scraping • Confirm the existence of services from the list. • Found 4,102/174,523 sites still alive! (same torsocks wget command as slide 22)
  24. Word Cloud • Now we have the HTML files of the top pages. • Visualize word frequency
    #!/usr/bin/env python2
    import sys
    from os import path
    from wordcloud import WordCloud

    # input file is resolved relative to the script's own directory
    d = path.dirname(__file__)
    argvs = sys.argv
    text = open(path.join(d, argvs[1])).read()
    # render the word cloud and write it next to the input as <input>.png
    wordcloud = WordCloud(max_font_size=600, width=2560, height=1440).generate(text)
    wordcloud.to_file(path.join(d, argvs[1] + ".png"))
  25. Word cloud of all sites

  26. Word cloud of sites which contain “malware” • Black hat hackers like sophomoric words. lol
  27. Clustering • Strip HTML tags, extract text

  28. Clustering • Calculate tf-idf • Term frequency • Inverse document frequency • tf * log_2(N/df), with N the number of documents and df the number of documents containing the term
    Top terms for https://www.facebookcorewwwi.onion:
    0.0896242738109923 facebook
    0.0811608402477274 checkthis
    0.0763369146951766 words
    0.0637879047442443 sign
    0.0599923671251114 039
    0.0494245419919427 try
  29. Clustering • Pearson score (figure: sites a, b, c, d, e)
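Slides 27 to 29 describe one pipeline: strip the HTML, weight terms with tf * log_2(N/df), then compare sites with a Pearson score. The block below is an added example, not code from the slides or the speaker, that runs that pipeline end to end on four constructed pages (the site names, page text and the terms in them are made up). It generalises the slides slightly by also doing the all-pairs scoring that slide 32 calls O(N^2) and by reporting each site's nearest neighbour, which is the raw material the later clustering slides work from.

```python
# Added example, not code from the slides: the pipeline of slides 27 to 29 on a
# constructed corpus. Strip HTML, weight terms with tf * log2(N / df) as stated on
# slide 28, then score site pairs with a Pearson correlation as on slide 29.
import math
import re
from collections import Counter

# Constructed "top pages" of four fictitious hidden services (not scraped content).
SAMPLE_PAGES = {
    "site_a": "<html><body><h1>Shop</h1><p>Buy cannabis and kush. Pay with bitcoin.</p></body></html>",
    "site_b": "<html><body><p>Cannabis, LSD and cocaine. Bitcoin accepted, escrow reviews.</p></body></html>",
    "site_c": "<html><body><h1>Talk</h1><p>Forum for onion links and hidden wiki discussion.</p></body></html>",
    "site_d": "<html><body><p>Hidden wiki mirror: onion link list, forum, talk.</p></body></html>",
}

TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[a-z0-9]+")


def strip_html(html):
    """Slide 27: drop the tags and keep the visible text (good enough for tag soup)."""
    return TAG_RE.sub(" ", html)


def tokenize(text):
    return WORD_RE.findall(text.lower())


def tfidf(pages):
    """Return ({site: {term: tf * log2(N/df)}}, sorted corpus vocabulary)."""
    docs = {site: tokenize(strip_html(html)) for site, html in pages.items()}
    n = len(docs)
    df = Counter()                       # number of documents containing each term
    for tokens in docs.values():
        df.update(set(tokens))
    weights = {}
    for site, tokens in docs.items():
        counts = Counter(tokens)
        total = float(len(tokens))
        weights[site] = {t: (c / total) * math.log2(n / df[t]) for t, c in counts.items()}
    return weights, sorted(df)


def pearson(u, v, vocab):
    """Pearson correlation of two term-weight dicts laid out over the same vocabulary."""
    xs = [u.get(t, 0.0) for t in vocab]
    ys = [v.get(t, 0.0) for t in vocab]
    n = len(vocab)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0.0 or sy == 0.0:
        return 0.0                       # constant vector (e.g. an empty page): treat as uncorrelated
    return cov / (sx * sy)


def pairwise_scores(weights, vocab):
    """All-pairs Pearson scores: the O(N^2) step slide 32 runs over 4,102 sites."""
    sites = sorted(weights)
    return {(a, b): pearson(weights[a], weights[b], vocab)
            for i, a in enumerate(sites) for b in sites[i + 1:]}


def top_terms(weights, site, k=3):
    """Highest-weighted terms of one site, like the facebookcorewwwi list on slide 28."""
    ranked = sorted(weights[site].items(), key=lambda kv: (-kv[1], kv[0]))
    return [t for t, _ in ranked[:k]]


def cluster_report(pages):
    """For each site: its top terms and the site it correlates with most strongly."""
    weights, vocab = tfidf(pages)
    report = {}
    for site in weights:
        others = [s for s in weights if s != site]
        nearest = max(others, key=lambda s: pearson(weights[site], weights[s], vocab))
        report[site] = (top_terms(weights, site), nearest)
    return report


if __name__ == "__main__":
    for site, (terms, nearest) in sorted(cluster_report(SAMPLE_PAGES).items()):
        print(site, terms, "closest:", nearest)
```

The Pearson score is computed over the whole corpus vocabulary so that every site's vector has the same dimensions; computing it over only the union of two sites' terms makes scores incomparable between pairs. With sparse tf-idf vectors the absolute correlations come out small or negative, and it is the ranking that groups the two shop pages together and the two link-list pages together.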

  30. Clustering • 100 sites (randomly chosen)

  31. Clustering • 1,000 sites (randomly chosen)
  32. Clustering • 4,102 sites (all) • O(N^2) pairwise comparisons

  33.

  34. Tor shops • Template written in PHP for black markets • Bitcoin • Used at 48 sites
  35. Clustering (Tor shops) (slides 35 to 49 repeat this title with figures only)

  50. Clustering (Tor shops) • About 12 clusters • Hitman, Drug, Phone, Tablet, Kush, LSD, Cannabis, Cocaine, USD, Hacker, US Passport, UK Passport
  51. Previous research on clustering web-based hidden services, but not focused on black markets • https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998
  52. Conclusion • Tor hidden services • There are hidden services for criminal purposes. • There are about 12 types of black markets. • We will do further analysis using k-means in the future.
  53. Running an Exit Node

  54. Tor • The exit node can sniff unencrypted packets, so you should use SSL. • The entry node can know the source IP address.
  55. Tor • The exit node can sniff unencrypted packets. • We can monitor attacks via Tor.
  56. • To the victim, the attacker is YOU (the traffic leaves from your exit node's address). • An IPS is required.
  57.

  58. Attack to exit node • You can specify exit nodes in .torrc.
  59. Pass the buck (bad idea) • Passing the traffic to Tor once more (figure: Entry node)
  60. Appendix

  61. https://goo.gl/PFWpYn (repeated on slides 62, 63 and 64)

  65. https://www.reddit.com/r/SilkRoad/

  66. https://www.reddit.com/r/DarkNetMarkets

  67. “The Dark Net: Inside the Digital Underworld”

  68. Session on anonymizing data • https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/forget-me-not • BGP/AS-level de-anonymization of Tor • Fingerprinting hidden service connections
  69. http://panopticlick.eff.org • Tor Browser on this machine (default settings)

  70. https://torstatus.blutmagie.de • There are only ~7,000 exit nodes. • Tor is not fully secure. • Tor research is no longer about whether Tor can be de-anonymized, but about how efficiently it can be.
  71. 187 deep web architectures • Alternative internets alter the world, and crime as well. • https://github.com/redecentralize/alternative-internet