
Peeling Onions

Yuma Kurogome
November 15, 2015

AVTOKYO 2015 presentation slides

Transcript

  1. Peeling Onions
    @ntddk
    AVTOKYO 2015
    2015.11.14

  2. $ whoami
    • http://ntddk.github.io
    • Student
    • Security Camp Lecturer
    • CODE BLUE 2015 Speaker

  3. Peeling Onions

  4. The Onion Routing

  5. Tor
    • One of the most widely used anonymous communication systems

  6. Tor
    (Diagram: onion routing. The client wraps its traffic in one AES encryption layer per relay; each relay can remove only its own layer.)

  7. Tor
    (Diagram) The exit node can sniff plaintext packets, so use SSL/TLS end to end.
    The entry node knows the client's source IP address.
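A toy onion circuit, added here as an example (it is not from the deck), showing why the entry relay learns the source IP while only the exit relay sees the payload: each relay strips one encryption layer and learns nothing but the next hop. The relay names, per-hop keys and nonce are constructed; the cipher is an HMAC-SHA256 keystream standing in for Tor's AES-CTR, and the real protocol's key exchange, fixed-size cells and TLS between relays are left out.

```python
"""Toy onion circuit: what each relay sees.  Added example, not the deck's code.
Real Tor uses AES-CTR per hop with keys from a DH handshake, fixed-size cells
and TLS between relays; here the per-hop keys are constructed and the cipher
is an HMAC-SHA256 keystream standing in for AES-CTR."""
import hashlib
import hmac
import json


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher from HMAC-SHA256 (stand-in for AES-CTR).
    XOR is its own inverse, so one function both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed circuit: (relay name, key that the client shares with that relay only).
CIRCUIT = [("entry", b"key-entry-0001"), ("middle", b"key-middle-0002"), ("exit", b"key-exit-0003")]
NONCE = b"circuit-0001"  # constructed; fresh per circuit in a real implementation


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side.  The innermost layer (exit key) names the destination and
    carries the payload; every outer layer names only the next relay."""
    inner, next_hop = payload, destination
    for name, key in reversed(circuit):  # exit layer first, entry layer last
        layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
        inner = keystream_xor(key, NONCE + name.encode(), layer)
        next_hop = name
    return inner  # what the client hands to the entry relay


def peel(name: str, key: bytes, blob: bytes):
    """One relay's step: strip its own layer, learn the next hop, forward the rest."""
    try:
        layer = json.loads(keystream_xor(key, NONCE + name.encode(), blob))
    except ValueError as exc:  # wrong key: undecodable garbage, not a layer
        raise ValueError(f"{name}: cannot peel this layer") from exc
    return layer["next"], bytes.fromhex(layer["inner"])


def traverse(circuit, source_ip: str, destination: str, payload: bytes):
    """Push the onion through the circuit and record what every relay observes.
    Returns (per-relay views, bytes that finally reach the destination)."""
    blob, prev, views = build_onion(circuit, destination, payload), source_ip, []
    for name, key in circuit:
        next_hop, inner = peel(name, key, blob)
        views.append({"relay": name, "from": prev, "to": next_hop,
                      "sees_payload": inner == payload})
        prev, blob = name, inner
    return views, blob


if __name__ == "__main__":
    views, delivered = traverse(CIRCUIT, "203.0.113.7", "example.com:80", b"GET / HTTP/1.0\r\n\r\n")
    for view in views:
        print(view)
    print("delivered:", delivered)
```

Compare the first view (entry: from the client's IP, to the middle relay, payload still encrypted) with the last (exit: to the destination, payload in the clear). Wrapping the payload in TLS before building the onion is what keeps the exit from reading it; nothing in onion routing itself does.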

  8. Tor
    Tor hidden services: reachable only through Tor, under the .onion TLD; no exit node is involved.
    These are also called the "deep web".

  9. Investigation of the underground community in Japan
    http://blog.trendmicro.co.jp/archives/12349

  10. https://www.facebookcorewwwi.onion
    The hostname is a hash of the service's public key (for these 16-character v2 addresses: the first 80 bits of the SHA-1 of the RSA public key, base32-encoded).

  11. https://www.facebookcorewwwi.onion (screenshot)

  12. https://goo.gl/PFWpYn

  13. Measurement of drug marketplaces on the Tor network
    https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/measurement

  14. Trust is what matters most in the underground: one transaction, one review.

  15. Crawling the Deep Web

  16. Kaspersky found 900 hidden services.
    http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-cybercriminals/

  17. The Tor Project says there are over 30,000 hidden services.
    http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-cybercriminals/

  18. https://bdpuqvsqmphctrcs.onion
    A list of 174,523 hidden services

  19. {
      "aaData": [
        [
          "0",
          "torlinkbgs6aabns.onion",
          "TorLinks | .onion Link List The Hidden Wiki TheHiddenWiki Onion Urls onionland Tor linklist Deepweb",
          "https://encrypted.google.com/search?q=\".onion\"",
          "1442342899",
          "1369353102",
          "388",
          "2328"
        ],
        [
          "1",
          "ci3hn2uzjw2wby3z.onion",
          "Talk.onion",
          "https://encrypted.google.com/search?q=\".onion\"",
          "1375548844",
          "1369353102",
          "396",

    But how many of them are still alive?

  20. Scraping
    • Confirm which services on the list still exist.
    torsocks wget \
        --connect-timeout=10 --tries=1 \
        --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101 Firefox/8.0.1" \
        [.onion]
    (The User-Agent is the one Tor Browser sent at the time.)
    Fetch only the HTML of the top page, no images or other assets, to avoid downloading child pornography.

  21. Scraping
    • Confirm which services on the list still exist.
    • Found 4,102 / 174,523 sites still alive.
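The scrape of the three slides above as one script, added here as an example (not the deck's own code): parse the list's aaData rows, keep only syntactically valid v2 .onion names, emit one torsocks wget command per site that fetches the top page only, and tally the results by wget exit status. The sample rows, the output filename scheme and the decision to count exit status 8 (the server answered with an HTTP error) as "alive" are this example's assumptions.

```python
#!/usr/bin/env python3
"""Turn the hidden-service list into a scrape job and classify the results.
Added example, not from the deck.  The JSON shape follows the "aaData" rows
on the slide; the rows below are constructed."""
import json
import re
import shlex

# Constructed sample in the shape of the list's rows:
# [index, hostname, title, referrer, first_seen, last_seen, ?, ?]
SAMPLE_LIST = json.dumps({"aaData": [
    ["0", "torlinkbgs6aabns.onion", "TorLinks", "", "1442342899", "1369353102", "388", "2328"],
    ["1", "ci3hn2uzjw2wby3z.onion", "Talk.onion", "", "1375548844", "1369353102", "396", "0"],
    ["2", "not-an-onion.example.com", "bogus entry", "", "0", "0", "0", "0"],
    ["3", "TORLINKBGS6AABNS.ONION", "duplicate, different case", "", "0", "0", "0", "0"],
]})

# v2 onion name: 16 base32 characters (a-z, 2-7), the truncated SHA-1 of the service key.
V2_ONION = re.compile(r"^[a-z2-7]{16}\.onion$")

# Same User-Agent as Tor Browser at the time (taken from the slide).
USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"


def extract_onions(list_json: str) -> list:
    """Unique, syntactically valid v2 .onion hostnames, in list order."""
    seen, out = set(), []
    for row in json.loads(list_json)["aaData"]:
        host = row[1].strip().lower()
        if V2_ONION.match(host) and host not in seen:
            seen.add(host)
            out.append(host)
    return out


def wget_command(onion: str, timeout: int = 10) -> list:
    """One torsocks+wget invocation: the top page only (no -r, no -p), one try,
    short connect timeout.  Returns argv; shlex.join gives the shell form.
    Output file name <onion>.html is this example's convention."""
    return ["torsocks", "wget", f"--connect-timeout={timeout}", "--tries=1",
            f"--user-agent={USER_AGENT}", "--output-document", f"{onion}.html",
            f"http://{onion}/"]


def classify(exit_status: int) -> str:
    """Map a wget exit status to a result class.  Statuses from the wget manual:
    0 ok, 4 network failure, 8 server issued an error response.  Treating 8 as
    alive is an assumption: the service answered, so it exists."""
    if exit_status in (0, 8):
        return "alive"
    if exit_status == 4:
        return "unreachable"
    return "error"


def summarize(results: dict) -> dict:
    """results maps onion -> wget exit status; returns a count per class."""
    counts = {}
    for status in results.values():
        label = classify(status)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for onion in extract_onions(SAMPLE_LIST):
        print(shlex.join(wget_command(onion)))
```

Pipe the printed commands into a shell (or run them through xargs -P for parallelism) and record each exit status; summarize() then gives the alive count the deck reports as 4,102 of 174,523.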

  22. Word Cloud
    • Now we have the HTML of each top page.
    • Visualize word frequency:
    #!/usr/bin/env python3
    # Usage: wordcloud.py <file>   (writes <file>.png; paths are taken relative to the script)
    import sys
    from os import path
    from wordcloud import WordCloud  # pip install wordcloud

    d = path.dirname(__file__)
    infile = path.join(d, sys.argv[1])
    # Scraped pages mix encodings: decode as UTF-8 and drop undecodable bytes.
    with open(infile, encoding="utf-8", errors="ignore") as f:
        text = f.read()
    wordcloud = WordCloud(max_font_size=600, width=2560, height=1440).generate(text)
    wordcloud.to_file(infile + ".png")

  23. Word cloud of all sites (image)

  24. Word cloud of sites containing "malware" (image)
    • Black-hat hackers like sophomoric words. lol

  25. Clustering
    • Strip the HTML tags and extract the text

  26. Clustering
    • Calculate tf-idf:
      • term frequency (tf)
      • inverse document frequency (idf)
      • score = tf * log_2(N / df)
    Top-weighted terms for https://www.facebookcorewwwi.onion:
      0.0896242738109923 facebook
      0.0811608402477274 checkthis
      0.0763369146951766 words
      0.0637879047442443 sign
      0.0599923671251114 039
      0.0494245419919427 try
    ("039" is most likely residue of the &#039; HTML entity for the apostrophe: decode entities before tokenizing.)

  27. Clustering
    • Pearson score between site vectors (diagram with sites a, b, c, d, e)

  28. Clustering
    • 100 sites (randomly chosen) (dendrogram image)

  29. Clustering
    • 1,000 sites (randomly chosen) (dendrogram image)

  30. Clustering
    • 4,102 sites (all)
    • Comparing every pair of sites is O(N^2)
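The clustering pipeline of slides 25 to 30 carried through on constructed data, as an added example (this is not the deck's code): tokenize the stripped text, weight terms with tf * log_2(N / df), score every pair of sites with the Pearson correlation of their vectors, then merge the most correlated pairs first. The four "sites" are made up, tf is taken as count / document length (the slide does not say how tf is normalized), and single-linkage merging down to k clusters stands in for the dendrogram the deck draws; the pairwise scoring is the O(N^2) step that makes 4,102 sites slow.

```python
"""Clustering pipeline on constructed data: stripped text -> tf-idf with
tf*log2(N/df) -> Pearson score between site vectors -> pairwise agglomeration
(the O(N^2) step).  Added example, not the deck's own code.
Assumption: tf = count / len(doc); the four 'sites' are constructed."""
import math
import re
from collections import Counter
from itertools import combinations

SITES = {  # constructed plaintext of four imaginary .onion top pages
    "A": "buy cannabis kush lsd cannabis kush cocaine",
    "B": "cannabis kush cocaine cheap cannabis drug",
    "C": "us passport uk passport fake passport id",
    "D": "passport id uk passport card fake",
}


def tokenize(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


def tfidf(docs: dict) -> dict:
    """One sparse vector per document: tf(word) * log2(N / df(word))."""
    tokens = {name: tokenize(text) for name, text in docs.items()}
    n = len(tokens)
    df = Counter(w for toks in tokens.values() for w in set(toks))
    vecs = {}
    for name, toks in tokens.items():
        counts = Counter(toks)
        vecs[name] = {w: c / len(toks) * math.log2(n / df[w]) for w, c in counts.items()}
    return vecs


def top_terms(vec: dict, k: int) -> list:
    """Highest-weighted terms, like the per-site listing on the slide."""
    return sorted(vec.items(), key=lambda kv: -kv[1])[:k]


def pearson(v1: dict, v2: dict, vocab) -> float:
    """Pearson correlation of two sparse vectors over the shared vocabulary."""
    keys = sorted(vocab)
    n = len(keys)
    x = [v1.get(k, 0.0) for k in keys]
    y = [v2.get(k, 0.0) for k in keys]
    sx, sy = sum(x), sum(y)
    sxx, syy = sum(a * a for a in x), sum(b * b for b in y)
    sxy = sum(a * b for a, b in zip(x, y))
    den = math.sqrt((n * sxx - sx * sx) * (n * syy - sy * sy))
    return 0.0 if den == 0 else (n * sxy - sx * sy) / den


def pairwise_scores(vecs: dict) -> dict:
    """Every pair once: N*(N-1)/2 comparisons, the O(N^2) step hit at 4,102 sites."""
    vocab = set().union(*vecs.values())
    return {(a, b): pearson(vecs[a], vecs[b], vocab) for a, b in combinations(sorted(vecs), 2)}


def cluster(docs: dict, k: int) -> list:
    """Single-linkage agglomeration: merge the most correlated pair first and
    stop when k clusters remain.  Returns clusters as sorted lists of names."""
    vecs = tfidf(docs)
    parent = {name: name for name in vecs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    remaining = len(parent)
    for (a, b), _score in sorted(pairwise_scores(vecs).items(), key=lambda kv: -kv[1]):
        if remaining <= k:
            break
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
            remaining -= 1
    groups = {}
    for name in vecs:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for name, vec in tfidf(SITES).items():
        print(name, top_terms(vec, 3))
    print(cluster(SITES, k=2))
```

Sites A and B share drug terms and C and D share passport terms, so the two drug pages correlate positively with each other and negatively with the passport pages, and k=2 recovers the two markets. The union-find merge is cheap; the cost is pairwise_scores, which is why the deck moves to k-means as future work.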

  31. Tor shops
    • A PHP template for black-market sites, with Bitcoin payment
    • Used at 48 sites

  32. to 46. Clustering (Tor shops): dendrogram screenshots, no text

  47. Clustering (Tor shops)
    • About 12 clusters
    • Hitman, Drug, Phone, Tablet, Kush, LSD, Cannabis, Cocaine, USD, Hacker, US Passport, UK Passport

  48. https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998
    Previous research on clustering web-based hidden services, but not focused on black markets.

  49. Conclusion
    • Tor hidden services: there are hidden services run for criminal purposes.
    • There are about 12 types of black market.
    • Future work: further analysis using k-means.

  50. Running an Exit Node

  51. Tor
    (Same diagram as slide 7.) The exit node can sniff unencrypted packets, so use SSL/TLS. The entry node knows the source IP address.

  52. Tor
    The exit node can sniff unencrypted packets, so we can monitor attacks that go through Tor.


  53. • To the victim, the attacker is YOU: the attack arrives from the exit node's IP address.
    • An IPS on the exit node is required.

  54. Attacks on the exit node
    • Exit nodes can be chosen explicitly in torrc, so traffic can be steered through a specific exit.
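The torrc lines behind the slide above, as an added example (not from the deck): ExitNodes accepts relay fingerprints (a $ followed by 40 hex digits) or country codes in braces; the country code below is illustrative and the fingerprint form is shown only in the comment.

```text
# torrc (added example, not from the deck): steer circuits to chosen exits.
# ExitNodes takes relay fingerprints ($ + 40 hex digits) or country codes.
ExitNodes {us}
# For a single relay, give its fingerprint instead: ExitNodes $<40-hex-fingerprint>
```

The same option is how an attacker picks your exit, which is the point of the slide: whoever runs the exit gets to be the apparent source of whatever is sent through it.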

  55. Pass the buck (bad idea)
    (Diagram) Forward the exit traffic into Tor once more, so our exit node acts as the entry node of a second circuit.

  56. to 59. https://goo.gl/PFWpYn (screenshots)

  60. https://www.reddit.com/r/SilkRoad/

  61. https://www.reddit.com/r/DarkNetMarkets

  62. "The Dark Net: Inside the Digital Underworld"

  63. Session on anonymizing data, USENIX Security 2015
    https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/forget-me-not
    • BGP/AS-level de-anonymization of Tor
    • Fingerprinting hidden-service connections

  64. http://panopticlick.eff.org
    Tor Browser on this machine (default settings)

  65. https://torstatus.blutmagie.de
    There are only ~7,000 relays listed.
    Tor is not fully secure.
    Research is no longer about whether Tor can be de-anonymized, only about how efficiently it can be done.

  66. • 187 deep-web architectures: https://github.com/redecentralize/alternative-internet
    • Alternative internets change the world, and crime along with them.