Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Peeling Onions

Yuma Kurogome
November 15, 2015
Research
7
3.2k

Peeling Onions

AVTOKYO 2015 発表資料

Yuma Kurogome

November 15, 2015
Tweet

More Decks by Yuma Kurogome

See All by Yuma Kurogome
The Art of De-obfuscation
ntddk
16
26k
死にゆくアンチウイルスへの祈り
ntddk
55
38k
Windows Subsystem for Linux Internals
ntddk
10
2.6k
なぜマルウェア解析は自動化できないのか
ntddk
6
3.8k
Linear Obfuscation to Drive angr Angry
ntddk
4
760
CAPTCHAとボットの共進化
ntddk
2
970
マルウェアを機械学習する前に
ntddk
3
1.4k
仮想化技術を用いたマルウェア解析
ntddk
8
27k
An Introduction to Drawbridge(ja)
ntddk
11
2.9k

Other Decks in Research

See All in Research
[輪講資料] LoRA: Low-Rank Adaptation of
Large Language Models
hpprc
24
15k
論文紹介 / Ego-Body Pose Estimation via Ego-Head Pose Estimation
forest1988
0
140
単語の通時的な意味変化のモデル化
seiichiinoue
3
700
【論文紹介】Google. 2023. PaLM 2 Technical Report
chokkan
PRO
9
4.6k
20230425 PRIVACY TECH NIGHT #02 「統計化すれば安全」の罠 ──差分プライバシーの背景
nrryuya
0
380
Collaborative AI: 視覚・言語・行動の融合
kyoun
16
5.4k
2023 東工大 情報通信系 研究室紹介 (大岡山) / [email protected], Tokyo Tech (Ookayama Campus) 2023
icttitech
0
5.2k
そのリファレンス誰のため?ユーザ活用に向き合う/finjaws31
mhrtech
0
120
zk-SPARQL: SPARQLクエリに対して検証とプライバシ保護が可能な結果を返すパーソナルRDFデータストア
yamdan
0
700
コロナ禍だからこそ考えるオフラインコミュニティの意義 / significance of community
ariaki
0
1.1k
AWS Mac も IaC したい! / AWS Mac also wants to IaC!
nttcom
0
350
JSAI2023 チュートリアル「解釈可能な機械学習 〜説明は人のためか〜」
yuyay
5
630

Featured

See All Featured
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Ruby is Unlike a Banana
tanoku
93
9.7k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Fashionably flexible responsive web design (full day workshop)
malarkey
395
64k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
8.9k
Embracing the Ebb and Flow
colly
76
3.7k
Visualization
eitanlees
130
12k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
9
5.3k
Building Your Own Lightsaber
phodgson
96
5k
The Invisible Customer
myddelton
113
12k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
[RailsConf 2023] Rails as a piece of cake
palkan
7
1.5k

Transcript

  1. Peeling Onions
    @ntddk
    AVTOKYO 2015
    2015.11.14
    1

    View Slide

  2. $ whoami
    • http://ntddk.github.io
    • Student
    • Security Camp Lecturer
    • CODE BLUE 2015 Speaker
    2

    View Slide

  3. Peeling Onions
    3

    View Slide

  4. The Onion Routing
    4

    View Slide

  5. Tor

    • One of the most common anonymous
    communication systems
    5

    View Slide

  6. Tor
    6
    AES encryption

    View Slide

  7. Tor
    7
    Exit node can sniff plaintext packet.
    So you should use SSL.
    IP
    Entry node can knows source IP address.

    View Slide

  8. Tor
    8
    Tor hidden services
    Hidden services can only be accessed through Tor
    Exit nodes are not used
    at this time.
    .onion TLD
    These are also called “deep web”.

    View Slide

  9. 9
    http://blog.trendmicro.co.jp/archives/12349
    Investigation of underground community in Japan

    View Slide

  10. 10
    https://www.facebookcorewwwi.onion
    Hash of public key

    View Slide

  11. 11
    https://www.facebookcorewwwi.onion

    View Slide

  12. Tor
    12

    View Slide

  13. 13
    https://goo.gl/PFWpYn

    View Slide

  14. 14
    Tor
    Measurement of drug marketplace on Tor network
    https://www.usenix.org/conference/usenixsecurity15/technical-
    sessions/session/measurement

    View Slide

  15. 15
    Confidence is most important in underground. One review, one transaction.

    View Slide

  16. 16

    View Slide

  17. Crawling Deep Web
    17

    View Slide

  18. 18
    http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-
    cybercriminals/
    900 hidden services
    Kaspersky found 900 hidden services.

    View Slide

  19. 19
    http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for-
    cybercriminals/
    Tor 30,000 hidden services
    Tor project says there are over 30,000 hidden services.

    View Slide

  20. 20
    https://bdpuqvsqmphctrcs.onion
    List of 174,523 hidden services

    View Slide

  21. 21
    {
    "aaData": [
    [
    "0",
    "torlinkbgs6aabns.onion",
    "TorLinks | .onion Link List The Hidden Wiki TheHiddenWiki Onion Urls
    onionland Tor linklist Deepweb",
    "https://encrypted.google.com/search?q=¥".onion¥"",
    "1442342899",
    "1369353102",
    "388",
    "2328"
    ],
    [
    "1",
    "ci3hn2uzjw2wby3z.onion",
    "Talk.onion",
    "https://encrypted.google.com/search?q=¥".onion¥"",
    "1375548844",
    "1369353102",
    "396",

    But, how many of them still alive?

    View Slide

  22. Scraping

    • Confirm the existence of services from the list.
    22
    torsocks wget ¥
    --connect-timeout=10 --tries=1 ¥
    --user-agent= ¥
    “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥
    [.onion]
    Same as Tor browser
    html
    You should scrape only html to avoid child pornography

    View Slide

  23. Scraping

    • Confirm the existence of services from the list.
    • 4,102/174,523
    • Found 4,102/174,523 sites still alive!
    23
    torsocks wget ¥
    --connect-timeout=10 --tries=1 ¥
    --user-agent= ¥
    “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥
    [.onion]

    View Slide

  24. Word Cloud
    • html
    • Now we have html files of the top pages.

    • Visualize word frequency
    24
    #!/usr/bin/env python2
    import sys
    from os import path
    from wordcloud import WordCloud
    d = path.dirname(__file__)
    argvs = sys.argv
    text = open(path.join(d, argvs[1])).read()
    wordcloud = WordCloud(max_font_size=600,width=2560,height=1440).generate(text)
    wordcloud.to_file(path.join(d, argvs[1]+".png"))

    View Slide

  25. 25
    • Word cloud of all sites

    View Slide

  26. 26
    • Word cloud of sites which contain “malware”

    • Black hat hacker likes sophomoric words. lol

    View Slide

  27. Clustering
    • html
    • Strip html tags, extract text
    27

    View Slide

  28. Clustering
    • Calculate tf-idf

    • Term frequency

    • Inverse document frequency
    • tf*log_2(N/df)
    28
    0.0896242738109923 facebook
    0.0811608402477274 checkthis
    0.0763369146951766 words
    0.0637879047442443 sign
    0.0599923671251114 039
    0.0494245419919427 try
    https://www.facebookcorewwwi.onion

    View Slide

  29. Clustering
    • Pearson score
    29
    a
    b
    c
    d
    e

    View Slide

  30. Clustering
    • 100 sites (randomly chosen)
    30

    View Slide

  31. Clustering
    • 1,000 sites (randomly chosen)
    31
    __ ━┓
    ― ┏┛
    ( )
    ( ) ⌒
    __ |
    /
    _
    /
    | |
    | |

    View Slide

  32. Clustering
    • 4,102 sites (all)

    • O(N^2)
    32

    View Slide

  33. 33

    View Slide

  34. Tor shops
    • PHP
    • Template written in PHP for black markets
    • Bitcoin
    • 48
    • Used at 48 sites
    34

    View Slide

  35. Clustering (Tor shops)
    35

    View Slide

  36. Clustering (Tor shops)
    36

    View Slide

  37. Clustering (Tor shops)
    37

    View Slide

  38. Clustering (Tor shops)
    38

    View Slide

  39. Clustering (Tor shops)
    39

    View Slide

  40. Clustering (Tor shops)
    40

    View Slide

  41. Clustering (Tor shops)
    41

    View Slide

  42. Clustering (Tor shops)
    42

    View Slide

  43. Clustering (Tor shops)
    43

    View Slide

  44. Clustering (Tor shops)
    44

    View Slide

  45. Clustering (Tor shops)
    45

    View Slide

  46. Clustering (Tor shops)
    46

    View Slide

  47. Clustering (Tor shops)
    47

    View Slide

  48. Clustering (Tor shops)
    48

    View Slide

  49. Clustering (Tor shops)
    49

    View Slide

  50. Clustering (Tor shops)
    • About 12 clusters
    • Hitman, Drug, Phone, Tablet, Kush, LSD, Cannabis,
    Cocaine, USD, Hacker, US Passport, UK Passport
    50

    View Slide

  51. 51
    https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998
    Previous research of clustering web-based hidden services
    But not focused on black markets

    View Slide

  52. Conclusion
    • Tor hidden services
    • There are hidden services for criminal purpose.
    • 12
    • There are about 12 types of black markets.
    • k-means
    • We will do further analysis by using a k-means
    in the future.
    52

    View Slide

  53. Running Exit Node
    53

    View Slide

  54. Tor
    54
    Exit node can sniff unencrypted packet.
    So you should use SSL.
    IP
    Entry node can knows source IP address.

    View Slide

  55. Tor
    55
    Exit node can sniff unencrypted packet.
    Tor
    We can monitor attacks via Tor.

    View Slide


  56. • For victim, attacker is YOU.
    • IPS
    • IPS is required.
    56

    View Slide

  57. 57

    View Slide

  58. Attack to exit node
    • .torrc
    • You can specify exit nodes by .torrc.

    58

    View Slide

  59. Pass the back (bad idea)
    59
    Tor
    Passing to Tor once more.
    Entry node

    View Slide

  60. Appendix
    60

    View Slide

  61. 61
    https://goo.gl/PFWpYn

    View Slide

  62. 62
    https://goo.gl/PFWpYn

    View Slide

  63. 63
    https://goo.gl/PFWpYn

    View Slide

  64. 64
    https://goo.gl/PFWpYn

    View Slide

  65. 65
    https://www.reddit.com/r/SilkRoad/

    View Slide

  66. 66
    https://www.reddit.com/r/DarkNetMarkets

    View Slide

  67. 67
    “The Dark Net: Inside the Digital Underworld”
    ( )

    View Slide

  68. 68
    Session of anonymizing data
    https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/forget-
    me-not
    BGP/AS Tor
    BGP/AS-level de-anonymization of Tor
    Fingerprinting hidden service connections

    View Slide

  69. 69
    http://panopticlick.eff.org
    Tor browser on this machine(default setting)

    View Slide

  70. 70
    https://torstatus.blutmagie.de
    There are only ~7000 exit nodes
    Tor is not fully secure.
    Tor
    Tor
    Research is not in the stage about whether it can be de-anonymized or not.
    It is just about its efficiency.

    View Slide

  71. • 187 deep web architectures
    • Alternative internet alter the world, crime as
    well. 71
    https://github.com/redecentralize/alternative-internet

    View Slide