Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Peeling Onions

5c6358240ec94522f70cf7b0e657f58f?s=47 Yuma Kurogome
November 15, 2015
Research
7
3.1k

Peeling Onions

AVTOKYO 2015 発表資料

5c6358240ec94522f70cf7b0e657f58f?s=128

Yuma Kurogome

November 15, 2015
Tweet

More Decks by Yuma Kurogome

See All by Yuma Kurogome
The Art of De-obfuscation
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
16
26k
死にゆくアンチウイルスへの祈り
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
55
38k
Windows Subsystem for Linux Internals
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
10
2.5k
なぜマルウェア解析は自動化できないのか
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
6
3.7k
Linear Obfuscation to Drive angr Angry
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
4
740
CAPTCHAとボットの共進化
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
2
930
マルウェアを機械学習する前に
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
3
1.3k
仮想化技術を用いたマルウェア解析
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
8
26k
An Introduction to Drawbridge(ja)
5c6358240ec94522f70cf7b0e657f58f?s=48 ntddk
11
2.8k

Other Decks in Research

See All in Research
2022松井研研究室紹介
6bd63bb363d2cb9933b263463f6305cf?s=48 matsui_528
0
610
Local search and metaheuristics for combinatorial optimization problems
D0167b760673d702a06427fb3f878696?s=48 umepon
0
200
AI時代に向けたクラウドにおける信頼性エンジニアリングの未来構想 / DICOMO2022 6A-1
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
5
830
論文紹介 / GeoDiff: A Geometric Diffusion Model for Molecular Conformation Generation
2ad725754b7ea0ff9e0abb9b7017fc07?s=48 forest1988
1
130
PLDI '21論文読み会: Provable Repair of Deep Neural Networks
5148cbb852e980b3b3d0e71d579ddbf8?s=48 ideininc
0
950
Traps and Transport Resistance—The Next Frontier for Stable State-of-the-Art Non-Fullerene Acceptor Solar Cells
334f01a47399398d714386a72edb727a?s=48 deibel
0
520
予測の不確かさの活用について
5fc3f0d4c30da8595270ff76f046b337?s=48 masatoto
0
150
第13回チャンピオンズミーティング・タウラス杯ラウンド1集計 / Umamusume Taurus 2022 Round1
9782dd351a8f1737d4ef02d839e821f9?s=48 kitachan_black
0
780
Making CRDTs Byzantine fault tolerant
0d4ef9af8e4f0cf5c162b48ba24faea6?s=48 ept
0
440
組込み向けROS 2ノード実行環境の定量的評価 [ROBOMECH2022再演+α]
91b03a57e0ef56fee59fbddc66a7f6fd?s=48 takasehideki
0
340
第14回チャンピオンズミーティング・ジェミニ杯ラウンド2集計 / Umamusume Gemini 2022 Round 2
9782dd351a8f1737d4ef02d839e821f9?s=48 kitachan_black
0
870
自然言語処理とVision-and-Language / A Tutorial on NLP & Vision-and-Language
067c2e9dfad1914df731f6f0d65d9890?s=48 kyoun
13
7k

Featured

See All Featured
Keith and Marios Guide to Fast Websites
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
404
21k
The Invisible Customer
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
110
11k
Learning to Love Humans: Emotional Interface Design
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
37k
VelocityConf: Rendering Performance Case Studies
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
316
22k
Docker and Python
Ecdea9b9714877b86cee08458f085481?s=48 trallard
27
1.6k
How GitHub (no longer) Works
78b475797a14c84799063c7cd073962f?s=48 holman
297
140k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
Building Applications with DynamoDB
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
84
4.8k
Designing on Purpose - Digital PM Summit 2013
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.7k
How to train your dragon (web standard)
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
60
3.9k
StorybookのUI Testing Handbookを読んだ
50fc0fdc2327ecbe7350645812de52e3?s=48 zakiyama
6
2.5k
Mobile First: as difficult as doing things right
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
213
7.6k

Transcript

  1. Peeling Onions @ntddk AVTOKYO 2015 2015.11.14 1

  2. $ whoami • http://ntddk.github.io • Student • Security Camp Lecturer

    • CODE BLUE 2015 Speaker 2

  3. Peeling Onions 3

  4. The Onion Routing 4

  5. Tor • • One of the most common anonymous communication

    systems 5

  6. Tor 6 AES encryption

  7. Tor 7 Exit node can sniff plaintext packet. So you

    should use SSL. IP Entry node can knows source IP address.

  8. Tor 8 Tor hidden services Hidden services can only be

    accessed through Tor Exit nodes are not used at this time. .onion TLD These are also called “deep web”.

  9. 9 http://blog.trendmicro.co.jp/archives/12349 Investigation of underground community in Japan

  10. 10 https://www.facebookcorewwwi.onion Hash of public key

  11. 11 https://www.facebookcorewwwi.onion

  12. Tor 12

  13. 13 https://goo.gl/PFWpYn

  14. 14 Tor Measurement of drug marketplace on Tor network https://www.usenix.org/conference/usenixsecurity15/technical-

    sessions/session/measurement

  15. 15 Confidence is most important in underground. One review, one

    transaction.

  16. 16

  17. Crawling Deep Web 17

  18. 18 http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for- cybercriminals/ 900 hidden services Kaspersky found 900 hidden

    services.

  19. 19 http://securelist.com/blog/incidents/58542/tor-hidden-services-a-safe-haven-for- cybercriminals/ Tor 30,000 hidden services Tor project says

    there are over 30,000 hidden services.

  20. 20 https://bdpuqvsqmphctrcs.onion List of 174,523 hidden services

  21. 21 { "aaData": [ [ "0", "torlinkbgs6aabns.onion", "TorLinks | .onion

    Link List The Hidden Wiki TheHiddenWiki Onion Urls onionland Tor linklist Deepweb", "https://encrypted.google.com/search?q=¥".onion¥"", "1442342899", "1369353102", "388", "2328" ], [ "1", "ci3hn2uzjw2wby3z.onion", "Talk.onion", "https://encrypted.google.com/search?q=¥".onion¥"", "1375548844", "1369353102", "396", … But, how many of them still alive?

  22. Scraping • • Confirm the existence of services from the

    list. 22 torsocks wget ¥ --connect-timeout=10 --tries=1 ¥ --user-agent= ¥ “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥ [.onion] Same as Tor browser html You should scrape only html to avoid child pornography

  23. Scraping • • Confirm the existence of services from the

    list. • 4,102/174,523 • Found 4,102/174,523 sites still alive! 23 torsocks wget ¥ --connect-timeout=10 --tries=1 ¥ --user-agent= ¥ “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0.1) Gecko/20100101Firefox/8.0.1” ¥ [.onion]

  24. Word Cloud • html • Now we have html files

    of the top pages. • • Visualize word frequency 24 #!/usr/bin/env python2 import sys from os import path from wordcloud import WordCloud d = path.dirname(__file__) argvs = sys.argv text = open(path.join(d, argvs[1])).read() wordcloud = WordCloud(max_font_size=600,width=2560,height=1440).generate(text) wordcloud.to_file(path.join(d, argvs[1]+".png"))

  25. 25 • Word cloud of all sites

  26. 26 • Word cloud of sites which contain “malware” •

    • Black hat hacker likes sophomoric words. lol

  27. Clustering • html • Strip html tags, extract text 27

  28. Clustering • Calculate tf-idf • • Term frequency • •

    Inverse document frequency • tf*log_2(N/df) 28 0.0896242738109923 facebook 0.0811608402477274 checkthis 0.0763369146951766 words 0.0637879047442443 sign 0.0599923671251114 039 0.0494245419919427 try https://www.facebookcorewwwi.onion

  29. Clustering • Pearson score 29 a b c d e

  30. Clustering • 100 sites (randomly chosen) 30

  31. Clustering • 1,000 sites (randomly chosen) 31 __ ━┓ ―

    ┏┛ ( ) ( ) ⌒ __ | / _ / | | | |

  32. Clustering • 4,102 sites (all) • • O(N^2) 32

  33. 33

  34. Tor shops • PHP • Template written in PHP for

    black markets • Bitcoin • 48 • Used at 48 sites 34

  35. Clustering (Tor shops) 35

  36. Clustering (Tor shops) 36

  37. Clustering (Tor shops) 37

  38. Clustering (Tor shops) 38

  39. Clustering (Tor shops) 39

  40. Clustering (Tor shops) 40

  41. Clustering (Tor shops) 41

  42. Clustering (Tor shops) 42

  43. Clustering (Tor shops) 43

  44. Clustering (Tor shops) 44

  45. Clustering (Tor shops) 45

  46. Clustering (Tor shops) 46

  47. Clustering (Tor shops) 47

  48. Clustering (Tor shops) 48

  49. Clustering (Tor shops) 49

  50. Clustering (Tor shops) • About 12 clusters • Hitman, Drug,

    Phone, Tablet, Kush, LSD, Cannabis, Cocaine, USD, Hacker, US Passport, UK Passport 50

  51. 51 https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998 Previous research of clustering web-based hidden services But

    not focused on black markets

  52. Conclusion • Tor hidden services • There are hidden services

    for criminal purpose. • 12 • There are about 12 types of black markets. • k-means • We will do further analysis by using a k-means in the future. 52

  53. Running Exit Node 53

  54. Tor 54 Exit node can sniff unencrypted packet. So you

    should use SSL. IP Entry node can knows source IP address.

  55. Tor 55 Exit node can sniff unencrypted packet. Tor We

    can monitor attacks via Tor.

  56. • • For victim, attacker is YOU. • IPS •

    IPS is required. 56

  57. 57

  58. Attack to exit node • .torrc • You can specify

    exit nodes by .torrc. • 58

  59. Pass the back (bad idea) 59 Tor Passing to Tor

    once more. Entry node

  60. Appendix 60

  61. 61 https://goo.gl/PFWpYn

  62. 62 https://goo.gl/PFWpYn

  63. 63 https://goo.gl/PFWpYn

  64. 64 https://goo.gl/PFWpYn

  65. 65 https://www.reddit.com/r/SilkRoad/

  66. 66 https://www.reddit.com/r/DarkNetMarkets

  67. 67 “The Dark Net: Inside the Digital Underworld” ( )

  68. 68 Session of anonymizing data https://www.usenix.org/conference/usenixsecurity15/technical-sessions/session/forget- me-not BGP/AS Tor BGP/AS-level

    de-anonymization of Tor Fingerprinting hidden service connections

  69. 69 http://panopticlick.eff.org Tor browser on this machine(default setting)

  70. 70 https://torstatus.blutmagie.de There are only ~7000 exit nodes Tor is

    not fully secure. Tor Tor Research is not in the stage about whether it can be de-anonymized or not. It is just about its efficiency.

  71. • 187 deep web architectures • Alternative internet alter the

    world, crime as well. 71 https://github.com/redecentralize/alternative-internet