Ripping Apart Surface and Dark Web via OSINT

#whoami 👉 Ashwani kumar a.k.a CyberK@Lki 👉 Hobbies – Gaming & finding new places to go solo 👉 Interest area – OSINT, Network Pentest, Malware analysis, Social engineering , DevSecOps, Geopolitics & Quantum physics 👉 Professional CS GO & Fortnite Player : Nick : GodWA 👉 Certified ICS Security skills from US Homeland Security & CISA 👉 Reported Scada bugs for BSNL, Railtel & other National critical infrastructures 👉 Provide OSINT training and consultancy to govt agencies & Private entities 👉 Work closely with CyberPeace NGO helping Indian masses to stay safe in cyberspace and build next-gen cyber warriors 2 Website – hack.cyberkalki.com

Key takeaways World Wide Web is composed of the three layers: Surface Web, Deep Web and Darknet. ● Surface Web covers only 5 % of the World Wide Web. ● Deep Web includes any kind of web services and constitutes a very interesting data source for OSINT investigations. ● Darknet can be accessed only by using dedicated technology, such as TOR or I2P.

OSINT integration with DML model

Surface Web Efficient OSINT analysis requires Federated Search including the following data sources: ● Search engines, such as Google, Bing, Yahoo, and others. ● Deep web search engines, such as DuckDuckGo. ● Social media, for example Twitter, Weibo, Instagram, Facebook, or LinkedIn. ● RSS feeds from websites of interest. ● New Data-as-a-Service providers, e.g. for financial figures or other information.

Surface Web Federated search retrieves information from a variety of sources via a search application built on top of one or more search engines whereas metasearch engine is an online Information retrieval tool that take input from a user and immediately query search engines for results. Sufficient data is gathered, ranked, and presented to the users. Ref: OSINT Open Source Intelligence tools resources methods techniques

Deep Web Contents on the Deep Web cannot be indexed because: ● it is either protected with a password, such as your cloud storage, webmail solution, digital libraries, online magazines, or newspapers. ● or it is stored behind web services or APIs preventing direct access to the raw data. ● There are many deep web data sources available: ● Google patent database ● Google academic database ● EU Sanction Lists ● HaveIBeenPwned The extracted deep-web links helps OSINT analyst in use cases like crypto, fraud, criminal intelligence investigation scenarios to articulate and correlate hidden data points.

Dark Web - The Cult of OSINT The dark web is a subset of the internet that is accessed via special means, such as a TOR browser, and not immediately available from the clear net. Another common darknet is Zeronet. Each has different access requirements or methods. Different darknet details: ● TOR: https://www.torproject.org ● Zeronet: https://zeronet.io/ ● I2P: https://geti2p.net/en/ ● Freenet: https://freenetproject.org/index.html

Dark Web - Illegal Services

Dark Web - Legal Services

Is TOR Really Safe ?

How is traffic on TOR network ? Torflow is an uncharted app which places each relay on a world map and illustrate traffic exchanged between relays as animated dots. Similarly, tor-metrics shows list of exit nodes as per geolocation tagged. Some investigators will have a requirement to identify & monitor new .onion sites as they arise. This could be to observe patterns, identify new vectors, or simply to create additional pipelines of new .onion URLs to feed into custom crawling engines for advanced users.

DarkWeb TTP Tools , techniques and tactics for OSINT Investigation

Dark Web - Marketplace to watch ● General Markets ● PII & PHI ● Credit Cards ● Digital identities ● Information Trading ● Remote Access ● Personal Documents ● Electronic Wallets ● Insider Threats

Dark Web - Sites examples

Dark Web - Product examples

Dark Web - Automating Threat hunting

Dark Web - Automating Crawler

Dark Web - Tools to try out ● Scrapy ● Tor ● OnionScan ● Privoxy ● Elastic ● Redis ● Torbot ● OnionSearch ● Darkdump / Darksearch ● Maltego / Lampyre ● Hunchly ● Searchlight / Spectrum ● OnionIngestor / Poopak : Hidden service crawler

Dark Web - Scrapy

Dark Web : Katana Scanner Katana-ds (ds for dork_scanner) is a simple python tool that automates Google Hacking/Dorking and supports Tor. It becomes a more powerful in combination with GHDB. IT supports google dorking for finding exposure points & enumeration, help finding exposed PLC and SCADA devices with tor and proxy support.

Dark Web : Crawler & bots TorCrawl.py is a python script to crawl and extract (regular or onion) webpages through TOR network. Similarly, TorBot is an open source intelligence tool developed in python. The main objective of this project is to collect open data from the deep web (aka dark web) and with the help of data mining algorithms, collect as much information as possible and produce an interactive tree graph. The interactive tree graph module will be able to display the relations of the collected intelligence data. On same pattern, onionscan and other tools are made and widely used with variant features and scope of data intel.

Dark Web OnionScan OnionScan is a free and open source tool for investigating the Dark Web. It helps to detect :- ● Build a better fingerprint of your server, including php and other software versions. ● Determine client IP addresses if you are co-hosting a clearnet site. ● Determine your IP address if your setup allows. ● Determine other sites you are co-hosting. ● Determine how active your site is. ● Find secret or hidden areas of your site ● Open Directories ● Server Fingerprint ● Analytics IDs ● Protocol Detection

Dark Web : Dumping darkweb links Tools like Onionsearch, darkdump, darksearch performs scanning of top darknet forums, websites and marketplaces against provided keywords and collate it to user for further analysis.

Dark Web :Monitoring hidden services

Q/A Session

Next Session Agenda ● Understanding Darkweb and TOr ● Planning and readiness for conducting darkweb investigation ● Strategies and approaches based on use cases ● Investigative workflow ● Toolkit and tactics ● Reporting and concerns ● Challenges and workarounds

Follow my social media handles & website i.am.psy.ber_kalki