luckytriple6
tor honeypot hacks true identity of tor users
    #22328812 - 10/03/15 03:08 PM (8 years, 3 months ago)

I tried to post this in the news section but it was taken down, so I'll post it here. If any mods object to this being in this section, please move it to the appropriate section of the forums.

I feel this is something any user of tor should read. This was one researcher, not an alphabet soup government agency with nearly unlimited funds. If one man can unmask as many users as he did, I can only imagine what a government agency is capable of doing. I originally ran across this article on fossbytes:

http://fossbytes.com/tor-honeypot-how-to-hack-the-true-identity-of-tor-users/

There is a link at the bottom of the page to this article which was the original article that fossbytes based theirs from:

http://geekslop.com/2015/catching-pedophiles-running-secret-dark-web-tor-honeypot

Three honeypots were set up, one for drugs, one for card scamming/hacking, and one for pedophilia. The pedophiles flocked to their honeypot, whereas the other two honeypots didn't draw many users. It was quite sickening to read some of the info gathered; honestly I never even finished reading it. Here is most of it; just what I posted is a long read. For the full article with pics and supporting tech info, check out the second link I posted.

4 days running a secret Dark Web pedophile honeypot (and why I now think Tor is the devil)
// July 7th, 2015 // Hacking and Security

15 days running a secret Dark Web honeypot (and why I now think Tor is the devil)

Honeypot [noun] – a container for honey

Honeypot [noun] – a trap set to detect, deflect, or in some manner counteract attempts to access a computer system, generally consisting of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to visitors.

Note: I tried to keep technical details in their own sections.  See “Tech Background” sections if you are interested in setting up a Tor honeypot.  Don’t hesitate to shoot me an email if you have any questions.

Update (7/9/15): I have received comments from Tor supporters and project leaders expressing concern over the headline of this post. Before assuming the headline says it all, please read the entire article.  The headline *does* reflect my underlying feelings, disappointment that the anonymity provided by the Tor network is being widely abused, but does not imply I feel the network is without purpose.  I run Tor myself, operate a hidden service (legit), run a private VPN on several machines, and use encryption all over the place.  Tor provides a beneficial, possibly even crucial, service – but I firmly believe that if we continue to hide our heads in the sand, we may well lose the right to utilize it.

Preface
The answer to the question on your mind
[Image: Sample security scanner output captured identifying information for Tor user]

Before discoursing the lengthy analysis of the Dark Web honeypots (there were three), let’s answer the question that is surely on everyone’s mind – did the honeypot allow me to reveal the true identity of the person visiting the Tor site? In many cases enough evidence was gathered to provide a pretty good guess or at least a good launching point for identification of the person that visited the site. Surprisingly, in some cases, the identity of the person was undeniably revealed and included the person’s name, unique personal computer footprint, and true external IP address (see partial data example above). And to answer the second question, “no”, this did not require the placement of malicious malware.  Read on…

A potentially unhealthy hatred of pedophiles?
Although this project was initially intended to secretly track the activities and behavior of three types of Tor users – those interested in or seeking counterfeiting services, illegal drug products, and pedophiles – the faux-pedophile Tor hidden service struck a particularly disheartening chord with me. First, the pedo site saw magnitudes more traffic than the counterfeiting or drugs websites – in the order of 100 times more traffic than the other two combined. Secondly, I have a deep-rooted personal (and admittedly unhealthy) disdain for pedophiles. Contrary to what you might initially assume, I have never been sexually abused. However, I have adopted a beautiful daughter who was abused in the most unimaginable ways (physically and sexually beginning at age 5). Her abuse was doled out via multiple pedophiles as she shuffled in and out of the child protective services system (which repeatedly failed to protect her) while legal cases against the perpetrators were left hanging in a void.

Given my circumstances, I have seen first-hand the psychological damage a pedophile’s actions cause. The damage done to these children is permanent and no matter how much counseling and assistance they seek – the experience is forever embedded into their self, shaping (and sometimes limiting) what they become as adults.

The immorality of a pedophile honeypot?
All honeypots beg this question: are they fair to the user who stumbled across it? Pedophilia exists on both the Clearnet (i.e. the Internet) and the Dark Web (i.e. Darknet or Tor). I have been deeply involved with website engineering and software development since the early days of the Internet and am familiar with every nook and cranny on these networks. Regardless, not once have I run across child pornography. Oh, I’ve seen the links of course, but never blundered across one, polluting my mind with images that can never be un-seen (I’m a firm believer that whatever we put into our minds becomes a part of who we are and ultimately what we become). Point being, pedophiles actively solicit, seek, and choose to find and view pedophilia material. It is never by accident that they run across illegal, pornographic material featuring children – and it was surely not by chance that they ran across my Dark Web honeypot.

First step: the Dark Web spider and lessons learned
The idea for the honeypot project began with a Dark Web spider, a computer software application which, using the Tor protocol, crawls the blackest recesses of the Dark Web cataloging links and websites (hidden services) while attempting to categorize the content it discovers. My Dark Web spider is a 1,400 line PHP program which uses Curl to jump from Tor to HTTP and back. It kicks off at midnight each night and runs for eight hours before gracefully shutting itself down. Upon termination, it generates a series of HTML reports listing crawl statistics, URLs that were found, and information on the Dark Web sites it has discovered. The reports are published nightly on a hacker-related Dark Web site that I am involved with.

From the spider, I gleaned two surprising bits of information. Firstly, the hidden darknet is not nearly as large as legend claims. Of the 1 million+ URLs discovered, only about 4,000-5,000 hidden services are running at any given time. Secondly, the content served by these sites is almost universally illegal or immoral (by my definition anyway). A conservative estimate would be maybe 1 out of 200 or so hidden service websites contain content I would deem worthy of the protection an anonymous network provides. Sites featuring free speech proxies or libraries of hard-to-find underground literature are few and far between on the Dark Web.

At first I was shocked, then disheartened at the depravity of my fellow man (to the point of shutting down the crawler and .onion hidden service). Then I became angry (sort of the reverse order of the normal five stages of loss and recovery, I guess). Anger led to action after I wondered: could I determine the identity of these Dark Web users who chose to take advantage of the anonymous Tor service?

TECH BACKGROUND: The Dark Web spider
The PHP web crawler consists of five stages: (1) quick site connectivity test, (2) crawl a limited number of uncrawled websites, (3) attempt to re-crawl sites that have recently errored, (4) attempt to re-crawl sites that errored in the last 24 hours, (5) attempt to re-crawl sites that errored during the past week.

The crawl job pulls URLs from a MySQL database which began with a single seed site URL. As new URLs are found, they are added to the database which records the date/time of the connection attempt, ticks error counters, and derives a few parsed data fields related to categorization of the content discovered.

SIGINT signals are caught so that the job can gracefully perform shutdown processing when a termination is requested. New URLs are validated and cleaned. Non-onion related sites are kicked out. For legal reasons, I specifically reject links to images and take care not to pull down binaries during the crawl.

Curl is used to proxy between Tor and HTTP. User Agent and Referrer strings are forged and passed to the target in an attempt to avoid being detected as an automated spider.

The Dark Web honeypots
How Tor works
Before delving too deeply into the honeypot configurations, a quick rehash of Tor is needed. Tor, or The Onion Router, is a network consisting of tens of thousands of volunteer computers which, together, provide a distributed anonymous network. Data packets on the Tor network take a pseudo-random pathway through several “relays” that serve to cover your tracks by ensuring that no observer at any single point in the circuit can tell where the data came from or where it is going.

To create a private network pathway with Tor, the user’s client software incrementally builds a “circuit” of encrypted connections through the relays on the network. The circuit is extended, one hop at a time, and each relay along the way knows only which relay gave it the data packet and which relay it is to hand the data packet off to. With this architecture, no single relay ever knows the complete path that a data packet has taken.

In addition, the client negotiates a separate set of encryption keys for each hop along the circuit to ensure that no single hop can view (and trace) these connections as they pass through. Thus, all data passing through the network is wrapped in an encrypted packet with multiple layers of encryption added incrementally (like layers in an onion) as the packet passes through a Tor node.

As a part of the Tor protocol, anonymous websites can be configured which are offered the same anonymity the Tor network provides its users. These anonymous websites are called “hidden services”.

Three honeypots: counterfeiting, drugs, and pedophilia
Three Tor hidden service honeypots were created, each strongly hinting that illegal content lay behind a secure “locked door”. The three websites (drugs, counterfeiting, and pedophilia) were then seeded in the Dark Web spider report described above and flagged so they would never be marked as “offline” or “inactive” in the nightly Dark Web crawl. The faux-websites were then seeded on two additional Dark Web sites (each on a different site, typically in the comments area of the site’s forum).

None of the honeypot websites contained any illegal content. Since I am not a legal authority (nor an expert in the law), I had to scale back the content. No illegal pictures or files existed on any of the sites. In fact, each site contained exactly one image – a decorative background image to give the site a bit of flair (hidden service sites are notoriously lean and “ugly”). In fact, none of the honeypot sites explicitly *offered* to provide illegal content and instead, served to lure the user in by a vague promise of what may be found behind the locked door. Admittedly, lack of genuine content was a huge disadvantage over an FBI-driven honeypot and likely the reason why many visitors did not apply for membership and quickly moved on after landing on the site’s home page.

The basics of a Tor hidden service honeypot (semi-technical explanation)
Here, in a nutshell, is how the honeypot was built.  Techies: I give much more detail on the configuration and setup at the end of the article.

Hidden services running on a portable, virtual machine
The honeypot websites (hidden services) were hosted on a single Linux virtual machine masquerading (somewhat) as a firewalled Windows Server. This virtual configuration allowed for easy takedown and backup of the “machine”.

Use a supplemental Clearnet server
An external Clearnet (Internet) server (angelroar.com) was used to capture Clearnet data. Although accessing the Clearnet through a Tor connection does not reveal the user’s true IP address, it does remove one disadvantage of a Tor hidden service – the exit node IP address is not hidden from the web server. With this setup, if you can trick the user into visiting the Clearnet Internet site, you can use the Clearnet site’s log files to reveal the exit node IP address of the user’s Tor circuit.

Capture raw network packets
Network packets were captured and recorded upon arrival at the Tor server. This provides another means to determine the specific exit node IP address used in the circuit by matching the raw network packets (which contain the user’s exit node IP address) to the website’s activity log. Since Tor hidden services are low-traffic sites, this is a surprisingly easy task. For instance, if the web activity log shows a visitor arrived at the site at 10:03 AM, and there were no other visitors within minutes of that time (a common scenario), we can assume that the visitor’s website activity matches network packets captured at that time.

Proxies everywhere
Proxies come in many varieties and serve many different purposes. In essence, on a hidden services server, Tor itself is a type of proxy which sits between the end user and the web server. For the honeypot machine, I used proxy services placed both before and after the Tor service (in the network chain) in order to provide additional security (for the hidden service website), additional logging sources, and to provide the ability to manipulate the network data packets both before and after they travel through the Tor service.

Database, reporting interfaces, and custom reports
All log files, network packet captures, etc. were stored in a database using a product called Elasticsearch. Using a common data store provides categorization and query facilities for the captured data. This makes reporting and aggregation of data from various sources much easier to report off of.

Can you catch a pedophile on Tor?
The hidden service websites posed as new hidden service sites that were in the process of “coming online”. There was no direct mention of illegal content but it was strongly hinted that what they sought lay behind the curtain. For instance, counterfeit documents were simply referred to as documents, drugs as “product”, and pedophile content as “files”. Using suggestive site names and promoting a sense of secrecy was all it took to convince users that the content that was locked away behind the authentication system was what they were seeking. Thus, users were encouraged to register in order to see what lay behind the authorization system.

The websites were promoted with the promise of a safe, highly secure professional service operating under a tightly controlled, selective membership process. One site’s tagline read:

“The objective is simple – provide a safe, friendly environment for like-minded people. Membership is selective – and strictly controlled.”

Attention to security is a somewhat different sell from other Dark Web sites which often seem wild and uncontrolled. Giving the site a polished look and feel while maintaining a lightweight footprint also hinted at a professionally designed service.

Tor inherently provides anonymity and secrecy – important attributes to the point of fanaticism for Tor users. Emphasizing a “new site” that focuses on security proved to be a great draw. The mention of a “friendly environment for like-minded people” struck a particularly strong chord with the pedophiles.

Potential “members” were told that they must register to access the product (files, chat forums, merchandise, etc.) and that membership was based on five levels. Higher level members were granted more access but to reach those levels, the potential member must complete more and more stringent “tests” to be granted access to the higher membership level and related website content.

All registered users were automatically started at a level 1 “membership level” and were provided more access than a user that had not logged into the site. For instance, content on the website changed after the user logged in and revealed more information about the service as their membership level rose.  Also, registered users were given more detailed status updates and security notices than non-registered members.

The various methods used to capture the user’s identifying information were ratcheted up over time. As the days rolled on, more intrusive methods were introduced in an attempt to secure more information about the user while dangling the carrot of “exclusive membership” before them. This period of time allowed a sense of trust to be built between me and the site’s visitors. While they may not have liked the more intrusive methods introduced in order to secure the site, they seemed to appreciate that someone was taking the time to build a solution that took great care to guarantee their anonymity on the Dark Web.

At first, only login data and network packet captures were used to deduce the user’s identity. Later, link traps were introduced before finally introducing a “security scanner” as a requirement to gain the highest level of membership. Of course, in order to validate the client’s machine was secure, the security scanner took a snapshot of their personal computer system (minus 1 point for choosing to run the security scanner in the first place).

Admittedly, after introducing the security scanner, traffic patterns changed. Scans on the server dropped and some of the users who opted to run the software appeared to be government or private researchers. Most visitors were reluctant to run the security scanner but for those that did, their anonymity completely dropped. Around 4-7% of the daily registered users chose to run the scanner and thus, stepped outside of the Tor network and revealed their true identity.

Lessons learned from the Tor Hidden Service honeypots
Traffic patterns
Pedophile traffic was shockingly high – magnitudes higher than traffic on the counterfeiting and drug honeypot sites. For instance, after the first five days, the counterfeiting site had two registrations while the faux-drug sales site saw six registrations. Both sites saw hundreds of visitors. The pedophile site, however, saw several *thousand* visitors in just five days and brought in over 200 member registrations during its first few days of operation. In addition, the counterfeiting and drug websites saw no additional registrations after five days while the pedophile site continued serving content to over 1,000 visitors each day. By the end of the 14 day test, nearly 600 pedophiles had registered on the honeypot website.

Information the pedophiles freely supplied
Usernames and email addresses
The sites required an email address be used as the username. The reason for this requirement was not disclosed to the visitor, leaving them to wonder if an email verification link was going to be used to validate their registration. Out of hundreds of registrations, only a single user complained about having to use their email address to register.

Given the sense of trust within the tight-knit pedophile community, and the site’s emphasis on “community”, “friendship”, and a high level of security, a surprising number of pedophiles freely provided their Clearnet email addresses as their username. The number of legit email addresses was astounding and in many cases, the registered users attempted to communicate with me through these email addresses (despite the fact that one of the conditions that I clearly stated throughout the websites was that I would never communicate with them via email). Note: in order to avoid communication via email, the honeypot sites contained internal messaging systems which provided a permanent record of all conversations – see details below.

On the other hand, a significant number of people provided anonymous email accounts and some obviously made up an email address just to get through the username validation.

Pedophile passwords
No validation requirements were placed on the password field leaving the user to pretty much enter whatever they wanted. Thus, in many cases the passwords were quite disturbing and often sexually suggestive (see samples at end of article). It was obvious that many used legit passwords, likely the same password they would use on other websites. Still, quite a few seemed to use “throwaway” passwords hinting that the user intended to review the site quickly and then move on or change their password to a more permanent password once they were convinced the site was legit.

Comments and suggestions
A “comments, suggestions, and preferences” field was included on the registration form. As with the email addresses and passwords collected, the comments were disturbing to the point of depression (see detailed discussion below). Many freely told me what type of content (i.e. victim) they preferred. Their crass and frank attitudes, as if all of this were perfectly normal, were deeply unsettling.

Information that the pedophiles leaked
Exit node IP address
[Image: Simulated HTTP error]

The exit node IP address does not uniquely identify a visitor but rather, provides the endpoint used in the Tor circuit. Regardless, I did find it was surprisingly difficult to determine the user’s exit node IP address from a hidden service web server.

The exit node IP address of the Tor circuit was obtained using the two different methods discussed briefly above. The “link trap” method required an active click by the user. A link trap links the user to a Clearnet website where the exit node IP address of the particular circuit becomes easily visible and allows for capture of other information as well (browser version, operating system – all the typical data a Clearnet website can capture). Ironically, the link trap clearly linked to web services on another website that I own and operate – angelroar.com, a website for victims of child abuse.

The honeypot application programmatically created an exclusive custom link for each user that visited the page in order to provide the means to uniquely identify the visitor. This custom link was passed to the page hosted on the Clearnet Internet website in order to isolate the user that clicked through. The Clearnet site subsequently displayed a stock HTTP error on a plain white page in order to encourage the user to quickly “back arrow” through their browser history to take them back to the Tor site (hopefully, before noticing the URL was a Clearnet site). Normal traffic on the Clearnet site did not increase allowing me to deduce that most visitors did not recognize that they had been redirected to an off-Tor Internet website.

Network packet captures also provide the exit node IP address but since the packets are encrypted, there is no easy way to tie them to the website user once the packet reaches the webserver. The Tor network packets can be recognized, however, particularly the SSL negotiation that occurs at the beginning of the Tor hidden service connection. Since traffic on a Tor website is low, the packets can be recorded and timing used to determine which packet corresponds to the HTTP web server traffic. A simple query against the Elasticsearch database that was filtered on time (to the millisecond) would tie the exit node IP address for the Tor circuit to the user’s browsing session.

Of course, the problem with exit nodes is that a substantial number are professionally hosted. Many hosts contribute hundreds of exit nodes to the Tor network. Often these hosts provide other anonymous services hinting that no logs are kept of the Tor exit node traffic and thus, guaranteeing anonymity for the user whose circuit is directed through their exit node.  This scenario differs from a normal Tor-user who could expect a visit from legal authorities if illegal content passes through their exit node.

The pedophile’s true IP address
[Image: Sample security scanner output captured identifying information for Tor user]

A “security scanner” was offered to registered users and described as a Tor security test to ensure the client’s configuration was secure and correctly configured (a requirement placed on the user before being granted a higher membership level). The premise behind this requirement was pitched as this:

“Nobody is granted higher level access to the site until they have proven that their client configuration is safe, secure, with no leaks. A weak client puts everyone at risk.”

The scanner is a simple Windows program which grabs network configuration information from the client machine along with the login username, running processes, software installed, and a sample of filenames from the user’s My Pictures folder. Indeed, analysis of these items could be used to determine whether a user’s machine configuration were secure and worthy of elevated access to the website (in one instance I saw signs of malware running on the user’s computer and in another instance, picture file names suggesting a professional researcher). Not only is the information collected related to client security measurement, but it reveals without question, the true identity of the user including their PC footprint, Windows username, real name, true IP address, internal network IP address (if on a home or business network), and much more.

Since site visitors were already providing their Clearnet email addresses, real names, and clicking through the Clearnet link trap, I shouldn’t have been surprised that they would also choose to execute the security scanner. During each of the last five days, about 4-7 percent of the daily registered users opted to run the security scan leaking their real name and true external IP address. Had I been the FBI, they would have been caught.

The disturbing details pedophiles revealed
Pedophiles operate within their own tight online communities
In just two weeks, I discovered much that I had not known about pedophile behavior. For instance, pedophiles form their own tight-knit communities and within those communities, a deep sense of trust is developed. Despite visitors knowing nothing about my new website, I managed to invoke this sense of trust in many of the visitors. One user mentioned not hearing about the website in “the usual forums”, my first clue that they operated within their own trusted online communities on the Dark Web.

jetspizza@sigaint.org: Looking for a new community, others are stale.

Humphreez@mail2tor.com: I am interested in a place where I can share some of my uploads and communicate with other like minded people with similar interests.

Pedophiles have their own slang
In more than one instance, the pedophiles’ slang caught me off-guard and left me puzzled. Some of their slang was easy to figure out. Other terms were just bizarre. Below are several of the slang terms used by the pedophiles when communicating with me.

CP – child pornography – was easy enough to figure out

amy1234567@fuck.com: give me cp

PTHC – Preteen hardcore.

beso**esta@hotmail.com: i found a good pthc streaming site the other nite and want MORE

TK – Toddler/Kindergarten

anonymous@anonymous.com: [like] tk, lolitas.

Lolita – 6-10 year olds

jon_doe60@yahoo.com: adore lolitas

elen***son.ar@gmail.com: I love lolita

Nu or nubile – older sexually mature teenager

jones***@gmail.com: I prefer young but developed nubile girls 14 and up

Hebe – “hebe” was the ancient Greek god of youth. It means “youth” or “prime of life”. It also refers to hebephilia, the sexual preference for girls of ages 11 through 13 (pre-teen ages).

awesome**@gmail.com: Happy Hebe!

taken2@nothere.com: hebe girls are good

PT – In pedophile slang, “pt” refers to pre-teens or early “hebe’s”.

JB – “jb” refers to “just budding”, a reference to a female body in the early stages of puberty. Update: a reader suggested “jailbait” was a more likely definition.

In this particularly disturbing case, a father of three hints that he is willing to share pictures of his children.

npt@hotmail.com: hi im a married dad of 3, i prefer girls from pt to jb. I’m looking forward to joining in and sharing in the community

Pedophiles have clearly defined sexual preferences
I also found that pedophiles have clearly defined sexual preferences, particularly with regards to the age range of the victims – and they were quite eager to share these preferences with me.

noo**man@hotmail.ru: [I like] girls 11-14

jchall321**@hotmail.com: 10 – 12 yo girls penetration

gio@gmail.cn: Girls 10 yo

ybdiqrgq@guerrillamailblock.com: I like girls age 8-13

ronjeremy@safe-mail.net: 5-10 yo

svendros**t@gmail.com: girls, 6-12

ghsfgyb@sfh.nlt: girls 6 -14

drey**@net.com: 3-10 age

taikhoanmu**@yahoo.com: love young girls

biguccel**@outlook.com: like baby pussy

Many visitors to the site appeared to be active pedophile predators
Several visitors to the pedophile honeypot did more than look at pictures – many actively abuse children. Apparently some pedophile sites offer means for pedos to “date”, “sell”, or “trade” children with each other, as evidenced by visitors who asked for a “dating service” to lure children in.

ukkinky@safe-mail.net: Will you offer dating??

Many visitors offered photos from their “private collection” as a means to bribe me for entrance to the website. They took care to note that the material they were offering me was original. One pedophile even sent me a link to a picture of a “young New York girl” that he took (I refused to click through).

mcloll**@gmail.com: Have original mat approve me :smile:

whinceypuffi**@gmail.com: Let me in please .i have original mat

andreiovi**@gmx.com: Want to look around to see what I can offer you.

The results were surprising, and alarming (I guess I secretly hoped that pedophiles sought pictures and nothing more).  Unfortunately, I later researched and found a Mayo study (further supported by a later federal prison study) which found that more than 3/4 of persons convicted of possessing child pornography admitted to actively molesting children.  Thus my dream of a slightly less-evil world was shattered.

The end of the experiment (what a relief – it’s over)
Rather than alert the hidden service visitors to the purpose of the research project, after 14 days, the honeypot sites were shut down with no notice and no explanation. No matter how much I wanted to act on my anger and scare the holy shit out of those who had been identified, I decided to depart quietly and leave the playing field open for the legal authorities and other security researchers.

Note: Stepping on the toes of legal authorities or impeding ongoing investigations should always be a concern for honeypot operators.  On two different occasions I contacted legal authorities about the project and offered to provide full sets of data that had been collected. The first contact was before the hidden services went online (at which time I reported a few pedophiles sites that the Dark Web spider had uncovered), the second contact a few days before the hidden services were shut down (at which time I notified them that I was about to take the Dark Web pedophile honeypot offline with the intent to hand over the VM and/or data collected during the project if they were interested).

Retrospection
To date I have not brought the honeypots back online.  The Tor host file and private key were deleted just in case the hidden services accidentally went online when I started the VM and thus, the website addresses are gone forever.  In retrospect, here are items I would have done differently or will do differently if I ever decide to kick the project back off again.

Add an additional “legit” hidden services site
In retrospect, I should have added a fourth “legit” website against which I could have measured non-criminal Tor traffic.  Many Tor supporters of course, disliked this project (and told me so), believing it intended to blacken Tor’s eye (it did not).  A more balanced array of hidden services would have lent credence to my claim that the Tor network is widely abused.

Plant and monitor Tor nodes
This one’s tricky since I’m not familiar enough with Tor’s traffic patterns.  Still, having a variety of host machines available, it would be interesting to implement and monitor a pool of Tor nodes and attempt to coordinate traffic across the nodes (packet counting, timing, etc.).  I’m just not sure how many nodes it would take, how beneficial owning both entry and exit nodes would be, and/or how long they’d have to run to produce results.

Put up a functioning chat board with uploads disabled
Given more time, a functioning (but moderated) chat board could have provided additional information without drawing too much suspicion.  Uploads of course, would have been disabled and promoted as a feature of a higher membership level.

TECH BACKGROUND: Honeypot configuration
Linux on a VMware virtual machine
The server ran a secure Linux variant (Debian) on a VMware virtual machine. The server included a copy of a “hacking installation” chock full of hacking and penetration testing tools that I could quickly invoke if needed.

Firewalled (lightly)
Although the server was hardened, I wanted to allow some hack attempts through. Thus the firewall was left loosely configured with the understanding that I would rely on the IDS systems to capture and report malicious network traffic.

Bro, Snort, and OSSEC IDS systems
Three different IDS systems were used. Bro provides good, configurable alerts and programmatic access. All Bro alerts were sent to the Elasticsearch database.

Snort was run in promiscuous mode, capturing low level detail from the network packets. Barnyard was used to parse Snort’s binary packets and to insert the results into the Elasticsearch database.

Finally, OSSEC IDS was used to alert me to any true malicious traffic.

A fourth pseudo-IDS, a custom alert system, was operated at the application level. The applications within the honeypot website watched for certain events and user actions (including CSRF attacks, of which I saw a few) and used this custom IDS to inject messages into a log file which was also fed into the Elasticsearch database.

Squid proxy
A Squid proxy placed before Tor allowed the examination and manipulation of packets before they entered Tor. I had originally intended to inject the exit node IP address into the header using Squid.

Tor hidden services
Tor was configured to point to three different virtual web servers. Initially Scallion was used to generate a custom vanity URL for the Tor hidden service but in the interest of portability (users were told that for security reasons, the onion address of the website would be rotated every 90 days), I decided to use Tor’s generated hidden service key and address instead.

Tor, acting as a proxy, passes its traffic to the web server service. Since traffic arriving at the web service comes from the Tor proxy, the IP address is lost. In other words, the only way the web server can communicate to the Tor client is via the Tor proxy. This provides great anonymity for the client but makes analysis on the server side more difficult.

Pound proxy
Pound, a security-focused proxy service, was placed after Tor to allow examination and manipulation of the packets after they exited Tor (just before they were delivered to the web service).

Web server
Four virtual web servers were run through a single web service – three fake hidden service websites and one Clearnet admin interface for reporting and monitoring.

Two other web servers (Apache and nginx, aka Engine X) were installed and used for services such as Elasticsearch, Kibana, and Graylog2 web reporting interfaces.

Elasticsearch
All logs were sent to Elasticsearch, either directly from the logging application or via an intermediate utility such as Barnyard (for conversion and insertion of Snort binary logs). In many instances, raw versions of the logged events and/or network packet captures were also stored (redundantly) in a MySQL database.

Graylog2 and Kibana for reporting and dashboards
Most proxy services (e.g. Bro, Snort, Barnyard) had to be configured to parse their traffic into discrete fields that could be stored in the Elasticsearch database. Then Graylog2 and Kibana web interfaces were used to further parse, query, sort, and filter the data elements sent from the various proxy services.

Misc. services
Firewall status, website log, and server resources (CPU, memory, and network traffic) were actively monitored in real-time throughout the project.

Since the machine (a VM) was shutdown (briefly) quite often (primarily for frequent backups although the website users were told I was conducting security tests), startup scripts were used and each service scheduled to start on bootup.

Custom code framework
All three of the hidden service websites used a common code framework. The site’s colors, headers, and frequently used information (e.g. site name, description) were easily changeable via configuration parameters in order to give each site a somewhat unique appearance. All custom code (e.g. messaging, logging, registration and login, etc.) was shared between the sites and each site given a unique identifier.  Each record inserted into the database was tagged with this unique identifier in order to delineate which site the recorded activity occurred on.

TECH BACKGROUND: the honeypot traps and supporting software
Custom IDS log
A custom IDS log was used to record each time a visitor hit the site, when they logged in, and to capture data from any malicious hacking attempts. Attempts to hack the site were much less common than I had anticipated. A few CSRF attacks were attempted and of course there were a few port scans. On at least one occasion, I suspected a light DoS attack was attempted. From user comments, I could tell that a handful of visitors were hackers looking to take down a pedophile site.

As with the other IDS system, all alerts were sent to the Elasticsearch database where Graylog2 and Kibana made it easy to categorize and view results.

Login information
Login information captured the visitor's username (email address), password (saved in cleartext for research purposes), name (on occasion it appears as if they supplied their real name), and an opportunity to pass along comments, suggestions and preferences.

A custom report was created to allow easy monitoring of new registrations and user logins.

Messaging
Each hidden service website emphasized that I would not communicate via email – not even anonymous email. A custom messaging system was used on each website. Messages sent through the “contact me” form were tagged with user login information. Responses to these messages were entered through an administrative interface and delivered to the end user via a “messaging” panel located on the sidebar of each page. With a design such as this, I had an easy means to record and save each conversation as well as providing an intermediary interface to isolate me from outside attacks or potential leaks.

IDS systems and network packet captures
Bro, Snort, and OSSEC IDS (intrusion detection systems) were installed. Snort ran in promiscuous mode to capture detailed packet information. Barnyard was used to parse the packets and insert into the Elasticsearch database.

Bro proved most useful for this project. It is easy to configure and flexible, allowing me to dictate which types of alerts were included in the service’s compilation and what type of data should be captured.

Link traps
The link traps captured just under 1,000 Tor exit node IP addresses gleaned from an active user click on a link on the site’s FAQ page (e.g. “Click here for samples”). When the FAQ page loaded, the link was generated with a unique identifier. Each time the page that included the link trap was loaded, the identifier was generated and inserted into a MySQL database on the Tor machine.

The link pointed to a Clearnet website which recorded all browser and network traffic information into another MySQL database on the Clearnet machine. Each record recorded in the Clearnet database was keyed with the unique identifier passed from the Tor site.

An hourly cron job ran to reconcile and consolidate the results. The job, a PHP application (I’m a C# programmer by trade so this project provided much needed PHP practice), used a web service on the Clearnet machine to retrieve the database results and match the record from the Clearnet host to the corresponding Tor host record. If the link was never clicked (leaving an “empty” record in the Tor host database), it was purged automatically after a couple of hours.

A custom report was written to allow easy viewing of link trap results.

Offsite web services
Offsite web services were used to communicate with the Clearnet host. The link trap mentioned above and the security scanner discussed below utilized these web services.

The Security Scanner
After 12 days of operation, the final and most intrusive attempt to trap user information was introduced. A small Windows program was written to pop up as a small window which displayed “scan progress and results”. A long intro was displayed when the program started up. This intro explained what the scanner would do and noted that the user had the option to cancel out of the scan at any time. What was not mentioned however, was that the scan ran while they were reading the intro. The option to cancel merely flagged the scan results as “cancelled” and would have purged them from the database had anyone actually attempted to cancel the scanner program. During its operation, only a single person cancelled out of the scanner (and they quickly returned to run it again to completion).

The security scanner provided a security snapshot and unique footprint of the machine.  All of the information from the scan was delivered to a remote Clearnet server via a web service where it was recorded in a database on the Clearnet host. Another web service was used by a scheduled job on the Tor host to retrieve the results, parse the data, and store the results in a database on the Tor server where they could be manually reviewed.

A report was created to allow easy viewing of the data. Items recorded included the machine’s true external IP address and host name, the internal IP address (e.g. 192.168.*.*), the OS and version, number of CPUs, user domain, all local networking interfaces and their IP addresses, the Windows username of the logged in user, a list of drive devices and their status, the path to the browser’s cookie file, all installed software on the machine, all running processes on the machine, and a sample of filenames from their My Pictures directory.

It should be pointed out that this was *not* malware. It did not retrieve passwords or a list of Windows users, did not replicate, and in fact, was run voluntarily by the user. The user was informed that a “security scan” was going to be run on their machine and in an effort to gain access to the secured content, they freely chose to run the scan. Also, nothing secret or permanent was installed on the machine during the execution of the scanner application.


--------------------
Let me out of this place
I'm outta place
I'm in outer space
I've just vanished without a trace
I'm going to a pretty place now where the flowers grow
I'll be back in an hour or so

[quote]Abuse said:
the dea can go fuck themselves! with the internet, the impossible is possible![/quote]
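The link trap the quoted article describes, worked through as an added example; this is not the article's PHP code, and the trap host, the record fields and the exit-relay list are assumptions (the article names none of them). It mirrors the pieces the text lists: a token minted on each FAQ page load and stored on the hidden-service side, a clearnet endpoint that logs the click keyed by that token, and an hourly job that joins the two and purges tokens that were never clicked. It also labels each hit, because the article reports that the trap collected Tor exit-node addresses: a click made from Tor Browser reaches the clearnet host through an exit relay, so the logged address is the exit's, and the visitor's own address only shows up when the link was opened outside Tor.

```python
import secrets
from datetime import datetime, timedelta

# Assumed clearnet trap host; the article does not name the one it used.
CLEARNET_TRAP = "https://samples.example.invalid/go"
# The article says unclicked records were purged "after a couple of hours".
PURGE_AFTER = timedelta(hours=2)


def issue_trap_link(tor_db, user, now):
    """Hidden-service side, run on every FAQ page load: mint a per-load token,
    record which logged-in user saw it, and return the clearnet URL carrying it."""
    token = secrets.token_urlsafe(16)
    tor_db[token] = {"user": user, "issued": now, "hit": None}
    return f"{CLEARNET_TRAP}?id={token}"


def record_clearnet_hit(clearnet_db, token, remote_ip, user_agent, now):
    """Clearnet side: log what the browser revealed when it followed the link,
    keyed by the token from the query string."""
    clearnet_db.append({"token": token, "ip": remote_ip, "ua": user_agent, "seen": now})


def classify_ip(ip, tor_exits):
    """A click made from Tor Browser reaches the clearnet host through an exit
    relay, so the logged address is the exit's (which is all the article says
    its trap collected). Only a hit that is not from a known exit, i.e. the
    link was opened in a non-Tor browser, is the visitor's own address."""
    return "tor-exit" if ip in tor_exits else "direct"


def reconcile(tor_db, clearnet_db, tor_exits, now):
    """The hourly job: join clearnet hits to issued tokens, then purge tokens
    that were never clicked and are older than PURGE_AFTER."""
    matched = []
    for hit in clearnet_db:
        rec = tor_db.get(hit["token"])
        if rec is None:
            continue  # unknown token: forged, mistyped, or already purged
        rec["hit"] = hit
        matched.append({"user": rec["user"], "ip": hit["ip"],
                        "kind": classify_ip(hit["ip"], tor_exits),
                        "ua": hit["ua"], "clicked": hit["seen"]})
    stale = [t for t, r in tor_db.items()
             if r["hit"] is None and now - r["issued"] > PURGE_AFTER]
    for t in stale:
        del tor_db[t]
    return matched


def demo():
    """Constructed walk-through with three page loads: one link clicked through
    Tor, one opened in a leaking non-Tor browser, one never clicked, plus a hit
    carrying a token that was never issued."""
    tor_db, clearnet_db = {}, []
    # Constructed exit list; a live one is published at
    # https://check.torproject.org/torbulkexitlist
    tor_exits = {"198.51.100.7", "198.51.100.8"}
    t0 = datetime(2015, 9, 20, 12, 0)
    link_a = issue_trap_link(tor_db, "user-a@example.invalid", t0)
    link_b = issue_trap_link(tor_db, "user-b@example.invalid", t0)
    issue_trap_link(tor_db, "user-c@example.invalid", t0)  # never clicked

    def token_of(url):
        return url.rsplit("id=", 1)[1]

    record_clearnet_hit(clearnet_db, token_of(link_a), "198.51.100.7",
                        "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
                        t0 + timedelta(minutes=5))
    record_clearnet_hit(clearnet_db, token_of(link_b), "203.0.113.42",
                        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/45.0",
                        t0 + timedelta(minutes=9))
    record_clearnet_hit(clearnet_db, "not-a-token", "203.0.113.9", "curl/7.38.0",
                        t0 + timedelta(minutes=10))
    matched = reconcile(tor_db, clearnet_db, tor_exits, t0 + timedelta(hours=3))
    return matched, sorted(r["user"] for r in tor_db.values())


if __name__ == "__main__":
    for m in demo()[0]:
        print(m["user"], m["kind"], m["ip"], m["ua"])
```

Run it directly to print the two matched hits; `demo()` builds the constructed data and returns the matches together with the users whose tokens survived the purge. The "tor-exit" label is the point: without a second channel (the article's scanner, or a browser that leaks), a tokenized link only tells the operator which session clicked and when.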


Alan Rockefeller (Mycologist)
Re: tor honeypot hacks true identity of tor users [Re: luckytriple6]
#22334390 - 10/04/15 07:43 PM

eek


Stonehenge (Alt Center)
Re: tor honeypot hacks true identity of tor users [Re: luckytriple6]
#22355262 - 10/09/15 04:30 PM

There is a lot of irrelevant info in that long-ass article. I kept scrolling down hoping it would get to the point but it never did. The exploits that unmask Tor users require them to have Java or JavaScript enabled. Always disable Java when you use Tor.


--------------------
“A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves largesse from the public treasury. From that moment on, the majority always votes for the candidates promising the most benefits from the public treasury with the result that a democracy always collapses over loose fiscal policy, always followed by a dictatorship.” (attributed to Alexis de Tocqueville political philosopher Circa 1835)

Trade list http://www.shroomery.org/forums/showflat.php/Number/18047755


luckytriple6 (spun, confused, and needing hugs)
Re: tor honeypot hacks true identity of tor users [Re: Stonehenge]
#22364735 - 10/11/15 06:14 PM

He totally scammed them into giving up their identity, that's true, especially when he got them to do a "security check". It is a long article, but most of it is proof of concept. I didn't think it was just JavaScript that was at fault, though; he was capturing packets and matching them up, using custom links per person linking them to clearnet websites, and a bunch of other techniques all used together. It had to be more than just Java at fault; a lot of it was users not using proper techniques to hide their identity, but it was much more than just that.

I posted this to create awareness of the fact that Tor can be touchy and, if not used properly, a single person on a mission can find out who you are. If just one person on a mission can do this, our governments most certainly can unmask users' identities.

Also, the fossbytes article was short and got right to the point; I posted that also, it was the first link.



Stonehenge (Alt Center)
Re: tor honeypot hacks true identity of tor users [Re: luckytriple6]
#22364883 - 10/11/15 06:44 PM

One person on a mission can do it if the target does something stupid. Don't click on links, don't use Java, don't give out any info.



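What "don't click on links" guards against, as an added example written for this thread rather than taken from the article: a checker that parses a page served by a hidden service and flags anchors that leave the onion, separating out those that also carry a long, random-looking query value, which is how the article's per-page-load trap ties a single click back to a logged-in session. The page fragment, the hostnames, the token value and the entropy threshold are all constructed for the example.

```python
import math
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed page fragment modelled on the article's FAQ trap
# ("Click here for samples"); the hosts and the token value are made up.
SAMPLE_PAGE = """
<ul>
  <li><a href="/faq">FAQ</a></li>
  <li><a href="http://abcdefghijklmnop.onion/rules">Rules</a></li>
  <li><a href="https://cdn.example.invalid/samples?id=kQ3xV9aZ2pLm7rTwYb1Nc0">Click here for samples</a></li>
  <li><a href="https://www.torproject.org/">About Tor</a></li>
</ul>
"""

# Assumed thresholds: a per-visitor token is long and close to random.
MIN_TOKEN_LEN = 16
MIN_TOKEN_BITS_PER_CHAR = 3.5


def shannon_entropy(s):
    """Bits per character; a 22-char base64url token scores about 4.4, a word
    or a page name scores well under 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


class _AnchorCollector(HTMLParser):
    """Collect every href on the page; nothing is fetched or followed."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def classify_link(href):
    """None for links that stay on the onion (relative or .onion host);
    otherwise a finding that says whether the clearnet URL also carries a
    token-like query value that would identify this page load."""
    u = urlsplit(href)
    if not u.netloc or u.netloc.lower().endswith(".onion"):
        return None
    tokens = [k for k, v in parse_qsl(u.query, keep_blank_values=True)
              if len(v) >= MIN_TOKEN_LEN and shannon_entropy(v) >= MIN_TOKEN_BITS_PER_CHAR]
    return {"href": href, "host": u.netloc,
            "risk": "clearnet+token" if tokens else "clearnet",
            "token_params": tokens}


def find_trap_links(html):
    """Parse a page and return a finding for every anchor that leaves the
    onion, tokenized links first."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = [f for f in map(classify_link, collector.hrefs) if f]
    findings.sort(key=lambda f: f["risk"] != "clearnet+token")
    return findings


if __name__ == "__main__":
    for f in find_trap_links(SAMPLE_PAGE):
        print(f["risk"], f["host"], f["token_params"])
```

A plain clearnet link is still worth flagging: following it from Tor Browser hands the other host an exit address, a User-Agent and a timestamp it can line up with the onion site's own logs, which is exactly the reconciliation the article describes. The tokenized one removes the guesswork.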
Alan Rockefeller (Mycologist)
Re: tor honeypot hacks true identity of tor users [Re: Stonehenge]
#22373879 - 10/13/15 03:06 PM

I don't think he used Java at all - this was a pure social engineering attack. He tricked people into giving up their identity.

Good info though, cops love to trick people in similar ways. They don't need to crack Tor when a good percentage of users don't understand basic anonymity principles.


Anahata
Re: tor honeypot hacks true identity of tor users [Re: Alan Rockefeller]
#22454222 - 10/30/15 04:15 PM

Doesn't this article only aid the people in learning how to stay hidden so they can continue to do these things?



Edited by Anahata (10/30/15 04:22 PM)


Alan Rockefeller (Mycologist)
Re: tor honeypot hacks true identity of tor users [Re: Anahata]
#22455256 - 10/30/15 08:06 PM

[quote]Anahata said:
Doesn't this article only aid the people in learning how to stay hidden so they can continue to do these things?[/quote]

Yes, that is why it was posted here.  : )


Dr.Satan (Mad Professor)
Re: tor honeypot hacks true identity of tor users [Re: Alan Rockefeller]
#22482914 - 11/05/15 08:20 PM

Good read, but if you use Tails to run Tor you're pretty much golden unless you don't know how to properly use Tails and Tor.



LateForTheFuture (Old Hand)
Re: tor honeypot hacks true identity of tor users [Re: Alan Rockefeller]
#22529181 - 11/15/15 08:02 PM

[quote]Alan Rockefeller said:
[quote]Anahata said:
Doesn't this article only aid the people in learning how to stay hidden so they can continue to do these things?[/quote]
Yes, that is why it was posted here.  : )[/quote]

Thanks, Alan!

:heart:


tdubz
Re: tor honeypot hacks true identity of tor users [Re: LateForTheFuture]
#22638849 - 12/10/15 02:29 PM

I think the gov has been able to unencrypt Tor since the very beginning, as it was developed after all by the U.S. Navy. In my opinion Tor could perhaps be some sort of social experiment to give people a false sense of security over the internet. From what I understand the NSA has cracked all possible internet encryption available to the public. It's very possible that the gov has allowed and is allowing hidden drug markets to operate in order to "draw in" and catch high level drug offenders.

Also, by controlling entry/exit nodes the gov can discover Tor users; I don't think a honeypot is even necessary.


Alan Rockefeller (Mycologist)
Re: tor honeypot hacks true identity of tor users [Re: tdubz]
#22639361 - 12/10/15 05:13 PM

[quote]tdubz said:
I think the gov has been able to unencrypt Tor since the very beginning, as it was developed after all by the U.S. Navy.[/quote]

No, probably not - the protocols are all open source, and no one has been able to crack them. Does not matter who wrote it when they release the source for all to audit.


[quote]tdubz said:
From what I understand the NSA has cracked all possible internet encryption available to the public.[/quote]

Source?

No, probably not true.  If the math is good, it would take thousands of years to crack a strong key even with a supercomputer.  If the government really wants to crack strong encryption, they need to do something more low-tech like sneak into your house and install a keylogger.




[quote]tdubz said:
Also, by controlling entry/exit nodes the gov can discover Tor users; I don't think a honeypot is even necessary.[/quote]

They can see some things, depends on what you do. If you use Tor and type your real name, that could be an issue.

They probably do log what they can... whether or not this matters is the question. If you are not killing lots of people for sport, it doesn't matter if they can crack Tor or not.


tdubz
Re: tor honeypot hacks true identity of tor users [Re: Alan Rockefeller]
#22639780 - 12/10/15 06:45 PM

http://news.mit.edu/2015/tor-vulnerability-0729 - on Tor node vulnerability

http://thehackernews.com/2015/10/nsa-crack-encryption.html - on NSA ability to crack VPNs, HTTPS, etc.


Copyright 1997-2024 Mind Media. Some rights reserved.