_d3f4ult

[+] Tor Hidden Service Servers not Safe? [+]

Nov 10th, 2014
We are...
_____ _________
/ _ \ ____ ____ ____ / _____/ ____ ____
/ /_\ \ / \ / _ \ / \ \_____ \_/ __ \_/ ___\
/ | \ | ( <_> ) | \/ \ ___/\ \___
\____|__ /___| /\____/|___| /_______ /\___ >\___ >
\/ \/ \/ \/ \/ \/
//Laughing at your security since 2012*
=================================================================================================
Official Members: Mrlele - AnonSec666 - 3r3b0s - d3f4ult - 4prili666h05t - Hannaichi - ap3x h4x0r
- Gh05tFr3ak - xCyb3r 3vil7 - spider64
=================================================================================================

When I say not safe, I mean for the web service itself, not necessarily the users. If you have good OpSec, encrypt all connections
with PGP and don't connect directly to Tor, you should be safe. However, a Tor Hidden Service's actual physical server location may not be...
Anyone who is reading this and has programming skills, I beg you to please help with the OpenBazaar Beta, as I see it is the future of
invincible p2p marketplaces. https://github.com/OpenBazaar/OpenBazaar

Between the malicious NSA Tor nodes, the Tortilla tool and metadata heuristics, Tor has become increasingly less secure. Recently I came across some information (thanks to 'nachash' @loldoxbin) about a possible way for the FBI/NSA to deanonymize a .onion Hidden Service's original IP address. So far it's not 100% confirmed, but the evidence is very strong, given the logs, uptimes (thanks to tor-dev) and traffic graphs, that this is possible.

"Apparently the DDoS attack was an attempt to force connections to the site’s various .onion addresses to follow paths that went over Tor network nodes set up by law enforcement. By filling up the “circuits” through secure Tor network nodes, law enforcement operatives could have made it possible to connect to the services only through Tor routing servers they controlled—allowing them to see the real Internet Protocol address of the server hosting them.
From August 21 to August 28, the logs show a wave of requests that include text proceeded by %5C%22—which in PHP requests would be parsed as a quotation mark by PHP code. Trailing the “escaped” quote, the requests include what appear to be URLs for websites such as Twitter and Hack Forums. However, those websites were actually loaded with fake subdirectories such as “/old/code/fail”: "

[+] Doxbin Picture of Log from DDoS Crawler [+]
https://anonfiles.com/file/caf74d4f9ae27093631c7d10754a85a7
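The quoted article gives the one concrete signature of the crawler that the logs show: a URL-encoded escaped quote (%5C%22) followed by a link to a site like Twitter or Hack Forums with a bogus trailing path such as /old/code/fail. The script below is an added example, not code from this paste, from Doxbin or from Ars Technica; it scans a combined-format web access log for that pattern, pulls out the embedded URL and counts hits per day, so an operator can notice such a wave while it is happening instead of after a seizure. The log lines are constructed samples: the 10.0.0.x addresses, the /index.php and /search.php paths and the example.org link are all made up.

```python
"""Spot the '%5C%22 + URL' request pattern described in the quoted article
in a web server access log.  Added example; the log below is constructed."""

import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format:
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# %5C%22 decodes to \" ; the article says the crawler followed it with an
# absolute URL.  Accept both raw (://) and percent-encoded (%3A%2F%2F) forms.
ESCAPED_QUOTE_THEN_URL = re.compile(
    r'%5C%22\s*https?(?::|%3A)(?:/|%2F){2}', re.IGNORECASE
)

# Constructed sample log (hypothetical hosts and paths, not real Doxbin data).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2014:03:12:44 +0000] "GET /index.php?q=%5C%22https://twitter.com/old/code/fail HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Aug/2014:03:12:45 +0000] "GET /index.php?q=%5C%22http://hackforums.net/old/code/fail HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Aug/2014:11:01:02 +0000] "GET /paste/abc123 HTTP/1.1" 200 2048 "-" "curl/7.38"
10.0.0.7 - - [27/Aug/2014:18:40:00 +0000] "POST /search.php?term=%5C%22https%3A%2F%2Fexample.org%2Fold%2Fcode%2Ffail HTTP/1.1" 200 301 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Aug/2014:09:00:00 +0000] "GET /about HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_crawler_request(path):
    """True if the request path/query carries the escaped-quote-then-URL marker."""
    return ESCAPED_QUOTE_THEN_URL.search(path) is not None


def embedded_url(path):
    """Decode the path and return the URL that follows the escaped quote, if any."""
    decoded = unquote(path)
    idx = decoded.find('\\"')
    if idx == -1:
        return None
    # Stop at whitespace or the next query parameter.
    return re.split(r'[\s&]', decoded[idx + 2:], maxsplit=1)[0]


def scan_log(text):
    """Return the parsed records of every request matching the crawler pattern."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_crawler_request(rec['path']):
            rec['embedded_url'] = embedded_url(rec['path'])
            hits.append(rec)
    return hits


def hits_per_day(hits):
    """Count matching requests per calendar day, to make a multi-day wave visible."""
    return Counter(h['time'].split(':', 1)[0] for h in hits)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h['time'], h['ip'], h['method'], h['embedded_url'])
    print(dict(hits_per_day(found)))
```

The marker regex is deliberately narrow (escaped quote immediately followed by a scheme), so ordinary pastes containing %5C%22 in their body are not flagged; widening it to any %5C%22 would drown the signal on a site whose whole purpose is storing arbitrary text.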

The kid who started doxbin had a similar theory that I'm just going to paste verbatim:

<founder> ANYWAY
<founder> i think
<nachash> CONTINUE
<founder> the attack
<founder> was to DoS you
<founder> until you created circuits
<founder> entirely made of dickbleedable nodes
<founder> and then dickbleeding them
<nachash> but the server
<nachash> got seized
<founder> yeah, the IP was discovered by dickbleed though
<founder> the entire circuit was leaking info
<nachash> lol, did you just reproduce this?
<founder> not yet, i'll be trying
<nachash> Do you mind if I share this with tor devs?
<founder> go ahead
<founder> its just a theory at the moment

Doxbin went down on November 6, the same day that Silk Road 2.0 was seized, at or before 1 PM UTC, nachash wrote:

“I checked the most current Doxbin onion and attempted to ssh into the box every couple of hours for around the first 24 hours, until a friend pointed out that one of the old Doxbin onions was serving up the Silk Road 2.0 seizure page. At the time, the main onion was serving up some 404 page (Which I expected to eventually point to some sort of honeypot, but the pigs really let me down on that one), while other onions were unresponsive. This had changed by the next day, when all the onions from the Doxbin box were pointed to the seizure page. The speculation has been that the cops were adding onions one at a time, and my personal experience supports that. Police who are dedicated to seizing and taking control of hidden services are still struggling with managing a torrc file [the Tor service configuration file] efficiently. Go figure."

[+] Doxbin & SilkRoad Uptime Logs thanks to a tor-dev [+]
http://pastebin.com/pVxQDS9u
http://pastebin.com/jQvgz0VF

[+] Doxbin Traffic Graph [+]
https://anonfiles.com/file/875668461a7ded9c7402fec364e593b3

I think it's safe to say that this same technique was used abroad throughout the entire "Operation Onymous"...
While Tor is an amazing tool for sharing information and standing up to oppressive governments, I think
recent events have made it clear that a Tor Hidden Service server's IP address can be found even with
the best OpSec. As weev from GoatSec puts it:
"@rabite @loldoxbin had the best opsec of any public Tor hidden service operator I’ve ever seen.
His just got seized. Feds obviously broke Tor."

It may be time to move to something more secure, such as p2p technology like i2p and new markets like OpenBazaar \!/
Or at least not hosting the servers in the United States... -__-

[+] Sources [+]
https://lists.torproject.org/pipermail/tor-dev/2014-November/007731.html
http://arstechnica.com/security/2014/11/silk-road-other-tor-darknet-sites-may-have-been-decloaked-through-ddos/
https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous
https://github.com/OpenBazaar/OpenBazaar
https://openbazaar.org/
https://geti2p.net/en/
https://github.com/CrowdStrike/Tortilla
www.crowdstrike.com/tortilla/Tortilla_v1.1.0_Beta.zip

[+] More Tor De-anonymization Research [+]

http://freehaven.net/anonbib/cache/sniper14.pdf - "The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network"
http://fc14.ifca.ai/papers/fc14_submission_152.pdf - "Short Paper: Challenges in protecting Tor hidden services from botnet abuse"
http://www.robgjansen.com/publications/kist-sec2014.pdf - "Never Been KIST: Tor’s Congestion Management Blossoms with Kernel-Informed Socket Transport"
http://freehaven.net/anonbib/cache/ccs2013-pctcp.pdf - "... 10,000+ sockets active in fast exits"
http://www.f-secure.com/weblog/archives/00002764.html
http://thestack.com/chakravarty-tor-traffic-analysis-141114

[+] New Tor Hidden Service Build in Process [+]
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt