How do they catch secret site administrators in Tor/DarkWeb?

Tomcat

Tomcat

Professional
Messages
2,689
Reaction score
916
Points
113
In this article I will talk about how resource administrators are identified on the Tor Network, that is, on the dark web. We'll look at the structure of Tor sites, discuss known cases of deanon, and many other features of this dark corner of the Internet, which is considered anonymous. Along the way, I will recommend programs that will help you with your work.

I think you already know that sites whose address ends in .onion are not simple and cannot be opened in a regular browser without additional effort. The so-called dark web consists of sites like these. Very often they are dedicated to the trade in illegal goods and services. Of course, the administrators of these sites do not have to fill in their contact information when registering, there is no censorship, and “onion” routing through a series of proxy servers should ensure anonymity.

Sites on the Tor Network are not indexed by regular search engines, but there are specialized search engines that search only in Tor. In general, as you understand, this is a whole separate world.

How does the Tor Network work?​

With normal direct IP routing, everything is relatively simple: one node makes a request to some address, the other responds to the same address from which the request came. In onion routing, any request first passes through three nodes called Tor nodes. By default, the input and output nodes encrypt information so that it passes through the next node.

Ideal protection against surveillance? Not really. Anyone, in theory, can make their computer a mediator node and collect data about requests. You may ask, who needs this if the information is encrypted? What if the attacker collects some of the information before encryption, infecting the input node? Or vice versa - a day off and receive data about the requested resources? It is the second option that is the most common.

In addition, an attacker can modify or completely change the information transmitted from the server to the client. This can even infect the client's device with malicious code.

In 2020, the hacker group KAX17 was discovered, which controlled 900 infected servers, which were accessed by up to 16% of Tor users.

Here are some tools that help you explore Tor nodes:
As on the regular Internet, sites on Tor can receive information from the client about screen resolution, the number of computer cores and other parameters, which together can form a unique fingerprint.

This is why experts advise not to enable JavaScript on sites on the darknet, or at least not to use the browser in full-screen mode, so as not to reveal the screen size. A digital fingerprint is, of course, not as scary as real personal data, but it allows you to distinguish a unique visitor from a certain number.

image2.jpg


"Onion" DNS​

Intelligence through Whois and services like DNSdumpster in the Tor network is simply impossible, because the onion domain system works completely differently than a regular one. Here are its main differences:
  1. There is only a single .onion domain zone; domains consist of generated identifiers, which is why, in principle, there is no hierarchical structure with TLDs, SLDs and subdomains.
  2. Decentralized storage is the main problem for the information collector, because it makes it impossible to send a Whois request. In classic DNS, information about domains and their corresponding IP addresses is stored on centralized DNS servers. In Tor, information about .onion domains and their addresses is stored on distributed nodes in the Tor network.
  3. The protocols also differ. While classic DNS uses UDP queries and TCP queries, Tor DNS directly accesses distributed storage nodes to obtain the desired address.

WWW​

TorWhois is something like a Whois service for Tor. Allows you to get information about open ports, certificates, keys and information about robots.txt.

There is a study that showed that DNS traffic on the Tor network can be used to accurately determine which sites are visited. Researchers used different methods to analyze DNS requests passing through Tor exit nodes and find out the correlations of these requests with specific sites.

You can simply search for domains in queries. Because domains in .onion addresses are made up of generated identifiers, they can be easily compared to identifiers in DNS queries and matched. This allows you to determine which specific sites the user visited through Tor.

In rare cases, administrators do not remove metadata from files posted on the site, and metadata can include information such as camera model, name, geolocation and much more. Now even regular social networks remove metadata when uploading files.

Site structure​

Sites on Tor use ordinary CMS, just like sites on the Clearnet. Of course, inside there are all the same HTML, CSS and other familiar technologies. That is, there is nothing surprising or new here. In the screenshot you can see that the author of the site made it using Bootstrap. And the use of popular technologies, of course, opens up the possibility of automating audits for intelligence purposes. For this there is:
  • Onionscan (onion site audit);
  • Onion Nmap (Nmap for onion site);
  • OWASP ZAP (scanner);
  • Nikto (scanner);
  • WPScan (scanner);
  • Burp Suite (scanner);
  • Wapiti (scanner);
  • List of vulnerabilities on Miter.org .

image3.jpg


Shadow economy​

Most often, the dark web is used to trade prohibited goods and services. The proceeds then need to be withdrawn somehow, and here the merchants of the forbidden invent the most sophisticated schemes. Usually using cryptocurrency. It is at the stage of withdrawing money that marketplace owners most often get caught.

Imagine: a client buys a cryptocurrency, buys something on the darknet with it, the cryptocurrency is stored on a deposit of the marketplace, then most of it goes to the seller, and then he tries to exchange it for fiat currency.

It turns out that you can determine which exchanger the seller uses if you know the address of his cryptocurrency wallet. To do this, it is enough to visualize its activity using a special program. The exchanger's wallet, of course, will contain a huge number of transactions and a significant amount of money.

Visualizers are often paid, but there are also several free ones:
Cryptocurrency mixers are often used in money laundering. They allow you to hide cryptocurrency assets by distributing them across many other wallets and then transferring them back into one. This makes transactions difficult to track, but does not make them completely anonymous.

If you visualize the transactions of the wallet that the mixer used, you will notice the following features:
  • multiple inputs and outputs in a single transaction, including addresses not associated with the original wallet;
  • mixing of funds between different addresses and wallets;
  • connections with other transactions - chains and clusters of transactions associated with the Bitcoin mixer;
  • heterogeneity of transaction amounts;
  • unusual time intervals between transactions.
Finding the real address of the buyer is difficult, but quite possible. However, software for analyzing mixer transactions is not yet publicly available. So you just have to follow the chain of transactions until you find something that looks like a wallet that belongs to a person.

As you understand, money laundering and its tracking is a separate big topic. But you need to know about it, at least at a basic level. There are a huge number of schemes for laundering proceeds from crime, from the creation of offshore organizations to the purchase of various property. Of course, we won't go into all this here.

Search engines​

Search engines and dorks (query recipes) have always been the main weapon of a modern OSINT specialist, and in the Tor network everything is exactly the same. Let's see what search engines search on the dark web.

Here are the search engines available on the clearnet and indexing onion sites:
Many of them are convenient and allow you to combine results from the clearnet and the dark web.

And here is a list of search engines that have sites on the Tor network (links are provided to onion addresses):
With these systems, you can try basic tricks like searching for an exact match (double quotes), specifying the site to search on (operator site), operator, intextand others in the same spirit. This will work in most search engines.

Info​

Read more about dorks in the articles “Using little-known Google functions to find hidden things” and “Google as a hacking tool. We look at the latest Google Dork Queries recipes.”

If our goal is to identify the forum administrator, then any reconnaissance techniques are used. For example, if his interests are known, then you can go through thematic forums looking for mentions of his nickname.

Here is an example of a query that will return the result of a search in the archives of the “Hacker” forum in search of the user moon:
Code: 
site:eek:oldforum.xakep.ru intext:moon

By the way, about thematic forums. There are wikis that collect links to sites on the dark web, and from there it's easy to get a selection of addresses for criminal forums. Here are some of them:
If you know that a person is interested in, for example, reading, you can check the relevant sections of the forums.

image5.png

They are people too!

Forum users and marketplace administrators are also not robots, so they tend to make mistakes. For example, someone might send a photo of themselves to someone they met online. I personally heard about several cases when administrators of the largest illegal sites were detained, offering to meet. Experts use a variety of traps and honeypots to slip the criminal a file, a link, and sometimes an entire fake application or marketplace.

Traps​

Traps like IP Logger or Canary Tokens are the simplest and most low-budget that exists. In the case of Canary Tokens, you can deploy your server using a ready-made image for Docker, which the developers kindly provided to us. This tool has a lot of interesting features and, in my opinion, is often underestimated.

As for IP Logger, I don't recommend using it when trying to track down professionals. This program is more reminiscent of a children's toy rather than a working tool, and a more or less advanced user will immediately suspect something is wrong.

Fingerprinting​

Since sites on Tor are not prohibited from using all standard technologies, fingerprinting can also work here - tracking users through unique fingerprints.

For an example, let's look at the website AmIUnique.org. The service will easily determine the engine version, OS, language, fonts, plugins and, with some accuracy, audio and video plugins supported by the browser. This is difficult to call an accurate identification, but identifying one suspect out of a thousand can help.

Tor Browser specifically masks screen resolution to make identification difficult, plus users can change their fingerprint based on the canvas tag. All this makes fingerprinting less accurate, but does not prevent it completely.

image7.jpg


There are also more sophisticated tactics based on fingerprinting. Not everyone knows that if you open the Tor Browser and the regular one and then switch between them with hotkeys or the mouse, you can reveal the connection between your real IP and the IP on the Tor network. Unique patterns like the position of the mouse cursor, which can be tracked, are let down. The same applies to using two tabs in the Tor Browser. Tor will use different input nodes for them, but if JavaScript is enabled, the relationship between the tabs can still be established.

demo.gif


Text analysis​

It's no secret that everyone has their own style of posting on social networks, and forum and marketplace administrators are no exception. Some people often put spaces before commas, some are not a fan of capital letters, and some simply have a broken keyboard and some button is often not pressed.

All these little features will help you find other accounts on other forums, social networks, and so on. They say that Ross Ulbricht, the owner of the large Silk Road marketplace, made exactly these mistakes.

Crawlers, spiders, scrapers​

There are different types of tools for collecting data on the Internet.
  • Crawler is a program that automatically crawls websites and collects information. It works similar to spiders, but is capable of collecting different types of information.
  • Scraper is a program that extracts data from websites, often automatically, and stores it in a structured format for later use or analysis.
  • Spider is a program that automatically follows links on websites, analyzes the content of pages and indexes them for search or other purposes.
These tools are useful in analyzing sites on the Tor network. They help to collect information about photographs, directories and a variety of information about the structure of sites. They are interesting because they provide maximum information about what is happening on the site, without visiting the site itself.

Let's start with crawlers, they can be used to collect a certain type of data on a website, for example photos, videos, text, and so on. For example, you want to go through all the photos on the site and find those that contain metadata.

Here are some crawlers for Onion:
Scrapers work according to a preset algorithm that determines what data to collect and how to extract it. They typically make requests to the server and then parse the resulting HTML to extract the information they need. Various methods of parsing pages are used - HTML parsing, searching by tags and CSS classes, regular expressions, and so on. Often sites are downloaded entirely for further analysis.

Here are some programs and libraries for scraping:
Spiders are designed to index hundreds and thousands of links. For Tor there are Onioff and Onion Spider .

Forensics​

Finally, let's touch a little on the topic of forensics, not OSINT. When performing a forensic technical examination of a computer on which Tor was used, it is first worth checking:
  1. A folder C:\Windows\Prefetchwhere files related to running Tor Browser may be located (the browser executable file or DLL files loaded when it runs). Analyzing their timestamps allows you to determine when the browser was launched.
  2. Cache of thumbnails. It can store previews of images viewed through Tor. They can be matched to specific sites.
  3. Swap file. There may also be information about launching a browser, visiting sites, and file operations associated with using Tor.
  4. Windows Registry. Helps retrieve browser settings, browsing history, cached data, as well as records of downloaded extensions and plugins.
Dump analysis is also an integral part of forensic technical examination. They contain a lot of information about what happened on the computer. You can capture a RAM dump, for example, using Belkasoft RAM Capturer.

The Regshot program can be useful for analyzing the registry.

To analyze network traffic, I recommend Wireshark and NetworkMiner. Wireshark is good for identifying different types of packets and establishing connections between nodes. It helps identify the characteristics of the protocols used in Tor. And NetworkMiner specializes in analyzing network traffic and identifying hidden connections and patterns. NetworkMiner can help detect and analyze activity on the Tor network, including information sharing and the use of anonymous proxies.

And of course, you need to study the database of Tor Browser itself. It is located along this path:
Code: 
TorBrowser\Browser\TorBrowser\Data\Browser\Profile.default

Here, with certain browser settings, browsing history, bookmarks, saved passwords, cookies and other user data can be stored.

Studying Bitcoin wallet data is a separate and complex topic, but you can use the Internet Evidence Finder to collect evidence.

Conclusions​

Given the apparent anonymity of sites in Tor, there are always ways to identify their owners. Yes, some of them are complex and require serious work, but since administrators also make mistakes, no, no, they work. I recommend that everyone involved in such investigations remember to use not only the tactics described, but also those methods that work on the clearnet.

Source - https://xakep.ru/2023/07/28/tor-deanon/
 
You must log in or register to reply here.

Similar threads

Man
Choose from the five most private and secure messengers
Replies
0
Views
103
Man
Man
Man
How to tell if an IP address has been used as a Tor exit node
Replies
0
Views
190
Man
Man
Man
Secret Correspondence. Choosing a mail service with the best protection.
Replies
0
Views
142
Man
Man
BitBrowser Anti - Detect
Blocked by a website? 10 ways to force access (the last one is recommended)
Replies
0
Views
180
BitBrowser Anti - Detect
BitBrowser Anti - Detect
chushpan
The best anonymous internet
Replies
0
Views
122
chushpan
chushpan
Back
Top