
BSidesWLG 2017 - ss23 - Onionland Explorers!

BSides Wellington · 27:56 · 120 views · Published 2018-02
About this talk
An introduction to Tor, an introduction to Onionland! We'll discuss the basics of how Tor works, attacks against it, how people have been caught while using Tor in the past, and how you might be able to use Tor to preserve your anonymity. We'll cover some of the basic tools you might be touching, like Onionscan.
Transcript [en]

Okay, so first of all, now I feel bad about how bad my slides were. The guy in the last room had these amazing hand-written slides that were like perfected, so I've tried to do my best, but I just handwrote some slides, pretty amazing as you'll see. So I am talking about Tor today, as you might realise, and Tor and its two modes of operation. So, a good one here: hands up if you have used Tor to access the internet, like get around a block at university, school, something like that. Yep, quite a few people. Hands up if you have bought illegal drugs on Tor. There's always one, there's always one. Okay, so you've all passed the first challenge.

Also, I'm ss23 as mentioned, also go by Steven sometimes. So before we start we'll talk about how Tor works, it's important to understand that. So here we are, here's our diagram, got our Tor client here, this is what runs on the end user's computer. It will talk to this first guy here who has contributed bandwidth, you know, this is one of the relays that you can run yourself, you could be this first guy here, and you'll encrypt a message that goes to him. Then you'll pick another guy and you'll send a message to this guy and say hey, talk to this guy, and then that'll go across there, and you do the same with this one here, and because this is layered encryption, onions, right, that's where the name comes from.

This guy here knows who you are but not where you are going. This guy here knows neither who you are nor where you're going, and this guy here only knows where you're going and not who you are, and that's the core of, when you're accessing the clearnet, how the anonymity works: no one person has enough information to deanonymize you. This here is another slide that shows it, it's pretty simple, it's got some more green arrows. This one here, even more simple, so you get the idea. Tor is pretty simple. Hidden services, not so much. This one has much more arrows, and each of these little arrows here is an entire one of these things, and then here's another one, and this one has literal pictures of onions on it, you know it's getting complicated. This one here has three different parts to it, this one here has like eight, and oh no, oh no. Hidden services, they're pretty complicated.

So we will briefly go over how it works. The hidden server, there he is, Silk Road, he's always Silk Road. He talks to the directory service and says hey, I'm Silk Road, if anyone wants to find me go to this dude here. And then the client goes hey, I want to go to Silk Road to buy some drugs, and it goes hey, talk to him here, and then you talk to this guy and you're like I'm gonna meet Silk Road here, and then Silk Road hears that you talk to him and he goes, meet you there. Long story short, you get to talk to Silk Road, and each of these connections is also anonymized, so once again you can talk to Silk Road, Silk Road doesn't know who you are, and you don't know where Silk Road is. And that's how the onion services work. It lets you host a website reasonably resiliently that people can't take down, they don't know where it is, who's hosting it, anything like that. But of course, as you might have imagined, there are some flaws with this idea, like this can happen.

So what are we gonna go over? Gonna go over some attacks on the protocol that Tor is not designed to protect against. It's really important to understand what Tor is going to do for you and what it's not. We're gonna go over some things that it is designed to protect against but maybe doesn't do as well as it could, some attacks on the Tor software itself, some of the end-user client software like the Tor Browser Bundle, attacks on end users being idiots, and those are always fun, and lastly we'll go over some of the end-user server software side of things, like OnionScan.

Threat modeling, everyone's favourite topic. It's really important to understand the Tor threat model and how it doesn't protect you from a global passive adversary. So if you are trying to hide yourself from the NSA or someone powerful like that, and of course the NSA, it's not a true global passive adversary but they're pretty close, you can have a bad time. These guys right here, these people not having a good time, would not recommend that. So if a global passive adversary is trying to attack you and you were using Tor, you may be deanonymized but not necessarily decrypted, and of course this does rely on monitoring the right traffic, but the threat model itself does not protect against a global passive adversary. There are certain steps you can take to help; it's not really going to help you. So don't make an enemy of the NSA, it's not gonna work out well.

Protocol attacks. This is a great little paper here which I think was one of the first papers that really talked about hidden services and some of their issues. It's very, very old now, from before Tor was really in use much, and this was how you could deanonymize those hidden services. So as we can see here we have our client who is also a relay, and he's running BSD as hackers do, and the key point here is that if those three nodes that we talked about, if they are chosen equally from the entire pool of nodes and you run a node, all you need to do is do 100 connections, a thousand connections, 10,000 connections, and eventually you'll be picked as that number one node, right? And so you can do traffic confirmation, where you access Silk Road and you send through a 50 byte packet and then you see a 55 byte packet come through on your Tor relay, you say okay, that could have been that. You do it again and eventually you can get to the point where you can say okay, someone is talking to Silk Road over this Tor relay, and then you can work out whether you're one, two or three just based on: am I talking to the rendezvous point? I know that. Am I talking to two Tor servers? I know that. Or am I talking to one Tor server and another IP address? Oh, I don't know. Bam, you're now deanonymized, bro. So this is kind of where a lot of the hidden services attacks have been going over the last 10 years or whatnot.

So they came up with a way to prevent it, of course, and this is the entry guard nodes. So this has two ways it works. First of all, it's an exclusive club that only the cool nodes can join, so if you do not meet the cool criteria you are not gonna be able to hack anybody. That means you have to have high bandwidth, you have to be stable, people can't know you're hacking them, the Tor project don't like that, they show you out pretty quick. But you can be in that club, and the second protection here is that once Silk Road picks a set of entry guards it will maintain that for a very long period, because of course even if you were in that club, if you weren't picked right away and you had to wait six months for your next attempt, and it's still only a one in a hundred thousand chance, it's really hard to carry out these attacks, right? So that's kind of the two ways that this can't be done. But of course, if the club isn't exclusive enough, you can get into it and you can just kill, or rather DDoS, everyone in the club, and then Silk Road has to choose to either go down or pick some new guard nodes, and hey, you might just run a lot of guard nodes. So the kind of end result right now is if someone has a lot of money they can probably deanonymize your hidden server, and you see this occasionally, some of the darknet markets, the smart ones, will be like hey, we've noticed a bunch of people attacking us, they haven't deanonymized us but they think, we think, they might, we're gonna stop running for a while. And if you were looking for this kind of attack you could see it pretty clearly, right, you'd see a lot of kind of relay attacks going on and you'd be like okay, someone's tried to deanonymize me, maybe we should ease off the drugs for a bit.

So someone did carry out this kind of attack on the Tor network live. There was a talk pulled from Black Hat back in 2014, it was basically talking about this kind of thing. I'm not presenting any new attacks here, sorry anyone who wants to find some, but these guys did, and they had some fancy ways of doing their traffic confirmation, kind of like in-circuit and some other things that made this attack a lot more viable. Talk got pulled, so we don't actually know all of the content, but we did see the attack happen on the Tor network, which gives us more data. And then when everyone was like hey, CMU, did you guys do this? They said no, wasn't us, we don't know what's happening. And then finally someone was like, you got paid for selling the exploit, and they were like, we didn't not get paid for that. So I was like oh really, that was, that was the problem. So of course some people out there are trying to deanonymize all servers and they have lots of money and connections, but Tor is working hard to prevent these kind of attacks.

So Proposal 247, sounds really fancy: Defending Against Guard Discovery Attacks Using Vanguards. If guards aren't enough, we'll have vanguards. So they basically put more guards ahead of your guards, but I kind of like guards. And the idea is now you have a tiered selection of guards where each guard is like guarding the other guards, and then so before where it was like you had one guard, all these guards on guards on guards you need to attack. Anyway, that's really good, it kind of like exponentially increases the cost of the attack, and I mean I'm not a cryptographer but it looks pretty good to me. So this is being looked at, being implemented, and I think if it goes through it'll be good, but at the moment there's kind of that weakness. Yeah, there's also been a bunch of changes lately around the next-gen hidden services, but this is more of kind of like a cleanup. You might have seen they now have longer names, that's because they're using more crypto, they're switching from RSA to elliptic curve cryptography, that kind of thing. So they are making changes all the time to make these things more secure.

Attacks on the Tor daemon. Can have a bad time, buddy. This is the CVE search from a little while ago, there've been 8 CVEs on the Tor daemon over the life of it, that's, that's a very low number for those who know about CVEs, so good luck with that, if you find something, great, but I just don't think it's very likely. Contrast that to attacks on the Tor Browser Bundle, for those who know Firefox, it's gonna be a little bit more fruitful: 1468. There was like, I got the screenshot like six months ago, it's probably doubled by now, tripled, I don't know. I wouldn't want to be running Firefox. So that's, that's where a lot more of these kind of non-protocol attacks happen, sadly, and it is the most common attack people care about. We saw when the FBI had a coordinated takedown of Freedom Hosting, which was kind of the biggest Tor hoster at the time. They hosted anything, so a bunch of sites that weren't dodgy but a bunch that were horrific, like child abuse and anything else you'd imagine that's bad. Freedom Hosting, the FBI took it down, and what they did is they put JavaScript on every page that was hosted on Freedom Hosting and deanonymized any user. So it had some collateral damage, right, because if you were just hosting a blog there, well, you've also been deanonymized. But you know, point is that they can, they can use these attacks on people and they do: they take someone down, put this JavaScript in.

So what are the mitigations? You could migrate to a more secure browser, Chrome, though that has its own issues, I would not recommend that, but if someone invests the time you could do it. You could rewrite Firefox in a memory-safe language, which I used to think was a hilarious joke that someone would do that, but I see Firefox is doing it now, they're rewriting in Rust, so I'm not so sure anymore. And so yeah, it's been talked about briefly, it's a huge undertaking, but I guess they're doing it so that will hopefully help; if you're using a memory-safe language maybe Firefox would be a little bit better. Now, the alternative mitigation is use NoScript. Like if you go to buy drugs and someone's like hey, do you wanna turn on JavaScript for these drugs, we have like great pop-ups and like we do the JavaScript-friendly stuff on the site: don't do it, it's a trap. Definitely recommend using NoScript.

Attacks on end-user idiocy. So these are the funny people, like what if you don't want to be in an exam, and so you just, you just send a bomb threat, right, but you do it over Tor so you don't get caught, and then you get out of your exams, and the FBI comes because they don't like bomb threats, it turns out they're pretty, pretty against them, and then the administrator of the school just looks into the logs, right, and they're like who was using Tor at the time of the bomb threat? Oh, it was that one guy in that dorm, we might go have a talk with them. So you can't just use Tor and be like I'm anonymous, no one can find me, doesn't quite work like that, right, you stick out pretty bad while using it. Now the mitigation here is don't crack under interrogation, because just using Tor alone isn't enough to get you put in prison, but this guy got interviewed by the FBI, came knocking on his door, did you do that? And he was like yeah, I'm sorry, I'm sorry, what have I done. So don't, don't talk to the police, man, gonna get caught.

Yeah, okay, now we are into the fun stuff. I hope I'm not going too fast or too slow. Who cares about Firefox exploits, speaking of popping Apache and PHP, end users, who cares about them, we wanna pop Silk Road. And so we got some demos for you, yeah, ooh yeah, demo time. So we can be looking at OnionScan, so this was some sweet software written by someone called Sarah. Oh no, Twitter notifications, I really thought they wouldn't happen this time, I don't even have the Twitter tab open and it's still happening, okay, hang on, I can't live. Okay, we're going to this window here, just connect, dude, let's hope my internet is still working. So we're gonna start off, we are going to start off with running OnionScan because it takes a little while I think. Okay, so I've got the hostname there, I've got OnionScan running, curl. OnionScan scans onions, funnily enough, and it tries to find issues with their security. So this, oh, give me, give me one second here, can I just, this is not easy, thinking why, the code of conduct violation that I had soon, okay.

So I did, I did apt-get install apache, apt-get install tor, and configured Tor to listen to this website. So here's the website, you could go to it if you want to, it's just the default Apache page, nothing, right. If you installed Apache out of the box it's gonna be secure is what you might think; you might be wrong. If you go to /server-status, as you might expect, forbidden, you don't have permission, sorry. But, OnionScan is still going, we will leave that to finish, but if we go to here, this is the Tor page if you've never used it before, that's what comes up when you open Tor, it's like yay, Tor protecting people, yay, it's pretty good, and it's like oh yeah, you're gonna get hacked, bro, don't worry about that. Anyway, yeah, yeah, here's the same site, so over Tor, exact same thing, except now, I won't get distracted, I won't get distracted, here we are. Now you might be wondering what on earth is happening here, and you might be a super sleuth and realise that it's all like 127.0.0.1, because, well, Tor is talking to Apache over localhost, and Apache is taught: if you're connecting to me over the local address you are clearly trusted, you are on the system. You'll find it's not the case.

So the information exposed by a default server-status page out of the box is enough to really cause havoc. These are just what happens when you run a server on the internet, right, but there's often a lot of information in here, enough that you can be completely deanonymized, and if you had any other status pages, if you ever had something like an admin panel there that is like oh, you're localhost, you'll pretty be okay, you're gonna be screwed here as well. So it's kind of one of the weird interactions between Tor and the other stuff. So here we are, OnionScan ran, it checked a lot of stuff. It checks for things like images, favicons, analytics links, SSH keys, anything you can use to link together different services or deanonymize you, it's going to search for that. So really great tool if you're into this stuff, and it covers most of the basic stuff, so if you do run a darknet market, check out OnionScan.

Yeah, why this is bad, it's very bad. I'll just quickly show you the torrc so you can see what's kind of happening. Where are we, is that readable? It's not readable, is it. It's okay, hang on one second, I will, it's somewhere here, there's a heavy font, yeah, you can tell I'm a pro at doing talks, right, 48 should be big enough, why, oh geez, somewhere here, here we are. HiddenService, that you actually can't see it, HiddenServiceDir. All I've done in the default config is uncomment this line and this line; this connects back on port 80 to yourself and sets up a directory for storing that stuff. So that is OnionScan, that is a tool you can use to make sure you are not going to be hacked if you are running dodgy websites. Okay, we're gonna go back into presentation mode where the notifications will go away, I really hope, at least, look at that, they're gone, hahaha.

Okay, so that was OnionScan, I hope that helps, check it out. She does like a bunch of other research, one of the things she does is quantifying exactly how many sites there are of which kinds on the internet. If you ever thought of yourself like oh, honey, I've seen the sites on the dark net, it's just the most horrible, atrocious websites: they're mainly, no, they're mainly just dodgy people doing dodgy things that aren't quite that dodgy. She's quantified a lot of that and kind of done some stuff. There's another weakness in how hidden services work at the moment, that you can actually kind of enumerate them: with enough time you can list every site hosted on Tor. They're kind of fixing that, I think you can't even do it right now, but it was like that for a long time, so you could quantify exactly what percentage of sites are dodgy.

Hey, yeah, it's a default install of Apache, it's localhost, for a start, you've got to be aware of that stuff when you're running a site, especially if you take off-the-shelf software, right, like Apache, you would think it'd be secure, it's actually not, for these reasons. Now Silk Road had some other stuff going on here, right, like one of the core issues is that if you have insecure software on your server, which, spoiler alert, you totally do, and someone hacks it, they can just go curl whatismyip.com, like that's a really horrible situation to be in. So Silk Road, this is a Reddit thread where someone logged in and they saw just a massive amount of debugging information on the front page, including cleartext IP addresses, and for those who don't know, that's because Dread Pirate Roberts was like a really good PHP developer who did everything in production. There's just like var_dump there, yeah, I'll see what, what that is, and it had a bunch of stuff that could have been used to deanonymize. So you know, like that's kind of what's going to happen, someone's going to leak some information eventually, but you need to stop putting your hidden services on the public internet. They don't need public internet access, all they need access to is Tor, that's it. The other problem here is that if you have three different hidden services, or even just one server serving some hidden services and some not, you can, you can do things like SSH keys, timestamps, you can correlate those and just be like I'm pretty sure it's Greg from down the road, so you get the exact same timestamp down to the nanosecond, things like that. These are two things you can do to stop these kind of attacks happening.

Now I made Freedumb Host, do you get it? It's like Freedom Hosting but it's dumb, so that's Freedumb Host. So it's a set of tools for hosting company platform infrastructure. It's based on the grugq's PORTAL of Pi, which, if you also don't know, there is basically the same kind of idea: if you want to access Tor and you don't want to get hacked, you can set up a little Raspberry Pi that acts as a Tor router, plug that into your computer and turn off the Wi-Fi and everything, and now you're guaranteed to be going through Tor, even if someone did one of those Firefox exploits on you. It doesn't matter, because that computer could be completely owned, it still can't get past the Raspberry Pi that's acting kind of like a firewall here; they'd have to have like a Linux remote exploit or an exploit in the Tor daemon itself, which doesn't seem particularly likely. So this is one way to prevent that happening, and this is kind of how Freedumb Host came about. It doesn't require anyone to trust the service, because if you're signing up for a host on the internet and it's free, you just be like give me one, and Freedumb Host is just gonna be like sure, buddy, I don't have anything to verify you with. So then you get a virtual machine, right, you log into that, you don't need to trust the person who's hosting the virtual machine, because they can't know who you are, there is no way for them to know who you are, and that's how Freedumb Host works.

And of course, because I am very smart, I ran this in the real world. As I said, it was free, and I just gave anyone on Tor a free virtual machine, and I'm not a lawyer, but I think if you do it for free and you say it's research, like, they let you off, so, uh, I think I'm okay, but I did it anyway. Oh, let's skip over that one because I didn't take that out, clearly. So how did it go, right? I had two people emailing me whenever the service went down, so if you think like normal people are bad, Tor users, they can be quite bad as well: "it's down!" I know, I unplugged it, it's down. There were multiple political and informational blogs, and this is one of the really interesting things for me, is that they were just people wanting to put out like weird opinions out there, people just wanted to have a place where they can host some website, especially for free, because even on the clearnet, like, getting a free website is kind of hard, so there was that kind of thing. There's an I2P proxy service, so I2P is another anonymization network thing, and I'm guessing this was someone who wanted to like use my bandwidth to contribute to their network, which is fine, like I'm all for that, and I think it's like a really interesting use of kind of free services, it's like promoting more anonymity and stuff. There was one, like, send Bitcoin, receive child pornography site. It was like purely text, but I can see all that because I run the virtual machines, so I immediately deleted it. So like, it's really interesting, because what do you think of when you think, give anyone on Tor a free virtual machine? Like if you're anything like me you probably thought like hell no, that is gonna work out really bad, and it actually works out okay, at least for the amount of time I did it. So I would totally recommend that you have a think at least about doing this. If you have something to contribute, bandwidth, servers, maybe you should look at doing something with this and getting a first-hand experience of what's actually on Tor and why you might support it, that kind of thing.

So I will briefly go over the architecture. Yeah, physical Raspberry Pi, once again you could replace this with any server. I had so many issues with just like running Tor on a Raspberry Pi, turns out those aren't powerful, who knew, so that was a cause of frustration for me. Each Raspberry Pi just runs the Tor daemon and configuration management, that's all it runs. Each virtual machine's in its own VLAN that can never talk to each other, there's a management VLAN, oh, and there's transparent iptables rules that route everything over Tor. So even if you pop the virtual machine you get nothing, if you then proceed to use a hypervisor escape you still have nothing, and if you've got some 0day, I would like someone to do that. And then only if you find a bug in the Tor daemon or something like that, or in iptables, do you then have a chance of deanonymizing this server, which is kind of like the ideal situation if you are running a darknet market. And I would hope, if someone like shells your server and then does a guest-to-host, I'd hope you'd have some way of figuring that out, like before it gets to the point you're deanonymized. So that's kind of the hardened Freedumb Host situation. Yes, so it's all running on separate physical hardware, separate from the virtual machines, and it's Hardened Gentoo based, which back when I made it was actually a viable thing to do. Now Hardened Gentoo doesn't exist because of the whole grsec thing, so maybe you're gonna be able to in the future, but I'll be posting, and then you can go back there, there's, somewhere there was a GitHub link in there which you can check out. So I'm gonna have Freedumb Host on GitHub, you can check out the code and run it. And there we are, so anyone have any questions or anything like that? Are we doing questions? Ideally not. Again, no questions, but you can come and see me after. If anyone has a question you're now welcome to ask. Again, yeah.

Yeah, so the question was how long did I run it for. I'm gonna say around six months, but it wasn't running the whole time because I was developing it as I was running it. It was like a two year long project, and you have to get hardware and stuff. I'd say around six months, but yeah.

Yeah, so the question was how can you detect, or is there a way to detect dodgy sites. Now I believe if, if you talk to like DIA, you know, the right people, you can get hashes of images that you really don't want on your server. That's one of the detection mechanisms, is just hash every image coming through, and if you have a list of bad hashes you can immediately shut down these sites. Keywords would probably also work, but you run the risk of shutting down sites; in this case I don't think there's a big risk of like shutting down a legit site, because it's free, like, I don't care, remake it. So there are some ways of doing it, but I think it's gonna be manual a lot of the time, because what constitutes bad? If there are no images, if it's just a site dedicated to something really horrific but there's no images, you're probably gonna have to look at the stuff yourself, which is a real downside if you did wanna run this, is that you have to be constantly monitoring, because you, you don't want to, especially in my case, my rules were nothing immoral. If you wanted to run Silk Road, like, go ahead, I'm all for drugs, but if you wanted to run something else then no, not allowed, I'm gonna be checking there, I'm gonna be shutting this down, and I guess I'm lucky I didn't have to deal with any of that. But automating it is a tough job, maybe it'd be interesting to do as a project.

Yeah, no, so the question was, was it manually approved, and the answer is no. It was literally like, I wish I had it running right now to just show you, you literally click a button and it waits 30 seconds and then it says okay, your virtual machine's ready, these are the details, log in. You've got root on a virtual machine right away, so it was, it was fast, it was free, it was just click it and get it, which is how like a lot of this free stuff should be, especially on Tor where you don't want to give away personal information. Why not just make it instant? And you can't really vet over Tor anyway, like, Greg McGregor, like, is he gonna do stuff? How do you know? Like, are you gonna ask for personal information? Well then it kind of defeats the purpose. So yeah, yeah.
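The localhost-trust interaction the talk demonstrates with /server-status can be checked mechanically. The following is an added example, not OnionScan or any code from the talk: it reads a torrc and an Apache config and flags Location blocks whose access control is loopback-based whenever Tor forwards onion traffic to a loopback address, since every onion visitor then reaches Apache from 127.0.0.1 and passes the check. The two config fragments are constructed, and the /admin location is hypothetical.

```python
"""Flag Apache access rules that trust the loopback address on a Tor hidden
service host.  Tor forwards onion connections to the HiddenServicePort target,
so when that target is 127.0.0.1 every anonymous visitor reaches Apache from
localhost and satisfies "Require local" / "Require ip 127.0.0.1" / "Allow from
127.0.0.1".  Added example, not OnionScan code; sample configs are constructed.
"""
import re

# Constructed torrc fragment: the two lines the talk uncomments in the default config.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
"""

# Constructed Apache fragment: the stock mod_status stanza, a hypothetical admin
# panel that relies on the same localhost assumption, and one block that does not.
SAMPLE_APACHE_CONF = """\
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
<Location /admin>
    Require ip 127.0.0.1
</Location>
<Location /public>
    Require all granted
</Location>
"""

LOOPBACK = ("127.", "::1", "localhost")

# Directives that grant access because the client looks local.  "Require local"
# matches 127.0.0.0/8, ::1 and the server's own address; the other two are
# explicit loopback allow-lists in Apache 2.4 and 2.2 syntax respectively.
LOOPBACK_RULES = (
    re.compile(r"^\s*Require\s+local\s*$", re.I),
    re.compile(r"^\s*Require\s+ip\s+(.+?)\s*$", re.I),
    re.compile(r"^\s*Allow\s+from\s+(.+?)\s*$", re.I),
)
LOCATION_BLOCK = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def is_loopback(addr):
    return addr.lower().startswith(LOOPBACK)


def hidden_service_targets(torrc):
    """Return the set of (host, port) that Tor forwards onion traffic to.

    HiddenServicePort VIRTPORT [TARGET]: TARGET may be host:port, a bare port
    (host defaults to 127.0.0.1) or absent (127.0.0.1:VIRTPORT).
    """
    targets = set()
    for line in torrc.splitlines():
        m = re.match(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", line)
        if not m:
            continue
        virtport, target = m.groups()
        if target is None:
            targets.add(("127.0.0.1", int(virtport)))
        elif target.startswith("unix:"):
            continue  # a unix socket never presents a TCP client address
        elif ":" in target:
            host, port = target.rsplit(":", 1)
            targets.add((host.strip("[]"), int(port)))
        else:
            targets.add(("127.0.0.1", int(target)))
    return targets


def find_loopback_trust(torrc, apache_conf):
    """Return [(path, directive)] for Location blocks any onion visitor passes.

    Only relevant when some HiddenServicePort target is a loopback address,
    because that is what makes every Tor connection originate from 127.0.0.1.
    """
    if not any(is_loopback(host) for host, _ in hidden_service_targets(torrc)):
        return []
    findings = []
    for path, body in LOCATION_BLOCK.findall(apache_conf):
        for line in body.splitlines():
            for rule in LOOPBACK_RULES:
                m = rule.match(line)
                if not m:
                    continue
                allowed = m.group(1).split() if m.groups() else ["local"]
                if allowed == ["local"] or any(is_loopback(a) for a in allowed):
                    findings.append((path, line.strip()))
    return findings


if __name__ == "__main__":
    for path, directive in find_loopback_trust(SAMPLE_TORRC, SAMPLE_APACHE_CONF):
        print(f"{path}: '{directive}' is satisfied by every onion visitor")
```

The remediation the talk implies is to stop relying on "local" for anything reachable through the hidden service: remove the status handler or restrict it to an administrative address that Tor never forwards from.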