BRKSEC-2011
About Garlic and Onions A little journey…
Tobias Mayer, Technical Solutions Architect
We are all looking for privacy on the internet, for one reason or another. This session is about some technologies you can use to anonymise your network traffic, such as Tor (The Onion Router). The first part gives an introduction and explains the underlying technology of Tor. We will look not only at how you can use the Tor Browser for access, but also at how the Tor network itself works. We will learn how a Tor session is established, how hidden websites are found, and give examples of some of them... so we will enter the Darknet together. Besides Tor, we will also take a quick look at other techniques like I2P (garlic routing). In the last section we do a quick sanity check of which security technologies we can use to (maybe) detect such traffic in the network. This presentation is aimed at everyone who wants to learn about anonymization techniques and have a little bit of fun in the Darknet.
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Me…
CCIE Security #14390, CISSP & Motorboat driving license… Working in Content Security & TLS Security tmayer{at}cisco.com Writing stuff at “blogs.cisco.com”
Agenda
• Why anonymization?
• Using Tor (Onion Routing)
• How Tor works
• Introduction to Onion Routing
• Obfuscation within Tor
• Detecting Tor
• I2P – Invisible Internet Project
• Introduction to Garlic Routing
• Freenet Project
• Conclusion
Different Intentions
Hide me from the government! Hide me from my ISP! Hide me from tracking!
Bypass corporate policies / Bypass country restrictions (videos…) / Access hidden services
Browser Identity
Tracking does not require a “name”: it is done by examining the parameters your browser reveals. https://panopticlick.eff.org
Proxies
EPIC Browser
Firepower App Detector for Proxy Traffic
Traffic to an external proxy is detected
VPN
• Combine a VPN service with proxies
• Provides an additional anonymization layer
• You have to trust the VPN provider that they do not log…
https://thatoneprivacysite.net/vpn-section/
Trust your VPN / Proxy?
• Statement from “Hide-my-Ass”
• “If you do illegal things, we cooperate with Law Enforcement”
• They track the user…
Trust your VPN / Proxy? https://thebestvpn.com/chrome-extension-vpn-dns-leaks/
• Chrome Browser leaking the real IP because of DNS prefetching
• Despite using a VPN service…
Tracking VPN & Proxies
Enumerating known VPN & proxy IPs
The Deep Web / The Dark Web
The (partial) Reality https://gizmodo.com/the-deep-web-is-mostly-full-of-garbage-1786857267
Bill, stop searching …
About Tor – The Onion Router
• Open source software / public design specs
• Data is encrypted in multiple layers and sent through multiple routers
• Each router decrypts the outer layer, finds its routing instructions and sends the data to the next router
• The result is a completely encrypted path through randomly chosen routers
How is the Tor Network built?
• The Tor network consists of relays
• Relays are just nodes where the Tor software is installed
• They build encrypted connections to other relays, forming an overlay network
• Everyone can run a Tor relay and contribute to the network…
The Tor Browser – Connecting to the Tor Network
• Goal: provide anonymity and access to censored and/or hidden resources
• Special browser based on Mozilla Firefox that establishes a circuit through the Tor network
• Can connect directly or through proxies
• Often used in combination with VPNs
Tor circuit construction (diagram: client, OR1, OR2, OR3 with their public keys PK OR1, PK OR2, PK OR3 and the negotiated session keys SK1, SK2, SK3)
1. The Tor client selects three relays (OR1, OR2, OR3) out of all Tor relays (weighted by bandwidth, not uniformly at random) and takes their public keys from the consensus.
2. The client sends a DH handshake to OR1 in a CREATE cell; the client’s key share is protected with OR1’s public key.
3. OR1 completes the handshake; the symmetric key SK1 now exists between client and OR1.
4. The client sends a RELAY_EXTEND cell to OR1 (encrypted with SK1), asking it to extend the circuit to OR2. The key share for OR2 is protected with OR2’s public key, so OR1 cannot read it.
5. OR1 sends a CREATE cell to OR2; OR2 responds and the symmetric key SK2 now exists between client and OR2 (OR1 only forwards the handshake).
6. The same RELAY_EXTEND step, now relayed through OR1 and OR2, creates SK3 with OR3.
7. Web requests follow the circuit: the client wraps each cell in SK3, then SK2, then SK1; each relay removes its own layer and forwards the rest to the next hop. Only the exit sees the plaintext request, only the guard sees the client’s address.
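The seven steps above as a runnable toy model. This is an added example, not tor’s code: a small Diffie-Hellman group (a 127-bit Mersenne prime) stands in for the TAP/ntor handshakes, a SHA-256 counter keystream stands in for AES-CTR, and the RELAY_EXTEND transport is collapsed (the client hands each key share to the relay directly). What it does show is the part that matters: each relay derives its own SK, peels exactly one layer, learns only the next hop, and only the exit ever sees the payload.

```python
"""Toy model of Tor circuit construction and onion-layered relaying (added example)."""
import hashlib
import secrets

P = 2**127 - 1   # toy DH group; tor's TAP handshake uses the 1024-bit RFC 2409 group 2 prime
G = 3


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream; applying it twice restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def derive_key(shared_secret: int) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Relay:
    """An onion router. It only ever knows the previous and the next hop of a circuit."""

    def __init__(self, name: str):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)   # published, like the relay's onion key in the consensus
        self.circuit_keys = {}             # circ_id -> SK shared with the circuit's client

    def handle_create(self, circ_id: int, client_share: int) -> None:
        """CREATE: finish the DH handshake and store the circuit key."""
        self.circuit_keys[circ_id] = derive_key(pow(client_share, self._priv, P))

    def relay(self, circ_id: int, cell: bytes):
        """Peel one layer; return (next_hop, inner_cell). next_hop is 'EXIT' at the last hop."""
        inner = keystream_xor(self.circuit_keys[circ_id], cell)
        header, _, rest = inner.partition(b"|")
        return header.decode(), rest


class Client:
    def __init__(self, path):
        self.path = path   # [guard, middle, exit]
        self.keys = []     # SK1, SK2, SK3 in hop order

    def build_circuit(self, circ_id: int = 1) -> None:
        for relay in self.path:
            x = secrets.randbelow(P - 2) + 1
            # Hop 1 gets a CREATE cell directly. For hops 2 and 3 the same key share
            # travels inside a RELAY_EXTEND cell through the hops already built; the
            # toy skips that transport and hands the share to the relay directly.
            relay.handle_create(circ_id, pow(G, x, P))
            self.keys.append(derive_key(pow(relay.pub, x, P)))

    def wrap(self, payload: bytes) -> bytes:
        """Build the onion: exit layer innermost, guard layer outermost."""
        cell = b"EXIT|" + payload
        for hop in range(len(self.path) - 1, -1, -1):
            if hop < len(self.path) - 1:
                cell = self.path[hop + 1].name.encode() + b"|" + cell   # routing instruction
            cell = keystream_xor(self.keys[hop], cell)
        return cell


def send_through_circuit(client: Client, payload: bytes, circ_id: int = 1):
    """Walk a cell hop by hop. Returns ([(relay, next hop it learned) ...], exit payload)."""
    by_name = {r.name: r for r in client.path}
    cell, current, observed = client.wrap(payload), client.path[0], []
    while True:
        next_hop, cell = current.relay(circ_id, cell)
        observed.append((current.name, next_hop))
        if next_hop == "EXIT":
            return observed, cell
        current = by_name[next_hop]


if __name__ == "__main__":
    relays = [Relay("OR1"), Relay("OR2"), Relay("OR3")]
    client = Client(relays)
    client.build_circuit()
    seen, plaintext = send_through_circuit(client, b"GET / HTTP/1.1")
    print(seen)        # [('OR1', 'OR2'), ('OR2', 'OR3'), ('OR3', 'EXIT')]
    print(plaintext)   # visible to the exit (and to anyone watching the exit) only
```

Because the guard’s layer is removed first, the cell that leaves the client contains neither the payload nor the exit’s name in readable form; an observer on the client’s network sees only random bytes addressed to OR1, which is exactly the property the exit-node slide below relies on.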
Tor Directory Authorities https://atlas.torproject.org/#search/flag:authority
Every hour all authorities compute a common status document called the “consensus”.
• A small set of highly trusted servers that hold the list of all active Tor relays
• The Tor client ships with this predefined list and the corresponding public keys
• Every hour the authorities agree on the most recent list of relays (“voting”): each DirAuth publishes and signs its own relay list (its vote) to all other DirAuths, and from the votes they create the “consensus”
• The Tor client downloads the consensus at first start
• The client receives the consensus together with the authorities’ signatures and trusts it only if more than half of the authorities it knows have signed it
• Tor relays can act as “directory caches”, where clients fetch an updated consensus without contacting the directory authorities
List of all Tor Relays https://torstatus.blutmagie.de/
Flags
Tor Relay: EXIT_NODE (diagram: client → OR1 → OR2 → OR3 → website)
If you request plain HTTP, your traffic is visible to the exit node (OR3) in cleartext.
Tor Browser – Don’t leak information!
Do your own spylink
Tor Exit Relay List https://check.torproject.org/cgi-bin/TorBulkExitList.py
Customizing Tor
“torrc” = config file
Customizing Tor (2)
Also use IPv6 relays
Define the geolocation of your exit nodes
Customizing Tor (3)
Exit node from Germany
Customizing Tor (4) – some settings for torrc
ClientOnly 1            # never act as a relay (and therefore never as an exit node)
ExcludeNodes            # avoid the nodes / countries listed
StrictNodes             # if set to 1, Tor strictly enforces ExcludeNodes even if no circuit can be built
EnforceDistinctSubnets  # don’t select two nodes from the same /16 subnet
FascistFirewall 1       # only contact relays on ports 80/443 (affects the entry side only, not the exit)
EntryNodes              # only use these entry nodes
ExitNodes               # only use these exit nodes
ExcludeExitNodes        # never use these nodes as exit
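The settings above combined into one client-only torrc, as an added example that is not from the slides. Country codes, the exit choice and the commented bridge lines are illustrative assumptions; the directive names and semantics are those of the tor manual.

```conf
# Added example torrc for a client-only Tor instance (not from the slides).
ClientOnly 1                  # never relay for others, even if an ORPort were configured
ExcludeNodes {ru},{cn},{ir}   # never use relays geolocated in these countries, at any position
ExcludeExitNodes {us}         # additionally never exit through the US
StrictNodes 1                 # hard-enforce ExcludeNodes: better no circuit than an excluded relay
EnforceDistinctSubnets 1      # no two hops from the same /16 (this is already the default)
ExitNodes {de}                # "Exit node from Germany": pin the exit country
FascistFirewall 1             # we sit behind a firewall: only reach relays on tcp/80 and tcp/443
ClientUseIPv6 1               # allow IPv6 relays in circuits
# When direct relay access is blocked, use bridges instead (lines obtained from BridgeDB;
# placeholders here): the IP/port and the fingerprint are exactly what the "Custom Bridges"
# slide shows.
# UseBridges 1
# ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# Bridge obfs4 <ip>:<port> <fingerprint> cert=<cert> iat-mode=0
```

Two caveats a practitioner will hit: a broad ExcludeNodes list with StrictNodes 1 can leave tor unable to build any circuit, and pinning ExitNodes to one country shrinks the pool of exits you rotate through, which makes you easier to correlate. Both are trade-offs between reachability, performance and anonymity, not free hardening.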
DNS for access to well-known websites (diagram: client → OR1 → OR2 → OR3 → DNS server)
The Tor exit relay is responsible for DNS resolution
DNS leaking for access to clearnet websites https://nymity.ch/tor-dns/
Which resolver an exit relay uses matters:
• ISP resolver
• Traversing the least number of ASes
• Own resolver
• QNAME minimization
1.1.1.1 – DNS over Tor https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/
Bridges
Bridges are relays that are not announced in the directory consensus. You can request bridges, but you will never get the full list: three bridges are handed out per request.
Custom Bridges
A custom bridge line consists of the bridge’s IP & port and its fingerprint.
Hidden Websites – ”.onion” links http://xmh57jrzrnw6insl.onion/
DEMO: Some websites in the Darknet….
Some links
• Tor Mailbox http://torbox3uiot6wchz.onion/
• Torch http://xmh57jrzrnw6insl.onion/
• The Hidden Wiki http://zqktlwi4fecvo6ri.onion/wiki/Main_Page
• Imperial Library of Trantor http://xfmro77i3lixucja.onion/
• DuckDuckGo https://3g2upl4pq6kufc4m.onion/
• The Federalist Papers (Onion v3 Service) http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
Some links
• Deepdotweb http://deepdot35wvmeyd5.onion/
• The unbelievable tale of a hitman… https://www.wired.co.uk/article/kill-list-dark-web-hitmen
• Hidden Answers Forum http://answerszuvs3gg2l64e6hmnryudl5zgrmwm3vh65hzszdghblddvfiqd.onion/
• Fake Identity Generator http://elfq2qefxx6dv3vy.onion/fakeid.php
• Daniel’s Onion Link List http://donionsixbjtiohce24abfgsffo2l4tk26qx464zylumgejukfq2vead.onion/onions.php
Facebook via Tor
Onionrouting – how a client reaches a hidden service (diagram: onion server, introduction point, rendezvous point, HS directory server, client)
1. Set up the hidden service (create a public/private key pair) and build circuits to the chosen introduction point(s).
2. Publish the hidden service descriptor (introduction points and public key) to six of the HS directory servers. The responsible servers are calculated by a function of the consensus status document and the “.onion” address; the set changes once a day (different HSDirs…).
3. The client asks one of the responsible directory servers for the hidden service and receives its public key and introduction points.
4. The client selects a random relay as rendezvous point (RP) and builds a circuit to it.
5. The client contacts an introduction point and asks it to forward the information about the rendezvous point to the hidden server. The message includes a one-time secret.
6. The introduction point passes the message to the hidden server, telling it about the RP.
7. The server builds its own circuit to the RP and presents the one-time secret from the client.
8. The client communicates with the hidden server via the rendezvous point: 3 relays from the client, 3 relays from the server, so neither side learns the other’s address.
DEMO: Onionshare
#1 HSDir hash function (Onion Service v2) http://xmh57jrzrnw6insl.onion/
The v2 .onion address is the first 80 bits of the SHA1 of the 1024-bit RSA public key; the descriptor ID is a hash of that permanent ID, the current time period and the replica number (diagram: the descriptor ID falls between HSDir n and HSDir n+1 on the fingerprint ring, so HSDir n+1, n+2, n+3 store the descriptor).
- Every input is public, so anyone can predict which HSDir relays will be selected at a certain point in time
- If you are the selected HSDir, you can control access or monitor connections for statistics
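The prediction the slide describes, as an added example (not tor’s code): it implements the v2 formulas from rend-spec-v2.txt in the torspec repository, takes the Torch address shown above as input, and selects the responsible HSDirs from a list of fingerprints. The fingerprint list and the timestamp are constructed; the base32 decoding, the time-period offset and the descriptor-ID derivation are the real v2 computation, which is exactly why an attacker can generate relay identity keys that land just after a target’s descriptor ID on a chosen future day.

```python
"""Predict which HSDirs hold a v2 onion service descriptor (added example, not tor's code).

v2 formulas (rend-spec-v2.txt):
  permanent-id  = first 80 bits of SHA1(RSA-1024 public key); base32 of it is the .onion name
  time-period   = (now + first_byte(permanent-id) * 86400 / 256) / 86400
  descriptor-id = SHA1(permanent-id | SHA1(time-period[4 bytes] | replica[1 byte]))
Each of the 2 replicas lives on the 3 HSDir relays whose identity digests follow the
descriptor-id on the fingerprint ring (wrapping around at the end).
"""
import base64
import hashlib

TIME_PERIOD = 86400
REPLICAS = 2
HSDIRS_PER_REPLICA = 3


def permanent_id(onion: str) -> bytes:
    """'xmh57jrzrnw6insl.onion' -> the 10-byte permanent-id."""
    label = onion.split(".")[0].upper()
    if len(label) != 16:
        raise ValueError("expected a 16-character v2 onion address")
    return base64.b32decode(label)


def time_period(perm_id: bytes, now: int) -> int:
    """The per-service offset spreads descriptor rotations over the day."""
    return (now + perm_id[0] * TIME_PERIOD // 256) // TIME_PERIOD


def descriptor_id(perm_id: bytes, now: int, replica: int) -> bytes:
    tp = time_period(perm_id, now).to_bytes(4, "big")
    secret_id_part = hashlib.sha1(tp + bytes([replica])).digest()   # no descriptor-cookie
    return hashlib.sha1(perm_id + secret_id_part).digest()


def responsible_hsdirs(desc_id: bytes, hsdir_fingerprints, n: int = HSDIRS_PER_REPLICA):
    """The n HSDirs at or after desc_id on the ring, wrapping around at the end."""
    ring = sorted(hsdir_fingerprints)
    start = next((i for i, fp in enumerate(ring) if fp >= desc_id), 0)
    return [ring[(start + k) % len(ring)] for k in range(n)]


def predict(onion: str, now: int, hsdir_fingerprints):
    """replica -> (descriptor-id hex, [responsible HSDir fingerprints hex])."""
    pid = permanent_id(onion)
    out = {}
    for replica in range(REPLICAS):
        did = descriptor_id(pid, now, replica)
        out[replica] = (did.hex(), [fp.hex() for fp in responsible_hsdirs(did, hsdir_fingerprints)])
    return out


if __name__ == "__main__":
    import os
    fake_ring = [os.urandom(20) for _ in range(50)]   # constructed HSDir identities, not real relays
    for replica, (did, dirs) in predict("xmh57jrzrnw6insl.onion", 1546300800, fake_ring).items():
        print(f"replica {replica}: descriptor {did} -> {dirs}")
```

Feed it the real HSDir-flagged fingerprints from a consensus and a timestamp one day ahead and you get the six relays that will serve the descriptor tomorrow. v3 breaks this in two places: the time period is mixed with a shared random value the authorities only reveal in the consensus for the current day, and the descriptor is stored under a blinded key, so the HSDir never sees the .onion address.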
#2 Protocol leaking (diagram: onion server http://xmh57jrzrnw6insl.onion/ publishing to the HS directory server)
- The HS directory server learns your .onion address
- This can be used to enumerate hidden services
#1 HSDir hash function with Onion Service v3 https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt
Add a global value to the HSDir hash function that:
- everyone has agreed upon
- is not predictable
This is done once a day as part of the consensus (the shared random value).
#2 Protocol leaking with Onion Service v3
The descriptor is signed with a blinded subkey, which prevents the HSDir server from deriving the real .onion address.
Only a client that knows the real .onion address (i.e. the real public key) can derive the blinded key and therefore verify and decrypt the descriptor.
Onion Service v3 https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt
SearX with a v3 .onion address (56 characters vs. 16 characters): http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion/
The address is the base32 encoding of the complete ed25519 public key plus a checksum and a version byte.
a) Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
b) Improved directory protocol leaking less to directory servers
c) Improved directory protocol with a smaller surface for targeted attacks
d) Better onion address security against impersonation
e) More extensible introduction/rendezvous protocol
f) A cleaner and more modular code base
DEMO: Some more websites in the Darknet….
Obfuscation
Tor Pluggable Transport https://www.torproject.org/docs/pluggable-transports.html.en
(diagram) Client App → loopback, SOCKS → PT client → obfuscated traffic → PT server → loopback → Server App
Tor Pluggable Transport https://www.torproject.org/docs/pluggable-transports.html.en
• obfs2: an additional encryption layer to obfuscate the stream; the key material is exchanged in cleartext, so a passive observer can recover it
• obfs3: negotiates a DH key for the obfuscation layer; not resistant to active probing
• obfs4: authenticates with a pre-shared key distributed out of band, which makes it resistant to active probing; obfuscates with an ephemeral DH key
• meek: hides the traffic in HTTP and TLS, leveraging domain fronting
Domain Fronting – the concept https://www.bamsoftware.com/papers/fronting/
• Use different domain names at different layers of the request
• Leverages the fact that a CDN forwards a request to the backend named in the HTTP Host header, even if that is not the domain seen in DNS and in the TLS handshake
DNS: A www.google.com
TLS: SNI: www.google.com
HTTP: ….. Host: www.evilrats.com
Domain Fronting with Tor (diagram: hidden domain behind the front domain)
Google and Amazon on Domain Fronting
https://arstechnica.com/information-technology/2018/05/amazon-blocks-domain-fronting-threatens-to-shut-down-signals-account/
Snowflake https://trac.torproject.org/projects/tor/wiki/doc/Snowflake
• Leverages WebRTC
• Broker access via different methods: domain-fronted, DNS over HTTPS
A Tor connection on the wire
The Request: the first relay is located in Russia
The TLS Client Hello: the SNI name does not match the website
The TLS Server Hello: the certificate CN differs from the SNI string
The Certificate, decoded: the issuer is yet another generated domain
The other two relay nodes: port 9001, generated strings as common name, self-signed…
This is more proof that Tor does not care about the content of the TLS certificates.
Tor Relay Certificates
• SNI string, CN name and issuer are just generated strings…
• Certificates are self-signed
• The purpose of the certificates is simply to provide a common method to exchange keys using the TLS protocol
• Tor client and relays do not care much about the certificate values
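Both observations, the domain-fronting mismatch between SNI and HTTP Host from the concept slide and the relay-certificate pattern from the captures (self-signed, generated www.<random>.com subject and www.<random>.net issuer, SNI unrelated to the CN, port 9001), as one added detection example. It is not Cisco’s, Tor’s or any vendor’s logic; the connection records are constructed, the field names are this example’s own, and the weights are a starting point to tune, not measured values.

```python
"""TLS-metadata heuristics for Tor relay links and domain fronting (added example)."""
import re
from collections import namedtuple

# One decrypted/inspected TLS connection as a proxy or NGFW could log it.
TlsConn = namedtuple("TlsConn", "dst_ip dst_port sni http_host subject_cn issuer_cn self_signed")

# tor builds link-cert names from a random base32 label of 8-20 characters.
GENERATED_COM = re.compile(r"^www\.[a-z2-7]{8,20}\.com$")
GENERATED_NET = re.compile(r"^www\.[a-z2-7]{8,20}\.net$")
WEB_PORTS = {80, 443}


def registrable(hostname: str) -> str:
    """Crude eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def classify(c: TlsConn) -> dict:
    reasons, score = [], 0
    if c.self_signed:
        score += 2; reasons.append("self-signed")
    if c.sni and c.subject_cn and c.sni.lower() != c.subject_cn.lower():
        score += 1; reasons.append("SNI != certificate CN")       # weak alone: SAN certs do this too
    if (c.subject_cn and GENERATED_COM.match(c.subject_cn)
            and c.issuer_cn and GENERATED_NET.match(c.issuer_cn)):
        score += 2; reasons.append("generated CN/issuer names")
    if c.dst_port not in WEB_PORTS:
        score += 2; reasons.append(f"non-web port {c.dst_port}")
    # Domain fronting is only visible after decryption, when the Host header can be read.
    fronting = bool(c.sni and c.http_host and registrable(c.sni) != registrable(c.http_host))
    if fronting:
        reasons.append(f"Host {c.http_host} behind SNI {c.sni}")
        verdict = "domain-fronting"
    elif score >= 4:
        verdict = "tor-relay-like"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def scan(conns):
    return [(c.dst_ip, c.dst_port, classify(c)["verdict"]) for c in conns]


# Constructed records (RFC 5737 addresses, made-up names), not real captures.
SAMPLE = [
    TlsConn("198.51.100.7", 9001, "www.q7xv3kplm2a.com", None,
            "www.bzr5k2m7tqe.com", "www.5h6kjd2pwnx.net", True),
    TlsConn("203.0.113.10", 443, "cdn-front.example", "hidden.example.net",
            "cdn-front.example", "Example CA", False),
    TlsConn("192.0.2.33", 443, "www.example.com", "www.example.com",
            "www.example.com", "Example Public CA", False),
]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

What this cannot see is also on the slides: an obfs4 bridge produces no SNI, no certificate and no recognisable port, so none of the fields above exist and the verdict degrades to “ok”. The certificate rule is also tied to tor’s current name-generation scheme and should be treated as one signal among several, not a signature.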
Detecting Tor
WSA – Decryption Policy
Predefined categories set to “Pass Through” still check for certificate errors! An invalid or expired certificate on the server makes the “pass through” fail.
WSA – Decryption Policy
Custom URL categories (best used for decryption exceptions): “Pass Through” bypasses all certificate checks, a true pass-through; “Decrypt” checks the certificate and the user gets a prompt (“untrusted CA”). Custom categories take precedence over predefined categories!
WSA – Certificate Error Handling
The default values provide a good balance between security and user experience. Remember: an end-user notification (EUN) for a “Drop” requires “Decryption for EUN”!
“Drop”: log the certificate error in the access log, decrypt and display the EUN.
“Decrypt”: log the certificate error in the access log, decrypt and re-sign with a deliberately “invalid” certificate, and let the client decide whether to accept the connection.
“Monitor”: do nothing; the decision is entirely up to the client…
WSA Logs
1513893450.780 65269 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.98:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.98 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893461.688 76177 192.168.178.55 NONE/504 0 CONNECT tunnel://192.99.11.54:443/ "tmayer@TOBYLAB" DIRECT/192.99.11.54 - OTHER-NONE-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893461.688 76178 192.168.178.55 NONE/504 0 CONNECT tunnel://154.35.22.9:443/ "tmayer@TOBYLAB" DIRECT/154.35.22.9 - OTHER-NONE-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893471.762 86252 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.26:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.26 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893509.387 584 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://193.23.244.244:443/ "tmayer@TOBYLAB" DIRECT/193.23.244.244 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893509.479 766 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://185.96.180.29:443/ "tmayer@TOBYLAB" DIRECT/185.96.180.29 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
WSA Logs (Invalid Leaf Certificate set to “Decrypt”)
1515881089.066 605 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://149.56.233.142:443/ "tmayer@TOBYLAB" DIRECT/149.56.233.142 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881089.815 356 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://89.163.224.250:443/ "tmayer@TOBYLAB" DIRECT/89.163.224.250 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881090.876 419 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://185.125.33.58:443/ "tmayer@TOBYLAB" DIRECT/185.125.33.58 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
Tor and WSA
• Activate the HTTPS proxy
• Tune the WSA to handle crypto errors in the log
• Block the category “Anonymizers and Filters”: will not block all connections, but some
• Check the logs for a combination of:
  • reputation blocks and category blocks
  • errors on hostname mismatch
  • errors on unrecognized root
  • connections to IP addresses
  • connections to non-web ports
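The log check from the last bullet, run over the nine access-log lines from the two “WSA Logs” slides, as an added example (not Cisco code). The field layout is read off those lines; the decision-tag substrings matched are the two that appear in them, and the per-client threshold and the indicator weights are assumptions to tune against your own baseline.

```python
"""Tor indicators in WSA access logs (added example; the log lines are from the slides)."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
1513893450.780 65269 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.98:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.98 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893461.688 76177 192.168.178.55 NONE/504 0 CONNECT tunnel://192.99.11.54:443/ "tmayer@TOBYLAB" DIRECT/192.99.11.54 - OTHER-NONE-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893461.688 76178 192.168.178.55 NONE/504 0 CONNECT tunnel://154.35.22.9:443/ "tmayer@TOBYLAB" DIRECT/154.35.22.9 - OTHER-NONE-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893471.762 86252 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.26:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.26 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893509.387 584 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://193.23.244.244:443/ "tmayer@TOBYLAB" DIRECT/193.23.244.244 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893509.479 766 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://185.96.180.29:443/ "tmayer@TOBYLAB" DIRECT/185.96.180.29 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881089.066 605 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://149.56.233.142:443/ "tmayer@TOBYLAB" DIRECT/149.56.233.142 - DEC!
"""
```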
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 91 Add Rules to FTD for Certificate Checking
Block
Self- signed Certificate Certificate Errors Errors
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 92 Firepower and Tor Some relays are detected and classified as Tor Traffic
..and some are not
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 93 Firepower and Tor (2) obfs4 obfuscated traffic No cert informations availible
Detecting Tor as Application
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 94 Firepower and Tor (3)
obfs4 obfuscated traffic Tor relay No App Detected tcp/80
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 95 Cognitive Analytics
As users go through a web proxy, access logs are generated
Cisco Cognitive Threat Analytics (CTA) Time | IP | URL | User Agent | … 2:45 | 54.62.37.10 | www.google.com | Mozilla (… 2:45 | 68.62.37.10 | www.yahoo.com | Mozilla (… 2:45 | 22.62.37.10 | www.cnn.com | Chrome (… Proxy 2:45 | 59.62.37.10 | www.seznam.com | Mozilla (… HTTP/HTTPS Headers (meta data) HTTP/HTTPS
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 96 CTA and WSA – Tor detection Distinguishes Tor by time, sequences, and recognition of hidden IP’s
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 97 Tor and Stealthwatch
• Stealthwatch downloads Tor directory list of entry and exit nodes every hour
• Cognitive downloads the Tor directory list every hour
• Cognitive analyzes connections on a global basis and tries to identify potential Tor relays • Analyzing certificate details from the TLS Handshake (via Stealthwatch & ETA netflow) • Correlating requests globally • Detection of new relays can come in retrospectively • No complete list of discovered gateways is being kept or exported
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 98 Tor and Stealthwatch
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 99 Tor and Stealthwatch with Cognitive
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 100 Tor and Stealthwatch with Cognitive
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 101 Tor and AMP for Endpoints
Obvious search for the Tor browser EXE
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 102 Tor and AMP for Endpoints
Deeper Analysis of the connections being made
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 103 Embedded Tor in Browser https://brave.com/
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 104 TorChat
• Chat application based on Tor Network • Easy to use, just exchange Tor Client ID • https://github.com/prof7bit/TorChat • Forked for Mac OSX
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 105 Enterprise Onion Toolkit
• Enterprise Onion Toolkit https://github.com/alecmuffett/eotk
https://blog.torproject.org/volunteer- spotlight-alec-helps-companies-activate- onion-services
https://open.nytimes.com/https-open- nytimes-com-the-new-york-times-as-a- tor-onion-service-e0d0b67b7482
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 106 DEMO: SSH over Tor SSH Server behind Tor
• Potential usecase: Remote Access in your network for SSH • Deploy a SSH Server in your network • Deploy a hidden TOR Server in front • Don’t advertise the public key • Works behind NAT • No Open Ports in the firewall • Secure Login with DUO MFA
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 108 Tails
• https://tails.boum.org • Secure OS based on modified Linux • Only communicates outside via Tor • Has Thunderbird, Pidgin IM, etc. already preconfigured • Can be run from USB Stick
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 109 Summary of Tor usage guidelines Basic security:
• Disable automatic launch of scripts by using setting of “safest”
• Avoid darknet sites that do not offer HTTPS
• Do not reuse same logins on darknet and clearnet! (Silk Road..)
• Communicate using PGP (email, IM, etc…) Intermediate security = Basic security plus
• Use Tor over VPN
• Learn to use bridges with Tor
• Use a safe OS like “Tails” High Security = Intermediate security plus
• Dedicated, trusted hardware (no virtual image)
• Use Qubes https://www.qubes-os.org/
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110 How SILK ROAD owner was revealed
• Ross Ulbricht, the mastermind behind Silk Road
• On October 11, 2011, an account named “altoid” posted on bitcointalk.org a thread titled “a venture backed bitcoin startup company”, looking for partners for a bitcoin startup. Altoid referred people to contact him at [email protected]. He also discussed the “Silk Road” marketplace in the thread. Shortly after, Silk Road was advertised on the forum “shroomery.org” by a user also named “altcoin”.
• Ross’s Youtube channel and Google Plus page included links to Mises Institute, an Austrian blog that published content related to the economic theory. On the Silk Road forum, DRP also backlinked to Mises Institute and shared the site’s content there. Through one of these posts, he mentioned that his time zone is the (PT), i.e. the Pacific Time zone.
• Ross posted on Stakoverflow this question “How can I connect to a Tor hidden service using curl in PHP?”. Initially, Ross posted the question using an account aliased with his real name, yet less than a minute later, the account’s alias was changed to “frosty”.
• Ross bought 9 fake identification documents that included his real picture, yet different names. The US border customs intercepted the package which had been shipped from Canada to Ross’s apartment in San Francisco.
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 111 I2P – Invisible Internet Project I2P https://geti2p.net/en/ • Packet-switched anonymous network layer (ard. 70K users)
• Distributed Network database of routers (no Directory Servers)
• Provides anonymous web browsing, chat, email, IM, file sharing, …
• Opensource
• Built as its own hidden network, not as an anonymization tool
• Using UDP for transport
• Java based
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 113 Inbound and Outbound Tunnels
• Every routers has one or more inbound and outbound tunnels
• Lifetime of 10 min
• Routers are both relays and nodes • Relay: forward other message to other routers • Nodes: sending or receiving messages for themselves
• Inbound tunnels require port forwarding for optimizing throughput • Cumbersome to use within corporate networks (but not impossible ;) )
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 114 I2P – Technolgy
NetDB 3 Alice: 1,2 4 Simon: 3,4 InboundTunnels Bob: 5,6 1 Simon 2
Alice 5 6 Outbound Tunnels Bob
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 115 NetDB
• Super-Peers (aka floodfill peers) hold a network database (distributed hashtable)
• This contains two informations : “routerInfo” and “leaseSets”
• routerInfo – stores information on specific I2P routers and how to contact them (public key, identifier, contact information)
• leaseSets – stores information on a offered service (i.e. I2P websites, email servers, etc.); entry point of a specific tunnel
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 116 Initialization
• Initial set of active peers is loaded from some public sources • Hardcoded into the software
• Every router collects a local statistic of other active peers
• When a router is successfully selected for establishing a tunnel, key exchange is happening
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 117 Garlic Routing
• Each message sent can be sent through any other router
• Several different messages can be sent within one encrypted packet
• Similar to Garlic that can hold several cloves
Many cloves inside the “head”
Garlic Cloves
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 118 I2P – Joining the network
Alice Peter Jan
NetDB
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 119 I2P – Building a tunnel
Build tunnel Build tunnel
Alice Peter Jan
NetDB
BRKSEC-2011 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 120 I2P – Building a connection
CONNECT Tunnel
Alice Peter Jan Clara Simon Bob
NetDB
I2P – Encryption
[Diagram: Alice, Peter, Jan, Harry, Eve, Clara, Simon, Bob – outbound tunnel on Alice's side, inbound tunnel on Bob's side, the garlic message travelling end to end]
Tunnel encryption: AES
Transport encryption: DH + AES
Garlic encryption: ElGamal + AES
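The garlic idea from the slides above (several cloves in one encrypted packet that only the destination can open, with the NetDB leaseSet telling Alice where to send it), as an added Python model that is not part of the original deck or of the I2P project. The NetDB contents, keys, addresses and clove payloads are constructed, and a toy keystream cipher stands in for ElGamal+AES.

```python
import hashlib
import hmac
import json

# Toy keystream cipher (HMAC-SHA256 counter mode XORed onto the data). It only makes the
# bundle opaque without Bob's key; it is NOT I2P's real ElGamal+AES and must not be reused.
def toy_crypt(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

# Constructed NetDB with the two record types from the slides (placeholder names/keys/addresses).
NETDB = {
    "routerInfo": {"Simon": {"addr": "192.0.2.3:23852"}, "Peter": {"addr": "192.0.2.1:23852"}},
    "leaseSets": {"bob.i2p": {"garlic_key": b"bob-constructed-key",
                              "leases": [{"gateway": "Simon", "tunnel_id": 5}]}},
}

def build_garlic(dest: str, cloves: list) -> dict:
    """Alice: resolve Bob's leaseSet to an inbound-tunnel gateway and bundle several cloves
    into ONE encrypted garlic message. Tunnel hops only ever forward the opaque blob."""
    ls = NETDB["leaseSets"][dest]
    lease = ls["leases"][0]
    return {"to_router": NETDB["routerInfo"][lease["gateway"]]["addr"],
            "tunnel_id": lease["tunnel_id"],
            "garlic": toy_crypt(ls["garlic_key"], json.dumps(cloves).encode())}

def cloves_visible_to_hop(blob: bytes) -> int:
    """What a tunnel hop without the garlic key learns: the blob does not even parse."""
    try:
        return len(json.loads(blob))
    except (ValueError, TypeError):   # UnicodeDecodeError/JSONDecodeError are ValueErrors
        return 0

def open_garlic(garlic_key: bytes, blob: bytes) -> dict:
    """Bob: peel the garlic and route every clove by its own delivery instruction
    (LOCAL/ROUTER/TUNNEL, simplified from I2P's clove delivery types)."""
    out = {"LOCAL": [], "ROUTER": [], "TUNNEL": []}
    for clove in json.loads(toy_crypt(garlic_key, blob)):
        out[clove["deliver"]].append(clove["payload"])
    return out

# Constructed cloves: the request, Alice's own leaseSet so Bob can reply, and a delivery status.
CLOVES = [
    {"deliver": "LOCAL", "payload": "GET /index.html"},
    {"deliver": "LOCAL", "payload": "leaseSet(alice.i2p)"},
    {"deliver": "TUNNEL", "payload": "DeliveryStatus -> Alice's inbound tunnel"},
]
```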
I2P – Shared tunnels
All nodes act as a router
I2P
Point your browser to your local I2P router
I2P
Accessing hidden websites within the I2P network. I2P is mainly about hidden websites, NOT so much about reaching the public internet.
I2P
Can be defined on ANY port!
I2P recommends poking a hole in your firewall for incoming traffic on udp/23852 and tcp/23852; this will dramatically improve performance.
Things to do…
Firepower & I2P (default config)
Lots of requests for udp/23852… (but remember, the port is definable…)
Stealthwatch & I2P (default config)
Classified as P2P file traffic
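An added detection sketch over constructed flow records (not from the deck, and not a Firepower or Stealthwatch rule): the first function counts external peers reached on the default udp/23852, which is what the Firepower view above shows; the second is a port-agnostic fan-out heuristic, my assumption of the kind of behaviour that earns a “P2P file traffic” verdict even after the user moves the port.

```python
from collections import defaultdict

I2P_DEFAULT_PORT = 23852   # I2P default from the slides; the user can move it anywhere
FANOUT_THRESHOLD = 5       # distinct external UDP peers before a host is flagged (tune per site)

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, proto), shaped like a
# NetFlow/firewall export. All addresses are documentation ranges, not real peers.
FLOWS = [
    # host on the I2P default port, talking to many peers that also use the default
    ("10.1.1.20", 23852, "203.0.113.5", 23852, "udp"),
    ("10.1.1.20", 23852, "198.51.100.7", 23852, "udp"),
    ("10.1.1.20", 23852, "192.0.2.9", 23852, "udp"),
    ("10.1.1.20", 23852, "203.0.113.77", 23852, "udp"),
    ("10.1.1.20", 23852, "198.51.100.31", 23852, "udp"),
    ("10.1.1.20", 23852, "192.0.2.44", 23852, "udp"),
    # same behaviour, but the local port was changed and the peers use assorted ports
    ("10.1.1.21", 40123, "203.0.113.5", 31444, "udp"),
    ("10.1.1.21", 40123, "198.51.100.7", 52001, "udp"),
    ("10.1.1.21", 40123, "192.0.2.9", 23852, "udp"),
    ("10.1.1.21", 40123, "203.0.113.78", 8003, "udp"),
    ("10.1.1.21", 40123, "198.51.100.32", 61000, "udp"),
    ("10.1.1.21", 40123, "192.0.2.45", 17777, "udp"),
    # ordinary client: many UDP packets, but to one internal resolver on port 53
    ("10.1.1.22", 51000, "10.1.1.1", 53, "udp"),
    ("10.1.1.22", 51001, "10.1.1.1", 53, "udp"),
]

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")           # constructed site convention

def default_port_peers(flows) -> dict:
    """Firepower-style view: distinct external peers each internal host reached on udp/23852."""
    peers = defaultdict(set)
    for src, _sport, dst, dport, proto in flows:
        if proto == "udp" and dport == I2P_DEFAULT_PORT and is_internal(src) and not is_internal(dst):
            peers[src].add(dst)
    return {host: len(p) for host, p in peers.items()}

def udp_fanout_suspects(flows, threshold: int = FANOUT_THRESHOLD) -> dict:
    """Port-agnostic heuristic: one internal host, one fixed local UDP port, many distinct
    external peers on unprivileged ports. Returns {host: peer_count} for hosts over threshold."""
    peers = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        if proto == "udp" and dport >= 1024 and is_internal(src) and not is_internal(dst):
            peers[(src, sport)].add(dst)
    return {host: len(p) for (host, _sport), p in peers.items() if len(p) >= threshold}
```

The default-port count misses the second host almost entirely, while the fan-out heuristic catches both and leaves the DNS client alone.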
I2P on AMP for Endpoints
I2P is Java based…
More info about I2P
• https://www.cdc.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_CDC/Documents/Lehre/SS13/Seminar/CPS/cps2014_submission_4.pdf
• https://geti2p.net/en/docs/how/tech-intro
• http://hor6372x6soyyts2.onion/mirrors/HiddenWikiClean/A_Radical's_Introduction_to_Anonymity.html#Weaknesses
Freenet Project
• Completely distributed network of around 10K nodes
• Main purpose is to anonymously store and retrieve data
• Data is stored in encrypted chunks on multiple servers
• Data is inserted into the “network”; the original uploader can go offline
• The “network” does not actively delete data, but it forgets data that is not requested for some time
Freenet Project
Offers an “Opennet” and a “Darknet” mode
Opennet: peers are constantly searching for other peers and stored information
Darknet: each peer only gives out its key directly to other known peers
Freenet protocol, on a high level
• Files are stored in encrypted chunks; no node has the complete file
• Chunks are cached on the path to the requestor (at least in a 3-node distance)
• This results in files that are requested very often scaling better
• Protocol is UDP based
[Diagram: nodes 1–5 passing a “File ?” request along until a node holding the file answers]
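The chunk storage and path caching described above, as an added Python simulation (not Freenet's code). Node names, the sample file and the round-robin chunk placement are constructed; chunks are left unencrypted here so the routing stays visible.

```python
import hashlib

class Node:
    """A Freenet-like node: a small chunk store plus its directly connected peers."""
    def __init__(self, name: str):
        self.name, self.store, self.peers = name, {}, []

def chunk_key(chunk: bytes) -> str:
    # Simplified content-hash key: a chunk is addressed by the hash of its contents.
    return hashlib.sha256(chunk).hexdigest()[:16]

def insert_file(data: bytes, holders: list, chunk_size: int = 8) -> list:
    """Split a file into chunks and spread them over different nodes so that no single
    node holds the complete file. Returns the ordered chunk keys (the 'manifest').
    Round-robin placement is a constructed simplification; real Freenet routes by key."""
    keys = []
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        key = chunk_key(chunk)
        holders[(i // chunk_size) % len(holders)].store[key] = chunk
        keys.append(key)
    return keys

def request(node: Node, key: str, visited: set = None) -> tuple:
    """Forward a request peer by peer until a node holding the key answers. Every node
    on the return path caches the chunk, so often-requested chunks end up close to
    their requestors. Returns (chunk or None, hops travelled)."""
    visited = visited if visited is not None else set()
    visited.add(node.name)
    if key in node.store:
        return node.store[key], 0
    for peer in node.peers:
        if peer.name in visited:
            continue
        chunk, hops = request(peer, key, visited)
        if chunk is not None:
            node.store[key] = chunk          # cache on the path back to the requestor
            return chunk, hops + 1
    return None, 0

def demo() -> tuple:
    """Chain A-B-C-D-E, file inserted on C, D, E, then fetched twice from A. Returns
    (nodes holding the whole file after insert, cold hop counts, warm hop counts)."""
    nodes = [Node(n) for n in "ABCDE"]
    for left, right in zip(nodes, nodes[1:]):
        left.peers.append(right)
        right.peers.append(left)
    keys = insert_file(b"onion and garlic routing", nodes[2:])   # constructed sample file
    complete = [n.name for n in nodes if all(k in n.store for k in keys)]
    cold = [request(nodes[0], k)[1] for k in keys]
    warm = [request(nodes[0], k)[1] for k in keys]
    return complete, cold, warm
```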
Request file or site
Freenet with Umbrella
Freenet in “Opennet” mode uses predefined seed nodes. Some are accessed via DNS, which can potentially be picked up…
CTR: one of the seed IPs of Freenet
Freenet and Stealthwatch
Classified as P2P file traffic
Freenet and Firepower
Some IPs are classified as Freenet Client
“Darknet” mode – connect to a friend directly
Freenet Project
• https://en.wikipedia.org/wiki/Freenet
• https://freenetproject.org/pages/about.html
Conclusion
• Blocking Tor completely is very hard, but a check on TLS certificate errors can provide some decent blocking & visibility for enterprises
• A combination of NetFlow analysis, anomaly detection & certificate checking on the gateways is probably your best bet
• Leverage Stealthwatch with CTA and ETA
• Combine it with AMP for Endpoints for further analysis and visibility
• Other tools like I2P and Freenet exist, but their purpose is to exchange information, not so much to anonymize your browsing
• I2P optimizes performance over special ports that need to be open
• No support for web proxies with I2P
• Port forwarding on firewalls is recommended for I2P -> cumbersome to use within corporate environments
• Freenet's purpose is sharing information with the public
Result check for our intentions
[Result matrix – intentions: Hide me from Government! · Hide me from ISP! · Hide me from tracking! · Bypass corporate policies · Bypass country restrictions · Access hidden services]
Thank you