About Garlic and Onions a Little Journey…
Total Page:16
File Type:pdf, Size:1020Kb
About Garlic and Onions A little journey… Tobias Mayer, Technical Solutions Architect BRKSEC-2011 Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Events Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 About Garlic and Onions We are all looking for privacy on the internet, for one or the other reason. This Session is about some technologies you can use to anonymise your network traffic, such as Tor (The Onion Router). The first part will give an introduction and explain the underlaying technology of Tor. We will take look at how you can not only use the Tor browser for access but also how the Tor network is working. We will learn how you can establish a Tor session and how we can find hidden websites and give examples of some websites...So we will enter the Darknet together. Beside Tor, we will also take a quick look at other techniques like I2P (Garlic Routing). In the last section we will make a quick sanity check what security technologies we can use to (maybe) detect such traffic in the network. This presentation is aimed at everyone who likes to learn about anonymization techniques and have a little bit of fun in the Darknet. BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Me… CCIE Security #14390, CISSP & Motorboat driving license… Working in Content Security & TLS Security tmayer{at}cisco.com Writing stuff at “blogs.cisco.com” BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Agenda • Why anonymization? • Using Tor (Onion Routing) • How Tor works • Introduction to Onion Routing • Obfuscation within Tor • Domain Fronting • Detect Tor • I2P – Invisible Internet Project • Introduction to Garlic Routing • Freenet Project BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Different Intentions Hide me from Government! Hide me from ISP! Hide me from tracking! Bypass Corporate Bypass Country Access Hidden policies restrictions (Videos…) Services BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 Browser Identity Tracking does not require a “Name” Tracking is done by examining parameters your browser reveals https://panopticlick.eff.org BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Proxies EPIC Browser BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Firepower App Detector for Proxy Traffic Traffic to external Proxy detected BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 VPN VPN Combine VPN Service with Proxies Provides additional anonymization Layer You have to have trust in the VPN Provider that they do not log… ☺ https://thatoneprivacysite.net/vpn-section/ BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Trust your VPN / Proxy? • Statement from “Hide-my- Ass” • “If you do illegal things, we cooperate with Law Enforcement” • They track the User… BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Trust your VPN / Proxy? https://thebestvpn.com/chrome-extension-vpn-dns-leaks/ • Chrome Browser leaking real IP because of DNS Prefetching • Despite using a VPN Service… BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 Tracking VPN & Proxies Enumerating known VPN & Proxy IPs BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 Deep Web / Dark Web The Deep Web / The Dark Web BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 The (partial) Reality https://gizmodo.com/the-deep-web-is-mostly-full-of-garbage-1786857267 Bill, stop searching … BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 About Tor The Onion router Open source SW / public design specs Data is constantly encrypted at multiple layers Sent through multiple routers. Each router decrypts the outer layer and finds routing instructions Sends the data to the next router Result is a completely encrypted path using random routers BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 21 How is the Tor Network built? • The Tor network consists of relays • Relays are just nodes where the Tor software is installed • They build encrypted connections to other relays, forming an overlay network • Everyone can run a Tor relay and contribute to the network… BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 The Tor Browser – Connecting to the Tor Network • Goal: Provide anonymity and access to censored and/or hidden resources • Special browser based on mozilla firefox to establish a circuit through the Tor network • Can connect directly or through proxies • Often used in combination with VPNs BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 23 Tor Relay Tor Dir OR1 OR2 OR3 PK OR1 Web Server PK OR2 PK OR3 Tor Client selects 3 random Routers out of all Tor Relays and get their public keys BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 Tor Relay OR1 OR2 OR3 PK OR1 Web Server PK OR2 PK OR3 Tor Client sends DH Handshake to OR1, encrypted with public key of OR1, called “relay_create” BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Tor Relay OR1 OR2 OR3 PK OR1 SK1 Web Server PK OR2 PK OR3 OR1 completes handshake, symmetric key is created BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 26 Tor Relay OR1 OR2 OR3 PK OR1 SK1 Web Server PK OR2 PK OR3 Tor Client sends “relay_extend” to OR1, requesting to extend the circuit to OR2. Keyshare for OR2 is protected by the public key of OR2 BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 Tor Relay OR1 OR2 OR3 PK OR1 SK1 Web Server PK OR2 SK2 PK OR3 OR1 send “relay_create” to OR2, OR2 responds and circuit with symmetric key is created to OR2 BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 28 Tor Relay OR1 OR2 OR3 PK OR1 SK1 Web Server PK OR2 SK2 PK OR3 SK3 “relay_extend” to OR3, create a circuit BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 Tor Relay OR1 OR2 OR3 PK OR1 SK1 Web Server PK OR2 SK2 PK OR3 SK3 Web Request follow the circuits BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 30 Tor Directory Authorities https://atlas.torproject.org/#search/flag:authority Every hour all Authorities calculate a common status document called the “consensus” BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 Tor Directory Authorities • Very trusted servers that hold the list of all active Tor relays • Tor client comes with this predefined list and the corresponding public keys • Every hour they agree on the most recent list of relays (“voting”) • They create a document called “consensus”. • Each DirAuth publishes and signs its own relay list to all other DirAuth • Tor client downloads the consenus at first start • Client receives consenus plus hashes of the consenus of all other authorities. Will only trust the consensus if more than half of the hashes match. • Tor relays can be “Directory caches” where clients can get an updated version of the consensus without the directory authorities BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 32 List of all Tor Relays https://torstatus.blutmagie.de/ Flags BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 33 Tor Relay EXIT_NODE: if you OR1 request HTTP, your traffic is visible to the EXIT_NODE OR2 OR3 BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 34 Tor Browser - Don’t leak information! BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 35 Do your own spylink ☺ BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 36 Tor Exit Relay List https://check.torproject.org/cgi-bin/TorBulkExitList.py BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 37 Customizing Tor “torrc” = config file BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 38 Customizing Tor (2) Also use IPv6 relays Define Geolocation of your ExitNodes BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 39 Customizing Tor (3) ExitNode from Germany BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 40 Customizing Tor (4) – some settings for torrc ClientOnly 1 #never, ever act as an exitNode ExcludeNodes #avoid the nodes / countries listed StrictNodes #if set to 1, Tor will strictly avoid #ExcludeNodes settings EnforceDistinctSubnets #Don‘t select two nodes that are close FascistFirewall 1 #only 80/443 entry & exit nodes EntryNodes # only use those entry node ExitNodes # only use those exit nodes ExcludeExitNodes BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 41 DNS for access to well known websites OR1 DNS Server OR2 OR3 Tor Exit Relay is responsible for the DNS Resolution BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 42 DNS Leaking for access to cleartext websites https://nymity.ch/tor-dns/ • ISP Resolver • Traversing the least amount of AS • Own Resolver • QNAME Minimization BRKSEC-2011 © 2020 Cisco and/or its affiliates.