
Collecting Threat Intelligence From Tor Network

A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Security

by Tarun Trivedi 14/MS/027

Under the Supervision of Dr. B. M. Mehtre (Associate Professor) Center For Cyber Security Institute For Development And Research In Banking Technology, Hyderabad (Established by Reserve Bank Of India)

COMPUTER SCIENCE AND ENGINEERING DEPARTMENT, SARDAR PATEL UNIVERSITY OF POLICE, SECURITY AND CRIMINAL JUSTICE, JODHPUR – 342304, INDIA. May, 2016

UNDERTAKING

I declare that the work presented in this thesis titled “Collecting Threat Intelligence From Tor Network”, submitted to the Computer Science and Engineering Department, Sardar Patel University of Police, Security and Criminal Justice, Jodhpur, for the award of the Master of Science degree in Cyber Security, is my original work. I have not plagiarized or submitted the same work for the award of any other degree. In case this undertaking is found incorrect, I accept that my degree may be unconditionally withdrawn.

May, 2016 Jodhpur

(Tarun Trivedi)

CERTIFICATE

Certified that the work contained in the thesis titled “Collecting Threat Intelligence From Tor Network”, by Tarun Trivedi, Registration Number 14/MS/027, has been carried out under my supervision and that this work has not been submitted elsewhere for a degree.

(Dr. B. M. Mehtre) (Associate Professor) Center For Cyber Security, Institute For Development And Research In Banking Technology, Hyderabad (Established by Reserve Bank Of India) May, 2016

Acknowledgment

I would like to take this opportunity to express my deep sense of gratitude to all who helped me directly or indirectly during this thesis work. First, I would like to thank my supervisor, Associate Professor Dr. B.M. Mehtre, for being a great mentor and the best adviser I could ever have. His advice, encouragement and criticism are the source of innovative ideas and inspiration, and the causes behind the successful completion of this dissertation. The confidence shown in me by him was the biggest source of inspiration for me. It has been a privilege working with him for the last five months. He gave me many opportunities to explore my inner self. I wish to express my sincere gratitude to Dr. Bhupendra Singh, Vice Chancellor, and Sh. M.L. Kumawat, former Vice Chancellor, for providing me all the facilities required for the completion of this thesis work. I would like to express my sincere appreciation and gratitude towards the faculty members at S.P.U.P., Jodhpur, especially Mr. Arjun Choudhary and Mr. Vikas Sihag, for their encouragement, consistent support and invaluable suggestions. I thank Mr. Vinod Parihar, who helped and guided me at the time I needed it the most. Whenever I got nervous, I used to talk with my colleagues; they always tried to encourage me. Without all those mentioned above, this work could not have achieved its goal.

Finally, I am grateful to my father, Mr. Mangilal Trivedi, and my mother, Mrs. Usha Trivedi, for their support. It would have been impossible for me to complete this thesis work without their love, blessings and encouragement.

Tarun Trivedi

Biographical Sketch

Tarun Trivedi

8B Badi Brhmpuri PIN-306401 E-Mail: [email protected], Contact. No. +91- 7737939573

Father’s Name : Mr. Mangilal Trivedi Mother’s Name : Mrs. Usha Trivedi

Education

• Pursuing Master of Science in Cyber Security, Computer Science & Engineering branch, from S.P.U.P., Jodhpur, 2016

• B.Tech. in Computer Science and Engineering from Rajasthan Technical University, Kota, with 64% in 2010.

• Intermediate from MBM School, Pali, with 62% in 2006.

• High School from Bangur School, Pali, with 53% in 2003.

Dedicated to my loving family for their kind love and support, and to my friends for showing confidence in me.

“Genius is one percent inspiration, ninety-nine percent perspiration.” - Thomas Edison

Synopsis

Threat intelligence is evidence-based data and information for detecting and preventing attacks. It includes context, keywords, indicators, etc. about an attack, together with advance information used to predict what will happen in the real world. Many sources, such as chats and comments, help an intelligence agency in decision making. Intelligence agencies monitor the dark world to learn how attackers plan and engineer attacks. The main aim of threat intelligence is to find out about the different types of attacks, such as hacking, hidden services, etc., in the dark world. The onion sites in the dark world provide resources devoted to hacking, security, anonymity, fake IDs, weapons, services, drugs and other malicious services. Well-known browsers such as Google Chrome, Internet Explorer and Mozilla Firefox cannot access onion sites, whereas the Tor browser can. Government and intelligence agencies monitor the hidden services in the dark world; essentially, they look for the hidden networks and their connection to the dark world. To use the Tor browser for this purpose, one needs to create an account on the onion site and then start monitoring the comments, blogs, questions and answers, etc. We propose a scheme for collecting threat intelligence from the Tor network. First, we monitored the activities of more than 200 onion sites in the dark world which are used for hacking, attacking and tracing. Secondly, we extracted the information about attacks from the onion sites. This is based on the discussion of various attacks that would be happening in the group. The discussion of a particular attack acts as an indicator that some malicious users are interested in that particular attack.

Based on this information, we find out the sites vulnerable to this attack and inform them that the site could be under attack. Threat intelligence is not restricted to predicting attacks; it also covers discovering attacks that have already happened. Our focus is on both of the above stated goals. We have developed the TNT Tool (Threat intelligence tool) for extracting keywords from onion sites through the Tor proxy. Our tool collects all the keywords related to attacks, such as hacking, tracing, tracking, bandwidth, etc., from the onion sites. After collecting the keywords, our tool identifies the URLs of the onion sites on which the keywords are found. Once the URLs were extracted, we sent an email to the owner of the onion site. The onion site owner replied to the mail, and from the reply we obtained the email header. Finally, we located the geographical location of the site, and its IP address as well, from the email header. Thus, we can locate them in the dark world.
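The last step of the synopsis, reading the reply's email header, can be illustrated with the Python standard library. The following is an added example, not the thesis's TNT tool: it parses a constructed reply message, walks the Received headers from the earliest hop upwards and returns the first routable IPv4 address, which is the candidate origin that the geolocation step would then be applied to. The addresses come from the RFC 5737 documentation ranges and the host names are placeholders; both are assumptions made for the example.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample reply with two Received hops. Addresses are from the
# RFC 5737 documentation ranges and host names are placeholders; this is not
# a message from the thesis.
SAMPLE_REPLY = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
        by inbox.example.org with ESMTPS id abc123; Mon, 2 May 2016 10:15:02 +0000
Received: from [10.0.0.5] (unknown [192.0.2.44])
        by mx.example.net with ESMTPSA id xyz789; Mon, 2 May 2016 10:14:58 +0000
From: site-owner@example.net
To: analyst@example.org
Subject: Re: question about your service
Message-ID: <constructed-1@example.net>

Reply body (constructed for the example).
"""

_IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Address ranges that can never be the sender's public address.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """True for RFC 1918, loopback and link-local addresses."""
    return any(ip in net for net in _INTERNAL)


def received_hops(raw_message):
    """Return the Received headers oldest hop first.

    Each mail server prepends its own Received header, so the header nearest
    the body describes the earliest hop the message passed through."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = msg.get_all("Received") or []
    return list(reversed(hops))


def public_ips(header_value):
    """All routable IPv4 addresses found in one Received header, in order."""
    found = []
    for candidate in _IPV4.findall(str(header_value)):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if is_internal(ip):
            continue          # e.g. [10.0.0.5] is the sender's LAN address
        found.append(str(ip))
    return found


def originating_ip(raw_message):
    """Earliest routable IP in the Received chain, or None.

    Only the Received lines written by the analyst's own receiving servers
    are trustworthy; lines below them can be forged by the sender, and a
    webmail provider usually shows its own server rather than the user."""
    for hop in received_hops(raw_message):
        ips = public_ips(hop)
        if ips:
            return ips[0]
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_REPLY):
        print(public_ips(hop), "<-", " ".join(str(hop).split())[:60])
    print("candidate origin:", originating_ip(SAMPLE_REPLY))
```

The function deliberately starts from the bottom of the header block, because that is where the sender's own connection is recorded; the hops above it belong to the receiving side. Mapping the resulting address to a location would require a separate geolocation database and is not part of this example.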

Contents

Acknowledgment v

Biographical Sketch vii

Synopsis x

1 Introduction ...... 1
1.1 The Threat intelligence ...... 1
1.2 The Onion Routing (Tor) ...... 2
1.3 The onion sites ...... 3
1.4 Problem statement ...... 3
1.5 Organization of thesis ...... 3

2 Literature survey ...... 5
2.1 Tor ...... 5
2.1.1 Anonymity of Tor ...... 5
2.1.2 Working of Tor ...... 6
2.2 Deep web onion services ...... 9
2.2.1 What are Deep web onion sites? ...... 9
2.2.2 The Dark Web versus the Deep Web ...... 10
2.2.3 Number of onion sites in the dark world ...... 10
2.2.4 How do deep web onion sites work? ...... 12
2.2.5 Why does the onion site owner take payment in Bitcoin? ...... 12

3 Methodology ...... 13
3.1 Working of the Tool ...... 14
3.1.1 Application is running through Tor proxy ...... 15
3.1.2 Searching for a keyword on an onion site ...... 16
3.1.3 If a URL link is present ...... 16
3.1.4 Apply text mining tool ...... 16
3.1.5 Collecting keywords related to threat intelligence ...... 16
3.1.6 When a keyword is found, pick up the complete sentence ...... 16
3.1.7 Show the URL address of the onion site ...... 17
3.2 List of onion sites used for hacking ...... 17

4 Results and Discussions ...... 36
4.1 How can we trace the owner of an onion site? ...... 36

5 Conclusions and future work 43

References 46

List of Figures

1 Selection of nodes in a Tor network ...... 2
2 Anonymity layer in an OSI model ...... 6
3 Tor client requests the directory server to establish a connection ...... 7
4 Tor client connected to server through Tor nodes ...... 7
5 Tor client chooses a different random path for establishing the connection next time ...... 8
6 Working of the Diffie-Hellman key exchange algorithm ...... 9
7 List of items selling in the dark world ...... 10
8 Details of an item in the dark world ...... 11
9 Protocols found in the Deep Web apart from HTTP/HTTPS ...... 11
10 Flowchart of working of the Tool ...... 15
11 Reply mail by piratecrackers@.org (owner of the onion site) ...... 37
12 Trace of the e-mail header of [email protected][23] (owner of the onion site) ...... 37
13 Reply mail by [email protected] (owner of the onion site) ...... 38
14 Trace of the e-mail header of [email protected][23] (owner of the onion site) ...... 38
15 Reply mail by [email protected] (owner of the onion site) ...... 39
16 Trace of the e-mail header of [email protected][23] (owner of the onion site) ...... 39
17 Reply mail by [email protected][23] (owner of the onion site) ...... 40
18 Trace of the e-mail header of [email protected][23] (owner of the onion site) ...... 40
19 Reply mail by [email protected] (owner of the onion site) ...... 41
20 Trace of the e-mail of [email protected][23] (owner of the onion site) ...... 41

Chapter 1

Introduction

1.1 The Threat intelligence

The main aim of threat intelligence is detecting and preventing attacks in the dark world. Intelligence agencies monitor the hidden deep web and keep activity in the dark world under constant surveillance. We find the indication of an attack and then detect the attack at the place where it happened. Many types of attacks, such as hacking, tracing, tracking, DDoS, brute force, etc.[20], are planned in the dark world and happen in the real world. Intelligence agencies monitor the activity of hidden services in the dark world. Government agencies monitor the hidden network and its connection to the dark world. They check all the services provided by .onion sites to clients and find out all the activities indicating that an attack on websites or social accounts is possible[17]. The intelligence agencies also monitor proxy-based traffic and check data packets in a network which look doubtful[16].

1.2 The Onion Routing (Tor)

The Onion Routing (Tor) is free open-source software that provides anonymity in the network. Using the Tor browser it is difficult to trace a user in the network, or the communication between user and server. It works like an onion, in which data is encrypted multiple times; at the last node of a Tor circuit the data is decrypted back into its plaintext, or original, form. Tor encrypts data multiple times in a virtual circuit through which it is transferred from client to server. All of this communication happens at the application layer. Journalists, activists, researchers, law enforcement officers, IT professionals, non-governmental organizations (NGOs), the military, intelligence agents and many private organizations use Tor to improve their privacy and communicate more safely. Military field agents use Tor to mask the sites related to privacy and operations and to protect themselves from physical harm. Journalists all over the world use Tor to ensure the privacy of their information and their physical security. Human rights activists use Tor for anonymity and privacy during legitimate activities[3].

Figure 1: Selection of nodes in a Tor network.

1. Client :- The user of the Tor network.

2. Server :- The target web server.

3. Tor (onion) router :- A special proxy node used in the Tor network.

4. Directory server :- A server which provides the list of nodes of the Tor network.

1.3 The onion sites

A .onion site is like a normal site, but it can only be accessed through a hidden network called Tor (The Onion Routing). Tor is indirectly a VPN proxy service. In the hidden dark world, many sites are legal (Torch, not Evil, DuckDuckGo, Snowden, etc.) and many are illegal, selling drugs, heroin, weapons, etc. The hidden deep web (dark world) covers several activities, including hacking, cyber warfare, anonymity, adult content, politics, weapons, credit cards, guns, chat, gambling, books, porn, hosting, search engines, drugs, forums, Bitcoin, fake mail and market services which take payment in Bitcoin[2]. Bitcoin is an electronic money transfer which is secure in the dark world and uses the PGP technique. These services are provided by onion sites (which use dynamic IP addresses) in the dark world, and they also use the Tor proxy to hide their identity. We filter out only those onion sites that are working on hacking, attacking, bandwidth, chatting, IRC (Internet Relay Chat), blogging, email hacking, DDoS attacks, SYN flood, sniffer attacks, etc. in the dark world.

1.4 Problem statement

The main motive of onion sites is doing illegal activity in the physical world. Intelligence agencies monitor and keep onion sites under surveillance, trying to find out which type of attack will happen in the future, but this is not completely possible because onion sites change their URL addresses randomly. Lakhs of onion sites are present in the dark world, so it is not possible to block all of them.

1.5 Organization of thesis

The work carried out has been summarized in five chapters. Chapter 1 gives a brief introduction to threat intelligence, Tor (The Onion Routing) and dark web onion sites. Chapter 2 describes the working of Tor, the working of deep web onion services and Bitcoin payment transactions.

Chapter 3 explains the main aim of threat intelligence, the list of onion sites which are used for attacking purposes and the working of the tool. Chapter 4 explains, with examples, how we trace the owner of an onion site who has carried out an attack. Chapter 5 presents the results and the future work of this project.

Chapter 2

Literature survey

2.1 Tor

2.1.1 Anonymity of Tor

The Onion Routing (Tor) network is a group of hidden servers that provide people with security and privacy in a network. The Tor network was designed and implemented by the Naval Research Laboratory for the privacy and security of government communications, but at present it is open source for public users. Tor hidden services hide users' locations when they provide IMS services and web publishing services. The Tor browser is beneficial for journalists, bloggers, the military and activists to hide their activity and protect their identity[13].

Figure 2: Anonymity layer in an OSI model.

The anonymity layer sits between the application layer and the presentation layer. The anonymity depends on the security present in the application layer.

2.1.2 Working of Tor

Tor provides a distributed network for protection against Internet surveillance. The working of Tor is divided into three steps. In the first step, a Tor client (Alice) connects to a directory server (Dave) to get the list of Tor nodes in the network. The directory server provides a random path through different relays, so that no eavesdropper can find out where the data comes from and where it is going. Every time the client software (Tor browser) connects to another server or destination, it chooses a different path[15].

Figure 3: Tor client requests the directory server to establish a connection.

In the second step, a Tor circuit is established in the network. The Tor client connects to a first (entry) node, then a middle node, and finally an exit node which connects to the destination server. The entry node is connected to the middle node using the Diffie-Hellman key exchange algorithm to set up the keys that encrypt packets. In this way the first node works as a proxy; a Tor network node knows the addresses of only the previous node and the next node in the network. The Tor client sends a packet to the exit node in encrypted form, and from the exit node to the destination server the packets are in decrypted form, i.e. plaintext. In the diagram, green links show data packets in encrypted form and red links show data packets in plaintext form.

Figure 4: Tor client connected to server through Tor node.

In the last step, when the Tor client connects to another destination server, it chooses a different random path the next time. Tor does not solve the anonymity problem completely, but it protects the transport of data between sender and receiver; because data packets are converted to plaintext at the exit node, a man-in-the-middle attack is possible at that node[14][3].

Figure 5: Tor client chooses different random path for establishing connection for next time.

Tor uses the Diffie-Hellman key exchange algorithm to set up the encryption of packets from client to server. The packets are in encrypted form, so it is not possible to read out the data in a packet. When a client sends a request to the directory server, the server provides a list of Tor nodes in the network. The client sends packets which are encrypted multiple times and travel to the exit node of the network. When packets go from the exit node to the destination server they change into plaintext form[6]. The steps of the Diffie-Hellman key exchange algorithm are: Alice and Bob select a large prime number n and a number g, where g is primitive mod n[18]. The protocol goes as follows:-

Figure 6: Working of the Diffie-Hellman key exchange algorithm.
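As an added illustration (not the thesis's tool and not Tor's own code), the following Python script carries the Diffie-Hellman sketch of Figure 6 through with the symbols used above, n and g, and then uses one such shared key per relay to show the layered "onion" encryption described in Section 2.1.2: each relay removes only its own layer, and only the exit node sees plaintext. The tiny prime n = 23 and generator g = 5 are textbook toy values, and the SHA-256 based keystream is a stand-in for the AES-CTR cell encryption Tor actually uses; both are assumptions made here for readability.

```python
import hashlib
import secrets

# Toy parameters for the sketch in Figure 6: a small prime n and a generator g
# that is primitive mod n (textbook values, assumed here for readability;
# real deployments use 2048-bit or larger groups).
N = 23
G = 5


def dh_keypair(n=N, g=G, secret=None):
    """One party's step: choose a private exponent, publish g^secret mod n."""
    if secret is None:
        secret = secrets.randbelow(n - 2) + 1      # 1 <= secret <= n - 2
    return secret, pow(g, secret, n)


def dh_shared(their_public, my_secret, n=N):
    """Shared secret: (g^b)^a mod n equals (g^a)^b mod n."""
    return pow(their_public, my_secret, n)


def hop_key(shared, hop_index):
    """Derive a 32-byte symmetric key for one relay from the DH result.
    The hop index is mixed in so the three relays never share a key."""
    return hashlib.sha256(f"hop{hop_index}:{shared}".encode()).digest()


def keystream(key, length):
    """Counter-mode keystream built from SHA-256 (a stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(key, data):
    """XOR with the keystream adds a layer; the same call removes it again."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_circuit(n_hops=3):
    """The client runs one key exchange per relay (entry, middle, exit) and
    keeps one key per hop; each relay keeps only its own key."""
    client_keys, relay_keys = [], []
    for hop in range(n_hops):
        a, a_pub = dh_keypair()       # client's secret and public value
        b, b_pub = dh_keypair()       # relay's secret and public value
        client_keys.append(hop_key(dh_shared(b_pub, a), hop))
        relay_keys.append(hop_key(dh_shared(a_pub, b), hop))
    return client_keys, relay_keys


def wrap_onion(hop_keys, payload):
    """Client side: apply the exit key first and the entry key last, so the
    entry relay's layer is the outermost one."""
    cell = payload
    for key in reversed(hop_keys):
        cell = xor_layer(key, cell)
    return cell


def unwrap_at_each_hop(hop_keys, cell):
    """Relay side: each relay strips exactly one layer and forwards the rest.
    Returns what each relay sees; only the last view (the exit's) is plaintext."""
    seen = []
    for key in hop_keys:
        cell = xor_layer(key, cell)
        seen.append(cell)
    return seen


if __name__ == "__main__":
    client_keys, relay_keys = build_circuit()
    cell = wrap_onion(client_keys, b"GET / HTTP/1.0")
    for hop, view in enumerate(unwrap_at_each_hop(relay_keys, cell)):
        print("relay", hop, "sees", view)
```

With the textbook exponents a = 6 and b = 15, Alice publishes 8, Bob publishes 19 and both compute the shared value 2. The views printed for relays 0 and 1 are still ciphertext, which is the point of the red/green links in Figure 4: the exit relay is the first place the plaintext exists outside the client.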

2.2 Deep web onion services

2.2.1 What are Deep web onion sites?

The hidden deep web is not indexed by search engines like Google, Yahoo, Bing, etc. The hidden dark web content is not crawled by normal search engines like Google because of technical limitations. The content of an onion site is only accessible through a Tor proxy[5]. The hidden web services offer users services such as hacking services, drugs, pornography, passwords and stolen credit cards, changing money into Bitcoin, weapons and malware[19]. They also contain government databases and reports, according to a 2010 Defense Science Board report[8]. It was 400 to 500 times bigger than the clear web or surface web. The clear web or surface web uses .net, .com and .org extensions, but hidden web services use the .onion extension. Many dark sites provide anonymity to a user when chatting with another user. In this situation, IP addresses cannot be tracked by an attacker who tries to eavesdrop on data packets[2].

2.2.2 The Dark Web versus the Deep Web

The Dark Web and the Deep Web are different webs in the dark world. Dark webs depend on networks in which trusted peers make connections between themselves. Tor (The Onion Routing) and the Invisible Internet Project (I2P) are examples of Dark Web systems. For accessing the Deep Web, we require a special tool, such as the Tor VPN proxy, to access the contents. The Deep Web is selling illegal drugs, weapons and heroin, and also carries news about the market[5].

2.2.3 Number of onion sites in the dark world

Figure 7 is based on the article "Study Claims Dark Web Sites Are Most Commonly Used for Crime" by Joseph Cox on web-based hidden services, February 2016.

Figure 7: List of items selling in the dark world.

We cannot easily connect to the hidden web: first we install the Tor browser, and only then are we able to access the hidden sites in the network. The Tor browser provides a secure connection to the user, in which data packets are transmitted in encrypted form in a tunnel.

Figure 8: Details of an item in the dark world.

Figure 9: Protocols found in the Deep Web apart from HTTP/HTTPS.

Intelligence agencies monitor and keep the dark web under surveillance for preventing and finding cyber crime in the cyber world. They use tools and applications for monitoring wireless communication on the Internet. Intelligence agencies spend a great deal of time finding Internet users who transfer sensitive documents on the dark web. The deep web could be harmful for national security, so monitoring activity on it is necessary. Deep inspection of traffic is used for recognizing the patterns of anonymizing networks[21].

2.2.4 How do deep web onion sites work?

In the Tor cloud, computers' data is in encrypted form when passing from one to another, in order to provide anonymity. Deep web onion services provide drugs, books, cocaine, heroin, Bitcoin transfers, pornography, credit card cloning, digital devices, hacking and attacking. If we want to access the deep web then we need the Tor network. The black market, in which much illegal activity is running, is part of the hidden web. Blocking onion services is not possible for the government, because onion sites use dynamic IPs, so it is not possible to block all of them. Some onion sites provide Distributed Denial of Service (DDoS) attacks, which try to make a service or site unavailable to users through an unlimited number of requests sent in a short period of time[22].

2.2.5 Why does the onion site owner take payment in Bitcoin?

Bitcoin is an electronic payment system released as open-source software in 2009. It is the first decentralized digital currency, and users can transact money directly without an intermediary. The main purpose of Bitcoin is that it can send and receive money transactions. An attacker demands money in Bitcoin because no bank is involved in the money transaction from one account to another. A wallet is used to store the information of the bitcoins used in a transaction. Bitcoin is based on the concept of mining. Mining is the service which stores the record of a block in the block chain; miners verify the blocks in a transaction. A block chain is a transaction record verified by network nodes. It is a distributed database which records Bitcoin transactions without any trusted central authority. Bitcoin software performs all the communication in the network. A user spends his bitcoins using his particular unique address. For security purposes, the Bitcoin payment system uses public-key cryptography, in which two keys are used: a public key and a private key. The SHA-256 cryptographic hash algorithm is used to hash the previous block in the block chain. A sender (payer) digitally signs the transaction using his private key; without the private key the bitcoins cannot be used in a transaction[9].
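To make the hash-linking described above concrete, here is an added Python example (not Bitcoin's code and not part of the thesis) of a minimal hash-linked chain: each block's SHA-256 hash covers its own contents and the previous block's hash, so changing a past transaction invalidates that block, and recomputing only that block's hash still breaks the link from the block after it. The transactions and addresses are constructed placeholders; signatures and mining (proof of work) are left out.

```python
import copy
import hashlib
import json


def block_hash(block):
    """SHA-256 over the block's contents, excluding its own hash field.
    Canonical JSON (sorted keys, no whitespace) keeps the hash deterministic."""
    body = {k: v for k, v in block.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def make_block(index, prev_hash, transactions):
    """A block commits to the previous block's hash before it is hashed itself."""
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    block["hash"] = block_hash(block)
    return block


def build_chain(transaction_batches):
    """Genesis block first; every later block links back to the one before."""
    chain = [make_block(0, "0" * 64, [])]
    for txs in transaction_batches:
        prev = chain[-1]
        chain.append(make_block(prev["index"] + 1, prev["hash"], txs))
    return chain


def verify_chain(chain):
    """What a network node does: recompute every hash and check every
    back-link. Returns the index of the first bad block, or -1 if all good."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return i
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return i
    return -1


def tamper_amount(chain, block_index, new_amount, recompute_hash=False):
    """Return a copy of the chain with one amount changed, optionally with that
    block's own hash recomputed as a forger would; the original is untouched."""
    forged = copy.deepcopy(chain)
    forged[block_index]["transactions"][0]["amount"] = new_amount
    if recompute_hash:
        forged[block_index]["hash"] = block_hash(forged[block_index])
    return forged


# Constructed transactions; the addresses are placeholders, not real ones.
SAMPLE_BATCHES = [
    [{"from": "addr_A", "to": "addr_B", "amount": 0.5}],
    [{"from": "addr_B", "to": "addr_C", "amount": 0.2}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("valid chain, first bad block:", verify_chain(chain))
    print("amount changed:", verify_chain(tamper_amount(chain, 1, 5.0)))
    print("amount changed, hash recomputed:",
          verify_chain(tamper_amount(chain, 1, 5.0, recompute_hash=True)))
```

The second tampering case is the one that matters for the argument above: a forger can make one block internally consistent again, but every later block still carries the old hash in its prev_hash field, so the rest of the network rejects the rewritten history unless the forger can also redo all following blocks.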

Chapter 3

Methodology

My aim is to collect threats from the onion sites for detecting and preventing attacks: collect and parse the chats, blogs and other web pages and extract the relevant information by using keywords like attacks, bandwidth, DDoS, etc. If we try to access hidden sites using a normal browser, our location is easy for an attacker to find out. We cannot access hidden onion sites using Internet Explorer, Mozilla Firefox or Google Chrome, because these sites are encrypted on the Internet, which is called Tor hidden services. These hidden service URLs are a combination of numbers and characters which are meaningless and end with .onion. The main benefit of the Tor browser is that it does not reveal the true location of a user. My application works automatically on the onion sites through the Tor proxy. We get information about onion sites through keywords (in the dark world) and predict which type of attack (email hacking, website attack, DDoS attack, SYN flood and sniffer attack) is possible on a particular network. It also predicts which type of attack is possible in the near future. The main work of this project is predicting which type of attack will be possible on banks, government sites and military sites in the near future. It also quickly finds out which type of attack was done on a network or site: email hack, DDoS, etc.

This application finds particular keywords (attacks, bandwidth, IRC, blogs, hacking, etc.) on the .onion sites in the dark world. It also follows URL links on the .onion site and searches the next page which opens on clicking the URL (though it is not actually necessary to click the URL link). When we get a paragraph in which a keyword is present, a text mining tool is applied (crawling on the website) to work out the summary of this paragraph and what will be done[10]. This whole procedure is carried out by the application, which is written in the Python language. This application predicts which attack has been done, which attack is in progress and which attack is possible in the near future. First, I collected 4,350 onion sites in the dark world and then filtered out 242 onion sites which are used only for attacking purposes[11].

3.1 Working of the Tool

After getting a list of thousands of onion sites in the dark world, I filter out only those sites which are used for hacking, attacking, tracing and tracking purposes, and then extract keywords through the application.

Figure 10: Flowchart of working of the Tool.

3.1.1 Application is running through Tor proxy

The application is written in the Python language, so it is easily executed on many platforms. When the application runs, it first crawls an onion site's web page through the Tor proxy. The Tor proxy is used specifically for onion sites, because without the Tor proxy we cannot access an onion site.

3.1.2 Searching for a keyword on an onion site

When the application crawls the home page of an onion site, it extracts the particular keywords we require (such as hacking, tracing, tracking, bandwidth, attacking, DDoS, etc.) and returns the output[10].

3.1.3 If a URL link is present

Yes

If a URL link is present on the home page of the onion site, then go to the next page and extract the keywords from it.

No

If no URL link is present on the onion site, then apply the text mining tool on the home page.

3.1.4 Apply text mining tool

Apply the text mining tool on all the pages of the onion site, including the hyperlinks present on the site.

3.1.5 Collecting keyword related to the threat intelligence

Collect all the keywords related to threat intelligence and find out the onion sites where a particular keyword (hacking, attacking, etc.) is present.

3.1.6 When a keyword is found, pick up a complete sentence

When a keyword is found on the onion site, my tool picks up the complete sentence in which the keyword is present.

3.1.7 Show the URL address of the onion site

Show the URL address of the onion site where the particular keyword was found.
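Steps 3.1.1 to 3.1.7 above, implemented end to end as an added Python example (this is not the thesis's TNT tool; the site content, host name and keyword list are constructed for the example): parse a page, split its visible text into sentences, record each keyword hit together with the whole sentence and the page URL, and follow same-site links breadth-first. The fetch function is injectable so that the crawl can be demonstrated on an in-memory site; a real run would supply a fetch routine that goes through the Tor SOCKS proxy, and the TOR_PROXIES constant shows the usual setting for the requests library, where the socks5h scheme makes Tor rather than the local resolver look up the .onion name.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Keywords from Section 3.1.2; extend as needed.
KEYWORDS = ["hacking", "tracing", "tracking", "bandwidth", "attacking", "ddos"]

# Proxy setting a real fetch routine would pass to the requests library (needs
# PySocks). socks5h lets Tor resolve the .onion name; a tor daemon listens on
# 9050 by default, Tor Browser on 9150. Not used by the offline demo below.
TOR_PROXIES = {"http": "socks5h://127.0.0.1:9050",
               "https": "socks5h://127.0.0.1:9050"}


class _PageParser(HTMLParser):
    """Collects visible text and hyperlinks, ignoring <script>/<style> bodies."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def parse_page(html):
    """Return (whitespace-normalised visible text, list of raw hrefs)."""
    parser = _PageParser()
    parser.feed(html)
    return " ".join(" ".join(parser.text).split()), parser.links


def keyword_sentences(text, keywords=KEYWORDS):
    """Step 3.1.6: for every keyword hit, keep the whole sentence it occurs in."""
    hits = []
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        lowered = sentence.lower()
        for keyword in keywords:
            if re.search(r"\b" + re.escape(keyword) + r"\b", lowered):
                hits.append((keyword, sentence.strip()))
    return hits


def crawl(start_url, fetch, keywords=KEYWORDS, max_pages=50):
    """Steps 3.1.1-3.1.7: breadth-first crawl of one site using fetch(url),
    which returns HTML or None, following only links on the same host.
    Returns {page URL: [(keyword, sentence), ...]} for pages with hits."""
    host = urlparse(start_url).netloc
    queue, seen, report, fetched = deque([start_url]), {start_url}, {}, 0
    while queue and fetched < max_pages:
        url = queue.popleft()
        html = fetch(url)
        fetched += 1
        if html is None:
            continue
        text, links = parse_page(html)
        hits = keyword_sentences(text, keywords)
        if hits:
            report[url] = hits
        for link in links:
            target = urljoin(url, link)
            if urlparse(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
    return report


# Constructed two-page site for the offline demo; the host is a placeholder,
# not a real onion address, and the page text is invented.
SAMPLE_SITE = {
    "http://placeholderonionaddress.onion/": (
        "<html><body><h1>Forum</h1>"
        "<p>Welcome to the board. Discussion of DDoS tooling moved to the archive."
        " Nothing to see here.</p>"
        "<a href='/archive.html'>archive</a>"
        "<a href='http://other.example/'>offsite</a></body></html>"),
    "http://placeholderonionaddress.onion/archive.html": (
        "<html><body><script>var x = 'hacking';</script>"
        "<p>Thread: members compare bandwidth for stress tests! Old post about"
        " tracing a wallet.</p></body></html>"),
}


def fetch_sample(url):
    """Offline stand-in for a Tor-proxied HTTP GET."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    for url, hits in crawl("http://placeholderonionaddress.onion/", fetch_sample).items():
        print(url)
        for keyword, sentence in hits:
            print("   ", keyword, "->", sentence)
```

Two details are worth keeping when adapting this: script and style bodies are excluded so that a keyword inside JavaScript does not count as a discussion hit, and the crawler only follows links on the same host, so the report for one onion site never silently expands to the clearnet sites it links to.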

3.2 List of onion sites used for hacking

1. http://agenttoe2dlvxdei.onion/ Email hacking site

2. http://deepweblinks.org/

3. ://defcongroups.org/ defcon web

4. http://torlinkbgs6aabns.onion/

5. http://torlinkbgs6aabns.onion/

6. http://hss3uro2hsxfogfq.onion/ Search engine for dark world

7. http://torbox3uiot6wchz.onion/sm/src/webmail.php Tor mailbox

8. http://hackcanl2o4lvmnv.onion/hackcanada/index.html Hack Canada

9. http://msydqstlz2kzerdg.onion/ Hidden services for TOR

10. http://sonntag6ej43fv2d.onion/ Blogging site for hacking purpose

11. http://54ogum7gwxhtgiya.onion/blog/index.php/language/en/ Best technodrome based on TOR

12. https://www.reddit.com/r/onions/comments/1cjf3w/ How would you ddos a onion website/ best comments

13. http://trdealmgn4uvm42g.onion/users/login How DDoS attack happen

14. Kpvz7ki2v5agwt35.onion/

15. http://hpuuigeld2cz2fd3.onion/

16. http://wn323ufq7s23u35f.onion/

17. http://zw3crggtadila2sg.onion/downornot/

18. http://zw3crggtadila2sg.onion/downornot/

19. http://utovvyhaflle76gh.onion/sTORage

20. http://utovvyhaflle76gh.onion/ Static/exit the matrix/index.html

21. http://p43g3uyr4dhneura.onion/blog/matrix/index.html

22. http://gcirdquvlyh4terx.onion

23. http://ad52wtwp2goynr3a.onion/6667

24. http://nekrooxwwskakacj.onion/ For IRC

25. http://nissehqau52b5kuo.onion/6667

26. http://renko743grixe7ob.onion/6667

27. http://ftwircdwyhghzw4i.onion/6667

28. http://jkpos24pl2r3urlw.onion/6667

29. http://rustlewnuz6kbapu.onion/6667

30. http://smt4wjpa3r7tkczs.onion/6667

31. http://msydqstlz2kzerdg.onion

32. http://jh32yv5zgayyyts3.onion/

33. http://wikitjerrta4qgz4.onion/

34. http://newsiiwanaduqpre.onion/

35. http://torbox3uiot6wchz.onion/relay-en.php

36. http://sigaintevyh2rzvw.onion/signup.php Hidden email service

37. http://sfjdg275q2ash3jt.onion/thread-aaac3a37c3.html

38. http://servnetshsztndci.onion/

39. https://www.reddit.com/r/I2P For IRC chat

40. http://67p4weg7hoowpvc3.onion/projects/cor/index.html connection oriented routing

41. http://4fvfamdpoulu2nms.onion/lechat/ Le chat script

42. https://mike.tig.as/onionbrowser/ Onion browser

43. http://wi7qkxyrdpu5cmvr.onion/en/index.html Mailing list and chat

44. http://2ysyukgriqx2mv7t.onion/#hacking For hacking purpose

45. http://3mrdrr2gas45q6hp.onion/ Tor duckin

46. http://4ecwfvbvxojjequ4.onion/info.html Mail server

47. http://4qt45wbulqipigwa.onion/ Encrypted and decrypted distributed sharing software

48. http://5eme2auqilcux2wq.onion/ Rent a

49. http://5l2fikyudbqg2pse.onion/ Julion wos home page for encrypting data

50. http://5sn2hxofsu6b55lo.onion/roundcube/ Web mail

51. http://5wfoa3o42xhzevfi.onion/ strategic intelligence network for messaging

52. http://6d6hycywwcshn3hl.onion/ Email identity

53. http://6dvj6v5imhny3anf.onion/ For IRC

54. http://lelantoss7bcnwbv.onion/ Private email service

55. http://6hgchounjuuwxewa.onion/ Onion mail server

56. http://sigaintevyh2rzvw.onion/ Dark net email service

57. http://7faq6ixireuaiksj.onion/mereinfo.htm Web mail

58. https://www.pirateparty.ca/chat/ IRC chat and mail

59. http://nfokjgfj3hxs4nwu.onion/ Best hidden service site

60. http://7w65g63fgumvpuvd.onion/ For chatting purpose

61. http://7uifkyord3spxfjb.onion/ Best site for chatting, messaging and discussing

62. http://a4wzhhaukx4arl5i.onion/ social account hack

63. http://a64r6szrpegnggoj.onion/ crypto storm

64. http://anon4jmy3f3ozlv6.onion/ Tor search engine

65. http://anonymzn3twqpxq5.onion/read.php?9,8837 Best DDoS attack comment

66. http://answersbbddrdcwo.onion/85595/onion?show=85644#a85644 (Best Tor hid- den services and attack)

67. http://answersbbddrdcwo.onion/deepweb-and-tor Best TOR and deep web hidden service

68. http://7alod7zpcztoxvwv.onion/ Debian bug report

69. http://aq4cfxeee4xnv4aj.onion Anonymous Content Distribution Network

70. http://aqdlgvf4jqm4gnn6.onion/member.php Receive mail service

71. http://archmail5fanreo5.onion/ service

72. http://arch3rsecgjqcmjb.onion/ Hidden services

73. http://lelanto2f3vf5imi.onion/ Best fake mail create private email service

74. http://e4c4xzz3hl772fti.onion/ Tor chat directory

75. https://stoptorscam.wordpress.com/2015/09/23/multiscam-server-exposing-or-tor-wallets-are-not-safe-too/#comments Best list of TOR scams

76. http://bpbhygpupahcgzlr.onion/ Linux centOS

77. http://bpo4ybbs2apk4sk4.onion/en/guide/malware Protect to malware

78. http://bptfp7py2wclht26.onion/blog.html The Tor BSD Diversity Project (TDP), blog

79. http://chatjbbxxotrumic.onion/index.php For chat purpose

80. http://chattorci7bcgygp.onion/ Chat through TOR

81. http://cheftse4cnjzsgid.onion/blog/ Best Low-cost point of sales (PoS) hacking

82. http://cpartywvpihlabsy.onion/ IRC chat

83. http://crackgknbxpcvc24.onion/showthread.php?tid=34 Best hacking tools and tutorials

84. https://www.cryptoparty.in/connect/contact/jabber Jabber instant messaging

85. http://d33pzjppzy7d37r2.onion/dedi.html Deep hosting

86. http://dtt6tdtgroj63iud.onion/ Chatting and hidden hosting

87. http://edsec5zn26zqjwry.onion/ Provide Hacker

88. http://egqy3sj4bdxk27v2.onion/ Hack Netflix account

89. http://edaethwo3476axnq.onion/OnionChat/ Onion chat

90. http://ecvzydgb66ibwll7.onion/ labs

91. http://encryptor3awk6px.onion/ Ransomware as a service

92. http://darkodei7qdze3pl.onion/install/index.php Creating community

93. http://dbshmc5frbchaum2.onion/Raspian-wheezy-iVPN-Tor-Gateway-Workspace-r0.html Implementing Physical Networking/Workspace Isolation with Raspberry Pi2

94. http://rsprjqyxhf25l3qd.onion/mission.php DW - DETECTIVE (check anyone by access special databases)

95. http://onjjabp3oubn7mdp.onion/ Shadow web

96. http://deadcertniishzbg.onion/ Dead Cert Tor Certificate Authority

97. http://deepirc23ukiben3.onion/ kiwi IRC chat

98. http://derpmailod2b4axq.onion/ derp mail

99. http://entropisth3ctkzd.onion/ Tor client protocol implementation

100. http://eon3o2n4tohozwsu.onion/portal.php Related to Tor

101. http://ep2jddbvpsfl7iz4.onion/ Http server

102. http://epicctfau2hw4w7a.onion/ Chatting purpose

103. http://erl3zrxqjgrpj27k.onion/?s=scripts List of scripts for brute force

104. http://es2adizg32j3kob5.onion/ Chatting purpose

105. http://escrow4vvhj4yqn7.onion/privacy.html Information collecting

106. http://esebhwmgzlrbsvlb.onion/useful-articles/ Information of dark web

107. http://ezufh7iro33kwryw.onion/ (threadlist.php?PHPSESSID=0bkvmeemf0uhgs9dhkdhgnd1a5) Social networking, hacking

108. http://ezuwnhj5j6mtk4xr.onion/ Real hosting

109. http://nfokjgfj3hxs4nwu.onion/ Hidden service TOR, UBUNTU

110. http://f2mz6ttcwyslnz5u.onion/ Best site for hacking

111. http://f6tch6hxjpazaowz.onion/about.html Onion mail server

112. http://chattorci7bcgygp.onion/ Chat Tor

113. http://exhaonjdb6j6wlah.onion/(wiki/index.php/Category:Computernetworksecurity)

114. http://fiextazvoirx4dzd.onion/faq.php?sid=2faf4c004284e22a3c1f3231b110106e Tor community

115. http://flowerk3r3nud4nc.onion/index.php?action=help Posting and personal message

116. http://fogmailr2btefrrq.onion/ Fog mail

117. http://freedomqbueysrt3.onion/ Private hosting

118. http://funwito6ykzrupsj.onion/blog.html Malware generator

119. http://fzkj6aco2loauhul.onion/ IRC

120. http://giftboxto6czglks.onion/memberlist.php Chatting

121. http://giyvshdnojeivkom.onion/ XMPP SERVER

122. http://gjobqjj7wyczbqie.onion/ Candle search engine

123. http://globe223ezvh6bps.onion/ GLOBE explore TOR relay and bridges

124. http://grr7fri2vhnzvd3v.onion/ Knowledge database

125. http://grrmailb3fxpjbwm.onion/ Best fake mail provide temporary email address

126. http://gvd3fzsecouzy2bb.onion/ Pirate hacker

127. http://hackarmgq2n2erux.onion/ Hacking tools

128. http://hackeroql4l2mejs.onion/ Rent a hacker

129. http://hackerrljqhmq6jb.onion/ Hack group

130. http://hackharhoaw3yk5q.onion/ Hacker for hire

131. http://hackpdatf4kryh54.onion/ For hacking

132. http://hackslciome4eshp.onion/ Russian account hacker best Russian hacker

133. http://has53mr655kevoht.onion/ par Rent a hacker

134. http://haxedcwi5duu363s.onion/ Have i been hacked

135. http://hc3sz3i2rb5dljqq.onion/ Secure anonymous calling best ghost call

136. http://hostie65cxwr4tza.onion/ private hosting

137. http://hosting6iar5zo7c.onion/ real hosting

138. http://htg6l2ngbayepylm.onion/ dimension x

139. http://i2dem5bn2mcetkhf.onion/ hack magic

140. http://igql7o3o5k5cmsby.onion/ a free social network

141. http://intelexi7yo7mj7j.onion/ A caring human at the end of the encrypted channel of communication to us

142. http://inus3amwshmaedba.onion/ Telegram Pedo Community

143. http://irc2p5zrbdk25rdy.onion/ Important for IRC

144. http://iqij37quu7cvaktl.onion/ Tips for reporting abusive UseNet or e-mail messages

145. http://irc2p5zrbdk25rdy.onion/ Important for IRC chat

146. http://nfokjgfj3hxs4nwu.onion/ Hidden service using Ubuntu

147. http://jhu5pr7ahdldvpct.onion/ Important for cloud, mail, chat, hotspot

148. http://jhu5pr7ahdldvpct.onion/ SKS Open PGP Key server

149. http://jiuofpytdpozlbhb.onion/memberlist.php The Dark room; http://answerstedhctbek.onion/86395/need-bruteforce-password-hacker-hack-bruteforse-protected Best hidden answer

150. http://lchudifyeqm4ldjj.onion/?category=114 Hacking guide and tools

151. http://torbox3uiot6wchz.onion/faq-en.php Best relay

152. https://lists.riseup.net/directory/community/ Creating community

153. http://degooglisons-internet.org/#leds (cyber village)

154. http://jlve2y45zacpbz6s.onion/index.php#AppServer TOR network and server

155. http://jratiejtelswmbov.onion/ jRAT jRAT is a Remote Administration Tool

156. http://jvauzb4sb3bwlsnc.onion/ privoxy Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk

157. https://guardianproject.info/code/ Guardian code and tools

158. http://kgcfwmjmft5nfklq.onion/ How to open the Ashley Madison dump files

159. http://l33tefec57h7yjcp.onion/functions/search.php?category=12 hacking tools

160. http://onionmail.info/repo.html onion mail server

161. http://lu4qfnnkbnduxurt.onion/ hacking tools

162. http://mail2tor2zyjdctd.onion/ anonymous email service provider

163. http://bpo4ybbs2apk4sk4.onion/en security tools

164. http://mwl3znktk7mqogdv.onion/#service TOR hosting

165. http://p335zjal4bumv6dr.onion/ ID hack

166. http://ofqixpcxwjq5au7h.onion/ hack account

167. http://ojgnw7wt6ozfzeeh.onion/squirrelmail/src/login.php for nuts

168. http://onionbr5zulufnuj.onion/ onion browser TOR check

169. https://git.volatile.ch/wowaname/PRC peer relay chat

170. http://opnju4nyz7wbypme.onion/zerobin/index.php?ec48a4b9e4af810b#wX9VgdNuYyy9LibBP9hV9WBZd+dQnGXQpNnJUIQIeMg= online pastebin Question answer

171. http://nfokjgfj3hxs4nwu.onion/ Hidden service (ubuntu+apache+TOR)

172. http://p335zjal4bumv6dr.onion/ Facebook password hack

173. http://p6x47b547s2fkmj3.onion/ Onion mail

174. http://parckwartvo7fskp.onion/?page=computerstuffarticle=sshserverbehindonionservice (SSH server behind onion service)

175. http://pfoxkj3p65uyc5pe.onion/ A Firefox profile configuration optimized for Tor browsing

176. http://pirateceo5dz3q4b.onion/en/hacking-services/services.html facebook, twitter, email hacking

177. http://pmwdzvbyvnmwobk5.onion/equipment/hackablesbiofeedback best brain hacking

178. http://publicibkxahavzc.onion/ Search engine for source code

179. https://github.com/diafygi/webrtc-ips Web RTC

180. http://pyl7a4ccwgpxm6rd.onion/w/index.php/Tools#DDoS tools hacking tools

181. http://qj3m7wxqk4pfqwob.onion/ IRC

182. http://answersbbddrdcwo.onion/Hacking-malware-tech Best hidden answers

183. http://qlrlf4q6x3mxu5uu.onion/products.html Dark net hacking products

184. http://qwzxd7r5pbrn7cqv.onion/ Email for hacking advice

185. http://qza32xuddl3guikc.onion/tutorials/darknets/i2p-browser-setup-guide.html Best I2P browser setup

186. http://qzbkwswfv5k2oj5d.onion/forum-30.html Best hacking tools and news

187. http://rkphrici4u5ffhhm.onion/ Secure drop server

188. http://rnqan3iu7nizbcyg.onion/ Hack group

189. http://servnetshsztndci.onion/ Software

190. http://shv34p5cckiljkww.onion/index.php Hidden host

191. http://torxmppu5u7amsed.onion/ Tor jabber

192. http://tty5bznsfoqxvkpy.onion/index.php rent a hacker

193. http://ubho6ub2lp6y2mai.onion/ Russian email, Facebook....hacker

194. http://vb75uj2ap3hyyava.onion/ Hacking is art

195. http://www.grrmailb3fxpjbwm.onion/ fake mail

196. https://github.com/blog github blog

197. http://xudusaoheq6vzp54.onion/feed.xml Best hack fest

198. http://zzzcgjit65yyn4ji.onion/gdrwpl/ jabber

199. http://answerstedhctbek.onion/97496/hacking-a-website?show=97954#a97954 Best question and answer

200. http://kpynyvym6xqi7wz2.onion/files.html#hp Best question and answer

201. http://nikcubxroppyzzld.onion How FBI found location of

202. http://nikcubxroppyzzld.onion/posts/onymous-part1/ Best question and answer

203. http://nikcubxroppyzzld.onion/posts/analyzing-fbi-explanation-silk-road/ Best question and answer

204. http://w363zoq3ylux5rf5.onion/blog/group/137404/all Best question and answer

205. http://hrkdpwrkh3lbow2l.onion/rss.xml Best question and answer

206. http://dustriic3kdutvvc.onion/b/atom.xml Best attack code

207. http://kobrabd77ppgjd2r.onion/blog/2015/05/crusade-against-bad-code Best code attack

208. http://kobrabd77ppgjd2r.onion/blog/2015/05/crusade-against-bad-code Best to object injection

209. kobrabd77ppgjd2r.onion/research/view/pastebin-captcha-evasion Best Pastebin Captcha Evasion

210. http://kobrabd77ppgjd2r.onion/research/view/ad-bypass-free-web-hosting Bypass free web hosting

211. http://kobrabd77ppgjd2r.onion/blog/2015/01/package-signing-thread-modelling Best thread modeling

212. http://kobrabd77ppgjd2r.onion/ Scott Arciszewski For hacking purpose

213. https://thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/ For hacking purpose

214. https://docs.google.com/forms/d/1eMtmQWNggvIMlre1Vu3aDQA-eK5R36qRtYqh0fh1ufM/viewform?c=0w=1 Best drabbed

215. https://github.com/blog comments Best blog comments

216. http://vb75uj2ap3hyyava.onion/comments/ Best blog comments

217. http://vb75uj2ap3hyyava.onion/posts/ Best Post

Chapter 4

Results and Discussions

4.1 How can we trace the owner of an onion site?

After collecting the keywords, my application finds the URL of the onion site where the keyword was found. Once I have the URL of an onion site, I e-mail the owner of the onion site as a client and wait for a reply. The owner of the onion site replies to my mail, and from the reply I obtain the e-mail header. I trace the e-mail header and find the IP address and location of the owner of the onion site who was responsible for the attack. [email protected] [email protected] [email protected] [email protected] [email protected]
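The header-tracing step described above, as an added example that is not part of the thesis' tool: the Received: chain of a reply is walked oldest-first, private and other non-routable addresses are discarded, and the first routable address in the oldest hop is reported as the candidate origin. The sample message is constructed (its addresses are from the reserved documentation ranges 198.51.100.0/24 and 203.0.113.0/24, and the host names are invented); the thesis instead used the online tracer in [23].

```python
"""
Added example (not the thesis' TNT tool): pick the earliest routable IPv4
address out of an e-mail's Received: chain.  The message is constructed;
198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
"""
import email
import ipaddress
import re

# Constructed sample reply.  Each relay prepends its own Received: header, so
# the LAST Received: in the message is the FIRST hop the message took.
SAMPLE_REPLY = """\
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.7])
\tby mail.investigator.example (Postfix) with ESMTPS id ABC123
\tfor <analyst@investigator.example>; Mon, 02 May 2016 10:15:02 +0000
Received: from webmail.example-isp.net (webmail.example-isp.net [203.0.113.25])
\tby mx.example-isp.net with ESMTP id XYZ789; Mon, 02 May 2016 10:14:59 +0000
Received: from [192.168.1.20] (host-198-51-100-44.example-dsl.net [198.51.100.44])
\tby webmail.example-isp.net with ESMTPA; Mon, 02 May 2016 10:14:55 +0000
From: operator@example-isp.net
To: analyst@investigator.example
Subject: Re: question about your service
Message-ID: <constructed-0001@example-isp.net>

Hello, what did you want to know?
"""

# Ranges that can never identify a remote sender (RFC 1918, loopback,
# link-local, CGNAT, "this" network).  Listed explicitly instead of using
# ipaddress.is_global, which would also reject the documentation ranges above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_hops(raw_message):
    """Received: headers oldest-first (reverse of their order in the message)."""
    msg = email.message_from_string(raw_message)
    return list(reversed(msg.get_all("Received") or []))


def is_routable(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def routable_ips(header_value):
    """Distinct routable IPv4 addresses in one Received: header, in order."""
    found = []
    for cand in IPV4_RE.findall(header_value):
        if is_routable(cand) and cand not in found:
            found.append(cand)
    return found


def trace_origin(raw_message):
    """Return (origin_ip, chain).  chain holds one (from-clause, [ips]) per
    hop, oldest first.  origin_ip is the first routable address of the
    oldest hop, or None when no hop exposes one (typical for webmail
    providers that omit the client's address)."""
    chain = []
    for hop in received_hops(raw_message):
        m = re.search(r"from\s+(.+?)\s+by\s", hop, re.DOTALL)
        from_clause = " ".join(m.group(1).split()) if m else hop.strip()
        chain.append((from_clause, routable_ips(hop)))
    origin = next((ips[0] for _, ips in chain if ips), None)
    return origin, chain


def hops_added_by(raw_message, server_name):
    """Indices (oldest-first) of hops whose 'by' clause names server_name.
    Only headers written by servers you operate are known-good; every
    older header arrived inside the message and could have been forged."""
    matches = []
    for i, hop in enumerate(received_hops(raw_message)):
        m = re.search(r"\bby\s+(\S+)", hop)
        if m and m.group(1).lower() == server_name.lower():
            matches.append(i)
    return matches


if __name__ == "__main__":
    origin, chain = trace_origin(SAMPLE_REPLY)
    for i, (src, ips) in enumerate(chain):
        print(f"hop {i}: from {src} -> routable {ips}")
    print("candidate origin:", origin)
```

The address this returns is only as trustworthy as the hop that recorded it: `hops_added_by` marks the headers written by your own mail server, and anything older was supplied by the sending side. Mapping the address to a location, as the thesis does with [23], needs an external geolocation database and is not part of this block.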

Figure 11: Reply mail by [email protected] (owner of the onion site).

Figure 12: Traced e-mail header of [email protected] [23] (owner of the onion site).

Figure 13: Reply mail by [email protected] (owner of the onion site).

Figure 14: Traced e-mail header of [email protected] [23] (owner of the onion site).

Figure 15: Reply mail by [email protected] (owner of the onion site).

Figure 16: Traced e-mail header of [email protected] [23] (owner of the onion site).

Figure 17: Reply mail by [email protected] [23] (owner of the onion site).

Figure 18: Traced e-mail header of [email protected] [23] (owner of the onion site).

Figure 19: Reply mail by [email protected] (owner of the onion site).

Figure 20: Traced e-mail of [email protected] [23] (owner of the onion site).

Chapter 5

Conclusions and future work

• We designed the TNT tool (Threat Intelligence Tool) for extracting keywords from onion sites using a Tor proxy. The TNT tool collected all the keywords related to attacks, such as hacking, tracing, tracking, bandwidth, etc., from the onion sites.

• After collecting the keywords, our tool finds the URL of the onion site where the keywords were found.

• Once I had the URL of the onion site, I sent an e-mail to the owner of the onion site.

• The onion site owner replied to my mail, and from the reply I obtained the e-mail header. I traced the location and IP address of the owner of the onion site using the e-mail header.

• This application is useful for intelligence agencies that collect threats and evidence in the hidden dark web.

• They also monitor and conduct surveillance of activity in the hidden dark web. We use this technique to help prevent DDoS attacks, SYN-flood attacks and sniffer attacks.

• It also helps to detect attacks carried out in the past, such as website attacks, e-mail hacking, social account hacking and money fraud. We also predict which types of attack will be possible in the near future on bank and military sites.

• We also monitor and eavesdrop on onion sites where attackers comment and blog about attacks that will happen in the near future. After obtaining this information, we stop the attack that would have happened through onion sites in the dark world.

• The other method is monitoring and surveillance of the onion sites of the dark world. We found the true location of the servers of onion sites by fiddling with the onion site's login page until the onion site leaked its true location, and also through misconfigured elements of the login page which revealed the IP (Internet Protocol) address of the onion sites [6].
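The keyword-collection step summarised in the first two bullets above, as an added example that is not the thesis' TNT tool: visible page text is extracted from HTML, matched against the thesis' attack-keyword list, and each hit is recorded with the URL it came from and a little surrounding context. The fetch goes through a local Tor client assumed at 127.0.0.1:9050 via the third-party requests library with SOCKS support; the keyword list extends the thesis' four examples with a few further terms (an assumption), and the page scanned below is constructed sample HTML, so the scan itself runs offline.

```python
"""
Added example (not the thesis' TNT tool): collect attack-related keywords
from an onion page and record the URL where each one was found.
"""
import re
from html.parser import HTMLParser

# The thesis names hacking, tracing, tracking and bandwidth; the remaining
# terms are assumed additions taken from the attack types in the conclusions.
KEYWORDS = ["hacking", "tracing", "tracking", "bandwidth",
            "ddos", "syn flood", "sniffer", "rent a hacker"]

# Assumed local Tor client.  socks5h (not socks5) makes the proxy resolve the
# .onion name; with plain socks5 the lookup would go to local DNS and fail.
TOR_PROXIES = {"http": "socks5h://127.0.0.1:9050",
               "https": "socks5h://127.0.0.1:9050"}

# Constructed sample page, not a real capture.
SAMPLE_HTML = """<html><head><title>Example forum</title>
<script>var tracking = "not visible text";</script></head>
<body><h1>Services</h1>
<p>Rent a hacker for account <b>hacking</b> and DDoS jobs.</p>
<p>We also sell bandwidth for SYN flood attacks.</p>
</body></html>"""


class _VisibleText(HTMLParser):
    """Collect text nodes, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(page_html):
    """Text a reader would see, with whitespace collapsed."""
    parser = _VisibleText()
    parser.feed(page_html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()


def find_keywords(url, page_html, keywords=KEYWORDS, context=25):
    """Return {"url": url, "hits": {keyword: [context snippets]}}.  Keywords
    with no occurrence are omitted, so an empty "hits" means nothing found."""
    text = visible_text(page_html)
    hits = {}
    for kw in keywords:
        pattern = re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)
        snippets = [text[max(0, m.start() - context): m.end() + context]
                    for m in pattern.finditer(text)]
        if snippets:
            hits[kw] = snippets
    return {"url": url, "hits": hits}


def fetch_over_tor(url, timeout=60):
    """Fetch a page through the Tor SOCKS proxy.  Needs `pip install
    requests[socks]`; imported here so the offline scan runs without it."""
    import requests
    resp = requests.get(url, proxies=TOR_PROXIES, timeout=timeout)
    resp.raise_for_status()
    return resp.text


def scan(urls, keywords=KEYWORDS):
    """Fetch and scan each URL; a failed fetch is recorded, not fatal."""
    results = []
    for url in urls:
        try:
            results.append(find_keywords(url, fetch_over_tor(url), keywords))
        except Exception as exc:  # unreachable service, circuit timeout, etc.
            results.append({"url": url, "error": str(exc)})
    return results


if __name__ == "__main__":
    print(find_keywords("http://example.onion/", SAMPLE_HTML))
```

Matching is done on visible text only, so a term that appears solely inside a script block (like "tracking" in the sample) is not reported; whole-word matching keeps "hacker" from counting as a hit for "hacking".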

Author's Publications

• Tarun Trivedi, B. M. Mehtre, “Collecting Threat Intelligence from Tor Network”, submitted to the Second International Symposium on Intelligent Systems Technologies and Applications (ISTA16), Jaipur, India.

References

[1] Gartner, Definition: Threat Intelligence. www.gartner.com/doc/2487216/definition-threat-intelligence

[2] Pierluigi Paganini and Richard Amores. The Deep Dark Web: The Hidden World.

[3] Tor: Overview. www.torproject.org/about/overview.html.en

[4] https://www.torvpn.com/en/onion

[5] Vincenzo Ciancaglini, Marco Balduzzi, Robert McArdle and Martin Rösler (Forward-Looking Threat Research Team). Below the Surface: Exploring the Deep Web.

[6] Ivan Pustogarov. Deanonymisation Techniques for Tor and Bitcoin. Doctoral thesis (Docteur de l'Université du Luxembourg en Informatique), presented on 12/06/2015 in Luxembourg.

[7] https://www.fbi.gov/news/pressrel/press-releases/

[8] Defense Science Board report 2010. http://www.acq.osd.mil/dsb/reports2010s.html

[9] Andreas M. Antonopoulos. Mastering Bitcoin. O'Reilly Media, Inc.

[10] Sriram Raghavan and Hector Garcia-Molina. Crawling the Hidden Web. Computer Science Department, Stanford University, Stanford, CA 94305, USA.

[11] http://skunksworkedp2cg.onion/sites.html

[12] Xiao Wang, Jinqiao Shi, Binxing Fang and Li Guo. An Empirical Analysis of Family in the Tor Network. IEEE ICC 2013.

[13] Aaron Johnson, Paul Syverson, Nick Mathewson. Trust-based Anonymous Communication: Adversary Models and Routing Algorithms. U.S. Naval Research Laboratory (anonymity-trust-ccs2011).

[14] Philipp Winter, Richard Köwer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog and Edgar Weippl. Spoiled Onions: Exposing Malicious Tor Exit Relays. Karlstad University, Sweden; SBA Research, Austria; FH Campus Wien, Austria.

[15] Masoud Akhoondi, Curtis Yu and Harsha V. Madhyastha. LASTor: A Low-Latency AS-Aware Tor Client. 2012 IEEE Symposium on Security and Privacy.

[16] Philipp Winter and Stefan Lindskog. How the Great Firewall of China is Blocking Tor. Karlstad University.

[17] Sambuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis and Angelos D. Keromytis. Detection and Analysis of Eavesdropping in Anonymous Communication Networks. Springer-Verlag Berlin Heidelberg, 2014.

[18] Dario Catalano, Mario Di Raimondo, Dario Fiore, Rosario Gennaro and Orazio Puglisi. Fully Non-interactive Onion Routing with Forward Secrecy. Published online 20 December 2012, Springer-Verlag Berlin Heidelberg, 2012.

[19] Matteo Casenove and Armando Miraglia. Botnet over Tor: The Illusion of Hiding. 2014 6th International Conference on Cyber Conflict, P. Brangetto, M. Maybaum, J. Stinissen (Eds.), NATO CCD COE Publications, Tallinn, 2014.

[20] Muhammad Aliyu Sulaiman and Sami Zhioua. Attacking Tor through Unpopular Ports. 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops.

[21] Taro Ishitaki, Donald Elmazi, Yi Liu, Tetsuya Oda, Leonard Barolli and Kazunori Uchida. Application of Neural Networks for Intrusion Detection in Tor Networks. 2015 29th International Conference on Advanced Information Networking and Applications Workshops.

[22] Ibrahim Ghafir, Jakub Svoboda and Vaclav Prenosil. Tor-based Malware and Tor Connection Detection. Faculty of Informatics and Institute of Computer Science, Masaryk University.

[23] http://www.cyberforensics.in/OnlineEmailTracer
