Collecting Threat Intelligence From Tor Network
A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Security
by Tarun Trivedi 14/MS/027
Under the Supervision of Dr. B. M. Mehtre (Associate Professor) Center For Cyber Security Institute For Development And Research In Banking Technology, Hyderabad (Established by Reserve Bank Of India)
COMPUTER SCIENCE AND ENGINEERING DEPARTMENT SARDAR PATEL UNIVERSITY OF POLICE, SECURITY AND CRIMINAL JUSTICE JODHPUR – 342304, INDIA May, 2016
UNDERTAKING
I declare that the work presented in this thesis titled “Collecting Threat Intelligence From Tor Network”, submitted to the Computer Science and Engineering Department, Sardar Patel University of Police, Security and Criminal Justice, Jodhpur, for the award of the Master of Science degree in Cyber Security, is my original work. I have not plagiarized or submitted the same work for the award of any other degree. In case this undertaking is found incorrect, I accept that my degree may be unconditionally withdrawn.
May, 2016 Jodhpur
(Tarun Trivedi)
CERTIFICATE
Certified that the work contained in the thesis titled “Collecting Threat Intelligence From Tor Network”, by Tarun Trivedi, Registration Number 14/MS/027, has been carried out under my supervision and that this work has not been submitted elsewhere for a degree.
(Dr. B. M. Mehtre) (Associate Professor) Center For Cyber Security, Institute For Development And Research In Banking Technology, Hyderabad (Established by Reserve Bank Of India) May, 2016
Acknowledgment
I would like to take this opportunity to express my deep sense of gratitude to all who helped me directly or indirectly during this thesis work. First, I would like to thank my supervisor, Associate Professor Dr. B.M. Mehtre, for being a great mentor and the best adviser I could ever have. His advice, encouragement and criticism were the source of innovative ideas and inspiration, and the cause behind the successful completion of this dissertation. The confidence he showed in me was the biggest source of inspiration for me. It has been a privilege working with him for the last five months. He gave me many opportunities to explore my inner self. I wish to express my sincere gratitude to Dr. Bhupendra Singh, Vice Chancellor, and Sh. M.L. Kumawat, former Vice Chancellor, for providing me all the facilities required for the completion of this thesis work. I would like to express my sincere appreciation and gratitude towards the faculty members at S.P.U.P., Jodhpur, especially Mr. Arjun Choudhary and Mr. Vikas Sihag, for their encouragement, consistent support and invaluable suggestions. I thank Mr. Vinod Parihar, who helped and guided me at the time I needed it the most. Whenever I got nervous, I used to talk with my colleagues; they always tried to encourage me. Without all those mentioned above, this work could not have achieved its goal.
Finally, I am grateful to my father Mr. Mangilal Trivedi and my mother Mrs. Usha Trivedi for their support. It was impossible for me to complete this thesis work without their love, blessing and encouragement.
Tarun Trivedi
Biographical Sketch
Tarun Trivedi
8B Badi Brhmpuri, PIN-306401; E-Mail: [email protected]; Contact No. +91-7737939573
Father’s Name : Mr. Mangilal Trivedi Mother’s Name : Mrs. Usha Trivedi
Education
• Pursuing Master of Science in Cyber Security, Computer Science & Engineering branch, S.P.U.P., Jodhpur, 2016
• B.Tech. in Computer Science and Engineering from Rajasthan Technical University, Kota, with 64% in 2010.
• Intermediate from MBM School, Pali, with 62% in 2006.
• High School from Bangur School, Pali, with 53% in 2003.
Dedicated to My Loving Family for their kind love & support. To my friends for showing confidence in me.
“Genius is one percent inspiration, ninety-nine percent perspiration.” - Thomas Edison
Synopsis
Threat intelligence is evidence-based data and information used for detecting and preventing attacks. It includes context, keywords, indicators and similar details about an attack, together with advance information that helps predict what will happen in the real world. Many sources, such as chats, comments and blogs, help an intelligence agency in decision making. Intelligence agencies monitor the dark world to learn how attackers plan and engineer attacks. The main aim of threat intelligence here is to find out about the different kinds of activity, such as hacking, anonymity services and hidden services, in the dark world. The onion sites in the dark world provide resources devoted to hacking, security, anonymity, fake IDs, weapons, services, drugs, pornography and other malicious services. Well-known browsers such as Google Chrome, Internet Explorer and Mozilla Firefox cannot access onion sites on their own, whereas the Tor browser can. Government and intelligence agencies monitor the hidden services in the dark world; essentially, they look for the hidden networks and their connection to the dark world. To monitor an onion site, one creates an account on the site through the Tor browser and then follows its comments, blogs, questions and answers, and so on.
We propose a scheme for collecting threat intelligence from the Tor network. First, we monitored the activities of more than 200 onion sites in the dark world which are used for hacking, attacking and tracing. Secondly, we extracted information about attacks from the onion sites, based on the discussion of various attacks taking place in each group. The discussion of a particular attack acts as an indicator that some malicious users are interested in that attack. Based on this information, we can find sites vulnerable to that attack and inform them that the site could be under attack. Threat intelligence is not restricted to predicting attacks; it also covers discovering attacks that have already happened. Our focus is on both of these goals. We have developed the TNT Tool (Threat intelligence tool) for extracting keywords from onion sites through a Tor proxy. The tool collects all keywords related to attacks, such as hacking, tracing, tracking and bandwidth, from the onion sites, and records the URL of every onion site on which a keyword is found. Once the URLs were extracted, we sent an email, posing as a client, to the owner of each onion site. When the owner replied, we obtained the email headers, and from those headers we determined the IP address and geographical location of the sender, wherever the headers carried an originating IP address. In this way we can locate actors in the dark world.
Contents
Acknowledgment v
Biographical Sketch vii
Synopsis x
1 Introduction ...... 1
1.1 The Threat intelligence ...... 1
1.2 The Onion Routing (Tor) ...... 2
1.3 The onion sites ...... 3
1.4 Problem statement ...... 3
1.5 Organization of thesis ...... 3
2 Literature survey ...... 5
2.1 Tor ...... 5
2.1.1 Anonymity of Tor ...... 5
2.1.2 Working of Tor ...... 6
2.2 Deep web onion services ...... 9
2.2.1 What are deep web onion sites? ...... 9
2.2.2 The Dark Web versus the Deep Web ...... 10
2.2.3 Number of onion sites in the dark world ...... 10
2.2.4 How do deep web onion sites work? ...... 12
2.2.5 Why do onion site owners take payment in Bitcoin? ...... 12
3 Methodology ...... 13
3.1 Working of the Tool ...... 14
3.1.1 Application is running through Tor proxy ...... 15
3.1.2 Searching for keywords on an onion site ...... 16
3.1.3 If URL link is present ...... 16
3.1.4 Apply text mining tool ...... 16
3.1.5 Collecting keywords related to the threat intelligence ...... 16
3.1.6 When a keyword is found, pick up a complete sentence ...... 16
3.1.7 Show URL address of the onion site ...... 17
3.2 List of onion sites used for hacking ...... 17
4 Results and Discussions ...... 36
4.1 How we can trace the owner of an onion site ...... 36
5 Conclusions and future work 43
References 46
List of Figures
1 Selection of nodes in a Tor network...... 2
2 Anonymity layer in an OSI Model ...... 6
3 Tor client requests the Directory server to establish a connection ...... 7
4 Tor client connected to server through Tor nodes ...... 7
5 Tor client chooses a different random path when establishing the next connection ...... 8
6 Working of Diffie-Hellman key exchange algorithm ...... 9
7 List of items sold in the dark world ...... 10
8 Details of items in the dark world ...... 11
9 Protocols found in the Deep Web apart from HTTP/HTTPS ...... 11
10 Flowchart of working of the Tool...... 15
11 Reply mail by piratecrackers@sigaint.org (owner of the onion site) ...... 37
12 Traced e-mail header of [email protected][23] (owner of the onion site) ...... 37
13 Reply mail by [email protected] (owner of the onion site) ...... 38
14 Traced e-mail header of [email protected][23] (owner of the onion site) ...... 38
15 Reply mail by [email protected] (owner of the onion site) ...... 39
16 Traced e-mail header of [email protected][23] (owner of the onion site) ...... 39
17 Reply mail by [email protected][23] (owner of the onion site) ...... 40
18 Traced e-mail header of [email protected][23] (owner of the onion site) ...... 40
19 Reply mail by [email protected] (owner of the onion site) ...... 41
20 Traced e-mail of [email protected][23] (owner of the onion site) ...... 41
Chapter 1
Introduction
1.1 The Threat intelligence
The main aim of threat intelligence is detecting and preventing attacks that are planned in the dark world. Intelligence agencies monitor the hidden deep web and keep activity in the dark world under constant surveillance. We look for indications of an attack and then detect the attack at the place where it happens. Many types of attack, such as hacking, tracing, tracking, DDoS and brute force[20], are discussed in the dark world and then carried out in the real world. Intelligence agencies monitor hidden-service activity in the dark world, and government agencies monitor the hidden network and its connection to the dark world. They check all the services that .onion sites provide to clients and look for every activity that indicates an attack will be possible on websites or social accounts[17]. The intelligence agencies also monitor proxy-based traffic and inspect data packets that look suspicious in a network[16].
1.2 The Onion Routing (Tor)
Tor (The Onion Router) is free, open-source software that provides anonymity on the network. Using the Tor browser it is difficult to trace a user or the communication between user and server. It works like an onion: data is encrypted in multiple layers, each relay on the path removes one layer, and at the last node (the exit) the final layer is removed and the data is forwarded to the destination in its original form. Tor encrypts the data multiple times within a virtual circuit that carries it from client to server. From the point of view of the applications using it, all of this happens at the application layer: Tor is presented to them as a local SOCKS proxy. Journalists, activists, researchers, law-enforcement officers, IT professionals, whistleblowers, non-governmental organizations (NGOs), the military, intelligence agents and many private organizations use Tor to improve their privacy and communicate more safely. Military field agents use Tor to mask the sites they visit for privacy, operational security and protection from physical harm. Journalists all over the world use Tor to ensure the privacy of their information and their physical security. Human-rights activists use Tor for anonymity and privacy during legitimate activities[3].
Figure 1: Selection of nodes in a Tor network.
1. Client :- The user of a Tor network
2. Server :- The target web server
3. Tor (onion) router:- Special proxy node used in a Tor network.
4. Directory server:- A server which provides the list of nodes (relays) of the Tor network.
1.3 The onion sites
A .onion site is like a normal site, but it can only be accessed through the hidden network called Tor (The Onion Router); to the browser, Tor behaves like a proxy service (it is not a VPN, although it is often described as one). In the hidden dark world many sites are legal, such as search engines (Torch, not Evil, DuckDuckGo, Snowden, etc.), and many are illegal, selling drugs, heroin, weapons and so on. Activities in the hidden deep web (dark world) include hacking, cyber crime, cyber warfare, anonymity, adult content, politics, weapons, credit-card fraud, guns, chat, gambling, books, porn, hosting, blogs, search engines, drugs, forums, Bitcoin, fake mail and market services that take payment in Bitcoin[2]. Bitcoin is an electronic means of transferring money and is the usual way of paying in the dark world; vendors and buyers commonly use Pretty Good Privacy (PGP) to encrypt the messages they exchange. These services are provided by onion sites, which do not expose a server IP address, and their operators also use the Tor proxy to hide their identity. We filter out only those onion sites that deal with hacking, attacking, bandwidth, chatting, cybercrime, IRC (Internet Relay Chat), blogging, email hacking, DDoS attacks, SYN flood, sniffer attacks, etc. in the dark world.
1.4 Problem statement
The main purpose of many onion sites is to support illegal activity in the physical world. Intelligence agencies monitor and survey the onion sites and try to find out which type of attack will happen in the future, but this is not completely possible because onion sites change their URL addresses frequently. A very large number of onion sites are present in the dark world, so it is not possible to block all of them.
1.5 Organization of thesis
The work carried out has been summarized in five chapters.
Chapter 1 gives a brief introduction to threat intelligence, Tor (The Onion Router) and dark-web onion sites.
Chapter 2 describes the working of Tor, the working of deep-web onion services and Bitcoin payment transactions.
Chapter 3 explains the main aim of threat intelligence, lists the onion sites that are used for attacking purposes and describes the working of the tool.
Chapter 4 explains, with examples, how we traced the owners of onion sites.
Chapter 5 presents the conclusions and the future work of this project.
Chapter 2
Literature survey
2.1 Tor
2.1.1 Anonymity of Tor
The Tor (The Onion Router) network is a group of volunteer-run relays that provide people with security and privacy on the network. Tor was designed and implemented by the U.S. Naval Research Laboratory for the privacy and security of government communications, but today it is open source and available to the public. Tor hidden services hide the user's location while providing instant messaging services (IMS) and web publishing services. The Tor browser is beneficial to journalists, bloggers, whistleblowers, the military and activists, who use it to hide their activity and protect their identity[13].
Figure 2: Anonymity layer in an OSI Model.
The anonymity layer sits between the application layer and the presentation layer. The anonymity it provides depends on the security present in the application layer.
2.1.2 Working of Tor
Tor provides a distributed, anonymous network for protection against Internet surveillance. The working of Tor can be divided into three steps. In the first step, a Tor client (Alice) connects to a directory server (Dave) to obtain the list of Tor nodes in the network. The client then builds a random path through different relays, so that no single eavesdropper can find out where the data comes from and where it is going. Every time the client software (Tor browser) connects to another server or destination, it chooses a different path[15].
Figure 3: Tor client requests the Directory server to establish a connection.
In the second step, a Tor circuit is established through the network: the Tor client connects to a first (entry) node, then a middle node, and finally an exit node, which connects to the destination server. The client negotiates a separate session key with each of these relays using the Diffie-Hellman key exchange, and those keys are used to encrypt the packets layer by layer. Each Tor node acts as a proxy and knows only the address of the previous node and the next node in the circuit. The Tor client sends packets to the exit node in encrypted form; after the exit node, packets travel to the destination server in decrypted form, i.e. as plaintext, unless the application itself uses end-to-end encryption such as TLS. In the diagram, green links show data packets in encrypted form and red links show data packets in plaintext form.
Figure 4: Tor client connected to server through Tor node.
In the last step, when the Tor client connects to another destination server, it chooses a different random path. Tor does not solve every anonymity problem: it protects the transport of data between sender and receiver, but at the exit node the data packets are converted back to plaintext, so a man-in-the-middle attack is possible at this node[14][3].
Figure 5: Tor client chooses different random path for establishing connection for next time.
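The layered encryption of the second and third steps above, as an added example in Python that is not part of the thesis or of the Tor software: the client wraps a cell in one layer per relay, each relay peels exactly one layer and learns only the next hop, and only the exit ends up holding the plaintext. The relay names, the destination, the per-relay keys (in Tor these come from the Diffie-Hellman handshake with each relay) and the XOR keystream standing in for Tor's AES-CTR are all constructed for the example.

```python
import hashlib

HOP_FIELD = 32   # fixed-width "next hop" field inside every layer (toy framing)


def session_key(label: str) -> bytes:
    """Constructed per-relay key. In Tor each key comes from the client's
    Diffie-Hellman handshake with that relay; here it is a hash of a label."""
    return hashlib.sha256(b"toy-circuit-key:" + label.encode()).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; Tor uses AES-CTR."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def layer(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call adds a layer and peels it off."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def frame(next_hop: str, inner: bytes) -> bytes:
    hop = next_hop.encode()
    assert len(hop) <= HOP_FIELD, "next-hop name too long for the toy framing"
    return hop.ljust(HOP_FIELD, b"\0") + inner


def unframe(data: bytes):
    return data[:HOP_FIELD].rstrip(b"\0").decode(), data[HOP_FIELD:]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: [(relay_name, session_key), ...] from entry to exit.
    Each layer tells its relay only who the next hop is; the innermost
    layer (for the exit) carries the destination and the plaintext payload."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    cell = payload
    for (_, key), hop in reversed(list(zip(circuit, next_hops))):
        cell = layer(key, frame(hop, cell))
    return cell


def relay_peel(key: bytes, cell: bytes):
    """What one relay does: remove its own layer and read the next hop."""
    return unframe(layer(key, cell))


def run_circuit(circuit, destination: str, payload: bytes):
    """Walk the cell entry -> middle -> exit and record what each relay learns.
    Only the exit holds the plaintext, which is why a malicious exit can read
    or tamper with traffic that is not protected end to end (e.g. by TLS)."""
    cell = build_onion(circuit, destination, payload)
    view = []
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        view.append({"relay": name, "next_hop": next_hop,
                     "sees_plaintext": cell == payload})
    return view, cell


# Constructed three-hop circuit (names and keys are made up for the example)
CIRCUIT = [(name, session_key(name)) for name in ("entry", "middle", "exit")]

if __name__ == "__main__":
    view, delivered = run_circuit(CIRCUIT, "bank.example:80", b"GET / HTTP/1.1")
    for v in view:
        print(v)
    print("exit forwards:", delivered)
```

Running the block prints one line per relay: the entry learns only "middle", the middle only "exit", and the exit learns the destination and sees the plaintext request, matching the green and red links of Figure 4.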
Tor uses the Diffie-Hellman key exchange to agree the keys with which packets are encrypted between the client and the relays. Because the packets are encrypted, it is not possible to read the data inside them. When a client sends a request to the directory server, the server provides the list of Tor nodes in the network. The client then sends packets that are encrypted multiple times, and they travel to the exit node of the network. When the packets leave the exit node for the destination server they are in plaintext form[6]. The steps of the Diffie-Hellman key exchange are as follows. Alice and Bob select a large prime number n and a generator g, where g is a primitive root mod n[18]. The protocol then proceeds as shown in Figure 6:
Figure 6: Working of Diffie-Hellman key exchange algorithm.
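The exchange of Figure 6 worked through in Python, as an added example that is not from the thesis or from Tor: Alice and Bob agree on n and g, each keeps a secret exponent, and both arrive at the same value from which a symmetric session key is derived. The parameters n = 23 and g = 5 are textbook-sized values chosen for illustration only; the brute-force `discrete_log` shows why real parameters must be far larger (Tor's original handshake used a 1024-bit prime, and its current ntor handshake uses Curve25519).

```python
import hashlib
import secrets


def dh_public(n: int, g: int, private: int) -> int:
    """Public value g^private mod n sent over the network."""
    return pow(g, private, n)


def dh_shared(n: int, peer_public: int, private: int) -> int:
    """Shared secret (peer_public)^private mod n, computed by each side."""
    return pow(peer_public, private, n)


def dh_exchange(n: int, g: int, a: int, b: int):
    """Run the protocol of Figure 6 with Alice's secret a and Bob's secret b.
    Returns (A, B, K_alice, K_bob); an eavesdropper sees only n, g, A and B."""
    A = dh_public(n, g, a)          # Alice -> Bob
    B = dh_public(n, g, b)          # Bob -> Alice
    return A, B, dh_shared(n, B, a), dh_shared(n, A, b)


def session_key(shared: int, n: int) -> bytes:
    """Derive the symmetric key from the shared secret; the raw DH value is
    never used directly as the cipher key."""
    width = (n.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def discrete_log(n: int, g: int, public: int):
    """Brute-force recovery of the private exponent from a public value.
    Feasible only because n is tiny; with a 2048-bit n this loop never ends."""
    x, acc = 0, 1
    while acc != public:
        acc = (acc * g) % n
        x += 1
        if x > n:
            return None
    return x


def random_exponent(n: int) -> int:
    """A fresh secret exponent in [1, n-2]."""
    return secrets.randbelow(n - 2) + 1


# Textbook-sized parameters, constructed for illustration only
N, G = 23, 5

if __name__ == "__main__":
    A, B, k_alice, k_bob = dh_exchange(N, G, 6, 15)
    print(f"A = {A}, B = {B}, Alice's secret = {k_alice}, Bob's secret = {k_bob}")
    print("eavesdropper recovers a =", discrete_log(N, G, A))
    print("session key:", session_key(k_alice, N).hex())
```

With a = 6 and b = 15 the values are A = 8, B = 19 and a shared secret of 2, and the eavesdropper recovers a = 6 in six multiplications, which is the whole argument for large primes.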
2.2 Deep web onion services
2.2.1 What are deep web onion sites?
The hidden deep web is not indexed by search engines such as Google, Yahoo and Bing. Its content is not crawled by normal search engines like Google because of technical limitations, and the content of onion sites is only accessible through a Tor proxy[5]. Hidden web services offer users hacking services, drugs, pornography, stolen credit-card data and passwords, exchange of money into Bitcoin, weapons and malware[19]. They also contain government databases and reports; according to the 2010 Defense Science Board report[8], the deep web was 400 to 500 times bigger than the clear web or surface web. The clear web or surface web uses .net, .com and .org extensions, whereas hidden web services use the .onion extension. Many dark sites provide anonymity to a user when chatting with another user. In this situation IP addresses cannot be tracked by an attacker who tries to eavesdrop on the data packets[2].
2.2.2 The Dark Web versus the Deep Web
The Dark Web and the Deep Web are different parts of the dark world. Dark webs rely on networks in which trusted peers make connections among themselves; Tor (The Onion Router), the Invisible Internet Project (I2P) and Freenet are examples of Dark Web systems. To access the deep web we need a special tool such as the Tor proxy. The deep web sells illegal drugs, weapons and heroin, and also carries news about the darknet markets[5].
2.2.3 Number of onion sites in the dark world
According to Joseph Cox, in his article “Study Claims Dark Web Sites Are Most Commonly Used for Crime” on web-based hidden services (February 2016), the items sold in the dark world fall into the categories shown in Figure 7.
Figure 7: List of items selling in the dark world.
We cannot simply connect to the hidden web: first we install the Tor browser, and only then are we able to access the hidden sites on the network. The Tor browser provides a secure connection in which data packets are transmitted in encrypted form through a tunnel.
Figure 8: Details of items in the dark world.
Figure 9: Protocols found in the Deep Web apart from HTTP/HTTPS.
Intelligence agencies monitor and survey the dark web to prevent and detect cyber crime. They use tools and applications for monitoring wireless and Internet communication, and they spend a great deal of time finding Internet users who transfer sensitive documents over the dark web. The deep web can harm national security, so monitoring it is necessary. Deep packet inspection is used to recognise the traffic patterns of anonymizing networks[21].
2.2.4 How do deep web onion sites work?
In the Tor cloud, data passing between computers is encrypted at every hop in order to provide anonymity. Deep-web onion services offer drugs, books, cocaine, heroin, Bitcoin transfers, pornography, credit-card cloning, digital devices, hacking and attacking. To access the deep web we need the Tor network. The black market, in which much illegal activity runs, is part of the hidden web. Blocking onion services is not possible for the government because an onion site is reached through its .onion address rather than through an IP address that could be filtered, so it is not possible to block all the onion sites. Onion sites also offer Distributed Denial of Service (DDoS) attacks, which try to make a service or site unavailable to users by sending an unlimited number of requests in a short period of time[22].
2.2.5 Why do onion site owners take payment in Bitcoin?
Bitcoin is an electronic payment system released as open-source software in 2009. It is the first decentralized digital currency, and users can transact money directly without an intermediary. The main purpose of Bitcoin is sending and receiving money. An attacker demands money in Bitcoin because no bank is involved in the transfer from one account to another. A wallet is used to store the Bitcoin keys used in transactions. Bitcoin is based on the concept of mining: mining is the process that records blocks in the blockchain, and miners verify the transactions in a block. The blockchain is a distributed database in which transactions are verified by network nodes and recorded without any trusted central authority. The Bitcoin software performs all the communication in the network. A user spends Bitcoins from a particular unique address. For security, the Bitcoin payment system uses public-key cryptography, in which two keys are used: a public key and a private key. The SHA-256 hash algorithm is used to hash the previous block in the blockchain. A sender (payer) digitally signs the transaction using their private key; without the private key the Bitcoins cannot be spent[9].
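The mining and hash-chaining described above, as an added example in Python that is not the Bitcoin software's code: each block header is hashed with double SHA-256, a miner searches for a nonce that meets a difficulty target, every node can re-verify the chain, and altering one recorded payment breaks every later link. The payments are constructed, the difficulty is a toy value, and the ECDSA signatures that Bitcoin puts on each transaction are omitted because the Python standard library has no ECDSA.

```python
import copy
import hashlib
import json

DIFFICULTY = 2   # required leading hex zeros; a toy target (Bitcoin's is far harder)


def double_sha256(data: bytes) -> str:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def block_hash(index, prev_hash, timestamp, transactions, nonce) -> str:
    header = json.dumps({"index": index, "prev": prev_hash, "ts": timestamp,
                         "tx": transactions, "nonce": nonce}, sort_keys=True)
    return double_sha256(header.encode())


def mine_block(index, prev_hash, timestamp, transactions, difficulty=DIFFICULTY):
    """Mining: search for a nonce whose header hash meets the difficulty target."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, timestamp, transactions, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "prev": prev_hash, "ts": timestamp,
                    "tx": transactions, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(tx_batches, difficulty=DIFFICULTY):
    """Genesis block followed by one mined block per batch of transactions
    (timestamps are fixed so the example is deterministic)."""
    chain = [mine_block(0, "0" * 64, 0, [], difficulty)]
    for i, txs in enumerate(tx_batches, start=1):
        chain.append(mine_block(i, chain[-1]["hash"], i, txs, difficulty))
    return chain


def validate_chain(chain, difficulty=DIFFICULTY) -> bool:
    """What every network node does: recompute each hash, check the target
    and check that each block points at the hash of the previous one."""
    for i, b in enumerate(chain):
        h = block_hash(b["index"], b["prev"], b["ts"], b["tx"], b["nonce"])
        if h != b["hash"] or not h.startswith("0" * difficulty):
            return False
        if i > 0 and b["prev"] != chain[i - 1]["hash"]:
            return False
    return True


def tamper(chain, block_index, tx_index, new_amount):
    """Alter one recorded payment in a copy; the altered block's hash no longer
    matches, so validation fails without the forger re-mining every later block."""
    forged = copy.deepcopy(chain)
    forged[block_index]["tx"][tx_index]["amount"] = new_amount
    return forged


# Constructed sample payments (not real transactions or addresses)
SAMPLE_TX = [
    [{"from": "buyer1", "to": "vendor", "amount": 0.05}],
    [{"from": "buyer2", "to": "vendor", "amount": 0.10},
     {"from": "vendor", "to": "escrow", "amount": 0.02}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_TX)
    for b in chain:
        print(b["index"], b["nonce"], b["hash"])
    print("valid:", validate_chain(chain))
    print("valid after tampering:", validate_chain(tamper(chain, 1, 0, 5.0)))
```

The hash chain is why the payment record needs no trusted central authority: any node can verify it from the data alone, and changing history costs as much mining work as every block after the change.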
Chapter 3
Methodology
My aim is to collect threats from the onion sites in order to detect and prevent attacks: collect and parse the chats, blogs and other web pages and extract the relevant information using keywords such as attacks, bandwidth, DDoS, etc. If we try to access hidden sites using a normal browser, our location can easily be found out by an attacker. We cannot access hidden onion sites using Internet Explorer, Mozilla Firefox or Google Chrome alone, because these sites are only reachable inside the Tor network; they are called Tor hidden services. Their URLs are strings of letters and digits that look meaningless (they are derived from the hash of the service's public key) and end with .onion. The main benefit of the Tor browser is that it does not reveal the true location of a user. My application works automatically on the onion sites through the Tor proxy. We obtain information from the onion sites through keywords (in the dark world) and predict which type of attack (email hacking, website attack, DDoS attack, SYN flood or sniffer attack) is possible on a particular network, and which type of attack is likely in the near future. The main work of this project is predicting which type of attack will be possible on banks, government sites and military sites in the near future. It also quickly finds out which type of attack was carried out on a network or site, such as an email hack or a DDoS.
The application finds particular keywords (attacks, bandwidth, IRC, blogs, hacking, etc.) on the .onion sites in the dark world. It also finds the URL links on a .onion site and searches the next page that each link leads to (it is not necessary to click the link by hand). When we get a paragraph in which a keyword is present, we apply a text mining tool (crawling the website) to work out the meaning of the paragraph and what will be done[10]. This whole procedure is carried out by the application, which is written in Python. The application predicts which attack has been done, which attack is in progress and which attack is possible in the near future. First I collected 4,350 onion sites in the dark world and then filtered out 242 onion sites which are used only for attacking purposes[11].
3.1 Working of the Tool
After getting a list of thousands of onion sites in the dark world, I filter out only those sites which are used for hacking, attacking, tracing and tracking, and then extract keywords through the application.
Figure 10: Flowchart of working of the Tool.
3.1.1 Application is running through Tor proxy
The application is written in Python, so it runs easily on many platforms. When the application runs, it first crawls the web pages of an onion site through the Tor proxy. The Tor proxy is essential for onion sites, because without it we cannot access an onion site at all.
3.1.2 Searching for keywords on an onion site
When the application crawls the home page of an onion site, it extracts the particular keywords we require (such as hacking, tracing, tracking, bandwidth, attacking, DDoS, etc.) and returns them as output[10].
3.1.3 If URL link is present
Yes
If a URL link is present on the home page of the onion site, go to the next page and extract the keywords from that page of the onion site.
No
If no URL link is present on the onion site, apply the text mining tool to the home page.
3.1.4 Apply text mining tool
Apply the text mining tool to all the pages of the onion site, including every hyperlink present on the site.
3.1.5 Collecting keyword related to the threat intelligence
Collect all the keywords related to threat intelligence and find the onion sites where a particular keyword (hacking, attacking, etc.) is present.
3.1.6 When a keyword is found, pick up a complete sentence
When a keyword is found on the onion site, the tool picks up the complete sentence in which the keyword is present.
3.1.7 Show URL address of the onion site
Show the URL address of the onion site where a particular keyword is found.
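The procedure of sections 3.1.1 to 3.1.7, as an added example in Python (the language the thesis says the tool is written in) that is not the TNT tool's own code: fetch a page through the Tor SOCKS proxy, extract the visible text and links, follow the links one level deep on the same site, and report every keyword together with the complete sentence and the URL on which it was found. The sample pages and their hostnames are constructed; 127.0.0.1:9050 is Tor's default SOCKS port, and `tor_fetch` assumes the third-party requests library with SOCKS support is installed (the offline sample below does not use it).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TOR_PROXY = "socks5h://127.0.0.1:9050"   # default Tor SOCKS port; socks5h lets Tor resolve .onion names
KEYWORDS = ["hacking", "tracing", "tracking", "bandwidth", "attack",
            "ddos", "brute force", "syn-flood", "sniffer"]


class PageParser(HTMLParser):
    """Collects the visible text and the href links of one HTML page."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def tor_fetch(url: str, timeout: int = 60) -> str:
    """Step 3.1.1: fetch a page through the local Tor proxy. Assumes the
    third-party requests library with SOCKS support (requests[socks]);
    not exercised by the offline sample below."""
    import requests
    r = requests.get(url, proxies={"http": TOR_PROXY, "https": TOR_PROXY}, timeout=timeout)
    r.raise_for_status()
    return r.text


def sentences(text: str):
    """Split page text into sentences (step 3.1.6 reports the whole sentence)."""
    flat = re.sub(r"\s+", " ", text).strip()
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", flat) if s.strip()]


def scan_page(url: str, html: str):
    """Steps 3.1.2 and 3.1.4 to 3.1.7: keyword hits with sentence and URL, plus outgoing links."""
    p = PageParser()
    p.feed(html)
    hits = []
    for s in sentences(" ".join(p.text)):
        low = s.lower()
        hits.extend({"url": url, "keyword": kw, "sentence": s} for kw in KEYWORDS if kw in low)
    return hits, [urljoin(url, link) for link in p.links]


def crawl(start_url: str, fetch=tor_fetch, max_depth: int = 1):
    """Step 3.1.3: follow the links found on the home page (one level deep by
    default), staying on the same onion site, and collect every keyword hit."""
    site = urlsplit(start_url).netloc
    seen, queue, findings = set(), [(start_url, 0)], []
    while queue:
        url, depth = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        try:
            html = fetch(url)
        except Exception:      # unreachable page (onion sites are often down); keep going
            continue
        hits, links = scan_page(url, html)
        findings.extend(hits)
        if depth < max_depth:
            queue.extend((l, depth + 1) for l in links if urlsplit(l).netloc == site)
    return findings


# Constructed sample site standing in for a real onion service (not real content)
SAMPLE_SITE = {
    "http://examplehackxyz12.onion/":
        "<html><body><h1>Welcome</h1><script>var x=1;</script>"
        "<p>Rent a hacker here. We offer hacking of email accounts.</p>"
        "<a href='/forum'>forum</a> <a href='http://othersite.onion/'>elsewhere</a></body></html>",
    "http://examplehackxyz12.onion/forum":
        "<html><body><p>Anyone planning a DDoS attack on a bank this week? Need bandwidth.</p></body></html>",
}


def sample_fetch(url: str) -> str:
    return SAMPLE_SITE[url]


if __name__ == "__main__":
    for hit in crawl("http://examplehackxyz12.onion/", fetch=sample_fetch):
        print(f"{hit['url']}  [{hit['keyword']}]  {hit['sentence']}")
```

Against a live onion site the call is `crawl("http://<address>.onion/")` with the default `tor_fetch`; using `socks5h` rather than `socks5` matters, because it makes Tor resolve the .onion name instead of leaking the lookup to the local DNS resolver.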
3.2 List of onion sites used for hacking
1. http://agenttoe2dlvxdei.onion/ Email hacking site
2. http://deepweblinks.org/
3. https://defcongroups.org/ defcon web
4. http://torlinkbgs6aabns.onion/
5. http://torlinkbgs6aabns.onion/
6. http://hss3uro2hsxfogfq.onion/ Search engine for dark world
7. http://torbox3uiot6wchz.onion/sm/src/webmail.php Tor mailbox
8. http://hackcanl2o4lvmnv.onion/hackcanada/index.html Hack Canada
9. http://msydqstlz2kzerdg.onion/ Hidden services for TOR
10. http://sonntag6ej43fv2d.onion/ Blogging site for hacking purpose
11. http://54ogum7gwxhtgiya.onion/blog/index.php/language/en/ Best technodrome based on TOR
12. https://www.reddit.com/r/onions/comments/1cjf3w/ How would you ddos a onion website/ best comments
13. http://trdealmgn4uvm42g.onion/users/login How DDoS attack happen
14. Kpvz7ki2v5agwt35.onion/
15. http://hpuuigeld2cz2fd3.onion/
16. http://wn323ufq7s23u35f.onion/
17. http://zw3crggtadila2sg.onion/downornot/
18. http://zw3crggtadila2sg.onion/downornot/
19. http://utovvyhaflle76gh.onion/sTORage
20. http://utovvyhaflle76gh.onion/ Static/exit the matrix/index.html
21. http://p43g3uyr4dhneura.onion/blog/matrix/index.html
22. http://gcirdquvlyh4terx.onion
23. http://ad52wtwp2goynr3a.onion/6667
24. http://nekrooxwwskakacj.onion/ For IRC
25. http://nissehqau52b5kuo.onion/6667
26. http://renko743grixe7ob.onion/6667
27. http://ftwircdwyhghzw4i.onion/6667
28. http://jkpos24pl2r3urlw.onion/6667
29. http://rustlewnuz6kbapu.onion/6667
30. http://smt4wjpa3r7tkczs.onion/6667
31. http://msydqstlz2kzerdg.onion
32. http://jh32yv5zgayyyts3.onion/
33. http://wikitjerrta4qgz4.onion/
34. http://newsiiwanaduqpre.onion/
35. http://torbox3uiot6wchz.onion/relay-en.php
36. http://sigaintevyh2rzvw.onion/signup.php Hidden email service
37. http://sfjdg275q2ash3jt.onion/thread-aaac3a37c3.html
38. http://servnetshsztndci.onion/
39. https://www.reddit.com/r/I2P For IRC chat
40. http://67p4weg7hoowpvc3.onion/projects/cor/index.html connection oriented routing
41. http://4fvfamdpoulu2nms.onion/lechat/ Le chat script
42. https://mike.tig.as/onionbrowser/ Onion browser
43. http://wi7qkxyrdpu5cmvr.onion/en/index.html Mailing list and chat
44. http://2ysyukgriqx2mv7t.onion/#hacking For hacking purpose
45. http://3mrdrr2gas45q6hp.onion/ Tor duckin
46. http://4ecwfvbvxojjequ4.onion/info.html Mail server
47. http://4qt45wbulqipigwa.onion/ Encrypted and decrypted distributed sharing software
48. http://5eme2auqilcux2wq.onion/ Rent a hacker
49. http://5l2fikyudbqg2pse.onion/ Julion wos home page for encrypting data
50. http://5sn2hxofsu6b55lo.onion/roundcube/ Web mail
51. http://5wfoa3o42xhzevfi.onion/ strategic intelligence network for messaging
52. http://6d6hycywwcshn3hl.onion/ Email identity
53. http://6dvj6v5imhny3anf.onion/ For IRC
54. http://lelantoss7bcnwbv.onion/ Private email service
55. http://6hgchounjuuwxewa.onion/ Onion mail server
56. http://sigaintevyh2rzvw.onion/ Dark net email service
57. http://7faq6ixireuaiksj.onion/mereinfo.htm Web mail
58. https://www.pirateparty.ca/chat/ IRC chat and mail
59. http://nfokjgfj3hxs4nwu.onion/ Best hidden service site
60. http://7w65g63fgumvpuvd.onion/ For chatting purpose
61. http://7uifkyord3spxfjb.onion/ Best site for chatting, messaging and discussing
62. http://a4wzhhaukx4arl5i.onion/ social account hack
63. http://a64r6szrpegnggoj.onion/ crypto storm
64. http://anon4jmy3f3ozlv6.onion/ Tor search engine
65. http://anonymzn3twqpxq5.onion/read.php?9,8837 Best DDoS attack comment
66. http://answersbbddrdcwo.onion/85595/onion?show=85644#a85644 (Best Tor hid- den services and attack)
67. http://answersbbddrdcwo.onion/deepweb-and-tor Best TOR and deep web hidden service
68. http://7alod7zpcztoxvwv.onion/ Debian bug report
69. http://aq4cfxeee4xnv4aj.onion Anonymous Content Distribution Network
70. http://aqdlgvf4jqm4gnn6.onion/member.php Receive mail service
71. http://archmail5fanreo5.onion/ Webmail service
72. http://arch3rsecgjqcmjb.onion/ Hidden services
73. http://lelanto2f3vf5imi.onion/ Best fake mail create private email service
74. http://e4c4xzz3hl772fti.onion/ Tor chat directory
75. https://stoptorscam.wordpress.com/2015/09/23/multiscam-server-exposing-or-tor-wallets- are-not-safe-too/#comments Best list of TOR scam
76. http://bpbhygpupahcgzlr.onion/ Linux centOS
77. http://bpo4ybbs2apk4sk4.onion/en/guide/malware Protect to malware
78. http://bptfp7py2wclht26.onion/blog.html The Tor BSD Diversity Project (TDP), blog
79. http://chatjbbxxotrumic.onion/index.php For chat purpose
80. http://chattorci7bcgygp.onion/ Chat through TOR
81. http://cheftse4cnjzsgid.onion/blog/ Best Low-cost point of sales (PoS) hacking
82. http://cpartywvpihlabsy.onion/ IRC chat
83. http://crackgknbxpcvc24.onion/showthread.php?tid=34 Best hacking tools and tutorials
84. https://www.cryptoparty.in/connect/contact/jabber Jabber instant messaging
85. http://d33pzjppzy7d37r2.onion/dedi.html Deep hosting
86. http://dtt6tdtgroj63iud.onion/ Chatting and hidden hosting
87. http://edsec5zn26zqjwry.onion/ Provide Hacker
88. http://egqy3sj4bdxk27v2.onion/ Hack Netflix account
89. http://edaethwo3476axnq.onion/OnionChat/ Onion chat
90. http://ecvzydgb66ibwll7.onion/ Hackers labs
91. http://encryptor3awk6px.onion/ Ransomware as a service
92. http://darkodei7qdze3pl.onion/install/index.php Creating community
93. http://dbshmc5frbchaum2.onion/Raspian-wheezy-iVPN-Tor-Gateway-Workspace-r0.html Implementing Physical Networking/Workspace Isolation with Raspberry Pi2
94. http://rsprjqyxhf25l3qd.onion/mission.php DW - DETECTIVE (check anyone by access special databases)
95. http://onjjabp3oubn7mdp.onion/ Shadow web
96. http://deadcertniishzbg.onion/ Dead Cert Tor Certificate Authority)
97. http://deepirc23ukiben3.onion/ kiwi IRC chat
98. http://derpmailod2b4axq.onion/ derp mail
99. http://entropisth3ctkzd.onion/ Tor client protocol implementation
100. http://eon3o2n4tohozwsu.onion/portal.php Related to Tor
101. http://ep2jddbvpsfl7iz4.onion/ Http server
24 102. http://epicctfau2hw4w7a.onion/ Chatting purpose
103. http://erl3zrxqjgrpj27k.onion/?s=scripts List of scripts for brute force
104. http://es2adizg32j3kob5.onion/ Chatting purpose
105. http://escrow4vvhj4yqn7.onion/privacy.html Information collecting
106. http://esebhwmgzlrbsvlb.onion/useful-articles/ Information of dark web
107. http://ezufh7iro33kwryw.onion/ (threadlist.php?PHPSESSID=0bkvmeemf0uhgs9dhkdhgnd1a5) Social networking, hacking eBooks
108. http://ezuwnhj5j6mtk4xr.onion/ Real hosting
109. http://nfokjgfj3hxs4nwu.onion/ Hidden service TOR, UBUNTU
110. http://f2mz6ttcwyslnz5u.onion/ Best site for hacking
111. http://f6tch6hxjpazaowz.onion/about.html Onion mail server
112. http://chattorci7bcgygp.onion/ Chat Tor
113. http://exhaonjdb6j6wlah.onion/(wiki/index.php/Category:Computernetworksecurity)
25 114. http://fiextazvoirx4dzd.onion/faq.php?sid=2faf4c004284e22a3c1f3231b110106e Tor community
115. http://flowerk3r3nud4nc.onion/index.php?action=help Posting and personal message
116. http://fogmailr2btefrrq.onion/ Fog mail
117. http://freedomqbueysrt3.onion/ Private hosting
118. http://funwito6ykzrupsj.onion/blog.html Malware generator
119. http://fzkj6aco2loauhul.onion/ IRC
120. http://giftboxto6czglks.onion/memberlist.php Chatting
121. http://giyvshdnojeivkom.onion/ XMPP SERVER
122. http://gjobqjj7wyczbqie.onion/ Candle search engine
123. http://globe223ezvh6bps.onion/ GLOBE explore TOR relay and bridges
124. http://grr7fri2vhnzvd3v.onion/ Knowledge database
125. http://grrmailb3fxpjbwm.onion/ Best fake mail provide temporary email address
26 126. http://gvd3fzsecouzy2bb.onion/ Pirate hacker
127. http://hackarmgq2n2erux.onion/ Hacking tools
128. http://hackeroql4l2mejs.onion/ Rent a hacker
129. http://hackerrljqhmq6jb.onion/ Hack group
130. http://hackharhoaw3yk5q.onion/ Hacker for hire
131. http://hackpdatf4kryh54.onion/ For hacking
132. http://hackslciome4eshp.onion/ Russian account hacker best Russian hacker
133. http://has53mr655kevoht.onion/ par Rent a hacker
134. http://haxedcwi5duu363s.onion/ Have i been hacked
135. http://hc3sz3i2rb5dljqq.onion/ Secure anonymous calling best ghost call
136. http://hostie65cxwr4tza.onion/ private hosting
137. http://hosting6iar5zo7c.onion/ real hosting
27 138. http://htg6l2ngbayepylm.onion/ dimension x
139. http://i2dem5bn2mcetkhf.onion/ hack magic
140. http://igql7o3o5k5cmsby.onion/ a free social network
141. http://intelexi7yo7mj7j.onion/ A caring human at the end of the encrypted channel of communication to us
142. http://inus3amwshmaedba.onion/ Telegram Pedo Community
143. http://irc2p5zrbdk25rdy.onion/ Important for IRC
144. http://iqij37quu7cvaktl.onion/ Tips for reporting abusive UseNet or e-mail messages
145. http://irc2p5zrbdk25rdy.onion/ Important for IRC chat
146. http://nfokjgfj3hxs4nwu.onion/ Hidden service using Ubuntu
147. http://jhu5pr7ahdldvpct.onion/ Important for cloud, mail, chat, hotspot
148. http://jhu5pr7ahdldvpct.onion/ SKS Open PGP Key server
28 149. http://jiuofpytdpozlbhb.onion/memberlist.php The Dark room http://answerstedhctbek.onion/86395/need-bruteforce-password-hacker- hack-bruteforse-protected Best hidden answer
150. http://lchudifyeqm4ldjj.onion/?category=114 Hacking guide and tools
151. http://torbox3uiot6wchz.onion/faq-en.php Best relay
152. https://lists.riseup.net/directory/community/ Creating community
153. http://degooglisons-internet.org/#leds (cyber village)
154. http://jlve2y45zacpbz6s.onion/index.php#AppServer TOR network and server
155. http://jratiejtelswmbov.onion/ jRAT jRAT is a Remote Administration Tool
156. http://jvauzb4sb3bwlsnc.onion/ privoxy Privoxy is a non-caching web proxy with advanced filtering capabilities for enhanc- ing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk
157. https://guardianproject.info/code/ Guardian code and tools
158. http://kgcfwmjmft5nfklq.onion/ How to open the Ashley Madison dump files
29 159. http://l33tefec57h7yjcp.onion/functions/search.php?category=12 hacking tools
160. http://onionmail.info/repo.html onion mail server
161. http://lu4qfnnkbnduxurt.onion/ hacking tools
162. http://mail2tor2zyjdctd.onion/ anonymous email service provider
163. http://bpo4ybbs2apk4sk4.onion/en security tools
164. http://mwl3znktk7mqogdv.onion/#service TOR hosting
165. http://p335zjal4bumv6dr.onion/ Facebook ID hack
166. http://ofqixpcxwjq5au7h.onion/ hack account
167. http://ojgnw7wt6ozfzeeh.onion/squirrelmail/src/login.php webmails for nuts
168. http://onionbr5zulufnuj.onion/ onion browser TOR check
169. https://git.volatile.ch/wowaname/PRC peer relay chat
30 170. http://opnju4nyz7wbypme.onion/zerobin/index.php?ec48a4b9e4af810b#wX9VgdNuYyy9LibBP9hV9WBZd+dQnGXQpNnJUIQIeMg= online pastebin Question answer
171. http://nfokjgfj3hxs4nwu.onion/ Hidden service ubuntu+apache+TOR)
172. http://p335zjal4bumv6dr.onion/ Facebook password hack
173. http://p6x47b547s2fkmj3.onion/ Onion mail
174. http://parckwartvo7fskp.onion/?page=computerstuffarticle=sshserverbehindonionservice (SSH server behind onion service)
175. http://pfoxkj3p65uyc5pe.onion/ A Firefox profile configuration optimized for Tor browsing
176. http://pirateceo5dz3q4b.onion/en/hacking-services/services.html facebook, twitter, email hacking)
177. http://pmwdzvbyvnmwobk5.onion/equipment/hackablesbiofeedback best brain hacking
178. http://publicibkxahavzc.onion/ Search engine for source code
179. https://github.com/diafygi/webrtc-ips Web RTC
180. http://pyl7a4ccwgpxm6rd.onion/w/index.php/Tools#DDoS tools hacking tools
31 181. http://qj3m7wxqk4pfqwob.onion/ IRC
182. http://answersbbddrdcwo.onion/Hacking-malware-tech Best hidden answers
183. http://qlrlf4q6x3mxu5uu.onion/products.html Dark net hacking products
184. http://qwzxd7r5pbrn7cqv.onion/ Email for hacking advice
185. http://qza32xuddl3guikc.onion/tutorials/darknets/i2p-browser-setup-guide.html Best I2P browser setup
186. http://qzbkwswfv5k2oj5d.onion/forum-30.html Best hacking tools and news
187. http://rkphrici4u5ffhhm.onion/ Secure drop server
188. http://rnqan3iu7nizbcyg.onion/ Hack group
189. http://servnetshsztndci.onion/ Software
190. http://shv34p5cckiljkww.onion/index.php Hidden host
191. http://torxmppu5u7amsed.onion/ Tor xmpp jabber
32 192. http://tty5bznsfoqxvkpy.onion/index.php rent a hacker
193. http://ubho6ub2lp6y2mai.onion/ Russian email, Facebook....hacker
194. http://vb75uj2ap3hyyava.onion/ Hacking is art
195. http://www.grrmailb3fxpjbwm.onion/ fake mail
196. https://github.com/blog github blog
197. http://xudusaoheq6vzp54.onion/feed.xml Best hack fest
198. http://zzzcgjit65yyn4ji.onion/gdrwpl/ jabber
199. http://answerstedhctbek.onion/97496/hacking-a-website?show=97954#a97954 Best question and answer
200. http://kpynyvym6xqi7wz2.onion/files.html#hp Best question and answer
201. http://nikcubxroppyzzld.onion How FBI found location of Silk Road
202. http://nikcubxroppyzzld.onion/posts/onymous-part1/ Best question and answer
33 203. http://nikcubxroppyzzld.onion/posts/analyzing-fbi-explanation-silk-road/ Best question and answer
204. http://w363zoq3ylux5rf5.onion/blog/group/137404/all Best question and answer
205. http://hrkdpwrkh3lbow2l.onion/rss.xml Best question and answer
206. http://dustriic3kdutvvc.onion/b/atom.xml Best attack code)
207. http://kobrabd77ppgjd2r.onion/blog/2015/05/crusade-against-bad-code Best code attack
208. http://kobrabd77ppgjd2r.onion/blog/2015/05/crusade-against-bad-code Best timing attack to object injection
209. kobrabd77ppgjd2r.onion/research/view/pastebin-captcha-evasion Best Pastebin Captcha Evasion
210. http://kobrabd77ppgjd2r.onion/research/view/ad-bypass-free-web-hosting Bypass free web hosting
211. http://kobrabd77ppgjd2r.onion/blog/2015/01/package-signing-thread-modelling Best thread modeling
212. http://kobrabd77ppgjd2r.onion/ Scott Arciszewski For hacking purpose
213. https://thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/ For hacking purpose
34 214. https://docs.google.com/forms/d/1eMtmQWNggvIMlre1Vu3aDQA-eK5R36qRtYqh0fh1ufM/viewform?c=0w=1 Best drabbed
215. https://github.com/blog comments Best blog comments
216. http://vb75uj2ap3hyyava.onion/comments/ Best blog comments
217. http://vb75uj2ap3hyyava.onion/posts/ Best Post
Chapter 4
Results and Discussions
4.1 How can we trace the owner of an onion site?
After collecting a keyword, my application finds the URL of the onion site where the keyword was found. Once I have the URL of an onion site, I mail the owner of the onion site as a client and wait for a reply. The owner of the onion site sends me a reply mail, and from it I obtain the header of the email. I trace the email header and find out the IP address and location of the owner of the onion site who was responsible for the attack.
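To make the header-tracing step concrete, here is an added example (not the thesis's application and not the tracer cited at [23]) that parses the Received: chain of a reply message and reports the oldest hop carrying a routable address; the sample message, host names and RFC 5737 addresses are constructed.

```python
import re
import ipaddress
from email import message_from_string

# Constructed reply message (not from the thesis); IPs are RFC 5737 documentation addresses.
SAMPLE_REPLY = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by inbound.example.org with ESMTPS id abc123
    for <analyst@example.org>; Tue, 10 May 2016 10:02:13 +0000
Received: from webmail.example.net (unknown [198.51.100.23])
    by mx.example.net with ESMTPA id def456;
    Tue, 10 May 2016 10:02:10 +0000
Received: from [192.0.2.45] (helo=client.local)
    by webmail.example.net with ESMTP; Tue, 10 May 2016 10:02:08 +0000
From: owner@example.net
To: analyst@example.org
Subject: Re: question about your service

Hello, thanks for writing.
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Hops from these ranges are internal to a mail system and say nothing about where the sender is.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw):
    """Parse Received: headers into dicts, oldest hop first (servers prepend, so reverse)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())             # unfold continuation lines
        sender_part = flat.split(" by ", 1)[0]     # 'from ...' clause: the host that connected
        by = re.search(r" by (\S+)", flat)
        ips = IP_RE.findall(sender_part)
        hops.append({
            "from": sender_part[len("from "):],
            "ip": ips[0] if ips else None,
            "by": by.group(1) if by else None,
            "time": flat.rsplit(";", 1)[1].strip() if ";" in flat else None,
        })
    return list(reversed(hops))

def originating_ip(raw):
    """Return the IP of the oldest hop that is not in a non-routable range, or None."""
    for hop in received_hops(raw):
        if hop["ip"] and not any(ipaddress.ip_address(hop["ip"]) in n for n in NON_ROUTABLE):
            return hop["ip"]
    return None
```

Only the hop written by your own receiving server is verified; every earlier hop was copied from the remote system as-is, so a reply relayed through a webmail provider or an anonymising mailer points at that provider rather than at the person who typed it.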
Figure 11: Reply mail by [email protected] (owner of the onion site).
Figure 12: Trace of the e-mail header of [email protected] [23] (owner of the onion site).
Figure 13: Reply mail by [email protected] (owner of the onion site).
Figure 14: Trace of the e-mail header of [email protected] [23] (owner of the onion site).
Figure 15: Reply mail by [email protected] (owner of the onion site).
Figure 16: Trace of the e-mail header of [email protected] [23] (owner of the onion site).
Figure 17: Reply mail by [email protected] [23] (owner of the onion site).
Figure 18: Trace of the e-mail header of [email protected] [23] (owner of the onion site).
Figure 19: Reply mail by [email protected] (owner of the onion site).
Figure 20: Trace of the e-mail of [email protected] [23] (owner of the onion site).
Chapter 5
Conclusions and future work
• We designed the TNT Tool (Threat Intelligence Tool) for extracting keywords from onion sites through a Tor proxy. The TNT tool collected all the keywords related to attacks, such as hacking, tracing, tracking, bandwidth, etc., from the onion sites.
• After collecting the keywords, our tool finds the URL of the onion site where the keywords were found.
• Once I had the URL of the onion site, I sent an email to the owner of the onion site.
• The onion site owner replied to my mail, which gave me the email header. I traced the location and IP address of the owner of the onion site using the email header.
• This application is useful for intelligence agencies that collect threats and evidence in the hidden dark web.
• They also monitor and conduct surveillance of activity in the hidden dark web. We use this technique to prevent DDoS attacks, SYN-flood attacks and sniffer attacks.
• It also helps to detect attacks that were carried out in the past, such as website attacks, email hacking, social account hacking and money fraud. We also predict which types of attack will be possible in the near future on bank and military sites.
• We also monitor and eavesdrop on onion sites where attackers comment and blog about attacks that will happen in the near future. After obtaining this information, we stop the attacks that would otherwise be carried out through onion sites in the dark world.
• The other method is monitoring and surveillance of the onion sites of the dark world. We found the true location of the servers of onion sites by fiddling with the onion site's login page until the onion site leaked its true location, and also through misconfigured elements of the login page which revealed the IP (Internet Protocol) address of the onion site [6].
Author's Publications
• Tarun Trivedi, B. M. Mehtre, "Collecting Threat Intelligence from Tor Network", submitted to the Second International Symposium on Intelligent Systems Technologies and Applications (ISTA16), Jaipur, India.
References
[1] Gartner. Definition: Threat Intelligence. www.gartner.com/doc/2487216/definition-threat-intelligence
[2] Pierluigi Paganini and Richard Amores. The Deep Dark Web: The Hidden World.
[3] Tor: Overview. www.torproject.org/about/overview.html.en
[4] https://www.torvpn.com/en/onion
[5] Vincenzo Ciancaglini, Marco Balduzzi, Robert McArdle and Martin Rösler (Forward-Looking Threat Research Team). Below the Surface: Exploring the Deep Web.
[6] Ivan Pustogarov. Deanonymisation Techniques for Tor and Bitcoin. Doctoral thesis presented on 12/06/2015 in Luxembourg for the degree of Docteur de l'Université du Luxembourg en Informatique.
[7] https://www.fbi.gov/news/pressrel/press-releases/
[8] Defense Science Board report 2010. http://www.acq.osd.mil/dsb/reports2010s.html
[9] Andreas M. Antonopoulos. Mastering Bitcoin. O'Reilly Media, Inc.
[10] Sriram Raghavan and Hector Garcia-Molina. Crawling the Hidden Web. Computer Science Department, Stanford University, Stanford, CA 94305, USA.
[11] http://skunksworkedp2cg.onion/sites.html
[12] Xiao Wang, Jinqiao Shi, Binxing Fang and Li Guo. An Empirical Analysis of Family in the Tor Network. IEEE ICC 2013.
[13] Aaron Johnson, Paul Syverson, Roger Dingledine and Nick Mathewson. Trust-based Anonymous Communication: Adversary Models and Routing Algorithms. U.S. Naval Research Laboratory, CCS 2011.
[14] Philipp Winter, Richard Köwer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog and Edgar Weippl. Spoiled Onions: Exposing Malicious Tor Exit Relays. Karlstad University, Sweden; SBA Research, Austria; FH Campus Wien, Austria.
[15] Masoud Akhoondi, Curtis Yu and Harsha V. Madhyastha. LASTor: A Low-Latency AS-Aware Tor Client. 2012 IEEE Symposium on Security and Privacy.
[16] Philipp Winter and Stefan Lindskog. How the Great Firewall of China is Blocking Tor. Karlstad University.
[17] Sambuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis and Angelos D. Keromytis. Detection and Analysis of Eavesdropping in Anonymous Communication Networks. Springer-Verlag Berlin Heidelberg, 2014.
[18] Dario Catalano, Mario Di Raimondo, Dario Fiore, Rosario Gennaro and Orazio Puglisi. Fully Non-interactive Onion Routing with Forward Secrecy. Published online 20 December 2012, Springer-Verlag Berlin Heidelberg, 2012.
[19] Matteo Casenove and Armando Miraglia. Botnet over Tor: The Illusion of Hiding. 2014 6th International Conference on Cyber Conflict, P. Brangetto, M. Maybaum, J. Stinissen (Eds.), NATO CCD COE Publications, Tallinn, 2014.
[20] Muhammad Aliyu Sulaiman and Sami Zhioua. Attacking Tor through Unpopular Ports. 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops.
[21] Taro Ishitaki, Donald Elmazi, Yi Liu, Tetsuya Oda, Leonard Barolli and Kazunori Uchida. Application of Neural Networks for Intrusion Detection in Tor Networks. 2015 29th International Conference on Advanced Information Networking and Applications Workshops.
[22] Ibrahim Ghafir, Jakub Svoboda and Vaclav Prenosil. Tor-based Malware and Tor Connection Detection. Faculty of Informatics and Institute of Computer Science, Masaryk University.
[23] http://www.cyberforensics.in/OnlineEmailTracer