Nov 29, 2022
We talked about how to access the Tor network, what it is, what a Tor circuit and a torrc file are, and other topics. This time I'd like to focus on some of the core Tor concepts, as well as the considerations, issues, weaknesses and risks inherent to Tor, and how to manage and mitigate them appropriately.
A hidden service is basically just a relay that offers a web service or any other Internet service; it is accessible only through a .onion URL, and its actual IP address is hidden behind the Tor circuit.
To host a hidden service, you need to install a web server or any other service you want to host; add this to your torrc file:
HiddenServiceDir /var/lib/tor/service
HiddenServicePort 80 <ip>:80
Tor will then generate a public-private key pair for your service, and it will write it to a file called private_key. It will also create a hostname file.
The hostname file will have the name of your .onion address, as well as the information about your public key.
Obviously, to run a service such as this, you need to know what's at stake, and if you're doing it in the first place, you're probably of the general idea to hide your IP; thus, you should appropriately harden your systems and take the risks into account.
This can be achieved in a myriad of ways, so I like to ponder these topics from a more general, high-level perspective. One possible way to isolate yourself is true virtualization and compartmentalization. Whonix also comes to mind: its two-VM setup routes all your traffic through the Whonix gateway, and both systems are hardened and preconfigured out of the box (they should, of course, be reconfigured where necessary). This is one example of how you might make it harder for attackers to figure out your real IP address.
However, I am not an expert on how to run hidden services, far from it, I just wanted to sort of 'define' them, so I can tie them into our whole narrative here.
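As an added example (not from the post), here is a small Python audit of the torrc directives above: it flags a HiddenServicePort target that is not loopback, because such a backend is then also reachable without Tor, and it verifies the checksum embedded in a v3 .onion name, whether taken from the hostname file or from a link found on a hidden wiki. The sample torrc and the 32-byte public key are constructed, and the check never talks to Tor itself.

```python
import base64, hashlib, ipaddress, re

# Constructed sample torrc; the second service deliberately forwards to a LAN address.
SAMPLE_TORRC = """HiddenServiceDir /var/lib/tor/service
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/service2
HiddenServicePort 80 192.168.1.10:8080
"""

def parse_hidden_services(torrc_text):
    """Group each HiddenServicePort under the HiddenServiceDir that precedes it."""
    services, current = [], None
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            current = {"dir": value.strip(), "ports": []}
            services.append(current)
        elif key == "HiddenServicePort" and current is not None:
            virt, _, target = value.strip().partition(" ")
            # Tor defaults an omitted target to 127.0.0.1:VIRTPORT
            current["ports"].append((virt, target.strip() or f"127.0.0.1:{virt}"))
    return services

def audit_hidden_services(torrc_text):
    """Report targets that are not local: those backends are reachable outside Tor."""
    findings = []
    for svc in parse_hidden_services(torrc_text):
        for virt, target in svc["ports"]:
            if target.startswith("unix:") or target.isdigit():  # unix socket / bare port are local
                continue
            host = target.rsplit(":", 1)[0].strip("[]")
            try:
                local = ipaddress.ip_address(host).is_loopback
            except ValueError:
                local = host == "localhost"
            if not local:
                findings.append(f"{svc['dir']}: virtual port {virt} forwards to non-loopback {target}")
    return findings

def onion_v3_from_pubkey(pubkey):
    """Build a v3 name: base32(pubkey || checksum || version), version byte 0x03."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def onion_v3_valid(addr):
    """Verify the checksum embedded in a v3 .onion name; catches mistyped or corrupted links."""
    label = addr.lower().removesuffix(".onion")
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return False
    raw = base64.b32decode(label.upper())
    return raw[34:] == b"\x03" and onion_v3_from_pubkey(raw[:32]) == label + ".onion"
```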
Tor2web lets you access hidden services with a standard web browser, without connecting to the Tor network yourself.
Basically, wherever you see a .onion URL, you can replace it with .onion.to, .onion.city, .onion.cab, .onion.direct, etc. Note that this is not anonymous or private in any way. It is just a way of accessing hidden services without connecting to the Tor network.
From the Tor2web site:
WARNING: Tor2web only protects publishers, not readers. As a reader installing Tor Browser will give you much greater anonymity, confidentiality, and authentication than using Tor2web. Using Tor2web trades off security for convenience and usability.
Tor - reflections - .onion URLs, stuff & risk
Since the darkweb is not indexed by the clearweb search engines, finding and discovering hidden services can be difficult. Places where you can find .onion links are usually hidden wikis, Twitter, Reddit, Pastebin, GitHub and Internet forums. You should be able to find these links with a Google search as well.
*A note on hidden wikis: there are many websites that claim to be "the hidden wiki" or "the uncensored Tor hidden wiki". Be mindful if and when clicking on links there, as you can't always be sure where that link is leading you.
As you know, Tor is decentralized by nature, so there is no list of all hidden services, but there are hidden services whose task is to catalog those known .onion addresses.
Such as this.
There are also Torch, Sinbad and other search engines, but it is up to you to decide how trustworthy they are.
While we're on the topic, I'd like to point out that you should always be mindful of the potential risks you're opening yourself to. Every action counts, and you should take necessary precautions, always.
A good way to illustrate this is the CTFs I participated in, which required us to investigate data collected from Tor that pertained to a slew of illegal activities. The organizers simply didn't render any content, thus eliminating the risk for us analysts.
You could only see what was relevant for your investigation, be that a hash, bitcoin address, email address, or anything else that was of relevance and scraped to the dataset.
When you're doing this by yourself, there's no organizer to filter out stuff for you, so always be mindful of that.
More reflections on Tor and Mitigations
Tor prevents your ISP/local network from knowing what you visited, prevents tracking, and helps with avoiding censorship.
However, the 3-letter agencies dislike Tor, mainly because Tor is the best network for these uses; thus it is always under attack, and when it is, it's mostly in order to deanonymize its users.
If you're in a location that might be targeted and the risk is high, or your adversary has significant resources, you should not rely on Tor to anonymize you.
Another big weakness of Tor is you, the user. Poor OPSEC on your part defeats the purpose of Tor by default.
Other weaknesses are browser-based attacks, as well as attacks against the host OS.
Of course, you can mitigate these attacks and reduce their probability of success, but this implies having some controls in place.
First and foremost, go back to Opsec basics, learn it inside and out, and create your model.
You should also leverage isolation, compartmentalization/virtualization to reduce the impact and possibility of browser exploits (or other attacks) being successful.
Never install Tor on your main OS, especially if the consequences are high.
Use hardened VMs.
Just running Tor Browser on Windows is NOT a good idea. Assume Tor Browser is exploitable and mitigate appropriately: use isolation.
Whatever is your isolation, it also needs to be hardened.
To future-proof yourself against unknown threats, you need non-persistence; you should not rely on Tor Browser to purge all of that data fully and reliably. You can get non-persistence through Tails and other live OSes, through VMs, or by using whole-disk encryption and secure deletion. You can also combine these methods to better protect yourself.
Be aware of the design documentation - https://2019.www.torproject.org/projects/torbrowser/design/
I hope I've put you on a path down the rabbit hole called Tor! There's so much more, and I will cover as much as I possibly can.
Cover image by JC Gellidon
#tor #risk #tracking #deanonymization
Another bi-weekly/monthly talk on Tor.