Task x: Read and summarize: Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser
The Tor Browser is a chapter in “Hiding Behind the Keyboard: Uncovering Covert Communication Methods with Forensic Analysis”, written by Brett Shavers and John Bair. The chapter describes the principles of The Onion Router network and methods of investigating crimes committed using the TOR browser.
The TOR browser is a web browser based on Mozilla Firefox that allows users to use Internet resources anonymously. The idea of onion routing is that a request to an Internet resource travels from the client through a chain of relays, known as a TOR Circuit. A TOR Circuit consists of an Entry/Guard relay, a Middle relay and an Exit relay.
Each relay knows only the previous and the next hop, so the middle relay knows neither the sender nor the final recipient. The traffic is encrypted as many times as there are relays in the circuit, and only the hop between the Exit relay and the end resource carries no Tor encryption.
Tor relays are run by volunteers around the world, and the IP addresses of the relays can be found on the Tor Project’s Metrics website. In addition, there are Bridges, whose IP addresses are not published. They can be used in countries where the public relays may be blocked by the government, such as China. At the time of writing this article, there were about 7000 Relays and 2000 Bridges around the world.
Installing and using the Tor browser is very simple: download the installation package from the Tor Project’s page, install it on the local machine and use the default browser settings.
The Tor browser itself does not create artifacts on the local machine, but traces of using the Tor network can still be found on the computer. It is more secure to run the TOR browser from an operating system that needs no installation and boots from USB or DVD media, for example Tails, which has Tor pre-installed. Alternatively, the Linux bootloader (GRUB2) can be configured to bypass the installed operating system and boot from the ISO image. Black Hat also recommends using a good VPN with the Tor browser. I downloaded and ran Tails in a VMWare virtual machine from an ISO image.
Since the Tor browser uses the Mozilla Firefox engine, vulnerabilities in Firefox also affect the Tor browser. For example, the FBI was able to reach the child pornography distributors on Freedom Hosting using the vulnerability CVE-2013-1690 in Firefox ESR 17.x before 17.0.7.
Hidden services on the Tor network are also known as the Dark Web. These services provide, for example, email or web hosting. Unlike connections made through the TOR network to conventional Internet resources, hidden services do not use Exit relays, and therefore the traffic between the user and the hidden service is encrypted end to end. Hidden services are not indexed by search engines and are therefore almost invisible on the Internet. Hidden services use the top-level domain .onion and have the form juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion/i2p/ (the AHMIA search for the i2p network). Many hidden services sell illegal goods such as drugs, weapons, credit card numbers, child porn and much more.
Source: Shavers & Bair 2016: Hiding Behind the Keyboard.
Task a: Install TOR browser and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).
I am using the Kali Linux distribution, release 2022.1, on the VMWare Workstation 15 Pro hypervisor. I found instructions for installing the TOR browser on Kali Linux and installed the TOR Browser using these instructions:
$ sudo apt update
$ sudo apt install -y tor torbrowser-launcher
After that, TOR Browser and TOR Browser Launcher appeared in the main menu as installed programs.
Task b: Browse TOR network, find, take screenshots and comment
- search engine for onion sites
Since hidden services are not indexed by conventional search engines, searching the .onion domain requires special search engines. Unfortunately, hidden services often change their URL addresses and even close down. Links to the search engines can be found on their clearnet websites. The stable search engines in the Tor network are AHMIA and TORCH.
There are also link lists on the Tor network, such as The Hidden Wiki page and OnionLinks.
In the vastness of the Tor network there are marketplaces where you can buy illegal goods such as drugs, weapons, stolen credit card numbers and much more.
From what I understand, some of them provide escrow payment services. So the buyer can be sure that the seller will not scam him.
One of the most popular types of fraud that I have encountered on the Tor network is carding. Carding is a whole underground industry in which fraud is committed with the victims’ credit cards. In carding, the roles are strictly divided between the participants: someone steals credit card data, someone uses it to buy and order goods online, and someone sells the goods obtained in this way for real money. If you are interested in carding and credit card security, read my article.
There are communication forums on the hidden services of the Tor network. Many of them require registration to access them, which I don’t want to do. Therefore, I found one forum in which registration is not needed to read the messages, and it also turned out to be on the topic of carding.
While I was studying the possibilities of the Tor network, I noticed that Tor makes it possible to circumvent bans on viewing Internet resources in a particular country. For example, at the time of writing this article, many Russian resources are blocked for viewing in the European Union and in particular in Finland. Using a Tor circuit with an exit node in a country where there is no ban makes it possible to view these resources. For example, the website of the news agency Russia Today is blocked for viewing in Finland, but it can be viewed over the Tor network.
Looking at the circuit, one can see all the relays: the Guard (Entry) relay in the Netherlands, the Middle relay in France and the Exit relay in Germany, from where the rt.com site is not blocked.
Task c: Find an example where anonymity of TOR user was compromised. How was it done? Who did it? Could the deanonymization be replicated?
One example where anonymity has been compromised is the FBI’s operation to plant on the Freedom Hosting servers an exploit for the vulnerability CVE-2013-1690 in Mozilla Firefox, on which the Tor browser is built. FBI agents managed to configure the site’s server so that it infected users’ computers, where malicious code ran, looked up the victim’s MAC address and hostname and sent them back in an HTTP web request to an FBI server.
I believe that at the moment this particular vulnerability cannot be exploited again with the new version of the Tor browser, where it has been eliminated. However, vulnerabilities in programs are constantly being found, and I do not exclude the possibility that other vulnerabilities could be used to deanonymize Tor network users.
Task d: What other pseudonymous/anonymous networks are there? What’s their killer feature? How are they different from TOR?
As stated on the I2P website, it is a fully encrypted private network layer developed with privacy and security by design in order to protect activity, location and identity. I2P uses encryption to provide the various properties of the tunnels and of the messages carried over them. I2P tunnels use the NTCP2 and SSU transports. The network is made up of peers (“routers”) and unidirectional inbound and outbound virtual tunnels. The software provides a router that connects to the network. Routers communicate with each other using protocols built on existing transport mechanisms (TCP, UDP, etc.), passing messages. I2P provides its own unique DNS. The I2P network is almost completely decentralized, with the exception of the so-called Reseed servers, through which a node first joins the network.
Comparisons of I2P and Tor can be found on the project’s website. Here are some advantages of I2P:
- Hidden services are much faster than in Tor
- Fully distributed and self-organizing
- Peers are selected by continuously profiling and ranking performance, rather than trusting claimed capacity
- Peer-to-peer friendly
- Packet switched instead of circuit switched
- Both TCP and UDP transports
- Java, not C
Freenet is a peer-to-peer network designed for decentralized, distributed storage of data without the possibility of censorship; it was created to give users electronic freedom of speech by making it impossible to delete or block files.
Freenet can be thought of as a large storage device. When you save a file in it, you get a key that you can use to retrieve the file. When you insert a key into Freenet, it will return the corresponding file (if it is on the system). Storage space is shared among all connected nodes in Freenet.
Freenet is a peer-to-peer network that is decentralized and anonymous. The nodes you connect to know only their nearest neighbors and do not know how the network as a whole works.
Task e: In your own words, how does anonymity work in TOR? (e.g. how does it use: public keys, encryption, what algorithms?)
Communication between the relays in a circuit is protected with AES, a symmetric cipher; the per-relay keys are agreed using Diffie-Hellman, which is asymmetric key cryptography. The user encrypts the Internet traffic using the keys agreed with all the relays in the circuit. The result is an onion of encryption layers, where each layer can be opened only by the next relay in the circuit. Upon receiving the message, a relay decrypts its layer and forwards the message to the next relay. Thus the request reaches the Exit relay with all the Tor layers removed. On the way back, each relay adds its own layer of encryption and the user receives the onion, which he decrypts.
Private and public keys (asymmetric encryption) are used to publish hidden services. You can read more about it here.
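The layered encryption described in the answer to Task e and in the summary of the chapter (each relay knowing only its previous and next hop, the Exit seeing the plaintext request) can be made concrete with a small simulation. The following is an added example written for this page, not code from the book or from the Tor Project. It assumes a three-hop circuit with the hop names "guard", "middle" and "exit", a constructed destination "example.invalid:80", toy Diffie-Hellman parameters (a Mersenne prime, not a standard group) and an HMAC-SHA256 counter-mode keystream standing in for AES, since the Python standard library has no AES; Tor's real handshake (ntor) and cell format differ from this.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only: the modulus is a
# Mersenne prime, so the group is real, but it is not a standard DH group.
DH_P = 2**521 - 1
DH_G = 3


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_shared_key(priv, peer_pub):
    # Both sides compute g^(ab) mod p and hash it down to a 32-byte layer key
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()


def keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in for AES-CTR
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    # One encryption layer: fresh nonce, then XOR with the keystream
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def unseal(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class Relay:
    def __init__(self, name):
        self.name = name
        self.priv, self.pub = dh_keypair()
        self.key = None
        self.seen = []  # (previous hop, next hop): all this relay ever learns

    def handshake(self, client_pub):
        self.key = dh_shared_key(self.priv, client_pub)
        return self.pub

    def forward(self, prev_hop, blob):
        # Peel exactly one layer; its plaintext is "<next hop>\n<inner blob>"
        next_hop, _, payload = unseal(self.key, blob).partition(b"\n")
        self.seen.append((prev_hop, next_hop.decode()))
        return next_hop.decode(), payload

    def backward(self, blob):
        # On the reply path each relay adds its own layer
        return seal(self.key, blob)


def build_circuit(relays):
    keys = []
    for relay in relays:
        priv, pub = dh_keypair()  # fresh ephemeral key for every hop
        keys.append(dh_shared_key(priv, relay.handshake(pub)))
    return keys


def wrap_onion(keys, hops, destination, request):
    # Innermost layer first: only the Exit relay can read destination and request
    blob = seal(keys[-1], destination.encode() + b"\n" + request)
    for i in range(len(keys) - 2, -1, -1):
        blob = seal(keys[i], hops[i + 1].encode() + b"\n" + blob)
    return blob


def unwrap_reply(keys, blob):
    for key in keys:  # Guard's layer is outermost, Exit's innermost
        blob = unseal(key, blob)
    return blob


def run_circuit(request=b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"):
    hops = ["guard", "middle", "exit"]
    relays = {name: Relay(name) for name in hops}
    keys = build_circuit([relays[h] for h in hops])
    blob = wrap_onion(keys, hops, "example.invalid:80", request)
    prev_hop, current = "client", hops[0]
    while current in relays:
        following, blob = relays[current].forward(prev_hop, blob)
        prev_hop, current = current, following
    # 'current' is now the destination and 'blob' the plaintext request: the hop
    # from the Exit relay to the end resource carries no Tor encryption.
    reply = b"HTTP/1.1 200 OK\r\n\r\nhello from " + current.encode()
    for name in reversed(hops):
        reply = relays[name].backward(reply)
    return {
        "request_at_destination": blob,
        "reply_at_client": unwrap_reply(keys, reply),
        "relay_view": {name: relays[name].seen for name in hops},
    }
```

Calling run_circuit() shows that the Guard records only ("client", "middle"), the Middle only ("guard", "exit"), and the Exit only ("middle", "example.invalid:80"); no single relay ever sees both the user and the destination, while the client recovers the reply by peeling the three layers in Guard, Middle, Exit order.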
Task f: What kind of the threat models could TOR fit?
There is an attack in which the attacker tries to control both ends of the circuit, called the Sybil Attack, named after the main character in Flora Rheta Schreiber’s book Sybil. Sybil attacks are not theoretical: in 2014, researchers at Carnegie Mellon University appeared to successfully carry out a Sybil Attack against the real-life Tor network.
Jansen et al. described an attack in which nodes are DDoSed out of the network. By degrading the network (removing exit nodes), the attacker increases the chance that his own exit node is selected.
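How much the two threat models above raise an attacker's odds can be put into numbers. The following is an added example for this page, not code from the book or from the Jansen et al. paper: it assumes constructed relay lists with made-up bandwidth weights (90 honest units and 10 adversary units for both Guards and Exits), bandwidth-weighted path selection as a simplification of Tor's real algorithm, and the names "exit0"/"exit1" for the honest exits assumed to be knocked offline. It computes the share of circuits that have an adversary-controlled relay at both ends, analytically and by simulation, before and after honest exits are removed.

```python
import random

# Constructed relay lists: (name, bandwidth weight, controlled by the adversary).
# The weights are illustrative, not measurements of the real Tor network.
HONEST_GUARDS = [("guard%d" % i, 30, False) for i in range(3)]  # 90 units honest
SYBIL_GUARDS = [("sybil-guard", 10, True)]                      # 10 units adversary
HONEST_EXITS = [("exit%d" % i, 30, False) for i in range(3)]
SYBIL_EXITS = [("sybil-exit", 10, True)]


def pick_weighted(relays, rng):
    # Bandwidth-weighted choice, a simplification of Tor's path selection
    total = sum(bw for _, bw, _ in relays)
    x = rng.uniform(0, total)
    for name, bw, adversary in relays:
        x -= bw
        if x <= 0:
            return name, adversary
    return relays[-1][0], relays[-1][2]


def adversary_share(relays):
    return sum(bw for _, bw, adv in relays if adv) / sum(bw for _, bw, _ in relays)


def both_ends_probability(guards, exits):
    # A circuit is exposed when the adversary holds both the Guard and the Exit
    return adversary_share(guards) * adversary_share(exits)


def simulate(guards, exits, circuits=20000, seed=7):
    rng = random.Random(seed)
    hits = 0
    for _ in range(circuits):
        _, guard_adv = pick_weighted(guards, rng)
        _, exit_adv = pick_weighted(exits, rng)
        hits += guard_adv and exit_adv
    return hits / circuits


def degrade_exits(exits, removed):
    # The Jansen et al. scenario: honest exits knocked offline, adversary exits untouched
    return [r for r in exits if r[2] or r[0] not in removed]


def compare():
    before = (HONEST_GUARDS + SYBIL_GUARDS, HONEST_EXITS + SYBIL_EXITS)
    after = (HONEST_GUARDS + SYBIL_GUARDS,
             degrade_exits(HONEST_EXITS + SYBIL_EXITS, {"exit0", "exit1"}))
    return {
        "before": both_ends_probability(*before),
        "after": both_ends_probability(*after),
        "before_sim": simulate(*before),
        "after_sim": simulate(*after),
    }
```

With these weights compare() gives about 0.01 before the degradation (10% of guard bandwidth times 10% of exit bandwidth) and 0.025 after two of the three honest exits are removed, with the simulated values close to the analytic ones; the point for a threat model is that the adversary's chance scales with its share of selection weight at each end, so anything that shrinks honest bandwidth at one end multiplies the risk without the adversary adding any relays.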
Some applications, when used over Tor, reveal your true IP address. One such application is BitTorrent.
Usually, Tor users who are caught committing crimes get caught because of insufficient OpSec, not because of security problems with Tor.