Hacking the Tor network: Follow up complete guide by Blackhat Pakistan 2023
Today we will learn about Hacking the Tor network.
In a previous post, I presented the main techniques used to hack Tor networks and deanonymize Tor users. Law enforcement and intelligence agencies consider the “de-anonymization” of Tor users a primary goal.
Authorities may attempt to implement techniques to break the encryption used to anonymize traffic or to exploit a vulnerability in one of the software modules that allow the user’s online experience to be anonymized.
The authorities also have another option: try to covertly destroy Tor’s overall architecture or attack the hidden services to disrupt the traffic flowing to them.
Operation Onymous[Hacking the Tor network]
Since the last post, authorities have dealt a blow to cybercriminals who use the Tor network for illegal purposes. In a joint effort, the police and intelligence agencies have taken down several illegal markets as part of Operation Onymous. Operation Onymous, coordinated by Europol’s European Cybercrime Center (EC3), targeted a criminal organization that was abusing the Tor network to run black markets.
The operation is considered an important success in the fight against cybercrime, but many experts have begun to question how law enforcement agencies were able to locate the servers hosting the hidden services and the operators who ran illegal activities. The developers of the Tor project published an interesting blog post titled “Thoughts and Concerns about Operation Onymous” in which they explained the possible techniques adopted by authorities to locate hidden services and de-anonymize the operators who ran the most popular black markets. , including Silk Road 2.0.
“Over the past few days, we have received and read reports that several Tor relays have been seized by government officials.” We do not know why the systems were seized, nor do we know anything about the investigative methods that were used,” the post said.
The main assumptions made by law enforcement authorities regarding the possible attack scenarios implemented by these authorities are:
- Lack of operational security of hidden services
Exploiting bugs in a web application
Attacks on the Tor network
The members of the Tor project pointed out that the police compromised the anonymity of the location of the servers behind the hidden services due to the failure to meet one of the following conditions:
- The hidden service must be configured correctly.
- The web server should not be vulnerable: that is, it must not be affected by any error and must be properly configured.
- The web application should not have any flaws.
An attacker who is able to exploit a vulnerability in a web server or web application (eg an e-commerce system exposed by an operator to design illegal products) could easily hack a targeted hidden service.
Restoring, to deanonymize Tor users, it is possible to compromise a misconfigured server or the web application it exposes, and there is no need to seek out and exploit an alleged vulnerability in Tor’s architecture.
By exploiting a vulnerability in a third-party application used by a dark market, it is possible to install a backdoor on a server that reveals its location and the identity of its operators.
Another option for law enforcement is to infect the machine of one of the alleged administrators with spyware. The computer could be located through routine investigation.
Also Read:Contemporary UEFI Bootkits by Blackhat Pakistan 2023
Traffic analysis attack based on NetFlow
Exactly one week after Operation Onymous was revealed, a group of researchers presented the results of a study conducted between 2008 and 2014 on the deanonymization of Tor users. Researchers have analyzed the possibility of identifying Tor users and revealing their original IP addresses; they claimed to have achieved 100% “detection” success under laboratory conditions. A group led by Professor Sambuddho Chakravarty, now researching network anonymity and privacy at the Indraprastha Institute of Information Technology in Delhi, has published several papers on the subject in the past few years.
A study revealed that more than 81 percent of Tor clients can be de-anonymized using NetFlow technology designed by Cisco for its network devices.
NetFlow was implemented by the IT giant in its routers to implement a tool to collect IP network traffic as it enters or exits the interface. It is a valuable tool for analyzing the network traffic managed by the router and identifying the causes of congestion. The protocol is widespread and many experts consider it a de facto standard. In fact, it runs standard on hardware from many other networking manufacturers.
The technique proposed by Chakravarty and his team implements active traffic analysis based on the introduction of specific server-side traffic failures. Researchers are able to de-anonymize Tor users by evaluating the effect of a similar client-side failure through statistical correlation.
In a previous study, Chakravarty demonstrated that an attacker can monitor a significant percentage of network paths from Tor nodes to target servers by accessing multiple Internet exchange points. Controlling multiple Internet exchange points allows tracing a significant percentage of network paths from Tor nodes to target servers. This means that a strong and persistent attacker can perform traffic analysis attacks by observing similar traffic patterns at different points in the network.
A recent study conducted by a team of researchers revealed how to launch an effective traffic analysis attack with less traffic monitoring capabilities, such as Cisco NetFlow, and launch a large-scale traffic analysis attack.
In fact, previous research has indicated significant efforts to de-anonymize users on a large scale. Experts believe that previous techniques required an effort sustainable only on the part of a government or intelligence agency. The researcher explained that a single AS (autonomous system) could monitor more than 39 percent of randomly generated Tor circuits.
The traffic analysis attack developed in the latest study does not require the enormous infrastructure effort of previous techniques, but uses one or more high-bandwidth and high-performance Tor relays. For their tests, the team used a modified public Tor server, hosted at Columbia University at the time, running on Linux.
A group of experts simulated the Internet activity of a typical Tor user: they injected a repeating pattern of traffic (ie, HTML files) into the TCP connections they saw originating from the target exit node, and then analyzed the traffic at the exit node as derived from router flow logs to improved client identification.
In the first phase, scientists conducted specific tests in a laboratory environment with surprising results. In the second phase, the team started live sessions using real Tor traffic. The team analyzed traffic obtained from its public Tor relay, which simultaneously served hundreds of Tor circuits.
The targeted victims were located at three different locations in Planetlab, a global research network that supports the development of new network services. The selected locations were Texas (USA), Leuven (Belgium) and Corfu (Greece).
The victim’s clients downloaded a large file from the server that intentionally disrupted the traffic of the incoming TCP connection, intentionally injecting a traffic pattern into the stream between the server and the exit node.
“The process was terminated after a short while, and we calculated the correlation between the bytes transferred between the server and the recently terminated connection from the exit node to the entry node and the number of clients that used it during that interval,” the paper states. .
The test sessions were organized in two phases based on the source of the analyzed data: the first session to evaluate the efficiency in obtaining data from open source NetFlow packets and the second part based on sparse data obtained from an institutional Cisco router accessed by a group of researchers.
“We present an active traffic analysis method based on the intentional disruption of user traffic characteristics on the server side and observing a similar disruption on the client side through statistical correlation. We evaluate the accuracy of our method using both laboratory testing and data collected from a public Tor relay serving hundreds of users. Our method detected the true sources of anonymous traffic with 100% accuracy for lab tests and achieved an overall accuracy of about 81.4% for real-world experiments with an average false-positive rate of 6.4,” the paper said.
The method developed by the researchers achieved excellent results: the researchers were able to de-anonymize traffic with 100% accuracy using laboratory tests and achieved an accuracy of about 81 percent in live sessions.
Many experts speculate that the recent Onymous operation, which enabled the takeover of several dark markets, may have used a traffic analysis attack against the Tor network to identify black market operators.
Deanonymize Tor users from their Bitcoin transactions
While most Bitcoin users consider Bitcoin to be one of the safest online payment systems without being tracked by law enforcement, members of the Tor Project have warned of the possibility that the recent Onymous operation misused Bitcoin to identify operators behind seized black markets. .
In fact, it is possible to de-anonymize clients in the Bitcoin P2P network, as demonstrated by a team of researchers working at the University of Luxembourg.
Researchers Alex Biryukov, Dmitrij Khovratovich, and Ivan Pustogarov published a paper titled “Deanonymizing Clients in the Bitcoin P2P Network” to explain how to exploit a built-in flaw in Bitcoin’s architecture to reveal the IP address of a client making a payment. with virtual currency.
The attack consists of generating a “false message” that pretends to have been sent by a user via the Bitcoin peer-to-peer network. These malformed messages cause the penalty score of the IP address to increase, and if the fake messages exceed 100, the IP may be banned for 24 hours.
The mechanism is implemented as DoS protection and could be exploited to separate Tor from Bitcoin.
Attackers force Bitcoin servers to refuse connections through Tor and other anonymous services. This results in clients using their real IP addresses when connecting to other peers and thus exposed to the main phase of the attack, which correlates pseudonyms with IP addresses. At this point, every time a user’s client connects to a Bitcoin server, their address will be exposed.
Continuing, if a bitcoin client uses its connection through a Tor relay and sends malformed messages, the IP address of that relay will be blocked after a certain number of messages and the bitcoin client will continue to work with its original IP address.
This technique makes it possible to isolate any target client from the entire Tor network if an attacker is able to force the separation of Bitcoin clients from the entire Tor network by sending false messages to each Tor server.
“At the time of writing, there are 1,008 Tor exit nodes.” So the attack requires creating 1008 connections and sending several MB of data. This can be repeated for all Bitcoin servers, banning all Tor connections for 24 hours at the cost of a million connections and less than 1 GByte of traffic. In case the IP address of a particular Bitcoin node can be spoofed, it can also be banned,” the paper said.
“Once a hacker knows this address, they can trick the Bitcoin server into revealing the user’s IP address,” the post states.
The researchers described their technique with the following statements:
“The key idea behind our attack is to identify each client by the octet of outgoing connections it makes. This octet of bitcoin peers [input nodes] serves as a unique client identifier for the duration of a user session and will differentiate even those users who share the same NAT IP address.
“Once an attacker receives a transaction from just two to three entry nodes, he can link the transaction to a specific client with a very high probability.”
The researchers explained in the paper that anonymity in the Bitcoin virtual currency scheme is weak. Many features could be exploited to launch a cyber attack on a cryptocurrency and reveal the user’s identity.
Using Tor could increase the level of anonymity, but a hacker can always track users from their bitcoin payments.
“We show that using Tor does not preclude an attack, as Tor connections can be disabled for the entire network. It shows that the level of network anonymity provided by Bitcoin is quite low. Several features of the Bitcoin protocol allow the attack. In particular, we emphasize that a stable set of only eight input nodes is too small because most of the connections of these nodes can be intercepted by an attacker,” the paper states.
Another problem with Bitcoin’s anonymity is that the virtual currency’s lack of a robust authentication system makes it easy for an attacker to trick nodes into blocking IP addresses of seemingly malfunctioning connections.
“We found that very short messages can cause a daily IP ban, which can be used to isolate a given node or an entire network from anonymous services such as proxies or Tor. If the Bitcoin community wishes to use Tor, this part of the protocol needs to be re-evaluated.”
Experts at the Tor Project speculated that a similar technique may have been used by law enforcement in the recent Onymous operation against black markets on the Tor network, allowing authorities to pursue their operators.
Mary-Ann Russon in the International Business Times reports that, researchers explained, a hacker could de-anonymize a Bitcoin user from their transactions through Tor for €1,500.
Not just deanonymization… sequestration of directory authorities
So far we’ve discussed the ability to expose the IP addresses of Tor users, but there’s also the ability to compromise the entire architecture, targeting critical components such as directory authorities.
The Tor network relies on nine directory authorities located in Europe and the United States, which provide a signed list of all Tor network transmissions. Experts from the Tor Project emphasized that an attack on these servers could “incapacitate” the entire Tor architecture.
“The Tor Project has identified that in the next few days there may be an attempt to disable our network by seizing specialized servers on the network called directory authorities,” Tor Project Lead Roger Dingledine explained in a blog post.
“We are now taking steps to ensure the safety of our users and our system is already built to be redundant so that users remain anonymous even if the network is compromised. Tor remains safe to use… We hope this attack does not happen; Tor is used by many good people.”
Seizing directory authorities might have the primary goal of sabotaging the entire Tor network, but would not be effective in revealing the identities of its users. By seizing at least five directory authorities belonging to the Tor network, an attacker could force Tor clients to connect additional relays.
This kind of attack can only be performed by a player interested in dismantling the Tor network. Experts speculate that law enforcement could conduct undercover operations that would block infrastructure and thwart criminal crews that use the anonymization system.
This can be a serious problem. Remember that the Tor network provides a safe network from surveillance and censorship for millions of people living under repressive regimes.
“Every person has the right to privacy. This right is the foundation of a democratic society.”
- Hacking Tor online anonymity
- Tor traffic analysis
- Law enforcement operation onymous
- Possible upcoming attempts disable Tor network
- Tor traffic analysis – Security affairs
- Operation onymous vs dark markets
- Techreport Columbia
- Bitcoin anonymity
- bitcoin anonymity there’s way hackers find out your IP address