
Hacking Tor and Online Anonymity 2023

In this article we will learn about Hacking Tor and Online Anonymity.

What is Hacking Tor and Online Anonymity?

Tor stands for “The Onion Router”, a system built to provide online anonymity. The Tor client routes Internet traffic through a worldwide network of volunteer-run servers so that no single observer, whether a government or another adversary, can link a user to the sites that user visits.

The Tor project was born in the military sector, sponsored by the US Naval Research Laboratory and supported by the Electronic Frontier Foundation between 2004 and 2005. Today, the software is developed and maintained by the Tor Project Team.

The layered encryption used by the Tor network is what protects users’ privacy: the client encrypts its traffic once for each node on the path, and the traffic passes through several such nodes, known as Tor relays, each of which removes one layer and learns only the previous and the next hop.
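To make the layering concrete, here is a small added example (not code from the original article or from the Tor Project) of how per-hop encryption confines what each relay learns. It assumes three relays named guard, middle and exit, a destination string and a payload that are all constructed here, and per-hop keys derived from a fixed label in place of the keys Tor negotiates in a handshake; the stream cipher is a toy SHA-256 keystream, not Tor’s AES-CTR.

```python
import hashlib
import json
import os

HOPS = ["guard", "middle", "exit"]
# Constructed per-hop keys. A real Tor client negotiates a separate key with each relay
# in a handshake; a fixed label is used here only so the demo is reproducible.
KEYS = {hop: hashlib.sha256(b"demo-circuit-key:" + hop.encode()).digest() for hop in HOPS}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Not Tor's cipher (Tor uses AES-CTR per hop); it only provides the one property the
    demo needs: without the hop's key the layer is opaque. XOR makes it its own inverse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one onion layer: encrypt (next_hop, inner) under this hop's key."""
    nonce = os.urandom(8)
    plain = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    return nonce + keystream_xor(key, nonce, plain)


def peel(key: bytes, blob: bytes):
    """Remove one layer. With the wrong key the result is noise and decoding fails."""
    nonce, body = blob[:8], blob[8:]
    layer = json.loads(keystream_xor(key, nonce, body).decode("utf-8"))
    return layer["next"], bytes.fromhex(layer["inner"])


def can_peel(key: bytes, blob: bytes) -> bool:
    try:
        peel(key, blob)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def build_onion(keys: dict, path: list, destination: str, payload: bytes) -> bytes:
    """Client side: wrap from the exit inward so the guard's layer ends up outermost."""
    blob, next_hop = payload, destination
    for hop in reversed(path):
        blob = wrap(keys[hop], next_hop, blob)
        next_hop = hop
    return blob


def route(keys: dict, path: list, onion: bytes, client: str = "client-ip"):
    """Relay side: each hop peels its own layer and records everything it can learn,
    which is just the previous hop, the next hop and an opaque blob to forward."""
    observations, blob, prev = [], onion, client
    for hop in path:
        next_hop, blob = peel(keys[hop], blob)
        observations.append({"relay": hop, "from": prev, "to": next_hop, "forwards": blob})
        prev = hop
    # The exit holds the plaintext and forwards it to the real destination: this is why
    # exit relays can read (and tamper with) anything that is not protected end to end.
    return observations


def demo():
    destination = "example.com:80"                             # constructed
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"    # constructed
    onion = build_onion(KEYS, HOPS, destination, payload)
    return onion, route(KEYS, HOPS, onion), destination, payload


if __name__ == "__main__":
    _, obs, _, _ = demo()
    for o in obs:
        print(f"{o['relay']:6s} sees {o['from']} -> {o['to']}, forwards {len(o['forwards'])} bytes")
```

Running it shows the guard seeing only “client-ip -> middle”, the middle only “guard -> exit”, and the exit the destination plus the plaintext request, which is exactly the exposure the exit-relay study later in this article is about.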

Law enforcement and intelligence agencies around the world are investing heavily in trying to defeat the protection Tor offers, and many governments are trying to penetrate the network and de-anonymize its users. The Tor network is widely used by digital activists and by individuals in countries such as China, Syria, Bahrain and Iran to evade government-run Internet censorship. According to Tor Metrics, about 2.5 million people worldwide connect directly to the anonymization network.

Figure – Users directly connected to Tor network

This post provides an overview of recent developments regarding Tor and attacks on its infrastructure, with specific reference to major initiatives undertaken by governments to de-anonymize Tor users.

Governments vs. Tor

Governments are making great efforts to improve monitoring capabilities. Tor and other anonymization networks present a barrier to Internet surveillance. Governments say technologies like Tor are misused by cybercriminals and terrorists and are a potential source of threats, but online privacy and free speech organizations say intelligence agencies are trying to expand their monitoring capabilities over anonymizing networks.

The Russian government wants to break Tor

Intelligence agencies have declared war on the anonymization network. Edward Snowden revealed months ago that US intelligence was concerned about possible misuse of the Tor network and had invested in compromising it. The Russian government is also actively working to attempt to crack Tor’s encryption and de-anonymize its users. The Ministry of Internal Affairs of the Russian Federation (MVD) recently launched an initiative “to study the possibilities of obtaining technical information about users (user equipment) of the anonymous Tor network.”

The Russian government has announced a tender to recruit companies and organizations interested in developing technology to track users and their activities within the Tor network. Authorities are offering nearly 4 million rubles, about $111,000, to develop technology to decrypt data sent over Tor and identify Tor users. The tender, titled “Do Research, Code ‘TOR’ (Navy),” was published on July 11 on the official procurement website.

Figure – Competition promoted by the Ministry of the Interior of the Russian Federation (MVD)

Officially, the Kremlin supports such projects “in order to ensure the country’s defense and security”. Russian intelligence fears that anonymizing networks could be used by terrorists and foreign intelligence services to conspire against the government in Moscow. A few days ago I asked a colleague to help me translate the original tender; the spelling “TOP” that appears in the document is simply the Cyrillic “ТОР” rendered in Latin letters, so the tender is indeed about Tor. The term “Scientific Production Association” (Научно-производственное объединение) is a Soviet/Russian cover term for a military or KGB/FSB R&D outlet; the one in question belongs to the Interior Ministry, which is in charge of the police and the penitentiary system.

The tender requires an active security clearance specifically for lawful interception (LI) work (though I wonder whether “lawful” is applicable in Russia at all) as well as a general high-level security clearance.

Every company that desires to participate in the initiative has to pay a 195,000 ruble (about $5,555) application fee.

Who is spying on Tor network exit nodes from Russia?

Researchers Philipp Winter and Stefan Lindskog of Karlstad University in Sweden presented the results of a four-month study in which they tested Tor exit relays for sneaky behavior. They noticed that an unspecified Russian entity was eavesdropping on nodes at the edge of the Tor network.

Their investigation rests on the fact that exit relays are in a position to snoop on and tamper with the traffic they decrypt. The researchers developed a methodology to expose malicious exit relays and document their actions, using a custom tool they describe as a “fast and modular exit relay scanner”, and found that the entity appeared to be particularly interested in users’ Facebook traffic.

They designed several scanning modules for detecting common attacks and used them to probe all exit relays.

“We are able to detect and thwart many man-in-the-middle attacks which makes the network safer for its users,” they reported in their paper.

Winter and Lindskog identified 25 nodes that tampered with web traffic, decrypted it, or censored websites. Of these, 19 performed man-in-the-middle attacks on users, decrypting and re-encrypting traffic on the fly.

Figure – Tor network infiltrated by malicious nodes

Tor anonymizes users’ web browsing, under specific conditions, by bouncing encrypted traffic through a series of nodes before it reaches the website through one of more than 1,000 “exit nodes.”

The study is based on two fundamental considerations:

  • Users’ traffic is vulnerable at the exit nodes: whatever is not protected end to end (for example by TLS) leaves the exit in the clear, so a malicious exit operator can eavesdrop on it. A well-known example is the report that WikiLeaks was initially seeded with documents captured by eavesdropping on Chinese hackers through a bugged exit node.
  • Tor relays are run by volunteers, who can set up and take down their servers whenever they want.

In the 19 man-in-the-middle cases the attackers used a bogus digital certificate to access the traffic content. In the remaining six cases the impairment turned out to be due to configuration mistakes or ISP issues.

The study revealed that the nodes used to tamper the traffic were configured to intercept only data streams for specific websites, including Facebook, probably to avoid detection of their activity.


The researchers also probed for passive eavesdropping on unencrypted web traffic at the exit nodes. By checking the digital certificates served over Tor connections against the certificates served in direct “clear-web” sessions, they discovered a number of exit nodes located in Russia that were being used to perform man-in-the-middle attacks.

The attackers controlling the Russian nodes intercepted the traffic and re-encrypted it with their own self-signed certificate, issued to the made-up entity “Main Authority.”

It is difficult to attribute responsibility for these attacks. The researchers speculated that they are part of a sophisticated operation to de-anonymize Tor users. They also noticed that when they blacklisted the “Main Authority” nodes, new ones using the same certificate would be set up by the same entity.

The experts rule out a government agency because the technique is too noisy; they suspect that a group of isolated individuals is responsible. The noisiest choice the attackers made was the use of self-signed certificates, which trigger a browser warning for Tor users who visit a site intercepted by the man-in-the-middle.

“It was actually done pretty stupidly,” says Winter.

The National Security Agency wants to overwhelm Tor Anonymity

American whistleblower Edward Snowden released a collection of classified NSA slides titled ‘Tor Stinks’, which explain how the agency developed the ability to de-anonymize a small fraction of Tor users through manual analysis. Tor Stinks is not an architecture for large-scale surveillance, but it allows US agents to track specific individuals as they use the Tor network. “We will never be able to de-anonymize all Tor users all the time, [but] with manual analysis we can de-anonymize a very small fraction of Tor users,” the leaked slides state.

In reality the intelligence agency is doing much more, trying to compromise the entire Tor network and degrading the user experience to dissuade people from using it.

Figure – NSA Tor Stinks Project to overwhelm Tor Anonymity

The NSA pursues this goal in several ways. Its strategy rests on two principles: run malicious Tor nodes to infiltrate the network, and exploit unknown flaws in every part of the anonymization architecture, both client-side and server-side.

The slides leaked by Snowden about the Tor Stinks project show that the NSA conducts the following operations:

  • Infiltrate the Tor network with its own Tor nodes. Both the NSA and GCHQ operate Tor nodes in order to trace traffic back to a specific user. The method relies on reconstructing the circuit from knowledge of the entry, middle and exit nodes between the user and the target site.
  • Exploit a zero-day vulnerability in the Firefox browser bundled with Tor. A browser exploit reveals the user’s real IP address; this is the technique with which the FBI identified users of Freedom Hosting and arrested its owner, who was accused of facilitating child pornography (see below).
  • Use web cookies to track Tor users on a large scale. This technique also works against the Tor Browser. Cookies are normally used to analyze how users behave on a site; here the intelligence agency owned or controlled a number of websites that were able to read cookies previously saved by the browser on the victim’s computer, and through them collected user data, including the IP address. Of course, advanced users can avoid this type of tracking in a number of ways, such as using a dedicated browser exclusively for Tor, using only the official pre-configured Tor package, or properly managing the cookies stored on their computer; unfortunately, the tracking has proven effective against a large number of individuals. I always recommend using a virtual machine with a live OS to protect your Tor anonymity: that way cache and cookies are lost when you turn off the computer. Documents leaked by Snowden show that the NSA uses online advertising, i.e. Google Ads, to draw Tor users to the sites it controls.
  • German public broadcaster ARD recently published a report on the use of the XKeyscore platform to compromise Tor anonymity. According to the report, two Tor Directory Authority servers located in Germany were targeted by US intelligence. The broadcaster also published source code from XKeyscore, although ARD gave no information on its origin or how it had been obtained.

XKeyscore provides the “broadest” collection of online data, analyzing email content, social media activity and browsing history. In 2013, The Guardian published an exclusive report on this NSA surveillance program, which included several NSA training slides from the secret program.

Facebook chats and private messages become accessible to intelligence analysts simply by entering a Facebook username and a time period. XKeyscore provides the tools for the analysis, which is carried out without any prior legal authorization or warrant.

“The National Security Agency’s top-secret program allows analysts to search without prior authorization vast databases containing the emails, online chats and browsing history of millions of individuals, according to documents provided by whistleblower Edward Snowden. The NSA boasts in training materials that a program called XKeyscore is its ‘most extensive’ system for developing intelligence from the Internet.”

The source code released by ARD shows that the NSA tracks people believed to live outside the US who request information about Tor bridges via email, or who search for or download Tor or the Tails live operating system; the NSA was able to record their IP addresses. The XKeyscore rules analyzed by the experts include the IP addresses of the targeted Tor Directory Authorities, which are part of the backbone of the Tor network, and these rules are updated hourly with information on new Tor relays.

The report also explains that its authors, including the well-known expert Jacob Appelbaum, were themselves targeted by XKeyscore.

“Their research into this story is completely independent of the Tor Project and in no way reflects the views of the Tor Project… The investigation further revealed that another computer system operated by Jacob Appelbaum for his volunteer work helping to run part of the Tor network was targeted by the NSA. Additionally, all members of this team are Tor users and appear to have been targeted by the mass surveillance described in the investigation,” ARD said.

Going deeper into the source code, it is possible to verify that the NSA also targets users of the anonymous remailer Mixminion.

/**
 * Placeholder fingerprint for Tor hidden service addresses.
 * Real fingerprints will be fired by the plugins
 *   'anonymizer/tor/plugin/onion/*'
 */
fingerprint('anonymizer/tor/hiddenservice/address') = nil;

appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
        http_host('mixminion') or

Law enforcement agencies, Tor Network and cybercrime

De-anonymizing Tor users is also a goal for law enforcement agencies, which need to track users in order to identify and prevent illegal activities. The FBI revealed last year that Bureau experts had compromised Freedom Hosting during a child pornography investigation. Freedom Hosting was probably the most popular hosting provider for Tor hidden services. The FBI deployed a malicious script that exploited a Firefox zero-day to identify some users of the anonymous Tor network.

FBI Special Agent Brooke Donahue revealed in an Irish court that the FBI had taken control of Freedom Hosting to investigate child pornography activities. US law enforcement considered Freedom Hosting the largest provider of child pornography on the planet.

For its operation the FBI used a Firefox zero-day (MFSA 2013-53) affecting Firefox 17, later confirmed by Mozilla, which allowed it to track Tor users: the exploit abused a flaw in the Tor Browser to implant a tracking cookie that fingerprinted suspects through a specific external server.

“Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.”

The exploit is written in JavaScript and carries a small Windows payload hidden in a variable called “Magneto”. The Magneto code looks up the victim’s Windows hostname and MAC address and sends them back to the FBI’s server in Virginia; because it does so with a standard HTTP request that bypasses the Tor network, the request itself reveals the victim’s real IP address.

Figure – Magneto script used by FBI
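The Magneto callback worked because the browser let a plain socket connection skip the SOCKS proxy. The following added example (not the FBI’s code and not Tor Browser’s) shows the fail-closed policy that defeats that class of callback: any TCP connect that is not to the configured SOCKS proxy, and any local DNS lookup of a hostname, is refused before a packet leaves the machine. The proxy endpoint is a local listener constructed for the demo, and the collector address 192.0.2.10 and hostname collector.example are placeholders.

```python
import ipaddress
import socket
import threading


class ProxyBypass(RuntimeError):
    """Raised when code tries to reach the network without going through the proxy."""


class FailClosedSocketPolicy:
    """Process-wide policy: TCP connects are allowed only to the configured SOCKS proxy,
    and hostnames are never resolved locally (a local DNS query leaks the destination to
    the ISP even when the TCP stream itself would be proxied)."""

    def __init__(self, proxy_host: str, proxy_port: int):
        self.proxy = (proxy_host, proxy_port)
        self.blocked = []                       # audit trail of attempted bypasses
        self._orig_connect = socket.socket.connect
        self._orig_getaddrinfo = socket.getaddrinfo

    def install(self):
        policy = self

        def guarded_connect(sock, address):
            if not isinstance(address, tuple) or tuple(address[:2]) != policy.proxy:
                policy.blocked.append(("connect", address))
                raise ProxyBypass(f"direct connect to {address!r} refused; only {policy.proxy} is allowed")
            return policy._orig_connect(sock, address)

        def guarded_getaddrinfo(host, port, *args, **kwargs):
            if host is not None:
                try:
                    ipaddress.ip_address(host)  # numeric literal: no DNS query involved
                except ValueError:
                    policy.blocked.append(("dns", host))
                    raise ProxyBypass(f"local DNS lookup of {host!r} refused; resolve through the proxy")
            return policy._orig_getaddrinfo(host, port, *args, **kwargs)

        socket.socket.connect = guarded_connect
        socket.getaddrinfo = guarded_getaddrinfo

    def uninstall(self):
        socket.socket.connect = self._orig_connect
        socket.getaddrinfo = self._orig_getaddrinfo


def local_listener():
    """Constructed stand-in for the SOCKS proxy endpoint: accepts one connection and
    records what it received. Returns (address, result dict, done event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result, done = {}, threading.Event()

    def serve():
        conn, _ = srv.accept()
        with conn:
            result["data"] = conn.recv(4096)
        srv.close()
        done.set()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname(), result, done


def demo():
    proxy_addr, received, done = local_listener()
    policy = FailClosedSocketPolicy(*proxy_addr)
    outcome = {}
    policy.install()
    try:
        # 1. The payload's callback: a plain HTTP connection straight to the collector.
        try:
            socket.create_connection(("192.0.2.10", 80), timeout=1)  # constructed TEST-NET address
            outcome["direct_blocked"] = False
        except ProxyBypass:
            outcome["direct_blocked"] = True
        # 2. The same callback by name: the DNS query alone would expose the victim.
        try:
            socket.getaddrinfo("collector.example", 80)              # constructed placeholder name
            outcome["dns_blocked"] = False
        except ProxyBypass:
            outcome["dns_blocked"] = True
        # 3. Traffic to the proxy is allowed; in real life the proxy carries it into Tor.
        with socket.create_connection(proxy_addr, timeout=2) as s:
            s.sendall(b"hello via socks")
        done.wait(2)
    finally:
        policy.uninstall()
    outcome["via_proxy_received"] = received.get("data")
    outcome["blocked"] = list(policy.blocked)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The policy is deliberately coarse: it hooks the two calls an exploit payload running inside the browser process would have to make, and logs every refusal so a defender can see that a callback was attempted even though nothing reached the collector.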

The investigation led to the identification and arrest of Eric Eoin Marques, the 28-year-old Irish owner and operator of Freedom Hosting.

Freedom Hosting hosted hundreds of websites, many of which were used for illegal activities under the cover of the anonymity provided by the Tor network. Tor is also used by cybercriminals for activities such as money laundering, child porn exchange, hacking services, and drug and weapon sales.

Freedom Hosting offered hosting to criminal gangs that were moving their business to the Deep Web; among the hundreds of sites it hosted were hacking forums such as HackBB.

Donahue revealed that Freedom Hosting hosted at least 100 child pornography sites that provided illegal content to thousands of users, and claimed that Marques visited some of the sites himself.

Eric Eoin Marques knew he was being watched, and he apparently sent his earnings to his girlfriend in Romania. When the FBI analyzed Marques’ seized computer, it found that he had inquired about obtaining a visa for Russia and about residency and citizenship in that country.

Marques had also been looking for a US passport template and a US passport hologram. He was probably planning to flee.

Court documents and FBI files released under FOIA describe CIPAV (Computer and Internet Protocol Address Verifier) as software that the FBI can deliver through a browser to collect information from a suspect’s machine and send it to the Bureau’s server in Virginia.

The case confirms that the Tor network provides an additional layer of obfuscation, but it must be clear that it does not provide bulletproof anonymity. Many researchers have shown that users can be de-anonymized by exploiting a bug in the protocol itself or in one of the many applications involved, such as web browsers and live distributions.

Break the anonymity of the Tor network with just $3,000

It is commonly assumed that de-anonymizing the Tor network requires a large investment of resources and computing power. Many security experts have begun to investigate the possibility that US intelligence agencies and others have found a way to compromise the network.

A few weeks ago, two researchers, Alexander Volynkin and Michael McCord of Carnegie Mellon University’s Software Engineering Institute, revealed that they had been able to de-anonymize Tor users easily. They had announced that they would present the results of their study at Black Hat 2014, but their talk was cancelled a few days ago.

“Unfortunately, Mr. Volynkin will not be able to speak at the conference because the materials he will be speaking about have not yet been approved by the Carnegie Mellon University/Software Engineering Institute for public release,” reads a statement posted on the official event website.

Christopher Soghoian, chief technologist at the American Civil Liberties Union, speculated that the researchers may have feared prosecution for illegally monitoring Tor exit traffic.

“Monitoring traffic at Tor exits is a potential violation of several federal criminal statutes,” he added.

The researchers were preparing a presentation titled “You Don’t Have to Be the NSA to Break Tor: Deanonymizing Users on a Budget”, explaining how to identify Tor users with a budget of only $3,000.

“There is nothing stopping you from using your resources to de-anonymize network users by exploiting fundamental flaws in the design and implementation of Tor. And you don’t need an NSA budget to do it. Looking for a Tor user’s IP address? Not a problem. Trying to reveal the location of a hidden service? Done. We know this because we tested it in the wild… In this talk, we show how the distributed nature, combined with newly discovered flaws in the design and implementation of the Tor network, can be exploited to break Tor’s anonymity,” are the statements used by the two researchers to describe their work.

According to the researchers, it is possible to deanonymize users on a budget. The troubling news is that a persistent adversary like an intelligence agency “with a handful of powerful servers and a few gigabit links can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services in a matter of months.”

The discovery made by the researchers, although never made public, seems to confirm the fact that the popular anonymization network suffers from serious flaws that attackers could exploit to track users.

One of the creators of the Tor Project, Roger Dingledine, when speaking about the discovery announced by the two researchers, admitted that the Tor Project had been “informally” shown some of the material that the two researchers would submit.

“In response to our questions, we were informally shown some materials. We never received the slides or any description of what would be presented in the talk itself beyond what was available on the BlackHat website.

“I think I know what they did and how to fix it. We’ve been trying to find subtle ways to explain that we think we know what they’ve done, but it also sure would have been easier if they’d decided to tell us everything. The main reason for trying to be subtle is that I don’t want to discourage future researchers from telling us about the nice things they find. I am currently waiting for them to respond to their email so I can continue… Based on our current plans, we will release a patch that relays can use that should close the specific bug they found. The bug is a nice bug, but it’s not the end of the world,” he added.

Dingledine’s words confirm that there is a flaw in Tor’s architecture that the two researchers likely exploited, which means that the software may also have been compromised by intelligence agencies in the past.

Ongoing attacks

As discussed in the previous sections, law enforcement, intelligence agencies and individuals are all interested in de-anonymizing Tor users for various purposes. Now it is time to analyze an actual attack and explain the attackers’ modus operandi.

On July 30, members of the Tor Project posted a security advisory on the official website revealing that earlier in the month, on July 4, 2014, they had found and removed a group of relays that were attempting to de-anonymize users. The relays appeared to be targeting people who operate or access Tor hidden services.

“They seem to be targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to perform traffic confirmation attacks.”

“The particular confirmation attack they used was an active attack where a relay at one end injects a signal into the Tor protocol headers and then a relay at the other end reads the signal. These attack relays were stable enough to receive the consensus flags HSDir (“suitable for a hidden service directory”) and Guard (“suitable as an entry guard”). They then inserted the signal whenever they were used as a hidden service directory and looked for the embedded signal whenever they were used as an entry guard.

The technique is simple and effective. A traffic confirmation attack is possible when an attacker controls or monitors relays at both ends of a Tor circuit and compares traffic timing, volume or other characteristics to conclude that the two relays are part of the same circuit, the one routing data from the source to the destination.

The first relay in the circuit (the entry guard) knows the user’s IP address, and the last relay (the exit) knows the destination the user is accessing. Once the two observations are linked, the attacker has de-anonymized the Tor user.
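As an added example (not part of the original article or of any Tor Project code), the following shows what “comparing timing and volume” means in practice: it bins each flow’s bytes over time as seen at the guard and at the exit, correlates the two signals over a small latency window, and pairs client IPs with destinations. The three sessions, the client IPs, the destination names and the latency and jitter figures are all constructed; a real adversary would be working from captured cell counts, but the matching logic is the same.

```python
import math
import random

BIN_MS = 200        # time resolution of the bytes-over-time signal
MAX_LAG_BINS = 6    # guard-to-exit latency window searched (up to 1.2 s here)


def bin_volume(packets, bin_ms=BIN_MS):
    """packets: iterable of (timestamp_ms, size_bytes). Returns bytes seen per time bin."""
    packets = list(packets)
    vol = [0] * (int(max(t for t, _ in packets) // bin_ms) + 1)
    for t, size in packets:
        vol[int(t // bin_ms)] += size
    return vol


def smooth(series, window=3):
    """Sliding-window sum, so a burst that straddles a bin edge still lines up."""
    return [sum(series[i:i + window]) for i in range(len(series))]


def pearson(a, b):
    n = min(len(a), len(b))
    if n < 2:
        return 0.0
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0


def correlation_score(guard_pkts, exit_pkts):
    """Best correlation of the two volume signals over the latency window: the exit sees
    each burst `lag` bins after the guard does, so shift the exit signal back by `lag`."""
    g = smooth(bin_volume(guard_pkts))
    e = smooth(bin_volume(exit_pkts))
    return max(pearson(g, e[lag:]) for lag in range(MAX_LAG_BINS + 1))


def match_circuits(guard_flows, exit_flows):
    """guard_flows: {client_ip: packets}, exit_flows: {destination: packets}.
    Greedy one-to-one assignment by descending score; returns {client_ip: (destination, score)}."""
    scored = sorted(
        ((correlation_score(gp, ep), client, dest)
         for client, gp in guard_flows.items()
         for dest, ep in exit_flows.items()),
        reverse=True)
    mapping, taken = {}, set()
    for score, client, dest in scored:
        if client in mapping or dest in taken:
            continue
        mapping[client] = (dest, round(score, 3))
        taken.add(dest)
    return mapping


def synth_session(rng, n_bursts=50, lag_ms=250.0, jitter_ms=25.0):
    """Constructed traffic: a user's page loads as bursts separated by think time; the exit
    sees the same bursts delayed by path latency plus jitter. Returns (guard_view, exit_view)."""
    guard, exit_, t = [], [], 0.0
    for _ in range(n_bursts):
        t += rng.uniform(200, 1500)
        size = rng.choice([1200, 4500, 15000, 60000])
        guard.append((t, size))
        exit_.append((t + lag_ms + rng.gauss(0, jitter_ms), size))
    return guard, exit_


def run_demo(seed=7):
    """Three independent sessions; the attacker sees client IPs at the guard and destinations
    at the exit and must pair them. Returns (recovered mapping, ground truth)."""
    rng = random.Random(seed)
    truth = {"10.0.0.1": "news.example", "10.0.0.2": "mail.example", "10.0.0.3": "shop.example"}
    guard_flows, exit_flows = {}, {}
    for client, dest in truth.items():
        guard_flows[client], exit_flows[dest] = synth_session(rng)
    return match_circuits(guard_flows, exit_flows), truth


if __name__ == "__main__":
    mapping, truth = run_demo()
    for client, (dest, score) in mapping.items():
        print(f"{client} <-> {dest}  score={score}  {'OK' if truth[client] == dest else 'WRONG'}")
```

Nothing here touches the encryption: the attacker only needs to sit at both ends and count bytes per time slice, which is why the Tor Project describes traffic confirmation as an open research problem rather than a bug to patch.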

In this case the attackers exploited a flaw in the Tor protocol to modify protocol headers: one relay injected a signal into the headers and a relay at the other end of the circuit read it back, so that the two observations could be matched and the user de-anonymized.

115 malicious fast non-exit relays (6.4% of the entire Tor network) were involved in the attack. The attackers monitored relays at both ends of Tor circuits in an attempt to de-anonymize users visiting and running so-called hidden services. The malicious relays joined the Tor network on January 30, 2014 and were removed from the network by Tor Project experts on July 4, 2014.

Members of the Tor project team also advised hidden service operators to change the location of their hidden service.

“While we don’t know when they started the attack, users who ran or accessed hidden services between early February and July 4th should assume they were affected,” Tor said.

When users access the Tor network using the Tor software, their IP address is not visible and appears on the Internet as the IP address of a Tor exit relay, which could be anywhere.

The bad actors running this confirmation attack were looking for users who fetched hidden service descriptors. This means that the attackers were not able to see the pages that users loaded, or even whether users actually visited the hidden service they looked up.

“The attack likely also tried to find out who published the hidden service descriptors, which would allow attackers to discover the location of that hidden service. In theory, the attack could also be used to connect users to their targets on regular Tor circuits, but we found no evidence of attackers operating any exit relays, making this attack less likely. Finally, we do not know how much data the attackers retained, and due to how the attack was deployed (more details below), their protocol header modifications may have helped other attackers de-anonymize users,” the security advisory said.

To address the flaw, the Tor Project advised relay operators to upgrade to the latest Tor release, which contains the fix for the protocol vulnerability the attackers exploited.
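To show why the header trick worked and what the fix checks, here is an added example (not the attackers’ code and not Tor’s). It uses the real Tor link-protocol command values RELAY (3) and RELAY_EARLY (9), a constructed 16-character hidden-service name, and models the rule the fixed releases introduced as the Tor Project described it: RELAY_EARLY is only legitimate in the outbound (client-to-relay) direction, at most 8 per circuit, and a circuit on which one arrives inbound is torn down.

```python
from dataclasses import dataclass

RELAY, RELAY_EARLY = 3, 9   # Tor link-protocol cell command values


@dataclass
class Cell:
    circ_id: int
    command: int
    inbound: bool   # True = travelling toward the client


def encode_signal(secret: bytes, circ_id: int):
    """Attacker side (the HSDir relay): after a client asks it for a hidden-service descriptor,
    it sends the service name back down the circuit one bit per cell, RELAY_EARLY for 1 and
    RELAY for 0. The cell payloads stay encrypted; only the command byte is abused."""
    cells = []
    for byte in secret:
        for i in range(7, -1, -1):
            cells.append(Cell(circ_id, RELAY_EARLY if (byte >> i) & 1 else RELAY, inbound=True))
    return cells


def decode_signal(cells):
    """Attacker side (the guard relay): the command byte is in the clear in every cell header,
    so the guard, which also knows the client's IP address, reads the name back off the wire."""
    bits = [1 if c.command == RELAY_EARLY else 0 for c in cells]
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


class CircuitPolicy:
    """Per-circuit RELAY_EARLY policy: at most MAX_OUTBOUND_RELAY_EARLY in the outbound
    direction (the protocol limit that bounds circuit length) and none inbound (the fix)."""
    MAX_OUTBOUND_RELAY_EARLY = 8

    def __init__(self, enforce_inbound_rule=True):
        self.enforce_inbound_rule = enforce_inbound_rule
        self.outbound_count = {}
        self.closed = set()
        self.events = []

    def forward(self, cell):
        """Return True if the cell is passed on, False if it was dropped (circuit closed)."""
        if cell.circ_id in self.closed:
            return False
        if cell.command == RELAY_EARLY:
            if cell.inbound and self.enforce_inbound_rule:
                return self._close(cell.circ_id, "inbound RELAY_EARLY")
            if not cell.inbound:
                n = self.outbound_count.get(cell.circ_id, 0) + 1
                self.outbound_count[cell.circ_id] = n
                if n > self.MAX_OUTBOUND_RELAY_EARLY:
                    return self._close(cell.circ_id, "too many outbound RELAY_EARLY")
        return True

    def _close(self, circ_id, reason):
        self.closed.add(circ_id)
        self.events.append((circ_id, reason))
        return False


def run_demo():
    onion_name = b"abcdefghijklmnop"   # constructed 16-character hidden-service name
    signal = encode_signal(onion_name, circ_id=42)
    results = {}
    for label, enforce in (("unpatched", False), ("patched", True)):
        policy = CircuitPolicy(enforce_inbound_rule=enforce)
        seen_by_guard = [c for c in signal if policy.forward(c)]
        results[label] = {"leaked": decode_signal(seen_by_guard),
                          "forwarded": len(seen_by_guard),
                          "events": policy.events}
    # The legitimate use still works: up to 8 outbound RELAY_EARLY cells per circuit pass.
    policy = CircuitPolicy()
    outbound = [policy.forward(Cell(7, RELAY_EARLY, inbound=False)) for _ in range(9)]
    results["outbound_allowed"] = outbound.count(True)
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(label, value)
```

With the inbound rule in place the circuit dies on the first 1-bit, so the guard sees at most one cell’s worth of signal; the original protocol limit on outbound RELAY_EARLY cells is untouched, so circuit building still works.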


Law enforcement and intelligence agencies are making great efforts to de-anonymize Tor users and to degrade the Tor user experience so as to discourage the use of anonymizing networks.

Attackers can follow two directions:

  • Try to crack the encryption used to anonymize traffic.
  • Try to exploit flaws in one of the many components present in the anonymization architecture.

As recent attacks on anonymizing software such as the Tails live distribution have shown, the second option is probably the more practical. An unknown bug in any one of these components can allow the whole architecture to be compromised.

Attackers know this and focus their efforts on finding such flaws… but if you are a researcher, remember that every day anonymization networks allow many individuals to evade censorship and monitoring by authoritarian regimes.

