Posts Tagged ‘Tor’

So you thought Tor was bad enough. Check out Tor’s Hidden Web Services.

Monday, July 25th, 2011

Recently and article appeared at NPR titled “Senators Target Internet Narcotics Trafficking Website Silk Road”. I only bothered to hit the link because I saw it mentioned on the website Anit-forensics.com. The short article complained of drugs blatantly sold on the Internet and something needed to be done about it and Congress is going to solve that one for us. Although selling drugs on the Internet is nothing new, the place on the Internet “openly” selling drugs was on the Tor network through the use of Tor’s “Hidden Services” function.  The “Silk Road” is an online market open for the sale of goods and named after the ancient road used to bring goods from the orient to the west.

For the power user of the Tor network Hidden Services is probably nothing new. For the average online investigator though you may have heard of Tor and may have even tried to use it (especially of you read my last article on using Tor in your investigations). But were you aware that webpages can be hidden within the Tor network? Have you ever seen a .onion domain name? if you haven’t then read on.

Hidden services were introduced to the Tor network in 2004. Tor’s Hidden Services are run on a Tor client using special server software. This “Hidden Service” uses a pseudo top-level-domain of “.onion”. Using this domain, the Tor network routes traffic through its network without the use of IP addresses.

To get to these hidden services you must be using the Tor Network and have your browser enable to use Tor.  How do you find sites using the hidden services? Start at the core…

http://eqt5g4fuenphqinx.onion/ 

Welcome to .onion Welcome to .onion

Core.onion according to its hidden services site has been in the network since 2007.

Once in the Core.onion you find a simple directory to start exploring Hidden Services on the Tor network.

TorDir TorDir

TorDir is a directory of Hidden Services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media type sites and marketplaces.

Black Market Black Market

 

In the markets a variety of things are for sale, most look to be illegal though. File sharing also looks to be popular and can be found in several .onion sites.

File Sharing File Sharing

 

To make purchases bitcoin seems to be the most popular virtual currency and is regularly mentioned throughout the .onion sites.

Bitcoin Bitcoin

 

Another good location to start finding out about what Tor’s Hidden Services have to offer is a wiki located at:

http://xqz3u5drneuzhaeo.onion/users/hackbloc/index.php/Mirror/kpvz7ki2v5agwt35.onion/Main_Page

 

Also, if you are an IRC fan Tor hidden services can be used there also. The Freenode website gives the instructions on how to access Freenode IRC servers on Tor’s Hidden Services.

If you are interested in learning more about Tor’s Hidden Services here are a few sites that can get you on your way:

http://www.onion-router.net/Publications/locating-hidden-servers.pdf

http://www.irongeek.com/i.php?page=videos/tor-hidden-services

http://www.torproject.org/docs/tor-hidden-service.html.en

 

Not to make it any worse but if you have not heard Ip2 (another anonymizing network that is becoming increasingly popular) also has its own “eeepsites” similar to the Hidden Services offered in Tor that a user can post content to like a website.

Hidden Services are going to increasingly become a location that will be misused by many. It will also become a place on the Internet that investigators will need to become increasingly familiar with if they are to further their online investigations.

Tor and its use during online investigations

Monday, July 18th, 2011

When investigating crimes on the Internet the investigator needs to consider how much information that he presents to servers and webpages that he may be investigating.  Hiding oneself on the Internet used to be the purview of hackers. However, technology changes and so has the ability to easily implement the same techniques hackers use to hide themselves during your investigations. There are many techniques for eluding identification on the Internet. Proxies have been used for years for this purpose. Proxies act as just that a “Proxy” or a go between. It’s a computer that acts on your behalf and forwards to the server you are looking at any requests you make. The server you are investigating only sees the “Proxy”.

Another significant tool in the “I need to hide on the Internet” world is the venerable tool “Tor”. Tor (The Onion Router) was developed from a concept originally written about by the U.S. Navy. According to the Tor website,  “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”

Using Tor during online investigations is much easier now that it has been in the past. This is due to the increase in most users Internet bandwidth, the constant upgrading and improving of the Tor software and it easy integration into the popular browsers. So how does the investigator implement Tor during his investigations? Well the simplest method is to use the Tor network to hide browsing activity. If you are investigating a webpage or website we know that there is certain information that our browser tells that server or website about who we are and potentially where we are. Our browsers can reveal our IP addresses what kind of browser we are using and its version. We can use Tor to prevent a suspect webpage from identifying us.

Let’s take a look at how to install and implement Tor so we can us it during our investigations. Installation for Tor is pretty starting forward now. Go to the Tor project website and download the current “Vidalia” (like the onion) Windows installer. Click on the executable file and the project installs. The trick to using Tor is setting the proxy setting in your browser to use the Tor network. Your browser normally makes a call out through your Internet Service to servers on the Internet. These servers easily identify who you are by your Internet Protocol (IP) address so they can communicate back with you.  This exposure of your IP address is what can tell the bad guy who you are and possible who where you are in the world. The Tor network in its simplest description strips that information out and only provides the end user with an IP address belonging to the Tor network and not you. Thus you have effectively hidden from the end website you are visiting or target user that you may be communicating with through the Internet (Please note this is an over simplification of the process and exact details of how the Tor network works can be found on the project website).

So once Tor is installed your next actions are to set up your browser to use the Tor network as its proxy (proxy being a server acting as your entry point to the Internet and in this hiding your real IP address). Using Windows Internet Explorer version 8 go to Tools|Internet Options|

Changing Internet Explorer Settings

Changing Settings in Internet Explorer

 The select “Connections” and click on “LAN Settings”.

Image 2 -Tor IE LAN settings

IE LAN Settings

 

IE LAN Settings Address and Port IE LAN Settings Address and Port

In the Local Area Network (LAN) Settings box you need to click on the box “Use a Proxy server for your LAN” in the address box add 127.0.0.1 and add in the Port box 8118. Click OK twice to exit and you are now able to use the Tor network.  You will continue to use the Tor network as your proxy until you uncheck the “Proxy server” box. This will then return you to your normal web access.

The Tor Project has a page you can go to that will verify that you are using the Tor Network or you can go to one of the websites on the Internet that grabs your IP address like http://whatismyipaddress.com/

In the Windows taskbar a little Onion symbol when opened will show you the “Vidalia” Control Panel. The control panel lets you know you are connected to the Tor network  and can change the IP address you are coming from by clicking on the “Use new identify” button.

Tor Control Panel

Control Panel

Once connected click on the setting button in the control panel. For our investigative purposes click on “Run as client only”.  This will ensure that other users of the network are not using your system as a relay server on the network (Tor data would actually be passing through your computer). 

Tor Settings Tor Settings

To see the other computers, and their description, on the Tor system click on the “View the Network” button.

We are no ready to go online and start our investigation without being identified.

Things to note here, the online application being used by the tor network in this configuration is Windows Internet Explorer. If you send an email to the target from your normal email client on your desktop, use another browser, instant messaging, or use P2P software you will potentially expose who you really are by your IP address. To use any other applications through the Tor network you need to set them up to use the Tor proxy settings.

Other things to consider in your Browser set up that need to be turned off.  Turn off running scripts, ActiveX and cookies. Also block pop-ups. But “I can’t access all the good content on the Internet”. Correct you can’t but then the end user can’t identify you either. Each of these features enhance our web surfing experience, but they also require code be downloaded through your browser and run on your machine. This can allow for the code to default to a port it use that is not being redirected to the Tor network, thereby exposing who you are. This may not be important in all the cases you work, but be aware of it. If you lock down your browser and don’t get the content you want you can always relax the controls and go back and look at the site, but at least you are aware then of the risks and make that decision based on the investigation.

Using WebCase with Tor requires just installing Tor as described above. WebCase collects web –based evidence through Internet Explorer even when piped through the Tor Proxy. The collection times will be extended because of the way Tor functions and has nothing to do with WebCase.