Deanonymize Tor Hidden Services
Master in Engineering in Computer Science
Web Security and Privacy
a.y. 2016-17
Prof. Marchetti Spaccamela Alberto
1
About Us
Andrea Bissoli
Fabrizio Farinacci
Andrea Prosseda
Sara Veterini
2
1. What is Tor
3
Tor in a nutshell
The most popular volunteer-based anonymity network, consisting of over 3000 relays.
4
How it works
[figure: Client, Onion Proxy, Server]
5
2. Hidden Services
6
About HS
● Hidden services are websites located inside the Tor network, which receive inbound connections only through Tor.
● They provide server anonymity in addition to the client anonymity Tor provides by default.
● They protect the location of the server hosting the service and provide encryption at every hop from the client to the hidden service.
7
Set up
● The HS chooses some relays as Introduction Points (IPs) that will be used to receive inbound connections from clients, building ordinary Tor circuits to them.
[figure: Server, DB, Client, Onion Proxy]
8
Set up (cont’d)
● The HS creates a hidden service descriptor containing its:
○ public key
○ Introduction Points
signed with its private key.
● It sends the descriptor to a directory (HSDir).
● An onion address xyz.onion, where xyz is the first 80 bits of the (SHA1) hash of the public key, is generated and sent to the HSDir.
9
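The address derivation on this slide, as an added example (not code from the deck or from the Tor project): a v2 address is the first 80 bits of SHA1 over the DER-encoded public key, base32-encoded. The DER bytes below are a constructed stand-in, not a real key.

```python
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
TRUNCATION_BYTES = 10  # 80 bits of the 160-bit SHA1 digest


def onion_address_v2(der_public_key: bytes) -> str:
    """Derive a legacy (v2) onion address from a DER-encoded RSA public key.

    SHA1 is computed over the DER bytes, truncated to 80 bits (10 bytes),
    base32-encoded and lower-cased; 10 bytes give exactly 16 base32 symbols.
    """
    digest = hashlib.sha1(der_public_key).digest()
    label = base64.b32encode(digest[:TRUNCATION_BYTES]).decode("ascii").lower()
    return label + ".onion"


def is_valid_v2_label(label: str) -> bool:
    """A v2 label is 16 characters drawn from the base32 alphabet (a-z, 2-7)."""
    return len(label) == 16 and all(c in B32_ALPHABET for c in label)


# Constructed sample: NOT a real key, just bytes standing in for a DER-encoded
# RSAPublicKey so the derivation can be run offline.
SAMPLE_DER_KEY = bytes(range(0, 140))

if __name__ == "__main__":
    addr = onion_address_v2(SAMPLE_DER_KEY)
    print(addr, is_valid_v2_label(addr[:-len(".onion")]))
```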
Client connection
● The client queries the HSDir with the onion address, obtaining the HS descriptor.
● It chooses a Rendezvous Point (RP), builds a circuit to it and communicates a one-time secret (auth cookie).
10
Client connection (2)
● The client establishes a connection to one of the IPs and sends it an introduce message, signed with the HS public key, containing:
○ the RP address
○ the one-time secret
11
Client connection (3)
● The HS decrypts the message and builds a connection to the RP, providing the one-time secret.
12
Client connection (4)
● The RP verifies the one-time secret and notifies the client of the successful connection.
● Now client and service can communicate through the RP.
13
3. Deanonymization Attacks
14
Types and Goals of Attacks

Active
Type: The adversary injects malicious nodes into the Tor network and eventually obtains control of the HS entry guard, possibly by disabling benign relays.
Goal: Deanonymize the hidden service’s IP through attacker-controlled relays.

Passive
Type: The adversary observes traffic looking for temporal and structural identifying patterns that allow him to discover the relays involved in the communication.
Goal: Deanonymize first the clients involved in HS communications and then the specific HSs targeted by them.

Misconfiguration
Type: The administrator of the HS unintentionally injects identifying information into configuration files and/or hidden service content.
Goal: Deanonymize the owner identity (identity leaks) or the IP address of the hidden server (location leaks).
15
References
● Misconfiguration Attacks
○ “CARONTE: Detecting Location Leaks for Deanonymizing Tor Hidden Services”, Matic, et al., 2015
● Passive Attacks
○ “Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services”, Kwon, et al., 2015
○ “POSTER: Fingerprinting Tor Hidden Services”, Mitseva, et al., 2016
● Active Attacks
○ “Protocol-level Hidden Server Discovery”, Ling et al., 2013
○ “The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network”, Jansen et al., 2014
16
3.1 Active Attacks
17
Goal:
“Deanonymize the hidden service’s IP through attacker-controlled relays”.
18
Protocol Level Attack
The attacker controls a client, a rendezvous point and some other relays of the Tor network. Furthermore, it has a central server where its nodes store relevant events of the connection.
General idea:
Since only the entry nodes of the server know its location (IP address), the attack consists in making repeated connection attempts to the HS until it chooses an entry guard controlled by the attacker.
Desired scenario: [figure]
“Protocol-level Hidden Server Discovery”, Ling et al., 2013
19
Attack phases
● Phase 1
The client keeps creating circuits to the HS until one of the attacker’s entry nodes sees a particular combination of cells.
● Phase 2
The attacker starts a testing phase on that entry node to understand whether it is the actual entry guard of the HS, manipulating a cell at the Rendezvous Point.
● Phase 3
He concludes the test by checking the temporal correlation of the events triggered by his nodes. If the presumably identified entry router was chosen by the hidden server, he can locate the server accordingly.
20
Phase 1
● The client keeps establishing new connections with the HS, recording every kind of cell in the central server.
● It repeats this loop until one of its entry nodes sees the following combination of cells.
However…
This doesn’t imply that our entry node was chosen by THAT particular HS, but just by some HS.
21
Phase 2
● In this phase the attacker wants to be sure its relay has been chosen as the HS entry guard.
● When the client is about to start the conversation with the server, it automatically sends a begin cell.
● The RP, without even decrypting it, modifies 1 bit of the cell so that the server will not understand its content. Note that this works because the integrity check is performed ONLY at the HS.
● This triggers a destroy cell to be sent back to the client to tear down the complete circuit.
● Every attacker relay waits for this cell and, if it arrives, reports it to the central server (including the timestamp).
22
Phase 2 (cont’d)
[figure: Client, HS, Central Server]
23
Phase 3
● The central server checks the following:
○ Both the RP and the entry node trigger a Destroy event.
○ Their timing is consistent: let Tb be the time of the begin cell, Te the time of the destroy cell at the RP and Td the time of the destroy cell at the entry node. If
Tb < Td < Te
the timing of the events is consistent.
● This implies the attacker controls an HS entry guard, so…
he is directly connected with the server
and consequently knows its location.
24
Sniper Attack
It is based on a DoS attack against the Tor relays critical to the HS. The attacker controls just a client and at least one relay (GA).
General idea:
The attacker wants GA to be chosen as HS entry guard in order to identify the server location (as in the previous attack). To do that he first needs to disable ALL the HS entry guards until GA is chosen as one of them.
So he keeps building normal Tor connections to the HS until GA is directly connected to an HS entry guard. At this point the attacker disables it by performing a Sniper Attack. When GA becomes the HS entry guard it knows the HS location.
“The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network”, Jansen et al., 2014
25
Phase 1: Identify guards
● The adversary keeps building Tor circuits to the HS until GA is directly connected to an HS entry guard. For these circuits, the adversary can directly observe the guards’ identities.
● To understand whether he is in this situation, he performs a simple request/response with the server. This makes the RP send a pattern of 50 PADDING cells to the HS followed by a DESTROY cell.
● If GA observes a pattern of 2 cells (used to build the circuit) on a rendezvous circuit FROM a hidden service and 52 cells on the same circuit TO the hidden service (50 + 2 to build the circuit), followed by a DESTROY cell shortly after one is sent by the rendezvous point, it concludes that GA is directly connected to a guard of the HS.
26
Phase 2: Disable guards
● Once the HS’s guards have been identified, the adversary builds custom circuits selecting the targets as circuit entries and uses the Sniper Attack to kill them.
● This is done by repeatedly sending SENDME cells while blocking the reading of packets at node GA.
27
Phase 3: Test for Guard Selection
● By repeating the Sniper attack many times, the attacker eventually makes the HS choose his relay GA as an entry guard.
● To determine whether his guard GA was selected by the HS, he uses techniques very similar to those used to identify guards in Phase 1.
● Since now the attacker controls an HS entry guard…
he is directly connected with the server
and consequently knows its location.
28
3.2 Passive Attacks
29
Goal:
“Deanonymize the clients involved in HS communications and then the specific HSs addressed by them, exploiting circuit and traffic fingerprinting techniques”.
30
Circuit Fingerprinting Attack
General idea:
Since each circuit has unique structural and temporal characteristics, the attacker can look at Tor traffic and classify the observed circuits by those characteristics. Once client-HS circuits are identified, Website Fingerprinting techniques employing traffic characteristics are used to identify the receiving HS, which is thus deanonymized.
The attacker uses traffic fingerprinting techniques to identify Tor circuits, so he can determine the users’ involvement with hidden services.
“Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services”, Kwon, et al., 2015
31
Attack phases
● Phase 1: Circuit Fingerprinting Attack
A client-HS connection employs different circuits: HS-IP, Client-IP, HS-RP and Client-RP. The aim of this phase is to classify these different circuits with fingerprinting techniques.
● Phase 2: Website Fingerprinting (WF) Attack
With the information from Phase 1, the attacker can perform website fingerprinting (WF) attacks to deanonymize hidden service clients and servers.
32
Phase 1: Circuit Fingerprinting Attack
● We can distinguish 4 circuits:
○ HS - Introduction Point
○ Client - Introduction Point
○ Client - Rendezvous Point
○ HS - Rendezvous Point
33
Phase 1: observations
● Streams for different HSs from the same client are not multiplexed in the same circuit (i.e. a separate RP/entry point is used for each).
● General circuits have a different structure from HS circuits (they do not employ an RP and IP) and so different construction patterns, especially compared to client-RP circuits.
● HS-IP circuits are long-lived (they need to stay up to accept incoming connections from clients), unlike client-IP circuits (short-lived) and general circuits (short duration on average).
● Incoming/outgoing cell patterns, useful in identifying:
○ Client-IP circuits (3 out + >3 in) and HS-IP circuits (>3 out = >3 in)
○ HS-RP circuits (out >> in), because they serve content, as opposed to client-RP circuits (in >> out), which send a small request and get content
34
Phase 1: features and algorithms
● From the previous observations, we can derive the features:
○ Duration of activity: the time circuits stay up
○ The number of incoming and outgoing cells
○ Circuit construction sequences toward the RP
● Tree-based and k-NN classifiers are used for circuit classification.
35
Phase 2: Website Fingerprinting Attack
● Hidden service deanonymization through website fingerprinting, using as features:
○ General traffic features such as transmission size and time and the number of incoming and outgoing cells in the transmission
○ Packet ordering, i.e. the location of each outgoing cell
○ Bursts, i.e. the number of consecutive cells of the same type, for both incoming and outgoing traffic
and performing WF in both:
○ open world (i.e. looking at ALL the possible HSs) and
○ closed world (i.e. restricting the list to plausible HSs) settings.
Conclusion:
Through website fingerprinting, the contacted HS is identified.
36
Circuit fingerprinting attack: problem
The Phase 1 observations (streams for different HSs not multiplexed, distinct construction patterns of general vs. HS circuits, long-lived HS-IP circuits, and the incoming/outgoing cell patterns) are…
No longer true!!
POSTER Fingerprinting
● Tries to detect HS communication with circuit fingerprints (FPs): this exploits the fact that an HS connection leaks the information that multiple entry nodes are used.
● FPs are computed from statistics on:
○ the number of entry nodes
○ the chronological sequence of incoming/outgoing cells.
The more fingerprints, the higher the classification capability.
● An SVM-based classifier is trained with a 10-fold cross-validation scheme to detect:
○ Unknown HSs (open world), if all 8 FPs are used
○ Known HSs (closed world), if just one FP is used
with high recall and precision (greater than 95%).
“POSTER: Fingerprinting Tor Hidden Services”, Mitseva, et al., 2016
39
3.3 User misconfiguration Attacks
40
Goal:
“Deanonymize the owner identity (identity leaks) or the IP address of the hidden server (location leaks)”.
41
Caronte
Caronte is an automated tool based on finding location leaks. Its input is the onion address(es) of the hidden service(s) of interest.
General idea:
Leaks are discovered in the content or configuration of a hidden service by finding candidate identities (e.g., phone numbers embedded in a page) or candidate Internet endpoints (e.g., an IP address or DNS domain in an error page). Then, candidates are validated by checking whether the IP and the onion address lead to the same service.
Location leaks: information in the content or configuration of a hidden service that gives away its location. Location leaks are introduced by the hidden service administrators and cannot be centrally fixed by the Tor project.
“CARONTE: Detecting Location Leaks for Deanonymizing Tor Hidden Services”, Matic, et al., 2015
42
Caronte Overview
43
Phase 1: Exploration
● Caronte visits:
○ the root page of the HS
○ all HTML resources in the root page (/xyz)
○ a random resource, to trigger an error page that may leak information placed there by the administrator.
● For each of the previous URLs, Caronte visits and stores the response:
○ both with HTTP and HTTPS (to get its certificate)
○ with two Host header values (the onion address and a random onion address).
A hosting server can host more than one public service besides the hidden one. Requesting a random address may push the server to return the default (public) site, leaking information.
44
Phase 2: Candidate selection
The next step is to extract a list of candidates for each onion URL:
● Internet endpoints
Pages may contain URLs, email and IP addresses. If URLs contain very popular DNS domains (checked against a public list of popular domains), they are discarded; otherwise they are kept.
● Unique strings
These are:
○ Identifiers, i.e. Google Analytics and AdSense IDs, Bitcoin wallets
○ Titles of pages, which are often distinctive
They are looked up in search engines to obtain the Internet sites where they have been observed, to derive their DNS domains and to use them as candidates, if they are not popular.
45
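The candidate-selection step above (Internet endpoints plus unique strings), as an added example; this is not Caronte's own code. The popular-domain list, the two fetched pages, the search index and the onion name are all constructed, and the eTLD+1 helper and the identifier regexes are my own simplifications.

```python
import re
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed stand-in for the public list of popular domains Caronte consults;
# endpoints under these domains are discarded as candidates.
POPULAR_DOMAINS = {"google.com", "facebook.com", "twitter.com", "google-analytics.com"}

URL_HOST_RE = re.compile(r"https?://([^\s/'\"<>]+)", re.I)
# Bare domains: not preceded by '/', a word char, '.' or '-' (so URL paths and
# inner labels are not re-matched as separate domains).
BARE_DOMAIN_RE = re.compile(r"(?<![/\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")             # Google Analytics property id
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy Bitcoin address
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels); an assumption, Caronte uses a proper list."""
    return ".".join(domain.lower().split(".")[-2:])


def extract_endpoints(body: str) -> Set[str]:
    """Internet endpoints in a page: IPv4 addresses and non-popular DNS domains."""
    endpoints: Set[str] = set(IPV4_RE.findall(body))
    domains = (set(URL_HOST_RE.findall(body))
               | set(BARE_DOMAIN_RE.findall(body))
               | set(EMAIL_RE.findall(body)))
    for d in domains:
        d = d.lower().split(":")[0]  # strip an explicit port from URL hosts
        if d.endswith(".onion"):
            continue  # onion names are not Internet endpoints
        if registrable(d) in POPULAR_DOMAINS:
            continue  # too common to identify anything
        endpoints.add(d)
    return endpoints


def extract_unique_strings(body: str) -> Set[str]:
    """Strings distinctive enough to search for: tracker ids, wallets, page titles."""
    strings: Set[str] = set(GA_ID_RE.findall(body)) | set(BTC_RE.findall(body))
    for title in TITLE_RE.findall(body):
        title = " ".join(title.split())
        if title:
            strings.add("title:" + title)
    return strings


def candidate_pairs(onion: str, pages: Dict[str, str],
                    search: Callable[[str], Iterable[str]]) -> Set[Tuple[str, str]]:
    """Build the <onion address, endpoint> candidate set for one hidden service.

    `search` stands in for the search-engine lookup of unique strings: it returns
    the Internet domains where a string has been observed (constructed below).
    """
    pairs: Set[Tuple[str, str]] = set()
    for body in pages.values():
        for endpoint in extract_endpoints(body):
            pairs.add((onion, endpoint))
        for s in extract_unique_strings(body):
            for domain in search(s):
                if registrable(domain) not in POPULAR_DOMAINS:
                    pairs.add((onion, domain.lower()))
    return pairs


# Constructed sample data: a fake onion name, two fetched pages (the root page
# and the random resource that produced an error page) and a fake search index.
SAMPLE_ONION = "exampleonion1234.onion"
SAMPLE_PAGES = {
    "/": (
        "<html><title>Acme Widgets Shop</title>"
        "<script src='https://www.google-analytics.com/ga.js'></script>"
        "<script>ga('create', 'UA-123456-7');</script>"
        "<p>Donate: 1ExampLeAddrForCaronteDemo12345678</p>"
        "<a href='http://exampleonion1234.onion/about'>about</a></html>"
    ),
    "/random-404": (
        "<html><title>404 Not Found</title>"
        "<address>Apache at shop.acme-widgets.example Port 80</address>"
        "<p>contact admin@acme-widgets.example or 203.0.113.10</p></html>"
    ),
}
SEARCH_INDEX = {
    "UA-123456-7": ["acme-widgets.example", "www.google.com"],
    "title:Acme Widgets Shop": ["shop.acme-widgets.example"],
}


def constructed_search(s: str) -> Iterable[str]:
    return SEARCH_INDEX.get(s, [])


if __name__ == "__main__":
    for pair in sorted(candidate_pairs(SAMPLE_ONION, SAMPLE_PAGES, constructed_search)):
        print(pair)
```

The root page yields no endpoint on its own (the analytics host is popular, the onion link is not an Internet endpoint), so the leak comes from the error page and from the tracker id that the search step ties back to the same domain.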
Phase 2: Candidate selection (cont’d)
● HTTPS certificates
Caronte extracts from certificates:
○ the Subject’s Common Name (SCN) and Subject Alternative Name (SAN), which contain IP addresses and/or DNS domains;
○ the SHA1 of the DER-format certificate, then searches it in the SONAR database (which keeps certificates seen on the Internet) to retrieve the IPs that have used it;
○ the public key, then searches SONAR for certificates containing the same key and repeats the process above.
Additionally it searches SONAR for any certificate whose SCN or SAN contains an onion address.
● The output is a set of candidate pairs <onion address, endpoint>.
46
Phase 3: Validation
● For every pair <onion address, endpoint> it checks the similarity between the candidate and one of the hidden service’s pages.
● If the similarity is high, then the candidate is actually a DNS domain or IP address of the hidden service. Default error pages or recurrent ones are excluded from this check.
● Validation is divided into two steps and 7 checks:
○ Server similarity
○ Body similarity
47
Intentional Similarities
Leaks can be intentional.
Example: Facebook wants to make its hidden service public.
How can we check for intentional similarities?
There are three methods:
● The onion address is compared with the endpoint. If their longest common substring has length 4 or more, it means that the onion address was obtained by brute forcing the first 80 bits of the SHA1 in the generation process.
Example: www.facebook.com & facebookcorewwwi.onion
● Check if the endpoint contains the onion address of the HS.
● Check if the titles of HS pages embed the Internet endpoint.
48
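The three intentional-similarity checks from this slide, as an added example rather than Caronte's own code, together with the brute-force intuition behind the first one: a vanity prefix of k base32 characters costs about 32^k key generations on average (my estimate, assuming a uniformly random label). The Acme names are constructed.

```python
from typing import Dict, Iterable


def longest_common_substring(a: str, b: str) -> str:
    """Longest common substring by dynamic programming (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def onion_label(onion: str) -> str:
    """The 16-character label of a v2 address, without the .onion suffix."""
    onion = onion.lower()
    return onion[:-len(".onion")] if onion.endswith(".onion") else onion


def intentional_similarity(onion: str, endpoint: str, titles: Iterable[str]) -> Dict[str, object]:
    """Apply the slide's three checks to one <onion address, endpoint> pair."""
    label = onion_label(onion)
    endpoint = endpoint.lower()
    lcs = longest_common_substring(label, endpoint)
    return {
        "lcs": lcs,
        "vanity_address": len(lcs) >= 4,                  # check 1: brute-forced label
        "endpoint_embeds_onion": label in endpoint,       # check 2
        "title_embeds_endpoint": any(endpoint in t.lower() for t in titles),  # check 3
    }


def is_intentional(onion: str, endpoint: str, titles: Iterable[str]) -> bool:
    """True when any of the three checks fires: the operator published the link."""
    r = intentional_similarity(onion, endpoint, titles)
    return bool(r["vanity_address"] or r["endpoint_embeds_onion"] or r["title_embeds_endpoint"])


def expected_keygen_attempts(prefix_len: int) -> int:
    """Mean number of keys to generate before a chosen base32 prefix appears (32^k)."""
    return 32 ** prefix_len


if __name__ == "__main__":
    print(intentional_similarity("facebookcorewwwi.onion", "www.facebook.com", []))
    print(expected_keygen_attempts(len("facebook")))  # why 4 shared characters is already telling
```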
Thanks!
ANY QUESTIONS?
49
You can find us on LinkedIn:
Andrea Bissoli: https://www.linkedin.com/in/andrea-bissoli-537768116/
Fabrizio Farinacci: https://www.linkedin.com/in/fabrizio-farinacci-496679116/
Andrea Prosseda: https://www.linkedin.com/in/andrea-prosseda-2b8651116/
Sara Veterini: https://www.linkedin.com/in/sara-veterini-667684116/

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 

Recently uploaded (20)

Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 

Deanonymize Tor Hidden Services

• 15. Types and Goals of Attacks
● Active
○ Type: the adversary injects malicious relays into the Tor network and eventually gains control of the HS entry guard, possibly after disabling benign relays.
○ Goal: deanonymize the hidden service's IP address through attacker-controlled relays.
● Passive
○ Type: the adversary observes traffic, looking for temporal and structural identifying patterns that reveal the relays involved in the communication.
○ Goal: deanonymize first the clients involved in HS communications, then the specific HSs those clients contact.
● Misconfiguration
○ Type: the HS administrator unintentionally leaves identifying information in configuration files and/or in the hidden service content.
○ Goal: deanonymize the owner's identity (identity leaks) or the IP address of the hidden server (location leaks).
• 16. References
● Misconfiguration attacks
○ "CARONTE: Detecting Location Leaks for Deanonymizing Tor Hidden Services", Matic et al., 2015
● Passive attacks
○ "Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services", Kwon et al., 2015
○ "POSTER: Fingerprinting Tor Hidden Services", Mitseva et al., 2016
● Active attacks
○ "Protocol-level Hidden Server Discovery", Ling et al., 2013
○ "The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network", Jansen et al., 2014
• 18. Goal: "Deanonymize the hidden service's IP through attacker-controlled relays".
• 19. Protocol-Level Attack ("Protocol-level Hidden Server Discovery", Ling et al., 2013)
The attacker controls a client, a rendezvous point and some other relays of the Tor network. Furthermore, he runs a central server where his relays log the relevant events of each connection.
General idea: only the entry guards of the server know its location (IP address), so the attack consists of repeatedly connecting to the HS until the HS picks an attacker-controlled relay as its entry guard.
Desired scenario: (figure not reproduced).
• 20. Attack phases
● Phase 1: the attacker's client keeps creating circuits to the HS until one of the attacker's entry relays observes a particular combination of cells.
● Phase 2: the attacker tests whether that relay really is the entry guard of the target HS, by manipulating a cell at the rendezvous point.
● Phase 3: he concludes the test by checking the temporal correlation of the events logged by his relays. If the HS did choose the suspected entry relay, the attacker can locate the HS.
• 21. Phase 1
● The client keeps establishing new connections to the HS, and every attacker relay records every cell it sees in the central server.
● The loop repeats until one of the attacker's entry relays sees the combination of cells shown on the slide (figure not reproduced).
● However, this does not imply that the relay was chosen as entry guard by THAT particular HS: it may have been chosen by some other HS. Phase 2 resolves the ambiguity.
• 22. Phase 2
● In this phase the attacker wants to be sure that his relay has been chosen as the HS entry guard.
● When the client is about to start the conversation with the server, it sends a RELAY BEGIN cell.
● The attacker-controlled RP, without decrypting it, flips one bit of that cell, so that the HS cannot interpret its content. This works because the integrity check on relay cells (the digest) is performed ONLY at the end of the circuit, i.e. at the HS.
● The corrupted cell makes the HS tear down the whole circuit with a DESTROY cell, which propagates back towards the client.
● Every attacker relay waits for this DESTROY cell and, if it arrives, reports it (with a timestamp) to the central server.
• 23. Phase 2 (cont'd): sequence diagram between Client, HS and Central Server (figure not reproduced).
• 24. Phase 3
● The central server checks that:
○ both the RP and the entry relay logged a DESTROY event;
○ their timing is consistent. Let Tb be the time of the BEGIN cell at the RP, Te the time of the DESTROY cell at the RP and Td the time of the DESTROY cell at the entry relay. Since the DESTROY originates at the HS and passes through the HS entry guard before reaching the RP, the events are consistent iff Tb < Td < Te.
● A consistent match means the attacker controls the HS entry guard: that guard is directly connected to the server and therefore knows its location.
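The phase-3 correlation described above, as an added example that is not part of the slides or of Ling et al.'s tool: the central server takes the events its relays report and keeps only the attacker relays whose DESTROY falls strictly between the BEGIN and the DESTROY seen at the RP. The event format, relay names and timestamps are constructed for illustration; an entry relay cannot know which connection attempt a DESTROY belongs to, so only the RP-side events carry an attempt id and the matching is done purely on time.

```python
"""Added example (not from the slides or Ling et al.): the phase-3 consistency
check run by the attacker's central server over the events its relays report.
Event format, relay names and timestamps are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: float                        # timestamp (seconds) reported by the attacker's relay
    relay: str                      # reporting relay (attacker-controlled RP or entry relay)
    role: str                       # "rp" or "entry"
    cell: str                       # "begin" (RELAY BEGIN corrupted at the RP) or "destroy"
    attempt: Optional[int] = None   # only the RP side knows the attempt; an entry relay
                                    # just sees a DESTROY on some circuit


def rp_window(events: List[Event], attempt: int) -> Optional[Tuple[float, float]]:
    """(Tb, Te) for one attempt: BEGIN time and DESTROY time at the RP, or None."""
    tb = [e.t for e in events if e.role == "rp" and e.cell == "begin" and e.attempt == attempt]
    te = [e.t for e in events if e.role == "rp" and e.cell == "destroy" and e.attempt == attempt]
    if not tb or not te:
        return None
    return min(tb), min(te)


def entry_destroys_in_window(events: List[Event], relay: str, tb: float, te: float) -> List[float]:
    """DESTROY cells seen by `relay` strictly inside (Tb, Te): the tear-down reached
    it before the RP, as expected for the HS entry guard (Tb < Td < Te)."""
    return [e.t for e in events
            if e.role == "entry" and e.relay == relay and e.cell == "destroy" and tb < e.t < te]


def confirmed_entry_relays(events: List[Event], attempt: int, candidates: List[str]) -> List[str]:
    """Attacker relays whose DESTROY timing is consistent with being the HS entry guard."""
    window = rp_window(events, attempt)
    if window is None:
        return []
    tb, te = window
    return [r for r in candidates if entry_destroys_in_window(events, r, tb, te)]


# Constructed log for one attempt: the RP corrupts BEGIN at 100.000 and sees the
# resulting DESTROY at 100.260; g1 saw a DESTROY in between, g2 before the BEGIN
# (some unrelated circuit) and g3 only after the RP had already torn down.
SAMPLE_LOG = [
    Event(100.000, "rpA", "rp", "begin", attempt=7),
    Event(100.260, "rpA", "rp", "destroy", attempt=7),
    Event(100.180, "g1", "entry", "destroy"),
    Event(99.900, "g2", "entry", "destroy"),
    Event(100.300, "g3", "entry", "destroy"),
]

if __name__ == "__main__":
    print(confirmed_entry_relays(SAMPLE_LOG, 7, ["g1", "g2", "g3"]))  # ['g1']
```

A single DESTROY inside the window is still only a timing coincidence candidate; the obvious way to drive false positives down is to repeat the corrupted-BEGIN test over several attempts and require the same relay to match every time.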
• 25. Sniper Attack ("The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network", Jansen et al., 2014)
It is based on a DoS attack against the Tor relays that are critical to the HS. The attacker controls just a client and at least one relay (GA).
General idea: the attacker wants GA to be chosen as HS entry guard in order to learn the server location (as in the previous attack). To get there, he first has to disable ALL the current HS entry guards until GA is chosen as one of them. He keeps building ordinary Tor connections to the HS until GA is directly connected to an HS entry guard; at that point he disables that guard with the Sniper attack. Once GA becomes an HS entry guard, it learns the HS location.
• 26. Phase 1: Identify guards
● The adversary keeps building Tor circuits to the HS until GA is directly connected to an HS entry guard (i.e. GA is the middle relay of the HS-side circuit). On those circuits the adversary directly observes the guard's identity.
● To recognize this situation, he performs a simple request/response with the server: the RP sends a pattern of 50 PADDING cells to the HS, followed by a DESTROY cell.
● If GA observes on a rendezvous circuit 2 cells (those used to build the circuit) coming FROM a hidden service and 52 cells going TO the hidden service (the 50 PADDING cells plus the 2 circuit-building cells), followed by a DESTROY cell shortly after the one sent by the rendezvous point, it concludes that it is directly connected to a guard of the HS.
• 27. Phase 2: Disable guards
● Once the HS's guards have been identified, the adversary builds custom circuits that use the targeted guards as circuit entries and applies the Sniper attack to kill them.
● The Sniper attack exhausts the target relay's memory: the attacker keeps sending SENDME cells (which keep the flow-control window open, so data keeps being pushed into the circuit) while blocking reads at his own node GA, so that the queued cells pile up in the target relay.
• 28. Phase 3: Test for guard selection
● By repeating the Sniper attack many times, the attacker eventually makes the HS choose his relay GA as an entry guard.
● To determine whether GA has been selected by the HS, he uses techniques very similar to those used to identify guards in phase 1.
● Since the attacker now controls an HS entry guard, that guard is directly connected to the server and therefore knows its location.
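The phase-1 signal of slide 26 (reused by the phase-3 test of slide 28), as an added example that is neither the slides' nor Jansen et al.'s code: a middle relay cannot read relay-cell payloads, so the only things GA has per circuit are the cell counts in each direction and the link-level DESTROY, and the function below matches exactly the 2-from / 52-to / DESTROY shape the slide describes. The traces, the previous-hop fingerprints and the 1-second delay tolerance are constructed or assumed.

```python
"""Added example (not from the slides or Jansen et al.): the phase-1 signal that
the adversary's relay GA looks for on a circuit. A middle relay cannot read relay
cell payloads, so GA only has per-circuit cell counts per direction and the
link-level DESTROY; the traces and timings below are constructed."""
from typing import Dict, List, Tuple

Obs = Tuple[float, str, str]  # (timestamp, direction "to_hs"/"from_hs", kind "relay"/"destroy")

FROM_HS_CELLS = 2   # cells the HS sends to build the rendezvous circuit (slide 26)
TO_HS_CELLS = 52    # 50 PADDING cells plus 2 circuit-building cells (slide 26)


def synth_circuit(n_from_hs: int, n_to_hs: int, destroy_at: float, step: float = 0.01) -> List[Obs]:
    """Constructed per-circuit observation as GA would record it."""
    obs: List[Obs] = [(i * step, "from_hs", "relay") for i in range(n_from_hs)]
    base = n_from_hs * step
    obs += [(base + i * step, "to_hs", "relay") for i in range(n_to_hs)]
    obs.append((destroy_at, "to_hs", "destroy"))   # tear-down travelling towards the HS
    return obs


def matches_sniper_signature(obs: List[Obs], client_destroy_t: float, max_delay: float = 1.0) -> bool:
    """True iff the circuit shows 2 relay cells from the HS, 52 towards it, and a
    DESTROY within `max_delay` seconds after the attacker's own DESTROY (assumed)."""
    n_from = sum(1 for _, d, k in obs if k == "relay" and d == "from_hs")
    n_to = sum(1 for _, d, k in obs if k == "relay" and d == "to_hs")
    destroys = [t for t, _, k in obs if k == "destroy"]
    if n_from != FROM_HS_CELLS or n_to != TO_HS_CELLS or not destroys:
        return False
    return any(client_destroy_t <= t <= client_destroy_t + max_delay for t in destroys)


def guards_seen(circuits: Dict[str, Tuple[List[Obs], float]]) -> List[str]:
    """Previous-hop fingerprints (the guards) of every circuit carrying the probe.
    `circuits` maps previous-hop fingerprint -> (observations, attacker DESTROY time)."""
    return sorted(prev_hop for prev_hop, (obs, t) in circuits.items()
                  if matches_sniper_signature(obs, t))


# Constructed circuits: one carries the probe pattern, one is an ordinary
# rendezvous circuit with a different shape, one has the shape but a stale DESTROY.
CIRCUITS = {
    "guard-fp-AAA": (synth_circuit(2, 52, destroy_at=1.20), 1.00),
    "guard-fp-BBB": (synth_circuit(5, 30, destroy_at=1.20), 1.00),
    "guard-fp-CCC": (synth_circuit(2, 52, destroy_at=9.00), 1.00),
}

if __name__ == "__main__":
    print(guards_seen(CIRCUITS))  # ['guard-fp-AAA']
```

The same matcher serves phase 3: once a guard has been sniped, the attacker repeats the probe and checks whether the circuit now arrives at GA directly from the HS rather than from another guard.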
• 30. Goal: "Deanonymize the clients involved in HS communications and then the specific HSs those clients contact, exploiting circuit and traffic fingerprinting techniques".
• 31. Circuit Fingerprinting Attack ("Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services", Kwon et al., 2015)
General idea: each circuit has distinctive structural and temporal characteristics, so an attacker who can observe the client's Tor traffic (e.g. its entry guard) can classify the circuits he sees by those characteristics. Once client-HS circuits are identified, website fingerprinting techniques based on traffic characteristics identify which HS the client is talking to, which is thereby deanonymized.
The attacker thus uses traffic fingerprinting to identify Tor circuits and determine the user's involvement with hidden services.
• 32. Attack phases
● Phase 1: circuit fingerprinting attack. A client-HS connection uses different circuits: HS-IP, client-IP, HS-RP and client-RP. The aim of this phase is to classify the observed circuits with fingerprinting techniques.
● Phase 2: website fingerprinting (WF) attack. Using the information from phase 1, the attacker performs website fingerprinting to deanonymize the hidden service clients and servers.
• 33. Phase 1: Circuit Fingerprinting Attack
● Four kinds of circuit can be distinguished:
○ HS - Introduction Point
○ Client - Introduction Point
○ Client - Rendezvous Point
○ HS - Rendezvous Point
• 34. Phase 1: observations
● Streams towards different HSs from the same client are not multiplexed on the same circuit (a separate RP/entry point is used for each).
● General circuits have a different structure from HS circuits (they use neither RP nor IP), hence different construction patterns, especially compared with client-RP circuits.
● HS-IP circuits are long-lived (they must stay up to accept incoming client connections), unlike client-IP circuits (short-lived) and general circuits (small average duration).
● Incoming/outgoing cell patterns help to identify:
○ client-IP circuits (3 outgoing cells, more than 3 incoming) and HS-IP circuits (more than 3 outgoing and as many incoming);
○ HS-RP circuits (outgoing >> incoming, since they serve content) versus client-RP circuits (incoming >> outgoing: small requests, large responses).
• 35. Phase 1: features and algorithms
● From the previous observations the following features are derived:
○ duration of activity: how long the circuit stays up;
○ the number of incoming and outgoing cells;
○ the circuit construction sequence towards the RP.
● Tree-based and k-NN classifiers are used for circuit classification.
• 36. Phase 2: Website Fingerprinting Attack
● Hidden service deanonymization through website fingerprinting, using as features:
○ general traffic features: transmission size and time, number of incoming and outgoing cells in the transmission;
○ packet ordering, i.e. the position of each outgoing cell;
○ bursts, i.e. the number of consecutive cells of the same type, for both incoming and outgoing traffic.
● WF is evaluated in both settings:
○ open world (the client may visit ANY HS, including ones outside the attacker's training set);
○ closed world (the candidate list is restricted to a known set of plausible HSs).
Conclusion: through website fingerprinting, the contacted HS is identified.
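The features of slides 35 and 36 computed from a cell trace, as an added example that is not the slides' or Kwon et al.'s code: `circuit_features` and a rule-based `classify_circuit` stand in for the tree/k-NN classifier using the slide 34 observations literally, and `wf_features` produces the size/time/count, packet-ordering and burst features of slide 36. All traces are constructed; the 600 s long-lived cut-off, the 4x dominance ratio and the 512-byte cell size are this example's assumptions, not values from the paper.

```python
"""Added example (not from the slides or Kwon et al.): circuit-level features of
slide 35, a rule-based stand-in for the tree/k-NN classifier built from the
slide 34 observations, and the website fingerprinting features of slide 36.
Traces are constructed; thresholds are assumptions of this example."""
from typing import Dict, List, Tuple

Cell = Tuple[float, str]  # (timestamp in seconds, "out" = away from the client, "in" = towards it)
CELL_BYTES = 512          # assumed fixed cell size used to turn cell counts into bytes


def synth(pattern: str, step: float, start: float = 0.0) -> List[Cell]:
    """Constructed trace: one cell every `step` seconds, 'o' = outgoing, 'i' = incoming."""
    return [(start + i * step, "out" if c == "o" else "in") for i, c in enumerate(pattern)]


def circuit_features(cells: List[Cell]) -> Dict[str, float]:
    """Slide 35 features: duration of activity and incoming/outgoing cell counts."""
    n_out = sum(1 for _, d in cells if d == "out")
    return {"duration": cells[-1][0] - cells[0][0], "out": n_out, "in": len(cells) - n_out}


def classify_circuit(cells: List[Cell], long_lived: float = 600.0, dominance: int = 4) -> str:
    """Rule-based classifier following the slide 34 observations."""
    f = circuit_features(cells)
    # RP circuits carry content, so one direction dominates the other
    if f["in"] >= dominance * max(f["out"], 1):
        return "client-RP"
    if f["out"] >= dominance * max(f["in"], 1):
        return "HS-RP"
    # IP circuits: few cells; the client side is short-lived, the HS side stays up
    if f["out"] == 3 and f["in"] > 3 and f["duration"] < long_lived:
        return "client-IP"
    if f["out"] > 3 and f["in"] == f["out"] and f["duration"] >= long_lived:
        return "HS-IP"
    return "general"


def wf_features(cells: List[Cell]) -> Dict[str, object]:
    """Slide 36 features: size/time/counts, outgoing-cell positions and bursts."""
    dirs = [d for _, d in cells]
    bursts: List[Tuple[str, int]] = []   # runs of consecutive same-direction cells
    for d in dirs:
        if bursts and bursts[-1][0] == d:
            bursts[-1] = (d, bursts[-1][1] + 1)
        else:
            bursts.append((d, 1))
    return {
        "size": len(cells) * CELL_BYTES,
        "time": cells[-1][0] - cells[0][0],
        "out": dirs.count("out"),
        "in": dirs.count("in"),
        "out_positions": [i for i, d in enumerate(dirs) if d == "out"],
        "bursts": bursts,
    }


# Constructed traces, one per circuit kind of slide 33 plus an ordinary circuit.
TRACES = {
    "client-IP": synth("oooiiii", 0.1),            # 3 out, 4 in, gone in under a second
    "HS-IP": synth("ooooiiii", 100.0),             # 4 out, 4 in, stays up ~12 minutes
    "client-RP": synth("oooo" + "i" * 40, 0.05),   # small request, large response
    "HS-RP": synth("iiii" + "o" * 40, 0.05),       # the same exchange seen from the HS
    "general": synth("oi" * 10, 0.1),              # balanced, short-lived
}


def classify_all() -> Dict[str, str]:
    return {name: classify_circuit(trace) for name, trace in TRACES.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:10s} -> {label}")
    print(wf_features(synth("ooiiiioi", 1.0)))
```

The hand-written rules only work because the constructed traces are clean; on real traces the paper trains classifiers on the same features precisely because the boundaries are fuzzier than the slide's ">>" suggests.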
• 37-38. Circuit fingerprinting attack: problem
The two slides repeat the four observations of slide 34 and stamp them "No longer true!!": at least part of the circuit behaviour the classifier relies on has since changed in Tor. The slides do not say which observation no longer holds.
• 39. POSTER Fingerprinting ("POSTER: Fingerprinting Tor Hidden Services", Mitseva et al., 2016)
● It tries to detect an HS communication through circuit fingerprints (FPs), exploiting the fact that an HS connection reveals that multiple entry nodes are in use.
● FPs are computed from statistics on:
○ the number of entry nodes;
○ the chronological sequence of incoming/outgoing cells.
The more fingerprints are used, the better the classification.
● An SVM-based classifier, trained with a 10-fold cross-validation scheme, detects:
○ unknown HSs (open world) when all 8 FPs are used;
○ known HSs (closed world) with just one FP, with precision and recall above 95%.
• 41. Goal: "Deanonymize the owner identity (identity leaks) or the IP address of the hidden server (location leaks)".
• 42. Caronte ("CARONTE: Detecting Location Leaks for Deanonymizing Tor Hidden Services", Matic et al., 2015)
Caronte is an automated tool for finding location leaks. Its input is the onion address(es) of the hidden service(s) of interest.
Location leaks: information in the content or configuration of a hidden service that gives away its location. They are introduced by the hidden service administrators and cannot be centrally fixed by the Tor project.
General idea: leaks are discovered in the content or configuration of a hidden service by finding candidate identities (e.g. phone numbers embedded in a page) or candidate Internet endpoints (e.g. an IP address or DNS domain in an error page). Candidates are then validated by checking whether the IP address and the onion address lead to the same service.
• 44. Phase 1: Exploration
● Caronte visits:
○ the root page of the HS;
○ all HTML resources linked from the root page (/xyz);
○ a random resource, to trigger an error page that may leak information placed there by the administrator.
● Each of these URLs is fetched and stored:
○ both over HTTP and over HTTPS (to obtain the certificate);
○ with two Host header values: the onion address and a random onion address. A hosting server may serve other, public, sites besides the hidden one; requesting an unknown Host may make the server return its default (public) site, leaking information.
• 45. Phase 2: Candidate selection
The next step extracts a list of candidates for each onion URL:
● Internet endpoints. Pages may contain URLs, e-mail addresses and IP addresses. URLs whose DNS domain is very popular (checked against a public list of popular domains) are discarded; the others are kept.
● Unique strings. These are:
○ identifiers, e.g. Google Analytics and AdSense IDs, Bitcoin wallets;
○ page titles, which are often distinctive.
They are looked up in search engines, which return the Internet sites where they have been observed; the DNS domains of those sites become candidates, unless they are popular.
• 46. Phase 2: Candidate selection (cont'd)
● HTTPS certificates. Caronte extracts from each certificate:
○ the Subject Common Name (SCN) and Subject Alternative Names (SAN), which may contain IP addresses and/or DNS domains;
○ the SHA1 hash of the DER-encoded certificate, which is searched in the SONAR database (Rapid7's Project Sonar, which collects certificates seen on the Internet) to retrieve the IP addresses that served the same certificate;
○ the public key, searching SONAR for other certificates with the same key and repeating the step above.
Additionally, it searches SONAR for any certificate whose SCN or SAN contains an onion address.
● The output is a set of candidate pairs <onion address, endpoint>.
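The endpoint and unique-string extraction of slide 45 run over a constructed page body, as an added example that is not the slides' or Matic et al.'s code. The popular-domain set is a tiny stand-in for the public list the paper checks against, the regular expressions are this example's own, and the certificate/SONAR lookups of slide 46 are left out because they need an external dataset.

```python
"""Added example (not from the slides or Matic et al.): phase-2 candidate
extraction over a constructed page. POPULAR_DOMAINS is a stand-in for the
public popularity list; the regexes are this example's own."""
import html
import re
from typing import Dict, List
from urllib.parse import urlsplit

POPULAR_DOMAINS = {"google.com", "facebook.com", "twitter.com", "youtube.com"}  # stand-in list

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL = re.compile(r'''https?://[^\s"'<>]+''', re.I)
EMAIL = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")
GA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")                   # Google Analytics property id
ADSENSE_ID = re.compile(r"\bpub-\d{16}\b")                       # AdSense publisher id
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")    # legacy base58 address
TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); a real tool would use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def keep_domain(host: str) -> bool:
    """Slide 45: keep a domain unless it is popular or an onion name."""
    return not host.endswith(".onion") and registrable(host) not in POPULAR_DOMAINS


def extract_candidates(onion: str, body: str) -> Dict[str, object]:
    """Internet endpoints and unique strings found in one page of the HS."""
    endpoints = set(IPV4.findall(body))
    for url in URL.findall(body):
        host = urlsplit(url).hostname
        if host and (IPV4.fullmatch(host) or keep_domain(host)):
            endpoints.add(host)
    endpoints.update(d for d in EMAIL.findall(body) if keep_domain(d))
    strings = set(GA_ID.findall(body)) | set(ADSENSE_ID.findall(body)) | set(BTC_ADDR.findall(body))
    m = TITLE.search(body)
    if m:
        strings.add(html.unescape(m.group(1)).strip())   # page titles are often distinctive
    return {"onion": onion, "endpoints": sorted(endpoints), "unique_strings": sorted(strings)}


# Constructed page: a leaky clearnet mirror, a contact address, a popular social
# link (to be discarded), an analytics id and a made-up (syntactically valid) wallet.
SAMPLE_PAGE = """<html><head><title>Acme Leaks Exchange</title></head>
<body>
<p>Contact: admin@acme-leaks.example</p>
<p>Mirror: http://198.51.100.23/mirror/ and https://cdn.acme-leaks.example/assets/</p>
<p>Follow us on https://twitter.com/acmeleaks</p>
<script>ga('create', 'UA-12345678-1', 'auto');</script>
<p>Donate: 1ExampLeAddrFakeKkMnP2ab7Ff9Qz3Bx</p>
</body></html>"""

if __name__ == "__main__":
    print(extract_candidates("acmeleaksxyz1234.onion", SAMPLE_PAGE))
```

Every endpoint returned here is still only a candidate; the validation of slide 47 decides whether the mirror really is the same server.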
• 47. Phase 3: Validation
● For every pair <onion address, endpoint>, Caronte checks the similarity between the candidate endpoint and one of the hidden service pages.
● If the similarity is high, the candidate really is a DNS domain or IP address of the hidden service. Default error pages and recurrent (template) pages are excluded from this check, since they would match any server.
● Validation is divided into two steps and 7 checks:
○ server similarity;
○ body similarity.
• 48. Intentional Similarities
Leaks can be intentional. Example: Facebook wants its hidden service to be publicly linked to it. Three methods detect intentional similarities:
● The onion address is compared with the endpoint. If their longest common substring has length >= 4, the onion address was most likely obtained by brute-forcing the key generation (the address is the first 80 bits of the SHA1 of the public key, so a vanity name is obtained by generating keys until one hashes to the wanted string). Example: www.facebook.com and facebookcorewwwi.onion.
● Check whether the endpoint contains the onion address of the HS.
● Check whether the titles of the HS pages embed the Internet endpoint.
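The three intentional-similarity checks above, together with a word-level body similarity standing in for the body-similarity step of slide 47 and the v2 onion address derivation the first check relies on, as an added example that is not the slides' or Matic et al.'s code (the paper's 7 validation checks are not reproduced). Pages, onion names and the 0.8 similarity threshold are constructed or assumed. One caveat a reader in 2017 did not need: the 16-character SHA1-based address format is the v2 one these slides describe; v3 addresses are 56 characters, derived from an ed25519 key, and v2 services have since been retired by Tor, so the vanity heuristic only applies to v2 names.

```python
"""Added example (not from the slides or Matic et al.): intentional similarity
checks of slide 48, a word-level body similarity as a stand-in for the slide 47
validation, and the v2 onion address derivation. Inputs are constructed."""
import base64
import difflib
import hashlib
from typing import Dict, List


def onion_v2_address(der_public_key: bytes) -> str:
    """Slide 48: first 80 bits of SHA1(public key), base32-encoded, plus '.onion'."""
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"


def longest_common_substring(a: str, b: str) -> str:
    """Classic O(len(a)*len(b)) dynamic programme; returns the substring itself."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def intentional_similarity(onion: str, endpoint: str, titles: List[str]) -> Dict[str, object]:
    """The three checks of slide 48; any True flag marks the leak as intentional."""
    label = onion.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    lcs = longest_common_substring(label, endpoint.lower())
    return {
        "lcs": lcs,
        "vanity_address": len(lcs) >= 4,                       # brute-forced name
        "endpoint_contains_onion": label in endpoint.lower(),
        "title_embeds_endpoint": any(endpoint.lower() in t.lower() for t in titles),
    }


def body_similarity(a: str, b: str) -> float:
    """Word-level similarity in [0, 1] (difflib ratio over token sequences)."""
    return difflib.SequenceMatcher(None, a.split(), b.split()).ratio()


DEFAULT_PAGES = {"404 Not Found nginx", "It works!"}   # constructed stand-ins for default pages


def validate_candidate(hs_body: str, candidate_body: str, threshold: float = 0.8) -> str:
    """Slide 47: 'confirmed' if the candidate page looks like the HS page,
    'skipped' if the HS page is a default/recurrent page, else 'rejected'."""
    if " ".join(hs_body.split()) in DEFAULT_PAGES:
        return "skipped"
    return "confirmed" if body_similarity(hs_body, candidate_body) >= threshold else "rejected"


# Constructed pages: the HS page, its clearnet mirror (one word differs) and an unrelated host.
HS_PAGE = "Welcome to Acme Leaks Exchange. Mirror available at our clearnet site. Contact admin for details."
MIRROR_PAGE = "Welcome to Acme Leaks Exchange. Mirror available at our public site. Contact admin for details."
OTHER_PAGE = "Welcome to the Example Hosting default page."

if __name__ == "__main__":
    print(intentional_similarity("facebookcorewwwi.onion", "www.facebook.com", ["Facebook - Log In"]))
    print(validate_candidate(HS_PAGE, MIRROR_PAGE), validate_candidate(HS_PAGE, OTHER_PAGE))
    print(onion_v2_address(b"constructed DER bytes, not a real key"))
```

The word-level ratio is deliberately crude: it is enough to separate a mirror from an unrelated default page, which is exactly the case the slide excludes, but a production tool also compares server headers (the "server similarity" step) before trusting a body match.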
• 49. Thanks! Any questions?
You can find us on LinkedIn:
Andrea Bissoli: https://www.linkedin.com/in/andrea-bissoli-537768116/
Fabrizio Farinacci: https://www.linkedin.com/in/fabrizio-farinacci-496679116/
Andrea Prosseda: https://www.linkedin.com/in/andrea-prosseda-2b8651116/
Sara Veterini: https://www.linkedin.com/in/sara-veterini-667684116/