Anonymization techniques are a double-edged sword invention as they can be used by journalists to communicate more safely with whistle blowers or by malicious users to commit cyber-crimes without getting caught but the problem is that neither party is anonymous nor safe from being exposed. In the presentation Mohamed discussed a tool that he developed "dynamicDetect" to de-anonymize TOR clients and browsers and abstracting the user's original IP address and fingerprint. The tool then uses this information as a launchpad to perform defensive and offensive against that TOR user.

1. Attacking The Unknown
www.dts-solution.com
Mohamed Bedewi – Sr. Security Researcher and Penetration Testing Consultant
Network+ | CCNA | MCSE | Linux+ | RHCE | Security+ | CEH | ECSA | LPT | PWB | CWHH | OSCP
mohamed@dts-solution.com | https://ae.linkedin.com/in/mbedewi | https://twitter.com/mbedewi

2. DTS Solution

3. Attacking The Unknown
Escalation
Exploitation
Enumeration
Discovery
The Unknown is
such a general term!
The Unknown can
literally be anything
You can’t attack The
Unknown!
What The Unknown
really is?

4. What The Unknown Really is?
• The Unknown is an internet user who think he is fully anonymous or untraceable.
• The Unknown will use anonymity technologies which never promised full anonymity.
• The Unknown can be your neighbor, friend, boss or the person sitting next to you.
• The Unknown has his own reasons to become anonymous but not all reasons are good.
Technologies
Web Proxy
Proxy Chains
VPN
TOR

5. Anonymity Technologies - Web Proxy
Web Proxy is a computer that acts as an intermediary and privacy shield between a client
computer and the rest of the Internet. It accesses the Internet on the user's behalf,
protecting personal information by hiding the client computer's identifying information.
Privacy Implications:
• Web Proxy servers are poorly maintained.
• The internet is full of rouge Web Proxy servers.
• DNS leakage can reveal Web Proxy users’ identity.
• The data travels unencrypted in most use cases.
• Web Proxy is vulnerable to client-side attacks.
Web Proxy is now considered as an old and
deprecated technology since it’s far away from
being stable, secure, fast, practical nor flexible
while being a single point of failure from both
security and functionality perspectives.

6. Anonymity Technologies – Proxy Chains
Proxy Chains is a daemon which chains a list of proxy servers and route any TCP traffic
through them. The last proxy server in the chain accesses the Internet on the user's behalf,
protecting personal information by hiding the client computer's identifying information.
Privacy Implications:
• Proxy servers are poorly maintained.
• The internet is full of rouge Proxy servers.
• DNS leakage can reveal Proxy Chains users’ identity.
• The data travels unencrypted in most use cases.
• Proxy Chains is vulnerable to client-side attacks.
Proxy Chains is now considered as an old and
deprecated technology since it’s far away from
being stable, secure, fast, practical nor flexible
even with the fact it can route any TCP traffic
through a chained network of proxy servers.

7. Anonymity Technologies – VPN
VPN is an intermediate computer which tunnels and encrypts all network traffic initiated or
destined to a client computer. It accesses the Internet on the user's behalf, protecting
personal information by hiding the client computer's identifying information.
Privacy Implications:
• VPN activity logs can reveal VPN users’ identity.
• The internet is full of vulnerable VPN servers.
• DNS leakage can reveal VPN users’ identity.
• Service payment can reveal VPN users’ identity.
• VPN is vulnerable to client-side attacks.
VPN is now considered as the second favorite
choice when it comes to anonymity since it's
stable, semi-fast, practical and flexible with the
ability to handle and route any IP-based service
robustly through the encrypted magical tunnel.

8. Anonymity Technologies – TOR
TOR is based on a VPN distributed network which takes a random pathway through several
encrypted servers to an exit node which accesses the Internet on the user's behalf,
protecting personal information by hiding the client computer's identifying information.
Privacy Implications:
• TOR exit nodes are poorly maintained.
• Compromised nodes can reveal TOR users’ identity.
• DNS leakage can reveal TOR users’ identity.
• Correlation attacks can reveal TOR users’ identity.
• TOR is vulnerable to client-side attacks.
TOR is now considered as the favorite choice
when it comes to anonymity since it's free,
stable, semi-fast, practical and flexible with the
ability to handle and route any IP-based service
robustly and securely through a VPN network.

9. Anonymity Technologies Facts
• If the technology in question is free of charge then it’s poorly maintained and vulnerable.
• Anonymity technologies are vulnerable to client-side attacks which will reveal users identity.
• If the technology in question is paid then it’s most probably monitored even if told otherwise.
• Anonymity technologies are vulnerable to DNS information leakage if not specially configured.
• Intermediate mediums used by anonymity technologies can be sniffing traffic for any purpose.

10. Privacy is an Illusion

11. How to Exploit The Unknown?
Attack
Any successful exploitation starts with discovering the target in question then enumerating
the target for potential vulnerabilities then exploiting the discovered vulnerabilities then
finally escalading privileges and backdooring the target in question to ensure further access.
The target in questions is anonymous and to
take the previous approach further, we need
to deanonymize and identify the target first
otherwise exploitation won’t be possible.
The entire process of deanonymizing,
identifying, attacking and profiling (DIAP)
the target needs to be automated via a
smart light weight offensive module.
Deanonymization
Identification
Enumeration
Exploitation
Escalation
Persistence

12. Now Since We Know How it Should be Done
Let Me Introduce to You dynamicDetect

13. What is dynamicDetect?
Despite it’s friendly name, dynamicDetect is a very sophisticated offensive module which
can effectively and robustly deanonymize, identify, attack and profile (DIAP) malicious users
basically behind TOR, VPN and Proxies automatically and with zero human interaction.
dynamicDetect Technical Features:
• Capable of deanonymizing any anonymous user flawlessly and accurately on the fly.
• Capable of identifying the anonymous user’s IP address, country, city and coordinates.
• Capable of enumerating the anonymous user’s machine to spot every single weakness.
• Capable of exploiting every single weakness identified in the anonymous user’s machine.
• Capable of escalading privileges under any system despite deployed security controls.
• Capable of maintaining access and staying stealthy even in the most strict environments.
• Capable of profiling every and each anonymous user efficiently with detailed activity log.
The anonymous user never suspects the activity happening in the
background and it all happens in a maximum of 3.10 seconds!

14. How dynamicDetect Works?
Deanonymization
Identification
Enumeration
Exploitation
Escalation
Persistence
Excellent
Alice thinks that she's fully anonymous till she clicks on a rouge link and out of the sudden,
her machine isn't hers anymore after being fully deanonymized and got her identity exposed!
The best way to deliver a malicious payload is over an encrypted channel and we don’t
even have to worry about raising any suspicions because Alice is the one who initiated it
Payload successfully
delivered and Alice
doesn’t even know!

15. Talk is Cheap, Show us dynamicDetect

16. Thanks and Have a Good Day