Adrian Crenshaw
http://irongeek.com
I run irongeek.com
I have an interest in InfoSec education
I don't know everything - I'm just a geek with time on my hands
Sr. Information Security Consultant at TrustedSec
Co-Founder of Derbycon
http://www.derbycon.com
Twitter: @Irongeek_ADC

I will be taking two perspectives:
People trying to stay anonymous
People trying to de-anonymize users
I'm not really a privacy guy
IANAL
Be careful where you surf, contraband awaits
Darknets
There are many definitions, but mine is: anonymizing private network
Use of encryption and proxies (sometimes other peers) to obfuscate who is communicating to whom
Sometimes referred to as Cipherspace (love that term)

The Onion Router
Who?
First the US Naval Research Laboratory, then the EFF and now the Tor Project (501c3 non-profit).
http://www.torproject.org/
Why?
Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis. ~ As defined by their site
What?
Access normal Internet sites anonymously, and Tor hidden services.
How?
Locally run SOCKS proxy that connects to the Tor network.

Layered encryption
Bi-directional tunnels
Has directory servers
Mostly focused on out proxying to the Internet
More info at https://www.torproject.org
(Diagram labels: Internet Server, Directory Server)
Image from http://www.torproject.org/hidden-services.html.en
Client
Just a user
Relays
These relay traffic, and can act as exit points
Bridges
Relays not advertised in the directory servers, so harder to block
Guard nodes
Used to mitigate some traffic analysis attacks
Introduction Points
Helpers in making connections to hidden services
Rendezvous Point
Used for relaying/establishing connections to hidden services
Tails: The Amnesic Incognito Live System
https://tails.boum.org/
Tor2Web Proxy
http://tor2web.org
Tor Hidden Wiki:
http://kpvz7ki2v3agwt35.onion
Scallion (make host names)
https://github.com/lachesis/scallion
Onion Cat
http://www.cypherpunk.at/onioncat/
Reddit Onions
http://www.reddit.com/r/onions
Pros
If you can tunnel it through a SOCKS proxy, you can make just about any protocol work.
Three levels of proxying, each node not knowing the one before last, makes things very anonymous.
Cons
Slow
Do you trust your exit node?
Semi-fixed infrastructure:
Sept 25th 2009, Great Firewall of China blocks 80% of Tor relays listed in the Directory, but all hail bridges!!!
https://blog.torproject.org/blog/tor-partially-blocked-china
http://yro.slashdot.org/story/09/10/13/1910229/China-Strangles-Tor-Ahead-of-National-Day
Fairly easy to tell someone is using it from the server side
http://www.irongeek.com/i.php?page=security/detect-tor-exit-node-in-php
(keep in mind, this is just the defaults)
Local
9050/tcp Tor SOCKS proxy
9051/tcp Tor control port
(9150 and 9151 on Tor Browser Bundle)
Remote
443/tcp and 80/tcp mostly
Servers may also listen on port 9001/tcp, and directory information on 9030.
More details
http://www.irongeek.com/i.php?page=security/detect-tor-exit-node-in-php
http://www.room362.com/tor-the-yin-or-the-yang

http://geti2p.net
Crypto Currency
Proof of work
Bitcoin Addresses & Private keys
Block Chain (ledger)
Tumblers (laundering)
Way more info by Bob Weiss
http://www.irongeek.com/i.php?page=videos/bsidesde2013/2-6-hacking-benjamins-bob-weiss-pwcrack-into-to-bitcoin
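As an added illustration of the "Proof of work" and "Block Chain (ledger)" bullets, not code from the talk or from Bob Weiss's material: a toy chain where each block commits to the previous block's hash and must be mined until its hash starts with a given number of zero hex digits, so editing any ledger entry after the fact breaks verification. The ledger entries are constructed strings, and the difficulty is kept tiny so the search finishes instantly.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed sentinel meaning "no previous block"


def block_hash(block):
    """Hash a block over a canonical JSON serialization so field order cannot matter."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def meets_target(digest, difficulty):
    """Proof-of-work target: the hex digest must begin with `difficulty` zeros."""
    return digest.startswith("0" * difficulty)


def mine(prev_hash, entries, difficulty):
    """Try nonces from 0 upward until the block hash meets the target; returns (block, hash)."""
    nonce = 0
    while True:
        block = {"prev": prev_hash, "entries": list(entries), "nonce": nonce}
        digest = block_hash(block)
        if meets_target(digest, difficulty):
            return block, digest
        nonce += 1


def build_chain(entry_sets, difficulty=3):
    """Mine one block per set of ledger entries, each committing to the previous block's hash."""
    chain = []
    prev = GENESIS_PREV
    for entries in entry_sets:
        block, digest = mine(prev, entries, difficulty)
        chain.append(block)
        prev = digest
    return chain


def verify_chain(chain, difficulty=3):
    """Recompute every hash and link; an edited entry, nonce or link makes this False."""
    prev = GENESIS_PREV
    for block in chain:
        if block.get("prev") != prev:
            return False
        digest = block_hash(block)
        if not meets_target(digest, difficulty):
            return False
        prev = digest
    return True


# Constructed ledger entries (not real transactions).
SAMPLE_ENTRIES = [
    ["alice->bob:0.5", "bob->carol:0.2"],
    ["carol->dave:0.1"],
]


def tampered_copy(chain):
    """Edit one entry in a deep copy, leaving the stored nonces and links untouched."""
    altered = copy.deepcopy(chain)
    altered[0]["entries"][0] = "alice->bob:5.0"
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_ENTRIES)
    print("valid:", verify_chain(chain))                    # True
    print("tampered:", verify_chain(tampered_copy(chain)))  # False
```

The tampered copy fails because the first block's hash no longer meets the target and, even if it were re-mined, the second block's stored "prev" link would no longer match; redoing the work for every later block is what makes the ledger expensive to rewrite.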

On Dec. 16th 2013 a bomb threat was made to Harvard's student newspaper and some officials.
The person used https://www.guerrillamail.com to send email after connecting over Tor
Guerrilla Mail puts an X-Originating-IP header on that marked who sent the message, in this case a Tor exit point
To: "irongeek@irongeek.com" <irongeek@irongeek.com>
From: <e9jnqrz+oo4j3w@guerrillamail.com>
Subject: Hey baby!
X-Originating-IP: [/012341341/0]
Content-Type: text/plain; charset="utf-8"
shrapnel bombs placed in:
science center
sever hall
emerson hall
thayer hall
2/4.
guess correctly.
be quick for they will go off soon
All Tor nodes are publicly known (except bridges):
http://torstatus.blutmagie.de
Easy to correlate who was attached to Harvard network and using Tor at the same time the email was sent (unless you use a bridge).
Eldo Kim was connected to the Tor network around that time.
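The two checks this case rests on, written out as an added example that is not part of the talk: on the server side, read the address out of an X-Originating-IP header laid out like the Guerrilla Mail one above and look it up in a relay-list snapshot; on the network side, count which internal hosts opened connections to listed relays. The relay snapshot, the message and the flow records are constructed stand-ins; a real run would load the exit/relay list the talk points at (torstatus.blutmagie.de) instead. Bridges are absent from that list, which is exactly the gap the talk notes.

```python
import email
import ipaddress
import re
from email import policy

# Constructed stand-in for a relay-list snapshot: (ip, flags, ORPort, DirPort).
# TEST-NET addresses only; a real run would load the public directory data.
RELAY_SNAPSHOT = [
    ("198.51.100.7", frozenset({"Exit", "Running"}), 9001, 9030),
    ("198.51.100.23", frozenset({"Guard", "Running"}), 443, 80),
    ("203.0.113.9", frozenset({"Exit", "Running"}), 443, 9030),
]


def build_index(snapshot):
    """Return (exit_ips, relay_ips) as sets of normalized address strings."""
    exits, relays = set(), set()
    for ip, flags, _or_port, _dir_port in snapshot:
        norm = str(ipaddress.ip_address(ip))
        relays.add(norm)
        if "Exit" in flags:
            exits.add(norm)
    return exits, relays


EXIT_IPS, RELAY_IPS = build_index(RELAY_SNAPSHOT)


def is_tor_exit(client_ip, exits=EXIT_IPS):
    """Server-side check: is the connecting address a listed exit node?"""
    try:
        return str(ipaddress.ip_address(client_ip.strip())) in exits
    except ValueError:
        return False  # malformed input is never treated as a match


# Constructed message laid out like the Guerrilla Mail headers in the talk.
SAMPLE_EMAIL = """\
To: "irongeek@irongeek.com" <irongeek@irongeek.com>
From: <sender@example.invalid>
Subject: Hey baby!
X-Originating-IP: [198.51.100.7]
Content-Type: text/plain; charset="utf-8"

constructed body text
"""

_ADDR_RE = re.compile(r"\[?\s*([0-9A-Fa-f:.]+)\s*\]?")


def originating_ip(raw_message):
    """Pull the address out of X-Originating-IP, tolerating the bracketed form."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    match = _ADDR_RE.search(str(value))
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


def classify_sender(raw_message, exits=EXIT_IPS):
    """Return ('tor-exit' | 'direct' | 'unknown', ip) for a raw message."""
    ip = originating_ip(raw_message)
    if ip is None:
        return ("unknown", None)
    return ("tor-exit" if ip in exits else "direct", ip)


# Constructed flow records: "timestamp src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
2013-12-16T08:29:55 10.0.5.12 198.51.100.23 443
2013-12-16T08:30:01 10.0.5.12 198.51.100.7 9001
2013-12-16T08:30:03 10.0.7.40 192.0.2.10 443
2013-12-16T08:31:10 10.0.5.12 203.0.113.9 9030
"""


def tor_client_flows(flow_text, relays=RELAY_IPS):
    """Network-side check: {src_ip: number of flows to listed relays}.

    Matching is on the destination address, not the port, because relays
    also listen on 443/80; unlisted bridges are invisible to this check.
    """
    counts = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing
        _ts, src, dst, _port = parts
        if dst in relays:
            counts[src] = counts.get(src, 0) + 1
    return counts
```

The snapshot should be refreshed on the same cadence as the directory it mirrors; an exit that left the consensus days ago still shows up in old mail headers, so keep dated snapshots if you need to classify historic messages.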
Suspect Eldo Kim wanted to get out of a final and admitted he made the bomb threat when interviewed.
More Details:
http://arstechnica.com/security/2013/12/use-of-tor-helped-fbi-finger-bomb-hoax-suspect/
http://www.scribd.com/doc/192371742/Kim-El-Do-Harvard

Lessons Learned:
Don't be the only person using Tor on a monitored network at a given time
Use a bridge?
Don't admit anything
Correlation attacks are a bitch
(Diagram: 5MB and 8MB data flows passing between Clients)
I could just watch the timings.
Pulse the data flows myself.
Or even just change the load on the path.
DoS outside host to affect traffic.
(Diagram: DNS Query to a Monitored DNS Server)
If I don't use the proxy for DNS, I may send the query to a DNS server. It won't see my traffic to/from the destination, but may now know I'm visiting someplace.com/.onion/.i2p
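A resolver-side check for the leak just described, added here as an example and not part of the talk: names under .onion or .i2p are only meaningful inside Tor or I2P, so any such query arriving at a clearnet resolver identifies a client whose application resolved the name locally instead of handing it to the SOCKS proxy. The log lines are constructed in a BIND-style query-log layout; the client addresses and names are made up.

```python
import re
from collections import defaultdict

# Names under these suffixes are only resolvable inside Tor/I2P; a clearnet
# resolver seeing them means the client did not send DNS through the proxy.
DARKNET_SUFFIXES = (".onion", ".i2p")

# Constructed resolver log lines in a BIND-style query-log layout.
SAMPLE_DNS_LOG = """\
16-Dec-2013 08:30:01.001 client 10.0.5.12#51234: query: abcdefghijklmnop.onion IN A +
16-Dec-2013 08:30:02.120 client 10.0.7.40#40011: query: www.example.com IN A +
16-Dec-2013 08:30:05.400 client 10.0.5.12#51240: query: someforum.i2p. IN AAAA +
16-Dec-2013 08:30:06.800 client 10.0.9.3#33333: query: onion.example.net IN A +
this line is not a query record
"""

_QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query(line):
    """Return (client_ip, name, qtype) or None; names are lower-cased, root dot stripped."""
    m = _QUERY_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def is_darknet_name(name):
    """True only when the final label is onion or i2p, so 'onion.example.net' is not flagged."""
    return name.lower().rstrip(".").endswith(DARKNET_SUFFIXES)


def find_dns_leaks(log_text):
    """Map each leaking client address to the darknet names it asked the resolver for."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, name, _qtype = parsed
        if is_darknet_name(name):
            leaks[ip].append(name)
    return dict(leaks)
```

On the client side the fix is to let the proxy resolve the name (a SOCKS5 hostname mode such as curl's --socks5-hostname) rather than resolving locally and proxying only the TCP connection; the resolver log check above is how you confirm that a fleet of clients actually does so.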

Hector Xavier Monsegur (Sabu) normally used Tor for connecting to IRC but was caught not using it once and FBI found his home IP. After being caught, he started to collaborate.
Hector spoke with Jeremy Hammond (sup_g) on IRC, and Jeremy casually let slip where he had been arrested before and groups he was involved with.
This narrowed the suspect pool, so the FBI got a court order to monitor his Internet access.
Hammond used Tor, and while the crypto was never busted, FBI correlated times sup_g was talking to Sabu on IRC with when Hammond was at home using his computer.
More Details:
http://arstechnica.com/tech-policy/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon/

Lessons Learned:
Use Tor consistently
Don't give personal information
Correlation attacks are still a bitch!
Freedom Hosting hosted, amongst other things, many child porn related hidden service websites.
Freedom Hosting had previously come under attack by Anonymous during Op Darknet because of it hosting CP.
In July of 2013, the FBI compromised Freedom Hosting, and inserted malicious JavaScript that used Firefox bug CVE-2013-1690 in version 17 ESR.
The Tor Browser Bundle is based on Firefox, and the newest version was already patched, but not everyone updates in a timely fashion.

The payload was Magneto, which phoned home to servers in Virginia using the host's public IP.
http://ghowen.me/fbi-tor-malware-analysis
It also reported back the computer's:
MAC address
Windows host name
Unique serial number to tie a user to a site
May be same as EgotisticalGiraffe.
See also:
Magic Lantern
FOXACID
Computer and Internet Protocol Address Verifier (CIPAV)
Thanks to Joe Cicero for "Privacy in a Surveillance State, Evading Detection" (P.I.S.S.E.D.) talk.
I am the best Giraffe EVAR!!! Bow to my Giraffey goodness!
An Irish man, Eric Eoin Marques, is alleged to be the operator of Freedom Hosting. The servers hosting Freedom Hosting were tied to him because of payment records.
Marques was said to have dived for his laptop to shut it down when police raided him.
More Details:
http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

Lessons Learned:
Don't host Captain Picard or Julian Bashir
Patch, patch, patch
Follow the money
Leave encrypted laptops in a powered down state when not in use!
(Diagram: Exploit & Payload)
Let's see if the hidden server app is vulnerable to an exploit (buffer overflow/web app shell exec/etc).
Send a payload that contacts an IP I monitor.
Someone going by the handle Dread Pirate Roberts was the operator of the SilkRoad, which allows sellers and buyers to exchange less than legal goods and services.
http://silkroadvb5piz3r.onion
With about $1.2 Billion in exchanges on SilkRoad, FBI wanted to know who was behind it.
They started to look for the earliest references to the SilkRoad on the public Internet.

From Court Documents:
As of September 23, 2013, there were nearly 13,000 listings for controlled substances on the website, listed under the categories "Cannabis," "Dissociatives," "Ecstasy," "Intoxicants," "Opioids," "Precursors," "Prescription," "Psychedelics," and "Stimulants," among others.
There were 159 listings on the site under the category "Services." Most concerned computer-hacking services: for example, one listing was by a vendor offering to hack into Facebook, Twitter, and other social networking accounts of the customer's choosing, so that "You can Read, Write, Upload, Delete, View All Personal Info"; another listing offered tutorials on "22 different methods" for hacking ATM machines. Other listings offered services that were likewise criminal in nature. For example, one listing was for a "HUGE Blackmarket Contact List," described as a list of "connects" for "services" such as "Anonymous Bank Accounts," "Counterfeit Bills (CAD/GBP/EUR/USD)," "Firearms + Ammunition," "Stolen Info (CC [credit card], Paypal)," and "Hitmen (10+ countries)."
Sellers may not list forgeries of any privately issued documents such as diplomas/certifications, tickets or receipts. Also, listings for counterfeit currency are still not allowed in the money section.
The earliest they could find was from altoid on the Shroomery.org forums on 01/27/11.
http://www.shroomery.org/forums/showflat.php/Number/13860995

BitCoinTalk.org Post
Quote from: altoid on January 29, 2011, 07:44:31 PM
What an awesome thread! You guys have a ton of great ideas. Has anyone seen Silk Road yet? It's kind of like an anonymous amazon.com. I don't think they have heroin on there, but they are selling other stuff. They basically use bitcoin and tor to broker anonymous transactions. It's at http://tydgccykixpbu6uz.onion. Those not familiar with Tor can go to silkroad420.wordpress.com for instructions on how to access the .onion site. Let me know what you guys think
https://bitcointalk.org/index.php?topic=175.msg42479#msg42479

An account named altoid also made a post on BitcoinTalk.org about looking for an IT pro in the bitcoin community and asked interested parties to contact rossulbricht at gmail dot com (10/11/11).
https://bitcointalk.org/index.php?topic=47811.0
Ulbricht's Google+ profile shows an interest in the Mises Institute, a world center of the Austrian School of economics.
Dread Pirate Roberts' signature on the Silk Road forums had a link to the Mises Institute. Austrian Economic theory was also stated by Dread Pirate Roberts to be influential to the Silk Road's philosophy.

A "Ross Ulbricht" account also posted on StackOverflow asking for help with PHP code to connect to a Tor hidden service. The username was quickly changed to frosty (03/16/12).
http://stackoverflow.com/questions/15445285/how-can-i-connect-to-a-tor-hidden-service-using-curl-in-php
Guess who is now a suspect for being Dread Pirate Roberts? Ross William Ulbricht.
Someone was connecting to a server that hosts the Silk Road from an Internet cafe near where Ross lived in San Francisco. Private messages on Silk Road make it seem Dread Pirate Roberts lived in the Pacific time zone.
IP of a Silk Road server was attached to via a VPN server that was connected to by an IP belonging to an Internet cafe on Laguna Street in San Francisco from which Ulbricht had also connected to his Gmail account (both on June 3, 2013).
PM to Dread Pirate Roberts from a user said the site was leaking "some sort of external IP address" belonging to the VPN.
FBI starts taking down SilkRoad servers, though I'm not sure how they were found. Could have been money trail to aliases, or as Nicholas Weaver conjectured, they hacked SilkRoad and made it contact an outside server without using Tor so it revealed its real IP. Once located, FBI was able to get a copy of one of the servers.
On 07/10/13 US Customs intercepted 9 IDs with different names, but all having a picture of Ulbricht. Homeland Security interviewed Ulbricht, but he denied having ordered them.
Smart: ULBRICHT generally refused to answer any questions pertaining to the purchase of this or other counterfeit identity documents.
Stupid: However, ULBRICHT volunteered that "hypothetically" anyone could go onto a website named "Silk Road" on "Tor" and purchase any drugs or fake identity documents the person wanted.
Roommates knew him as Josh. PMs show DPR was interested in getting fake IDs.
Server used SSH and a public key that ended in frosty@frosty. Server also had some of the same code posted on StackOverflow.
Eventually, on 10/01/2013 the FBI landed on him in a Library right after he entered the password for his laptop. More evidence was found on his laptop.
More info (Big thanks to Nate Anderson for the original article and Agent Christopher Tarbell for court docs):
http://arstechnica.com/tech-policy/2013/10/how-the-feds-took-down-the-dread-pirate-roberts/
https://www.cs.columbia.edu/~smb/UlbrichtCriminalComplaint.pdf

Lessons Learned:
Keep online identities separate
Keep different usernames
From different locations
Have a consistent story
Don't talk about interests
Don't volunteer information!
Maybe?

Talk on Darknets in general
http://www.irongeek.com/i.php?page=videos/aide-winter-2011#Cipherspace/Darknets:_anonymizing_private_networks
I2P FAQ
http://www.i2p2.de/faq.html
Tor FAQ
https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ
Tor Manual
https://www.torproject.org/docs/tor-manual.html.en
I2P Index to Technical Documentation
http://www.i2p2.de/how

Intro to Darknets: Tor and I2P Workshop
http://www.irongeek.com/i.php?page=videos/intro-to-tor-i2p-darknets
My Tor/I2P notes
http://www.irongeek.com/i.php?page=security/i2p-tor-workshop-notes
Cipherspaces/Darknets: An Overview Of Attack Strategies
http://www.irongeek.com/i.php?page=videos/cipherspaces-darknets-an-overview-of-attack-strategies
Anonymous proxy to the normal web
http://www.irongeek.com/i.php?page=videos/tor-1
Hidden services
Normally websites, but can be just about any TCP connection
http://www.irongeek.com/i.php?page=videos/tor-hidden-services
Derbycon
Sept 24th-28th, 2014
http://www.derbycon.com
Others
http://www.louisvilleinfosec.com
http://skydogcon.com
http://hack3rcon.org
http://outerz0ne.org
http://phreaknic.info
http://notacon.org

Photo Credits to KC (devauto)
Derbycon Art Credits to DigiP
Twitter: @Irongeek_ADC