
Introduction to Dark Web

Wednesday, February 14, 2024 9:56 PM

Three Types of Internet (Web):

• the Clear Web,
• the Deep Web, and
• the Dark Web

Clear Web

It has many names, such as:
• The Clear Web,
• Surface Web, and
• Indexed Web.

Crawlers are a type of software that searches the internet for publicly available webpages so that search engines can offer them as results. These bots go from site to site, link to link, finding every page that they’re allowed to view, and reporting back.

The Clear Web consists of legal sites that are generally designed for use by the public, and tend not to have obscure methods of gaining access, such as a special key or IP whitelisting.

Dark Web

A section of the internet that is utilized for
• anonymity,
• illegal operations,
• intelligence gathering, and more.

Whilst some search engines do exist for the Dark Web, sites are usually hidden, and you’ll need to know the exact URL in order to find them.

Sites on the Dark Web use the Top Level Domain (TLD) ‘.onion’ as opposed to Clear Web TLDs such as ‘.com’ or ‘.co.uk’.

Deep Web

The Deep Web, also known as the
• Underground Web or
• Invisible Web,
is the part of the Internet that isn’t indexed by conventional search engines, such as Google or Bing. Either the site owners have prevented crawlers from indexing their site, or they have implemented access controls so that only their intended audience can access the site. The Deep Web is huge.

“Public information on the deep Web is currently 400 to 550 times larger than the commonly defined World Wide Web.”

Are the Dark Web and the Deep Web the same thing?

No. They’re different. Log in to your Amazon account – you’re on the Deep Web. Sign in to your Facebook – you’re on the Deep Web. These are web pages that are not indexed or publicly available; imagine if anyone could search on Google and find your private Amazon page with your order history, payment details, and more private information. Not everything on the Deep Web is illegal or shady; it’s just private pages that only certain people should have access to. Other examples include private forums, private membership pages, and online banking.

Why the Dark Web is Useful

The Dark Web has a number of benefits, and not just for cybercriminals. When considering its legitimate use, there are a number of obvious benefits:

Threat Intelligence Collection
A large amount of useful intelligence can be gathered from the dark web, such as malware and vulnerabilities for sale (which can help researchers and companies to fix these holes before they’re exploited on a mass scale), uncovering planning of cyberattacks on private forums (this intelligence can be used to inform the target organization so they can implement defenses), tracking threat actors online (attempting to uncover the identities of advanced hackers so they can be arrested for their crimes), and much more.

Law Enforcement Operations
Using the dark web, law enforcement officers can infiltrate private sites, forums, and marketplaces in order to collect evidence that would be used in the case of legal prosecution against individuals involved in illegal activity. By joining the criminals in cyberspace, police officers and other law enforcement units are able to take the fight straight to the bad guys, and work to shut down sites, collect intelligence, and disrupt criminal operations.

Freedom of Speech
In some countries the government works to closely monitor all communications and remove any that they do not agree with, an act called censorship. Using TOR, individuals from these countries can bypass internet restrictions such as website blocking, or get messages out to the wider world, letting them know what’s happening in their location.

Privacy
Whilst TOR does not provide 100% anonymity, it does provide more security in terms of privacy than using a normal browser such as Chrome. Due to the way TOR operates, your IP will be masked by a number of nodes, working like a VPN to hide your true address.

Associated Roles

Threat Analysts
Threat Analysts are responsible for ensuring that information about their company is as limited as possible on sources such as the Dark Web. This includes searching for discussions about future attacks, employee credentials in data breach dumps, and more. Whilst there are tools out there that scrape the Dark Web for intelligence, Threat Analysts may attempt to infiltrate forums or private websites themselves, depending on their exact job description.

Malware Analysts
Malware Analysts may attempt to retrieve malware samples from sources such as the Dark Web, in order to conduct analysis and gather Indicators of Compromise (IOCs) that can be used to help defend their organization by creating alerts or rules in different security systems such as SIEM, EDR, and IDPS. Dark Web marketplaces typically sell commodity malware (such as Remote Access Trojans (RATs) and keyloggers) as well as more advanced malware for the right price – knowing how to effectively defend against these is important, as it reduces the risk to the organization.

Security Researcher
Security Researchers are individuals that work to detect and report on security-related activity, and the Dark Web is an attractive scene for them, due to the illegal activity that takes place, including the sale of malware, selling access to compromised hosts, zero-day vulnerability sales, and much more. Researchers may choose to infiltrate underground forums and private sites in order to collect intelligence and share it with the world.

Law Enforcement
Law Enforcement agencies will work to detect illegal activities, gather evidence, and eventually take action. Examples of these Dark Web operations include the shutting down of Silk Road, which was previously the largest underground marketplace, known for its huge drug trade. In October 2013 the FBI shut down Silk Road and arrested the individual behind the site, who was sentenced to life in prison. Silk Road 2.0 was set up, and again taken down by the FBI, who arrested the new owner as part of ‘Operation Onymous’, which targets darknet marketplaces.

The UK’s National Crime Agency (NCA) has been recruiting intelligence officers for their “Darkweb Intelligence Collection and Exploitation” unit (DICE). Below is an archived version of their job description obtained from jobs.findyourflex.co.uk:

[Screenshot of the NCA job description; not reproduced in these notes.]
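To illustrate how the IOCs mentioned under Malware Analysts are turned into alerts, here is an added example that is not part of the course material: a small detection routine that matches SHA-256 hashes from EDR process-start events against an IOC list, the kind of rule a SIEM or EDR would run. The IOC hashes, hostnames and event lines are constructed (the hashes are computed from placeholder strings so the example runs offline); the event field names ts, host, image and sha256 are assumptions about a generic EDR export, not any vendor's schema.

```python
import hashlib
import json


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# IOC list as a malware analyst would hand it to the SOC: sha256 -> description.
# Hashes here are computed from placeholder strings purely so the example runs;
# a real list holds the hashes of the analysed samples.
IOC_SHA256 = {
    _sha256_hex(b"constructed sample: commodity RAT"): "Commodity RAT (constructed sample)",
    _sha256_hex(b"constructed sample: keylogger"): "Keylogger (constructed sample)",
}

# Constructed EDR process-start events, one JSON object per line. The third line is
# deliberately malformed and the fourth lacks a hash, as real exports sometimes do.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2024-02-14T21:00:01Z", "host": "WS-017",
                "image": "C:\\Windows\\System32\\notepad.exe",
                "sha256": _sha256_hex(b"benign notepad placeholder")}),
    json.dumps({"ts": "2024-02-14T21:00:07Z", "host": "WS-017",
                "image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe",
                "sha256": _sha256_hex(b"constructed sample: commodity RAT").upper()}),
    "this line is not JSON",
    json.dumps({"ts": "2024-02-14T21:01:15Z", "host": "WS-042",
                "image": "C:\\Temp\\update.exe"}),
    json.dumps({"ts": "2024-02-14T21:02:30Z", "host": "WS-042",
                "image": "C:\\Temp\\kl.exe",
                "sha256": _sha256_hex(b"constructed sample: keylogger")}),
])


def match_iocs(event_lines: str, iocs: dict):
    """Return (alerts, unparsed_count). Hashes are lower-cased before lookup because
    different tools emit different casing; events without a hash are simply skipped."""
    alerts, unparsed = [], 0
    for line in event_lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1
            continue
        digest = str(event.get("sha256", "")).lower()
        if digest in iocs:
            alerts.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "image": event.get("image"),
                "ioc": iocs[digest],
            })
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = match_iocs(SAMPLE_EVENTS, IOC_SHA256)
    for alert in found:
        print("ALERT", alert)
    print("unparsed lines:", bad)
```

Hash-based matching is the cheapest IOC to deploy and the easiest for an attacker to defeat by recompiling, so in practice it is paired with behavioural rules (the unusual image path in the second event is itself a signal); counting unparsed lines matters because a silent parser failure looks exactly like "no detections".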

The Good Guys - Intelligence Gathering

It’s important to note that different countries will likely have different regulations and laws when it comes to accessing the dark web for different purposes, and you should always research any applicable legal content before conducting dark web operations to ensure that you are not prosecuted for illegal activity. Involve your legal team or a consultant, and make law enforcement aware of what you’re doing. The below is based on information from the US Department of Justice.

Legal Activities
• Organizations are able to ‘passively’ collect threat intelligence from dark web sources. This means ‘scraping’ publicly-accessible sources is permitted. Organizations can silently watch and listen to activity on the dark web, and record it for other purposes such as dissemination or for selling to clients.
• Access private dark web forums legally. This goes hand-in-hand with the above point – provided individuals can gain legitimate access to a forum, they are permitted to scrape the contents for later analysis or sharing. Legal access in this context means that the individual(s) need to be invited into the forum (typically achieved by creating a fake online persona and performing social-engineering attacks against forum staff) or by purchasing access.
• Masquerade as a criminal on forums, asking for advice from criminals or hackers in order to collect intelligence. This must be well documented so that law enforcement knows this is for legitimate purposes and not genuine criminal activity.

Illegal Activities
• Providing dark web forums or private site staff with illegal material in order to gain access or build trust, such as malware or personal information that could be used to conduct crimes.
• Accessing forums or private sites by brute-forcing account credentials, exploiting a vulnerability, using compromised credentials belonging to another user, or impersonating a real person.
• Assisting individuals or parties in committing crimes by offering advice, information, money, or resources, as this makes you an accessory to any crimes that occur as a result.

Intelligence Gathering by Law Enforcement

It is common knowledge that law enforcement entities around the world monitor the dark web, infiltrate private sites and forums, and gather intelligence and evidence that can be used to prosecute criminals who hide behind the apparent anonymity provided by TOR and the dark web.

Below are some interesting cases where law enforcement has conducted large-scale operations within the dark web.

Operation Onymous
Silk Road was the largest and most well-known dark web marketplace, primarily used for the sale of illegal drugs around the world. The website launched in February 2011, but was shut down in October 2013 by the FBI, who arrested the founder, Ross Ulbricht. In November, Silk Road 2.0 was raised by the team behind the original website. A year later the site was once again shut down by law enforcement as a part of “Operation Onymous”, a joint effort headed by the FBI and Europol to “address the problems of malware, botnet schemes, and illicit markets or darknets” (1). Police forces in 17 different countries were involved, and it is thought that around 27 sites were taken over, preventing illegal activities from continuing. Over $1,000,000 in bitcoin was retrieved, along with other assets including gold, silver, cash, and drugs.

Hansa Dark Market Infiltration
• Hansa, similar to Silk Road, was previously the largest dark web marketplace in Europe, with 3600 dealers, 24,000 different drug-related products, and other miscellaneous sales of fake documents. As observed with Silk Road, when a marketplace is simply shut down by law enforcement, customers and traders simply move to one of the many other available sites. In the case of Hansa, in 2016 Dutch officers from the Netherlands National High Tech Crime Unit decided to infiltrate and take over a marketplace, rather than shut it off completely.
• Dutch investigators uncovered the identities of two Hansa administrators and gained access to both of their accounts, so they now had complete control over the site. In the following months, officers worked to uncover the identities of sellers and buyers by performing social engineering attacks, tricking users into opening files on their own systems which grabbed system information and geographical location, and edited the site code to perform passive reconnaissance and collect information from site visitors.
• This operation was believed to be “one of the most successful blows against the dark web in its short history: millions of dollars' worth of confiscated bitcoins, more than a dozen arrests and counting of the site’s top drug dealers, and a vast database of Hansa user information that authorities say should haunt anyone who bought or sold on the site during its last month online”.

Intelligence Gathering by Threat Intelligence Company

Here are just a few things that security teams could benefit from on the Dark Web:
• Information about cyber-attacks that are being planned or launched in the near future – allows security teams to prepare.
• Information about malicious actors selling access to companies – this can allow security teams to identify the compromised accounts or systems and kick the attacker out.
• Information about malicious actors selling malware and hacking tools – this can provide valuable indicators that a security team can proactively block (such as file hashes).
• Data breach dumps typically end up on the dark web, either freely available or sold at an auction – being able to access the list of breached credentials can help organizations to identify if any of their corporate accounts were included, so they can reset the passwords and ensure no malicious actors can gain access.

Example Company - https://www.recordedfuture.com/

The Bad Guys - Insight into Illegal Sites

DO. NOT. SEARCH. FOR. SITES. LIKE. THESE.
• If you click on one wrong link and your browser loads explicit material, such as child pornography, you are accountable for it and can be prosecuted for viewing it.
• If you click on one wrong link your system can be infected with malware that can steal or encrypt your files, leading to 2nd stage attacks such as blackmail.

Whilst illegal marketplaces do operate in the dark web, there are a vast number of fake sites and stores. These can either be operated by scammers, looking to take money then disappear, or by law enforcement setting up sting operations to catch individuals that are purchasing illegal goods. Let’s walk through a mock scenario where a criminal in the UK is looking to buy a firearm.

[Screenshot: a REAL site on the dark web that is supposedly selling handguns in the UK. This site could be run by scammers, law enforcement, or worse – a legitimate site.]
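As an added example (not from the course material), here is how a threat analyst might turn an obtained breach dump into a list of corporate accounts to reset, the task described under the data-breach-dumps point above and in the Threat Analyst role. The dump lines, addresses and passwords are constructed for the example, and example.com is an assumed corporate domain. The code matches on the full mail domain (and its subdomains) rather than a substring, so look-alike domains are not reported, and it keeps only a hash prefix of each leaked password so the report can be compared against the organisation's own directory without retaining plaintext.

```python
import hashlib
import re
from collections import OrderedDict

# Constructed sample of a "combo list" style dump: email and password per line,
# with the separator varying between dumps. Every value here is made up.
SAMPLE_DUMP = """\
alice@example.com:Summer2023!
bob@gmail.com:hunter2
carol@EXAMPLE.com;Passw0rd
alice@example.com:Summer2023!
not a valid line
dave@example.com.evil.net:Tr0ub4dor&3
erin@sub.example.com|correct horse
"""

# email, separator (: ; or |), then the rest of the line as the password
LINE_RE = re.compile(r"^\s*([^:;|\s]+@[^:;|\s]+)\s*[:;|]\s*(.*?)\s*$")


def password_fingerprint(password: str) -> str:
    """Short SHA-256 prefix of the leaked password: enough to compare against the
    organisation's own records, without storing the plaintext in the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def is_corporate(email: str, domains) -> bool:
    """True for an exact domain match or a subdomain of it. A substring test would
    also match look-alikes such as example.com.evil.net, so the check is exact."""
    domain = email.rsplit("@", 1)[1].lower()
    return any(domain == d or domain.endswith("." + d) for d in domains)


def find_exposed_accounts(dump_text: str, corporate_domains):
    """Return (report, skipped): one record per corporate account found in the
    dump, deduplicated, with each distinct leaked password as a fingerprint, plus
    the number of lines that could not be parsed."""
    domains = [d.lower() for d in corporate_domains]
    found = OrderedDict()
    skipped = 0
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        email, password = m.group(1).lower(), m.group(2)
        if not is_corporate(email, domains):
            continue
        record = found.setdefault(email, {"account": email, "fingerprints": set()})
        record["fingerprints"].add(password_fingerprint(password))
    report = [{"account": r["account"], "fingerprints": sorted(r["fingerprints"])}
              for r in found.values()]
    return report, skipped


if __name__ == "__main__":
    report, skipped = find_exposed_accounts(SAMPLE_DUMP, ["example.com"])
    for row in report:
        print(row)
    print("unparsed lines:", skipped)
```

The output is the reset list: three corporate accounts, with the look-alike domain and the duplicate line filtered out. Whether a leaked password is still the account's current one is decided by comparing fingerprints inside the directory, not by keeping the dump.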

Accessing the Dark Web

The Onion Router

The History of TOR

TOR was founded by individual researchers who worked at the US Naval Research Laboratory. David Goldschlag, Mike Reed, and Paul Syverson realized there was a distinct lack of internet security in the 1990s and saw how easy it was to perform surveillance, so they decided to find a solution that would work to protect the privacy of internet users. Their solution was onion routing.

The basic explanation for how onion routing works is that instead of traffic going from A > B it goes from A > C > J > K > B, and the traffic is encrypted at each part of the journey, making sure that it can’t be intercepted or sniffed during transit. This also meant that it was extremely difficult for B to identify where the request has come from (A).

For TOR to function, it needed a decentralized network – a large number of independently-owned servers (known as ‘nodes’) which worked together to form a network, which would later be named the ‘Tor network’. To make it accessible for new nodes to be created, in October 2002 the code for Tor was released as free and open-source software, and within a year there were 13 active Tor nodes.

The Electronic Frontier Foundation, a non-profit dedicated to defending civil liberties in the digital world, saw the importance of the Tor network in 2004 and began funding the work being completed by Roger Dingledine and Nick Mathewson. In 2006 they formed “The Tor Project, Inc”, a 501(c)3 non-profit organization, so they could receive funding in order to continue developing and maintaining Tor.

Tor Warning and Disclaimer

Before attempting to access TOR, for your own safety:
• Understand that there is the potential for you to come across offensive or explicit content, and you should be prepared to deal with viewing it.
• As an unregulated part of the internet, there is an increased risk of criminals or hackers trying to steal your data, get you to download malware, or attack your system through the browser. Make sure all software is up-to-date or disabled, such as Flash Player and your browser. Do not click on any links or navigate to any sites if you do not know what they are.
• Ensure you have an updated operating system, including security updates and patches.
• Ensure you have an up-to-date anti-virus solution and it is running.
• We highly recommend that you use a VPN, then use the TOR browser.

Tor download - https://www.torproject.org/

Accessing Tor

When using TOR, your request is encrypted, sent to your ISP, then moves on to TOR nodes, systems that are used to bounce requests around. After a number of bounces, your request will be decrypted and sent to the intended destination so that it is impossible to track where the original request actually came from.

Browsing Activity

Below is a list of the sites that you need to find, either using clear web or dark web search engines, to find their current URLs, and then answer an additional question by visiting them using the TOR browser.

• What is the current URL for the CIA mirror website on the dark web?
http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion/

• Visit the CIA mirror site and search for “Our Organization” on the “About” sub-menu. What is the first of the seven basic components of the CIA?
integrity; service; excellence; courage; teamwork; and stewardship

• What is the current URL for the ProPublica investigative journalism outlet?
https://www.propublica.org/
http://p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion/

• On the ProPublica site, click on “About” at the top. Copy and paste the first sentence under the heading “The Mission”.
To expose abuses of power and betrayals of the public trust by government, business, and other institutions, using the moral force of investigative journalism to spur reform through the sustained spotlighting of wrongdoing.
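The A > C > J > K > B chain described above can be made concrete with a small simulation. This is an added example written for these notes, not Tor's own code: it uses a constructed toy stream cipher (SHA-256 in counter mode with an HMAC tag) in place of Tor's real ciphers, pre-shares one symmetric key per relay with the client A instead of running Tor's per-hop key-exchange handshake, and names the relays C, J and K as in the text. It shows that each relay can only strip its own layer and learns only the previous and next hop, that the destination B sees only the exit relay K, and that the exit relay does see the payload itself, which is why end-to-end encryption to the destination still matters.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a toy stream cipher, constructed for this example.
    # Real Tor relays use AES-CTR with keys negotiated during circuit building.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || HMAC tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified byte is rejected before decrypting."""
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    body = blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer tampered with or wrong relay key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# One symmetric key per relay, shared with the client A. Constructed with os.urandom
# as an assumption of this example; Tor derives per-hop keys via its handshake.
RELAY_KEYS = {"C": os.urandom(32), "J": os.urandom(32), "K": os.urandom(32)}


def build_onion(path, destination, payload: bytes) -> bytes:
    """Wrap payload in one encryption layer per relay. The last relay's layer is
    innermost, so the wrapping walks the path in reverse order."""
    blob, next_hop = payload, destination
    for relay in reversed(path):
        cell = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = encrypt(RELAY_KEYS[relay], cell)
        next_hop = relay
    return blob


def relay_peel(relay: str, blob: bytes):
    """Everything a single relay can do: strip its own layer and learn the next hop."""
    cell = json.loads(decrypt(RELAY_KEYS[relay], blob))
    return cell["next"], bytes.fromhex(cell["inner"])


def route(path, destination, payload: bytes):
    """Send payload from A through the path to the destination, recording what each
    hop observes. Returns (observations, what_the_destination_receives)."""
    blob = build_onion(path, destination, payload)
    observations, prev = [], "A"
    for relay in path:
        next_hop, blob = relay_peel(relay, blob)
        observations.append({"relay": relay, "from": prev, "to": next_hop,
                             "sees_payload": blob == payload})
        prev = relay
    return observations, {"received_from": prev, "payload": blob}


if __name__ == "__main__":
    obs, delivered = route(["C", "J", "K"], "B", b"GET / HTTP/1.1")
    for o in obs:
        print(o)
    print(delivered)
```

Running the file prints that C sees only A and J, J sees only C and K, and K sees B plus the plaintext payload, while B learns nothing beyond K. Flipping any ciphertext byte, or handing a cell to the wrong relay, fails the HMAC check at that hop instead of producing garbage for the next one.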

Challenge Scenario

Last month we were informed about a huge drug trafficking network that was operating in the UK through the TOR network. In response to this situation we set to work and managed to dismantle their main TOR marketplace to stop drugs from reaching the streets of the UK. However, we were informed that one of the creators of this network managed to evade us and is now continuing to carry out this type of activity. This is where you come in. We think we have found the site that this individual uses to “tell their stories” regarding criminal activity.

We need you to find evidence that will allow us to identify this subject, relate it to drug
trafficking crimes, and bring them to justice. We know this is a difficult task, but we are
confident in your abilities, and we are sure that you will succeed.

1] Gain access to the site (Visit the URL, click on ‘Start Challenge’ button. When presented with
a login screen, right-click and select “Inspect Element”. Select the ‘Console’ tab and enter in the
command: generateUserCredentials(). Decode the answer, and you’re good to go!)

    function generateUserCredentials() {
      // Picks one username and one password at random from single-element lists,
      // so the result is always the same pair, and prints it to the browser console.
      let ret = '';
      const usrs = ["KF7ybuD1"];
      const pswds = ["AIyhfot0V9VIWm6W"];
      ret = "USR:" + usrs[Math.floor(Math.random() * usrs.length)]
          + " , PASS: " + pswds[Math.floor(Math.random() * pswds.length)];
      console.log(ret); // the copied snippet was truncated after "cons" at this point
      return ret;
    }

2] Find evidence that the individual is involved in drug trafficking


3] Find any information about the next shipment that is coming in, so we can seize it

New Section 1 Page 1


function generateUserCredentials()
USR:KF7ybuD1 , PASS: AIyhfot0V9VIWm6W

siteusername1- Wousbacan
siteusername2- DarkChest984

Country: Germany
Country: United Kingdom

Date: 17/8/20XX
Date: 23/8/20XX

Date: 26/10/20XX

31st October
51°56'57.2"N 1°19'26.1"E

====

Board categories on the challenge site (title, then the post description):

• Authentic Swiftzerland's chocolate: you're tired of not finding good chocolate? This post is for you.
• Guns: WANNA KNOW HOW TO BUY YOUR GUNS?, THIS IS FOR YOU
• Recreational Drugs Buying/Selling: Let the party begins! (Everything you wanna know about drug dealing)
• Hey dude... wanna candy? (The real D king!): Deliver the package, collect the money and live like a king!
• BBB Organs for sale: Are you such an alcoholic that your kidney stopped working? Don't worry, we can get you a new one.
• No more silence (Politics): THEY'LL NEVER SHUT US UP AGAIN, FREE THE COUNTRY!!!
• Love Scales (Reptile Sales): We all love these little cute and beautiful reptiles, come and get one :3


Challenge notes:

Credentials: KF7ybuD1 / AIyhfot0V9VIWm6W
Username: DarkChest984
Country: United Kingdom
Date: 26/10/20XX
Hexadecimal
Date: 31/10/20XX
Coordinates: 51°56'57.2"N 1°19'26.1"E
