Greetings, fellow code warriors! 🤟 If you’re here, I reckon you’ve already got your hands dirty with the basics of cyber threat intelligence. Well, buckle up, because today we’re diving deep into the abyss of the dark web and I’ll tell you how to snoop around TOR like a pro! We’re talking red pills, black hoods, and some freaky rabbit holes! 🎩🐇

Let’s start off with some techno-punk razzle-dazzle, shall we?

Enter the Dark Side of the Internet

Imagine a vast city with hidden alleys, underground clubs, and marketplaces where information is currency. This, my friends, is the Dark Web - an encrypted network within the deep web, where anonymity is the norm and only the brave venture.

Why Should We Care?

  • Underground Markets: From zero-days to botnets, the dark web is a treasure trove for hackers.
  • Command-and-Control (C2) Servers: Malicious actors use TOR hidden services to operate C2 infrastructure.
  • Information Gathering: The dark web is full of leaked credentials, PII, corporate secrets, and blackmail material.

Chapter 2: Anatomy of the Dark Web – The Onions Have Layers!

What is TOR? TOR, or The Onion Router, encrypts and bounces your network traffic across various nodes to hide your identity. It’s like cyber-ninja-level stealth!

Tor Hidden Services

Real-world example: Silk Road, the notorious darknet marketplace, used TOR hidden services to stay anonymous. Oh, and Facebook has a .onion address. Yeah, you read that right!

These services have funky .onion TLDs (Top Level Domains) and can only be accessed through the TOR network.

Example Time! 🎉 Let’s Access TOR Hidden Services.

Fire up the Tor Browser and we’re ready to rock. Want to set up a hidden service? Get a taste of this:

sudo apt install tor
echo "HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080" | sudo tee -a /etc/tor/torrc
sudo service tor reload

Get your .onion address:

sudo cat /var/lib/tor/hidden_service/hostname
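What that hostname file actually contains, as an added example (not code from the original post or from the Tor project): a v3 address is base32 over the service's 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and a version byte (0x03), so an address scraped from a forum can be checked for well-formedness before it goes into an indicator list. The key bytes used in the self-test are constructed, not a real service key.

```python
import base64
import hashlib

# v3 onion address layout (Tor rend-spec-v3): base32(PUBKEY | CHECKSUM | VERSION)
# where PUBKEY is the 32-byte Ed25519 key, VERSION is 0x03 and
# CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of the SHA3-256 checksum over prefix, key and version."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address a service with this Ed25519 public key would publish."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address: str) -> str:
    """Return 'v3' for a checksum-valid address, 'v2' for a retired 16-char one,
    and 'invalid' for anything else."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    try:
        raw = base64.b32decode(label.upper())  # base32 alphabet only: a-z, 2-7
    except ValueError:
        return "invalid"
    if len(label) == 16:
        # v2 addresses (80-bit hash) were retired by Tor in 2021 and no longer resolve
        return "v2"
    if len(label) != 56:
        return "invalid"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_v3_checksum(pubkey):
        return "invalid"
    return "v3"


if __name__ == "__main__":
    # Constructed key bytes, not a real service key
    sample = encode_onion_v3(bytes(range(32)))
    print(sample, classify_onion(sample))
    print("msydqstlz2kzerdg.onion", classify_onion("msydqstlz2kzerdg.onion"))
```

The checksum catches typos and deliberately mangled addresses posted to throw off scrapers. The 16-character form (such as the Ahmia address quoted later on the page) is the retired v2 format, so indicators in that form are stale.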

Who’s Watching the Watchers? Investigation Tools for TOR

Let’s roll with some cool tools:

  • OnionScan: Scans .onion sites to identify vulnerabilities.
git clone https://github.com/s-rah/onionscan.git
cd onionscan
go run onionscan.go --webport 8080
  • Ahmia: A search engine for finding .onion sites.
  • TorBot: Crawls deep into the dark web for juicy intel.
git clone https://github.com/DedSecInside/TorBot.git
cd TorBot
python3 torBot.py -u <onionURL>

Dark Web Analysis for Threat Intelligence

Alright my friends, let’s crank it up a notch. Time to sharpen those skills and delve into the nitty-gritty!

Case Study: Catching Slavik, The Zeus Botmaster

Remember Slavik? That’s the pseudonym of Evgeniy Bogachev, the black-hat extraordinaire behind the infamous Zeus Trojan. He orchestrated one of the largest bank heists in history with his malware, amassing a staggering fortune.

Let’s break down how the cybersecurity experts and law enforcement agencies went on a wild goose chase, tracking Slavik down.

Building a Profile

Slavik was a ghost. However, ghosts do leave trails. He was highly active on TOR-based forums, especially Darkode. He was also notorious for his posts on Zeus configurations and Jabber IDs.

Tools and Techniques

Here’s a look at what the white-hats used to unmask him:

  • Digital Forensics: Analyzed Zeus configurations and samples to link them back to Slavik.
  • Social Engineering: Infiltrated forums to gain Slavik’s trust and extract information.
  • Bitcoin Analysis: Tracked down the flow of Bitcoins to get closer to his real-world identity.

Lessons Learned

  1. Anonymity is Hard to Maintain: One slip-up, like using a personal email just once, can bring down the whole facade.
  2. Collaboration is Key: The global cybersecurity community and law enforcement had to work in sync to catch Slavik.

Scouring Forums and Marketplaces

Dark web forums like Darkode, Hell, and Exploit.in are dens for hackers. They contain exploits, tools, and malware.

How to Infiltrate These Forums

  1. Establish Credibility: You need to earn street-cred. Be active, contribute, and build a reputation.
  2. Vouching System: Some forums require an existing member to vouch for you.
  3. Paid Entry: Sometimes, entry into these forums costs money or Bitcoin.

Advanced Web Scraping Techniques

Extracting data from forums requires automation. Python, my beloved serpent, is here to aid you.

  • Selenium: For AJAX-loaded content, traditional HTTP requests don’t cut it. Selenium mimics user interaction, making it perfect for scraping complex websites.
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options

# Point Firefox at the local Tor SOCKS proxy (9050 for the tor daemon, 9150 for Tor
# Browser); socks_remote_dns keeps DNS lookups inside Tor instead of leaking them
options = Options()
options.set_preference("network.proxy.type", 1)
options.set_preference("network.proxy.socks", "127.0.0.1")
options.set_preference("network.proxy.socks_port", 9050)
options.set_preference("network.proxy.socks_version", 5)
options.set_preference("network.proxy.socks_remote_dns", True)
browser = webdriver.Firefox(options=options)

browser.get("http://exampledarkwebforum.onion")

# find_elements_by_* was removed in Selenium 4; use the By locator API
posts = browser.find_elements(By.CLASS_NAME, "post")
for post in posts:
    print(post.text)
browser.quit()
  • Proxychains: Proxychains is a tool that forces all TCP connections to go through a proxy. It’s a must-have for scraping the dark web.
proxychains python script.py

Mining Threat Intelligence

Once you’ve scraped data from forums, it’s time to sift through the noise.

  • Natural Language Processing (NLP): Use NLP to understand the context behind the text. Libraries like NLTK or spaCy are your friends here.
  • IoC Extraction: Extract Indicators of Compromise (IoCs) such as IP addresses, URLs, or file hashes.
  • Threat Hunting: Proactively search through datasets to identify threats before they hit.
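The IoC extraction step above as an added example (not code from the original post): regexes for the indicator types named, re-fanging of the `hxxp://` and `[.]` forms analysts use when they share indicators, validation of IP candidates, separation of RFC 1918 and loopback addresses that are never useful as external indicators, and a defang helper for the report. The forum post and the .onion address in it are constructed.

```python
import ipaddress
import re

# Regexes for the IoC types named above. Analysts post indicators "defanged"
# (hxxp://, 1.2.3[.]4) so they cannot be clicked by accident; the text is
# re-fanged before matching and defanged again before it goes into a report.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""\bhttps?://[^\s<>"']+""", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b", re.IGNORECASE)

# Ranges that are never a useful external indicator (RFC 1918 and loopback)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def refang(text: str) -> str:
    """Undo common defanging so the regexes see real URLs and dotted quads."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report (hxxp, [.])."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(text: str) -> dict:
    """Pull IoCs out of scraped text, validating IPs and separating internal ranges."""
    clean = refang(text)
    found = {"ipv4": set(), "internal_ipv4": set()}
    for candidate in IPV4_RE.findall(clean):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # 999.1.1.1 matches the regex but is not an address
            continue
        bucket = "internal_ipv4" if any(addr in net for net in INTERNAL_NETS) else "ipv4"
        found[bucket].add(str(addr))
    found["url"] = {u.rstrip(".,;:)") for u in URL_RE.findall(clean)}
    found["sha256"] = {h.lower() for h in SHA256_RE.findall(clean)}
    found["md5"] = {h.lower() for h in MD5_RE.findall(clean)}
    found["onion"] = {o.lower() for o in ONION_RE.findall(clean)}
    return found


# Constructed sample post; the hashes are filler and the .onion is format-valid
# but not a real service
FAKE_ONION = "constructedv3addressforillustration" + "234567" * 3 + "234" + ".onion"
FAKE_SHA256 = "ab" * 32
FAKE_MD5 = "cd" * 16
SAMPLE_POST = f"""Loader is live at hxxp://203.0.113[.]45/panel/gate.php, fallback c2 198.51.100.7:443.
Tested from my lab box 192.168.1.10 and 999.1.1.1 (typo). Mirror: {FAKE_ONION}
dropper sha256 {FAKE_SHA256} md5 {FAKE_MD5}"""

if __name__ == "__main__":
    for kind, values in sorted(extract_iocs(SAMPLE_POST).items()):
        print(kind, sorted(defang(v) for v in values))
```

The internal bucket is kept rather than dropped: a lab address in a post says nothing about the attacker's infrastructure, but it is still context worth keeping with the record.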

Real-World Example: Shadow Brokers Leak

Shadow Brokers, a mysterious group, leaked a treasure trove of alleged NSA hacking tools and exploits. The subsequent analysis revealed zero-days and also allowed researchers to link the WannaCry ransomware to the Lazarus Group.

Utilizing Dark Web Search Engines

Even the dark web has search engines! Ahmia and Grams are popular ones.

  • Ahmia: Indexes TOR hidden services and provides search capabilities.
  • Grams: Tailored for dark markets, it lets you search for products on several dark web markets.
Querying Ahmia via Python

import requests
from bs4 import BeautifulSoup

# socks5h: the proxy resolves the hostname, so .onion lookups never leave Tor
proxies = {"http": "socks5h://localhost:9150", "https": "socks5h://localhost:9150"}
search_url = "http://msydqstlz2kzerdg.onion/search/?q=exploits"
response = requests.get(search_url, proxies=proxies, timeout=60)
response.raise_for_status()
# Extract result links using Beautiful Soup
soup = BeautifulSoup(response.content, "html.parser")
for link in soup.select("a[href]"):
    print(link["href"])

Cyber Threat Intelligence Feeds

Augment your analysis with intelligence feeds like AlienVault OTX, IBM X-Force Exchange, and Anomali ThreatStream.

Tools of the Trade

  • Maltego: Used for information gathering and link analysis.
  • RiskIQ: For external threat management and security intelligence.

Legality and Ethics

Let’s get real for a sec. Treading on the dark web ain’t a walk in the park. You need to be responsible and understand the legalities.

  • No Vigilantism: You ain’t Batman! Working with the law is key.
  • Know the Laws: Hacking laws differ across jurisdictions; know where the line is.
  • Ethics: If you find some seriously dark stuff, report it to the authorities. Take a stand!

The Future of Dark Web Analysis

Hold onto your keyboards, folks, because the future of dark web analysis is blazing! From AI to quantum computing, let’s deep dive into what’s around the corner.

AI-Powered Dark Web Analysis

Artificial intelligence is revolutionizing dark web analysis by automating and enhancing various aspects of the process. Here’s how:

NLP for Enhanced Text Analysis

We touched upon NLP earlier, but the future is even more enticing. Sentiment analysis, entity recognition, and machine translation are just the beginning.

  • Sentiment Analysis: Determine if a forum post is signaling an upcoming attack or sharing exploit code.
  • Entity Recognition: Automatically extract entities like names, places, and cryptocurrencies from the unstructured text.

Predictive Analytics

Predictive analytics using AI can help forecast cyber attacks and trends. For instance, an uptick in the chatter about a specific vulnerability might signal an upcoming exploit.

Automated Image and Video Analysis

Analyzing images and videos on the dark web for hidden messages or malicious content manually is like finding a needle in a haystack. AI-driven image recognition and video analysis are game-changers.

Quantum Computing – The Cryptographer’s Nightmare

The advent of quantum computing may turn the cryptographic foundations of the dark web into dust. Post-quantum cryptography is already a hot research topic.

  • Breaking TOR: Quantum computers could potentially de-anonymize TOR traffic by breaking the underlying cryptographic protocols.
  • Quantum-Resistant Algorithms: The community is already working on cryptographic algorithms that can withstand the power of quantum computing.

Blockchain for Dark Web Analysis

Blockchain can provide unique solutions for dark web analysis.

  • Decentralized Intelligence Sharing: Blockchain can be used for secure, anonymous sharing of threat intelligence across organizations.
  • Tracking Cryptocurrency Transactions: New blockchain analysis tools are emerging to track not just Bitcoin but also privacy coins like Monero.

Enhanced Anonymity and Decentralization

The dark web itself is evolving, with users demanding even more secure and anonymous communication methods. This is leading to the development of next-generation anonymity networks.

  • Mix Networks: These networks employ cryptographic routing and random delays to provide anonymous communications, which might replace or augment the existing TOR network.

The Rise of Decentralized Markets

The future dark web markets might be decentralized, making them more resilient to takedowns. They might operate similar to how blockchain-based, decentralized applications (DApps) work.

The Role of IoT

With the proliferation of IoT devices, the dark web might see a surge in compromised device data trading and botnets controlled through dark web backbones.

As cyber threats become more global, international cooperation is paramount. There’s a need for harmonized legislation and joint operations to tackle the dark web’s challenges.

The Crypto Dimension

Fasten your seat belts, cryptonauts! We’re about to dive into the swirling vortex of cryptocurrencies in the dark web. If there was ever a more potent duo than peanut butter and jelly, this is it. Cryptocurrencies are the lifeblood of the dark web. Let’s decode this cryptic saga.

The Advent of Bitcoin and the Dark Web

In the early days, the dark web was all about Bitcoin. Its pseudo-anonymous nature made it the currency of choice for buying illicit goods and services. Bitcoin transactions, though traceable through the blockchain, offered a level of anonymity that was hitherto unavailable.

Rise of Privacy Coins

But as the blockchain analysis tools grew, so did the paranoia amongst the dark denizens. Enter privacy coins – Monero (XMR), Zcash (ZEC), and Dash.

  • Monero (XMR): Monero is now considered the gold standard for anonymous transactions. It uses stealth addresses and ring signatures to ensure that the origin, amount, and destination of all transactions remain private.
  • Zcash (ZEC): Zcash offers selective transparency, allowing users to choose whether to make a transaction public or private.
  • Dash: Initially known as Darkcoin – Dash offers PrivateSend transactions that obscure transactions through a mixing mechanism.

Tumbling and Mixing Services

A cryptocurrency tumbler, or mixing service, mixes potentially identifiable or ‘tainted’ cryptocurrency funds with others, making it difficult to trace the funds’ original source.

  • Bitcoin Mixing Services: These services take the Bitcoins from multiple users and send them in a pooled transaction, further dividing them into several addresses, making tracing incredibly hard.
  • Monero as a Mixer: Some users convert Bitcoin to Monero and back to Bitcoin to break the traceability.

Cryptocurrency in Malware Economy

Cryptocurrency is the currency of choice for ransom payments. From WannaCry to the latest strains, Bitcoin and Monero addresses are now a common sight in ransom notes.

But there’s more to it:

  • Crypto Mining Malware: Unauthorized mining (cryptojacking) is rampant. Monero is a favorite due to its CPU-friendly mining process.
  • RaaS (Ransomware as a Service): Emerging RaaS platforms in the dark web use cryptocurrencies for transactions. Users can “rent” ransomware infrastructure in exchange for a share of the profits.

Buying Exploits and Tools

Dark web marketplaces like AlphaBay, Silk Road, and Hansa have been the go-to places for buying exploits, tools, and data.

  • Exploit Kits: From Zeus to Angler, exploit kits are in high demand and are bought using cryptocurrencies.
  • Zero-Days: These unknown exploits can fetch a high price in both clearnet and dark web markets. They are often transacted in cryptocurrencies for added anonymity.

Procuring Hacking Infrastructure

Cryptocurrency also fuels the dark economy by enabling hackers to procure infrastructure.

  • Buying Botnets: Hackers use cryptocurrencies to buy access to botnets like Mirai or rent a stresser/booter service for DDoS attacks.
  • Hosting Services: The dark web offers various hosting services, and they usually only accept cryptocurrencies. These hosting services are often used for C&C servers, dropzones, and phishing campaigns.

Blockchain Analytics and De-Anonymization

As the usage of cryptocurrency on the dark web evolved, so did the tools for analyzing the blockchain. Companies like Chainalysis, Elliptic, and CipherTrace are at the forefront.

  • Tracing Transactions: By analyzing the blockchain, it is sometimes possible to trace transactions back to an exchange. This could lead to potential identification if KYC (Know Your Customer) data is obtained.
  • Clustering Techniques: By analyzing various parameters of transactions, addresses can be “clustered” together, likely linking them to a single user.
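The clustering technique above as an added example (not code from Chainalysis, Elliptic or CipherTrace, whose methods are proprietary): a union-find over transaction inputs applying the common-input-ownership heuristic, then a lookup of which cluster paid a labelled exchange deposit address, which is where the KYC record mentioned above would live. Transactions, address names and the tag table are all constructed.

```python
from collections import defaultdict

# Constructed sample: each transaction lists the addresses that signed its inputs
# and the addresses it paid. Real data would come from a node or a block indexer.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["addrA1", "addrA2"], "outputs": ["addrB1", "addrA4"]},
    {"txid": "tx2", "inputs": ["addrA2", "addrA3"], "outputs": ["exch_deposit_7"]},
    {"txid": "tx3", "inputs": ["addrC1"], "outputs": ["addrC2"]},
    {"txid": "tx4", "inputs": ["addrA4"], "outputs": ["addrB2"]},
]
# Constructed attribution table, e.g. deposit addresses an exchange confirmed as its own
TAGGED = {"exch_deposit_7": "Exchange X deposit address"}


class UnionFind:
    """Disjoint sets with path compression; each address starts in its own set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: all inputs of one transaction were signed
    by the same wallet, so its input addresses are merged into one cluster."""
    uf = UnionFind()
    for tx in txs:
        first = tx["inputs"][0]
        uf.find(first)  # register single-input transactions too
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(address, clusters):
    """Return the cluster containing the address, or None if never seen as an input."""
    return next((c for c in clusters if address in c), None)


def tagged_counterparties(txs, clusters, tagged):
    """Map each cluster to the labelled addresses it has paid."""
    hits = defaultdict(set)
    for tx in txs:
        payer = cluster_of(tx["inputs"][0], clusters)
        for out in tx["outputs"]:
            if out in tagged:
                hits[payer].add(tagged[out])
    return dict(hits)


if __name__ == "__main__":
    clusters = cluster_by_common_input(SAMPLE_TXS)
    for c in clusters:
        print(sorted(c))
    print(tagged_counterparties(SAMPLE_TXS, clusters, TAGGED))
```

Only the common-input rule is applied, so addrA4 (an output of tx1 later spent on its own) stays in a cluster of its own; commercial tools layer a change-address heuristic on top to merge such cases, and mixing services exist precisely to break the common-input assumption.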

The Art of Steganography

Steganography - the ancient art of hiding data within data. It’s a hot topic on dark web forums.

  • Steghide: Embeds data within image and audio files.
steghide embed -cf image.jpg -ef secret.txt
  • zsteg: Detects hidden data in PNG and BMP files.
zsteg -a image.png
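To show what a detector like zsteg is walking when it iterates bit planes, here is an added, self-contained LSB example in Python (not code from the original post or from the steghide or zsteg projects). It writes a length-prefixed payload into the least significant bit of a constructed byte carrier, then shows the plane extraction and a printable-text score an analyst would use to triage a suspicious plane. Real tools operate on decoded pixel samples; the carrier here is a plain byte ramp so it runs without image libraries.

```python
from typing import Optional


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write a 32-bit big-endian length prefix plus payload, one bit per carrier
    byte, into the least significant bit of each byte."""
    message = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def lsb_plane(data: bytes) -> bytes:
    """Pack the least significant bit of every byte, MSB first, into a byte stream."""
    out = bytearray()
    for i in range(0, len(data) - len(data) % 8, 8):
        value = 0
        for j in range(8):
            value = (value << 1) | (data[i + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> Optional[bytes]:
    """Recover a length-prefixed payload from the LSB plane, or None when the
    decoded length is implausible (the usual result on an untouched carrier)."""
    plane = lsb_plane(stego)
    if len(plane) < 4:
        return None
    length = int.from_bytes(plane[:4], "big")
    if length == 0 or length > len(plane) - 4:
        return None
    return plane[4:4 + length]


def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII bytes; a high value on an extracted plane is a
    triage signal worth a closer look."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


# Constructed carrier (a repeating byte ramp) and payload, not a real image
CARRIER = bytes(range(256)) * 4
PAYLOAD = b"meet at 0200"

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, PAYLOAD)
    print("untouched carrier ->", extract_lsb(CARRIER))
    recovered = extract_lsb(stego)
    print("stego carrier     ->", recovered, printable_ratio(recovered))
```

The length prefix is what makes the untouched carrier decode to nothing; without one, every plane "contains" a payload and triage has to fall back to statistics such as printable ratio or chi-square tests over value pairs.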

Real-world Example: Operation Shrouded Horizon

Darkode, the infamous cybercriminal forum, used image steganography to hide secret messages. The FBI busted them in Operation Shrouded Horizon.

PGP – The Keeper of Secrets

All hail Pretty Good Privacy (PGP), the unsung hero in the shadows. PGP is the Gandalf of encryption - wise, robust, and pretty darn good at keeping secrets. Let’s decrypt this enigmatic wizardry!

What is PGP?

PGP, or Pretty Good Privacy, is a data encryption and decryption program that provides cryptographic privacy and authentication for data communication. Initially developed by Phil Zimmermann in 1991, it’s the golden standard for secure communication in the cyber realm. It uses a combination of symmetric-key cryptography and public-key cryptography.

How Does PGP Work?

  • Key Generation: PGP generates a pair of keys: a public key and a private key.
  • Encryption: When someone wants to send an encrypted message, they use the recipient’s public key to encrypt the message.
  • Decryption: The recipient uses their private key to decrypt it.

Legitimate Uses of PGP

  • Secure Communication: Emails encrypted with PGP are only readable by the intended recipient.
  • File Encryption: PGP is not just for emails – it can encrypt just about any form of data.
  • Digital Signatures: PGP can be used to sign data, software, or documents, verifying the authenticity and integrity.

Case Study: Edward Snowden and PGP

Edward Snowden, the infamous NSA whistleblower, used PGP encryption to communicate securely with journalists when leaking classified documents. It is a classic example of using PGP for maintaining privacy and secure communication.

PGP in The Dark Web - A Double-Edged Sword

In the dark web, PGP is a sword that cuts both ways. It’s a tool for good and a shield for the malicious.

  • Securing Criminal Communications: Drug dealers, hackers, and other criminals use PGP to secure their communications.
  • Marketplace Transactions: When you’re buying zero-days on the dark web, you don’t want anyone snooping. PGP is often mandated for vendor-buyer communication in dark web marketplaces.
  • Validating Identity: Dark web personalities often sign messages with their PGP key to prove their identity.

Analyzing PGP – Peeling the Onion

As seasoned cyber warriors, we must sometimes attempt to peel the PGP onion. Here’s how:

Traffic Analysis

While you can’t easily break PGP encryption, you can analyze the metadata. Look at the timestamps, frequency, and size of PGP-encrypted messages to correlate them with other events.

Key Analysis

  • Key Servers: There are public PGP key servers. Search for a target’s public key, and you might find their pseudonym or even real name attached.
  • Web of Trust: PGP keys can be signed by other users. Analyzing the web of signed keys can reveal associations between entities.
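The web-of-trust analysis above as an added example (not code from the original post): certifications form a directed graph, and the questions an analyst asks of it are a shortest trust path from a key they already trust, which pairs certified each other, and which keys are linked at all. Fingerprints and user IDs here are constructed; real input would be a keyserver listing or the output of `gpg --list-sigs`.

```python
from collections import defaultdict, deque

# Constructed key directory (fingerprint -> user ID) and certifications
# (signer, signee); none of these are real keys.
KEYS = {
    "FP-ALICE": "alice <alice@example.net>",
    "FP-BOB": "bob <bob@example.net>",
    "FP-CAROL": "carol <carol@example.net>",
    "FP-VENDOR": "vendor_x (marketplace key)",
    "FP-LONER": "loner <loner@example.net>",
}
SIGNATURES = [
    ("FP-ALICE", "FP-BOB"), ("FP-BOB", "FP-ALICE"),
    ("FP-BOB", "FP-CAROL"), ("FP-CAROL", "FP-VENDOR"),
    ("FP-VENDOR", "FP-CAROL"),
]


def build_graph(signatures):
    """Directed adjacency: signer -> set of keys it has certified."""
    graph = defaultdict(set)
    for signer, signee in signatures:
        graph[signer].add(signee)
    return graph


def trust_path(graph, start, target):
    """Shortest chain of certifications from start to target (BFS), or None.
    Direction matters: A certifying B says nothing about B certifying A."""
    if start == target:
        return [start]
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for nxt in graph.get(path[-1], ()):
            if nxt in seen:
                continue
            if nxt == target:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def mutual_certifications(signatures):
    """Pairs that certified each other, the strongest association signal in the graph."""
    sigs = set(signatures)
    return {frozenset((a, b)) for a, b in sigs if (b, a) in sigs}


def components(keys, signatures):
    """Groups of keys linked by any certification, ignoring direction."""
    adjacent = defaultdict(set)
    for a, b in signatures:
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen, groups = set(), []
    for key in keys:
        if key in seen:
            continue
        stack, group = [key], set()
        while stack:
            k = stack.pop()
            if k in group:
                continue
            group.add(k)
            stack.extend(adjacent[k] - group)
        seen |= group
        groups.append(frozenset(group))
    return groups


if __name__ == "__main__":
    graph = build_graph(SIGNATURES)
    print(trust_path(graph, "FP-ALICE", "FP-VENDOR"))
    print(mutual_certifications(SIGNATURES))
    print([sorted(KEYS[k] for k in g) for g in components(KEYS, SIGNATURES)])
```

A path proves only that each key in the chain certified the next one; PGP's own validity calculation also weighs how far each signer is trusted, which is why a long path through strangers is worth little.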

Cryptanalysis Attacks

  • Known-Plaintext Attack: If you can obtain an encrypted message and its plaintext, you might be able to discover patterns or weaknesses in the encryption.
  • Social Engineering: Sometimes the best cryptanalysis is done outside the computer. Convincing someone to reveal their private key or passphrase is the holy grail.

Cracking PGP encryption or obtaining private keys should always be conducted within legal boundaries and ethical guidelines. This is a powerful tool, and with great power comes great responsibility.

TOR Vulnerabilities (Expanded Version)

Ah, TOR, the crown jewel of the dark web. But remember, even a fortress can have its weaknesses. Let’s dig into some of the chinks in TOR’s armor.

Traffic Analysis Attacks

When your adversary is a nosy network observer, traffic analysis attacks are what you should worry about.

Correlation Attacks

  • Timing Attacks: By analyzing the timing of traffic entering and exiting a TOR relay, an adversary might correlate the traffic and de-anonymize the user. Timing attacks require monitoring both ends of the communication to match the patterns.

  • Size-based Attacks: An attacker might use the size of packets to correlate traffic flows. By observing unique sizes or patterns, they can link the source to its destination.

Guard Discovery Attacks

Guard nodes are your first point of contact in the TOR network. If an attacker can figure out which guard node you are using, they can perform targeted attacks against that node.

  • HSDir Attack: In this attack, the attacker sets up several HSDir (Hidden Service Directory) relays. They wait for a hidden service to publish its descriptor to the attacker’s HSDir, allowing them to discover the guard node of the hidden service.

Compromised Relay Attacks

If an attacker can compromise or control a significant number of relays, they can launch a range of attacks.

Sybil Attacks

In a Sybil attack, the attacker floods the TOR network with relays they control. This increases the chance that users will choose malicious relays, which can then be used for traffic analysis or to manipulate the traffic.

End-to-End Compromise

If an attacker controls both the entry and exit nodes in a TOR circuit, they can potentially correlate the traffic and de-anonymize the user. This attack is more practical if the attacker has a large number of relays.

Application Layer Attacks

Sometimes, the TOR network is not the weakest link; it’s the applications using it.

Browser Exploits

TOR is often accessed via browsers like TOR Browser. An attacker can exploit vulnerabilities in the browser itself to de-anonymize users or execute malicious code. The FBI used this method in Operation TORMENTED to identify users accessing illicit content.

SSL Stripping

This attack involves downgrading the traffic from HTTPS to HTTP at the exit node. This can potentially expose sensitive information to the exit relay operator. To mitigate this, always ensure that the websites you visit over TOR are using HTTPS.

Deanonymization via Protocols

Certain network protocols can also lead to de-anonymization.

DNS Leaks

When using TOR, if the DNS requests are not routed through the TOR network, they may leak to the local network, exposing the websites you are accessing.

Bitcoin Transaction Analysis

If a user makes a Bitcoin transaction over TOR, an attacker might use transaction analysis in conjunction with traffic analysis to de-anonymize the user.

Autonomous System (AS) Traffic Analysis

When the TOR traffic passes through networks controlled by a single organization (AS), the organization can potentially analyze the traffic patterns to de-anonymize users. This is more of a global adversary model.

Defense and Countermeasures

  • Utilize Bridges: Use TOR bridges to hide the fact that you are accessing the TOR network, especially in regions where TOR usage is monitored or blocked.

  • Keep Software Updated: Regularly update the TOR browser and underlying system software to mitigate the risk of exploits.

  • Use HTTPS: Ensure that sites accessed through TOR use HTTPS to encrypt the traffic between the exit relay and the destination server.

  • Awareness and Practices: Be aware of the risks and adopt safe practices. Avoid providing personal information and be cautious with the protocols and services used over TOR.
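The bridge and DNS points from the list above as a torrc fragment. This is an added example, not configuration from the original post; the Bridge line is a placeholder and must be replaced with lines obtained from the Tor Project's bridge distributor (bridges.torproject.org), and obfs4proxy must be installed at the path given.

```text
# Hide the fact that you are connecting to Tor by entering through a pluggable
# transport bridge instead of a publicly listed guard relay
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 <BRIDGE_IP>:<PORT> <FINGERPRINT> cert=<CERT> iat-mode=0

# Give local tools a resolver that answers through Tor, so a DNS lookup does not
# leak the name you are about to visit to the local network (applications that
# speak SOCKS should use socks5h so the proxy resolves the name itself)
DNSPort 127.0.0.1:5353
```

After a `systemctl reload tor` (or `service tor reload`, as used above), `dig @127.0.0.1 -p 5353` should answer through Tor; a lookup that still appears on the LAN resolver's logs is the DNS leak the section above describes.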

Leveraging Automation for Dark Web Analysis

Automation is vital in today’s fast-paced cyber realm.

  • Photon: Scrapes data from websites, including the dark web.
git clone https://github.com/s0md3v/Photon.git
python3 photon.py -u <onionURL>
  • SpiderFoot: OSINT automation tool for reconnaissance.
git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot && python3 sf.py -m <target>

The Evolving Landscape – Beyond TOR

Grab your virtual machetes, cyber warriors, because we are about to venture into the uncharted territories beyond TOR. The dark web landscape is evolving, and with it, new networks are arising.

I2P: The Invisible Internet Project

I2P, my friends, is another layer of the dark web. Often referred to as the network within the dark web, I2P was designed with hidden services in mind.

How it works

  • Tunnel-Based: I2P uses unidirectional tunnels for sending and receiving data. Unlike TOR’s circuits, these tunnels change rapidly, making tracking more difficult.
  • Garlic Routing: I2P employs garlic routing, a variant of onion routing where multiple messages are bundled together. This further obfuscates the traffic.

Legitimate Uses

  • Private Communication: Individuals in regions with heavy internet censorship use I2P for secure, anonymous communication.
  • Whistleblowing: Similar to TOR, I2P can be used by whistleblowers to share information without revealing their identity.

Illicit Uses

  • Underground Marketplaces: Some darknet markets are turning to I2P due to its additional layers of anonymity.
  • File Sharing: I2P has become a hub for illicit file sharing, including pirated content and illegal materials.

Analyzing I2P

  • Network Mapping: Due to its decentralized nature, mapping the network requires advanced crawling techniques and monitoring of I2P’s distributed hash table.
  • Traffic Analysis: Like TOR, traffic analysis and correlation attacks can be used, but with more difficulty due to I2P’s rapid tunnel changes.

Freenet

Freenet is another decentralized network that allows users to anonymously share files and browse and publish ‘freesites’.

How it works

  • Data Storage: Data in Freenet is distributed and stored in encrypted chunks throughout the network. This ensures data redundancy and availability.
  • Darknet Mode: Users can run Freenet in ‘darknet’ mode, connecting only with trusted friends, making it harder to infiltrate.

Legitimate Uses

  • Censorship Circumvention: Freenet is used by individuals in oppressive regimes to access information and communicate without government oversight.
  • Data Publication: Journalists and activists use Freenet to publish content anonymously.

Illicit Uses

  • Trading Illegal Content: Freenet has been known for hosting forums and repositories for illegal content, due to its high anonymity and encryption.
  • Malware Distribution: Malicious actors use Freenet for distributing malware and exploits.

Analyzing Freenet

  • Infiltrating Friend-to-Friend Networks: Gaining access to a darknet-mode Freenet network requires social engineering or infiltration tactics to become a trusted node.
  • Data Traffic Analysis: Like with TOR and I2P, monitoring data patterns can potentially reveal insights into Freenet usage.

ZeroNet

ZeroNet uses Bitcoin cryptography and BitTorrent network technology to create a decentralized web.

How it works

  • Decentralized Websites: ZeroNet allows users to create websites hosted by other users. These sites remain available even if the original publisher is offline.
  • Bitcoin Cryptography: ZeroNet employs the same cryptographic functions as Bitcoin, ensuring data integrity and authentication.

Legitimate Uses

  • Decentralized Publishing: Content creators use ZeroNet to avoid censorship and maintain ownership of their content.
  • Blockchain Projects: ZeroNet is used for decentralized applications and blockchain projects.

Illicit Uses

  • Darknet Markets: The decentralized nature of ZeroNet has given rise to new darknet marketplaces that are harder to shut down.
  • Illegal Content Distribution: Like Freenet, ZeroNet has been used for distributing illegal content.

Analyzing ZeroNet

  • Peer Discovery and Crawling: Discovering and mapping ZeroNet sites requires monitoring peer announcements and crawling active sites for content.
  • Blockchain Analysis: Because ZeroNet uses Bitcoin cryptography, blockchain analysis tools can be used to trace transactions and potentially de-anonymize users.

Brace Yourselves, the Web is Evolving

The dark web is an ever-evolving creature. TOR, while still the reigning king, is not the only player in this murky realm. With the rise of alternative networks like I2P, Freenet, and ZeroNet, the future is decentralization and even more robust anonymity.

Conclusion

What a ride, huh? We took a plunge into the darkest corners of the web, tore some onions, and came out wiser! TOR investigations and Dark Web analysis are invaluable skills for Cyber Threat Intelligence, and they are just starting to heat up.

Keep your eyes wide, your code tighter, and your hood darker! The digital shadows await.

Onward, my fellow keyboard warriors! May your packets always find their destinations! 🚀🔥