gAtO- wanted to test my map making abilities and so I put this little map of the OR-relays of Tor in ItAlY - gATO oUt
Finding Tor Websites –geo-location
gAtO tHiNkInG- to find Tor-hidden service-website geo-location we must understand Tor and how it works better. Figure 1 shows us how a basic Tor connection is made. Let’s take a closer look, to understand the weak points in Tor and to find the location of the Tor-hidden service-website:
1,2 and 3 are how a Tor-hidden service-websites tells the world that it is available to the world. 4-5 and 6 create the map’s to the location of the meeting between the client and the HS. 7,8 and 9 are the key’s to finding the website…
The HS –hidden service needs to advertise that it’s available thru the IP –introduction points to the DS- Tor-DNS –so other Tor-clients can find them. The workload of data exchange goes on between the RP -Rendezvous Point and the client and the Tor-website.
All Tor connection have 3 relays they must use to connect to the Tor-network.
Client–|> 1.Entry-node 2.Relay-node 3.Exit-node -HS-website
a}. To find the geo-location we need to find the 3RP for a HS-website and direct our crawlers to crawl from 8 different geo-location– the delay signals from all location should be the [same/different] from the RP to the HS. This data with data from the OR should give us enough information to tag a location to these signals.
B}. –this is part of the information that is kept in the ”descriptor information“ that the Tor-DNS (directory service) uses to find and connect to the hidden service-website.
We will now have 8-Tor servers from different worldwide locations finding these 3 RP for the target hidden service-website. Once we have the geo-location of the RP –using network delay signals that we collect with our cralws. This data can give us triangulation information using data correlation to find the geo-location of the target- Tor hidden service-website. At least in threory it works, we have started testing some of these new ideas and will keep you posted. So far we can find the country of the target hidden service-website but we need to come closer and get a pinpoint location without an IP address with our medthod of triangulation and data correlation – gAtO oUt
You may need to reload it or hit the return a few times but you should get a big map of the world with Tor OR all over the place -
Biggest Growth Tor Usage Washington-DC
I found a chart from 2011 that shows all 900 OR in Tor at that time. Then I got a hold of some code that get’s me all V3 OR 2013. When I compared them both my biggest shock was the number of OR in Washington, DC area shows the biggest growth of OR on the To network.
So tell me why the US government seems to be the biggest user of Tor???
Last year we where running about 3,000 Tor-OR this year so far we have another 500 more OR bringing us up to 3,500 OR we have also increased the Authority-Directory servers to10 from 8
Mapping Tor OR – we will be doing more Tor-mapping project that will make things funs with Google-Maps – gAtO oUt
gAtO fOuNd – this very interesting and wanted to share -
Tor does some things good, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.
Try them! You may even find something interesting you cannot find on Tor!
These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.
- Tor – Fast anonymous internet access, hidden websites, most well known.
- I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
- Freenet – Static website hosting, distributed file storage for large files, decentralized forums.
Also anonymous networks, but less used and possibly more limited in functionality.
- GnuNet – Anonymous distributed file storage.
- OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
- RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
- Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.
These are anonymous networks, but are not open source. Therefore their security and anonymity properties is hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.
- Osiris – Serverless portal system, does not claim to provide any real anonymity.
- Phantom – Hidden Services, native IPv6 transport.
- GlobaLeaks – Open Source Whistleblowing Framework.
- FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
- Telex – A new way to circumvent Internet censorship.
- Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
- Hyperboria A distributed meshnet built on cjdns.
These are internets overlaid on the internet. They provide security via encryption, but only provides weak to none anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.
- Anonet – AnoNet2, a more open replacement for AnoNet1.
- dn42 – Another highly technical routing community.
- CJDNS, an IPV6 overlay network that provides end to end encryption. It is not anonymous by itself.
- Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
- Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe. see also
- Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
- OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
- Dot-P2P – Another decentralized DNS service without centralized registry operators (at July 18, 2012 page is not accessible and has not known anything about the status of project from February 2011).
gAtO ThInKiNg - a car GPS works very simple, It takes the delay time from one geo-positioned satellite and compares is to another geo-positional satellite and estimates the position of the GPS in my CAR – I think they call it satellite triangulation or something cool, it’s been done with radios to guide pilots navigate ever since they developed radios. We do it with satellite and we can use networks too.
With a simple command you can get the time it takes to crawl a website, so you have one server in the U.S one is South America, one in Europe and one in Asia and we run the same command getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors told me that in my crawls I was capturing timing information, we all see timing information with a simple ping command in the clear web but in Tor – UDP is unsupported so it does not work -//- we must take into account the Tor network thru-put and utilization bit that’s easy to get from a number of Tor tools.
Reverse triangulation of a network server should be easy to find with a little math, just take a good sample and the longer you wait the more data you collect and the better the chance you can find a geo-location of a website. We do this in the clear web all the time we can see bad areas of the world that are bad spammers, and other like mail from Africa Prince Scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know geo-location and some IP are more prime to bad actors and we can draw a profile, a geo-location of a place and/or country or an ISP so not having the IP of a Tor server may not be neededto find them we could use network triangulation. “triangulated irregular network ” So the same thing can be done with networks and timing delays of data back and forth from a // client <–> Tor OR <–>server.
I got a crazy Idea that may or may-not work, but it sounds good—// so— Now if I can only find a government grant and a good math major to help out and we have a big business model to find the bad guy’s geo-location even in Tor - gAtO oUt…
gAtO iS CrAwLliNg websites-We just completed our new crawl of Tor URL that we found. We started with 2,000 URL’s and we got about 550 positives from this first run. This will change since some sites go up and down for no rhyme or reason. I went back to verify one site that my crawl picked up with all kinds of good information but later when I went back it would not come up. So this is an ongoing thing in order to map out all of Tor’s hidden service websites. From the preliminary data Pedo sites are about 18% of the sites we discovered another 4-6% guns and assassins and another 14-16% of different criminal type’s of sites or scams. So that is over 36% of the sites we found were criminal type, that is not good for anyone.
Tor is an excellent software for being private and having some level of safety but this new light is not good for the people that want to use Tor and the Dark Web to do good things and positive things. Now we see that the bad guys are all over Tor-Dark Web we hope this list will help it become better.
This list is only available to Law enforcement, governments and selected security companies, you must be verified first before you can get a hold of this list of Onion websites in Tor. This is not a free list (we have to recover our cost of r&d) and this is only the first steps we have gained over 12,000 new URL in Tor from this crawl and will be doing more crawls and adding more information to the list.
What really freaked us out was the undocumented website that are not in any hidden wiki in Tor and the number of them being put out by criminals. Now some of the other information that we collected see list below will give us a baseline like — Last-Modified: — will give us an indication of how active they are. The —Server: & Web Application:— will give us the web app they use and from the looks of things some are vulnerable to all kinds of hacking attacks. Tor websites are the same as any site and if you don’t update your website, well your vulnerable to hacking from anyone and in Tor you don’t have a clue because they are protected just like the site.
This will be an ongoing crawl for the next year or so, so expect the list to grow and as new data is collected more will be revealed about the how, and the use of Tor and who uses Tor will become not just theories but facts that we can verify - gAtO OuT
Internal URL’s -
[size_upload] => 0
[size_download] => 124
[speed_download] => 7
gATo and fRiEnDs- are am now working on the Tor-Directory Project crawling about 2000 Tor-url and getting some new information about Tor and the sites that reside in the Dark Web. Example I got a good crawl from a site and I went to double check it and now it was down, so are the sites going up and down and online just for a period of time? Are the site not available because of the browser I am using -vs- my crawler. These are some of the answers I will find out.
I expected due to the slowness of Tor to spend a lot of time running these crawls. I have now a script that I can run in about 20hr or less and scrape about 2000 sites. I thought that the slowness of Tor-Dark Web would make this a real time eater but I am wrong. Another thing is the secret Tor sites I found, I now have a fingerprint on them and these sites that hide in secret on top of being in Tor are a real interest to me and others.
The main issue is Tor is not socks-http friendly so setting up the infrastructure was a real learning curve and now I can replicate the installation so as I get more servers online this will become a little easier. Right now I am mapping the sites so I can crawl every page, the good part and bad is I am finding more and more URL that I never thought existed, so the discovery of new URL is a good thing but once again the collection becomes a real bear.
I am putting this into a db to make the search of the collected data a little easier but finding that db programing on the web is well not very user friendly but I have a good partner that is fixing all my mistakes. We will house this new Tor-only website search engine in the clear web so we can keep the speed up and well people are scared to go into Tor, so why not keep everything in the clearWeb for now.
I expect the crawls to get much longer since I now have the urls to crawl every site a little better but the information and mapping out Tor will be and invaluable tool for us. You say how about the hidden wiki, and all those sites that have Tor directory wiki sites. Well they are OK for basic stuff but I am finding new sites I never heard of and the pedophiles are all over Tor so you best beware I am putting a light on your websites and the next part will be to stop you from using Tor as a play ground for your sick crap. Tor is meant for real needs of privacy and protection and I hope my work in this will get these sick bastards to run somewhere else — gATO is watching you in Tor so beware!!!
Update: 01-26-2013 – It seems that the TorProject.org is now threatening poor little gAtO because I voiced my opinions and disagree and question their practice of protecting pedophiles. So the TorProject that say’s they support “Freedom of Speech” now is trying to used it POWER to abuse people who disagree with them. This shows to me that I am very closed to the truth. Why would they be offended and why would they threaten a disable veteran that is only trying to help children by questioning it’s practice of supporting pedophiles in TOR.
This ABUSE of power upon the weak is what the TOR-Project claims it is trying to protect. This is the same tactics that corporations, governments that feel entitled think they can silence “Freedom of Speech” – Well Mr. Andrew Lewman of TorProject anytime, anyplace little boy. You are a coward to hide behind the Tor-Project and think you can get away with your abuse, your threats, your intimidation. gAtO is Ready- Fire at will.- hit me with your best shot.
I DO NOT FORGIVE
I DO NOT FORGET
YOU SHOULD OF EXPECTED gAtO
gAtO hAs his ClAw’s oUt psssss- I have been working on a project to fight pedo website in the Tor-onion network – (The Dark Web- the underweb) what ever you want to call it. We all know that Pedophiles as well as other criminals are hiding their websites inside -Tor-hidden service. So I contacted one of the torproject people – we will call him Andrew.
“It’s so toxic, most law enforcement cannot touch it either. You should report these links to
http://missingkids.com/“>http://missingkids.com at a minimum. See
https://www.torproject.org/docs/faq-abuse.html.en#RemoveContent for the longer explanation.”
\—The Missing Kids network cannot do anything about websites in the Tor-network –hidden service.—/
This made me sick from the TorProject site -We refuse to weaken Tor because it would harm efforts to combat child abuse and human trafficking in the physical world, while removing safe spaces for victims online. – SAY WHAT!!! – Here we are we know the URL of PedoBear and hundreds of Pedo site in the Dark Web and they keep the real directory of all sites in the 10 Authority servers – they could just go and delete these known Pedo websites and then they would have to generate another URL and re-advertise and get back the customer base.
“Hay Anonymous we need your help”
You ever wonder why everyone vilifies the dark web (Tor) this is the reason why, get a clue TorProject.
That is a lot of work for these monsters – We in the cyber security field know all this and if we can get together and help we could help these children and protect them from these cowards. No, No the Torproject is so arrogant and delusional that they make these statements on their website and – well that’s all I have to do. - gAtO don’t get it.
I respect the efforts of the TorProject and what they do to help “freedom of Speech in cyberspace” this is my core belief, but to claim to help child abuse by leaving these sick website online. – That is madness – I cannot believe that Roger and Jacob worked as hard as they did to build such a great tools that is saving lives but when it comes to children they turn a blind eye.
I hope they see this post and think of the millions of children that suffer because they choose to do nothing. I hope they sleep well at nights knowing that pedophiles are loving their Tor-hidden service where they can do whatever they want with children and get away with it.
Shame on you TorProject – all I can say is that gAtO will work hard to find and destroy these websites.
- we have rules and pedophiles have no rules -not on my watch
I know behind the Tor-hidden service is just a basic website with the normal vulnerabilities and from my research some of these use old web apps that are vulnerable. So be warned gAtO is a gray hat and I’m hunting you. I will find you and exposed you, I will expose your family, I will shame you, I will send you to jail in what ever country your in, were I hope they treat you like you treated these helpless children.
TorProject I expected more from you, I expected you to have a heart and help these helpless children- gAtO oUT
gAtO hAs - been meeting some very good people that have the ugly dirty job of going after pedophiles and gATO is sicken that this problem is becoming so big. I like most people hear of these sick wackos and my skin crawls but I am guilty of not doing anything to stop this. In my research into the Tor’s Dark Web I found so much ugly Pedo stuff but I always said to myself this is some else job but it’s not.
All cyber security professionals should work together to find and go after these sick bastards that haunt our children nightmare. When I first saw the “Pedo Bear Wiki” in Tor’s I was in shock at how they do business in plain site thinking that they are safe. This is also a big black eye for everyone because this does not just happen in Tor’s Dark Web but in the clear web were we all do work, and talk to friends. Facebook, Twitter is full of them, you may of added them as friends. In the normal Internet these people thrive and then they go into Tor and people start saying Oh well in Tor it’s all about these perverts. They give Tor a bad name because it works so well to mask you.
Be on Notice pedo’s that gATO has found ways to find you in the Tor-onion network. I can find the IP of your hidden-service website, I can also find your clients if your not careful. I am launching some Tor tools that I am developing that may allow me to find your IP and then your -geo location. I am working on some other offensive cyber tools to go after these Pedo Sites in the clear web and especially in Tor. So the hunt begins pedophiles you have been warned this coming year we will find you and destroy you then give the police a chance to lock you up for life. Yeah your safe in Tor, keep thinking that – gATO hunts for RaTz like yOu.
gAtO tHiNkInG - anonymity serves different interest for different user groups; To a private citizen it’s privacy, to a business it’s a network security issue. A business needs to keep trade secrets or have IP (knowledge base data-centers), communicate with vendors securely and we all know that business need to keep an eye on there competition – the competition can check your stats
update -11-14-2012 -uscyberlabs.com Tor Hidden Service = http://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox and it turned into a honeypot — cool logs stats
(http://www.alexa.com/siteinfo/uscyberlabs.com) and check on how your business is doing, what keywords your using, demographics of users hitting your site—— by the way in the Tor-.onion network a web site/service cannot be monitored unless you want it…
How would a government use a ToR-network I’m asked all the time —
// if I was an (agent/business-person)state actor doing business in China (and other countries too) well I would use a ToR-.onion connection to keep my
business private from a government that is know to snoop a bit on travelers to their country. The fact is governments need anonymity for their security -think about it “What does the CIA Google for?” Maybe they us ToR??? But this is about Hidden services right.
What is a hidden service in ToR-.onion network?
SImply put it’s a web site/service, a place in the ToR network were we have a service like:
- Search Engine
- web / pop3 email
- PM Private Messages
- Drop Box’s
- Bulletin Boards BBS
- Image Boards
- Currency exchange
- Social Networks
- Micro-Blog -
Hidden Services are called hidden, because your website’s IP in ToR is hidden- they cannot see the IP of your server — they can’t track you- if they can’t find you how are they gonna hack you???? Sorry I had to say that -((more about that later)). Now how do I keep this secret (my IP) and let you the user use my services. In the normal web if your in uscyberlabs.com your on my site,— my server -you can do a whois and get my IP and geo-location— then you can attack my website with dDoS and other IP attack vectors, you also get my location so you can physically find me- my server/my website – maybe go dumpster diving in the trash and get my company secrets— mAyBe sI – nO,
Well in the ToR-.onion network you the client ask the business website if they can use the websites service / then decide and start a handshake to a rendezvous POINT to meet —we meet at an OR ((onion relay))-a rendezvous POINT) not at my server/ my IP — so your never ever on the business site/server when your in onionLand, you can’t do a whois and get my IP because we meet at an OR, you cannot find my geo-location…..
We have heard of the killings of Iranians and Syrian rebels being killed in todays news, when an Iranian rebel is fighting for his and his families life if they(the government) finds his IP or the IP of the website he visited // they will hunt that person down and the Iranian police/government will kill the whole family sometimes. So keeping an IP from someone is not an evil act it is an act of privacy for safety on both sides the client and the business.
you need to look at Figure 2 to explains this better:
Now let’s focus on R2 OR the yellow key. That’s the spot were you(your company’s hidden website) and your client meet — I know it’s a sneaky way of doing business but once again if they can’t get to your IP at least that is one attack vector that can’t be used to hack you or ddos you. OK they can still hack you but it’s software then. How it’s all done – the magic —the technical thingy to this is below —/this is just an outline of events of the client /hidden web/service protocol:
I goes something like this –
- ESTABLISH RENDEZVOUS cell
- INTRODUCE2 cell
- INTRODUCE ACK cell.
- INTRODUCE2 cell
- RENDEZVOUS1 cell
- sends a RENDEZVOUS2 cell Chat
- sends a RENDEZVOUS2 cell Blog
- RENDEZVOUS ESTABLISHED cell
More Geek network kinda stuff::
1. Jun 03 20:50:02.100 [notice] Tor 0.2.1.0-alpha-dev (r14739) opening new log file.
2. Jun 03 20:50:11.151 [notice] We now have enough directory information to build circuits.
3. Jun 03 20:50:12.697 [info] rend_services_introduce(): Giving up on sabotage as intro point for stuptdu2qait65zm.
4. Jun 03 20:50:18.633 [info] rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 1560 for service stuptdu2qait65zm
5. Jun 03 20:51:18.997 [info] upload_service_descriptor(): Sending publish request for hidden service stuptdu2qait65zm
6. Jun 03 20:51:22.878 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 (“Service descriptor stored”))
People ask me how can these hidden services be attacked???
It’s all the same as in the surface web you find the software the hidden service is using /// let’s say Worpress (or flatPress) if they use an old version with vulnerabilities then, that site can be hacked by traditional hacking attack vectors— gAtO can’t wait till USCyberLabs.com will have a sandbox in the .onion were we can have a honeypot for people to hack and learn from. (we need Funding for these project donate please – we will share) gAtO has not tried Backtrack 5 on ToR-.onion network – mAyBe sI -nO – uscyberlabs.com has been hacked a few times already and is consistently fighting bot’s and spammer, it goes on and on.everywhere-.-.-.-
Here are some technologies used in the ToR-.onion network:
update -11-14-2012 -uscyberlabs.com Tor Hidden Service = http://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox and it turned into a honeypot — cool logs stats
Snapp BBS works fine in OnionLand - http://4eiruntyxxbgfv7o.onion/ -
PHP BBS – http://65bgvta7yos3sce5.onion/
Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. – http://ay5kwknh6znfmcbb.onion/torbook/
Anyway I hope this open up the mystery of a hidden service in ToR – it’s just a website, you go to a rendezvous point and do your business — your IP and the business IP are totally secure. No digital breadcrumbs. Now a word to the wise in the ToR-.onion network you have some very tech savvy people and some are very stupid be a critical-cyber user always -gAtO oUt.