07/1/13

TTP – cyber tactics, techniques, and procedures

HUMINT in cyberspace: finding adversary activity in cyberspace with subject matter expertise in intrusion set tactics, techniques, and procedures (TTP)

gAtO tHiNk- we should all learn from the state actors and adapt. China, for example: they profile a company, then the C-suite, their likes, dislikes, social media, family; then they build a profile and launch the phishing email at the specific targeted executive who loves those new golf clubs or the watch he has been looking at. Wham, PoW, we're in... we all know this.

Crawling Tor Hidden Service – websites

Example: in Tor there are a few under-web hacking sites where they trade small basic hacks and share information about weaknesses and exploits. Most of it is silly n00b stuff, but once in a while you will see the real thing, and you have to know whether it's LE or a real player, faker or joker or a thief. You need a persona and you have to make it trusted for a while so it's legit in that world. Then you just have to sit and look here and there, and find new places to search. From these sites you can gauge what's hot and what's new and real, but it's all a game that you have to play. HUMINT in cyberspace is the way you see the real things come and go. Cyber fame is in some way a weakness of the geek squad that writes the code that makes all this happen. So you have to sit and wait.

HUMINT in cyberspace can get you insider intelligence if you do it right, and the Tor network is a perfect OPSEC countermeasure tool for anything in cyberspace. With a few proxies and/or a VPN it boots from a thumb drive, encrypted and in your physical possession. Surf Tor or the real Internet privately, and add your own Tor hidden service website that you control without any DNS or domain registration. With a laptop your website can move from place to place, never the same spot twice, on open WiFi hotspots. For an OPSEC website that is hard to trace, something like the Tor network is a great tool, and it is exactly what a pro adversary would use for secure command and control (C2) communication and distribution.

Sources of new URLs and websites can be gathered with a simple crawler, plus a search engine to store everything. This will enable you to find new places to go in and check out. There is so much information on Tor, so many places to hide secrets, that it's the most interesting place in cyberspace for a puzzle freak.

Tor comes in any flavor and rides on any Internet connection. KISS. With the information from the search engine, HUMINT in cyberspace now has places to go and things to verify, but it's time spent learning everything you think is crazy, just to see if it's real. For example: who may use it?

TTP: we reverse-engineered a lot of Anonymous operations and saw a really interesting thing. In loosely organized operations with many strangers who had never worked together, they learned from every op and adapted every time, and I don't mean simple attack methods or crap like that; it's organized and well planned. Some were "placed" operations with state actors to see what could be done. Tactics, techniques, and procedures.

Some operations were too well organized. In some cases Anonymous was used as a ruse while the real threat hacked the side doors as defenders were kept busy with the youngsters' play toys. The real attackers hacked away and placed their logic bombs to go off later, after things calmed down...

It's outside-the-box thinking: think vulnerabilities, not defense; every defense has a countermeasure. Once again HUMINT in cyberspace paid off in learning how the kiddies play, but learning how the leaders think, plan, communicate and manage their people gets the most miles.

As Anonymous' cyber "activism" only increases in prevalence, many organizations, both government and corporate, have moved to protect vital, sensitive information, NATO included. By issuing a press release explaining its updated security procedures, NATO acknowledged the rapid evolution in prevalence and sophistication of cyber terrorism since, well, not that long ago.

But if NATO, with the combined resources of 28 member countries, is that concerned about protecting its sensitive data from admittedly sophisticated criminal enterprises, shouldn't its announcement last week serve as a harbinger for other organizations without intercontinental alliances?

Supply chain attacks that go after the big players through small contractors get some of the best access to intellectual capital and other goodies. In cyberspace we have found that once you select the target and the keywords, the TTP (tactics, techniques, and procedures) become clear and set the rules for a solid operations plan.

HUMINT in cyberspace is the new skill set that will help you understand the new cyber enemy in the new digital domain, with web apps flying everywhere. By the time NATO puts it all on paper, everything has changed, so adaptability and changing on a dime has to be the new rule for NATO and for corporations. But are they too big to change with the times? If you don't change and adapt, you lose in the cyber world. gAtO ouT

ref: IAM and Cyber Terrorism: NATO Reassess Their Cyber Security Policies
http://www.aveksa.com/blog/bid/300679/IAM-and-Cyber-Terrorism-NATO-Reassess-Their-Cyber-Security-Policies

CrowdStrike Launches Security Service That Tracks Cyber-Attacker Tactics
http://www.eweek.com/security/crowdstrike-launches-security-service-that-tracks-cyber-attacker-tactics/

06/22/13

China Hackers found in Tor

gAtO bEeN crawling Tor and found China. China, Fujian IP addresses found in Tor, but is it really the Chinese or someone else? As I work on the Tor-Directory-Project to map out every URL in Tor, I came to these sites:

http://yaiaqf3te6khr3nd.onion/ – This site has 3 different sites in one, 3 index front pages, DOORS. fUnNy nO?

http://lw7b7t7n7koyi6tb.onion

Now what's so weird about these 2 sites: 4 IP addresses listed on the site for proxies and Tor in CHINA. This ain't right. China does its best to block Tor and keep its citizens away from Tor, so why would a website in Tor list these explicit IP addresses and tell you to use them? In Tor you try to hide, not give out IPs that can be traced, so why is this different???

So I back-traced these 4 IPs: 3 are in China, 1 is in Seoul, Korea. Then you google "Fujian Province hacking".

Yeah, there are a lot of things happening in that part of China, but is it really the Chinese or others? Russians maybe??

These 2 sites are linked to "Anonet". The funny (ha ha) thing is this one person that keeps popping up (Anonymous Coward) on both these sites, and he/she leads back to China too. mAyBe -Si-nO. The Chinese use the Anonymous Coward to mock Anonymous, which is very dangerous in China, but this does not look good, folks.

We talk about China hacking us, and when people like myself find these sites and try to report them: no way, I'm just a nobody that has one of the largest Tor search engines around. Just from these 2 sites I have 56 URLs. Maybe one of these cyber professionals should check these 2 sites out. I have a subscription service for the Tor search engine; any governments or law enforcement out there that need this, talk to gAtO.

They may find one source of China hacking the US and other places. gAtO oUt

The 4 IP addresses listed on the sites, and where the lookups placed them at crawl time:

http://1.1.7.10/ – Chinanet Fujian Province Network (CN)
http://1.1.7.7/ – Chinanet Fujian Province Network (CN)
http://1.234.56.4/ – ISP: SK Broadband Co Ltd, Region: Seoul (KR)
http://1.56.75.16/ – China Unicom Heilongjiang Province Network, Region: Harbin (CN)

06/21/13

Tor Network Consensus Document

gAtO lOOkInG at the Tor network intelligence: how does it do what it does? Tor takes the volunteer onion relays and organizes them into different categories called "flags":

—  known-flags Authority BadExit Exit Fast Guard HSDir Named Running Stable Unnamed V2Dir Valid  —

Of course there are only nine authority servers in this consensus (the dir-source lines below), owned and run by some of the top people in the Tor Project community. These directory authorities hold all the intelligence Tor needs to run and keep everything working automatically. Every hour they go over the descriptors the OR relays have uploaded (how long each relay has been up, how much bandwidth it has, what Tor version and OS it runs), each authority votes, the votes are combined, and flags are assigned to the 3,500 or so volunteer OR relays around the world. After it's all said and done they produce and sign a "consensus document" that every relay, directory cache and client downloads, so everyone works from the same view of the network. The relays with the HSDir flag are something different: they hold the hidden service descriptors, which is how a client finds a .onion site without any DNS...//

consensus document – May-2013

———————————————————————————-———————————————————————————-
network-status-version 3
vote-status consensus
consensus-method 17
valid-after 2013-05-17 12:00:00
fresh-until 2013-05-17 13:00:00
valid-until 2013-05-17 15:00:00
voting-delay 300 300
client-versions 0.2.2.39,0.2.3.24-rc,0.2.3.25,0.2.4.5-alpha,0.2.4.6-alpha,0.2.4.7-alpha,0.2.4.8-alpha,0.2.4.9-alpha,0.2.4.10-alpha,0.2.4.11-alpha,0.2.4.12-alpha
server-versions 0.2.2.39,0.2.3.24-rc,0.2.3.25,0.2.4.5-alpha,0.2.4.6-alpha,0.2.4.7-alpha,0.2.4.8-alpha,0.2.4.9-alpha,0.2.4.10-alpha,0.2.4.11-alpha,0.2.4.12-alpha
known-flags Authority BadExit Exit Fast Guard HSDir Named Running Stable Unnamed V2Dir Valid
params CircuitPriorityHalflifeMsec=30000 UseOptimisticData=1 bwauthpid=1 pb_disablepct=0

dir-source tor26 14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 86.59.21.38 86.59.21.38 80 443
contact Peter Palfrader
vote-digest C9B36D4CE1E4E25D313DBCB9CAB01BD6402136BB
dir-source turtles 27B6B5996C426270A5C95488AA5BCEB6BCC86956 76.73.17.194 76.73.17.194 9030 9090
contact Mike Perry <mikeperryTAfsckedTODorg>
vote-digest 2974C1E86CE7D44B2A1B304DDED4D6965C519F6C
dir-source maatuska 49015F787433103580E3B66A1707A00E60F2D15B 171.25.193.9 171.25.193.9 443 80
contact 4096R/23291265 Linus Nordberg <linus@nordberg.se>
vote-digest 4C9F8F31152829E776531350A3D0A3AB4F601FBF
dir-source dannenberg 585769C78764D58426B8B52B6651A5A71137189A dannenberg.ccc.de 193.23.244.244 80 443
contact Andreas Lehner <anonymizer@ccc.de>
vote-digest E326C020E9462BA105EC190DFBE4EA8FADA3A138
dir-source urras 80550987E1D626E3EBA5E5E75A458DE0626D088C 208.83.223.34 208.83.223.34 443 80
contact 4096R/4193A197 Jacob Appelbaum <jacob@appelbaum.net>
vote-digest 9D6CB9D0890C4BF18D12BBB4F26F5BC762B081C3
dir-source moria1 D586D18309DED4CD6D57C18FDB97EFA96D330566 128.31.0.34 128.31.0.34 9131 9101
contact 1024D/28988BF5 arma mit edu
vote-digest 21FCEA71FE6597E39E586721F7DA65C3A74A4EA1
dir-source dizum E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 194.109.206.212 194.109.206.212 80 443
contact 1024R/8D56913D Alex de Joode <adejoode@sabotage.org>
vote-digest 0787DE217B45ED8895701D679F02E755A257AF4F
dir-source gabelmoo ED03BB616EB2F60BEC80151114BB25CEF515B226 212.112.245.170 212.112.245.170 80 443
contact 4096R/C5AA446D Sebastian Hahn <tor@sebastianhahn.net>
vote-digest EEECD55223C97CACF7655D897782B61B64C1CF03
dir-source Faravahar EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 154.35.32.5 154.35.32.5 80 443
contact 0x0B47D56D SiNA Rabbani (inf0) <sina redteam io>
vote-digest EE92CA0F3820E3BAFC22C41DFD107D4F4B34E542

r ididnteditheconfig6 AB+dZViiymIEpTtbx+9cX5Y32i0 sjraCwjE8lzInizQ0UPqTI1AHkE 2013-05-17 10:29:13 128.8.24.14 9001 9030
s Exit Fast Running V2Dir Valid
v Tor 0.2.3.25
w Bandwidth=14
p accept 20-23,43,53,79-81,88,110,143,194,220,389,443,464,531,543-544,554,563,636,706,749,873,902-904,981,989-995,1194,1220,1293,1500,1533,1677,1723,1755,1863,2082-2083,2086-2087,2095-2096,2102-2104,3128,3389,3690,4321,4643,5050,5190,5222-5223,5228,5900,6660-6669,6679,6697,8000,8008,8074,8080,8087-8088,8332-8333,8443,8888,9418,9999-10000,11371,19294,19638
r MukiMukiAmaguri ADwuo9jHaHhVHIjp8/rSBaoXkj8 qZ48RT3ftleevrpO/kNy1qeBAS0 2013-05-16 18:16:19 119.25.52.227 9001 9030
s Fast HSDir Running Stable Unnamed V2Dir Valid
v Tor 0.2.2.39
w Bandwidth=38
p reject 1-65535
———————————————————————————-———————————————————————————-

r = router status entry: nickname, identity key digest, descriptor digest, publication timestamp, IP address, ORPort, DirPort
s = flags the authorities assigned to the onion relay
v = version of Tor the relay runs
w = bandwidth weight the authorities measured for the relay (used for path selection)
p = exit policy summary (accept or reject port list), i.e. the exit relay information

The nine dir-source servers at the top of the document are the Tor directory authorities, the servers that have all the real power in Tor, run by Peter Palfrader (tor26), Mike Perry (turtles), Linus Nordberg (maatuska), Andreas Lehner (dannenberg), Jacob Appelbaum (urras), arma (moria1), Alex de Joode (dizum), Sebastian Hahn (gabelmoo) and SiNA Rabbani (Faravahar), contacts as listed in the consensus above.

These are the real master of the Tor network nah… just joking it’s in the code- gAtO oUt
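To see how little magic there is in the flags, here is an added example (my code as editor, not from this post or from the Tor Project) that parses the excerpt above: the dir-source lines for the authorities and the r/s/v/w/p lines for each relay. It decodes the base64 identity digest into the 40-hex fingerprint Tor tools display, checks whether the consensus is still inside its valid-after/valid-until window, and answers the question an exit policy summary exists for: can a stream leave the network on port N through this relay? The text embedded in the code is constructed from the lines quoted above (two of the nine authorities and both relays); nothing is fetched from the network.

```python
import base64
from datetime import datetime

# Constructed excerpt: header lines, two of the nine dir-source entries and
# the two router status entries reproduced in the post above.
SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
valid-after 2013-05-17 12:00:00
fresh-until 2013-05-17 13:00:00
valid-until 2013-05-17 15:00:00
known-flags Authority BadExit Exit Fast Guard HSDir Named Running Stable Unnamed V2Dir Valid
dir-source tor26 14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 86.59.21.38 86.59.21.38 80 443
contact Peter Palfrader
dir-source moria1 D586D18309DED4CD6D57C18FDB97EFA96D330566 128.31.0.34 128.31.0.34 9131 9101
contact 1024D/28988BF5 arma mit edu
r ididnteditheconfig6 AB+dZViiymIEpTtbx+9cX5Y32i0 sjraCwjE8lzInizQ0UPqTI1AHkE 2013-05-17 10:29:13 128.8.24.14 9001 9030
s Exit Fast Running V2Dir Valid
v Tor 0.2.3.25
w Bandwidth=14
p accept 20-23,43,53,79-81,88,110,143,194,220,389,443,464,531,543-544,554,563,636,706,749,873,902-904,981,989-995,1194,1220,1293,1500,1533,1677,1723,1755,1863,2082-2083,2086-2087,2095-2096,2102-2104,3128,3389,3690,4321,4643,5050,5190,5222-5223,5228,5900,6660-6669,6679,6697,8000,8008,8074,8080,8087-8088,8332-8333,8443,8888,9418,9999-10000,11371,19294,19638
r MukiMukiAmaguri ADwuo9jHaHhVHIjp8/rSBaoXkj8 qZ48RT3ftleevrpO/kNy1qeBAS0 2013-05-16 18:16:19 119.25.52.227 9001 9030
s Fast HSDir Running Stable Unnamed V2Dir Valid
v Tor 0.2.2.39
w Bandwidth=38
p reject 1-65535
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def b64_digest_to_hex(digest):
    """Consensus digests are base64 with the '=' padding stripped; restore it
    and return the 40-hex-character fingerprint that Tor tools display."""
    padded = digest + "=" * (-len(digest) % 4)
    return base64.b64decode(padded).hex().upper()


def parse_port_ranges(spec):
    """'20-23,43,53' -> [(20, 23), (43, 43), (53, 53)]"""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def exit_allows(policy, port):
    """policy is ('accept'|'reject', ranges) from the p line: an accept summary
    lists the only ports allowed, a reject summary the only ports denied."""
    kind, ranges = policy
    listed = any(lo <= port <= hi for lo, hi in ranges)
    return listed if kind == "accept" else not listed


def parse_consensus(text):
    header, authorities, relays, current = {}, [], [], None
    for line in text.splitlines():
        key, _, rest = line.partition(" ")
        if key in ("valid-after", "fresh-until", "valid-until"):
            header[key] = datetime.strptime(rest, TIME_FMT)
        elif key == "known-flags":
            header[key] = rest.split()
        elif key == "dir-source":
            nick, fp, hostname, ip, dirport, orport = rest.split()
            authorities.append({"nickname": nick, "fingerprint": fp, "ip": ip,
                                "dirport": int(dirport), "orport": int(orport)})
        elif key == "contact" and authorities:
            authorities[-1]["contact"] = rest
        elif key == "r":  # one entry per relay; the s/v/w/p lines that follow belong to it
            nick, ident, desc, day, clock, ip, orport, dirport = rest.split()
            current = {"nickname": nick, "fingerprint": b64_digest_to_hex(ident),
                       "descriptor": b64_digest_to_hex(desc),
                       "published": datetime.strptime(day + " " + clock, TIME_FMT),
                       "ip": ip, "orport": int(orport), "dirport": int(dirport),
                       "flags": set(), "version": "", "bandwidth": 0,
                       "policy": ("reject", [(1, 65535)])}  # no p line = no exit
            relays.append(current)
        elif current is not None and key == "s":
            current["flags"] = set(rest.split())
        elif current is not None and key == "v":
            current["version"] = rest.split()[-1]
        elif current is not None and key == "w":
            kv = dict(tok.split("=", 1) for tok in rest.split())
            current["bandwidth"] = int(kv.get("Bandwidth", 0))
        elif current is not None and key == "p":
            kind, ports = rest.split(" ", 1)
            current["policy"] = (kind, parse_port_ranges(ports))
    return {"header": header, "authorities": authorities, "relays": relays}


def exits(consensus):
    return [r for r in consensus["relays"] if "Exit" in r["flags"]]


def is_live(consensus, when):
    """A client must not trust a consensus outside its valid-after/valid-until
    window; 'when' is a 'YYYY-MM-DD HH:MM:SS' string."""
    h = consensus["header"]
    return h["valid-after"] <= datetime.strptime(when, TIME_FMT) <= h["valid-until"]


if __name__ == "__main__":
    c = parse_consensus(SAMPLE_CONSENSUS)
    print("authorities:", [a["nickname"] for a in c["authorities"]])
    for r in c["relays"]:
        print(r["nickname"], r["fingerprint"], sorted(r["flags"]),
              "exit to 443:", exit_allows(r["policy"], 443))
```

Run it on a full consensus (one is served by any directory cache at /tor/status-vote/current/consensus) and the authority count you get back is the count of dir-source lines, nine in the May 2013 document above; the Exit and HSDir flags are whatever the authorities' combined vote put on the s line, which is the only thing a client trusts.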

From the Tor directory protocol specification (dir-spec.txt), on how the authorities work:

There is a small set (say, around 5-10) of semi-trusted directory authorities.  A default list of authorities is shipped with the Tor software.  Users can change this list, but are encouraged not to do so, in order to avoid partitioning attacks.

Every authority has a very-secret, long-term “Authority Identity Key”. This is stored encrypted and/or offline, and is used to sign “key certificate” documents.  Every key certificate contains a medium-term (3-12 months) “authority signing key”, that is used by the authority to sign other directory information.  (Note that the authority identity key is distinct from the router identity key that the authority uses in its role as an ordinary router.)

Routers periodically upload signed “routers descriptors” to the directory authorities describing their keys, capabilities, and other information.  Routers may also upload signed “extra info documents” containing information that is not required for the Tor protocol. Directory authorities serve router descriptors indexed by router identity, or by hash of the descriptor.

Routers may act as directory caches to reduce load on the directory authorities.  They announce this in their descriptors.

Periodically, each directory authority generates a view of the current descriptors and status for known routers.  They send a signed summary of this view (a “status vote”) to the other authorities.  The authorities compute the result of this vote, and sign a “consensus status” document containing the result of the vote.

Directory caches download, cache, and re-serve consensus documents.

Clients, directory caches, and directory authorities all use consensus documents to find out when their list of routers is out-of-date. (Directory authorities also use vote statuses.) If it is, they download any missing router descriptors.  Clients download missing descriptors from caches; caches and authorities download from authorities. Descriptors are downloaded by the hash of the descriptor, not by the relay's identity key: this prevents directory servers from attacking clients by giving them descriptors nobody else uses.

All directory information is uploaded and downloaded with HTTP.

[Authorities also generate and caches also cache documents produced and used by earlier versions of this protocol; see dir-spec-v1.txt and dir-spec-v2.txt for notes on those versions.]

06/14/13

Cyber Illuminati – Prism

gAtO lOcO- I know, conspiracy theories, but this one stopped me cold. I was looking at a newscast and the NSA Prism logo came on. OK, Pink Floyd, Dark Side of the Moon rip-off, but something caught my eye: the triangle on the dollar bill and the Prism logo triangle, ummmm.... an all-seeing triangle, what everyone says about the Illuminati logo. If you apply a prism to data it's the same thing: you grab all the light/data and filter it down into different data streams, categories, colors. I can see the meaning of the Prism logo now; wonder how much they paid a no-bid contractor for that logo.

—a new world order – cyberspace —

Then I remembered the CISPA fight we had a while back, and one of those bills said "Cyber Intelligence Sharing & Protection Act", which is pretty much the same thing we now find Prism doing with phone and data collection. So my question is: if Prism has been going on since the Patriot Act and the NSA has been doing this legally,

why CISPA? Why SOPA? Why PIPA? Come on, Prism is legal, so why all this data-sharing legislation when the government was already doing it under our noses? I think what this kid Snowden did was stupid, but it's his choice and he will live with it one way or another. What he showed us has opened a discussion that I think was needed in the cyber world.

Cyber society is the new norm, and we older people must accept that these young men and women know this technology and how to use it better than we do. Cyberspace belongs to everyone today, and I hope that together we can change things for the better. But I don't think the powers that be will give it over so easily. Prism is a perfect example of how the cold war mentality has changed as the digital domain becomes more real. We will not recognize the Internet 10 years from now, but if the Illuminati have their way they will be watching us. gAtO lOcO oUt...

06/12/13

Government use of Cyber Weaponized Exploits

gAtO rEaD- The government is buying hackers' exploits, not to stop these sophisticated cyber exploits but to use these tools against its own people: they are using them to infiltrate computer networks worldwide, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.

The core problem: spy tools and cyber-weapons rely on vulnerabilities in existing software, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. So your computer is vulnerable, the government knows it and will not disclose this information, but may use it against you to place cookies, RATs or other spyware on your computer. I trust our government, don't you?

If you got nothing to hide, you should not be worried… right????

So our tax dollars are going to hackers and cyber criminals that sell these exploits all over the world. As a taxpayer I don't like this part at all. But the worst part is that by taking the lead in offensive cyber tools (example: Stuxnet) we write a playbook for other countries to do the same. What we do in cyberspace becomes socially acceptable to do in cyberspace, and then we bitch about China. I don't get it. mEoW

Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has been most widely reported, the use of a virus known as Stuxnet to disrupt Iran's nuclear-research program, was lauded in Washington. Officials previously confirmed to Reuters that the U.S. government drove Stuxnet's development, and the Pentagon is expanding its offensive capability through the nascent Cyber Command.

Then you have the Prism disclosure and, PoW, "US Cyber Agents Disrupt Publication of Popular Al Qaeda Magazine". This means that Obama's cyber military is potentially capable of more targeted attacks, aimed at damaging particular pieces of information or infrastructure. I wonder where they got those vulnerabilities? Maybe from some bad guys.

What worries me is that as the U.S. engages in these attacks, our enemies are learning what is acceptable in cyberwar. So we must not lose sight of the fact that everyone is watching what we do and how we treat cyberspace, and other governments will follow, defensive and offensive; they are learning from the best, the U.S. Government. gAtO oUt

ref: http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510

http://www.businessinsider.com/us-cyber-agents-disrupt-inspire-magazine-2013-6

04/5/13

Tor Tells It’s Secrets

gAtO pLaYiNg with words in Tor. We simply counted the number of pages in our search engine on which a word appeared. This is something every search engine does, but what it gave us was a picture of what Tor really is. It's not all crime and ugly; information is number one in Tor, exactly what it's supposed to be. Tor was created to share information, and from the table below we see lots of stuff inside Tor.

Tor word data points: we put this report together to see what our word-count occurrence was in the data crawled so far. The chart below gives an interesting picture of the data points Tor generates.

We are finding that these are the best categories to put our websites into. The words by site occurrence speak volumes for understanding trends in Tor. For example, it shows the I2P network in Tor two places above drugs, because I2P is fast becoming intertwined with Tor to get better anonymity.

  • These are real data points based on 3/27/2013 to 4/3/2013; this is a live report from our crawls.
  • As we crawl and add more data our picture of the Tor landscape will change.
  • Bitcoin is the fourth most popular word: it is the number 1 currency of the Dark Web.

Word – Number of pages on which it occurs
blog 1014
wiki 985
anonymous 966
bitcoin 837
sex 530
gun 492
market 458
I2P 400
software 372
drugs 365
child 353
pedo 321
hacking 314
weapon 221
politic 209
books 157
exploit 118
anarchism 105
porno 88
baby 87
CP 83
fraud 76
piracy 69

 

  • Bitcoin above SEX tells us volumes: bitcoin is the normal exchange currency in Tor.
  • Fraud and piracy are the lowest, where we would expect them to be much higher. People trust more in Tor.

This map does tell us that crime is everywhere in Tor, at a more alarming rate than we thought.
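The number behind the table is document frequency, the count of pages on which a word appears at least once, not the raw number of occurrences. Here is that count as an added illustration (my code as editor, not the blog's search engine); the page texts and onion names are made up. It matches whole tokens, so "CPU" does not count as "CP", and folds a trailing "s" so "Bitcoins" counts as "bitcoin". The raw-occurrence count is computed alongside so the difference is visible.

```python
import re
from collections import Counter

# Keywords from the table above.
KEYWORDS = ["blog", "wiki", "anonymous", "bitcoin", "sex", "i2p",
            "drugs", "hacking", "exploit", "cp", "fraud"]

# Constructed "crawled" pages keyed by made-up onion URLs; not real crawl data.
SAMPLE_PAGES = {
    "aaaaaaaaaaaaaaaa.onion/": "Welcome to my BLOG about Tor. Pay in bitcoin, bitcoin only. I2P mirror coming.",
    "aaaaaaaaaaaaaaaa.onion/faq": "This wiki covers hacking tools and exploit trading. Bitcoins accepted.",
    "bbbbbbbbbbbbbbbb.onion/": "Anonymous market: drugs and more drugs. No CP, no fraud, we ban scammers.",
    "cccccccccccccccc.onion/": "The CPU on this box is slow. Blog updates weekly; anonymous posting enabled.",
}


def tokenize(text):
    """Lowercase word tokens: 'I2P' -> 'i2p', 'CP,' -> 'cp', 'CPU' -> 'cpu'."""
    return re.findall(r"[a-z0-9]+", text.lower())


def canonical(token, keywords):
    """Map a token to the keyword it counts for: exact match or a plain plural
    ('bitcoins' -> 'bitcoin'). Whole-token matching keeps 'cpu' from counting as 'cp'."""
    if token in keywords:
        return token
    if token.endswith("s") and token[:-1] in keywords:
        return token[:-1]
    return None


def page_counts(pages, keywords):
    """Number of pages on which each keyword appears at least once (document
    frequency). This is the 'by pages' number the table above reports."""
    kw = set(keywords)
    df = Counter()
    for text in pages.values():
        hits = {canonical(t, kw) for t in tokenize(text)} - {None}
        df.update(hits)
    return {k: df[k] for k in keywords}


def total_counts(pages, keywords):
    """Raw occurrences; a page that repeats a word inflates this but not page_counts."""
    kw = set(keywords)
    tf = Counter(canonical(t, kw) for text in pages.values() for t in tokenize(text))
    return {k: tf[k] for k in keywords}


def rank(counts):
    """Most frequent first; ties broken alphabetically so the output is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for word, n in rank(page_counts(SAMPLE_PAGES, KEYWORDS)):
        print("%-10s %d" % (word, n))
```

On the sample, "bitcoin" is on two pages but occurs three times, and "drugs" is on one page twice; the by-page number is the one that says how widespread a topic is, the raw number only how chatty a single page is.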

We are doing the same with the e-mail addresses we found in Tor. The email table gives a better picture of email in the Tor network; not all of it goes to tormail.org as we thought. As mentioned, more I2P and connections with other anonymous networks seem to be a trend; as the growth rate of Tor users increases, so does the technical base, and more sophisticated users will come on board.

Hope this gives you a better picture of Tor. -gAtO oUt

03/24/13

Tor is NOT the ONLY Anonymous Network

gAtO fOuNd – this very interesting and wanted to share -

Tor does some things well, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.

Try them! You may even find something interesting you cannot find on Tor!

Anonymous networks

These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and have resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.

  • Tor – Fast anonymous internet access, hidden websites, most well known.
  • I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
  • Freenet – Static website hosting, distributed file storage for large files, decentralized forums.

Less well known

Also anonymous networks, but less used and possibly more limited in functionality.

  • GnuNet – Anonymous distributed file storage.
  • OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
  • RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
  • Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.

Non-free networks

These are anonymous networks, but they are not open source. Therefore their security and anonymity properties are hard or impossible to verify, and though the applications are legitimate, they may have serious weaknesses. Do not rely on them for strong anonymity.

  • Osiris – Serverless portal system, does not claim to provide any real anonymity.

In development

  • Phantom – Hidden Services, native IPv6 transport.
  • GlobaLeaks – Open Source Whistleblowing Framework.
  • FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
  • Telex – A new way to circumvent Internet censorship.
  • Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
  • Hyperboria – A distributed meshnet built on cjdns.

Routing Platforms

These are internets overlaid on the Internet. They provide security via encryption, but only weak to no anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups, as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.

  • Anonet – AnoNet2, a more open replacement for AnoNet1.
  • dn42 – Another highly technical routing community.
  • cjdns – An IPv6 overlay network that provides end-to-end encryption. It is not anonymous by itself.

Alternative Internet

  • Netsukuku – A project that aims to build a global P2P online network completely independent of the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in the process of being built.
  • Many other wireless communities are building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe.

Alternative domain name systems

  • Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
  • OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
  • Dot-P2P – Another decentralized DNS service without centralized registry operators (as of July 18, 2012 the page is not accessible and nothing is known about the status of the project since February 2011).

03/10/13

Finding the Bad Guy’s in Tor -triangulated irregular network

gAtO ThInKiNg - a car GPS works very simply: it takes the delay time from one positioning satellite, compares it to another, and estimates the position of the GPS in my car. I think they call it satellite triangulation or something cool; it's been done with radios to guide pilots ever since radios were developed. We do it with satellites, and we can use networks too.

Triangulated irregular network: so now apply this to the Tor bad guys' websites, a hidden service!

With a simple command you can get the time it takes to crawl a website, so you put one server in the U.S., one in South America, one in Europe and one in Asia, run the same command from each, and record the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of a given website in Tor. One of my good mentors told me that in my crawls I was already capturing timing information. On the clear web we all see timing information with a simple ping, but Tor only carries TCP streams, so ping (ICMP) and UDP tools do not work through it; the timing has to come from the TCP/HTTP fetch itself. We must also take into account the Tor network throughput and utilization, but that is easy to get from a number of Tor tools.

Reverse triangulation of a network server should be doable with a little math: take a good sample, and the longer you wait the more data you collect and the better the chance of finding a geo-location for a website. We do this on the clear web all the time; we can see the bad areas of the world, the big spammers, the "African prince" scam mail offering you millions if you send some money to cover the transfer, or Russian and Chinese phishing attacks. So we know that some geo-locations and some IPs are more prone to bad actors, and we can draw a profile of a place, a country or an ISP. So not having the IP of a Tor server may not be needed to find them; we could use network triangulation, a "triangulated irregular network", with the timing delays of data back and forth along client <–> Tor OR <–> server. The catch is that a hidden service connection runs through a rendezvous circuit of about six relays picked at random, so most of the delay you measure is the relay path, not the distance between your vantage point and the server; it takes many samples over fresh circuits to see anything through that noise.

I got a crazy idea that may or may not work, but it sounds good. So now, if I can only find a government grant and a good math major to help out, we have a big business model to find the bad guys' geo-location even in Tor. gAtO oUt...

03/9/13

Tor Website 36% are Criminals Sites

gAtO iS CrAwLliNg websites. We just completed our new crawl of the Tor URLs that we found. We started with 2,000 URLs and got about 550 positives from this first run. This will change, since some sites go up and down for no rhyme or reason; I went back to verify one site that my crawl picked up with all kinds of good information, but later when I went back it would not come up. So this is an ongoing thing in order to map out all of Tor's hidden service websites. From the preliminary data, pedo sites are about 18% of the sites we discovered, another 4-6% guns and assassins, and another 14-16% different criminal types of sites or scams. So over 36% of the sites we found were of a criminal type, and that is not good for anyone.

Crawling Tor Hidden Service – websites

Tor is excellent software for being private and having some level of safety, but this new light is not good for the people who want to use Tor and the Dark Web to do good and positive things. Now we see that the bad guys are all over the Tor Dark Web; we hope this list will help make it better.

This list is only available to law enforcement, governments and selected security companies; you must be verified before you can get hold of this list of onion websites in Tor. This is not a free list (we have to recover our R&D costs), and this is only the first step: we have gained over 12,000 new URLs in Tor from this crawl and will be doing more crawls and adding more information to the list.

What really freaked us out was the number of undocumented websites that are not in any hidden wiki in Tor, and how many of them are put out by criminals. Some of the other information we collect (see the list below) gives us a baseline: Last-Modified: indicates how active a site is; Server: and Web Application: give the web server and web app it runs, and from the looks of things some are vulnerable to all kinds of hacking attacks. Tor websites are the same as any site: if you don't update your site you're vulnerable to hacking from anyone, and in Tor you don't have a clue who did it, because the attacker is protected just like the site.

This will be an ongoing crawl for the next year or so, so expect the list to grow, and as new data is collected more will be revealed about how Tor is used and who uses it, not just theories but facts that we can verify. gAtO OuT

Internal URLs – per-URL fields recorded by the crawler (the PHP curl_getinfo() array; sample values shown where the crawl output had them):

[url] [content_type] [http_code] [header_size] [request_size] [filetime] [ssl_verify_result] [redirect_count] [total_time] [namelookup_time] [connect_time] [pretransfer_time] [size_upload] => 0 [size_download] => 124 [speed_download] => 7 [speed_upload] [download_content_length] [upload_content_length] [starttransfer_time] [redirect_time] [certinfo]

Response headers and derived fields recorded per page:

Cache-Control: / Expires: / Pragma: / HTTP (status line) / Server: / Crawl Date: / Content-Type: / Content-Length: / Last-Modified: / Connection: / Accept-Ranges: / Proxy-Connection: / Set-Cookie: / Web Application:

03/7/13

Mapping Tor Websites

gATo and fRiEnDs are now working on the Tor-Directory Project, crawling about 2000 Tor URLs and getting some new information about Tor and the sites that reside in the Dark Web. Example: I got a good crawl from a site, went to double-check it, and now it was down. So are the sites going up and down, online just for a period of time? Are the sites unavailable because of the browser I am using vs. my crawler? These are some of the answers I will find out.

I expected, due to the slowness of Tor, to spend a lot of time running these crawls. I now have a script that I can run in about 20 hours or less and scrape about 2000 sites. I thought the slowness of the Tor Dark Web would make this a real time eater, but I was wrong. Another thing is the secret Tor sites I found: I now have a fingerprint on them, and these sites that hide in secret on top of being in Tor are of real interest to me and others.

The main issue is that Tor is not SOCKS/HTTP friendly: it exposes a SOCKS proxy, not an HTTP proxy, and .onion names have to be resolved through that proxy rather than by the crawler's own DNS, so setting up the infrastructure was a real learning curve. Now I can replicate the installation, so as I get more servers online this will become a little easier. Right now I am mapping the sites so I can crawl every page. The good part and the bad is that I am finding more and more URLs I never thought existed, so the discovery of new URLs is a good thing, but once again the collection becomes a real bear.

I am putting this into a DB to make searching the collected data a little easier, but I'm finding that DB programming on the web is, well, not very user friendly; I have a good partner who is fixing all my mistakes. We will house this new Tor-only search engine on the clear web so we can keep the speed up, and, well, people are scared to go into Tor, so why not keep everything on the clear web for now.

I expect the crawls to get much longer since I now have the URLs to crawl every site a little better, but the information and the mapping of Tor will be an invaluable tool for us. You say, what about the hidden wiki and all those Tor directory wiki sites? Well, they are OK for basic stuff, but I am finding new sites I never heard of, and the pedophiles are all over Tor, so you best beware: I am putting a light on your websites, and the next part will be to stop you from using Tor as a playground for your sick crap. Tor is meant for real needs of privacy and protection, and I hope my work in this will get these sick bastards to run somewhere else. gATO is watching you in Tor, so beware!!!