Finding the Bad Guy’s in Tor -triangulated irregular network

gAtO ThInKiNg - a car GPS works very simple, It takes the delay time from one geo-positioned satellite and compares is to another geo-positional satellite and estimates the position of the GPS in my CAR – I think they call it satellite triangulation or something cool, it’s been done with radios to guide pilots navigate ever since they developed radios. We do it with satellite and we can use networks too.

triangulated irregular network  -So now apply this to the Tor bad guy’s websites- a hidden service!math_clouadTag

With a simple command you can get the time it takes to crawl a website, so you have one server in the U.S one is South America, one in Europe and one in Asia and we run the same command getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors told me that in my crawls I was capturing timing information, we all see timing information with a simple ping command in the clear web but in Tor – UDP is unsupported so it does not work -//- we must take into account the Tor network thru-put and utilization bit that’s easy to get from a number of Tor tools.

Reverse triangulation of a network server should be easy to find with a little math, just take a good sample and the longer you wait the more data you collect and the better the chance you can find a geo-location of a website. We do this in the clear web all the time we can see bad areas of the world that are bad spammers, and other like mail from Africa Prince Scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know geo-location and some IP are more prime to bad actors and we can draw a profile, a geo-location of a place and/or  country or an ISP so not having the IP of a Tor server may not be neededto find them we could use network triangulation. “triangulated irregular network  ” So the same thing can be done with networks and timing delays of data back and forth from a // client <–> Tor OR <–>server.

I got a crazy Idea that may or may-not work, but it sounds good—//  so— Now if I can only find a government grant and a good math major to help out and we have a big business model to find the bad guy’s geo-location even in Tor - gAtO oUt…


ToR-Relays -DeepWeb Info

Inspector -information about ToR-Relays

gAtO iS hApPy pUpPy – found the ToR Inspector site in the .onion. This site has information about all ToR-Relays around the world and it indicates if this ToR-Relay is BAD-GOOD-ERROR-REJECT status. Let’s say that you are planning an adventure into ToR land the (paranoid security -techy-talk) thing about ToR that you have to remember is the Entry Node into ToR and the Exit Relay out of ToR. ToR- the .Onion is legal.

ToR security: When you go into ToR the .onion your computer must enter the -ToR-Matrix- so the first ToR-Relay is your entry point and when you leave the .onion your Exit-Relay is logged by your ISP. All they know is that you went into ToR and you left. They don’t know anything about your session in the deepWeb. Using the ToR network is not illegal so far today anywhere. In places like the middle east and China it’s becoming a problem for these governments so they try mess with the ToR-Relays all the time. On this site [1]ToR Relay Inspector you can see if your entry and exit -TOR-Relays are working good and have not been compromised.

IP - Router Details- Version-Platform Tor-Relay-information




With the tools on this page I can look at all the US ToR-Relays, or Russia, China I can see their status, I can see the current version of the relay so I know what can happened – Think of it as as Patch-management on the fly, we see the OS platform of the relay: Here is a clearWeb Example>of a ToR-Relay>



Now that we know all this information about my ToR-Relay I may want to be active and select my own Entry-Exit ToR-Relay, on this page I can create an exclude-Entry-&-Exit-Node so when I can tell my ToR connection what to use. In a place like China were the government is always bring to find and corrupt ToR-Relays this is a great tool. As security people we need to look at this project which is Donation Only funding and help them. The DeepWeb is open just like Pandora the masses are exploring it and once they feel free and safe it may help them just like it did in the Arab Spring. gAtO know the deepWeb is being used by the bad guy’s too but just like a tool. With a hammer you can build a house or use it to hit mouses for gAtO dinner- This is a good page for any Security Reseracher to learn but some bad things are I can see the IP of all the Relays and maybe I can now do a DDoS attack to keep that Relays down – A government can use this tool to see every ToR-Relay in their country and DDoS them, maybe-sI-nO- gAtO oUt


InspecTor / ExcludeNodes generator

[1] http://xqz3u5drneuzhaeo.onion/users/badtornodes/

The following list provides information about relays that have been checked for injecting content over HTTP-connections.

Furthermore it allows you to create a string, that is used to prohibit your Tor client to use specific nodes when building circuits.

For more information you should read this useful HowTo.

If a relay is marked good, it doesn’t mean it is good at all, but the test went well. It could modify content under special circumstances.

This list is not complete (and won’t be), but will get updated regularly. New nodes appear every day and we also recheck known ones.

Note: This is not a real-time test, it was created a few hours or days ago.


For contact or to report suspicious nodes you know about, just use badtornodes@TorPM.

(GnuPG Public Key with fingerprint BBE0 C6B1 1245 07C9 8C48 2D67 1B4F 850B 0E1A 29E8)

I won’t publish the source code of this service in its actual state. If you have no trust in this list, don’t use it.