
[tor-talk] Someone is crawling TorHS Directories: Honeypot

Hi,

About a month ago I wanted to verify whether someone is actively crawling
the TorHS that are inside the memory of Tor HS directories.

So, I've set up a small Tor Hidden Service honeypot at home with unknown,
unpublished, non-publicly-linked TorHS, with a relatively simple setup:
- Set up 30 Tor HS (just to increase the chance of being on different TorHSDirs)
- Redirected all of them to 127.0.0.1:80
- Set up inetd on port 80 executing a small shell script, /usr/local/bin/honeypot.sh

With such a setup, if someone were to connect to my TorHS, it would for
sure be a malicious user whose primary goal is to harvest TorHS addresses
for research or intelligence purposes.

To know about such a TorHS address, the attacker must be running a
malicious Tor relay acting as a TorHS Directory, with Tor's code
modified to dump the TorHS list from RAM, and then harvest them
with an HTTP client/script/crawler.

The shell script honeypot.sh just:
- executes date
- reads the incoming request
- writes that data to a log file
- answers 404 Not Found to the client
- sends me an email

Yesterday I received my first email from the honeypot; the report is below.

It would be nice to extend this concept to proactively detect and
identify who's running such malicious Tor Relays by logging/mapping
every HSDir that is selected/rotated for such Tor Hidden Services.

-------- Original message --------
Subject: 	ALERT from TorHS Honeypot
Date: 	Thu, 11 Sep 2014 10:12:48 +0000 (UTC)
From: 	root@xxxxxxxxxxxxxx (root)
To: 	fabio.pietrosanti@xxxxxxxxxxxxxxxx

Thu Sep 11 10:12:48 UTC 2014
yefc7p6pv3lsvqrn.onion
GET / HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: yefc7p6pv3lsvqrn.onion
Accept: */*
-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
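The inetd handler the post describes (log the request, answer 404, notify), as an added example; this is not the author's honeypot.sh, and the log path, mail recipient and the inetd.conf line with its "serve" argument are assumptions:

```shell
#!/bin/sh
# Added example, not the honeypot.sh from the post. Run by inetd, so stdin and
# stdout are the client socket. Assumed inetd.conf line (the "serve" argument
# keeps the handler from running when the file is sourced for testing):
#   http stream tcp nowait nobody /usr/local/bin/honeypot.sh honeypot.sh serve
LOGFILE="${HONEYPOT_LOG:-/var/log/torhs-honeypot.log}"   # assumed path
ALERT_TO="${HONEYPOT_MAIL_TO:-root}"                      # assumed recipient

# Read the request line and headers until the empty line that ends them.
# CRs are stripped; the line budget stops a client that never sends the
# terminating blank line from holding the inetd child forever.
read_request() {
    budget=64
    while [ "$budget" -gt 0 ] && IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -z "$line" ] && break
        printf '%s\n' "$line"
        budget=$((budget - 1))
    done
}

# The Host header is the evidence: this .onion was never published, so the
# client can only have obtained it from an HSDir's descriptor store.
host_of() {
    printf '%s\n' "$1" | awk 'tolower($1) == "host:" { print $2; exit }'
}

# Minimal 404 so the crawler sees nothing of interest (10-byte body).
respond_404() {
    printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n'
    printf 'Content-Length: 10\r\nConnection: close\r\n\r\nNot Found\n'
}

# Log timestamp, onion name and the raw request; answer; then notify.
handle() {
    req=$(read_request)
    onion=$(host_of "$req")
    : "${onion:=unknown}"
    {
        date -u
        printf '%s\n%s\n\n' "$onion" "$req"
    } >>"$LOGFILE"
    respond_404
    if [ -n "$ALERT_TO" ] && command -v mail >/dev/null 2>&1; then
        # Mail failure must never change what the client sees.
        printf '%s\n' "$req" | mail -s "ALERT TorHS honeypot $onion" "$ALERT_TO" || true
    fi
}
case "${1:-}" in serve) handle ;; esac
```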
