Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
On 08/13/2014 03:01 PM, Anders Andersson wrote:
> On Wed, Aug 13, 2014 at 12:06 PM, <blobby@xxxxxxxxxxxxxxx> wrote:
>> How, in this case, was it possible for the FBI to learn the IP
>> addresses of visitors to this hidden service? The Tor hidden server
>> page states that "In general, the complete connection between
>> client and hidden service consists of 6 relays: 3 of them were
>> picked by the client with the third being the rendezvous point and
>> the other 3 were picked by the hidden service."
>> Can someone knowledgeable please explain how visitors to a Tor
>> hidden service can have their real IPs detected?
> only say "told you so", but that doesn't really help anyone. :)
> Because they managed to get in to the client browser, they could
> learn the real IP address and MAC address, they didn't learn this
> through Tor.
This is an old story. Here is an explanation from Wired:
> hidden in a variable named “Magneto.” A traditional virus would use
> that executable to download and install a full-featured backdoor, so
> the hacker could come in later and steal passwords, enlist the
> computer in a DDoS botnet, and generally do all the other nasty
> things that happen to a hacked Windows box.
> But the Magneto code didn’t download anything. It looked up the
> victim’s MAC address — a unique hardware identifier for the
> computer’s network or Wi-Fi card — and the victim’s Windows hostname.
> Then it sent it to a server in Northern Virginia, bypassing
> Tor, to expose the user’s real IP address, coding the transmission as
> a standard HTTP web request.
> “The attackers spent a reasonable amount of time writing a reliable
> exploit, and a fairly customized payload, and it doesn’t allow them
> to download a backdoor or conduct any secondary activity,” said Vlad
> Tsyrklevich, who reverse-engineered the Magneto code, at the time.
> The malware also sent a serial number that likely ties the target to
> his or her visit to the hacked Freedom Hosting-hosted website.
They didn't get the "real" IP address through the browser. Magneto just
sent information to the FBI's server directly, rather than through Tor.
Also, Magneto is a Windows executable ;)
Proper firewall rules would have prevented that leak. Those using Whonix
weren't affected, because nothing in the workspace knows the "real" IP
address (and also because it's Debian, not Windows).
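As an added example (not code from this thread and not Whonix's own ruleset), here is a minimal iptables egress policy in the spirit of the "proper firewall rules" point above: only the Tor daemon's user may send packets to the network, so a payload that tries to phone home directly, the way Magneto did, is logged and rejected instead of leaking the real IP. It assumes Debian's default Tor user debian-tor (override with TOR_USER) and that Tor's SOCKS port is bound on loopback.

```shell
#!/bin/sh
# Added example, not from the tor-talk thread and not Whonix's ruleset:
# a minimal Linux egress policy. Only the Tor daemon's user may leave
# the host; everything else that tries to reach the Internet directly is
# logged and rejected. Applications keep working through Tor's SOCKS
# port on 127.0.0.1, which the loopback rule allows.
# Assumptions: iptables is installed, Tor runs as $TOR_USER (Debian's
# default is debian-tor), and Tor's ports are bound on loopback.
TOR_USER="${TOR_USER:-debian-tor}"

# Emit the ruleset as one iptables command per line. Order matters:
# loopback first (SOCKS/control ports live there), then the Tor user,
# then a rate-limited log line and a reject for everything else.
egress_rules() {
  cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor egress: " --log-uid
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Number of rules a reviewer should expect in `iptables -S OUTPUT`
# after applying (the policy and flush lines are not rules).
rule_count() {
  egress_rules | grep -c -- '-A OUTPUT'
}

# Apply the rules (needs root). Stops at the first failing command so a
# half-applied policy is noticed rather than silently leaking.
apply_rules() {
  egress_rules | while IFS= read -r cmd; do
    eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
else
  echo "# dry run; set APPLY=1 and run as root to install:"
  egress_rules
fi
```

With this policy in place, the `--log-uid` entries in the kernel log show which local user tried to bypass Tor, which is the detection signal a defender would watch for. Anything that legitimately needs the network (package updates, for instance) must itself be pointed at Tor's SOCKS port.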
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx