
Re: [tor-talk] Regarding the Hacking Team leak and the "TOR interception" (all uppercase Tor obviously)

On 7/7/15, chloe <chloe@xxxxxxxxxxxxxxx> wrote:
> ...
> how would this method work if an infected client tries to visit a hidden
> service?

there are at least three common ways:

1. using an evil proxy, as directed above. they install a rogue CA so
they can sign for any SSL/TLS required. this works for hidden
services, because their proxy strips ssl, then forwards to the hidden
service. e.g. https://www.facebookcorewwwi.onion

2. using memory scraping - they don't appear to do this, but other
exploit kits do. if your browser is rendering pages and accepting
input, it does so on the local machine, and inspecting local machine
memory gets at these bits before encryption (before network I/O).

3. using key exfiltration, so that encrypted streams captured on the
network can be decrypted later. note that exfiltrated key material is
very small and easy to hide, and then gets you access to all the
plain-text. call this the #BULLRUN method.

best regards,
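An added, constructed illustration of method 1 and the usual defensive check against it (this is not code from the thread, from Hacking Team, or from Tor Browser): using only Go's standard library it mints a genuine root, a rogue root of the kind the implant installs, and a proxy-issued leaf for the onion host, then shows that the ordinary trust-store check passes for the forged leaf while a previously recorded SPKI pin rejects it. The certificate names, serials and the helper names (`mint`, `Inspect`, `Scenario`) are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }
// template builds a root-CA (ca=true) or server-leaf template for name, valid +-1h (constructed test data).
func template(name string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: ca,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}
// mint issues tmpl under parent with parentKey, or self-signs it when parent is nil; returns the cert and its key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo: the value a pinning client records for a host.
func SPKIPin(c *x509.Certificate) string { s := sha256.Sum256(c.RawSubjectPublicKeyInfo); return hex.EncodeToString(s[:]) }
// Inspect reports whether leaf chains to roots for host (the browser's check) and whether its SPKI matches pin.
func Inspect(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) (trusted, pinned bool) {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil, SPKIPin(leaf) == pin
}
// Scenario models the thread's case: a rogue root sits in the client's store and the proxy presents its own leaf for host.
func Scenario(host string) (genuineTrusted, genuinePinned, proxyTrusted, proxyPinned bool) {
	genuineCA, genuineKey := mint(template("Genuine Root", 1, true), nil, nil) // constructed, not a real CA
	rogueCA, rogueKey := mint(template("Rogue Root", 2, true), nil, nil)       // constructed, stands in for the implant's CA
	genuineLeaf, _ := mint(template(host, 3, false), genuineCA, genuineKey)
	proxyLeaf, _ := mint(template(host, 4, false), rogueCA, rogueKey)
	roots := x509.NewCertPool(); roots.AddCert(genuineCA); roots.AddCert(rogueCA) // rogue root installed on the infected client
	genuineTrusted, genuinePinned = Inspect(genuineLeaf, roots, host, SPKIPin(genuineLeaf))
	proxyTrusted, proxyPinned = Inspect(proxyLeaf, roots, host, SPKIPin(genuineLeaf)) // pin recorded on an earlier clean connection
	return
}
```

The forged leaf chains cleanly to the rogue root, so only the pin comparison (or an out-of-band check of the presented SPKI against a known-good value) reveals the interception; an audit that diffs the client's trust store against a baseline catches the added root itself.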
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx