
[tor-talk] Report of Pervasive Active MiTM Attack Against Hidden Services



Has anybody responded to this claim yet?
http://s7kgnncq3zbe3yza.onion/windex.shtml#mitm

I don't understand how such an attack would be possible without decrypting
the traffic, unless this is actually a phishing-and-proxy attack and not a
"true" MiTM. (How would an MiTM be able to manipulate traffic from a hidden
service without decrypting the contents? I was under the impression that
HTTP requests to hidden services should be end-to-end encrypted.)

Either way, still worth taking note of.

R

via Onion Soup:

> 05/03/14 - 06/26/14
>
> For a period of 3 weeks, a Man in The Middle Attack has pervaded
> onionland. To date, over 400 .onion domains are known to have been
> targeted. The attack consists of at least one person creating new .onion
> addresses, cloning websites "on-the-fly" and re-writing the original sites'
> contents. The attacker can re-write any text on an original page to a
> "cloned" page - in real time. The primary intent appears to be BitCoin
> theft. Once a BitCoin ID is re-written to one of the attacker's IDs,
> unwitting customers send BitCoin to his ID, instead of the intended party.
>
> Even though BitCoin theft may be the object - with non-market sites
> cloned, a site's reputation can be ruined, connections hi-jacked and
> legitimate traffic diverted from the original site.
>
> The problems with these attacks are: (1) they are consuming the
> resources of .onion hosters by the attacker's cloning re-directs, (2) they
> are diverting visitors via altered hyper-links to the fake sites and (3)
> BitCoin fraud is being committed.
>
> Below is what a HEAD request for a cloned site returned after being called
> from the onion sniffer app
> <http://s7kgnncq3zbe3yza.onion/windex.shtml#sniff>. See the "302"
> re-direct (to the original site) and "PHPSESSID" in the "Set-Cookie:"
> header?
>
>   Connection to 42w2zwtwxqbhexsm.onion 80 port [tcp/www] succeeded!
>
>   HTTP/1.1 302 Found
>   Date: Sat, 03 May 2014 18:28:08 GMT
>   Server: Apache/2.4.9 (Fedora) PHP/5.5.11
>   X-Powered-By: PHP/5.5.11
>   Set-Cookie: PHPSESSID=dqqct52sp913aq0tcokhef2lr1; path=/
>   Expires: Thu, 19 Nov 1981 08:52:00 GMT
>   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>   Pragma: no-cache
>   Location: http://n6pbizsbykwxmydz.onion/
>   Connection: close
>   Content-Type: text/html; charset=UTF-8
>
> The only known means of blocking this attack is to match the specific
> cookie or the generalized "path" statement in the "Set-Cookie:" header
> field. With lighttpd, a rule can be created (in lighttpd.conf) to deny
> access to the attacker's attempts to clone the original pages by
> re-directs.
>
>   $HTTP["cookie"] =~ "PHPSESSID" { url.access-deny = ( "" ) }
>
> However, the first cookie makes it through; that is, on the first pass, a
> browser can access the fake site, but a subsequent hit on any page of the
> fake site is blocked, and a "403 - Forbidden" error thrown up. To force a
> 403 immediately after the first page loads, the webpage can be refreshed
> to a new page.
>
> Update: the cloner no longer sends the PHPSESSID cookie. An NID (session)
> cookie is currently (06/26/14) being transmitted. [1
> <http://s7kgnncq3zbe3yza.onion/windex.shtml#cook>] To block it, use the
> following rule, or - to thwart his future cookie plans - use the more
> generalized path rule [2 <http://s7kgnncq3zbe3yza.onion/windex.shtml#path>]
> - along with refreshing the page:
>
>   $HTTP["cookie"] =~ "NID" { url.access-deny = ( "" ) }
>
> Copy index.html to sindex.html. Place the following between the <head>
> and </head> of index.html.
>
>   <meta http-equiv="refresh" content="0; url=sindex.html">
>
> Finally, the attacker's script cannot parse ascii code. The first (or
> any other) letter of a site's hostname can be substituted for - by its
> ascii equivalent <http://www.asciitable.com>. The warning notice should
> consist of ascii code and text (which is rendered by the browser as text).
> To warn visitors of a site that connection hi-jacking attempts abound on
> the darknet and to identify your site as the original, a warning -
> containing something to the effect below and anchored to the head of the
> index page - should be adopted. The cloner cannot alter ascii on-the-fly,
> and anyone visiting the fake site can detect the hi-jacked connection - by
> merely inspecting the warning.
>
>   WARNING: connection hi-jacking attacks are rampant in onionland. This
>   site's hostname is s7kgnncq3zbe3yza.onion. Look at the navigation bar. If
>   you see any other hostname, leave immediately!
>
> notes
>
> (1) Here's what Chrome reports about the NID cookie:
>
>   Name: NID
>   Content: jcf27o21sdhok7fga77g0cmk42
>   Domain: 42w2zwtwxqbhexsm.onion
>   Path: /
>   Send for: Any kind of connection
>   Accessible to script: Yes
>   Created: Friday, June 27, 2014 3:03:04 AM
>   Expires: When the browsing session ends
>
> The Lighttpd rule blocks the cookie. The "Expires:" line explains why a
> 403 is thrown up when a page is loaded and refreshed (or any other page on
> the site is visited) - AFTER the browser is closed and re-opened. Below is
> the header from the cloner's most recent arrangement. Notice the different
> Server, cookie and Location.
>
>   Connection to 42w2zwtwxqbhexsm.onion 80 port [tcp/www] succeeded!
>
>   HTTP/1.1 302 Moved Temporarily
>   Server: nginx
>   Date: Sat, 28 Jun 2014 07:57:04 GMT
>   Content-Type: text/html
>   Connection: close
>   Set-Cookie: NID=h3fr5ohquqdqnnnmcgjhuhdfd6; path=/
>   Expires: Thu, 19 Nov 1981 08:52:00 GMT
>   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>   Pragma: no-cache
>   Location: http://kpvz7ki2lzvnwve7.onion
>
> (2) The alternate (more generalized) blocking rule matches a different
> portion of the cookie field ("path"), then it denies access to the clone
> site. N.B., this rule will block all sites from sending cookies through
> your server.
>
>   $HTTP["cookie"] =~ "path" { url.access-deny = ( "" ) }
>
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
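As an added example that is not part of the original post or of the quoted Onion Soup write-up: a small Python checker that parses the two HEAD responses quoted above and flags the cloning-proxy signature the write-up describes (a 302 to a different .onion that also sets a PHPSESSID or NID session cookie), and that models what the lighttpd `$HTTP["cookie"] =~ ...` rule actually tests, so the "first request gets through" behaviour the write-up notes is visible. The response strings are constructed copies of the quoted headers; the function names are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed copies of the two HEAD responses quoted in the post.
RESPONSE_MAY = """HTTP/1.1 302 Found
Date: Sat, 03 May 2014 18:28:08 GMT
Server: Apache/2.4.9 (Fedora) PHP/5.5.11
Set-Cookie: PHPSESSID=dqqct52sp913aq0tcokhef2lr1; path=/
Location: http://n6pbizsbykwxmydz.onion/
Connection: close
"""
RESPONSE_JUNE = """HTTP/1.1 302 Moved Temporarily
Server: nginx
Set-Cookie: NID=h3fr5ohquqdqnnnmcgjhuhdfd6; path=/
Location: http://kpvz7ki2lzvnwve7.onion
"""

def parse_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def clone_signature(connected_host, raw):
    """Flag the pattern described in the post: we connected to one .onion,
    got a 302 whose Location is a *different* .onion (the original site),
    and a PHPSESSID/NID session cookie was set on the way out.
    Returns None when the response does not match."""
    status, h = parse_response(raw)
    if status != 302 or "location" not in h:
        return None
    target = urlparse(h["location"]).hostname or ""
    if not target.endswith(".onion") or target == connected_host:
        return None
    m = re.match(r"(PHPSESSID|NID)=", h.get("set-cookie", ""))
    return {"redirects_to": target, "session_cookie": m.group(1) if m else None}

def lighttpd_cookie_rule(cookie_header, pattern):
    """Model `$HTTP["cookie"] =~ pattern { url.access-deny = ( "" ) }`:
    the rule regex-matches the *request's* Cookie header, so a first
    request that carries no cookie yet is not denied, which is why the
    post observes that the first page load gets through."""
    return bool(cookie_header and re.search(pattern, cookie_header))
```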