What Are ToR Hidden Services?

Friday, June 15, 2012

gaToMaLo r. amores


gAtO's thoughts: Anonymity serves different interests for different user groups. To a private citizen it’s privacy, to a business it’s a network security issue.

A business needs to protect trade secrets or have IPs (knowledge base data-centers) communicate with vendors securely, and we all know that business needs to keep an eye on their competition.

The competition can check your stats (http://www.alexa.com/siteinfo/uscyberlabs.com) and see on how your business is doing, what keywords you're using, demographics of users hitting your site, etc...

By the way in the Tor-.onion network, a web site/service cannot be monitored unless you want it to be…

How would a government use a ToR-network I’m asked all the time...

If I were an (agent/business/person) state actor doing business in China (and other countries too), well I would use a ToR-.onion connection to keep my business private from a government that is known to snoop a bit on travelers to their country.

The fact is governments need anonymity for their security - think about it: “What does the CIA Google for?” Maybe they use ToR??? But this is about Hidden services, right?

What is a hidden service in ToR-.onion network?

Simply put, it’s a web site/service, a place in the ToR network, were we have services like:

  • Search Engine
  • Directories
  • web / pop3 email
  • PM Private Messages
  • Drop Box’s
  • Re-mailers
  • Bulletin Boards BBS
  • Image Boards
  • Currency exchange
  • Blog
  • E-Commerce
  • Social Networks
  • Micro-Blogs

Hidden Services are called "hidden" because your website’s IP in ToR is hidden - they cannot see the IP of your server — they can’t track you. If they can’t find you, how are they gonna hack you???? Sorry I had to say that (more about that later).

Now how do I keep my IP secret and let you use my services? On the normal web, if you’re at uscyberlabs.com you're on my site - my server - so you can do a WhoIs and get my IP and geolocation - then you can attack my website with DDoS and other IP attack vectors, you also get my location so you can physically find me - my server, my website – and maybe go dumpster diving in the trash and get my company secrets - mAyBe sI – nO.

Well, in the ToR-.onion network you the client ask the business website if you can use the website's services, then decide and start a handshake at a rendezvous POINT to meet  - we meet at an OR (onion relay) - a rendezvous POINT not at my server/my IP — so you're never ever on the business site/server when you’re in OnionLand, and you can’t do a WhoIs and get my IP because we met at an OR, and you cannot find my geo-location…..

We have heard of Iranian and Syrian rebels being killed in the news. When an Iranian rebel is fighting for his and his family’s life if they (the government) find his IP or the IP of the website he visited they will hunt that person down and the Iranian police/government may kill the whole family. So keeping an IP from someone is not an evil act, it is an act of privacy for safety on both sides the of client and the business.

Now let’s focus on R2 OR the yellow key. That’s the spot where you (your company’s hidden website) and your client meet — I know it’s a sneaky way of doing business, but once again if they can’t get to your IP at least that is one attack vector that can’t be used to hack you or DDoS you. OK they can still hack you but it’s via software then. 

How it’s all done – the magic - the technical thingy to this is below - this is just an outline of events of the client /hidden web/service protocol:

(click image to enlarge)

It goes something like this:

  • INTRODUCE2 cell
  • INTRODUCE2 cell
  • RENDEZVOUS1 cell
  • sends a RENDEZVOUS2 cell Chat
  • sends a RENDEZVOUS2 cell Blog

More Geek network kinda stuff:

1. Jun 03 20:50:02.100 [notice] Tor (r14739) opening new log file.

2. Jun 03 20:50:11.151 [notice] We now have enough directory information to build circuits.

3. Jun 03 20:50:12.697 [info] rend_services_introduce(): Giving up on sabotage as intro point for stuptdu2qait65zm.

4. Jun 03 20:50:18.633 [info] rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 1560 for service stuptdu2qait65zm

5. Jun 03 20:51:18.997 [info] upload_service_descriptor(): Sending publish request for hidden service stuptdu2qait65zm

6. Jun 03 20:51:22.878 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 (“Service descriptor stored”))

People ask me how can these hidden services can be attacked?

Its all the same as in the surface web - you find the software the hidden service is using (let’s say Wordpress or FlatPress) and if they use an old version with vulnerabilities then that site can be hacked by traditional attack vectors.

gAtO can’t wait till USCyberLabs.com will have a sandbox in the .onion were we can have a honeypot for people to hack and learn from  (we need funding for these projects)

gAtO has not tried Backtrack 5 on ToR-.onion network – mAyBe sI -nO – uscyberlabs.com has been hacked a few times already and is consistently fighting bot’s and spammers, and so it goes everywhere...

Here are some technologies used in the ToR-.onion network:

Anyway, I hope this opens up the mystery of a hidden service in ToR – it’s just a website, you go to a rendezvous point and do your business — your IP and the business IP are totally secure. No digital breadcrumbs.

Now a word to the wise - in the ToR-.onion network you have some very tech savvy people and some are very stupid, so be a critical cyber user alway.

gAtO oUt...

Cross-posted from US Cyber Labs

Possibly Related Articles:
Information Security
Tools Network Security IP Address Website Security Anonymity TOR online safety WhoIs Onion Network
Post Rating I Like this!
Plagiarist Paganini Great Post!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.