In-Reply-To: <54134ECB.2080301@infosecurity.ch>
References: <20140911101248.4C48C290C1@scatolo>
 <54134ECB.2080301@infosecurity.ch>
Date: Sun, 9 Nov 2014 14:27:08 -0500
Message-ID: <CAD2Ti2-bdPXmbFBnbaOd2pwR_aQW92YvRcVBnm-3PrEGuW+NMg@mail.gmail.com>
From: grarpamp <grarpamp@gmail.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Someone is crawling TorHS Directories: Honeypot

On Fri, Sep 12, 2014 at 3:51 PM, Fabio Pietrosanti (naif)
<lists@infosecurity.ch> wrote:
> About a month ago I wanted to verify if someone is actively crawling
> TorHS that are inside the memory of Tor HS directories.
>
> So, I've set up a small Tor Hidden Service Honeypot at home with unknown,
> unpublished, non-publicly-linked TorHS, with a relatively simple setup:

> With such setup if someone would connect to my TorHS, it would be for
> sure a malicious user whose primary goal is to harvest TorHS addresses
> for research or intelligence purposes.

> To know about such TorHS address the attacker must be running a
> malicious Tor Relay acting as a TorHS Directory, with Tor's code
> modified to dump from the RAM memory the TorHS list, then harvest them
> with an http client/script/crawler.

> Yesterday I received my first email from the honeypot, report below.

> It would be nice to extend this concept to proactively detect and
> identify who's running such malicious Tor Relays by logging/mapping
> every HSDir that is selected/rotated for such Tor Hidden Services.

> GET / HTTP/1.1

There are two other honeypot-able events before such TCP
packets are ever even sent over the circuit to appear at the HS host's
stack via HiddenServicePort VIRTPORT TARGET:
- request for descriptor from HSDirs (you can't see this)
- making the HS circuit between client and HS (you can see this negotiation)
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
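The second of the two events above, the rendezvous circuit the service builds after a client introduces itself, is visible on the service's own Tor control port as CIRC events. The following is an added example, not code from either poster: it parses constructed control-port CIRC lines and flags service-side rendezvous circuits (PURPOSE=HS_SERVICE_REND), so a honeypot like the one described can log a visitor before any HTTP request arrives. The sample event lines and fingerprints are constructed for illustration.

```python
# Added example (not from the thread): classify Tor control-port CIRC events so an
# onion-service honeypot can log a visitor at circuit-build time, before any TCP
# data reaches the HiddenServicePort target. Layout: 650 CIRC <id> <status> [path] [K=V ...]
from collections import namedtuple

CircEvent = namedtuple("CircEvent", "circ_id status path fields")

def parse_circ(line):
    """Parse one async CIRC event line; return None for anything else."""
    tokens = line.strip().split()
    if len(tokens) < 4 or tokens[0] != "650" or tokens[1] != "CIRC":
        return None
    rest, path = tokens[4:], []
    if rest and "=" not in rest[0]:      # path token; LAUNCHED circuits have none
        path = rest.pop(0).split(",")    # entries look like $FINGERPRINT~nickname
    fields = dict(t.split("=", 1) for t in rest if "=" in t)
    return CircEvent(tokens[2], tokens[3], path, fields)

class RendezvousWatch:
    """Reports service-side rendezvous circuits: each one means a client that
    knows the onion address has introduced itself, HTTP request or not."""
    def __init__(self):
        self.seen = set()

    def feed(self, line):
        ev = parse_circ(line)
        # HS_SERVICE_INTRO circuits are the service's own intro points, not visitors.
        if ev is None or ev.fields.get("PURPOSE") != "HS_SERVICE_REND":
            return None
        notes = []
        if ev.circ_id not in self.seen:   # report each circuit once, at first sight
            self.seen.add(ev.circ_id)
            notes.append(f"visitor: rendezvous circuit {ev.circ_id} started")
        if ev.status == "BUILT" and ev.path:
            # Once built, the last hop is the rendezvous point the client chose.
            notes.append(f"circuit {ev.circ_id} reached rendezvous point {ev.path[-1].split('~')[0]}")
        return "; ".join(notes) or None

SAMPLE = [  # constructed sample lines, not captured from a real tor instance
    "650 CIRC 7 BUILT $1111~guard,$2222~mid,$3333~exit PURPOSE=GENERAL",
    "650 CIRC 12 LAUNCHED BUILD_FLAGS=IS_INTERNAL PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING",
    "650 CIRC 12 EXTENDED $1111~guard BUILD_FLAGS=IS_INTERNAL PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING",
    "650 CIRC 12 BUILT $1111~guard,$4444~mid,$5555~rp BUILD_FLAGS=IS_INTERNAL PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING",
    "650 CIRC 9 BUILT $1111~guard,$6666~mid,$7777~intro PURPOSE=HS_SERVICE_INTRO HS_STATE=HSSI_ESTABLISHED",
]

def run(lines):
    watch = RendezvousWatch()
    return [msg for msg in map(watch.feed, lines) if msg]
```

In a live setup the same `feed` method would be called with lines read from a SETEVENTS CIRC subscription on the control port; the descriptor fetch at the HSDir still leaves no trace here, as grarpamp notes.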