Message-ID: <54134ECB.2080301@infosecurity.ch>
Date: Fri, 12 Sep 2014 15:51:39 -0400
From: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <20140911101248.4C48C290C1@scatolo>
In-Reply-To: <20140911101248.4C48C290C1@scatolo>
X-Forwarded-Message-Id: <20140911101248.4C48C290C1@scatolo>
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: [tor-talk] Someone is crawling TorHS Directories: Honeypot

Hi,

About a month ago I wanted to verify if someone is actively crawling
TorHS that are inside the memory of Tor HS directories.

So, I've set up a small Tor Hidden Service Honeypot at home with unknown,
unpublished, non-publicly-linked TorHS, with a relatively simple setup:
- Set up 30 Tor HS (just to increase the chance to be on different TorHSDir)
- Redirected all of them to 127.0.0.1:80
- Set up inetd on port 80 executing a small shell script,
/usr/local/bin/honeypot.sh

With such a setup, if someone connected to my TorHS, it would for sure
be a malicious user whose primary goal is to harvest TorHS addresses
for research or intelligence purposes.

To know about such a TorHS address, the attacker must be running a
malicious Tor Relay acting as a TorHS Directory, with Tor's code
modified to dump the TorHS list from RAM, and then harvest them
with an HTTP client/script/crawler.

The shell script honeypot.sh just does the following:
- executes date
- reads the incoming request
- writes those data to a log file
- answers 404 Not Found to the client
- sends me an email

Yesterday I received my first email from the honeypot; the report is below.

It would be nice to extend this concept to proactively detect and
identify who's running such malicious Tor Relays by logging/mapping
every HSDir that is selected/rotated for such Tor Hidden Services.

-------- Original message --------
Subject: 	ALERT from Honeypot TorHS
Date: 	Thu, 11 Sep 2014 10:12:48 +0000 (UTC)
From: 	root@pietrosanti.it (root)
To: 	fabio.pietrosanti@logioshermes.org



Thu Sep 11 10:12:48 UTC 2014
yefc7p6pv3lsvqrn.onion
GET / HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: yefc7p6pv3lsvqrn.onion
Accept: */*



-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

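What such an inetd handler looks like, written here as an added example and not the author's actual honeypot.sh: it reads the request the crawler sent, appends the timestamp, onion name and request to a log (the same three things the report above shows), answers 404, and mails the record. The log path, alert address and the inetd.conf line are assumptions.

```sh
#!/bin/sh
# honeypot.sh: an inetd-style handler in the spirit of the one the post
# describes. inetd hands the accepted socket to the script as stdin/stdout, so
# the HTTP request arrives on stdin and anything printed goes to the client.
# Log path, alert address and the "serve" argument are assumptions, not from the post.
LOGFILE="${HONEYPOT_LOG:-/var/log/torhs-honeypot.log}"
ALERT_TO="${HONEYPOT_ALERT_TO:-root@localhost}"

# Read the request line and headers up to the blank line ending the header
# block. Strips CRs and caps the line count so a client that never sends the
# terminator, or floods headers, cannot hang the handler or bloat the log.
read_request() {
    cr=$(printf '\r')
    n=0
    while [ "$n" -lt 64 ] && IFS= read -r line; do
        line=${line%"$cr"}
        [ -z "$line" ] && break
        printf '%s\n' "$line"
        n=$((n + 1))
    done
}

# The onion name the client asked for, taken from its Host: header.
onion_from_request() {
    printf '%s\n' "$1" | awk 'tolower($1) == "host:" { print $2; exit }'
}

# Append one record (timestamp, onion, full request) to the log file $1.
log_request() {
    {
        date -u
        onion_from_request "$2"
        printf '%s\n\n' "$2"
    } >>"$1"
}

# The only answer the client ever gets: a bodyless 404.
send_404() {
    printf 'HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n'
}

# inetd.conf line (assumed): http stream tcp nowait nobody /usr/local/bin/honeypot.sh honeypot.sh serve
if [ "${1:-}" = "serve" ]; then
    req=$(read_request)
    log_request "$LOGFILE" "$req"
    send_404
    # Alert the operator, as the post's script did, if a mailer is installed.
    command -v mail >/dev/null 2>&1 &&
        printf '%s\n' "$req" | mail -s "ALERT from Honeypot TorHS: $(onion_from_request "$req")" "$ALERT_TO"
fi
```

Because every one of these services is unpublished, any hit at all is the signal; the logged Host: header tells you which of the 30 onions (and so which HSDir set) leaked.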