SDL Episode107

From Paul's Security Weekly

Recorded on April 22, 2019 at G-Unit Studios in Rhode Island!

  • Russell Beauchemin
    Cybersecurity & Network Security Program Advisor and Director of Instructional Support & Learning Innovation at Roger Williams University.
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Announcements

    • Register for our upcoming webcasts by going to . If you have missed any of our previously recorded webcasts, you can find our on-demand library at Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to and enter your suggestions!

    Topic: Getting Started: Dark Web

    So, let's get started by talking about what "the dark web" actually is. It's really nothing different from the same old interweb you know and love, but the idea was: what if there were an unindexed, unsearchable part of the internet? Wouldn't that be creepy and cool?

    I figure the original idea was simply to create a playground for people who understood TCP/IP pretty well and take it from there. So, initially, we eliminate the idea of the URL. The way URLs work is that a domain name service server like BIND is connected to the network of DNS servers (running on port 53), and A records etc. are entered there to map IP addresses from the public space into names like So, if we simply don't use names, we have already eliminated some massive portion of the population who can't figure out four 8-bit octets. We still have to follow the basic rules, since if we wanted to get over into that realm without using the backbone of the world, we would basically have to string wire everywhere and run our own network.

    So, instead let's just use a concept called "treehouse", which came from some old fantasy novels where hackers changed their IP addresses on a rotating basis and you had to keep up. This is the same way they used to broadcast information on radio during WWII: they had the next frequency embedded in the earlier broadcast. The idea was to keep people who shouldn't be there in the first place guessing.

    The second step in this process was to force the use of obfuscation of your own IP information by using TOR browser ( This is a web browser that has a built-in obfuscation mechanism based on the old mixmaster concept for hiding email. It basically bounces your connection around and then finds a VPN endpoint that is acceptable to dark web sites. Basically, the TOR or .onion network has an entry node somewhere, so you form a connection to that entry node. Then, after the entry, all your traffic is not only encrypted after the entry point but is then bounced around through a bunch of "random" nodes inside the TOR network. After the shuffling, there is also some "exit" from the TOR network back onto the regular internet. Thus, the source of this traffic is obfuscated, and if you set it up correctly, then your identity is theoretically secure.

    Now, this may mean that you can't use a lot of normal services like Netflix or Hulu and it may also mean that you have a slower connection due to all the additional relays. It doesn't support UDP so you can't set up services using that protocol.

    Does it work? Well, it should. Understand that if you type your name and address on a web site, this doesn't protect you. It does convolute the source of traffic so that the destination log shows the traffic being sourced from the exit point node. It's also worth noting that these exit points change a LOT since they get blacklisted pretty regularly. But! This does nothing to actually hide anything you give up, so be careful. Likewise, the TOR browser itself is "secure". That means it doesn't allow cookies, record browsing history, or allow scripts to run. But, be warned, setting up truly anonymous TOR takes some effort, and you had better test it to make sure if you want to remain anonymous when you are doing undercover work.

    Anonymous! Why do you need to be anonymous? Well, the whole idea appeals to some people who don't like corporations collecting their information and tracking their browsing. The concept wasn't developed by Tor to allow for illegal activity, it was more an "off the grid" kind of thing. Same as the ideas for bitcoin. Can you use bitcoin for illegal stuff? Sure, but some people just wanted to have anonymity and the same was true of TOR. Can't I just buy some shampoo without the government, amazon, facebook, and google all having the information that I bought expensive gene edited shampoo designed to make me look like Fabio and my next search was "how to remove eyelid hair?"

    So, once you have the TOR browser installed per the setup, the next step is to test Tor and ensure that you are hidden. The best way to do this is to set up your own web server and logging. For instance, if we go to straight up and then use TOR to go to the same site, we should be able to review the logs there (this is my site) and see what it looks like. I would strongly suggest you analyze the packets carefully to see just how anonymous it really is.

    There are two main ways to get information on TOR users:

    • Get you to give it up yourself. So, say you have a TOR connection via the mixmaster and then you form a connection to my website. One trick would be to simply say "your browser is not supported, if you really want to see this material, use Chrome." If you foolishly switch over, boom.
    • The FBI can apparently obtain warrants to "hack" TOR relays. If those have logs, etc., and they have enough time and warrants, I guess they could back trace it or log traffic on those boxes. But we aren't here to do illegal things.

    Once you have established yourself, you are essentially on the "dark web". I want to say, this is not any different from the regular web; you are just anonymized. The actual dark web sites are then a collection of non-indexed sites. What that means is the web sites don't want to be crawled by spiders indexing pages. If you put up a page with a spider trap on it, you will quickly see how many times your site is crawled by Google, Bing, etc. These spiders basically find new listings and then crawl the links in your site. Most people want this, since they put up a page so that other people can find it. But on the dark web, well, they don't.
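    As an added example (not part of the show notes), a small Python script that does the two log checks described above: it parses constructed Apache combined-format lines from your own test server, flags whether each hit arrived from your real address or from a Tor exit node, and lists any client that followed the hidden spider-trap link. The exit set, the real address and the trap path are placeholders you would replace; the Tor Project publishes the current exit list at check.torproject.org/torbulkexitlist.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines (not real traffic): a direct visit,
# a visit through a Tor exit, and a crawler that followed the hidden trap link.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2019:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
198.51.100.42 - - [22/Apr/2019:10:05:13 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
192.0.2.200 - - [22/Apr/2019:10:07:44 -0400] "GET /do-not-follow/ HTTP/1.1" 200 12 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Placeholders: load the Tor Project's published exit list (check.torproject.org/torbulkexitlist)
# into TOR_EXITS and put the address you browse from into MY_REAL_IP.
TOR_EXITS = {"198.51.100.42"}
MY_REAL_IP = "203.0.113.7"
TRAP_PATH = "/do-not-follow/"  # linked invisibly and Disallowed in robots.txt; humans never request it

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse_line(line):
    """Return (ip, method, path, status, user_agent), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, ua = m.groups()
    return ip, method, path, int(status), ua

def classify_source(ip, exits=TOR_EXITS, real_ip=MY_REAL_IP):
    """Where does the destination server think the request came from?"""
    if ip == real_ip:
        return "direct"    # your own address; if you expected Tor, this is a leak
    if ip in exits:
        return "tor-exit"  # what a working Tor circuit looks like from the far end
    return "other"         # unknown address: re-check the exit list before trusting it

def audit(log_text):
    """Count request sources and list every client that took the trap link."""
    sources, trapped = Counter(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip junk rather than crash on one odd line
        ip, _, path, _, ua = rec
        sources[classify_source(ip)] += 1
        if path == TRAP_PATH:
            trapped.append((ip, ua))
    return sources, trapped
```

    Run `audit()` over the real access log after visiting the site once directly and once through the Tor browser: you want exactly one "direct" hit and the Tor visit counted as "tor-exit", not a second "direct".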

    So, how do you find dark web pages? There are no official search engines, and maybe GRAM works and maybe it doesn't. The sites change constantly so they can't be traced, so there is an ever-shifting network of sites. Oftentimes the sites themselves, if they have names, use hashes or other cryptic means to disguise themselves. Silk Road, Alpha Bay, etc. were all sites that were being used on the dark web to sell drugs, child porn, you name it. So, how? Well, the hidden wiki ( has listings. You can search regular engines for information (check the dates on articles since they may be old) and you can start getting links to places to surf the dark web.

    Be warned:

    • Anonymous browsing doesn't protect you from malware or from giving up your data.
    • Giving bitcoin to anonymous strangers via the dark web does not guarantee that they will actually send you a pound of iguana meat and there is no customer service department contact information.
    • If you buy illegal stuff and have it sent to you it still has to go through shipping, customs, shipping again, and delivery. If one of your lovely neighbors steals your iguana meat delivery and is so outraged they decide to call the FBI, well...

    Advice for browsing for fun:

    Set up VMs to use for this. I am just NOT going to put this on my regular use machines. So:

    1. Build out a VM template machine and install TOR.
    2. Create a VM from the template for each use.
    3. Browse.
    4. Set up throwaway email addresses for use on the dark web and throw them away after each use.
    5. When you are done, destroy the VM and remove it from the disk.

    If you buy anything, you're on your own. Don't ever give out any personal information on the dark web. If you have to register, use your throwaway email address. You can only use bitcoin or other cryptocurrency, so if anyone is asking for your information, well, I wouldn't.

    So, what is the legitimate use of this place?

    1. Collecting intelligence seems to be a big one. Monitoring hacker chat rooms (which are filled with intelligence officers these days) seems popular for a lot of companies advertising the service.
    2. Malware hunting, collection, reverse engineering
    3. Trying to keep up to date by lurking in hack rooms/malware rooms

    So, mostly, intelligence gathering. Beyond that, well, if you really feel that you have to use Amazon with TOR, you may be ready to move to a cabin in the deep dark woods with no internet connection, or one of those sea homes off the coast of Thailand.