# Tor and how to be anonymous online
## I. Introduction
The hidden world of the Darknet is not entered through any gate, but through **TOR (The Onion Router)**. The term **onion** refers to the layers of encryption that wrap the information and must be peeled away one at a time.

*Illustration of how the data/message is wrapped - Source: Wikipedia*
### Bright spots on the Darknet
The core principle of TOR, Onion routing, was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, to protect U.S. intelligence communications online.
Because this anonymity technique was developed to defend intelligence communications, the Darknet is not all about creepy, prohibited content. While there is no shortage of dreadful content beneath the surface of this net, some sites have real value and deserve general attention.
**1. The chess**

"The chess" is a dark site devoted to completely anonymous games of chess. You can take part in unlimited real-time games against strangers or discuss strategy in dedicated forums.
**2. The CIA**

The US Central Intelligence Agency (CIA) has an onion website with a "Contact Us" form. The site promises to "Carefully safeguard all information you provide, including your individuality".
**3. Ad-free search**

There are many darknet search engines, but most are research projects that try to index onion websites. Nearly all of the deep net remains unreachable by any means other than wiki lists. Engines such as DuckDuckGo's onion service crawl the outside net while shielding the Tor user's anonymity.
#### How onion routing works

*Illustration of how the onion routing works*
***Note: N2N = node to node***
* First, the Tor proxy on your machine contacts the directory servers on the Internet, which list all of the nodes available in the Tor network. It downloads this information and uses it to build a circuit.
* Next, it selects an **Entry node** and establishes a secured connection to it (using a TLS key). The Tor proxy then establishes an N2N key with the chosen entry node. Once the TLS connection to the entry node is up, it attempts to build a circuit. The first message it sends is a "Create" request to the entry node, which the entry node answers with a "Created" response. At this point a circuit exists between the Tor proxy and the entry node, and a session key has been established just for that link.
* Once that has been accomplished, the Tor proxy needs to add another hop, the **Middle node**. Because every Tor node keeps a TLS connection with other Tor nodes, the link from the entry node to the middle node is already present. The Tor proxy sends a message to the entry node "instructing" it to extend the circuit to the middle node. When the entry node receives this message it unwraps it using **session key number 1**, which only the Tor proxy and the entry node know. It sees that it is being instructed to extend the circuit, sends a create request to the middle node, and the middle node answers the entry node with a "circuit created" response. The entry node encrypts that response with **session key number 1** and sends it back to the Tor proxy, indicating that the circuit has been extended. This message also carries **session key number 2**, shared only between the Tor proxy and the middle node.
* Finally, the Tor proxy selects an **Exit node**, chosen based on availability and certain rules, and sends a "relay" request to the entry node. The entry node unwraps it with **session key number 1** and finds another "relay" request inside, which it passes to the middle node. The middle node unwraps that request with **session key number 2** and finds an "extend" request specifying the exit node. The exit node is contacted, and back through the chain it returns a session key that only the Tor proxy and the exit node can use to communicate, **session key number 3**. This key is also used to validate that the data coming into the Tor proxy is the same data that was sent out of the exit node.
We now have a set of tunnels that unwrap the layers of an onion. At this point, a request can be sent from the browser to the Tor proxy, which wraps it in three layers of encryption using the three different session keys and sends it through the three nodes, with each node unwrapping one layer.
## II. Accessing the darknet - Dark Web
The Internet has become a basic necessity, not only for modern business but also for our daily lives. Most of us use it every day, yet we are unaware of how it functions at a fundamental level.
### Internet levels
The Internet can be divided into three levels:
* The surface web: the websites we navigate daily, available via ordinary search engines like Google and Yahoo. Most experts estimate that this comprises only 4% of the Web.
* The deep web: the remaining 96% of the Web, which cannot be reached via ordinary search engines.
* The dark web: though technically part of the deep web, it can be considered a level of its own, designed for anonymity.
### The Deep Web
The deep web is comprised of content not indexed by surface search engines. This includes the content of your social media or personal email accounts, companies' databases, medical records and banking information. While some of this data cannot be accessed at all, the rest can or must be obtained with login credentials.
### The dark web
The dark web is the part of the deep web that is purposefully concealed. It is only available with specific software and protocols. Some examples of darknets include: The Onion Router (TOR), Invisible Internet Project (I2P), Freenet, Zeronet, …
Because of its anonymity, the dark web is used by many people involved in illegal activities: hackers, stolen-data vendors, counterfeiters, gamblers, terrorists, hitmen, illegal pornographers, contraband traders, ... However, people also use the dark web for legitimate reasons such as journalism, whistleblowing, investigation or bypassing censorship in countries where the Internet is strictly controlled.
### Deep web vs dark web
The terms deep web and dark web are sometimes used interchangeably. This causes confusion among the general public. When speaking of the deep web, most people think of websites used by drug dealers, hitmen or human traffickers. In reality this description is more accurately (though not 100% accurately) applied to the dark web.
The deep web is a lot more mundane. Even a Facebook post you shared privately belongs to the deep web. Such pages are "deep" because they cannot be found by search engines; in most cases this is because they are password-protected.
## III. Step by step guide to safely accessing the Dark Net and Deep Web
Some experts estimate that the deep web contains 500 times more content than Google indexes. Though it can be dangerous to navigate, the deep web and dark net can be used for legitimate purposes.
### Tor
Widely considered the best way to access the dark web, Tor is a network of volunteer relays through which the user’s internet connection is routed. The connection is encrypted and all the traffic bounces between relays located around the world, making the user anonymous.
Tor browser is the easiest way to access Tor. It can be downloaded for free from Tor’s official website. The browser is available on Windows, Mac, Android and Linux. Third-party mobile browsers that utilize the Tor Network exist but are advised against by many experts.
### How Tor works
Tor works by sending your traffic through at least three random servers (also known as relays) in the Tor network. The last relay in the circuit (the “exit relay”) then sends the traffic out onto the public Internet.
Your browser sends a message wrapped in several layers of encryption into the Tor network. At each relay one layer of encryption is removed and the message is forwarded to the next relay, until the unencrypted message is sent to the server.
When the server sends a response, the reverse process applies. The response is received by the exit relay, which encrypts it and forwards it to the middle relay. At each relay a layer of encryption is added, until the message reaches you, the only party holding all the keys needed to decrypt it.

Because of this layered, onion-style routing technique, none of the relays has access to the full picture:
* The first relay (guard relay) only knows that you are using Tor.
* The middle relay(s) have no information about the client or the server.
* The exit relay only knows that someone is using the service provided by the server.
This routing technique is also where Tor gets its name.
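The circuit construction described in section I ("Create"/"Created" with the entry node, then "extend" requests tunnelled through the hops already built, each yielding a session key known only to the proxy and that hop) and the layered wrapping and peeling described in this section can be watched in one small runnable model. The Python below is an added example, not Tor's code or the author's: it stands in for Tor's ntor handshake with a toy Diffie-Hellman over the prime 2^127 - 1, for Tor's AES-CTR relay-cell encryption with a SHA-256 keystream XOR (both constructed for illustration, neither fit for real use), and for the destination server with the exit relay echoing the request upper-cased. The relay names, the cell tags (`EXTEND`, `EXTENDED`, `DATA`, `RESP`), the plaintext-tag "recognized" check (Tor uses a digest field instead) and the log strings are assumptions of this model.

```python
import hashlib
import os
import secrets

# Toy Diffie-Hellman group (2**127 - 1 is prime) so the handshake runs instantly.
# Constructed for illustration only; real Tor uses the ntor handshake on Curve25519.
P, G, HALF_LEN = 2**127 - 1, 2, 16


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher: XOR with SHA-256(key || nonce || counter) blocks. Symmetric,
    so one call adds a layer and the same call peels it. Stand-in for Tor's AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv: int, other_half: int) -> bytes:
    return hashlib.sha256(pow(other_half, priv, P).to_bytes(HALF_LEN, "big")).digest()


class Relay:
    def __init__(self, name: str, directory: dict):
        self.name, self.directory = name, directory
        self.keys = {}       # circuit id -> session key shared only with the client
        self.next_hop = {}   # circuit id -> Relay this circuit was extended to
        self.log = []        # everything this relay is able to observe

    def handle_create(self, circ_id: int, prev_hop: str, client_half: int) -> int:
        """CREATE cell: finish the handshake, keep the key, answer CREATED with our half."""
        priv, half = dh_keypair()
        self.keys[circ_id] = session_key(priv, client_half)
        self.log.append(f"circuit {circ_id} created, previous hop = {prev_hop}")
        return half

    def handle_relay(self, circ_id: int, cell: bytes) -> bytes:
        """Peel one layer with our key; act on the cell if it is for us, else forward it."""
        inner = xor_stream(self.keys[circ_id], cell[:8], cell[8:])
        if inner.startswith(b"EXTEND:"):
            _, name, half = inner.split(b":", 2)
            nxt = self.directory[name.decode()]
            self.next_hop[circ_id] = nxt
            self.log.append(f"extend circuit {circ_id} to {nxt.name}")
            created = nxt.handle_create(circ_id, self.name, int.from_bytes(half, "big"))
            reply = b"EXTENDED:" + created.to_bytes(HALF_LEN, "big")
        elif inner.startswith(b"DATA:"):
            # Exit role: plaintext leaves the network here; the "server" echoes it upper-cased.
            self.log.append(f"deliver to destination: {inner[5:]!r}")
            reply = b"RESP:" + inner[5:].upper()
        else:
            self.log.append("forward opaque cell to next hop")   # not for us: still wrapped
            reply = self.next_hop[circ_id].handle_relay(circ_id, inner)
        nonce = os.urandom(8)
        return nonce + xor_stream(self.keys[circ_id], nonce, reply)  # add our layer going back


class Client:
    def __init__(self, directory: dict):
        self.directory, self.circ_id, self.keys, self.entry = directory, 1, [], None

    def wrap(self, plaintext: bytes) -> bytes:
        cell = plaintext
        for key in reversed(self.keys):       # last hop's layer goes on first (innermost)
            nonce = os.urandom(8)
            cell = nonce + xor_stream(key, nonce, cell)
        return cell

    def unwrap(self, cell: bytes) -> bytes:
        for key in self.keys:                 # entry added its layer last, so peel it first
            cell = xor_stream(key, cell[:8], cell[8:])
        return cell

    def build_circuit(self, path: list):
        self.entry = self.directory[path[0]]
        priv, half = dh_keypair()             # CREATE/CREATED straight to the entry node
        self.keys.append(session_key(priv, self.entry.handle_create(self.circ_id, "client", half)))
        for name in path[1:]:                 # telescope: EXTEND through the hops we already hold
            priv, half = dh_keypair()
            req = b"EXTEND:" + name.encode() + b":" + half.to_bytes(HALF_LEN, "big")
            resp = self.unwrap(self.entry.handle_relay(self.circ_id, self.wrap(req)))
            if not resp.startswith(b"EXTENDED:"):
                raise RuntimeError("circuit extension failed")
            self.keys.append(session_key(priv, int.from_bytes(resp[9:], "big")))

    def send(self, data: bytes) -> bytes:
        return self.unwrap(self.entry.handle_relay(self.circ_id, self.wrap(b"DATA:" + data)))


def run_demo(message: bytes):
    """Build a 3-hop circuit, send one message, return (reply, client, relays by name)."""
    directory = {name: None for name in ("entry", "middle", "exit")}
    for name in directory:
        directory[name] = Relay(name, directory)
    client = Client(directory)
    client.build_circuit(["entry", "middle", "exit"])
    return client.send(message), client, directory


if __name__ == "__main__":
    reply, _, relays = run_demo(b"GET / HTTP/1.1")
    print("client got:", reply)
    for r in relays.values():
        print(r.name, "saw:", r.log)
```

Running it prints the reply and each relay's log. The logs show what the section claims: the entry relay knows the client and the middle relay, the middle relay knows only its two neighbours, and the exit relay sees the plaintext request but never the client; the only session key each relay holds is its own, so no relay can peel a layer meant for another hop. Each layer carries its own fresh nonce so the toy keystream is never reused across cells, which is the mistake a naive reimplementation would make.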
### Tor alternatives
I2P is a (less popular) anonymous network that serves as an alternative to Tor. Unlike Tor, it can only reach hidden services specific to the I2P network. I2P cannot access .onion sites because it is a separate network from Tor; instead it uses its own kind of hidden sites called "eepsites". I2P is harder to use than Tor and requires more setup. However, it is much faster and more reliable than Tor for some technical reasons.
Like I2P, Freenet is a self-contained network within the network that can't be used to access sites on the public web. Unlike I2P and Tor, you don't need a server to host content. Once you upload something, it stays there indefinitely even if you stop using Freenet, as long as it remains popular.
### VPN
A virtual private network (VPN) can be used in conjunction with Tor to further increase the security and anonymity of the user. Tor emphasizes anonymity, while a VPN emphasizes privacy.
Although websites can't identify you and ISPs can't decrypt your internet traffic, they can see that Tor is being used. This can raise suspicion and draw unwanted attention. It can be avoided by using a VPN: your ISP will then not see that you are connected to a Tor node, only an encrypted tunnel to a VPN server.
### Tor over VPN vs VPN over Tor

Tor over VPN is when you connect to a VPN before opening Tor Browser. This is the more popular method of the two and is better for accessing **.onion** sites. Your device's traffic first goes to the VPN server, then travels through the Tor network before arriving at the final destination.
VPN over Tor is far less popular. Internet traffic first passes through the Tor network, then through the VPN, and finally reaches the destination.
| Tor over VPN | VPN over Tor |
| -------- | -------- |
| You trust your VPN provider | You trust your ISP |
| Your ISP doesn't know you are using Tor | Your ISP knows you are using Tor |
| Does not protect you from malicious exit relays | Protects you from bad exit relays |
| Available with most VPN providers | Only available with a few VPN providers |
| Your VPN provider might log your metadata | Your VPN provider doesn't know your IP address |
### Navigating the darknet
With your VPN and Tor connected, you can now start browsing the dark web. Instead of the ordinary **.com** or **.org** domain, darknet websites have the distinct top-level domain **.onion**. They also have long and seemingly meaningless URLs.
Locating these sites will be your first challenge. They will not show up in Google search results. There are, however, a handful of dark net search engines that do index **.onion** sites, such as NotEvil, Ahmia, Candle, … Reddit is also a valuable resource for finding darknet or deep web sites, with many subreddits such as /r/deepweb, /r/onions, and /r/Tor.
Another precaution is to make sure your .onion URL is correct. Because HTTPS is rarely used on the darknet, verifying whether a website is genuine using an SSL certificate is not feasible. This means there is an abundance of scams, phishing sites and malware.
This can be mitigated by verifying the URL from multiple sources. You should also save the URL in an encrypted note, as the Tor browser will not cache it for later, to avoid phishing scams.
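One mechanical check that supports "make sure your .onion URL is correct" is to validate the address's own structure: a version-3 onion address is base32 of the service's 32-byte ed25519 public key followed by a 2-byte SHA3-256 checksum and a version byte (0x03), which is why every v3 address is 56 characters before ".onion" and always ends in "d". The Python below is an added example, not Tor's code or the author's, implementing that layout from the Tor rendezvous v3 specification; the sample key it encodes is constructed for the demonstration and belongs to no real service. A passing address is only self-consistent (no typo, no truncation, not a deprecated 16-character v2 name); it says nothing about whether it is the service you intended, so the cross-checking from several sources above still applies.

```python
import base64
import hashlib

# v3 onion address layout: base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   PUBKEY   = 32-byte ed25519 public key
#   CHECKSUM = first 2 bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)
#   VERSION  = 0x03
# 35 bytes -> exactly 56 base32 characters, and the trailing version bits always give "d".
ONION_V3_HOST_LEN = 56
CHECKSUM_PREFIX = b".onion checksum"
VERSION = b"\x03"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address for a 32-byte public key (used here only to create sample input)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(hostname: str):
    """Return the 32-byte public key if hostname is a well-formed v3 onion address, else None."""
    host = hostname.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_V3_HOST_LEN or not set(host) <= BASE32_ALPHABET:
        return None          # wrong length (e.g. a 16-char v2 name) or characters outside base32
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != onion_v3_checksum(pubkey):
        return None          # a mistyped character breaks the checksum or the version byte
    return pubkey


if __name__ == "__main__":
    # Constructed sample key, not any real service's key.
    sample = encode_onion_v3(bytes(range(32)))
    for candidate in (sample, sample[:-7] + "a.onion", "abcdefghijklmnop.onion"):
        print(candidate, "->", "valid v3" if parse_onion_v3(candidate) else "rejected")
```

Feeding it an address copied from two independent sources and getting the same public key back is a cheap way to catch a transcription error before you visit; it does not defend against a deliberately registered look-alike address, which has a perfectly valid checksum of its own.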
You can now safely browse dark websites and hidden wikis. However, to do anything more than that, you'll need to take several precautions. If you plan to make a purchase on a darknet marketplace, you'll need to create a fake identity.
To do this, you need to set up an encrypted email account with a new address, encrypt messages with PGP, use a pseudonym and disable JavaScript in Tor Browser. Another step is setting up an anonymous bitcoin wallet, because cryptocurrency is almost the only accepted currency.
## IV. OSINT Tools for the Dark Web
### Dark Web Search Engine Tools
+ Katana - https://github.com/adnane-X-tebbaa/Katana
+ OnionSearch - https://github.com/megadose/OnionSearch
+ Darkdump - https://github.com/josh0xA/darkdump
+ Ahmia Search Engine - ahmia.fi, https://github.com/ahmia/ahmia-site
+ DarkSearch - https://darksearch.io/, https://github.com/thehappydinoa/DarkSearch
### Tools to get onion links
+ Hunchly - https://www.hunch.ly/darkweb-osint/
+ Tor66 Fresh Onions - http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion/fresh
### Tools to scan onion links
+ Onionscan - https://github.com/s-rah/onionscan
+ Onioff - https://github.com/k4m4/onioff
+ Onion-nmap - https://github.com/milesrichardson/docker-onion-nmap
### Tools to crawl data from the Dark Web
+ TorBot - https://github.com/DedSecInside/TorBot
+ TorCrawl - https://github.com/MikeMeliz/TorCrawl.py
+ VigilantOnion - https://github.com/andreyglauzer/VigilantOnion
+ OnionIngestor - https://github.com/danieleperera/OnionIngestor
## V. Threat Intelligence
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice, about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject's response to that menace or hazard.
Threat intelligence enables us to make faster, more informed, data-backed security decisions and shifts security teams from reactive to proactive in the fight against threat actors.
### Why is it important?
The cybersecurity industry faces numerous challenges — increasingly persistent and devious threat actors, a daily flood of data full of extraneous information and false alarms across multiple, unconnected security systems, and a serious shortage of skilled professionals.
Some organizations try to incorporate threat data feeds into their network, but don’t know what to do with all that extra data, adding to the burden of analysts who may not have the tools to decide what to prioritize and what to ignore.
A cyber threat intelligence solution can address each of these issues. The best solutions use machine learning to automate data collection and processing, integrate with your existing solutions, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors.
Threat intelligence is actionable — it’s timely, provides context, and is able to be understood by the people in charge of making decisions.
In short, threat intelligence is important for the following reasons:
- Enables security teams to make better decisions
- Empowers cyber security stakeholders by revealing adversaries' motives and their tactics, techniques, and procedures (TTPs)
- Helps security professionals better understand the threat actor's decision-making process
- Empowers business stakeholders, such as executive boards, CISOs, CIOs and CTOs, to invest wisely, mitigate risk, become more efficient and make faster decisions
### Who benefits from it?
Threat intelligence benefits organizations by helping them process threat data to better understand their attackers, respond faster to incidents, and proactively get ahead of a threat actor's next move.
For SMBs, this data helps them achieve a level of protection that would otherwise be out of reach. On the other hand, enterprises with large security teams can reduce cost and the skills required by leveraging external threat intel, making their analysts more effective.
## VI. Impact of DarkNet on Cybersecurity
Not to be confused with the deep net as a whole, the dark net is a set of thousands of sites that cannot be reached through regular search engines (Google, Yahoo, Bing, ...) and therefore needs specific tools and apps to access.
The history of the darknet predates the 1980s, and the term was originally used to describe computers on ARPANET that were hidden and programmed to receive messages but which did not respond to or acknowledge anything, thus remaining invisible, or in the dark. Since then, “darknet” has evolved into an umbrella term that describes the portions of the internet purposefully not open to public view or hidden networks.
The DarkNet’s evolution can be traced somewhat to the U.S. military. The most common way to access the darknet is through tools such as the Tor network. The network routing capabilities that the Tor network uses were developed in the mid-1990s by mathematicians and computer scientists at the U.S. Naval Research Laboratory with the purpose of protecting U.S. intelligence communications online.
Uses of the darknet are nearly as wide and as diverse as the internet: everything from email and social media to hosting and sharing files, news websites and e-commerce. Accessing it requires specific software, configurations or authorization, often using nonstandard communication protocols and ports.
The reputation of the dark web has often been linked to criminal intent or illegal content, and "trading" sites where users can purchase illicit goods or services. However, legal parties have made use of this framework as well.
When it comes to dark web safety, the deep web dangers are very different from dark web dangers. Illegal cyber activity cannot necessarily be stumbled upon easily but tends to be much more extreme and threatening if you do seek it out.
Malware and ransomware are equally popular. The notorious WannaCry global ransomware campaign had its C2 (command-and-control) servers hosted on the darknet. In addition, just like their botnet and DDoS brethren, malware and ransomware have their own "pay for play" services which dramatically simplify the process of launching a ransomware campaign. Numerous ransomware services exist that allow a user to simply specify the ransom amount and add notes/letters, after which the user is provided a simple executable to send to victims.
Furthermore, illegal users can seek out three clear benefits from dark web usage:
- User anonymity
- Virtually untraceable services and sites
- Ability to take illegal actions for both users and providers
### Steps to protect yourself and your business from the Dark Net
* Don't enter sensitive information on public computers.
* Keep passwords safe (don't write them down), and change them often.
* Never email sensitive information such as social security numbers, credit card numbers or bank accounts, and driver's license information.
* Stay away from insecure sites such as those without Secure Sockets Layer (SSL) — especially if the site sells products and services, or asks for financial information. You can check whether a website uses an SSL certificate by looking at its URL. If it begins with "https" instead of "http", the site is secured using an SSL certificate (the "s" stands for secure).
* Use gift cards or other secure payment methods not attached to your bank account.
* Do not reply to unsolicited email messages.
* Ensure you know all recipients when replying to or sending an email message.
* Use computing and browsing devices that have current anti-malware and firewall protection.
* Refrain from publishing personal information on social networks.