
All have been disclosed and fixed

A penetration tester under the name “UnhandledException,” with credit to “bl00d,” wrote an essay on hidden service deanonymization for DeepDotWeb in an effort to warn the community. In the wake of current events and in preparation for future ones, extra scrutiny is in high demand as new markets rise to fill the Alphabay and Hansa void.

In the first topic covered, UnhandledException explained where the safest place to host a hidden service would be: either a physical host controlled by the hidden service owner, or an anonymous hosting provider. UnhandledException’s proposal was to take the physical route rather than a host owned by an unaffiliated third party. (This is a controversial topic, as many believe the anonymous server route, especially an anonymous server in Russia or Kazakhstan, is the better choice.) UnhandledException backed up the decision with a set of “pros” that outlined the positives of hosting a hidden service on one’s own hardware.

[Screenshot: Screenshot_2017-07-28_19-21-55.png]

For a physical host:

  • The first argument concerned the level of control a self-owned host gives: complete control over security, “multiple levels of encryption, [setting] your own iptables rules, and hardening your permissions.”
  • Owning the hardware means no third-party host holds identifying metadata; a hosting provider would otherwise have such metadata regardless of the anonymity steps taken to keep one’s identity from it.
  • Physical devices are easily destructible in an emergency situation.
  • The ability to physically access a server allows for a smaller attack surface, since remote management ports need not be left reachable.

“You have no idea about how many hidden services are still using default credentials and standard port for [these] access points,” UnhandledException wrote, in reference to leaving ports open for SSH, FTP, etc. With credit to bl00d, UnhandledException gave a current example involving Berlusconi Market, a recently created Italian marketplace. (The marketplace looks roughly a month old, if not less.) With a Shodan search, they found the hosting provider and the server’s real IP address, simply by searching for the market name.

[Screenshot: Screenshot_2017-07-28_19-00-51.png]

They then explained web server setups and the basic mistakes they had stumbled upon, one of which occurred on the market mentioned above. UnhandledException scanned the market with nmap and found a near-default setup. The Berlusconi Market was leaking the HTTP port through an Nginx bug: requesting a directory without a trailing slash produced a redirect whose Location header contained the port the web server actually listens on. “The directory “/img” will redirect you at http://berluscqui3nj4qz[dot]onion:8080/img/,” the Ex0du$ team member wrote.

[Screenshot: Screenshot_2017-07-28_19-20-11.png]

According to UnhandledException, Apache servers can be even more dangerous than Nginx servers when default settings are in use, and hidden services apparently use default setups rather frequently. The admins of darknet markets or forums, in UnhandledException’s experience, leave the Apache modules “mod-info” and “mod-server” available for public access. The enabled modules allow anyone to visit /server-info and /server-status, respectively, pages that expose the server’s configuration and its live request activity.
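The two misconfigurations described above (the trailing-slash redirect that reveals the backend port, and publicly reachable /server-status and /server-info handlers) can be checked on one’s own hidden service by inspecting the responses it returns. The following Python is an added example, not code from the essay or from UnhandledException; the onion hostname and the sample responses in it are constructed placeholders, and the functions take already-captured responses so the check runs offline.

```python
"""Self-audit helpers for a Tor hidden service's HTTP responses (added example).

Given the status code and headers the service returned for a few probe paths,
flag the two leaks discussed above:
  1. a 3xx Location header naming a non-.onion host or an explicit backend
     port (the nginx trailing-slash redirect to :8080), and
  2. Apache's /server-status or /server-info handlers answering 200.
"""
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)
HANDLER_PATHS = ("/server-status", "/server-info")


def redirect_leak(onion_host, status, headers):
    """Describe what an absolute Location header exposes, or return None."""
    if status not in REDIRECT_CODES or not headers.get("Location"):
        return None
    parsed = urlparse(headers["Location"])
    if not parsed.netloc:
        return None  # relative redirect: neither host nor port is exposed
    problems = []
    if parsed.hostname != onion_host.lower():
        problems.append(f"host {parsed.hostname!r} differs from {onion_host!r}")
    if parsed.port is not None:
        problems.append(f"backend port {parsed.port} exposed")
    return "; ".join(problems) or None


def exposed_handlers(responses):
    """Return the Apache handler paths that answered 200 to an outside client."""
    return [path for path, (status, _headers) in responses.items()
            if path in HANDLER_PATHS and status == 200]


def audit(onion_host, responses):
    """responses: {path: (status, headers)} -> list of human-readable findings."""
    findings = []
    for path, (status, headers) in responses.items():
        leak = redirect_leak(onion_host, status, headers)
        if leak:
            findings.append(f"{path}: {leak} via Location header")
    for path in exposed_handlers(responses):
        findings.append(f"{path}: Apache handler reachable without restriction")
    return findings


# Constructed sample modelled on the /img redirect quoted above; placeholder host.
SAMPLE_HOST = "exampleonionaddress.onion"
SAMPLE = {
    "/img": (301, {"Location": f"http://{SAMPLE_HOST}:8080/img/"}),
    "/docs": (301, {"Location": "/docs/"}),
    "/server-status": (200, {"Content-Type": "text/html"}),
    "/server-info": (403, {}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOST, SAMPLE):
        print(finding)
```

A clean service yields an empty list; any finding points at the nginx redirect settings or the Apache handler access rules that need tightening.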

[Screenshot: sympo (1).png]

An Italian forum called Astaroth, along with Symposion/IDW, served as an example of the Apache module leakage. UnhandledException demonstrated the potential damage caused by a module leaking sensitive information. “I was able to find the remote ip address of the server above the hosting provider as shown previously,” UnhandledException explained:

  • “I prepared a php page with this exploit:

[Screenshot: exploit.png]

  • And passed it inside the “upload avatar from URL” function which is vulnerable:

[Screenshot: sympoexploit (1).png]

  • Got the remote server address in the log file:

[Screenshot: sympoip.png]

  • This kind of tricky request can easily be blocked by restricting dangerous PHP functions.”

UnhandledException concluded:

“Most people probably don’t understand that the risks are REAL when running an illegal service. Do not announce your shit if you are still not ready to announce it. As we have seen, we were able to find hosting providers, VPS numbers and even IP addresses of some illegal websites. This info is enough for LE to start an inquiry on you. You should always use multiple levels of proxy like VPN, virtualized environments with a safe connection and encryption. Be sure to update your stuff constantly and move your server from time to time.”

Additional resource: https://www.loggly.com/ultimate-guide/apache-logging-basics/
