
Brief survey on methods for attacking Tor hidden service - adamnemecek
http://translate.wooyun.io/2015/09/19/Brief-survey-on-methods-for-attacking-Tor-hidden-service.html
======
ijktdot
The Tor blog has a recent (Sep 2015) write-up on how the Great Firewall detects and
kills Tor connections/bridges, hence the need for using Obfsproxy4 as a
pluggable transport:
[https://blog.torproject.org/blog/learning-more-about-gfws-ac...](https://blog.torproject.org/blog/learning-more-about-gfws-active-probing-system)

------
est
Surprised to see a Wooyun article translated and posted to HN. In case anyone
is wondering, Wooyun is a Chinese online security community like Full-Disclosure;
it features a CVE-like vulnerability tracking system. You can find
literally thousands of Chinese software/hardware/online exploits.

------
mercora
Is the illustration really accurate for hidden services? If so, for what
reason isn't the last hop encrypted too?

~~~
ijktdot
The title for this is confusing: they are talking about detecting and
attacking regular Tor connections, not internal hidden services (like a
DarkMarket). The unencrypted hop in that illustration is the exit node to a
regular clearnet site.

The methods for attacking hidden services (DNMs) are the same as for any other
site, such as exploiting misconfiguration, exploiting unpatched software or
finding new ones, and looking for pieces of opsec like the Czech guy whose
darkmarket used some obscure Czech PHP framework, which was identified by
viewing the CSS. Every so often a research paper comes out too that identifies
some new scheme of guard-node analysis/pattern matching/fingerprinting etc. to
identify hidden service IPs, as noted in this Wooyun article.
[https://news.mit.edu/2015/tor-vulnerability-0729](https://news.mit.edu/2015/tor-vulnerability-0729)

Snowden docs also talked about QUANTUM, which was some NSA/GCHQ scheme to run
race conditions against relays to lure Tor users to their own relay farm for
analysis, detailed here:
[https://www.schneier.com/blog/archives/2013/10/how_the_nsa_a...](https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html)
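
The "framework identified by viewing the CSS" opsec slip above is the kind of thing a hidden-service operator can audit for before an attacker does. The script below is an added example written for this thread; it is not code from the Wooyun article, the Tor Project, or any commenter. It scans a raw HTTP response for the identifiers a fingerprinter would collect (version-bearing headers, the generator meta tag, versioned asset paths, banner comments in inline CSS and HTML comments) and reports each one. The two sample responses and the framework name "ExampleFW" are constructed for illustration and are not the framework or the site referred to in the thread.

```python
"""Hidden-service self-audit for software fingerprints (added example).

Scans a raw HTTP response for the identifiers an attacker would use to
fingerprint the framework and server behind a hidden service. Only the
supplied text is inspected; nothing is fetched over the network.
"""
import re
from typing import Dict, List, Tuple

# Response headers that routinely carry product names and versions.
LEAKY_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version", "via")

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
ASSET_RE = re.compile(
    r'(?:href|src)=["\']([^"\']+\.(?:css|js)(?:\?[^"\']*)?)["\']', re.I)
CSS_BANNER_RE = re.compile(r"/\*!?\s*([^*]{3,120}?)\s*\*/")
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

Finding = Tuple[str, str]  # (kind, evidence)


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.x response into a lower-cased header map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def find_fingerprints(headers: Dict[str, str], body: str) -> List[Finding]:
    """Return every identifying artefact found, in a stable order."""
    findings: List[Finding] = []
    # A product name alone narrows the search, so presence of the header is a leak.
    for name in LEAKY_HEADERS:
        if name in headers:
            findings.append(("header", f"{name}: {headers[name]}"))
    for m in META_GENERATOR_RE.finditer(body):
        findings.append(("meta-generator", m.group(1)))
    # Versioned asset paths name the framework and its exact release.
    for m in ASSET_RE.finditer(body):
        if VERSION_RE.search(m.group(1)):
            findings.append(("asset-version", m.group(1)))
    # Banner comments in inline CSS (linked stylesheets would need fetching).
    for m in CSS_BANNER_RE.finditer(body):
        if VERSION_RE.search(m.group(1)):
            findings.append(("css-banner", m.group(1).strip()))
    for m in HTML_COMMENT_RE.finditer(body):
        if VERSION_RE.search(m.group(1)):
            findings.append(("html-comment", m.group(1).strip()))
    return findings


def audit(raw: str) -> List[Finding]:
    """Parse a raw response and return its fingerprint findings."""
    headers, body = parse_response(raw)
    return find_fingerprints(headers, body)


# Constructed sample responses; "ExampleFW" is a made-up framework name.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<!doctype html><html><head>\n"
    '<meta name="generator" content="ExampleFW 2.4.1">\n'
    '<link rel="stylesheet" href="/assets/examplefw-2.4.1/grid.css">\n'
    '<link rel="stylesheet" href="/css/site.css">\n'
    "<style>/*! ExampleFW Grid v2.4.1 | MIT */ .row{display:flex}</style>\n"
    "<!-- built with examplefw-cli 0.9.3 -->\n"
    "</head><body><h1>Welcome</h1></body></html>\n"
)

# Same page with the identifiers stripped: no product headers, no generator
# tag, unversioned asset path, no banner or build comments.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<!doctype html><html><head>\n"
    '<link rel="stylesheet" href="/css/site.css">\n'
    "<style>.row{display:flex}</style>\n"
    "</head><body><h1>Welcome</h1></body></html>\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = audit(raw)
        print(f"{label}: {len(results)} fingerprint(s)")
        for kind, evidence in results:
            print(f"  [{kind}] {evidence}")
```

Run it against a response captured from your own service (for example the output of `curl -si` through the Tor SOCKS proxy) rather than the constructed samples; the leaky sample yields six findings and the hardened one none. The checks only cover what is in the response text, so linked stylesheets and JavaScript still need to be fetched and scanned the same way, and error pages and redirects deserve a separate pass since they often carry a different, chattier template.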

~~~
mercora
Thanks for clarifying. Exploiting vulnerabilities in the service itself,
mishandling opsec and fingerprinting traffic seem obvious.

