kero12
In this article, I will take you through my thought process while conducting an investigation, aiming to identify and collect sources of intelligence. Specifically, we will focus on using OSINT (Open Source Intelligence) sources related to the Deep and Dark Web domain. Our primary goal is to monitor intelligence information from the following sources: “markets” and “cyber criminal activities.” While I will present a case I worked on some time ago, I won’t provide details about the case itself. Instead, I will discuss the tools I used and how to conduct a hunt. As you join me on this journey, I hope you don’t get lost in my thought process.
Case Study
Your mission, should you choose to accept it, is to trace and identify the relationship between two onion sites and demonstrate that they are owned by the same entity or individual. Additionally, trace their blockchain fingerprints to a registered cryptocurrency exchange.
Site A - operates as an onion market, facilitating the sale of hacking tools and personal identifying information (PII).
Site B - appears to be a platform offering personal hacking services.
A word of caution: be cautious not to be deceived by appealing headlines you may come across while conducting a passive search on the Dark Web. This message will self-destruct in 5…4…3…
Tools For Dark Web Onion Sites
- https://www.torproject.org/
- https://www.walletexplorer.com/
- https://www.blockchain.com/explorer
- https://oxt.me/
- https://osintframework.com/
The Blockchain Explorer is like an interactive map of the blockchain, while OXT analyzes the blockchain to extract high-level information. You browse this high-level information instead of a direct representation of the data stored in the blockchain.
Fingerprints
So, how do we link the relationship between two dark web onion sites? The Dark Web is an uncharted, chaotic conglomerate of sites. Onion sites often go down for prolonged periods of time or disappear entirely.
For instance, in this case, we’re trying to find a link between two different onion sites. The first step is to identify the administrators and popular vendors of such sites. Many vendors operate on various markets with the same details across all sites. Some are also active on discussion forums. Then, we delve into the site’s structure by searching for email addresses, Bitcoin addresses, and identifying technologies. We scan for open ports and hidden paths.
So, let’s begin by creating an intelligence profile. Take note of the following:
- Username / Alias
- Date of account creation / Online, Offline (map out an activity pattern)
- PGP public key (Important! Reused keys indicate related accounts)
- Type of merchandise offered
- Methods of contact
Next, conducting a quick crawl and observation of the sites, I noticed a couple of things. The site B is running on the “Apache web server,” which is fairly standard. However, what gets interesting is that the site operator seems to have forgotten to disable the mod_status module (http://httpd.apache.org/docs/2.4/mod/mod_status.html), also known as server-status. This module provides information about the requests Apache is currently serving and has recently served. The information includes:
- The time the server was last started/restarted and the duration it has been running.
- Averages, including the number of requests per second, the number of bytes served per second, and the average number of bytes per request.
- Details about the current hosts and requests being processed.
Starting with the administration of Site A, it is now time to cross-reference that intelligence profile and search for any useful information. I was able to trace the username across various forums, one of which is xss[.]is. In case you’re unfamiliar, “xss is a Russian forum that hosts discussions on vulnerabilities, exploitation, malware, and various other cyber-related topics.” To thoroughly scope the profile, I initiated a quick crawl to retrieve a link. Upon checking the link, I received no response, indicating that the site is no longer operational. Additionally, the profile associated with it has been inactive since the last recorded activity in 2021. To investigate further, I decided to run the site through https://web.archive.org/web/ to see if any snapshots are available:
[screenshot: https://0x00sec.s3.amazonaws.com/original/3X/2/d/2debbf3cc3490e3e4a34e3c94df12c2bf205f93e.png]
- Bitcoin Address
- A real name linked to the administration alias
- Country of residence
- Email Address
- Bitcoin Address
- Email Address
Blockchain Forensics On Transactions
From a single Bitcoin address, various insights can be derived, including the total number of transactions, the sources and amounts of incoming funds, the destinations and amounts of outgoing funds, a historical timeline of transactions, and identification of other associated Bitcoin addresses within the same wallet. This is where the websites https://www.walletexplorer.com/ and https://oxt.me become relevant and come into play.
Usually, the first approach is to start looking for patterns and correlations to link multiple addresses. We also map the flow of funds and relationships between addresses to uncover suspicious activities or money laundering schemes, and extract and analyze additional data associated with transactions, such as timestamps, to gain further insights.
With this tool, we are able to identify any other bitcoin addresses owned by the same wallet.
When we input the address into the explorer, the displayed data includes transaction records, each with specific information like dates and the amounts sent or received. Notably, one of the transactions received funds from an unfamiliar sender (address beginning with “06f”), allowing us to discern the shared ownership of these addresses and subsequently unveil the complete wallet.
With a transaction history dating back to 2019, we now have a time frame that matches our investigation. Let’s proceed to scrutinize the individual transactions associated with each of these Bitcoin addresses.
These two sites are related since their bitcoin addresses come from the same wallet, confirming that the individuals behind them are the same.
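The two linking steps described above, building an intelligence profile per account (username, PGP key, contact details, Bitcoin address) and then clustering Bitcoin addresses into wallets so that two sites paying into the same wallet count as one owner, can be put into a small script. The following is an added example and not code from the original post or from WalletExplorer/OXT: every profile, address and transaction in it is a constructed sample, the wallet clustering applies the common-input-ownership heuristic (all inputs of one transaction are assumed to be spent by the same wallet, which is the type of rule such explorers use), and the CoinJoin filter is a deliberately simple heuristic of my own, included because mixed transactions would otherwise merge unrelated wallets.

```python
"""Added example (not from the original post): link site identities through
shared profile indicators and through Bitcoin address clustering.

All profiles, addresses and transactions are constructed samples. Clustering
uses the common-input-ownership heuristic; transactions that look like a
CoinJoin (several inputs, several equal-valued outputs) are skipped because
they break that assumption."""
from collections import Counter, defaultdict


class UnionFind:
    """Minimal disjoint-set structure shared by both linking passes."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Crude mixer detection: >= 2 inputs and >= min_equal_outputs outputs of
    identical value. Such transactions are excluded from clustering."""
    if len(tx["inputs"]) < 2:
        return False
    counts = Counter(value for _, value in tx["outputs"])
    return max(counts.values()) >= min_equal_outputs


def cluster_addresses(txs):
    """Return {address: cluster_root}; addresses sharing a root are attributed
    to the same wallet. Only input addresses are clustered."""
    uf = UnionFind()
    for tx in txs:
        if looks_like_coinjoin(tx):
            continue
        first = tx["inputs"][0]
        uf.find(first)  # register single-input spends as well
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    return {addr: uf.find(addr) for addr in list(uf.parent)}


def link_profiles(profiles, address_cluster):
    """Group profiles that share a PGP fingerprint, an e-mail address or a
    wallet. Bitcoin addresses are compared by wallet cluster, so two different
    addresses of one wallet still count as a shared indicator."""
    uf = UnionFind()
    first_owner = {}
    for name, p in profiles.items():
        uf.find(name)
        indicators = [("pgp", p.get("pgp_fingerprint")), ("email", p.get("email"))]
        indicators += [("wallet", address_cluster.get(a, a)) for a in p.get("btc", [])]
        for ind in indicators:
            if ind[1] is None:
                continue
            if ind in first_owner:
                uf.union(first_owner[ind], name)
            else:
                first_owner[ind] = name
    groups = defaultdict(list)
    for name in profiles:
        groups[uf.find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample data (amounts in satoshi). "06f_sender" plays the role of
# the unfamiliar address that co-spends with both sites' payment addresses.
TXS = [
    {"txid": "t1", "inputs": ["siteA_pay1", "06f_sender"],
     "outputs": [("vendor_x", 50_000), ("siteA_pay2", 12_000)]},
    {"txid": "t2", "inputs": ["06f_sender", "siteB_pay1"],
     "outputs": [("exchange_deposit", 80_000)]},
    {"txid": "t3", "inputs": ["mixer_in1", "siteB_pay1", "stranger1"],  # CoinJoin-like, skipped
     "outputs": [("o1", 10_000), ("o2", 10_000), ("o3", 10_000)]},
    {"txid": "t4", "inputs": ["unrelated1"], "outputs": [("siteA_pay1", 30_000)]},
]
PROFILES = {
    "siteA_admin": {"pgp_fingerprint": "FPR-AAAA", "email": "a@example.invalid", "btc": ["siteA_pay1"]},
    "siteB_admin": {"pgp_fingerprint": "FPR-BBBB", "btc": ["siteB_pay1"]},
    "forum_user": {"pgp_fingerprint": "FPR-AAAA", "btc": []},
    "random_vendor": {"pgp_fingerprint": "FPR-CCCC", "btc": ["stranger1"]},
}

if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("same wallet:", clusters["siteA_pay1"] == clusters["siteB_pay1"])
    print("linked identities:", link_profiles(PROFILES, clusters))
```

In the sample, Site A's and Site B's addresses never appear in one transaction together; they are joined only through the "06f" address that co-spends with each of them, which is exactly the kind of indirect link the explorer surfaced. The forum account is pulled into the same group purely through the reused PGP fingerprint, and the CoinJoin-like transaction t3 is ignored, so the stranger's address does not get attributed to the same owner.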
Tracing the payments through to an exchange
Transaction History explores how funds have moved in and out of the address, potentially revealing patterns or connections to other addresses.
Most of the transactions paid into these accounts resemble normal transactions when viewed on the blockchain. However, following the transactions, some use more addresses, possibly indicating a bitcoin mixing service. This is normal, as many actors use a mixing service, or cryptocurrency tumbler, to guarantee anonymity by essentially scrambling the addresses and the payments made.
[screenshot: https://0x00sec.s3.amazonaws.com/original/3X/7/3/738cc3a2bf356c4cd5ce461086913cf5718b254f.png]
TLS certificate matching
An SSL/TLS certificate contains identifying information, such as a unique serial number and cryptographic key information, which is traceable if reused on other web properties. A key principle of operating on the dark web is to maintain anonymity, so certificates providing identity attestation can actually help pinpoint the operator behind a website.
Web crawlers, such as Shodan, provide a powerful method for indexing the public internet. They provide a myriad of information about host computers that are running internet-enabled services. One of the services Shodan provides is cataloging TLS certificate information. By leveraging Shodan’s index, a simple whois check shows that this host belongs to M247 LTD Singapore. When visiting the site, we face a blank screen; however, we can verify that the TLS certificate serial number is the same as that used for the site hosted on TOR hidden services, which we can attribute to a specific hosting provider. Four domains have been listed as A records in Domain Name System (DNS) records with the IP address since 2021.
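The serial-number comparison above has two practical gotchas: different tools print the same serial differently (Shodan as a decimal integer, openssl and browsers as colon-separated hex), and a serial is only unique within one issuer, so a bare serial match can be a collision between two CAs. The following is an added example, not code from the original post or from Shodan; the records are constructed samples in a shape I assume for index output (the field names ip, hostnames, issuer, serial and fingerprint_sha256 are my own), and the serial parsing rules are stated assumptions that you should check against whatever source you pull records from.

```python
"""Added example (not from the original post): match the certificate observed
on a hidden service against certificate records from a clearnet index.

Records are constructed samples with assumed field names. Serials are
normalized to an int before comparison; the match key is (issuer, serial)
and the SHA-256 fingerprint is the strong confirmation."""


def normalize_serial(serial):
    """Convert a certificate serial to an int.
    Assumed input rules: ints and all-digit strings are decimal (Shodan style),
    '0x...' and colon-separated strings are hex (openssl/browser style),
    anything else is taken as plain hex."""
    if isinstance(serial, int):
        return serial
    s = serial.strip().lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    if ":" in s:
        return int(s.replace(":", ""), 16)
    if s.isdigit():
        return int(s, 10)
    return int(s, 16)


def normalize_fingerprint(fp):
    """Lower-case hex without separators so 'AB:CD' and 'abcd' compare equal."""
    return fp.lower().replace(":", "").replace(" ", "")


def find_certificate_reuse(index_records, observed_cert):
    """Return indexed hosts presenting the same certificate as observed_cert.
    Same issuer and serial with a different fingerprint would point to a
    re-issued or colliding certificate, so fingerprint_match is reported."""
    want = (observed_cert["issuer"], normalize_serial(observed_cert["serial"]))
    want_fp = normalize_fingerprint(observed_cert["fingerprint_sha256"])
    hits = []
    for r in index_records:
        if (r["issuer"], normalize_serial(r["serial"])) != want:
            continue
        hits.append({
            "ip": r["ip"],
            "hostnames": list(r.get("hostnames", [])),
            "fingerprint_match": normalize_fingerprint(r["fingerprint_sha256"]) == want_fp,
        })
    return hits


# Constructed sample data: TEST-NET addresses, invented names and fingerprints.
FP = "3f2a" * 16  # 64 hex chars standing in for a SHA-256 fingerprint
INDEX = [
    {"ip": "203.0.113.10", "hostnames": ["a-shop.example", "b-shop.example"],
     "issuer": "CN=selfsigned.example", "serial": 0x01092A3C4D21,  # integer, as an index reports it
     "fingerprint_sha256": FP},
    {"ip": "198.51.100.7", "hostnames": ["other.example"],
     "issuer": "CN=Other CA", "serial": 0x01092A3C4D21,  # same serial, different issuer: no match
     "fingerprint_sha256": "dead" * 16},
    {"ip": "203.0.113.11", "hostnames": [],
     "issuer": "CN=selfsigned.example", "serial": "01:09:2A:3C:4D:21",  # hex notation of the same serial
     "fingerprint_sha256": ":".join(FP[i:i + 2] for i in range(0, 64, 2)).upper()},
    {"ip": "192.0.2.5", "hostnames": ["unrelated.example"],
     "issuer": "CN=selfsigned.example", "serial": 7, "fingerprint_sha256": "0" * 64},
]
# What the hidden service presented, as openssl would print it.
ONION_CERT = {"issuer": "CN=selfsigned.example", "serial": "01:09:2a:3c:4d:21",
              "fingerprint_sha256": FP}

if __name__ == "__main__":
    for hit in find_certificate_reuse(INDEX, ONION_CERT):
        print(hit)
```

Run as-is it reports the two hosts on 203.0.113.x, both with the fingerprint confirmed, and leaves out the record whose serial coincides under a different issuer. When you only have a serial and no fingerprint for the hidden service (for example from a screenshot), treat a hit as a lead to verify by fetching the certificate yourself, not as proof.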
These domains were registered using a privacy domain registration proxy service by the malware operator. However, tracing the favicon file in the web root directory as “favicon.ico,” we can obtain this file and calculate a hash value for it. Unfortunately, Shodan doesn’t keep an index of these favicon file hashes.
So I moved on and decided to follow the TOR hidden service link we found earlier. I noticed that the link contains an identifier that is presumably unique to each victim, something like this:
https://{url}/id=aaaaa
Enumerating the URL endpoints, we see that the link contains several HTTP parameters. So, I thought, directory traversal? And just like that, bingo. I’ll leave the rest for you to guess.
In conclusion, I hope you’ve picked up a few tricks from this little spiel. This post was meant to give you a sneak peek into how a hunt goes down and to drop some knowledge on the OSINT tools we like to play with. But, you know, life in the digital shadows ain’t always this straightforward. It’s all about patiently waiting for the other guys to slip up, or sometimes, they just hand us the info on a silver platter. It’s mind-boggling how many vendors out there keep making the same boneheaded OPSEC blunders. I tried to keep it vague, of course; can’t spill the beans on the real deal. Gotta keep those cases cookin’ in the shadows.