1. What is Onion routing in the Internet World?
The Onion Routing (Tor) is an open-source tool to act as a global gateway by enabling anonymity communication on the internet through various hidden channels and routing mechanisms process to get to the destination point securely.
According to the official website of Tor, there are around 6000 Tor nodes running across the globe. In other words, Tor is also known as the Internet’s secret of chambers. The dark web network is inherited from the parent directory World Wide Web (WWW), and currently exists independently on darknets overlay networks that use the Internet as the backbone.
It requires specially designed Tor software, Tor configurations, Tor controls to access the dark web contents which are not indexed by regular search engines.
Cybercriminals use darknets and the dark web to conduct cybercrime operations. However, today in our research operations we are trying to understand the functional ability and maneuvring capabilities on the dark web, and how it assists cybercriminals to traverse the dark web more conveniently than ever before, anonymity created gargantuan impacts on society and governance.
The lack of dark web monitoring research studies, typical orthodox existence of global intelligence surveillance on cyber-criminal activities created huge implications globally.
1.1 Research strategy and objectives:
This analytical research endeavours to provide a comprehensive understanding of the dark web, finding research techniques to identify, assess, and provide the summary of Tor browser, accessing mechanisms of dark web using Tor, exclusive monitoring and traffic analysis of in and out of Tor connections through open source and commercially available tools.
1.2 How to Access and Maneuver the dark web with Tor browser:
Adopting a cost-effective VPN solution could magnify user's anonymity level, and helps them to obscure the resiliency path to the destination and protect against from any advanced social engineering attacks, government intrusions, restrictions, censorship, and APT adversaries in particular.
The vast majority of the paid and unpaid content and services offered on the Dark Web are commonly used by some well-known anonymous services such as Tor, Freenet, I2P, and JonDonym.
1.3 Dark Web Resources:
In our analytical study, we analysed the very existence of different dark web resources using the Tor browser tool.
1.4 How to launch Tor Browser:
Once you downloaded the Tor browser from the official website, if your country of origin is heavily censored, you opt in to send an email request to Tor to receive a mirrored link to download without any suspiciousness.
After that, when you run the Tor Browser for the first time, a notification window will be displayed on the screen offers you two options, the one to choose “connect”, either choose “Tor Network Settings”, to configure proxy configurations if your country of origin is heavily censored at last you may opt in for automatic connection to the Tor network as well by ticking the checkbox.
We have depicted the Tor browser connection and negotiation process chain in Figure 2.
Fine tune the configuration: In this section, you may have all the options to perform multiple configurations according to your requirements and safety. The probability of recceing access denied message is quite common if it’s blocked by your Internet Service Provider (ISP), educational institution, company, censored country. To overcome this problem, we need to use circumvention tools to get away from these restrictions. Tor created this circumvention tools and named it pluggable transports. At present, there are three types of pluggable transports to be used, such as obfs4, meek, Snowflake.
Step1: Click on Security Settings Icon as shown in Figure 3.
Step2: Please, navigate to Tor section. Here, you may opt in for “quick-start”, to automatically connect to the Tor as always. If your network blocked access to Tor, you definitely need a “Bridge”, to connect with Tor network. Also, you may “request a bridge”, from torproject.org, or if you have already obtained one, you may choose to “provide a bridge”. If you are going to use “request a bridge”, please skip this step for now and go to step 6.
Step3: To make your internet presence protected. Please, click on the Shield icon, a display window shows “Advanced Network settings”.
Step4: Now choose the “Privacy & Security”, option from the left sidebar or you may drag it down interchangeably.
Step5: Now, under “Security”, choose the “Safest”.
Step6: Now, please close this window and start to use Tor.
To request a Bridge:
When you run the Tor Browser for the first time, please follow the steps from Step1 to Step4. If you have your Tor browser running follow from Step 5 to Step 7 accordingly.
Step1: Please, click on “Tor Network Settings”.
Step2: Now navigate to “Bridges” section, tick the checkbox “Use a bridge” and then choose the “Select a built-in bridge” option on the window.
Step3: From the dropdown, select whichsoever “pluggable transport”, preference of your choice.
Step4: Once you are finished the selection, please scroll up and click “Connect” to save your settings.
Step5: Please, click on “Preferences” or “Options” on browser window icon ≡.
Step6: Please, navigate to Tor section in the left sidebar. From the dropdown, select whichsoever “pluggable transport”, preference of your choice. Step7: Once you are finished the selection, please scroll up and click “Connect” to save your settings.
2. Navigating the Dark web safely and capturing the Internet traffic connections:
2.1 Types of Dark web monitoring tools:
In the 21st century, due to the recent rapid technological breakthrough in IT sector’s invention, there are plenty of open-source, commercially available tools and SaaS-based subscription model to protect your entire defense in-depth of your organization.
Therefore, continuous identity analysis, detection, and protection actions are mandatory for any IT departments to act upon any sign of threats that could cause real damage to your assets and reputations.
In our analytical study, we are using some of the industry of the best open-source tools to conduct our dark web traffic monitoring.
2.2 Wireshark:
In our analytical study, we have Chosen “Wireshark” tool to identify, analyse, monitor, and troubleshoot our dark web traffic connections and protocols.
Wireshark is an open-source tool, primarily used to analyse the network traffic packets and other covered aspects such as network troubleshooting, analysis, software development, communications predictions, protocol development, and educational usages. The home page of the Wireshark network analyzer is shown in Figure 3.
Wireshark Task Prerequisites: Some of the widely requested parameters are required admin access, choosing the right network interface, and capture the determined and requested traffic for your usage.
2.3 Capturing the Live network data:
In our study, we used the following methods to start capturing the Dark web network traffic packets with Wireshark packet analyzer.
Step 1: To choose the desired the wired or wireless interface on the welcome screen.
Step 2: Then you can click on the “capture” and select “start” or press Ctrl + E. Or you can choose the interface and click this icon on the home screen page.
Step 3: Now, minimize this Wireshark window, and let it run in the background while we are surfing on the dark web.
Step 4: Now, open the Tor browser and start to surf the dark web. In our analytical study, we are using Hidden Wiki for packet capturing. Because, it's one of the oldest directories existed on the dark web, which contains all the links and resources to surf the dark web.
Step 5: The Hidden Wiki home page is shown in Figure 7.
We have referred to one .onion web link on the Hidden wiki to capture interesting traffic as shown in Figure 8.
Step 4: Now, click on this icon to stop capturing the traffic.
Note: Please, click “stop”, when enough traffic is captured by the tool.
Step 5: To click on the “File”, and select “Save” when you are saving it for the first time or choose “Save as” interchangeably if you are assuming to save it in different formats. In our case, it's .pcap in a single mode file format and store the file in a specific folder.
Step 6: Please, close the Tor browser.
Step 7: To stop the running sessions on Wireshark, you may press Ctrl +E or click on “Capture” and select “Stop” or pressing the red color square icon box on the home screen.
3. To Analyse the Captured Dark web traffic:
In this section, we are going to perform an in-depth analysis on the captured traffic to identify the threats.
Step 1: Please, open the Wireshark tool.
Step 2: Click on the “File” and select “open” and choose your file from the specific folder location or select the file through “open recent” as like shown in Figure 9.
Step 3: Now, click on the “Analyse” feature from the toolbar section and click on “Expert information”. A new window will pop up on the screen as shown in Figure 10.
Step4: Please, use the color-coding scheme as defined in Table 2.
The Expert information feature is the starting point of the investigation journey, where it keeps track of every single anomaly and peculiar item of interest during the capture process, here it’s the captured file.
When we prevail this feature, a dialogue box provides us the comprehensive information about the uncommon behaviours and issues to be well noticed.
In general, anomaly entries are screened upon these protocols as highlighted and grouped by severity level. An example of this is TCP and DNS protocols, to identify out of order TCP packets whether It’s malformed or not, DNS query, and TCP sequence order packets.
In addition to the Expert packet information, by default it’s not enabled. So, we can opt-in an additional “Expert Info Severity” feature to highlight and list out the crucial severity information as like shown in Figure 11.
Malformed packet:
In general, Malformed packets are identified as suspicious or dissector has a bug in them. Therefore, the dissection of these packets is aborted.
Expert Packet Information Summary:
To take one malformed packet from the list of summary packets to analyse the contents for justifications. Now, please right-click on the packet and “Apply as filter”, choose “Selected”.
We identified another packet with the “Warning” sign and selected the packet for analysis.
We found the reason for TCP zero Window and partially identified when our computer advertises a zero value for its window size to the server, this stipulates that the TCP receiving buffer frame is now full, and it cannot receive any more data to process. as in Figure 14 and Figure 15.
Network Forensic Analysis Tool (NFAT): NetworkMiner tools is a passive network sniffer a.k.a. advanced packet capturing tool for forensic and network incident response purposes.
It can support offline-based analysis to regenerate and reassemble the inherited pcap based files from multiple network software products. This specified intruder IP spoofed the MAC address with our randomly generated MAC address.
Figure 17.ARP Spoofing occurred with the Random MAC.
We used random hardware addresses before we started the Tor browser. Therefore, the spoofed MAC is not the one matched with the original MAC table and we remained obscure.
4. Functional Challenges of Traffic monitoring on the Dark web network:
The Tor anonymity became the enemy of good, because of the obscure presence on the network with the secured and highly encrypted traffic which makes it harder to crack the shell for the law enforcement, Cyber Police, IT admins and other individual users.
To monitor the dark web is time-consuming and complicated in nature due to the criminal's frequent and infrequent footprints on the forums and blogs which makes it harder to trace them. We need an AI-driven technology-based tool to automatically conduct regular scans and monitor anomalies. The indexed data should be presented in identifying the target in a straightforward manner.
(i) Threat intelligence: We need an automated threat intelligence system to feed the captured data into it and present the data.
(ii) Threat hunting: We need to use both commercially available and open-source tools to conduct comprehensive work on the dark web.
(iii) Faster incident response: At present, no adequate workflow and framework for dark web monitoring have been defined to mitigate threats, and moreover we are lacking and struggling to match the rapid expansion of threats.
(iv) Integration into one core security platform: In fact, every organization is capable of having a mid-sized team to manage the infrastructure monitoring of their assets. If we put our focus to merge the network and dark web traffic packets into one intelligence monitoring platform to prepare, discover, identify, evaluate, remediate and rescan the entire infrastructure within a short timeframe.
5. Conclusion:
The awareness and adequate training help individuals, organizations, law enforcement agencies to strengthen the conscious approach towards dark web monitoring and contemporaneous with systematic approach and improvements are proven to be more effective, accurate, and helps to withstand any skilled intruders and cybercrimes.
DISCLAIMER OF RESPONSIBILITY. None of this article info or my blog assume any responsibilities whatever for any damages caused to your own actions, any risk, any wickedness, or other misconduct of using dark web or its services, or by any product or process incorporating or made by your own interest or actions, or incorporating or made by the use of any information from your surfing is not responsible.
This article is for educational purposes only!
