
The hidden Deep Web (Undernet) easy HOWTO – road to enlightenment or highway to hell?


Tor (The Onion Network) logo

Most hardcore geeks have been there and a few hardy souls visit it regularly. Known variously as the Deep Web, Deepnet, Invisible Web, Hidden Web, and Undernet, it is claimed to be several orders of magnitude larger than the surface web – if you can find the buried, hidden content that lies deep within. But with new technologies such as the Tor Browser, it is now easier than ever to delve into the Deep Web, anonymously of course, and trudge through the muck. Here’s how to do it.

Tor, browsing and Onion addresses

Silk Road Tor hidden service screen shot

Tor, short for The Onion Router, is a network system intended to provide anonymity for its users. Tor encrypts network communications and then directs the packets through a worldwide volunteer network of servers to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis along the route. The communications are encrypted using a multi-layered approach, hence the name “Onion Router”. Messages are repeatedly encrypted and then passed through several network nodes (onion routers). Each node is able to remove only one layer of the encryption, just enough to read the cleartext routing instructions, and then sends the packet to the next router, where the process is repeated. This multi-layered encryption ensures “perfect forward secrecy” between relays. Because the internet addresses of the sender and the recipient are encrypted as they pass through each hop, anyone eavesdropping at any point cannot directly identify both ends.

Tor network traffic is bounced around from router to router until it reaches an “exit point”, where the cleartext packet is available, and forwarded to the true intended destination. Viewed this way, the network traffic appears to originate from the exit point – and not from the true sender of the packets.

The anonymity provided by Tor extends to servers hosted on Tor called “hidden services”. Hidden services are relays running specially configured server software, much like a public web server. Rather than addressing the service via an IP address or public domain name (as you would with a publicly available web server), hidden services are accessed through Tor-specific .onion “pseudo top-level domain” (TLD) names (e.g. myevilsite.onion). Only Tor understands the TLD addressing and thus routes the data anonymously both to and from the hidden service. Also, since the service does not rely on a public IP address, the server can be hosted behind a firewall or NAT. Furthermore, Tor is decentralized by design and there is no directly readable list of hidden services. This makes the hidden services/sites difficult to find – unless you know how.
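The paragraph above says only Tor understands .onion addressing, but it helps to see what a 16-character .onion name actually is. The following Python is an added example, not code from the article or from the Tor project. It implements the v2 naming rule used by addresses of the shape listed on this page (the name is the first 80 bits of SHA-1 over the service’s DER-encoded RSA public key, base32-encoded and lower-cased), a validator for that shape, and a small extractor that pulls .onion hosts out of free text such as proxy or firewall logs. The `SAMPLE_LINKS` text and the key bytes fed to `v2_onion_from_der` are constructed for the demonstration.

```python
import base64
import hashlib
import re

# v2 hidden-service names: 16 base32 characters (lower-case a-z and 2-7) + ".onion"
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")

# Constructed sample text; none of these are real services.
SAMPLE_LINKS = """
http://exampleonion2345.onion/wiki/index.php   (constructed, well-formed v2 name)
http://short.onion/                              (constructed, too short)
http://thisname1uses8ss.onion/                   (constructed, 16 chars but '1' and '8' are not base32)
http://notonion.com/                             (constructed, an ordinary domain)
"""


def v2_onion_from_der(pubkey_der: bytes) -> str:
    """Derive a v2 .onion host name from a DER-encoded RSA public key.

    The name is SHA-1 of the DER bytes, truncated to 10 bytes (80 bits),
    base32-encoded and lower-cased. Because the name is a hash of the key,
    a client that fetches the service's key can check that it really hashes
    to the name it asked for; nobody can claim a name without the matching key.
    """
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def is_v2_onion(host: str) -> bool:
    """True if `host` has the shape of a v2 hidden-service name."""
    return ONION_V2.match(host.lower()) is not None


def onion_hosts(text: str):
    """Pull every *.onion host out of free text (URLs, log lines) and report
    whether each one is a well-formed v2 name. Returns [(host, is_valid), ...]."""
    found = re.findall(r"(?i)\b([a-z0-9]+\.onion)\b", text)
    return [(h.lower(), is_v2_onion(h)) for h in found]


def classify_sample():
    """Run the extractor over the constructed sample text."""
    return onion_hosts(SAMPLE_LINKS)


if __name__ == "__main__":
    for host, ok in classify_sample():
        print(f"{host:28s} {'well-formed v2' if ok else 'malformed'}")
    # Constructed bytes standing in for a DER public key; a real name would
    # come from the service's actual RSA key.
    print("name for constructed key:", v2_onion_from_der(b"constructed DER public key bytes"))
```

The derivation function is the useful half for a defender: it is the only way to tie a .onion name to a key, and a name that does not match the key a service presents is a sign of tampering or a lookalike.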

It is important to understand that Tor does not protect the endpoints. It prevents traffic from being analyzed along the route but cannot truly prevent “traffic confirmation”. Exit points in particular entail risk for both the originator and the person running the exit node. If you plan on doing something illegal via Tor, understand that there is a chance you could be tracked down – albeit via a lot of legwork and a little bit of luck for Johnny Law.

How Tor circuits work

Vidalia establishing the Tor circuit screen shot

To begin a Tor session, the originator of the communication (your client PC, for instance) picks nodes from a list provided by a “directory node”. This list of nodes is ordered to create a “chain” or “circuit”. The order of the nodes dictates the path the message will take through the Tor network on its way to its intended destination. The nodes along the way are kept somewhat in the dark – they do not know whether the node that sent them the message was the true originator, nor do they know how many nodes are in the complete routing list (although Tor is limited to three nodes – the entry node, relay node, and exit node).

The originating node then looks up the public key for the first node (i.e. the entry node) in the circuit (the public key for each node is held in the directory) and uses this public key to encrypt a message to send to the entry node. This encryption ensures only the entry node can decrypt the message. The encrypted message is received by the entry node and decrypted using the entry node’s private key. All of this is taken care of automatically by the Tor protocol. This initial step begins a process to create a shared secret, or session key, which will be used to efficiently encrypt further communications between the originator and the entry node.

Bank accounts for sale on Tor hidden service

Next the originator begins a negotiation with the next node in the chain – the “relay node”. This negotiation occurs between the entry node and the relay node, not directly between the originator and relay node. Using their pre-negotiated session key, the originator sends an encrypted packet to the entry node with instructions to send it on to the relay node. The entry node takes the packet of instructions and further encrypts it using the public key for the relay node. This negotiation results in another layer of encryption and an additional link in the chain or circuit. As with the communication between the originator and the entry node, the communication between the entry and relay nodes can only be decrypted by the entry node and relay node themselves. Every other node in the circuit is kept in the dark and is only aware of the communications occurring between itself and the node next to it.

Once complete, the process repeats with the next node in the list, and so on, with each node using the public key of the next node to encrypt the packets, ensuring that only the receiving node can decrypt and interpret the contents.
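As an added illustration of the layering described in the last few paragraphs, and of the earlier point that Tor does not protect the endpoints, here is a toy Python model of a three-hop circuit. It is not code from the article or from the Tor project: the cipher is a throwaway SHA-256 keystream XOR chosen only because it is reversible (real Tor uses AES in counter mode), the relay names, the client address 203.0.113.7 and the per-hop session keys are constructed, and the per-hop key negotiation the article describes is assumed to have already run. What the model shows is exactly what each relay can see after peeling its one layer, and what the destination sees.

```python
import hashlib
import json
import os
from base64 import b64decode, b64encode

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher: nonce || (plaintext XOR keystream). Not a secure
    construction; it only needs to be reversible so the layering is visible."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(circuit, destination: str, message: str) -> bytes:
    """Wrap `message` so that each relay in `circuit` can peel exactly one layer.

    circuit: [(relay_name, session_key), ...] in path order entry..exit.
    Each layer is a small JSON record {"next": hop, "inner": payload}.
    Only the innermost layer (the exit's) names the true destination and
    carries the cleartext; every outer layer names just the next relay.
    """
    exit_key = circuit[-1][1]
    blob = encrypt(exit_key, json.dumps({"next": destination, "inner": message}).encode())
    # Wrap outward from the exit: the middle layer points at the exit, the entry layer at the middle.
    for (name, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        record = {"next": next_name, "inner": b64encode(blob).decode("ascii")}
        blob = encrypt(key, json.dumps(record).encode())
    return blob


def route(onion: bytes, circuit, originator: str):
    """Push the onion through the circuit, recording what each relay sees.

    Returns (observations, delivered). observations maps relay name to
    {"prev": who handed it the cell, "next": where it forwarded it,
     "cleartext": the payload if this relay could read it, else None}.
    delivered is what the destination receives, including who it takes the
    sender to be.
    """
    keys = dict(circuit)
    observations = {}
    prev, current, blob = originator, circuit[0][0], onion
    while True:
        layer = json.loads(decrypt(keys[current], blob))
        next_hop = layer["next"]
        is_exit = next_hop not in keys  # next hop lies outside the Tor network
        observations[current] = {
            "prev": prev,
            "next": next_hop,
            "cleartext": layer["inner"] if is_exit else None,
        }
        if is_exit:
            return observations, {"from": current, "data": layer["inner"]}
        prev, current, blob = current, next_hop, b64decode(layer["inner"])


def demo():
    """Three-hop circuit with constructed session keys (as if the per-hop
    negotiation had already run); returns what each party ends up knowing."""
    circuit = [("entry", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    client = "client 203.0.113.7"  # constructed originator address
    message = "GET / HTTP/1.1"
    onion = build_onion(circuit, "destination.example", message)
    return route(onion, circuit, client)


if __name__ == "__main__":
    observations, delivered = demo()
    for relay, seen in observations.items():
        print(f"{relay:6s} prev={seen['prev']!r:22} next={seen['next']!r:22} cleartext={seen['cleartext']!r}")
    print("destination received:", delivered)
```

Running it shows the entry relay knowing the client's address but not the destination or content, the middle relay knowing only its two neighbours, the exit relay seeing the destination and the cleartext request but only the middle relay as its source, and the destination logging the exit relay as the sender. That last line is the reason the article warns about running an exit from home, and the exit's cleartext view is why end-to-end TLS still matters inside Tor.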

Remember that to the traffic endpoint (the ultimate destination), the originator appears to be the exit node. If the destination is busted, its logs will only include IP address information for the exit node and not the true originator’s IP address. For that reason, it is recommended that you do not run an exit node from your home (this is an option in the Vidalia window discussed below). Exit nodes should only be run from commercial facilities that are supportive of Tor. Entry nodes and relay nodes, however, are much safer to run. To date, nobody has gotten in trouble for running an entry or relay node. If you do run into trouble, contact the EFF. They have template letters and such that you can use as a response to any such complaints. These template letters explain the Digital Millennium Copyright Act’s safe harbor rules and how Tor fits into the existing law.

The Tor Browser Bundle

Vidalia settings - set to relay node or exit node if you have nerves of steel

In the early days of Tor, it required a fair amount of technical expertise to effectively utilize the service. If you did not fully understand the protocol, or lacked the expertise to properly configure Tor, your anonymity could be compromised (possibly without your being aware of it). With the introduction of the Tor Browser Bundle, almost anyone, inexperienced newbies included, can utilize Tor for anonymous communications.

To begin, download the Tor Browser Bundle from Extract the files and open the uncompressed Tor Browser folder. Double click the Start Tor application. The Vidalia window will appear and configure the Tor connection automatically. Once the Tor connection is established, the Tor Browser will open pointing to a page that verifies your Tor connection is securely established. It is important to understand that only traffic through the Tor Browser will be sent using Tor. Other web browsers (and other networking applications) on your client PC are not affected by the Tor connection and hence, not anonymous.

Before browsing any sites using the Tor Browser, make sure the browser is set to block scripts (given the evil that abounds, this is a necessity on the Undernet). You may also want to be a good guy and check the Vidalia settings to configure your node as a relay node and thus ease the load on the Tor network for everyone else.

Alternative methods – Linux distributions

The Tor browser

Another way to enter the Deep Web is to use a pre-configured Linux distribution such as Liberte or Tails. These distributions can be installed on bootable USB flash drives, letting you boot into a Tor configuration that secures every network communication on the system, in addition to erasing system data upon exit, modifying the MAC address of your machine, marking the drive as read-only, and many more measures to ensure anonymity and online security. This is an even safer method than using the Tor Bundle but is a bit harder to set up if you are not technically proficient.

Last chance for Tor virgins – your innocence ends here

Take a deep breath. You are now ready to enter the Deep Web.

The Hidden Wiki

The Hidden Wiki home page

Once you have a browsing session open and connected through the Tor Browser, you’ll want to start with The Hidden Wiki. You can find it at http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. The Hidden Wiki is similar to Wikipedia – open to everyone to edit and view. It contains many links to the various hidden services located within the Deep Web.

UPDATE: After the fall of Freedom Hosting, many Tor sites have gone down or changed addresses. Here’s a list of a few Tor hidden services that were brought back online and working after the Freedom Hosting takedown:

http://torlinkbgs6aabns.onion (Tor Links)

http://jh32yv5zgayyyts3.onion/ (Hidden Wiki – new, cleaned up version)

http://xmh57jrzrnw6insl.onion/ (Torch search engine)

http://qkj4drtgvpm7eecl.onion/ (Counterfeit USD bills)

http://zw3crggtadila2sg.onion/imageboard/ (TorChan forums)

http://jv7aqstbyhd5hqki.onion/index.php (HackBB – back online after Freedom Hosting was taken down)

http://npieqpvpjhrmdchg.onion/ (Doxbin)

Be forewarned: do not enter if you have a weak heart. You will find, in plain sight, everything your wicked little mind can imagine – illegal guns (note that Bitcoin is the accepted currency on the Deep Web), stolen credit card information, compromised PayPal accounts, fake IDs, professional hackers for hire, bootlegged software and movies, stolen goods, underage prostitutes, child pornography, hacker chat boards, explosives, illegal drugs – even contract hit-men. It’s a dark world and not for the faint of heart.

Road to enlightenment or highway to hell?

Is the Deep Web full of criminals? Of course. Given anonymity and no rules, human nature seems to take a very dark turn. But Tor is endorsed by the EFF and other civil liberties groups as a method for whistleblowers and human rights workers to communicate anonymously, and indeed you will find many boards where civilians from countries that censor their citizens’ communications talk freely about politics, religion, and anything else their native country may forbid. Typically these conversations are very intellectual and interesting. Thus, a disciplined hacker can glean quite a bit of interesting information from the Deep Web while avoiding the murkier side of the Undernet.