- The dark web is increasingly used for illegal activities, with numerous underground marketplaces facilitating the buying and selling of illicit items such as drugs, weapons, data leaks, counterfeit money, and forged documents. These platforms, operating anonymously, pose significant challenges to law enforcement agencies (LEAs), making it difficult to identify the individuals behind these marketplaces, especially on the TOR network.
- Operating illegal sites on the dark web requires minimal technical resources: simply access to the TOR browser and the TORRC file. For hosting, individuals can use either paid or free hosting servers. Running on the TOR network (V3) provides near-impenetrable anonymity, complicating the identification of underground operators. These operators typically use ISPs and VPNs to further obscure their locations.
- The objective of this project is to develop a tool or technique capable of identifying the operators behind dark web marketplaces. Participants will focus on discovering the actual IP or VPN addresses associated with these operators and identifying any other personally identifiable information (PII) related to the individuals behind the onion sites.
Xpose is a powerful software solution for performing advanced deanonymization techniques, designed to trace the operators behind illegal dark web sites. The system includes both a web app and CLI (Command Line Interface) to offer flexibility and reliability.
Xpose leverages cutting-edge research in deanonymization techniques, providing highly accurate methods for exposing the VPN or ISP IP addresses of target onion sites. In addition to IP exposure, Xpose employs advanced OSINT (Open Source Intelligence) methods such as:
- EXIF metadata extraction
- Reverse image search
- IRC (Internet Relay Chat) analysis
Additionally, modern fingerprinting techniques are used to analyze the behavior of onion site operators over time.
- Advanced OSINT: Extracting EXIF metadata, performing reverse image searches, and analyzing IRCs.
- Latest Research: Manipulating HTTP messages for more effective deanonymization.
- Scanning for OPSEC Flaws: Identifying poor operational security practices on dark web sites, including server misconfigurations and PII leaks.
- End-user Attacks: Using timing correlation attacks to track the individuals behind onion sites.
- Advanced Fingerprinting: Analyzing HTTP headers, SSH fingerprints, and certificate hashes.
- Target Site Exploitation: Techniques like exploiting recent 0-days, Local File Inclusion (LFI) vulnerabilities, and Server-Side Request Forgery (SSRF) to disclose actual IP addresses.
- TOR Daemon: For interaction with the TOR network.
- cURL: To implement advanced deanonymization techniques, such as manipulating HTTP messages.
- Python: Provides the flexibility needed for various tasks on the TOR network.
- Django: For web application development.
- Bash: For automation and CLI tasks.
- SQLite3: For data storage and management.
- HTML, JavaScript, Bootstrap: For building a dynamic and responsive user interface.
- Linux: Operating system used for development and operations.
- AWS: For CI/CD (Continuous Integration/Continuous Delivery).
- Others: EXIF-tools, Google reverse image search, Git/GitHub, etc.
- Xpose provides quick and effective results, saving valuable time compared to manual deanonymization techniques.
- Our solution avoids the use of AI or machine learning, ensuring highly accurate results. Only definitive data is provided, avoiding false positives.
- The solution is designed to scale as new techniques are developed, ensuring it remains effective in the future.
- Xpose is equipped to handle various CAPTCHAs and timeouts encountered on onion sites. Solutions to these challenges will be included in future updates.
- Xpose doesn’t just focus on deanonymization; it also employs OSINT and fingerprinting techniques for more comprehensive research.
- Xpose allows researchers to conduct their work in a secure and controlled environment, ensuring no harm to organizational privacy or infrastructure.
- Potential Impact / Benefits:
- Intelligence Agencies: Used for gathering critical intelligence.
- Law Enforcement Agencies (LEAs): A vital tool for tracking and investigating illegal activities.
- Security Researchers & Cybersecurity Experts: An essential resource for contributing to the fight against dark web crimes.
- Cyber Threat Intelligence Teams: Helping businesses and organizations detect and protect against dark web threats.
- Using Python to Monitor Dark Web
- Dark Web Scraping Using Python
- Is TOR Still Anonymous?
- Edward Snowden Research
- DEFCON-22: How People Got Caught
- DEFCON-22: Touring the Dark Side of the Internet
- Bad OPSEC: How TOR Users Got Caught
- Deanonymization of TOR HTTP Hidden Services
- Uncovering Tor Hidden Service with Etag
- OnionScan: Practical Deanonymization of Hidden Services