[tor-talk] Someone is crawling TorHS Directories: Honeypot

Fabio Pietrosanti (naif) lists at infosecurity.ch
Fri Sep 12 19:51:39 UTC 2014

Hi,

About a month ago I wanted to verify if someone is actively crawling
TorHS that are inside the memory of Tor HS directories.

So, I've set up a small Tor Hidden Service Honeypot at home with unknown,
unpublished, non-publicly-linked TorHS, with a relatively simple setup:
- Set up 30 Tor HS (just to increase the chance to be on different TorHSDir)
- Redirected all of them to
- Set up inetd on port 80 executing a small shell script

With such a setup, if someone connected to my TorHS, it would for
sure be a malicious user whose primary goal is to harvest TorHS addresses
for research or intelligence purposes.

To know about such a TorHS address, the attacker must be running a
malicious Tor Relay acting as a TorHS Directory, with Tor's code
modified to dump from the RAM memory the TorHS list, then harvest them
with an HTTP client/script/crawler.

The shell script honeypot.sh does just:
- execute date
- read the incoming requests
- write those data to a log file
- answer 404 not found to the client
- send me an email

Yesterday I received my first email from the honeypot, report below.

It would be nice to extend this concept to proactively detect and
identify who's running such malicious Tor Relays by logging/mapping
every HSDir that is selected/rotated for such Tor Hidden Services.

-------- Original Message --------
Subject: 	ALERT from TorHS Honeypot
Date: 	Thu, 11 Sep 2014 10:12:48 +0000 (UTC)
From: 	root at pietrosanti.it (root)
To: 	fabio.pietrosanti at logioshermes.org

Thu Sep 11 10:12:48 UTC 2014
GET / HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/ libidn/1.23 librtmp/2.3
Host: yefc7p6pv3lsvqrn.onion
Accept: */*

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
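
The honeypot.sh steps listed in the post (run date, read the incoming request, log it, answer 404, send an email), written out as an added example that is not the author's script. The names HONEYPOT_LOG and HONEYPOT_MAILTO, the `--serve` argument, the default log path and the sanitising of header bytes are assumptions of this example.

```shell
#!/bin/sh
# Added illustration of the steps listed for honeypot.sh; not the author's script.
# inetd hands the accepted connection to this script as stdin/stdout.
# Assumed names (not from the post): HONEYPOT_LOG, HONEYPOT_MAILTO, --serve.
HONEYPOT_LOG="${HONEYPOT_LOG:-/var/log/torhs-honeypot.log}"   # assumed path
HONEYPOT_MAILTO="${HONEYPOT_MAILTO:-}"                        # empty: no email

# Print the request line and headers, stopping at the blank line that ends
# the header block. Input is attacker-controlled, so CR is stripped, other
# non-printable bytes become '?', and line count and length are capped
# before anything reaches the log or the mail body.
read_request() {
    n=0
    while [ "$n" -lt 50 ] && IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r' | tr -c '[:print:]' '?' | cut -c1-512)
        [ -z "$line" ] && break
        printf '%s\n' "$line"
        n=$((n + 1))
    done
}

# One connection: timestamp, capture, log, answer 404, optionally alert.
handle_connection() {
    report=$(date -u; read_request)
    printf '%s\n\n' "$report" >> "$HONEYPOT_LOG"
    printf 'HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n'
    if [ -n "$HONEYPOT_MAILTO" ]; then
        printf '%s\n' "$report" | mail -s 'TorHS honeypot alert' "$HONEYPOT_MAILTO"
    fi
}

# Serve only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--serve" ]; then
    handle_connection
fi
```

The `read` loop has no timeout, so a client that connects and sends nothing keeps the process alive until the connection closes.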
