[tor-talk] Regarding the Hacking Team leak and the "TOR interception" (all uppercase Tor obviously)

coderman coderman at gmail.com
Wed Jul 8 08:43:16 UTC 2015


On 7/7/15, chloe <chloe at countermail.com> wrote:
> ...
> how would this method work if an infected client tries to visit a hidden
> service?


there are at least three common ways:

1. using an evil proxy, as directed above. they install a rogue CA so
they can sign for any SSL/TLS required.  this works for hidden
services, because their proxy strips ssl, then forwards to hidden
service. e.g. https://www.facebookcorewwwi.onion

2. using memory scraping - they don't appear to do this, but other
exploit kits do. if your browser is rendering pages and accepting
input, it does so on the local machine, and inspecting local machine
memory gets at these bits before encryption (before network I/O)

3. using key exfiltration, so that encrypted streams captured on the
network can be decrypted later. note that exfiltrated key material is
very small, easy to hide, and then gets you access to all the
plain-text. call this the #BULLRUN method.

best regards,
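A client-side check aimed at method 1 above (a rogue CA in the local trust store lets an interception proxy present a validating certificate for any host, onion services included), added here as an example and not part of coderman's post or any Hacking Team material. It pins the expected issuer CN and audits the trust store against a baseline; the issuer name, root names and certificate dicts are constructed placeholders in the shape returned by `ssl`'s `getpeercert()` and `get_ca_certs()`.

```python
"""Detect an interception proxy backed by a rogue CA: verify the peer
certificate's issuer against a pin (the OS trust store would accept it
otherwise) and list trust-store roots missing from a baseline.
All certificate data below is constructed, not real."""


def rdn_to_dict(rdn_seq):
    """Flatten ssl's ((('commonName', 'x'),), ...) name structure into a dict."""
    return {k: v for rdn in rdn_seq for k, v in rdn}


def san_matches(cert, hostname):
    """True if a DNS SAN matches hostname exactly or via a leftmost wildcard."""
    parts = hostname.split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if name == hostname:
            return True
        if name.startswith("*.") and len(parts) > 1 and name[2:] == ".".join(parts[1:]):
            return True
    return False


def check_peer_cert(cert, hostname, pinned_issuer_cn):
    """Return findings; an empty list means the cert looks as expected."""
    findings = []
    issuer_cn = rdn_to_dict(cert.get("issuer", ())).get("commonName")
    if issuer_cn != pinned_issuer_cn:
        findings.append(f"issuer CN {issuer_cn!r} differs from pinned {pinned_issuer_cn!r}")
    if not san_matches(cert, hostname):
        findings.append(f"no SAN covers {hostname!r}")
    return findings


def unexpected_roots(ca_certs, baseline_cns):
    """Trust-store subjects (by CN) that are not on the baseline allow-list."""
    cns = [rdn_to_dict(c["subject"]).get("commonName", "?") for c in ca_certs]
    return sorted(cn for cn in cns if cn not in baseline_cns)


# Constructed samples: issuer and root names are hypothetical placeholders.
SAN = (("DNS", "*.facebookcorewwwi.onion"), ("DNS", "facebookcorewwwi.onion"))
GOOD_CERT = {"subject": ((("commonName", "*.facebookcorewwwi.onion"),),),
             "issuer": ((("commonName", "Example Onion Issuer"),),),
             "subjectAltName": SAN}
PROXY_CERT = dict(GOOD_CERT, issuer=((("commonName", "Intercept Proxy Root"),),))
STORE = [{"subject": ((("commonName", "Example Root CA"),),)},
         {"subject": ((("commonName", "Intercept Proxy Root"),),)}]
```

For a live check, the peer dict comes from `getpeercert()` on a socket wrapped after connecting through Tor's SOCKS port, and the store list from `ssl.create_default_context().get_ca_certs()`.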

