Dark Web Part II - TOR Network

In our previous blog, we discussed that there are different types of "darknets" (https://www.osintcombine.com/post/dark-web-searching). In this blog, we are going to talk about The Onion Router (TOR) specifically to understand the network, look at ways to correlate network activity with geopolitical events, and configure our TOR client to control our traffic flow a little better.


TOR is the most popular "darknet" used today. It is well known for its association with illegal activity, such as forums & vendors selling drugs, weapons & more. However, there are legitimate uses for TOR as well, such as avoiding state-based censorship or communicating anonymously in contested environments to get important information out.


Whilst most people who learn & access TOR simply jump straight in with a TOR browser and use search engines, wiki/index sites or know their destination .onion address, we can learn more about what is happening around the world by taking a step back and looking at the network itself. Luckily, TOR's network details are open for people to view & analyze.


TOR Network

Let's begin with a quick overview of how the TOR network works. It is made up of a series of volunteer-hosted relays that route traffic to a destination & back. A client connects to what is called an "Entry Guard", passes through a series of "Relays", and then exits through what is called an "Exit Node". The terminology differs from reference to reference; however, as long as you understand the concept, you will see why it is compared to the layers of an onion (hence the name).


Now that we have a basic understanding of traffic flow, let's take a look at macro network activity.


Network Activity & Metrics

The TOR Project publishes a site that lets you look at the metrics of the network. This is useful for understanding peaks & troughs in network activity. A key takeaway from analyzing this is the correlation with geopolitical events. When there is civil unrest or major events around the world, you will often see a spike in people connecting to the TOR network. The exactness of what they are doing on the network can't be viewed by macro network analysis, but the inference is still useful for assessments.


TOR Metrics (https://metrics.torproject.org/)


User Activity

The first metric that is useful for correlating a spike in activity to events around the world is how many users are accessing services. Clicking the "Users" option lets us look at how many people are connecting to TOR and from which country. Consider this when there are geopolitical events unfolding around the world. It can provide an inference about how well known discreet internet communication & access is within a country, and whether there are channels or opportunities for communicating with a population in a contested environment.


Filter options for TOR Users (https://metrics.torproject.org/userstats-relay-country.html)



Use case - Afghanistan 2021

We analyzed user activity on TOR from Jan 2020 - Sep 2021 to see shifts in TOR activity over time within Afghanistan. The country attribution comes from the relays resolving the IPs of clients that connect to them against a geo-IP database. VPN-connected clients could potentially obfuscate this, but that is unlikely at scale, so we can lean on these metrics for analysis.


If we narrow down further, looking just at activity within 2021, we can identify key periods of spiked activity.


So what happened in April 2021? Well, we simply need to use our standard OSINT skills with some advanced Google searching to correlate events.


Using the search query "Afghanistan" after:2021/04/01 before:2021/05/01, we can bracket our search and find events of interest.


The key event was the formal announcement of US troop withdrawal and the plan forward with Afghanistan. Whilst there may have been other underlying reasons for the spike in TOR activity, this serves as an example of how we can analyze TOR user activity in a more geopolitical context.
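The spike-hunting step above can be done programmatically on the CSV that Tor Metrics offers alongside the Users graph. The following is an added example (not code from the post); it assumes the CSV columns are date,country,users,lower,upper,frac, and the sample rows are constructed numbers, not real Afghanistan figures. It flags days that jump well above the recent baseline and then builds the bracketed search query in the form used above.

```python
"""Flag spikes in per-country Tor user counts, then bracket a search around them.

Added example, not the post's code.  Assumes the Tor Metrics CSV layout
date,country,users,lower,upper,frac; SAMPLE_CSV is constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta
from statistics import mean

# Constructed sample rows (not real figures) in the assumed CSV layout.
SAMPLE_CSV = """date,country,users,lower,upper,frac
2021-03-28,af,1200,,,100
2021-03-29,af,1180,,,100
2021-03-30,af,1220,,,100
2021-03-31,af,1190,,,100
2021-04-01,af,1210,,,100
2021-04-13,af,2600,,,100
2021-04-14,af,2900,,,100
2021-04-15,af,1300,,,100
2021-04-13,us,400000,,,100
"""


def load_country_series(csv_text, country):
    """Return [(date, users)] for one country code, oldest first; skips blank counts."""
    lines = [ln for ln in csv_text.splitlines() if ln and not ln.startswith("#")]
    series = []
    for row in csv.DictReader(lines):
        if row["country"] != country or not row["users"]:
            continue
        series.append((date.fromisoformat(row["date"]), int(row["users"])))
    series.sort()
    return series


def find_spikes(series, window=5, factor=1.5):
    """Days whose count exceeds `factor` x the mean of the last `window` non-spike days.

    Spike days are not fed back into the baseline, so a run of high days is judged
    against the pre-spike level rather than against the previous spike day.
    """
    spikes, baseline = [], []
    for day, users in series:
        if len(baseline) >= window and users > factor * mean(baseline[-window:]):
            spikes.append((day, users))
            continue
        baseline.append(users)
    return spikes


def search_bracket(spike_day, term, days=7):
    """Google-style query bracketing a spike, in the after:/before: form the post uses."""
    after = spike_day - timedelta(days=days)
    before = spike_day + timedelta(days=days)
    return f'"{term}" after:{after:%Y/%m/%d} before:{before:%Y/%m/%d}'


if __name__ == "__main__":
    af = load_country_series(SAMPLE_CSV, "af")
    for day, users in find_spikes(af):
        print(day, users, search_bracket(day, "Afghanistan"))
```

The window and factor are tuning knobs: a longer window smooths weekly noise, and a higher factor keeps only the sharp jumps worth correlating with events. Tor Metrics user counts are estimates, so treat the flagged days as leads for the OSINT search, not as measurements of what those users did.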


Servers & Clients

Another useful way we can use TOR network analysis is by identifying the fastest routes for our traffic. TOR is generally a lot slower than surface web browsing, so being able to at least pick an optimal entry & exit node could be useful. Also, whilst you can't control the relays, there is plenty of open-source reporting of threat actors controlling exit nodes, so you may want to pipe your traffic to a known & trusted exit, such as one you set up yourself (https://securityaffairs.co/wordpress/107076/hacking/attackers-control-23-tor-exit-nodes.html).


Servers

From the graph below, we can see that Germany & the US host the lion's share of TOR relays. We can also use the graph below & other metrics available on the TOR project site to analyse speeds. If we wanted to create an optimal speed route, we could use these metrics to identify what is best from your specific location. Further down, we'll detail how to configure your client to specify entry & exit nodes for greater control when connecting to TOR.


https://metrics.torproject.org/bubbles.html#country


An additional metric of interest is the total available bandwidth of all the relays. We can generally correlate this to geopolitical events as well, since additional relays or nodes are established during these times. Additionally, we can use it as a troubleshooting mechanism if TOR is running unexpectedly slowly or unable to connect.


https://metrics.torproject.org/bandwidth.html


Relays

We can search for relays on the TOR network as well. If you are investigating IPs and looking at routing activity for hosts, you can use the relay search to find potential starting or pivot points. We can also use this feature to identify relays we may want to configure for specific traffic routing when we configure our client further down in the post.


https://metrics.torproject.org/rs.html#advanced


Consider a scenario where you wanted to find relays that may be associated with an investigation. If you have an email address, nickname or alias, you may use a relay search as a new pivot point to find other markers during your usual OSINT workflow. Below, we searched for relays specifically in Australia that use an @gmail.com address as the contact email. Validating whether these emails are legitimate is outside the scope of this blog, but it is another place to search.


We can then go into the relays and get more specific details, such as the fingerprint. This identifier can be used in the client configuration below to direct our traffic to a specific node.
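The same country, flag and contact-email filter can be run locally over the Onionoo "details" document that backs Relay Search. This is an added example, not the post's or the Tor Project's code; the field names (nickname, fingerprint, country, flags, contact, advertised_bandwidth, running) are the ones I know from that API, and every relay below is constructed, fingerprints included. It reproduces the Australia + @gmail.com search from the post and orders the result by advertised bandwidth so the fastest candidates surface first.

```python
"""Relay Search style filtering over an Onionoo-shaped document (added example).

Not the post's code.  Assumes the Onionoo 'details' field names listed in the
comment below; SAMPLE_DETAILS is entirely constructed.
"""
import json
import re

# Constructed sample shaped like https://onionoo.torproject.org/details.  Assumed
# fields: nickname, fingerprint, country, flags, contact, advertised_bandwidth,
# running.  All values, including the fingerprints, are invented.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"nickname": "sampleAuExitA", "fingerprint": "A1" * 20, "country": "au",
     "flags": ["Exit", "Fast", "Running", "Valid"], "contact": "ops@gmail.com",
     "advertised_bandwidth": 12_000_000, "running": True},
    {"nickname": "sampleAuExitB", "fingerprint": "B2" * 20, "country": "au",
     "flags": ["Exit", "Fast", "Running", "Valid"], "contact": "relay@gmail.com",
     "advertised_bandwidth": 40_000_000, "running": True},
    {"nickname": "sampleAuGuard", "fingerprint": "C3" * 20, "country": "au",
     "flags": ["Guard", "Fast", "Running", "Valid"], "contact": "guard@gmail.com",
     "advertised_bandwidth": 25_000_000, "running": True},
    {"nickname": "sampleDeExit", "fingerprint": "D4" * 20, "country": "de",
     "flags": ["Exit", "Fast", "Running", "Valid"], "contact": "someone@gmail.com",
     "advertised_bandwidth": 90_000_000, "running": True},
    {"nickname": "sampleAuDown", "fingerprint": "E5" * 20, "country": "au",
     "flags": ["Exit"], "contact": "down@gmail.com",
     "advertised_bandwidth": 99_000_000, "running": False},
    {"nickname": "sampleAuNoContact", "fingerprint": "F6" * 20, "country": "au",
     "flags": ["Exit", "Running"], "advertised_bandwidth": 5_000_000, "running": True},
]})

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def load_relays(details_json):
    return json.loads(details_json).get("relays", [])


def contact_domain(relay):
    """Lower-cased domain of the first e-mail-looking token in the contact field.

    Operators often obfuscate addresses ("ops [at] example dot org"); those return
    None here.  The contact string is self-reported and unverified either way.
    """
    m = EMAIL_RE.search(relay.get("contact") or "")
    return m.group(1).lower() if m else None


def select_relays(relays, country=None, flag=None, domain=None, running_only=True):
    """Filter like Relay Search; result sorted by advertised bandwidth, fastest first."""
    out = []
    for r in relays:
        if running_only and not r.get("running", False):
            continue
        if country and r.get("country", "").lower() != country.lower():
            continue
        if flag and flag not in r.get("flags", []):
            continue
        if domain and contact_domain(r) != domain.lower():
            continue
        out.append(r)
    out.sort(key=lambda r: r.get("advertised_bandwidth", 0), reverse=True)
    return out


def fingerprints(relays):
    """Fingerprints in the form the torrc ExitNodes/EntryNodes directives accept."""
    return [r["fingerprint"] for r in relays]


if __name__ == "__main__":
    relays = load_relays(SAMPLE_DETAILS)
    for r in select_relays(relays, country="au", flag="Exit", domain="gmail.com"):
        print(r["nickname"], r["fingerprint"], r["advertised_bandwidth"])
```

Passing flag="Exit" is what makes the result usable for the ExitNodes directive later in the post; a Guard-only relay will not be chosen as an exit. The live details document is large, so in practice you would download it once and filter the local copy rather than query it per search.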



Client Configurations

Based on our previous analysis & comments around controlling entry & exit nodes, we can configure the TOR browser bundle to go in & out of a specific country, IP, or node's fingerprint.


To do this, we simply edit the torrc file in the location where our client has been installed.

Windows/Linux: If you installed Tor Browser on Windows or Linux, the torrc file is in a folder within the install directory, which may look like Tor Browser\Browser\TorBrowser\Data\Tor

Windows example


If you're on macOS, you should be able to find the torrc file in the directory ~/Library/Application Support/TorBrowser-Data/Tor/Data - note: we could not confirm this location at the time of writing.


Torrc file: Once you open the torrc file, you simply need to add the following lines depending on what you want to achieve:


Connect to a specific IP: (replace the x's with the IP address)

Connect to a specific node's fingerprint: (replace the fingerprint string with the desired node)

  • ExitNodes 02E98BBE0B12570E4E2974E2A7472B297F8D9959

  • Note: the fingerprint above is an example from an existing relay. You can find your desired relay using the search methods detailed further up in the blog.

Connect to a specific country only (torrc takes one directive per line, so StrictNodes goes on its own line; it is a single setting that applies to both the entry and exit restrictions, and a value of 1 tells TOR to fail rather than quietly fall back to other relays when none in the chosen set is usable)

  • ExitNodes {us}

  • EntryNodes {us}

  • StrictNodes 1

Simply replace "us" with the ISO alpha-2 country code of your choice. Most of these are obvious, but a reference list can be found here: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
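Hand-editing torrc is easy to get slightly wrong (a typo in a fingerprint, a second ExitNodes line left over from an earlier experiment), so here is an added example, not the post's or the Tor Project's code, that validates the node specifiers the post uses and rewrites the torrc so each managed directive appears exactly once. It accepts the three forms shown in the post: a 40-hex fingerprint (TOR also accepts a leading "$"), a {cc} country code, and, for exits only, a plain IPv4 address. The sample torrc content is constructed.

```python
"""Apply entry/exit restrictions to a torrc without duplicating directives.

Added example, not the post's code.  Accepts the node specifier forms shown in
the post (fingerprint, {cc} country code, IPv4 for exits); SAMPLE_TORRC is constructed.
"""
import re

FINGERPRINT_RE = re.compile(r"^\$?[0-9A-Fa-f]{40}$")   # 40 hex chars, optional "$"
COUNTRY_RE = re.compile(r"^\{[A-Za-z]{2}\}$")          # {us}, {de}, ...
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")

# The three directives this script owns; any existing copies are replaced.
MANAGED = ("EntryNodes", "ExitNodes", "StrictNodes")

# Constructed sample of an existing torrc with a stale exit restriction.
SAMPLE_TORRC = """# Tor Browser torrc (constructed sample)
DataDirectory /some/path
ExitNodes {de}
"""


def normalise_spec(spec, allow_ip):
    """Return the specifier in canonical form, or raise ValueError if it is malformed."""
    spec = spec.strip()
    if FINGERPRINT_RE.match(spec):
        return "$" + spec.lstrip("$").upper()
    if COUNTRY_RE.match(spec):
        return spec.lower()
    if allow_ip and IPV4_RE.match(spec) and all(0 <= int(o) <= 255 for o in spec.split(".")):
        return spec
    raise ValueError(f"not a valid node specifier: {spec!r}")


def is_valid_spec(spec, allow_ip):
    try:
        normalise_spec(spec, allow_ip)
        return True
    except ValueError:
        return False


def apply_node_policy(torrc_text, entry=None, exit=None, strict=True):
    """Return torrc text with our EntryNodes/ExitNodes/StrictNodes lines, old copies removed."""
    kept = []
    for line in torrc_text.splitlines():
        keyword = line.strip().split(None, 1)[0] if line.strip() else ""
        if keyword in MANAGED:          # drop stale copies; comments ("#...") are kept
            continue
        kept.append(line)
    new = []
    if entry:
        new.append("EntryNodes " + ",".join(normalise_spec(s, allow_ip=False) for s in entry))
    if exit:
        new.append("ExitNodes " + ",".join(normalise_spec(s, allow_ip=True) for s in exit))
    if entry or exit:
        new.append(f"StrictNodes {1 if strict else 0}")   # one directive, own line
    return "\n".join(kept + new) + "\n"


if __name__ == "__main__":
    # Enter and exit in the US, as in the post's worked example.
    print(apply_node_policy(SAMPLE_TORRC, entry=["{us}"], exit=["{us}"]))
```

Pinning to a single fingerprint or a small country concentrates all your circuits on a few relays, so it trades anonymity for control; use it for the "trusted exit you operate yourself" case the post describes, and keep StrictNodes 1 so a typo or an offline relay fails loudly instead of silently routing elsewhere.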


You should end up with something like the image below if you wanted to pipe all your traffic to enter & exit in the US:


Save the file, then connect to TOR and validate your route by clicking the icon to the left of the search bar in the TOR browser. Example below.



Network Flow

Uncharted has built a useful map & dashboard to visualise TOR network traffic flow & bandwidth. There are various controls to drill into bits of information; the data is derived from the public data sets on The TOR Project metrics website.

https://torflow.uncharted.software/


Finally, if you want a list of all the TOR exit nodes to feed into a SIEM, map with tools, or integrate into a project you are building, you can view them here: https://check.torproject.org/torbulkexitlist


You can use tools like Bulk IP lookup (limited to 1000 nodes) to map the list by simply copying & pasting the IPs you want to map (https://app.ipapi.co/bulk), or build your own tool with IP lookup services & APIs.
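For the "feed it into a SIEM" case, the simplest building block is a matcher that tags log events whose source address is on the bulk exit list. This is an added example, not the post's code: the exit list format (one address per line) is as published at the URL above, the sample list uses documentation ranges rather than real relays, and the access-log lines are constructed. The live download is wrapped in a function that needs network access; everything else runs offline.

```python
"""Tag log events whose source IP is a Tor exit, using the bulk exit list.

Added example, not the post's code.  SAMPLE_EXIT_LIST and SAMPLE_LOG are constructed
(RFC 5737 / RFC 3849 documentation addresses, invented requests).
"""
import ipaddress
import re
import urllib.request

TOR_BULK_EXIT_LIST = "https://check.torproject.org/torbulkexitlist"  # from the post

# Constructed sample in the list's one-address-per-line format; not real exits.
SAMPLE_EXIT_LIST = """198.51.100.7
203.0.113.45
2001:db8::beef

"""

# Constructed Apache combined-style access log lines.
SAMPLE_LOG = """203.0.113.45 - - [13/Apr/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.10 - - [13/Apr/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024
2001:db8::beef - - [13/Apr/2021:10:02:11 +0000] "POST /login HTTP/1.1" 401 233
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_exit_list(text):
    """Set of ip_address objects (v4 and v6 alike); blank or unparsable lines are skipped."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return exits


def fetch_exit_list(url=TOR_BULK_EXIT_LIST, timeout=20):
    """Download the current list (needs network).  Refresh regularly: exits churn daily."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_exit_list(resp.read().decode("utf-8", "replace"))


def tag_tor_sources(log_text, exits):
    """Return (source_ip, timestamp, request, status) for lines whose source is a Tor exit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        if src in exits:
            hits.append((str(src), m.group("ts"), m.group("req"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in tag_tor_sources(SAMPLE_LOG, parse_exit_list(SAMPLE_EXIT_LIST)):
        print("tor-exit", *hit)
```

Matching on ipaddress objects rather than raw strings means "2001:db8::BEEF" and "2001:0db8::beef" hit the same entry. A hit only says the request came through Tor, not who sent it; in a SIEM it belongs as an enrichment tag that raises the score of other signals (the 401 on /login above, say), not as an alert on its own.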


Conclusion

There is a lot we can learn from & utilize as part of OSINT workflows by understanding TOR networks, whether it is correlating geopolitical events to activity spikes (the relevance of which will differ depending on your mission, something we haven't delved into in this blog), or understanding the network so you can build optimal routing flows for access. Additionally, controlling our client configurations with trusted TOR node routing may play a role in your threat mitigation strategy to avoid threat actors sitting on malicious nodes.