reverse engineering a nit that unmasks tor users

Annual ADFSL Conference on Digital Forensics, Security and Law 2016 Proceedings

May 25th, 1:00 PM

Reverse Engineering a Nit That Unmasks Tor Users Reverse Engineering a Nit That Unmasks Tor Users

Matthew Miller University of Nebraska at Kearney, [email protected]

Joshua Stroschein Dakota State University, [email protected]

Ashley Podhradsky Dakota State University, [email protected]

(c)ADFSL

Follow this and additional works at: https://commons.erau.edu/adfsl

Part of the Aviation Safety and Security Commons, Computer Law Commons, Defense and Security

Studies Commons, Forensic Science and Technology Commons, Information Security Commons,

National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, and

the Social Control, Law, Crime, and Deviance Commons

Scholarly Commons Citation Scholarly Commons Citation Miller, Matthew; Stroschein, Joshua; and Podhradsky, Ashley, "Reverse Engineering a Nit That Unmasks Tor Users" (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 10. https://commons.erau.edu/adfsl/2016/wednesday/10

This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].

http://commons.erau.edu/

http://commons.erau.edu/

https://commons.erau.edu/adfsl

https://commons.erau.edu/adfsl/2016

https://commons.erau.edu/adfsl/2016

https://commons.erau.edu/adfsl?utm_source=commons.erau.edu%2Fadfsl%2F2016%2Fwednesday%2F10&utm_medium=PDF&utm_campaign=PDFCoverPages

http://network.bepress.com/hgg/discipline/1320?utm_source=commons.erau.edu%2Fadfsl%2F2016%2Fwednesday%2F10&utm_medium=PDF&utm_campaign=PDFCoverPages










https://commons.erau.edu/adfsl/2016/wednesday/10?utm_source=commons.erau.edu%2Fadfsl%2F2016%2Fwednesday%2F10&utm_medium=PDF&utm_campaign=PDFCoverPages

mailto:[email protected]

/creativecommons.org/licenses/by-nc-nd/4.0/

/creativecommons.org/licenses/by-nc-nd/4.0/

Reverse Engineering a NIT that unmasks TOR users CDFSL Proceedings 2016

REVERSE ENGINEERING A NIT THAT UNMASKS

TOR USERS

Miller, Matthew

[email protected]

Stroschein, Joshua

[email protected]

Podhradsky, Ashley

[email protected]

University of Nebraska at Kearney and Dakota State University

ABSTRACT

This paper is a case study of a forensic investigation of a Network Investigative Technique (NIT)used by the FBI to deanonymize users of a The Onion Router (Tor) Hidden Service. The forensicinvestigators were hired by the defense to determine how the NIT worked. The defendant was ac-cused of using a browser to access illegal information. The authors analyzed the source code, binary�les and logs that were used by the NIT. The analysis was used to validate that the NIT collectedonly necessary and legally authorized information. This paper outlines the publicly available casedetails, how the NIT logged data, and how the NIT utilized a capability in �ash to deanonymize aTor user. The challenges with the investigation and concerns of the NIT will also be discussed.

Keywords: Tor, NIT, deanonymization, Tor Hidden Services, �ash

1. INTRODUCTION

The FBI was given access to a group of comput-ers that were running a The Onion Router (Tor)Hidden Service that hosted illegal content. TheFBI then requested and received a warrant toinvestigate the individuals whom accessed theillegal content on those servers. When content isaccessed via the Tor network [1], the IP addressof the computer requesting the content is hid-den. The FBI developed a Network Investiga-tive Technique (NIT) that would deanonymizethe users of the Tor Hidden Service. For a shortperiod of time, the FBI ran a server that sup-plied a �ash object (NIT) to a users browser,which in turn would deanonymize those users.The data gathered from the NIT was used asprobable cause to acquire search warrants. Thisstory was reported in many outlets [2] [5] [6] [9][10]. Our team was retained to investigate theNIT to ensure that it only collected the infor-mation speci�ed in the original warrant. Ourteam's original report has been published forpublic viewing [8].

This investigation is one of the �rst where law

enforcement have actively modi�ed Tor hiddenservice website to deanonymize the users. In atraditional website, the Internet Protocol (IP)address of a client is used as a component ofthe IP networking layer. Thus an IP addressis required for a website to operate properly.To thwart authorities, users of illegal contentmoved to using proxy addresses to access web-sites. The poxy service will make the connectionfor the client and mask the identity of the user.To deanonymize proxy users, law enforcementcan get a court order to seize and modify theproxy servers. With the advent of Tor, users canbounce their encrypted tra�c through the Tornetwork to achieve anonymity. The movementto Tor has pushed law enforcement to use moretechnically advanced methods of deanonymiza-tion.

2. NIT FRAMEWORK

The NIT consisted of several di�erent systemsthat worked in concert to deanonymize usersof the Tor Hidden Service. This section isbroken down into separate sections based thedi�erent systems that were analyzed. A high

c© 2016 ADFSL Page 195

CDFSL Proceedings 2016 Reverse Engineering a NIT that unmasks TOR users

Users Browser

hidden service request

TOR Hidden Service Server (FBI Controlled)

FBI DNS and Logging Server

hidden service response

Flash

TOR Network

socket connection

Cookie Logger

1 2

3

Figure 1. NIT High Level Overview

level overview of the NIT is shown in Figure1. Section 2.1 describes how a Session Identi�er(SessionID) was generated and logged. Section2.2 describes the �ash application that makessocket connections. Section 2.3 describes howthe FBI decrypted and logged data gatheredfrom DNS queries. Section 2.4 describes howthe socket connection was logged. Section 2.5discusses how the data from the logs on di�er-ent servers were correlated. Section 2.6 discussesour testing of the reliability and reproducibilityof the NIT. Section 2.7 discusses some of theissues related to the log correlation and data va-lidity.

2.1 Server Side Code

The main goal of the NIT was to deanonymizeusers of a Tor Hidden Service by revealing theirpublic IP address. To accomplish this the FBIgenerated an identi�er for users of the Tor Hid-den Service. This code needed to be dynamicand change for each user of the webpage, andthus the FBI used php for the server side script-ing. When the user would visit one of thepages that was being tracked, a page namedgallery.php would be executed. Figure 3 showsone of these pages that included gallery.php.The gallery.php page is included in an iframeand it has a size of 1 pixel by 1 pixel.

gallery.php

Line 15: generate random SID

Lines 18-38: determine method of decloaking

Lines 1680-1692: use GALLERY_API_KEY to encrypt (server, SID, type) which creates the ECID

Line 73: include ECID as id in gallery.swf

gallery.swf

Lines 46-48: resolve domain that includes ECID

Line 49: make a socket connection to cornhusker

Lines 29-34: send operating system, architecture, and ECID to cornhusker

cornhuskerServer

Figure 2. NIT Source Code Overview

The server side code in gallery.php createda unique SessionID each time a tracked web-page was loaded. The data �ow is shownin Figure 2. This SessionID is a randomnumber generated using the mcrypt_create_iv

and MCRYPT_DEV_URANDOM functions,which are both standard mcrypt encryptionfunctions. The random number generation isshown in Figure 4 on Line 15. After theSessionID was generated, the FBI would log thedata which included IDs for the uri, discussionboard, the thread and if the user was a modera-tor (mod). This is done on line 16 and is shownin Figure 4. The code for the logging is shownin Figure 5. This code simply logs to a tablenamed 'visitors' in a SQL database.

After the SessionID was created, the FBI'scode would determine which decloaking methodto use. This is shown in Figure 6. The browserthat we tested was the Rekonq browser (as perthe logs and FBI report). The Rekonq browserwould cause the 3rd case (Lines 33-36) to beexecuted. The code then delivers the correctmethod of decloaking based on the variableswith a pre�x display. For the Rekonq browser,gallery.php �le would include a �ash �le namedgallery.swf and it would pass an id to the �ashobject. This id is created using the FBI's gen-erate_cookie function. The result of the gener-

Page 196 c© 2016 ADFSL


Figure 3. Tracked Webpage 1481.html

Figure 4. PHP Variables in gallery.php

ate_cookie function will be known as the En-crypted Session Identi�er (ECID). The gener-ate_cookie function uses the shared key namedGALLERY_API_KEY , sets method to 'swf'and uses the random SessionID that was gener-ated above.

Figure 8 shows the code that was used to gen-erate the ECID. The data stored in the ECIDis a commercial at (@) delimited data structure,and data is terminated with a $. The num-ber 2 at the beginning represents which servergenerated the cookie. There were three di�er-ent servers, each one had a di�erent hardcodedvalue. The method is 'swf' and the $session_idis the SessionID from above. This data is en-crypted with a random initialization vector (iv)and using the GALLERY_API_KEY . Thiskey is only readable on the server and not inthe client's browser. To decrypt the data, theshared key and the iv are required. At the endof the function, the randomly generated iv isprepended to the result, so that the FBI candecrypt the encoded data.

All of the above occurs when the user requestsa page that included gallery.php. In Figure 1this is step 1. While this data is processed, theresponse is also sent back to the anonymous Toruser. This process is step 2 in Figure 1. Whenthe user's Rekonq browser processes the page, itwill load and execute the the �ash object thatis embedded (as shown in Figure 7).

2.2 Flash Application and Socket

Server

The above section describes how the SessionIDand ECID are generated. The ECID is passed tothe �ash object through the parameter namedid. The FBI did not provide the sourcecode for the �ash application for our analy-sis. This will be discussed in Section 4. Tounderstand the functionality of the applica-tion, we reverse engineered the source codefor the �ash application using the JPEXS de-compiler [7]. The reverse engineered sourceis shown in Figure 9. In this �ash codethe function loadGallery is called shortly afterthe �ash application is loaded by the browser.This function loads the ECID on Line 42. Ifthat value is not null, the �ash applicationwill make a socket connection to the domain96.126.124.96.ECID.cpimagegallery.com, wherethe ECID is replaced by the value of the ECID.The domain cpimagegallery.com was controlledby the FBI. When cpimagegallery.com was re-solved by a DNS resolver it returned the addressof an FBI controlled server (known hereafter ascornhusker) and the use of this domain is dis-cussed in Section 2.3. Flash will make a DNSrequest to resolve the IP address of the domainabove. After the IP address is resolved, the�ash application will call the onConnect func-tion (Line 27 of Figure 9). The onConnect func-tion builds a string that contains the operatingsystem, cpu architechure and the id that waspassed to the �ash app (ECID). This string is



Figure 5. Request Log Function in functions.php

Figure 6. Browser Check in gallery.php

Figure 7. �ash �le inclusion in gallery.php



Figure 8. ECID Generation in fuctions.php

Figure 9. Reverse Engineered NIT source code from gallery.swf



sent to the cornhusker server via a TCP socketconnection. These are the parameters that theFBI was allowed to collect via the search war-rant that they were issued. Another key pointhere is that �ash will ignore the proxy settingsfor the Rekonq browser. This means that theconnection will not traverse the Tor network,but go over the users normal internet connec-tion. This lack of proxy usage will allow the Toruser's public IP address to be revealed and theiranonymous TOR activity to be deanonymized.The socket connection will be made using thepublic IP address of the Tor user.

2.3 DNS parsing and logging

Section 2.2 described how the �ash appli-cation would make a request to connect toa server with a domain name of the form96.126.124.96.ECID.cpimagegallery.com. Fig-ure 10 gives a high level overview of the DNSparsing code on cornhusker. The FBI providedus with the code that ran on the cornhuskerserver along with the logs from that server.This server was destroyed after the operationhad completed, so we were unable to analyzethe actual server that ran the code. The corn-husker server was running the Twisted Pythonserver [4]. Twisted is "an event-driven network-ing engine written in Python" that allowed theFBI to perform the resolution of the domainsin a �exible manner. This �exibility allowedthe FBI to resolve the domains to their IP ad-dress, as well as parse ECID that was embeddedwithin those DNS queries. The parsing code isshown in Figure 14. On Line 136 the parsingcode will decrypt the cookie. In the call to de-crypt_cookie, the value of self.key is the sharedsecret key and the cookie is the ECID. The codeused to decrypt the ECID is shown in Figure 15.Lines 50 and 51 extract the iv and then decryptthe stored information. Line 55 checks to seethat the text contains a $ and Line 60 splits upthe decrypted text based on the @ delimiter. Ifthere are no errors, the decrypt_cookie functionreturns the board_id, method of decloaking andthe session_id (SessionID). Returning to Figure14, we can see that the code from Lines 137-138logs the board_id,method and session_ID to a

log �le. Lines 140-159 log data to a database.Lines 161-168 create a DNS response with thecorrect IP address of the cornhusker server andLine 177 sends that response back to the �ashapplication.

cornhusker.py

decrypt_cookie

Lines 50-51: extract iv and decrypt

Line 55: check for $

Line 60: tokenize using the @ delimiter

board_id method session_IDReturn

handleQuery

Line 136: decrypt cookie

Lines 137-138: Log to logfile

Lines 140-159: Log to database

Figure 10. Cornhusker Code Overview

2.4 Flash TCP Logging

The �ash application that we reverse engineeredwould make a socket connection after the DNSquery returned the IP address of the cornhuskerserver. Figure 16 shows the code used to logthe data acquired from that socket connection.Lines 294-303 show the server providing a policy�le if that is requested. Line 317 decrypts theECID using the same decrypt_cookie functiondescribed in Section 2.3. Lines 318 and 319 logthe data to a log �le and Lines 321-337 log thedata to a database.

2.5 Log correlation

The FBI needed to correlate the tra�c on theTor Hidden Service website with the data that



Client’s Browser

TOR Hidden ServiceFBI DNS Server

(cornhusker)

1481.html FBI DNS and Logging Server

gallery.php

generate SID

gallery.swf

generate ECID

ECID

Log SID to visitors table Visitors Table

ECID

cornhusker.log

decrypt ECID and log SID

Figure 11. SID Data movement overview

was gathered via the cornhusker server. Themethod for this correlation was to log the sameunique SessionID on both servers. Figure 11 il-lustrates how the SessionID was logged in bothlocations. Figure 3 shows a page on the Tor Hid-den Service website, which loads gallery.php andlogs the generated SessionID. That SessionIDis encrypted and stored in the ECID (Fig-ure 8), which is passed as an argument(id) togallery.swf (Figure 7). The ECID is sent tothe cornhusker server as a substring in the do-main. Section 2.3 describes how the ECID isdecrypted and logged. Figure 12 shows thelogged data in the visitors table and Figure 13shows the SessionID and the IP address loggedon cornhusker. The FBI used the fact that theSessionID is the same in both logs to correlatethe activity on the two di�erent servers.

2.6 Reliability and Reproducibility

We were able to create an environment that wassimilar to the environment that was used for theTor Hidden Service, cornhusker server and ourclients operating system. When we connected tothe Tor Hidden Service server with an Ubuntu12.04 computer using the Rekonq browser, thelogs generated on the Tor Hidden Service andcornhusker were consistent with the logs we re-ceived from the FBI. The DNS requests go overUDP and thus they can be spoofed. However,the cornhusker log indicates that DNS requestwas made via the the proxy server and thus thatdata was not logged in this case. The socket con-nection in the �ash application uses TCP andthe SessionID is encrypted. Therefore, we be-lieve that the data received from the NIT is re-producible. The TCP connection is not easily

spoofed, but the ability to spoof a request iselaborated in the next section.

2.7 Data Validity

This section describes scenarios where the datagathered from the NIT could be faulty.

1 Section 2.5 showed how the FBI correlated thelogs from the two servers. There is no guar-antee that the request made from gallery.swfwas made by the same client that requestedthe Tor Hidden Service. Outbound connec-tion monitoring would make it trivial to de-duce that something unusual was happening.Suppose that gallery.swf were to be placed onanother website and given the same id pa-rameter. Then the connection to cornhuskerwould have logged an inaccurate IP address.

2 Another scenario is one which an actor thatknew that the Tor Hidden Service site wasdeanonymizing users. The requests for thepages 1481.html and index.html could havebeen placed inside of hidden iframes withinother legitimate Tor websites. We found noevidence to suggest that this occurred.

3 The cornhusker server was unavailable for ouranalysis. Therefore we were unable to analyzeany access controls that were in place for thatserver.

We could not �nd any evidence that any ex-ternal actor planted links on additional websitesthat would have allowed (scenarios 1 or 2 fromabove) the creation of faulty data. Additionally,we were not given access by our client to decryptand analyze his encrypted computer hard drives.

3. LAB SETUP

For the analysis, we used an Ubuntu 12.04 vir-tual machine to simulate the activity that ourclient used (Client). This was the browser thatour client stated he used; it was logged in corn-husker log �les and it was included in the FBIreports. We also used Ubuntu 12.04 virtual ma-chine to simulate running Tor website as well ascornhusker logging server(Server). We were notprovided with the details of the server running



the cornhusker logging software, but we lookedat the software requirements to select an ap-propriate operating system. The requirementsfor this server were a MySQL database, a web-server(Apache), Haxe [3] �ash compiler and theTwisted framework. We installed all of thesepackages as well as their dependancies. We con-nected the Client and Server together via an iso-lated Ethernet network.

To reverse engineer the NIT software, we uti-lized the JPEXS [7] �ash decompiler. We down-loaded the native binaries for our native oper-ating system (Mac OS X) and decompiled theswf �le. We used the free Haxe �ash compilerto compile our own �ash swf �les.

3.1 Testing Methodology

The initial goal for our team was to verify theinformation that was sent to the FBI's server.Some of this information was located in plaintext source �les (gallery.php, functions.php, in-dex.html) and some of it was located in acompiled swf �le (gallery.swf). To determinethe functionality of gallery.swf, we utilized theJPEXS decompiler. The decompiler will takethe swf byte code and return �ash action scriptcode. We then used the Haxe complier to com-pile the reverse engineered source code to cre-ate galleryRE.swf. We used galleryRE.swf toverify that both the reverse engineered �ash�le (galleryRE.swf) and the original �ash �le(gallery.swf) send the same information to thecornhusker server.

We followed the Twisted documentation andread the cornhusker.py �le to learn the con-�guration options for the cornhusker server.To ensure that the domain name for cpimage-gallery.com worked, we added the correct IP ad-dress for the cornhusker server in the resolv.conf�le of the client machine.

A second goal set forth by our client wasto verify that the data in the FBI report wascorrectly correlated. We veri�ed that the ses-sion_ids in the visitors table matched the ses-sion session ids in the cornhusker logs (Figures12 and 13).

4. CHALLENGES

Reverse engineering a Tor unmasking frameworkstarts with understanding how the framework isset up. The �rst challenge was that it was dif-�cult to ascertain the details of the unmaskingframework. When we arrived for our �rst visit,they handed us the original three hard drivesthat were used to host the Tor Hidden Services.The FBI did notify us that php �les and a swf�le were used for the NIT to generate the datafor the reports. We were not given any direc-tion as to how the framework was set up andthe cornhusker server was not provided at thattime. We were given copies of the reports thatsummarized the data that was collected by theFBI. We asked the FBI for a copy of the sourcecode for the NIT, but the FBI was unable toprovide us with that source code and they be-lieved that they could produce it at a later date.During the Daubert Hearing, the FBI admittedthat they were not able to locate the source codeto the swf (�ash) application. Thus, we had toreverse engineer the �ash application to investi-gate its functionality.

5. CONCLUSIONS

Our team investigated the FBI's NIT that wasused to deanonymize users of a Tor Hidden Ser-vice that was hosting illegal content. We foundthat the NIT would deanonymize Tor users. Wefound that the FBI logged data that was consis-tent with the search warrant. We found that theNIT produced repeatable results that were con-sistent with the data we found in the server logs.There are scenarios that could render the datainvalid (Section 2.7) , but we found no evidencethat any of these scenarios occurred.The loss of the source code in this case sets a

troubling precedent. We believe that due to thesmall size of the �ash application, our analysisin this case is correct. However, if this trendcontinues, the likelihood that additional func-tionality (accidental or covert) will increase asthe size of the code increases.



Figure 12. Visitors Table

Figure 13. Cornhusker Log



Figure 14. Handle DNS Query in cornhusker.py



Figure 15. decrypt_cookie in cornhusker.py



Figure 16. �ash Socket Connection on cornhusker.py



REFERENCES

[1] Roger Dingledin and Nick Mathewson. Torproject. https://www.torproject.org/,2015 12.

[2] Cyrus Farivar and Sean Gallagher.Feds bust through huge tor-hiddenchild porn site using questionable mal-ware. http://arstechnica.com/tech-

policy/2015/07/feds-bust-through-

huge-tor-hidden-child-porn-site-

using-questionable-malware/.

[3] The Haxe Foundation. Haxe tool kit web-site. http://haxe.org/, 03 2016.

[4] Glyph Lefkowitz. Twisted server.https://twistedmatrix.com/trac/, 122015.

[5] Pierluigi Paganini. Nit, the �ash codethe fbi used to deanonymize pedo'son tor. http://securityaffairs.co/

wordpress/38213/cyber-crime/nit-

fbi-deanonymize-tor.html, 07 2015.

[6] Pierluigi Paganini. Operation tornado � fbiused metasploit to unmask tor users. http://securityaffairs.co/wordpress/

31174/cyber-crime/operation-

tornado-fbi-against-tor.htm, 122015.

[7] Jindra Petrik. Jpexs decompiler.https://www.free-decompiler.com/�ash/,12 2015.

[8] Ashley Podhradsky, Matt Miller,and Josh Strochein. Usa v cot-tom et al 8:13-cr-00108-jfb-tdt u.s.district court district of nebraska.https://assets.documentcloud.org/

documents/2124281/fbi-tor-busting-

227-1.pdf, 06 2015.

[9] KEVIN POULSEN. The fbi used theweb's favorite hacking tool to unmask torusers. http://www.wired.com/2014/12/

fbi-metasploit-tor/.

[10] VIJAY PRABHU. Fbi used metas-ploit for illegal, warrantless snooping ontor users. http://www.techworm.net/

2014/12/fbi-used-metasploit-for-

illegal-warrantless-snooping-on-

tor-users.html, 12 2014.


reverse engineering a nit that unmasks tor users

Documents