Researcher Reveals How To Detect Real IP Addresses of Tor Servers
An information security specialist known by the nickname Sh1ttyKids has recently demonstrated a way to detect the real IP addresses of Tor servers. The researcher used ETag (entity tag) in the HTTP response header for this.
Background
Sh1ttyKids began his research in connection with the hacking of Capcom, which was compromised in 2020 by the extortion group Ragnar Locker. After Capcom refused to pay the ransom, about 67 GB of stolen files were published on the dark web.
At that time, the group's site contained only a link to the leak, not the files themselves, and Sh1ttyKids noticed that Ragnar Locker used a separate Onion address for hosting such leaks. The files were placed on the Onion address starting with “t2w…”.
Research Process
An attempt to access this address directly returned a blank page. The researcher then reasoned that, when looking for the IP addresses of darknet sites, investigators usually check the site's source code, its SSL certificate, its response headers, and so on, in order to obtain unique strings for fingerprinting; those strings can then be fed to Shodan, Censys and similar services to discover the real IP address of the resource. In this case, however, the source code of the site could not be obtained.
Sh1ttyKids therefore checked the response headers, because a unique string in them can likewise be used to find the source IP address. He concluded that even an ETag in the response header can serve this purpose.
Through Shodan, he searched the ETag “0-5a4a8aa76f2f0” he received from the Ragnar Locker website and found one match.
Accessing this IP address directly returned only a blank page, just as direct access to the t2w5by<…>.onion address had. On checking the response headers, however, the researcher found the same ETag. Sh1ttyKids then downloaded a file with the same name from both the Onion address and the IP address, confirming that the file was present in both cases.
Thus, the researcher concluded that the source IP address of the Onion site t2w5by<…>.onion is 5[.]45[.]65[.]52.
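The check described above, turned around into a self-audit an onion-service operator can run: the script below is an added example (not code from the article or from the researcher) that parses two raw HTTP responses, lists the headers whose values are specific enough to be looked up in internet-wide scan data, and reports which of those values the two responses share. The header list, the "contains a digit" heuristic for specificity, and the sample responses are all assumptions constructed for this example.

```python
"""Self-audit for fingerprintable HTTP response headers.

Added example, not code from the article or from the researcher it describes.
It parses raw HTTP/1.x responses, lists headers whose values are stable enough
to be searched in internet-wide scan data (the ETag case the article
describes), and reports which of those values two responses share.
"""
from __future__ import annotations

# Header names whose values are commonly indexed by scan services and tend to be
# unique per deployment. This set is an assumption for the example, not a
# standard list.
FINGERPRINT_HEADERS = {"etag", "server", "last-modified", "x-powered-by"}


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased; the body (after the blank line) is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than abort the audit
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_specific(value: str) -> bool:
    """Heuristic: a value with no digits (e.g. a bare 'Apache') is shared by far
    too many hosts to be a useful search key, so it is not flagged."""
    return any(ch.isdigit() for ch in value)


def fingerprint_headers(raw: str) -> dict[str, str]:
    """Return the headers from `raw` that could serve as a scan-engine search key."""
    _, headers = parse_response(raw)
    return {k: v for k, v in headers.items()
            if k in FINGERPRINT_HEADERS and is_specific(v)}


def shared_fingerprints(raw_a: str, raw_b: str) -> dict[str, str]:
    """Fingerprint headers whose values are identical in both responses.

    An operator runs this against the onion-side and clearnet-side responses of
    the same server: any shared value is a string that could link the two.
    """
    a = fingerprint_headers(raw_a)
    b = fingerprint_headers(raw_b)
    return {k: a[k] for k in a if b.get(k) == a[k]}


def audit(raw_a: str, raw_b: str) -> list[str]:
    """Sorted, human-readable findings for a pair of responses."""
    shared = shared_fingerprints(raw_a, raw_b)
    return [f"{name}: {value}" for name, value in sorted(shared.items())]


# Constructed sample responses for the demo; not captured from any real host.
# The ETag shape mirrors Apache's default (hex size/mtime components).
ONION_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Last-Modified: Tue, 01 Dec 2020 10:00:00 GMT\r\n"
    "ETag: \"0-5c0ffee123456\"\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
CLEARNET_RESPONSE = ONION_RESPONSE  # same server answering on its public IP
# What the same server returns once ETag and Last-Modified are disabled and the
# Server banner is reduced to its product name.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, pair in (("before hardening", (ONION_RESPONSE, CLEARNET_RESPONSE)),
                        ("after hardening", (HARDENED_RESPONSE, HARDENED_RESPONSE))):
        findings = audit(*pair) or ["no shared fingerprint headers"]
        for line in findings:
            print(f"{label}: {line}")
```

On Apache the hardened response corresponds to `FileETag None` (or `Header unset ETag` with mod_headers) together with `ServerTokens Prod`; on nginx to `etag off;` and `server_tokens off;`. Stripping headers only removes the search key, though: the match in the article also depended on the web server answering the same way on its public IP at all, so binding the service to localhost and reaching it only through the onion service removes the second half of the problem.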
Implications
He notes that this information can be useful to law enforcement agencies, because knowing the IP address could help them seize the server and use it in an investigation.
Moreover, it later turned out that the address 5[.]45[.]65[.]52 discovered by the specialist appeared in an FBI report. Although the document gives no further information about this IP address, Sh1ttyKids is confident that it is associated with the server that was used to host the stolen Capcom data.
The research conducted by Sh1ttyKids is an important step in understanding how to detect the real IP addresses of Tor servers. The process can be used by law enforcement agencies to investigate cybercrime and other malicious activity. It is also worth noting that the method can be used to protect the privacy of Tor users, since it can help them identify malicious actors and protect themselves from potential attacks.