SlideShare a Scribd company logo

TOR... ALL THE THINGS Whitepaper

CrowdStrike
CrowdStrike

This document introduces Tortilla, software designed to allow security researchers to safely and anonymously interact with hostile servers and actors online. It discusses how traditional malware research was more passive, but now requires actively monitoring adversary infrastructure. The Tor network and Tor Browser Bundle are described as existing solutions for anonymity, but they have limitations like only supporting the Firefox browser and not plugins. Tortilla aims to address these issues by providing a more robust anonymity solution.

Technology
1 of 14
Download to read offline
       
      Contents   Introduction  .................................................................................................................................................  2   Tor  ...............................................................................................................................................................  3   Tor  Browser  Bundle  .....................................................................................................................................  4   Tortilla  Design  Goals  ....................................................................................................................................  5   Tortilla  Architecture  .....................................................................................................................................  7   Installation  and  Usage  ...............................................................................................................................  11   Conclusion  .................................................................................................................................................  12        
      Introduction   In  the  past,  malware  research  was  rather  passive.  Researchers  received  malware  samples  from   customers,  industry  partners,  and  honeypots,  and  would  analyze  the  files  in  a  network-­‐isolated   environment.  These  researchers  would  find  indicators  of  compromise  and  develop  detection  signatures   for  the  malware,  then  move  on  to  the  next  sample.   Today,  malware  research  often  falls  under  the  umbrella  of  security  intelligence  research.  In  addition  to   analyzing  malware  samples,  researchers  now  need  to  actively  interact  with  malicious  actors’  servers.     Whether  it’s  to  monitor  malicious  actors’  Command-­‐and-­‐Control  servers,  download  the  actors’  malware   for  analysis,  or  read  the  actors’  blogs  in  order  to  harvest  actionable  intelligence,  researchers  today  are   not  working  in  network-­‐isolation.   However,  as  more  and  more  researchers  are  now  working  from  home,  the  notion  of  exposing  one’s   home  IP  address  to  an  adversary  is  rather  unsavory,  especially  when  dealing  with  organized  crime   syndicates  and  nation-­‐state  adversaries.  As  such,  researchers  need  a  way  to  anonymously  communicate   with  servers  operated  by  hostile  entities.   This  whitepaper  discusses  a  new  software  project  named  Tortilla,  which  is  designed  to  allow  researchers   to  easily,  safely,  and  securely  use  Tor  to  anonymously  communicate  over  the  Internet.      
      Tor   The  Tor  Project1 ,  founded  in  2006,  oversees  development  and  operation  of  the  Tor  software  and  a   global  Tor  network,  which  together  allow  users  to  anonymously  route  their  traffic  through  the  Internet.   “Tor  protects  you  by  bouncing  your  communications  around  a  distributed  network  of  relays  run  by   volunteers  all  around  the  world:  it  prevents  somebody  watching  your  Internet  connection  from  learning   what  sites  you  visit,  and  it  prevents  the  sites  you  visit  from  learning  your  physical  location.”2   The  Tor  client  works  by  first  obtaining  a  list  of  Tor  nodes  from  a  Tor  directory  server.  When  the  client   seeks  to  establish  a  connection  with  a  destination  server,  the  client  picks  a  random  path  to  the   destination  server  through  several  Tor  nodes  and  uses  onion  routing3  to  encrypt  the  routing  information   and  network  data  for  each  hop  along  the  route.   The  Tor  software  is  free  and  open-­‐source,  and  the  Tor  network  (which  is  free  to  use)  consists  of  over   4,000  relay  servers4 .                                                                                                                                 1  https://www.torproject.org   2  https://www.torproject.org/docs/faq.html.en#WhatIsTor   3  http://patentimages.storage.googleapis.com/pdfs/US6266704.pdf   4  http://torstatus.blutmagie.de/  
      Tor Browser Bundle   When  most  people  want  to  use  Tor  on  Windows,  they  download  the  Tor  Browser  Bundle5  (TBB).  The   two  major  components  of  the  TBB  are  Tor  and  a  modified  version  of  Firefox  ESR6 .   Tor  runs  a  SOCKS7  server,  listening  locally  on  TCP  port  9050.  Tor  securely  routes  incoming  SOCKS   connections  through  the  anonymizing  Tor  network.  The  modified  version  of  Firefox  routes  all  of  its  DNS   and  HTTP(S)  traffic  through  this  SOCKS  server.   Though  download  and  installation  of  the  TBB  are  relatively  easy  and  indeed  sufficient  for  most  basic   web  surfing  needs,  the  TBB  has  many  shortcomings  with  regard  to  overall  online  anonymity.   Firstly,  Firefox  is  the  only  browser  natively  supported  by  the  TBB.  This  could  be  an  issue  for  security   conscious  users,  given  that  Firefox  had  more  than  six  times  the  number  of  vulnerabilities  discovered  in  it   over  the  past  two  years  than  did  Internet  Explorer8 .  Furthermore,  plugins  (such  as  Adobe  Flash)  are  not   compatible  with  TBB  since  TBB  cannot  redirect  plugin-­‐based  Internet  traffic.   The  Tor  SOCKS  server  listening  on  TCP  port  9050  is  not  restricted  solely  to  Firefox  traffic,  though.  Indeed,   any  application  that  is  capable  of  communicating  via  a  SOCKS  proxy  can  be  configured  to  work  with  Tor,   and  third-­‐party  software  such  as  Privoxy9  allows  HTTP-­‐proxy-­‐aware  applications  to  work  with  Tor  as   well.  Unfortunately,  most  software  does  not  support  HTTP  and/or  SOCKS  proxying,  and  even  software   that  does  support  such  proxying  doesn’t  typically  support  DNS  proxying  via  SOCKS  (thus  leading  to  DNS   leaks  and  a  loss  of  confidentiality).   The  world  needs  a  more  robust  solution.                                                                                                                               5  https://www.torproject.org/projects/torbrowser.html.en   6  http://www.mozilla.org/en-­‐US/firefox/organizations/   7  http://en.wikipedia.org/wiki/SOCKS   8  http://secunia.com/?action=fetch&filename=Secunia_Vulnerability_Review_2013.pdf   9  http://www.privoxy.org  
      Tortilla Design Goals   Given  that  the  ideal  solution  will  wrap  Tor  around  all  traffic  that  can  be  handled  by  Tor,  this  new   platform  is  named  Tortilla.   Tortilla  consists  of  five  simple  design  goals:   1. Transparently  route  all  TCP  and  DNS  traffic  through  Tor   Tor  is  designed  to  route  IPv4  TCP  traffic.  It  does  not  handle  any  other  protocols,  though  it  does   allow  specially  formatted  DNS  lookups  to  be  made  via  a  Tor  exit  node.  Thus,  given  that  Tor  can   be  used  for  TCP  and  DNS,  Tortilla  is  designed  to  transparently  route  this  traffic.  In  this  context,   “transparent”  routing  means  that  applications  need  not  have  native  support  for  Tor  or  generic   SOCKS-­‐  or  HTTP-­‐proxying.  This  means  that  not  only  can  non-­‐Firefox  browsers  be  used  (along   with  plugins),  but  most  any  networking  applications  can  be  used  that  utilize  TCP  and  DNS.     2. Do  not  allow  any  network  traffic  onto  the  Internet  unless  it  goes  through  Tor   All  IPv4  TCP  and  DNS  packets  should  go  through  Tor,  and  all  other  packets  should  be  dropped.   This  packet  filtering  should  be  at  OSI  Layer  2,  as  filtering  at  Layer  3  or  above  could  allow  for   some  packets  to  “slip  through”  to  the  network  card.     3. Do  not  require  a  typical  user  to  install  an  unfamiliar  OS   As  of  July,  2013,  Microsoft  Windows  has  a  91.51%  market  share  on  desktop  computers10 .  While   various  flavors  of  Linux  are  more  conducive  to  intercepting  network  traffic,  Windows  is  still   much  more  familiar  to  most  desktop  users.  In  order  to  maximize  adoption  and  minimize  the   barrier  to  entry,  we  do  not  want  to  require  users  to  learn  a  new  operating  system.     4. Do  not  allow  malware  to  circumvent  the  Tor  tunnel  to  communicate  directly  with  the  Internet   Ideally,  Tortilla’s  integrity  should  remain  intact  even  if  a  user’s  system  is  exploited  by  visiting  a   malicious  website,  opening  a  malicious  e-­‐mail  attachment,  or  executing  a  malicious  download.   Although  standard  user  mode  or  kernel  mode  hooks  could  be  used  to  programmatically  hook   and  redirect  network  traffic,  malware  could  disable  these  hooks  and  circumvent  the  Tor-­‐ redirection  tunnel.       5. Do  not  require  extra  hardware  or  extra  virtual  machines  (VMs)   Extra  hardware  costs  extra  money.  Extra  VMs  require  extra  RAM,  which  in  turn  costs  extra   money.  In  order  to  make  Tortilla  as  accessible  as  possible,  it  should  not  have  any  unnecessary   requirements.                                                                                                                               10  http://www.netmarketshare.com/report.aspx?qprid=8&qpcustomd=0  
      Several  solutions  already  exist  that  meet  some  of  these  design  goals,  but  none  meet  them  all:   Solution   Design  Goal   Comments   1   2   3   4   5   Hardware-­‐Based   Transparent   Proxy             Onion  Pi11  and  P.O.R.T.A.L.12  are  the  most  well-­‐known   solutions  in  this  category.  We  assume  the  user  can  buy  a   prebuilt  and  preconfigured  device.  Malware  is  not  self-­‐ contained  because  it  could  connect  to  a  different  WiFi   network  and  circumvent  the  Tor  tunnel  offered  by  Onion   Pi.   Software-­‐Based   Transparent   Proxy         ?     Tor  does  not  support  transparent  proxying  on  Windows   since  such  proxying  is  implemented  via  /dev/pf.  As   such,  this  approach  requires  a  non-­‐Windows  gateway   (such  as  Whonix13 ).  Furthermore,  if  the  transparent  proxy   is  accessed  via  a  VPN,  malware  may  be  able  to  disable  the   VPN  route  to  circumvent  the  Tor  tunnel.   Tor  Integrated   Directly  into  OS             Tails14  is  Debian-­‐based,  not  Windows-­‐based.   Winsock  Hooks       Winsock  hooks  (such  as  the  type  used  by  Torcap15 )  can  be   circumvented  by  malware.                                                                                                                                 11  http://learn.adafruit.com/onion-­‐pi   12  https://github.com/grugq/portal   13  https://whonix.org   14  https://tails.boum.org/   15  http://freehaven.net/~aphex/torcap/  
      Tortilla Architecture   At  a  high  level,  Tortilla’s  architecture  is  as  follows:         Networked  applications  are  run  inside  of  a  VM  so  that  malicious  code  can’t  circumvent  the  Tor  tunnel  to   directly  access  the  Internet  and  can’t  discover  identifying  information  on  the  host  system.  Since  Tortilla’s   two  components—the  Tortilla  Client  and  Tortilla  Virtual  Network  Adapter—both  run  only  on  the  host   system,  the  solution  is  VM-­‐platform  agnostic  (VMware,  Bochs,  Virtual  Box,  etc.)  and  guest-­‐OS  agnostic.   Tortilla  installs  a  virtual  network  device  named  Tortilla  Adapter  and  a  corresponding  NDIS  miniport   driver  named  tortilla.sys.  At  installation  time,  Tortilla  also  disables  all  network  component  bindings   (clients,  services,  and  protocols)  except  for  that  of  the  Virtual  Network  Bridge,  to  ensure  that  those   components  on  the  host  OS  do  not  interfere  with  Tortilla’s  traffic:  
          After  the  Tortilla  Adapter  is  installed,  the  user  can  configure  their  VM  platform  to  bridge  their  VM’s   virtual  network  card  to  the  Tortilla  Adapter:  
          Once  bridged,  the  Tortilla  Client  receives  all  OSI  Layer  2  network  traffic  from  the  VM’s  virtual  network   card.   The  Tortilla  Client  handles  four  different  types  of  packets  received  from  the  VM:   • DHCP  Discover/Request  Packets   The  Tortilla  Client  acts  as  a  simple  DHCP  server  and  assigns  to  the  VM  client  an  IP  address,  IP   subnet  mask,  gateway  IP  address,  and  DNS  server  IP  address,  all  of  which  are  configurable.          
      • ARP  Request  Packets   The  Tortilla  Client  responds  to  all  ARP  requests  (except  for  requests  for  the  VM  client’s  IP   address)  with  the  default  Tortilla  MAC  address  7A:C0:7A:C0:7A:C0  (TACO  TACO  TACO),   which  is  also  configurable.     • DNS  Type  A  and  Type  PTR  Query  Packets   The  Tortilla  Client  parses  DNS  Type  A  and  Type  PTR  queries,  extracts  the  queried  hostname  or  IP   address,  connects  to  the  local  Tor  SOCKS  server,  and  uses  the  Tor-­‐specific  SOCKS  command   SOCKS_COMMAND_RESOLVE  or  SOCKS_COMMAND_RESOLVE_PTR,  respectively,  to  resolve   the  queried  hostname  or  IP  address  via  Tor.  The  Tortilla  Client  then  crafts  a  DNS  response   packet  with  the  resolved  information  (or  lack  thereof)  and  replies  to  the  VM  client.     • TCP  Packets   When  the  Tortilla  Client  detects  a  TCP  SYN  packet  from  the  VM  client,  it  uses  the  local  Tor  SOCKS   server  to  try  to  connect  to  the  destination  server  via  Tor.  If  the  connection  is  actively  refused  by   the  destination  server  then  the  Tortilla  Client  responds  to  the  VM  client  with  a  TCP  RST  packet.  If   the  connection  passively  fails  then  the  Tortilla  Client  doesn’t  respond  to  the  TCP  SYN  at  all,   effectively  dropping  the  packet.  However,  if  the  Tortilla  Client  can  successfully  connect  to  the   destination  server  via  Tor,  it  hands  the  connection  to  the  integrated  open-­‐source  Lightweight   TCP/IP16  (lwIP)  stack,  which  acts  to  “proxy”  TCP  sessions  between  the  VM  client  and  the  Tor   SOCKS  server.  Tortilla  uses  a  slightly  modified  version  of  lwIP  which  allows  it  to  not  only   transparently  bind  to  all  IP  addresses,  but  to  all  TCP  ports  as  well.     All  other  types  of  packets  are  ignored  and  effectively  dropped.                                                                                                                               16  http://savannah.nongnu.org/projects/lwip/  
      Installation and Usage   Tortilla’s  source  code  and  binary  builds  can  be  downloaded  for  free  from   http://www.crowdstrike.com/community-­‐tools   It  supports  32-­‐bit  and  64-­‐bit  versions  of  the  following  host  operating  systems:   • Windows  XP   • Windows  Server  2003   • Windows  Vista   • Windows  Server  2008   • Windows  7   • Windows  8   Tortilla  ships  as  a  single  executable,  Tortilla.exe.  When  executed,  Tortilla.exe  extracts  several  files  to  the   user’s  temporary  directory  in  order  install  the  Tortilla  Adapter  and  Tortilla  driver  if  not  already  installed.   Tortilla.exe  is  a  32-­‐bit  user  mode  program  (and  can  thus  run  on  32-­‐bit  and  64-­‐bit  versions  of  Windows),   and  contains  and  can  extract  from  itself  both  32-­‐bit  and  64-­‐bit  driver  packages  for  installation  on  32-­‐bit   and  64-­‐bit  versions  of  Windows.   After  Tortilla.exe  extracts  the  appropriate  driver  installation  package,  the  installation  package  installs  or   updates  the  device  and  driver  as  necessary  and  disables  all  of  the  device’s  network  component  bindings   except  for  that  of  the  Virtual  Network  Bridge.  The  Tortilla  Client  component  of  Tortilla.exe  then   establishes  a  secure  communication  channel  between  itself  and  the  Tortilla  driver,  after  which  the   Tortilla  Client  begins  listening  for  OSI  Layer  2  packets  received  from  the  VM.   Tortilla  is  designed  with  several  failsafe  mechanisms  to  allow  for  no-­‐hassle  ease  of  use.  A  user  can  run   Tor  before  or  after  starting  Tortilla.exe.  A  user  can  run  their  VM  before  or  after  starting  Tortilla.exe.  And   a  user  can  configure  their  VM  platform’s  Virtual  Network  Bridge  before  or  after  starting  Tortilla.exe   (though  the  Tortilla  Adapter  must  already  be  installed).   Tortilla  is  designed  to  have  a  minimal  system  footprint  to  make  uninstallation  as  simple  as  possible.   Tortilla  makes  no  registry  modifications  (aside  from  the  keys  that  automatically  get  created  when   installing  a  new  device  and  driver),  and  makes  no  file  system  modifications  (aside  from  an  INI  file  and   the  installed  driver  package).  Removal  of  Tortilla  is  as  simple  as  deleting  Tortilla.exe  and  Tortilla.ini,  and   uninstalling  the  Tortilla  Adapter  from  the  Network  Adapters  list  in  Device  Manager.      
      Conclusion   Security  researchers  have  a  strong  need  for  online  anonymity.  Until  now,  researchers  were  either   required  to  use  a  stripped-­‐functionality  web  browser  as  their  only  portal  to  Tor  or  work  with  an   operating  system  used  by  less  than  10%  of  the  desktop  market.   Tortilla  is  the  ideal  solution.  It  is  a  free  and  open-­‐source  project  for  Windows  that  transparently  routes   all  TCP  and  DNS  traffic  through  Tor  without  requiring  extra  hardware  or  an  extra  gateway  VM.   CrowdStrike  is  proud  to  offer  Tortilla  to  the  global  computer  security  industry  in  order  to  assist  all   researchers  in  raising  the  cost  to  the  adversary.
   

Recommended

End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperEnd-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperCrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the nameSecurity BSides London
 

Recommended

End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperEnd-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperCrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the nameSecurity BSides London
 
Angler talk
Angler talkAngler talk
Angler talkArtsiom Holub
 
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
Cryptolocker Webcast
Cryptolocker WebcastCryptolocker Webcast
Cryptolocker WebcastOpenDNS
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
DDoS Attack
DDoS AttackDDoS Attack
DDoS AttackGopi Krishnan S
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51martinvoelk
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Paladion Networks
 
osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb Jose Manuel Ortega Candel
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152huynhvanphuc
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOGZobair Khan
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 
What is DDoS ?
What is DDoS ?What is DDoS ?
What is DDoS ?Vikas Phonsa
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS AttackRedZone Technologies
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019Milad Es'Haghi
 
Side-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and DefensesSide-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and DefensesTom Van Goethem
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.CrowdStrike
 

More Related Content

What's hot

2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
Cryptolocker Webcast
Cryptolocker WebcastCryptolocker Webcast
Cryptolocker WebcastOpenDNS
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51martinvoelk
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Paladion Networks
 
osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb Jose Manuel Ortega Candel
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152huynhvanphuc
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Side-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and DefensesSide-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and DefensesTom Van Goethem
 

What's hot (20)

Angler talk
Angler talkAngler talk
Angler talk
 
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS Spoofing
 
Cryptolocker Webcast
Cryptolocker WebcastCryptolocker Webcast
Cryptolocker Webcast
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
DDoS Attack
DDoS AttackDDoS Attack
DDoS Attack
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
 
osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOG
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
What is DDoS ?
What is DDoS ?What is DDoS ?
What is DDoS ?
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 
Side-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and DefensesSide-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and Defenses
 

Viewers also liked

I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.CrowdStrike
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdStrike
 
IDAの脆弱性とBug Bounty by 千田 雅明
IDAの脆弱性とBug Bounty by 千田 雅明IDAの脆弱性とBug Bounty by 千田 雅明
IDAの脆弱性とBug Bounty by 千田 雅明CODE BLUE
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdStrike
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsCrowdStrike
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaCrowdStrike
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsCrowdStrike
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGSCrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdStrike
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdStrike
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdStrike
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning CrowdStrike
 
Capacidad de degradación xenobióticas por microorganismos aislados de
Capacidad de degradación xenobióticas por microorganismos aislados deCapacidad de degradación xenobióticas por microorganismos aislados de
Capacidad de degradación xenobióticas por microorganismos aislados deluismontoyabiologia
 
pantalla de internet exploer
pantalla de internet exploerpantalla de internet exploer
pantalla de internet exploerFranklin Ch
 
Family office elite magazine Spring 15
Family office elite magazine Spring 15Family office elite magazine Spring 15
Family office elite magazine Spring 15Ty Murphy
 
The case for social business small
The case for social business smallThe case for social business small
The case for social business smallPurple Spinnaker
 

Viewers also liked (20)

I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
 
Be Social. Use CrowdRE.
Be Social. Use CrowdRE.Be Social. Use CrowdRE.
Be Social. Use CrowdRE.
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
 
IDAの脆弱性とBug Bounty by 千田 雅明
IDAの脆弱性とBug Bounty by 千田 雅明IDAの脆弱性とBug Bounty by 千田 雅明
IDAの脆弱性とBug Bounty by 千田 雅明
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the Hash
 
Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
 
Venom
Venom Venom
Venom
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGS
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary Problem
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning
 
Capacidad de degradación xenobióticas por microorganismos aislados de
Capacidad de degradación xenobióticas por microorganismos aislados deCapacidad de degradación xenobióticas por microorganismos aislados de
Capacidad de degradación xenobióticas por microorganismos aislados de
 
CONAPREF 2016
CONAPREF 2016CONAPREF 2016
CONAPREF 2016
 
pantalla de internet exploer
pantalla de internet exploerpantalla de internet exploer
pantalla de internet exploer
 
Sin garantias
Sin garantiasSin garantias
Sin garantias
 
Family office elite magazine Spring 15
Family office elite magazine Spring 15Family office elite magazine Spring 15
Family office elite magazine Spring 15
 
The case for social business small
The case for social business smallThe case for social business small
The case for social business small
 

Similar to TOR... ALL THE THINGS Whitepaper

Anonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsAnonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsBiagio Botticelli
 
Anonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing ProtocolsAnonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing ProtocolsBiagio Botticelli
 
2012 in review: Tor and the censorship arms race - 44CON 2012
2012 in review: Tor and the censorship arms race - 44CON 20122012 in review: Tor and the censorship arms race - 44CON 2012
2012 in review: Tor and the censorship arms race - 44CON 201244CON
 
ORTC Library - Introduction
ORTC Library - IntroductionORTC Library - Introduction
ORTC Library - IntroductionErik Lagerway
 
Onion protocol
Onion protocolOnion protocol
Onion protocolAnshu Raj
 
Tor Project overview
Tor Project overviewTor Project overview
Tor Project overviewJorge Couchet
 
0150519-kurento.pdf
0150519-kurento.pdf0150519-kurento.pdf
0150519-kurento.pdfDejVoleti
 
DEF CON 27 - ROGER DINGLEDINE -tor censorship arms race
DEF CON 27 - ROGER DINGLEDINE -tor censorship arms raceDEF CON 27 - ROGER DINGLEDINE -tor censorship arms race
DEF CON 27 - ROGER DINGLEDINE -tor censorship arms raceFelipe Prado
 
Manual de autodefensa digital (INGLÉS)
Manual de autodefensa digital (INGLÉS)Manual de autodefensa digital (INGLÉS)
Manual de autodefensa digital (INGLÉS)Stéphane M. Grueso
 
Introduction to anonymity network tor
Introduction to anonymity network torIntroduction to anonymity network tor
Introduction to anonymity network torKhaled Mosharraf
 
Exploring the Technical Architecture of TRON.pptx
Exploring the Technical Architecture of TRON.pptxExploring the Technical Architecture of TRON.pptx
Exploring the Technical Architecture of TRON.pptxTron Token
 
Comparison of Anonymous Communication Networks-Tor, I2P, Freenet
Comparison of Anonymous Communication Networks-Tor, I2P, FreenetComparison of Anonymous Communication Networks-Tor, I2P, Freenet
Comparison of Anonymous Communication Networks-Tor, I2P, FreenetIRJET Journal
 
UTOPOLL白皮書.pdf
UTOPOLL白皮書.pdfUTOPOLL白皮書.pdf
UTOPOLL白皮書.pdfaipaypoll
 
Tron token development services
Tron token development servicesTron token development services
Tron token development servicesAmniAugustine
 

Similar to TOR... ALL THE THINGS Whitepaper (20)

Introduction to Tor
Introduction to TorIntroduction to Tor
Introduction to Tor
 
Anonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsAnonymity in the web based on routing protocols
Anonymity in the web based on routing protocols
 
Anonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing ProtocolsAnonymity in the Web based on Routing Protocols
Anonymity in the Web based on Routing Protocols
 
2012 in review: Tor and the censorship arms race - 44CON 2012
2012 in review: Tor and the censorship arms race - 44CON 20122012 in review: Tor and the censorship arms race - 44CON 2012
2012 in review: Tor and the censorship arms race - 44CON 2012
 
ORTC Library - Introduction
ORTC Library - IntroductionORTC Library - Introduction
ORTC Library - Introduction
 
Onion protocol
Onion protocolOnion protocol
Onion protocol
 
Tor Project overview
Tor Project overviewTor Project overview
Tor Project overview
 
0150519-kurento.pdf
0150519-kurento.pdf0150519-kurento.pdf
0150519-kurento.pdf
 
Tor
TorTor
Tor
 
DEF CON 27 - ROGER DINGLEDINE -tor censorship arms race
DEF CON 27 - ROGER DINGLEDINE -tor censorship arms raceDEF CON 27 - ROGER DINGLEDINE -tor censorship arms race
DEF CON 27 - ROGER DINGLEDINE -tor censorship arms race
 
Usability of Tor
Usability of TorUsability of Tor
Usability of Tor
 
Manual de autodefensa digital (INGLÉS)
Manual de autodefensa digital (INGLÉS)Manual de autodefensa digital (INGLÉS)
Manual de autodefensa digital (INGLÉS)
 
Introduction to anonymity network tor
Introduction to anonymity network torIntroduction to anonymity network tor
Introduction to anonymity network tor
 
Anonymity Network TOR
Anonymity Network TOR Anonymity Network TOR
Anonymity Network TOR
 
Exploring the Technical Architecture of TRON.pptx
Exploring the Technical Architecture of TRON.pptxExploring the Technical Architecture of TRON.pptx
Exploring the Technical Architecture of TRON.pptx
 
Comparison of Anonymous Communication Networks-Tor, I2P, Freenet
Comparison of Anonymous Communication Networks-Tor, I2P, FreenetComparison of Anonymous Communication Networks-Tor, I2P, Freenet
Comparison of Anonymous Communication Networks-Tor, I2P, Freenet
 
.Onion
.Onion.Onion
.Onion
 
UTOPOLL白皮書.pdf
UTOPOLL白皮書.pdfUTOPOLL白皮書.pdf
UTOPOLL白皮書.pdf
 
Tron token development services
Tron token development servicesTron token development services
Tron token development services
 
Tor
TorTor
Tor
 

More from CrowdStrike

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetCrowdStrike
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns CrowdStrike
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakCrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingCrowdStrike
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMCrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeCrowdStrike
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
 

More from CrowdStrike (10)

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint Security
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
 

Recently uploaded

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 

Recently uploaded (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

TOR... ALL THE THINGS Whitepaper

  • 1.        
  • 2.       Contents   Introduction  .................................................................................................................................................  2   Tor  ...............................................................................................................................................................  3   Tor  Browser  Bundle  .....................................................................................................................................  4   Tortilla  Design  Goals  ....................................................................................................................................  5   Tortilla  Architecture  .....................................................................................................................................  7   Installation  and  Usage  ...............................................................................................................................  11   Conclusion  .................................................................................................................................................  12        
  • 3.       Introduction   In  the  past,  malware  research  was  rather  passive.  Researchers  received  malware  samples  from   customers,  industry  partners,  and  honeypots,  and  would  analyze  the  files  in  a  network-­‐isolated   environment.  These  researchers  would  find  indicators  of  compromise  and  develop  detection  signatures   for  the  malware,  then  move  on  to  the  next  sample.   Today,  malware  research  often  falls  under  the  umbrella  of  security  intelligence  research.  In  addition  to   analyzing  malware  samples,  researchers  now  need  to  actively  interact  with  malicious  actors’  servers.     Whether  it’s  to  monitor  malicious  actors’  Command-­‐and-­‐Control  servers,  download  the  actors’  malware   for  analysis,  or  read  the  actors’  blogs  in  order  to  harvest  actionable  intelligence,  researchers  today  are   not  working  in  network-­‐isolation.   However,  as  more  and  more  researchers  are  now  working  from  home,  the  notion  of  exposing  one’s   home  IP  address  to  an  adversary  is  rather  unsavory,  especially  when  dealing  with  organized  crime   syndicates  and  nation-­‐state  adversaries.  As  such,  researchers  need  a  way  to  anonymously  communicate   with  servers  operated  by  hostile  entities.   This  whitepaper  discusses  a  new  software  project  named  Tortilla,  which  is  designed  to  allow  researchers   to  easily,  safely,  and  securely  use  Tor  to  anonymously  communicate  over  the  Internet.      
  • 4.       Tor   The  Tor  Project1 ,  founded  in  2006,  oversees  development  and  operation  of  the  Tor  software  and  a   global  Tor  network,  which  together  allow  users  to  anonymously  route  their  traffic  through  the  Internet.   “Tor  protects  you  by  bouncing  your  communications  around  a  distributed  network  of  relays  run  by   volunteers  all  around  the  world:  it  prevents  somebody  watching  your  Internet  connection  from  learning   what  sites  you  visit,  and  it  prevents  the  sites  you  visit  from  learning  your  physical  location.”2   The  Tor  client  works  by  first  obtaining  a  list  of  Tor  nodes  from  a  Tor  directory  server.  When  the  client   seeks  to  establish  a  connection  with  a  destination  server,  the  client  picks  a  random  path  to  the   destination  server  through  several  Tor  nodes  and  uses  onion  routing3  to  encrypt  the  routing  information   and  network  data  for  each  hop  along  the  route.   The  Tor  software  is  free  and  open-­‐source,  and  the  Tor  network  (which  is  free  to  use)  consists  of  over   4,000  relay  servers4 .                                                                                                                                 1  https://www.torproject.org   2  https://www.torproject.org/docs/faq.html.en#WhatIsTor   3  http://patentimages.storage.googleapis.com/pdfs/US6266704.pdf   4  http://torstatus.blutmagie.de/  
  • 5.       Tor Browser Bundle   When  most  people  want  to  use  Tor  on  Windows,  they  download  the  Tor  Browser  Bundle5  (TBB).  The   two  major  components  of  the  TBB  are  Tor  and  a  modified  version  of  Firefox  ESR6 .   Tor  runs  a  SOCKS7  server,  listening  locally  on  TCP  port  9050.  Tor  securely  routes  incoming  SOCKS   connections  through  the  anonymizing  Tor  network.  The  modified  version  of  Firefox  routes  all  of  its  DNS   and  HTTP(S)  traffic  through  this  SOCKS  server.   Though  download  and  installation  of  the  TBB  are  relatively  easy  and  indeed  sufficient  for  most  basic   web  surfing  needs,  the  TBB  has  many  shortcomings  with  regard  to  overall  online  anonymity.   Firstly,  Firefox  is  the  only  browser  natively  supported  by  the  TBB.  This  could  be  an  issue  for  security   conscious  users,  given  that  Firefox  had  more  than  six  times  the  number  of  vulnerabilities  discovered  in  it   over  the  past  two  years  than  did  Internet  Explorer8 .  Furthermore,  plugins  (such  as  Adobe  Flash)  are  not   compatible  with  TBB  since  TBB  cannot  redirect  plugin-­‐based  Internet  traffic.   The  Tor  SOCKS  server  listening  on  TCP  port  9050  is  not  restricted  solely  to  Firefox  traffic,  though.  Indeed,   any  application  that  is  capable  of  communicating  via  a  SOCKS  proxy  can  be  configured  to  work  with  Tor,   and  third-­‐party  software  such  as  Privoxy9  allows  HTTP-­‐proxy-­‐aware  applications  to  work  with  Tor  as   well.  Unfortunately,  most  software  does  not  support  HTTP  and/or  SOCKS  proxying,  and  even  software   that  does  support  such  proxying  doesn’t  typically  support  DNS  proxying  via  SOCKS  (thus  leading  to  DNS   leaks  and  a  loss  of  confidentiality).   The  world  needs  a  more  robust  solution.                                                                                                                               5  https://www.torproject.org/projects/torbrowser.html.en   6  http://www.mozilla.org/en-­‐US/firefox/organizations/   7  http://en.wikipedia.org/wiki/SOCKS   8  http://secunia.com/?action=fetch&filename=Secunia_Vulnerability_Review_2013.pdf   9  http://www.privoxy.org  
  • 6.       Tortilla Design Goals   Given  that  the  ideal  solution  will  wrap  Tor  around  all  traffic  that  can  be  handled  by  Tor,  this  new   platform  is  named  Tortilla.   Tortilla  consists  of  five  simple  design  goals:   1. Transparently  route  all  TCP  and  DNS  traffic  through  Tor   Tor  is  designed  to  route  IPv4  TCP  traffic.  It  does  not  handle  any  other  protocols,  though  it  does   allow  specially  formatted  DNS  lookups  to  be  made  via  a  Tor  exit  node.  Thus,  given  that  Tor  can   be  used  for  TCP  and  DNS,  Tortilla  is  designed  to  transparently  route  this  traffic.  In  this  context,   “transparent”  routing  means  that  applications  need  not  have  native  support  for  Tor  or  generic   SOCKS-­‐  or  HTTP-­‐proxying.  This  means  that  not  only  can  non-­‐Firefox  browsers  be  used  (along   with  plugins),  but  most  any  networking  applications  can  be  used  that  utilize  TCP  and  DNS.     2. Do  not  allow  any  network  traffic  onto  the  Internet  unless  it  goes  through  Tor   All  IPv4  TCP  and  DNS  packets  should  go  through  Tor,  and  all  other  packets  should  be  dropped.   This  packet  filtering  should  be  at  OSI  Layer  2,  as  filtering  at  Layer  3  or  above  could  allow  for   some  packets  to  “slip  through”  to  the  network  card.     3. Do  not  require  a  typical  user  to  install  an  unfamiliar  OS   As  of  July,  2013,  Microsoft  Windows  has  a  91.51%  market  share  on  desktop  computers10 .  While   various  flavors  of  Linux  are  more  conducive  to  intercepting  network  traffic,  Windows  is  still   much  more  familiar  to  most  desktop  users.  In  order  to  maximize  adoption  and  minimize  the   barrier  to  entry,  we  do  not  want  to  require  users  to  learn  a  new  operating  system.     4. Do  not  allow  malware  to  circumvent  the  Tor  tunnel  to  communicate  directly  with  the  Internet   Ideally,  Tortilla’s  integrity  should  remain  intact  even  if  a  user’s  system  is  exploited  by  visiting  a   malicious  website,  opening  a  malicious  e-­‐mail  attachment,  or  executing  a  malicious  download.   Although  standard  user  mode  or  kernel  mode  hooks  could  be  used  to  programmatically  hook   and  redirect  network  traffic,  malware  could  disable  these  hooks  and  circumvent  the  Tor-­‐ redirection  tunnel.       5. Do  not  require  extra  hardware  or  extra  virtual  machines  (VMs)   Extra  hardware  costs  extra  money.  Extra  VMs  require  extra  RAM,  which  in  turn  costs  extra   money.  In  order  to  make  Tortilla  as  accessible  as  possible,  it  should  not  have  any  unnecessary   requirements.                                                                                                                               10  http://www.netmarketshare.com/report.aspx?qprid=8&qpcustomd=0  
  • 7.       Several  solutions  already  exist  that  meet  some  of  these  design  goals,  but  none  meet  them  all:   Solution   Design  Goal   Comments   1   2   3   4   5   Hardware-­‐Based   Transparent   Proxy             Onion  Pi11  and  P.O.R.T.A.L.12  are  the  most  well-­‐known   solutions  in  this  category.  We  assume  the  user  can  buy  a   prebuilt  and  preconfigured  device.  Malware  is  not  self-­‐ contained  because  it  could  connect  to  a  different  WiFi   network  and  circumvent  the  Tor  tunnel  offered  by  Onion   Pi.   Software-­‐Based   Transparent   Proxy         ?     Tor  does  not  support  transparent  proxying  on  Windows   since  such  proxying  is  implemented  via  /dev/pf.  As   such,  this  approach  requires  a  non-­‐Windows  gateway   (such  as  Whonix13 ).  Furthermore,  if  the  transparent  proxy   is  accessed  via  a  VPN,  malware  may  be  able  to  disable  the   VPN  route  to  circumvent  the  Tor  tunnel.   Tor  Integrated   Directly  into  OS             Tails14  is  Debian-­‐based,  not  Windows-­‐based.   Winsock  Hooks       Winsock  hooks  (such  as  the  type  used  by  Torcap15 )  can  be   circumvented  by  malware.                                                                                                                                 11  http://learn.adafruit.com/onion-­‐pi   12  https://github.com/grugq/portal   13  https://whonix.org   14  https://tails.boum.org/   15  http://freehaven.net/~aphex/torcap/  
  • 8.       Tortilla Architecture   At  a  high  level,  Tortilla’s  architecture  is  as  follows:         Networked  applications  are  run  inside  of  a  VM  so  that  malicious  code  can’t  circumvent  the  Tor  tunnel  to   directly  access  the  Internet  and  can’t  discover  identifying  information  on  the  host  system.  Since  Tortilla’s   two  components—the  Tortilla  Client  and  Tortilla  Virtual  Network  Adapter—both  run  only  on  the  host   system,  the  solution  is  VM-­‐platform  agnostic  (VMware,  Bochs,  Virtual  Box,  etc.)  and  guest-­‐OS  agnostic.   Tortilla  installs  a  virtual  network  device  named  Tortilla  Adapter  and  a  corresponding  NDIS  miniport   driver  named  tortilla.sys.  At  installation  time,  Tortilla  also  disables  all  network  component  bindings   (clients,  services,  and  protocols)  except  for  that  of  the  Virtual  Network  Bridge,  to  ensure  that  those   components  on  the  host  OS  do  not  interfere  with  Tortilla’s  traffic:  
  • 9.           After  the  Tortilla  Adapter  is  installed,  the  user  can  configure  their  VM  platform  to  bridge  their  VM’s   virtual  network  card  to  the  Tortilla  Adapter:  
  • 10.           Once  bridged,  the  Tortilla  Client  receives  all  OSI  Layer  2  network  traffic  from  the  VM’s  virtual  network   card.   The  Tortilla  Client  handles  four  different  types  of  packets  received  from  the  VM:   • DHCP  Discover/Request  Packets   The  Tortilla  Client  acts  as  a  simple  DHCP  server  and  assigns  to  the  VM  client  an  IP  address,  IP   subnet  mask,  gateway  IP  address,  and  DNS  server  IP  address,  all  of  which  are  configurable.          
  • 11.       • ARP  Request  Packets   The  Tortilla  Client  responds  to  all  ARP  requests  (except  for  requests  for  the  VM  client’s  IP   address)  with  the  default  Tortilla  MAC  address  7A:C0:7A:C0:7A:C0  (TACO  TACO  TACO),   which  is  also  configurable.     • DNS  Type  A  and  Type  PTR  Query  Packets   The  Tortilla  Client  parses  DNS  Type  A  and  Type  PTR  queries,  extracts  the  queried  hostname  or  IP   address,  connects  to  the  local  Tor  SOCKS  server,  and  uses  the  Tor-­‐specific  SOCKS  command   SOCKS_COMMAND_RESOLVE  or  SOCKS_COMMAND_RESOLVE_PTR,  respectively,  to  resolve   the  queried  hostname  or  IP  address  via  Tor.  The  Tortilla  Client  then  crafts  a  DNS  response   packet  with  the  resolved  information  (or  lack  thereof)  and  replies  to  the  VM  client.     • TCP  Packets   When  the  Tortilla  Client  detects  a  TCP  SYN  packet  from  the  VM  client,  it  uses  the  local  Tor  SOCKS   server  to  try  to  connect  to  the  destination  server  via  Tor.  If  the  connection  is  actively  refused  by   the  destination  server  then  the  Tortilla  Client  responds  to  the  VM  client  with  a  TCP  RST  packet.  If   the  connection  passively  fails  then  the  Tortilla  Client  doesn’t  respond  to  the  TCP  SYN  at  all,   effectively  dropping  the  packet.  However,  if  the  Tortilla  Client  can  successfully  connect  to  the   destination  server  via  Tor,  it  hands  the  connection  to  the  integrated  open-­‐source  Lightweight   TCP/IP16  (lwIP)  stack,  which  acts  to  “proxy”  TCP  sessions  between  the  VM  client  and  the  Tor   SOCKS  server.  Tortilla  uses  a  slightly  modified  version  of  lwIP  which  allows  it  to  not  only   transparently  bind  to  all  IP  addresses,  but  to  all  TCP  ports  as  well.     All  other  types  of  packets  are  ignored  and  effectively  dropped.                                                                                                                               16  http://savannah.nongnu.org/projects/lwip/  
  • 12.       Installation and Usage   Tortilla’s  source  code  and  binary  builds  can  be  downloaded  for  free  from   http://www.crowdstrike.com/community-­‐tools   It  supports  32-­‐bit  and  64-­‐bit  versions  of  the  following  host  operating  systems:   • Windows  XP   • Windows  Server  2003   • Windows  Vista   • Windows  Server  2008   • Windows  7   • Windows  8   Tortilla  ships  as  a  single  executable,  Tortilla.exe.  When  executed,  Tortilla.exe  extracts  several  files  to  the   user’s  temporary  directory  in  order  install  the  Tortilla  Adapter  and  Tortilla  driver  if  not  already  installed.   Tortilla.exe  is  a  32-­‐bit  user  mode  program  (and  can  thus  run  on  32-­‐bit  and  64-­‐bit  versions  of  Windows),   and  contains  and  can  extract  from  itself  both  32-­‐bit  and  64-­‐bit  driver  packages  for  installation  on  32-­‐bit   and  64-­‐bit  versions  of  Windows.   After  Tortilla.exe  extracts  the  appropriate  driver  installation  package,  the  installation  package  installs  or   updates  the  device  and  driver  as  necessary  and  disables  all  of  the  device’s  network  component  bindings   except  for  that  of  the  Virtual  Network  Bridge.  The  Tortilla  Client  component  of  Tortilla.exe  then   establishes  a  secure  communication  channel  between  itself  and  the  Tortilla  driver,  after  which  the   Tortilla  Client  begins  listening  for  OSI  Layer  2  packets  received  from  the  VM.   Tortilla  is  designed  with  several  failsafe  mechanisms  to  allow  for  no-­‐hassle  ease  of  use.  A  user  can  run   Tor  before  or  after  starting  Tortilla.exe.  A  user  can  run  their  VM  before  or  after  starting  Tortilla.exe.  And   a  user  can  configure  their  VM  platform’s  Virtual  Network  Bridge  before  or  after  starting  Tortilla.exe   (though  the  Tortilla  Adapter  must  already  be  installed).   Tortilla  is  designed  to  have  a  minimal  system  footprint  to  make  uninstallation  as  simple  as  possible.   Tortilla  makes  no  registry  modifications  (aside  from  the  keys  that  automatically  get  created  when   installing  a  new  device  and  driver),  and  makes  no  file  system  modifications  (aside  from  an  INI  file  and   the  installed  driver  package).  Removal  of  Tortilla  is  as  simple  as  deleting  Tortilla.exe  and  Tortilla.ini,  and   uninstalling  the  Tortilla  Adapter  from  the  Network  Adapters  list  in  Device  Manager.      
  • 13.       Conclusion   Security  researchers  have  a  strong  need  for  online  anonymity.  Until  now,  researchers  were  either   required  to  use  a  stripped-­‐functionality  web  browser  as  their  only  portal  to  Tor  or  work  with  an   operating  system  used  by  less  than  10%  of  the  desktop  market.   Tortilla  is  the  ideal  solution.  It  is  a  free  and  open-­‐source  project  for  Windows  that  transparently  routes   all  TCP  and  DNS  traffic  through  Tor  without  requiring  extra  hardware  or  an  extra  gateway  VM.   CrowdStrike  is  proud  to  offer  Tortilla  to  the  global  computer  security  industry  in  order  to  assist  all   researchers  in  raising  the  cost  to  the  adversary.
  • 14.