TOP SECRET//COMINT//REL TO USA, FVEY

Tracking Targets Through Proxies & Anonymizers
(and the air speed velocity of an unladen swallow)
Also known as: PaAatasvoaus

CLASSIFICATION
Classification of this briefing is: TOP SECRET//COMINT//REL TO USA, FVEY

Agenda Items
- The issue at hand... (proxies, anonymizers, oh my!)
- What we do about, and how we approach, this issue
- A couple of examples of tracking targets through anonymizers (AnchorFree & Tor)
- Closing remarks and questions

Up Front Caveat
Before we begin this briefing, I want to set the stage by saying that there is no silver bullet for tracking target communications through anonymizers. Any methodology set forth in this briefing requires both manual analysis and (generally) luck. With that out of the...

The issue at hand... (anonymizers & Tor, oh my!)
Targets generally don't like to have their communications tracked by government agencies or filtered by national firewalls. If they are tech-savvy enough, they will use anonymizers to try to mask their real location. This generally makes for sad...

What we do about the issue at hand...
The only way to track communications through anonymizers is if you understand how those anonymizers work. If you don't know what the traffic looks like, how will you recognize it in...
Generally our process is as follows:
1. Identify a new proxy/anonymizer
2. Research/use the anonymizer and document what happens: what does the traffic look like, what client traffic does it pass through (if any)?
3. Create fingerprints in SIGINT to identify such proxy traffic
4. Correlate proxy traffic with known target activity

AnchorFree
[diagram: user running Hotspot Shield -> tunnel to an AnchorFree server -> Yahoo]
AnchorFree owns a bunch of servers on the Internet. Then you have a user that downloads Hotspot Shield to proxy their traffic. We'll pretend they want to go to Yahoo (or wherever else). When the user starts HSS, their browser sets up a connection to a randomly picked AnchorFree server. Then they access the webpage from the AnchorFree IP address.

AnchorFree
From testing, the IP address that the user connects to and the IP they show up as are NOT the same. But there is a direct correlation between the two.

So what?
So when we see a target access their account from an AnchorFree IP, we know which IP to go look for tunnel connections to in order to find their real client IP. We can build static mappings between the inside/tunnel IP address and the IP they show up as. We can also write XKS fingerprints to look for AnchorFree tunnels en masse from interesting locations.

Tor
[diagram: Tor user -> three Tor nodes -> Facebook.com]
1) The user selects 3 relatively random Tor nodes to use.
2) The user then sets up layers of SSL tunnels through them all to get to Facebook. A layer is stripped off along each hop.
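A toy walk-through of the layered tunnels the Tor slides describe, added here as an illustration and not part of the briefing: the client wraps one layer per relay, each relay strips exactly one, and no single relay sees both the client and the destination. The relay names, the per-relay keys and the SHA-256 keystream cipher are constructed stand-ins, not Tor's real handshake or cipher.

```python
"""Toy onion routing: one encryption layer per relay, peeled hop by hop.
Constructed example; the cipher is a SHA-256 counter keystream XOR,
NOT Tor's protocol, and the keys are hard-coded instead of negotiated."""
import hashlib


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a keyed SHA-256 keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def wrap_onion(path, keys, destination, payload):
    """Client side: the innermost layer names the destination, each outer layer names the next relay."""
    onion = payload
    for i in range(len(path) - 1, -1, -1):
        next_hop = destination if i == len(path) - 1 else path[i + 1]
        onion = toy_cipher(keys[path[i]], next_hop.encode() + b"|" + onion)
    return onion


def peel_layer(key, onion):
    """Relay side: strip one layer, learning only the next hop and an opaque inner blob."""
    next_hop, _, inner = toy_cipher(key, onion).partition(b"|")
    return next_hop.decode(), inner


def route(path, keys, destination, payload):
    """Forward the onion along the circuit and record what each relay can observe."""
    onion = wrap_onion(path, keys, destination, payload)
    views, prev = [], "client"
    for relay in path:
        next_hop, onion = peel_layer(keys[relay], onion)
        views.append({"relay": relay, "from": prev, "to": next_hop})
        prev = relay
    return views, onion  # the bytes the destination finally receives


# Constructed circuit; real Tor derives a fresh key per relay during circuit setup.
PATH = ["guard", "middle", "exit"]
KEYS = {r: hashlib.sha256(f"demo-key-{r}".encode()).digest() for r in PATH}

if __name__ == "__main__":
    views, delivered = route(PATH, KEYS, "facebook.com", b"GET / HTTP/1.1")
    for v in views:
        print(v)       # guard sees client->middle, middle sees guard->exit, exit sees middle->facebook.com
    print(delivered)   # b'GET / HTTP/1.1'
```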
Interesting tidbits about Tor
- Tor uses SSL tunnels for... we are able to identify what their SSL certificates look like (which allows us to identify Tor circuits in SIGINT).
- GOLDENFORTIN dataset and exit node traffic

And now for something completely...
A lot of research we do on anonymizers consists of open source research:
- The Interwebz (forums, 2010 Circumvention Tool Usage Report, etc.)
- Trial and error
- Wireshark
Basically about how stuff works and translating that to the SIGINT system.

Contact Info

Questions?
NOBODY EXPECTS THE SPANISH...