dheeraj-jayaswal/DarkWeb-From-The-Trenches
A knowledge base of dark web reconnaissance, threat intelligence collection and hands-on methodology for enterprise security professionals.
Stars: 1 | Forks: 0
[GitHub: dheeraj-pentest](https://github.com/dheeraj-pentest)
# 🌐 Dark Web: From the Trenches
## 🧠 What Is the "Dark Web" in an Enterprise Security Context?
```
The internet has three layers:
Surface Web:
Indexed by Google, Bing, etc.
Publicly accessible without special tools
~5% of all internet content
Deep Web:
Not indexed — requires authentication to access
Corporate intranets, email systems, databases
Online banking portals, medical records
~90% of all internet content
Dark Web:
Requires Tor browser or I2P to access
.onion domains — not resolvable via standard DNS
Intentionally anonymous overlay network
~5% of all internet content
Enterprise security relevance of the dark web:
→ Stolen credential marketplaces (breached username/password pairs)
→ Data leak forums (corporate documents, database dumps)
→ Ransomware group blogs (victim lists, stolen data proof)
→ Malware-as-a-Service and exploit kits
→ Threat actor communication channels
→ Dark web OSINT for proactive threat intelligence
```
## 🎯 Why Enterprise Security Professionals Monitor the Dark Web
```
Scenario 1 — Credential Stuffing Attack Prevention:
A dark web marketplace lists 50,000 credentials from a breach
that includes 200 email addresses from company.com.
Attackers buy the list → credential stuff against the corporate portal.
Proactive monitoring finds this BEFORE the attack happens.
→ Password reset campaign for affected users preempts the breach.
Scenario 2 — Post-Breach Investigation:
A ransomware group claims to have exfiltrated 10GB from Company X.
Their dark web blog posts sample files to prove the claim.
Threat intelligence identifies what data was taken, scope of exposure.
→ Informs breach notification obligations, regulatory response.
Scenario 3 — Pre-Engagement Intelligence:
Before a pentest, I check if the target organisation's credentials
are already available on dark web forums or paste sites.
→ Immediately focuses testing on systems where leaked passwords apply.
→ "Your IT admin's password was in a breach from 2022" is a Critical finding.
Scenario 4 — Brand Protection / Executive Monitoring:
C-suite personal email addresses, home addresses, or identity documents
appearing on dark web forums = executive impersonation risk.
→ Informs physical security and targeted phishing awareness.
```
## 📚 Series Contents
### 🔷 Threat Intelligence & OSINT
| # | Topic | Description |
|---|---|---|
| 01 | [Credential Leak Monitoring](./01_credential_leak_monitoring.md) | HIBP API, breach databases, dark web paste monitoring |
| 02 | [Dark Web OSINT Methodology](./02_dark_web_osint_methodology.md) | Safe access setup, search techniques, intelligence extraction |
| 03 | [Ransomware Intelligence](./03_ransomware_intelligence.md) | Tracking threat actor blogs, victim lists, TTPs |
| 04 | [Brand & Domain Monitoring](./04_brand_domain_monitoring.md) | Typosquatting, look-alike domains, corporate data on forums |
| 05 | [Leaked Credentials in Pentesting](./05_leaked_credentials_pentest.md) | Using OSINT findings in authorised assessments |
| 06 | [Threat Actor Profiling](./06_threat_actor_profiling.md) | APT group tracking, TTPs, MITRE ATT&CK mapping |
| 07 | [Dark Web Monitoring Tools](./07_dark_web_monitoring_tools.md) | Tor, Ahmia, OnionSearch, SpiderFoot, Maltego |
| 08 | [Incident Response TI](./08_incident_response_threat_intel.md) | Using dark web intelligence during active incident response |
## 🛠️ Tools & Platforms Used
### Open Source / Free
| Tool | Purpose | Use Case |
|---|---|---|
| **Tor Browser** | Anonymous access to .onion sites | Safe browsing during research |
| **Ahmia** | Surface-web-indexed dark web search | Initial keyword searches |
| **OnionSearch** | CLI dark web search aggregator | Automated searches across multiple engines |
| **theHarvester** | OSINT email/domain harvesting | Preparation before dark web reconnaissance |
| **SpiderFoot** | Automated OSINT including dark web sources | Bulk organisational intelligence collection |
| **Maltego** | Visual threat intelligence mapping | Linking threat actor relationships |
| **truffleHog** | Leaked secrets in Git repositories | Credential exposure detection |
| **gitleaks** | Git repository secret scanning | Source code credential audits |
| **HIBP API** | Have I Been Pwned breach data | Automated credential exposure checks |
| **Shodan** | Internet-connected device intelligence | Infrastructure exposure mapping |
### Commercial (Enterprise-Grade)
| Platform | Purpose |
|---|---|
| **Recorded Future** | Automated dark web intelligence, threat actor tracking |
| **Digital Shadows (ReliaQuest)** | Brand monitoring, leaked data detection |
| **Flashpoint** | Criminal forum intelligence, credential monitoring |
| **Mandiant Advantage** | Threat intelligence, APT tracking |
| **DarkOwl** | Dark web content indexing and search |
## 🔍 Methodology: Enterprise Dark Web Investigation
### Phase 1: Surface Web Pre-Reconnaissance (Always First)
```
# Before touching Tor: exhaust surface web sources first
# HIBP: are the credentials already exposed?
# (the v3 API rejects requests that carry no user-agent header, so send one)
curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/target@company.com" \
-H "hibp-api-key: YOUR_API_KEY" -H "user-agent: company-osint-check" | jq .
# Check domain-level exposure:
curl -s "https://haveibeenpwned.com/api/v3/breaches" -H "user-agent: company-osint-check" | \
jq '.[] | select(.Domain == "company.com") | {Name, Title, BreachDate, PwnCount}'
# Pastebin/paste site monitoring (surface web):
# Google: site:pastebin.com "company.com" "password"
# Google: site:pastebin.com "@company.com" email
# Google: site:paste.ee OR site:ghostbin.com "@company.com"
# GitHub credential leak check:
# github.com/search → "company.com" "password" in code
# github.com/search → "company.com" filename:.env
# Google dorking for leaked documents:
# site:company.com filetype:pdf "confidential"
# "company.com" filetype:xlsx "internal"
# "@company.com" "password" site:pastebin.com
```
### Phase 2: Safe Dark Web Access Setup
```
Legal and safety requirements BEFORE accessing dark web:
✓ Written client authorisation for dark web investigation
✓ Dedicated investigation VM (not work or personal machine)
✓ VPN → Tor layering for additional anonymity
✓ Tor Browser only — never open documents inside Tor that
could call home (PDFs, Word docs, media files)
✓ No login to any personal accounts inside Tor session
✓ Screenshot evidence only — no downloading files
✓ Documented methodology for legal defensibility
VM setup for investigation:
Dedicated Kali or Whonix VM
Snapshot before and after each session
No shared clipboard with host machine
No network bridges to internal corporate network
```
### Phase 3: Dark Web Search Techniques
```
# Ahmia.fi: dark web search engine reachable from the surface web
# https://ahmia.fi/search/?q=company.com+credentials
# OnionSearch: CLI tool that queries multiple dark web search engines
pip install onionsearch --break-system-packages
onionsearch "company.com credentials" --output company_results.txt
onionsearch "company.com database dump" --output dump_results.txt
onionsearch "@company.com email password" --output cred_results.txt
# Targeted search operators:
# "company.com" site:.onion
# "company.com" "database" "download"
# "company.com" "breach" "2024"
# "company.com" "admin" "password"
# SpiderFoot automated OSINT (includes dark web sources):
# spiderfoot -s company.com -m sfp_ahmia,sfp_tor,sfp_pastes -o spiderfoot_results.json
```
### Phase 4: Evidence Collection Standards
```
When dark web intelligence is found — documentation requirements:
1. Screenshot the source page (with Tor circuit path hidden)
2. Note the exact search query that surfaced the result
3. Record the date and time of discovery
4. Note the .onion URL (for reference — not for the report)
5. Extract only the minimum data needed to prove the exposure:
→ Number of records
→ Data types exposed (email, password hash, PII)
→ Date of apparent breach
→ Sample (masked) to confirm data is real and current
6. Do NOT download, store, or reproduce full datasets
7. Document what was NOT found (negative findings)
Report format:
"During pre-engagement threat intelligence, the client's domain
(company.com) was found in [X] breach databases accessible via
dark web sources. Approximately [N] employee credentials were
identified in a dataset dated [approximate date], including
email addresses matching the company.com domain paired with
password hashes. Affected accounts should be identified and
forced to reset passwords immediately."
```
## 🚨 Ransomware Group Tracking
```
Major ransomware groups operate "leak blogs" on Tor where they:
→ List victim organisations
→ Post sample stolen files to prove access
→ Publish full datasets if ransom is not paid
Monitoring these blogs is standard threat intelligence practice.
Finding a client listed there during pre-engagement research
= immediate Critical notification regardless of scope.
Key tracking resources (surface web):
→ ransomwatch.telemetry.ltd — aggregates ransomware group posts
→ id-ransomware.malwarehunterteam.com — ransomware identification
→ CISA Known Ransomware Groups advisories
→ @vxunderground on Twitter/X — threat actor tracking
Intelligence value for enterprise clients:
"Your organisation is listed on [group]'s blog as a claimed victim.
Sample files posted include [data type]. This was discovered during
pre-engagement OSINT and is reported immediately outside the main
pentest scope as it requires urgent response."
```
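As an added example (not code from the repository), the watcher below matches a client's names against an aggregated leak-blog feed of the kind ransomwatch publishes, so that a daily check can raise the out-of-scope Critical notice described above. It assumes the feed is a JSON list of objects with `post_title`, `group_name` and `discovered` fields; the posts, group names and dates in `SAMPLE_FEED` are constructed. Normalising names before matching matters because the same victim appears as a legal name on one blog and as a bare domain on another.

```python
"""Watch aggregated ransomware leak-blog posts for a client's names.

Added example; not code from the repository.  The feed shape (a JSON
list of {"post_title", "group_name", "discovered"}) is an assumption
modelled on an aggregator's posts.json, and every record below is constructed.
"""
import json
import re

# Constructed feed: five posts, none of them real victims, groups or dates.
SAMPLE_FEED = json.dumps([
    {"post_title": "Company Example Ltd", "group_name": "example-group-a",
     "discovered": "2024-03-02 10:15:33.000000"},
    {"post_title": "company-example.com", "group_name": "example-group-b",
     "discovered": "2024-01-20 08:02:11.000000"},
    {"post_title": "Unrelated Corp", "group_name": "example-group-a",
     "discovered": "2024-02-11 17:45:00.000000"},
    {"post_title": "EXAMPLE COMPANY GMBH", "group_name": "example-group-c",
     "discovered": "2024-02-28 23:59:59.000000"},
    {"post_title": "Company Examples Inc", "group_name": "example-group-b",
     "discovered": "2024-03-05 12:00:00.000000"},
])

# Corporate suffixes and TLDs vary between blogs but carry no identity.
SUFFIXES = {"ltd", "inc", "llc", "gmbh", "plc", "corp", "co", "the", "ag", "sa"}
TLD_RE = re.compile(r"\.(com|net|org|io|de|co\.uk)\b")


def normalise(name: str) -> frozenset:
    """Reduce a victim name or domain to its identifying tokens."""
    text = TLD_RE.sub(" ", name.lower())
    tokens = re.sub(r"[^a-z0-9]+", " ", text).split()
    return frozenset(t for t in tokens if t not in SUFFIXES)


def find_claims(feed_json: str, client_names, since: str = "") -> list:
    """Return posts whose title contains every token of any client name.

    `since` is an ISO date (YYYY-MM-DD); only posts discovered on or after it
    are returned, so a daily run surfaces new claims rather than old ones.
    """
    wanted = [(n, normalise(n)) for n in client_names]
    hits = []
    for post in json.loads(feed_json):
        # Assumed timestamp layout "YYYY-MM-DD hh:mm:ss.ffffff"; keep the date.
        discovered = post.get("discovered", "")[:10]
        if since and discovered < since:
            continue
        title_tokens = normalise(post.get("post_title", ""))
        for name, tokens in wanted:
            if tokens and tokens <= title_tokens:
                hits.append({"group": post.get("group_name", "?"),
                             "title": post["post_title"],
                             "discovered": discovered,
                             "matched": name})
                break
    return sorted(hits, key=lambda h: h["discovered"], reverse=True)


def notification(hit: dict, data_type: str = "[data type]") -> str:
    """Wording for the immediate out-of-scope Critical notice to the client."""
    return (f"Your organisation is listed on {hit['group']}'s blog as a claimed "
            f"victim (post \"{hit['title']}\", discovered {hit['discovered']}). "
            f"Sample files posted include {data_type}. This was discovered during "
            "pre-engagement OSINT and is reported immediately outside the main "
            "pentest scope as it requires urgent response.")


if __name__ == "__main__":
    for hit in find_claims(SAMPLE_FEED, ["Company Example Ltd"]):
        print(notification(hit))
```

Token containment rather than substring matching keeps "Company Examples Inc" from matching "Company Example Ltd", while the domain form and the German legal name both match; tune `SUFFIXES` and `TLD_RE` to the client's actual naming before relying on it.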
## 🔐 Using Leaked Credentials in Authorised Assessments
```
When leaked credentials are found during pre-engagement OSINT,
they become a valid test vector — with specific professional controls:
Authorisation required:
✓ Explicit written permission in scope document to test leaked credentials
✓ Client informed of specific credentials being tested
✓ Test conducted only against agreed scope systems
Safe testing methodology:
1. Report the credential exposure finding immediately
2. Obtain specific written authorisation for credential testing
3. Test ONLY against the agreed target systems
4. Stop immediately on first successful authentication
5. Document: which credential, which system, what access level
6. Do not use the access beyond confirming it works (screenshot)
Report finding:
"Employee credentials found in dark web breach database were valid
against the corporate email portal. The password 'Company@2022'
was used by 3 employees whose accounts were found in the breach.
All three accounts successfully authenticated to Outlook Web Access.
This demonstrates that the affected users had not changed their
passwords following the 2022 breach disclosure."
```
## 📋 Pre-Engagement TI Report Template
```
## Threat Intelligence Report — Pre-Engagement OSINT
**Target:** Company Name
**Date:** [DD-MM-YYYY]
**Investigator:** Dheeraj Kumar Jayaswal
### Credential Exposure Summary
| Source | Records Found | Data Types | Approximate Date |
|--------|--------------|------------|-----------------|
| HIBP | 247 accounts | Email + password hash | 2022 breach |
| Paste sites | 12 entries | Email + plaintext passwords | 2023 |
| Dark web forum | ~50 accounts | Email + bcrypt hashes | Q1 2024 |
**Total exposed accounts:** ~309 unique company.com email addresses
### Sample (Redacted for Report)
Email format: [name]@company.com
Password type: bcrypt hash / plaintext (indicates reuse from older breach)
Source confirmation: 3 of 5 sampled email addresses verified as current
employees via LinkedIn
### Risk Assessment
**Severity: High**
Active employee credentials are available for purchase or freely accessible.
Credential stuffing attacks against corporate email, VPN, and SSO portals
are immediately feasible without any technical exploitation.
### Recommended Actions (Before Pentest Begins)
1. Immediate: Force password reset for all 309 identified accounts
2. Immediate: Enable MFA on all corporate portals (email, VPN, SSO)
3. Short-term: Deploy credential monitoring service for ongoing alerting
4. Short-term: Dark web monitoring integration for automated breach detection
```
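The evidence-minimisation rules in Phase 4 and the "Credential Exposure Summary" table in the template above are easy to get wrong by hand: the same address in different letter case gets counted twice, an out-of-scope look-alike domain slips in, or a raw password ends up pasted into the report. The following Python script is an added example, not code from the repository. It takes constructed leak records, keeps only exact-domain company.com addresses, classifies each secret as a hash or plaintext without retaining it, deduplicates accounts, and renders the redacted table. The record field names, the sample values, `CLIENT_DOMAIN` and the classification rules are assumptions.

```python
"""Triage leak records into the redacted summary used in the report template.

Added example; not code from the repository.  The records below are
constructed (no real accounts or secrets), and the field names, the
CLIENT_DOMAIN constant and the classification rules are assumptions.
Secrets are classified and counted but never written into the output.
"""
import hashlib
import re
from collections import defaultdict

CLIENT_DOMAIN = "company.com"

# Constructed records, as an analyst might transcribe them from HIBP output,
# a paste and a forum post.  Hashes are placeholders, not real credentials.
RAW_RECORDS = [
    {"email": "Alice.Smith@company.com", "secret": "$2b$12$" + "a" * 53,
     "source": "Dark web forum", "date": "Q1 2024"},
    {"email": "bob@company.com", "secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
     "source": "HIBP", "date": "2022"},
    {"email": "bob@company.com", "secret": "Company@2022",
     "source": "Paste sites", "date": "2023"},
    {"email": "carol@company.com", "secret": "Company@2022",
     "source": "Paste sites", "date": "2023"},
    {"email": "dave@othercorp.example", "secret": "hunter2",
     "source": "Paste sites", "date": "2023"},
    {"email": "ALICE.SMITH@COMPANY.COM", "secret": "$2b$12$" + "b" * 53,
     "source": "Dark web forum", "date": "Q1 2024"},
]

BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_secret(secret: str) -> str:
    """Name the secret type for the 'Data Types' column; never echo the value."""
    if BCRYPT_RE.match(secret):
        return "bcrypt hash"
    if HEX_RE.match(secret) and len(secret) == 40:
        return "SHA-1 hash"
    if HEX_RE.match(secret) and len(secret) == 32:
        return "MD5/NTLM hash"   # 32 hex chars is ambiguous without more context
    return "plaintext password"


def in_scope(email: str, domain: str = CLIENT_DOMAIN) -> bool:
    """Exact, case-insensitive domain match; subdomains and look-alikes stay out."""
    return email.lower().rsplit("@", 1)[-1] == domain.lower()


def mask_email(email: str) -> str:
    """Keep one character of the local part so the client recognises the format."""
    local, _, domain = email.lower().partition("@")
    return f"{local[:1]}***@{domain}"


def summarise(records, domain: str = CLIENT_DOMAIN) -> dict:
    """Per-source counts, unique accounts and a masked sample; no secrets retained."""
    per_source = defaultdict(lambda: {"records": 0, "data_types": set(), "dates": set()})
    accounts = set()
    # Plaintext passwords are grouped by SHA-256 fingerprint only, so the
    # summary can say "N accounts share one password" without storing it.
    shared = defaultdict(set)
    for rec in records:
        if not in_scope(rec["email"], domain):
            continue
        email = rec["email"].lower()
        accounts.add(email)
        kind = classify_secret(rec["secret"])
        src = per_source[rec["source"]]
        src["records"] += 1
        src["data_types"].add(kind)
        src["dates"].add(rec["date"])
        if kind == "plaintext password":
            shared[hashlib.sha256(rec["secret"].encode()).hexdigest()].add(email)
    return {
        "domain": domain,
        "per_source": {
            name: {"records": info["records"],
                   "data_types": sorted(info["data_types"]),
                   "dates": sorted(info["dates"])}
            for name, info in sorted(per_source.items())
        },
        "unique_accounts": len(accounts),
        "masked_sample": sorted(mask_email(e) for e in accounts)[:5],
        "max_accounts_sharing_one_password": max((len(s) for s in shared.values()), default=0),
    }


def render_table(summary: dict) -> str:
    """Markdown table in the shape of the 'Credential Exposure Summary' section."""
    lines = ["| Source | Records Found | Data Types | Approximate Date |",
             "|--------|--------------|------------|-----------------|"]
    for name, info in summary["per_source"].items():
        lines.append(f"| {name} | {info['records']} | {' / '.join(info['data_types'])} "
                     f"| {', '.join(info['dates'])} |")
    lines.append("")
    lines.append(f"**Total exposed accounts:** {summary['unique_accounts']} unique "
                 f"{summary['domain']} email addresses")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(summarise(RAW_RECORDS)))
```

The `max_accounts_sharing_one_password` figure is what backs a statement like "the same password was used by N employees" without the password itself leaving the analyst's machine; the raw `RAW_RECORDS` list is the thing to delete once the table has been produced.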
## ⚖️ Legal & Ethical Framework
```
Dark web investigation is legitimate professional activity.
These principles govern how I conduct every investigation:
ALWAYS:
✓ Written client authorisation before investigating their exposure
✓ Dedicated isolated investigation environment
✓ Purpose limited to intelligence gathering — no purchasing of data
✓ Minimum necessary data extraction for evidence purposes
✓ Documentation of methodology for legal defensibility
✓ Immediate notification if critical exposure found mid-engagement
✓ Compliance with local law on data handling (GDPR, IT Act)
NEVER:
✗ Purchase leaked data from criminal markets
✗ Download or store full breach databases
✗ Use dark web intelligence against non-agreed targets
✗ Interact with threat actors or provide cover for their activities
✗ Access dark web without explicit authorisation and documented purpose
✗ Share or republish leaked personal data
✗ Use dark web access for any purpose beyond the engagement scope
The professional standard:
Observe and document → Report to client → Delete local copies
The goal is to help the client understand their exposure
and take protective action — not to possess their leaked data.
```
## 🧭 Key Takeaways for Enterprise Security Teams
**1. Pre-engagement dark web OSINT is the highest-ROI threat intelligence activity.**
Spending one hour checking HIBP, paste sites and dark web forums before testing begins tells you which employees' credentials are already leaked. A finding such as "247 employee credentials are freely available online" changes the client's risk posture before a single vulnerability has been exploited.
**2. Breach data on the dark web usually predates detection by months or years.**
Enterprises often learn of a breach through dark web intelligence long before their own systems raise an alert. A 2022 breach database surfacing on forums in 2024 is not unusual. Continuous monitoring is essential; a point-in-time check is nowhere near enough.
**3. The credential-to-access chain is the highest-impact finding chain in enterprise testing.**
Leaked credential → valid authentication → confirmed access → privilege escalation → full compromise. No injection vulnerability required. The hardest part (credential theft) has already been done for you by a previous breach. Demonstrating this chain with evidence is the most persuasive executive-level finding in any assessment.
**4. Documentation and legal compliance are non-negotiable.**
Dark web investigations produce sensitive evidence. Record every step, retain only what the report needs, and delete the rest. Written authorisation protects both you and the client. Methodology documentation protects you legally. This is professional discipline, not an option.
## 🔗 References
- [Have I Been Pwned](https://haveibeenpwned.com)
- [CISA Ransomware Resources](https://www.cisa.gov/ransomware)
- [Ahmia Dark Web Search](https://ahmia.fi)
- [MITRE ATT&CK Framework](https://attack.mitre.org)
- [Tor Project](https://www.torproject.org)
- [OnionSearch GitHub](https://github.com/megadose/OnionSearch)
- [SpiderFoot OSINT](https://www.spiderfoot.net)
- [RansomWatch](https://ransomwatch.telemetry.ltd)
*Dark Web: From the Trenches. Real-world threat intelligence field notes from enterprise security engagements.*
[LinkedIn](https://linkedin.com/in/dheerajkumarjayaswal)
[AppSec-From-The-Trenches](https://github.com/dheeraj-pentest/AppSec-From-The-Trenches)