The OSINT-ification of ISIS on the Dark Web

The Dark Web is less than 1% of the total Internet; credit: Worldstack

There has been a lot of literature written about the Dark Web and what sort of unsavory activities occur on this medium. Nothing much good ever comes from the Dark Web. It has earned the reputation of being the seedy underbelly of the Internet and the Deep Web. I find it absolutely hilarious that in 2019, many Internet users do not understand the difference between the Deep Web and the Dark Web (a.k.a., the DarkNet). It is a safe haven for cybercriminals and for the sale of illicit information, images, drugs, weapons, and underground services such as hacking, 0-day software vulnerabilities, and malware. Some websites on the Dark Web are by invitation only. However, law enforcement, security researchers, hacktivist groups, and white hat hackers have turned the Dark Web upside-down on occasion by taking down cybercriminal underground markets and syndicate operations. For all the negative press the Dark Web gets though, it isn’t all bad. There are also some good sites like ProPublica, Sci-Hub, Facebook, and Keybase that live on the Dark Web too. As with most things in life, it is rarely ever an all-or-nothing approach.

Open-source intelligence (OSINT) is a recent phenomenon that involves performing analysis of information that is freely available on the open Internet using a combination of various application tools, techniques, and websites to uncover identities or unlinked disaggregated information. Before we get started with this OSINT stuff, please be advised that it takes a lot of time to research thoroughly and be forewarned that you may find some things that could be very disturbing.


Let’s Go OSINT’ing, Shall We?

1. First, we need the means to access the Dark Web because normal Web browsers will not take you there. Install the Tor Project’s Tor browser on your computer (available also for mobile devices) or you can also use the I2P anonymous network from the Invisible Internet Project to access .onion (Dark Web) sites.
https://www.torproject.org/
I2P= the Invisible Internet Project

2. Using any Web browser or Tor, navigate to the Hidden Wiki site. This will give a sizeable list of .onion (Dark Web) sites you may wish to visit.

The Hidden Wiki site offers many links to .onion sites on the Dark Web accessible with the Tor browser

I’ll just go ahead and say it up front:

**WARNING: Viewing child pornography is a crime in many countries which carries severe penalties that may result in your being prosecuted, convicted in a court of law, labeled a sexual predator for life, and possibly also having to serve long prison sentences. It is also a crime in many places to solicit illegal services such as illegal drugs, purchase weapons, or pay for illegal hacking services.**

Most readers already know this, of course, but the warning needs to be said. However, if you want to roll the dice and feel comfortable with your $8/mo. Virtual Private Network (VPN) paid service, which is probably logging your browsing activity and selling it to third parties anyway, and the 3 onion layers of “anonymity” the Tor browser affords you, then it is also worth mentioning that the FBI and INTERPOL have on multiple occasions worked in concert and used various “investigative” techniques to reveal the actual, true IP addresses of users of the Tor browser. The FBI has even been known to have taken over .onion domains and continued running these illegal services to collect as many users’ true IP addresses as possible, which it then provides to law enforcement agencies in other cooperating countries to hunt down and prosecute pedophiles and illegal drug and service traffickers.

As a security and digital forensics professional, I would be remiss not to also inform readers that any images viewed from your regular Internet browser are automatically saved to your computer’s Temporary Internet Folder. It’s one of the first places digital forensics investigators will look along with your browser history which is still accessible long after you thought you had deleted it. So, if you’re the type who is going to view illegal images and save them to your computer hard drive, just know that eventually you will likely be caught and rot the rest of your life away behind bars.

Moreover, the Tor Project designed its Tor browser with privacy-themed security requirements such as proxy obedience, state separation, disk avoidance, and application data isolation. For instance, the disk avoidance security requirement specifically states that:

“The browser MUST NOT write any information that is derived from or that reveals browsing activity to the disk, or store it in memory beyond the duration of one browsing session, unless the user has explicitly opted to store their browsing history information to disk.”
Some additional .onion sites found on The Hidden Wiki site

3. To perform Open Source Intelligence (OSINT) collection on the .onion sites, we will need the assistance of some special tools. We are in luck: Intel Techniques by Michael Bazzell created a Linux Virtual Machine (VM) that is specially designed for OSINT called Buscador. Download and install the Buscador VM in either VirtualBox (free) or VMware. For assistance with how to install the VM, Null-Byte did a nice write-up on Buscador here that you may find useful. I use VirtualBox, for which the checksum (MD5) is 09dd771716502771af5f2bb86835e6c2. If you prefer to use VMware, the checksum (MD5) is 27f2d1ba37d1a15531ff34a050012ef4. You want to compare file hashes to ensure you downloaded a safe version.

Buscador OSINT VM
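The hash comparison from step 3 can be scripted so that it fails closed. This is an added example, not part of the original article or the Buscador project; the script name and image path are hypothetical placeholders, and the two MD5 values are the ones quoted above.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded Buscador image against the MD5 values
# quoted in the article. MD5 catches a corrupted or swapped download only if
# the published value itself came from a source you trust.

# MD5 checksums as published in the article, keyed by hypervisor.
expected_md5() {
    case "$1" in
        virtualbox) echo "09dd771716502771af5f2bb86835e6c2" ;;
        vmware)     echo "27f2d1ba37d1a15531ff34a050012ef4" ;;
        *)          return 1 ;;
    esac
}

# Print the lowercase MD5 of a file (md5sum on Linux, md5 on macOS/BSD).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum -- "$1" | awk '{print tolower($1)}'
    else
        md5 -q "$1" | tr 'A-F' 'a-f'
    fi
}

# verify_md5 FILE EXPECTED: returns 0 only on an exact match. Fails closed:
# a missing file or malformed expected value returns 2, a mismatch returns 1.
verify_md5() {
    local file="$1" want actual
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case "$want" in
        ""|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 32 ] || { echo "expected value is not 32 hex digits" >&2; return 2; }
    actual=$(file_md5 "$file") || return 2
    if [ "$actual" = "$want" ]; then
        echo "OK   $file"
    else
        echo "FAIL $file: got $actual, expected $want" >&2
        return 1
    fi
}

# Usage (image path is a hypothetical placeholder):
#   ./verify_buscador.sh virtualbox /path/to/downloaded-image.ova
if [ "$#" -eq 2 ]; then
    verify_md5 "$2" "$(expected_md5 "$1")"
fi
```

Import the VM only when the script prints OK and exits 0; on FAIL, discard the file and download it again.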

Not a fan of the Buscador VM? No worries, there are also other tools you can use to perform OSINT of the Dark Web using the OSINT Framework (see image below).

The OSINT Framework tools for Dark Web analysis; credit: The OSINT Framework

For the purposes of this article, we will focus on threats to national security that exist on the Dark Web and how OSINT can assist with uncovering information associated with these shadowy groups. Organizations such as government intelligence agencies and private organizations like Bellingcat <https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/mobilebasic> have people working for them that are very skilled and knowledgeable in OSINT to include many tools, techniques, and analysis of disaggregated information. Bellingcat, in particular, has done a phenomenal job of using OSINT to de-mystify several notable events involving Russian war crimes, or Syrian and African atrocities. Many everyday people have begun learning about OSINT to uncover the identities of white supremacy group members involved in violence against protesters. Drawing the parallels and links between incomplete information and image metadata requires “a particular set of skills…” Cue Liam Neeson…

Threats posed by the Dark Web to National Security; credit: Small Wars Journal

When we think about the Dark Web, most people may not immediately think of terrorists using it to communicate or post information in secret. Typically, the Dark Web is associated with other nefarious activities such as child pornography, illegal drugs, guns, malware markets, and illegal hacking services. But how do we know that terrorist groups such as Al Qaeda or ISIS are not using the Dark Web to plan, coordinate, and facilitate new terror attacks? They are, you can bet on it. This is one reason why intelligence agencies and law enforcement agencies worldwide must keep their eye on what is happening on the Dark Web. To dismiss it as just a handful of cybercriminals selling their wares would be a colossal mistake.

As the war with ISIS in Syria draws to an end, expect to see remnants of this terrorist group resurface online to coordinate actions and raise new followers and supporters. Of course, these Dark Web .onion terrorist websites will not be easy to find. OSINT hunters will not likely find them on the list of Tor hidden services, and the sites may be by invitation only. SadaqaCoins is a crowdfunding Tor2Web site created on the Dark Web specifically to fund the expenses for the mujahideen fighters that they use to buy weapons and ammunition. Note that Tor2Web sites are not secure.

The Twitter @sadaqacoins account has been suspended indefinitely.
“These donations are also used to equip items such as a tor server to expand their tor onion site, Intel laptops, to pay for translation work for the site and services. They also purchase hardware cold wallets to store the cryptocurrency on a platform that is not connected to the internet and protect the wallet from unauthorized access and cyber hacks.” — Ajay Narayan, AMBCrypto article, 25 August 2018
Using Tor browser to navigate to SadaqaCoins website, but the site uses an invalid security certificate

As often happens in this type of research, you may reach a dead end and have to pivot and search elsewhere from a different starting point. Further research I performed reveals that to access this site, you must navigate to http://sadaqabmnor4ufnj[dot]onion/.

Screenshot 1 of SadaqaCoins .onion site

Success! I have reached a not-too-easy place to find, a jihadist funding site on the Dark Web. Let’s dig a little and see what we find.

Screenshot 2 of SadaqaCoins .onion site
Screenshot 3 of SadaqaCoins .onion site
Screenshot 4 of SadaqaCoins .onion site
Screenshot 5 of SadaqaCoins .onion site
Screenshot 6 of SadaqaCoins .onion site

So, there we have several screenshots that encompass some of the information on the SadaqaCoins .onion Dark Web site. It is truly disgusting that this website is offering a secure means of supporting those who would harm innocent people through acts of terrorism, using Bitcoin, Monero, and Ethereum cryptocurrencies. This is yet another example of how encryption and anonymity technologies are being used for evil purposes. It never fails: technology is always a double-edged sword.

Project “Jihad Investment” is organized by JunudAshSham
This “project” even has a QR code to donate cryptocurrency to

Project “Jihad Investment” published on 13 August 2018 lists an organizer by the name of Junud Ash Sham. I wonder what OSINT analysis can be done on this handle.

Nusret cephesi

Oh, look at this. Thank you Twitter, we have an associated profile (@JunudAshSham) and some suggested others to follow who also appear to be sympathizers of terrorism under the “Who to follow” area to the right of the screen. Another way to follow further down the rabbit hole is to view this Twitter user’s followers and who they are following to see who may also be connected to this terrorist “cause.” Now, pay attention to details here. This Twitter account has been in existence since January 2016!! Additionally, “yeni hesap” translates from Turkish to English as “new account” suggesting that his previous account was likely suspended.

People followed by Twitter user @JunudAshSham
Some of the Twitter accounts following @JunudAshSham; note that Fisebilillah account is both following/follower
Reporting Twitter account @JunudAshSham

It is fairly surprising that in 2019, social media sites such as Twitter don’t have an option for reporting terrorist sympathizer accounts such as this. Apparently, tech companies such as Twitter, Facebook, and Telegram are okay with letting users post content to their platforms unless a number of users report it.

What other information is available about this group? A quick Google search reveals that it is a mujahideen group fighting in the Syrian civil war and is aligned with pro-Al Qaeda groups.

Wikipedia
Google Search for “Junud al Sham”
Junud Sham|Jih@d image from WordPress.com site

Venturing further down the Internet black hole yields another site that appears to be some type of jihadist propaganda website dedicated to this Junud Ash Sham group, which appears to be affiliated with Al Qaeda and is fighting against the Syrian Assad regime forces.

https://ojihad.wordpress.com/tag/junud-sham/

Using Buscador, we have several tools that can be used to enumerate Web domains. Let’s try the Knock tool to see whether we can get anything useful from the domain: https://ojihad.wordpress.com/tag/junud-sham/

https://ojihad.wordpress.com/tag/junud-sham/ = 192.0.78.12/.13; nginx server

Knock reveals the site IP address and other useful information such as alias URLs and even what type of server it’s running: nginx. Running that IP address through Onyphe.io reveals the below information:

Onyphe.io reveals that 192.0.78.12 is hosted by a company in San Francisco

Alright, so here I’ve decided to end this particular search because the WordPress jihad site appears to belong to a European journalist going by the name of Florian Flade. No worries, this often happens when performing OSINT. Just re-adjust and look for another angle of information to exploit, as if you were performing vulnerability analysis scans for various ports in ethical hacking.

Listing at the bottom of the WordPress jihad site

At this point, I decided to shift my focus back to the SadaqaCoins .onion Dark Web site. There are specific OSINT tools that we can use to enumerate .onion sites, such as OnionScan, which is available on GitHub here.

OnionScan is one method, but I’d prefer to switch over to Kali Linux at this point and use another tool called ONIOFF (Python tool) for .onion URL inspection of the http://sadaqabmnor4ufnj.onion/ domain. ONIOFF doesn’t come included in Kali’s massive hacker tool repository, so you’ll need to clone the Git Repo from the xterm using the command:

git clone https://github.com/k4m4/onioff.git
Cloning the ONIOFF Git Repo onto Kali from VirtualBox

Before we go any further we need to ensure the Tor browser is properly configured to run in Kali. There is a quick how-to article here on how to do this. Use the following command in the xterm:

apt install torbrowser-launcher

Getting Tor configured and running will take a few minutes. Once Tor is running, then we’re going to cd to the ONIOFF directory and get down to business.

In this instance, the report.txt did not yield any actionable information that we didn’t already have:

http://sadaqabmnor4ufnj.onion/ — SadaqaCoins — 100% Donation Policy — Donate now!

There are some other tools that can be used to further enumerate, but the chances of discovering juicy, actionable information are waning with the daylight as sunset nears. Realize that terrorists are becoming wiser with their communication secrecy, and there has been a noticeable preference among these individuals for using the end-to-end encrypted Telegram App to communicate in secrecy. Of course, Bin Laden’s Al Qaeda inner circle never used cell phones or Internet-connected computers. They considered it too much of a risk. They preferred to use human messengers that had been vetted and that they could trust, which meant they would kill their entire family if they betrayed them. Al Qaeda traditionally has used media that was pre-recorded and then posted by someone weeks or months later, after Bin Laden and his associates had plenty of time to relocate. It is very important that we quickly identify communication mediums that are being used by extremist groups to fund and further their violent agendas. OSINT is the perfect tool for these types of operations. Off to another hunt…