- Find the "bad guy" server's onion address ("hidden service").
- Run a Tor relay. Ideally many. No exit node shenanigans needed - hidden service, not exiting Tor. This is quite nice from a legalistic perspective since you're not on the hook for hacks coming off the exit node.
- Run a bunch of clients. Instruct them to connect to the "bad guy" onion.
- Gather data over time for correlation attacks. Correlate your client to relay to endpoint server.
- At some point, you'll find one of your relays is the guy connecting directly to said hidden service.
Very simple lesson here. One needs to encrypt the information, yes, but failing to consider packet timing as "information" is the fallacy.
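An added illustration of the "timing is information" point (not part of the comment above, and not a reproduction of any real deanonymization tooling): a toy traffic-confirmation check that bins packet timestamps into windows and correlates the client-side pattern against each flow seen on a relay you run. All traces are constructed in the block; the window size, lag range, delay and jitter are assumed values chosen for the demo.

```python
"""Toy timing-correlation (traffic confirmation) demo.

Everything here is constructed: synthetic packet timestamps stand in for
(a) the flow one of our own clients sends into the network and (b) the
flows observed on a relay we operate.  Payload encryption does not hide
the per-window packet counts, and the relay-side flow whose timing
correlates best with our client's is very likely the same circuit.
"""
import math
import random

WINDOW = 0.25       # seconds per bin (assumed)
MAX_LAG_BINS = 4    # relay sees packets slightly later; try small lags (assumed)


def bin_counts(timestamps, duration, window=WINDOW):
    """Histogram packet arrival times into fixed-size windows."""
    n = int(math.ceil(duration / window))
    counts = [0] * n
    for t in timestamps:
        i = int(t / window)
        if 0 <= i < n:
            counts[i] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors (0.0 if degenerate)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / math.sqrt(va * vb)


def best_match(client_ts, relay_flows, duration, max_lag_bins=MAX_LAG_BINS):
    """Return (flow_id, score): the relay flow whose timing best matches the client.

    For each candidate flow the relay counts are shifted back by 0..max_lag_bins
    windows and the best correlation over those lags is kept.
    """
    c = bin_counts(client_ts, duration)
    best = (None, -1.0)
    for fid, ts in relay_flows.items():
        r = bin_counts(ts, duration)
        for lag in range(max_lag_bins + 1):
            score = pearson(c[:len(c) - lag], r[lag:]) if lag else pearson(c, r)
            if score > best[1]:
                best = (fid, score)
    return best


def make_bursty_trace(rng, duration, bursts):
    """Constructed sample flow: `bursts` bursts of 5-20 packets at random times."""
    ts = []
    for _ in range(bursts):
        start = rng.uniform(0, duration - 1)
        for _ in range(rng.randint(5, 20)):
            ts.append(start + rng.uniform(0, 0.3))
    return sorted(ts)


def relay_view(ts, rng, delay=0.2, jitter=0.05, loss=0.02):
    """The same flow as seen one hop downstream: delayed, jittered, a few packets lost."""
    return sorted(t + delay + rng.uniform(-jitter, jitter)
                  for t in ts if rng.random() > loss)


def demo(seed=7):
    """Build one client flow, five unrelated relay flows plus the delayed copy
    of ours, and report which relay flow the correlation picks."""
    rng = random.Random(seed)
    duration = 120.0
    client = make_bursty_trace(rng, duration, bursts=20)
    flows = {f"circ-{i}": make_bursty_trace(rng, duration, bursts=20) for i in range(5)}
    flows["circ-ours"] = relay_view(client, rng)
    return best_match(client, flows, duration)


if __name__ == "__main__":
    print(demo())
```

The unrelated flows correlate with the client only by chance, while the delayed copy of the client's own flow scores far higher; this is the "correlate your client to relay" step of the procedure, with the caveat that a real attack needs far more samples, larger lag search and statistical thresholds to avoid false positives across many circuits.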