IPFS Unveiled
Exploring Data Collection, Analysis,
and Security
© FuzzingLabs - IPFS OSINT & CTI - Hack.lu/CTI summit 2023
Who are we?
● Patrick Ventuzelo (@Pat_Ventuzelo)
  ○ CEO & Founder of FuzzingLabs
  ○ Senior Security Researcher
● Specialized in
  ○ Fuzzing, vulnerability research, and reversing.
  ○ Rust, Go, Blockchain, Wasm, & Browser security.
  ○ Speaker & trainer at various security conferences:
    ■ BlackHat USA, OffensiveCon, REcon, etc.
● Tanguy Laucournet
  ○ Security Engineer
  ○ Blockchain/OSINT expert
● Specialized in
  ○ Blockchain, cryptocurrencies, NFTs, etc.
  ○ Scripting & Python development for data analysis
  ○ Investigations, profiling, de-anonymization related to blockchains and decentralized networks
Introduction to IPFS
Inter Planetary File System (IPFS)
● IPFS
  ○ Inter Planetary File System
  ○ Protocol, hypermedia and file sharing
  ○ Peer-to-peer (P2P) network
    ■ based on libp2p
  ○ Distributed file system
  ○ Content Addressing
● History
  ○ Introduced in 2014, developed by Protocol Labs.
● IPFS in 2023:
  ○ ~30k nodes annual
  ○ 90% using kubo (Go client/node)
  ○ 50% are located in the US
[Figure: HTTP client-server model (client, server) versus the IPFS peer-to-peer model (peers)]
Location addressing VS Content addressing
Location addressing:
  https://website.com/site/logos/mylogo.jpg
  https://hack.lu/site/logos/logo.jpg
  DNS
  website.com -> 145.15.211.54
  hack.lu -> 66.268.98.478
  (hosts in the diagram: 35.185.224.76, 145.15.211.54, 66.268.98.478)
Content addressing:
  CID : QmA..
  CID : QmB…
IPFS in the wild
Controversial & Illegal
● Darknet Forum
● Phishing pages
● Data Leak
● Darknet Marketplace
● Malware: Powerstar
● Botnet: IPStorm
● NSFW
● Tochka
● A lot …
EXAMPLE: POWERSTAR IPFS Variant
“Charming Kitten appears to be straying from their previously preferred cloud-hosting providers (OneDrive, AWS S3, Dropbox) in favor of privately hosted infrastructure, Backblaze and IPFS, to deliver their malware. In this version, POWERSTAR initially tries to retrieve its C2 server by decoding a file stored on the IPFS. POWERSTAR contains a list of IPFS gateways it tries, in series, to retrieve a hardcoded CID containing a subsequent C2 address to use” - source
EXAMPLE: IPSTORM
“IPFS is currently being abused by IPStorm malware, a botnet that controls Windows, Android, Linux, and Mac devices. The malware was initially identified by Anomali in May 2019. It is written in Go and uses IPFS for communication of the nodes and sending commands to the infected devices. A comprehensive analysis of the malware is provided by Bitdefender whitepaper”
IPStorm Tracker
How can Alice upload to IPFS?
● What is Pinning?
  ○ Refers to instructing an IPFS node (whether local or a service) to retain an object for an indefinite period.
● Local node
  ○ github.com/ipfs/kubo
● Centralized services
  ○ Keep private information about the user doing the pinning request
  ○ Examples: Pinata, Infura
● Decentralized services
  ○ Anyone can see who (which address) made the pinning request
  ○ Examples: Filecoin, Storj
[Figure: Alice reaching the IPFS network either through a local node or through a pinning service]
IPFS upload in details - IPLD creation
1. Create IPLD structure
[Figure: IPLD tree with root QmQ…4my and children Qme…Kft, Qms…bWP, QmV…br3, Qmw…35T]
Content Identifier (CID)
● Content Identifier (CID)
○ Used to identify files and directories
○ Each CID contains
■ Base, version
■ Codec
■ Unique cryptographic hash of the content
○ CID inspector: cid.ipfs.tech
Inter Planetary Linked Data (IPLD)
● Structure for addressable and linkable contents
● Based on CID to identify each chunk of data
● Files can be separated into chunks that are stored and addressed individually
● Use different merkle DAGs to link those chunks together (dag-pb, dag-cbor, etc)
● DAG builder: dag.ipfs.tech
[Figure: Folder A (QmQ…4my) linking to Qmw…35T and to Qme…Kft, Qms…bWP, QmV…br3; a file split into byte chunks 10, 00, 11 addressed as QmX…ccR, Qmq…prt, Qme…7xK]
IPFS upload in details - Files upload
1. Create IPLD structure
2. Upload to node
[Figure: node 12D…y7T holding the IPLD tree rooted at QmQ…4my with children Qme…Kft, Qms…bWP, QmV…br3, Qmw…35T]
IPFS upload in details - Records creation
1. Create IPLD structure
2. Upload to node
3. Create records (CID -> PeerID of the node):
  QmQ…4my -> 12D…y7T
  Qme…Kft -> 12D…y7T
  Qms…bWP -> 12D…y7T
  QmV…br3 -> 12D…y7T
  Qmw…35T -> 12D…y7T
IPFS upload in details - Records sharing
1. Create IPLD structure
2. Upload to node
3. Create records (CID -> PeerID of the node):
  QmQ…4my -> 12D…y7T
  Qme…Kft -> 12D…y7T
  Qms…bWP -> 12D…y7T
  QmV…br3 -> 12D…y7T
  Qmw…35T -> 12D…y7T
4. Share records with the IPFS network
5. Save records (if PeerID close to CID)
How can Bob read a file from IPFS?
● Local node
  ○ Direct access to the network
  ○ Download
    ■ ipfs get <CID>
  ○ Read
    ■ ipfs cat <CID>
● Gateways:
  ○ Access to IPFS over HTTP
● Browsers
  ○ Easy UI access to IPFS
    ■ via existing gateways
    ■ via local node
[Figure: Bob reaching the IPFS network through a gateway, a browser (Brave, etc.) or a local node speaking p2p]
Looking for an object in the IPFS DHT
[Figure: DHT key space from 0x0000… to 0xffff…; A is a CID, the numbered nodes are PeerIDs; Bob queries through a local or service node]
1. Do you have A record?
2. No, ask 5, he is closer
3. Do you have A record?
4. Yes, 7 is hosting A
5. Give me A
6. Send A
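Added example (not from the slides): a small Python simulation of the XOR-distance lookup the diagram walks through. The peer names 1, 3, 5, 7 and the object A come from the slide; their 16-bit keys, the routing table (who knows whom) and the replication factor K=2 are constructed so the trace stays readable (kubo's DHT uses 20, and derives keys by SHA-256 hashing the CID or PeerID bytes, which key_of() reproduces). The publish() step is step 5 of the upload slides: the record is saved by the peers whose PeerID is closest to the CID.

```python
import hashlib

K = 2  # replication factor; kubo uses 20, a small value keeps this constructed example readable


def key_of(identifier: bytes) -> int:
    """Map a CID or PeerID (its multihash bytes) into the 256-bit Kademlia key space.
    kubo hashes the raw key bytes with SHA-256 before comparing XOR distances."""
    return int.from_bytes(hashlib.sha256(identifier).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance: closeness is measured by XOR of keys, not by IP or geography."""
    return a ^ b


def closest(target: int, peer_keys: dict, n: int) -> list:
    """The n peers whose keys are XOR-closest to target ('save records if PeerID close to CID')."""
    return sorted(peer_keys, key=lambda p: xor_distance(target, peer_keys[p]))[:n]


def publish(cid_key: int, host: str, peer_keys: dict, records: dict) -> list:
    """Store the record 'cid -> host' on the K peers closest to the CID key; returns those peers."""
    holders = closest(cid_key, peer_keys, K)
    for p in holders:
        records.setdefault(p, {})[cid_key] = host
    return holders


def lookup(cid_key: int, start: str, peer_keys: dict, routing: dict, records: dict):
    """Iterative lookup from the slide: ask the closest peer we know about; it either returns
    the record ('Yes, 7 is hosting A') or the peers it knows that are closer ('No, ask 5').
    Returns (host, list of peers asked in order)."""
    asked, path, candidates = set(), [], [start]
    while candidates:
        candidates.sort(key=lambda p: xor_distance(cid_key, peer_keys[p]))
        peer = candidates.pop(0)
        if peer in asked:
            continue
        asked.add(peer)
        path.append(peer)
        if cid_key in records.get(peer, {}):
            return records[peer][cid_key], path
        candidates.extend(p for p in routing.get(peer, []) if p not in asked)
    return None, path


# Constructed network: four peers named as on the slide, with hand-picked 16-bit keys
PEER_KEYS = {"1": 0x1000, "3": 0x3000, "5": 0xE000, "7": 0xF000}
ROUTING = {"1": ["3", "5"], "3": ["1"], "5": ["1", "7"], "7": ["5"]}  # who knows whom
CID_A = 0xF800  # constructed key for object A; real keys come from key_of()


def demo():
    """Peer 7 publishes A, then Bob's node (starting from peer 1) looks it up."""
    records = {}
    holders = publish(CID_A, host="7", peer_keys=PEER_KEYS, records=records)
    host, path = lookup(CID_A, start="1", peer_keys=PEER_KEYS, routing=ROUTING, records=records)
    return holders, host, path


if __name__ == "__main__":
    holders, host, path = demo()
    print("record holders:", holders, "| provider:", host, "| peers asked:", path)
```

The trace reproduces the slide: peer 1 has no record and points at 5 (XOR-closer to A than 3), peer 5 holds the record naming 7 as the host, and Bob fetches A from 7. For a defender running monitoring nodes, closest() is also the selection rule that decides which of your nodes will be asked to store records for a given CID.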
OSINT & CTI
How to monitor IPFS links/CID?
IPFS links/CID - Where to find them & what to learn?
IPFS links/CID - Examples in the wild
● Written on the blockchain, related to NFTs, with time-stamped and signed transactions associated.
  → date & blockchain address
● Analysed with scanning tools like VirusTotal; this could give information.
  → date first seen
● Shared on different “archive” and social media websites (LibGen, Dtube, etc.)
  → date & username
● Shared in forums and discussion channels (Telegram, discord, etc.)
  → date & username
Example link: https://d.tube/#!/v/sagar.kothari.88/QmYUFogsvquP9yNHTdQ6jMVLp6FTs7GG13xh7uN2o5qUvk
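Added example, not part of the talk: a Python extractor that pulls IPFS links/CIDs out of free text (forum posts, chat exports, archive pages) and records which public gateway each link went through, which feeds both the "where to find them" question and the gateway blocklist suggested in the conclusion. The sample lines and the two CIDs inside them are constructed (syntactically valid, not real objects); the CID shapes assumed are CIDv0 "Qm…" (46 base58 characters) and base32 CIDv1 "baf…" (59 characters for a SHA-256 multihash).

```python
import re

# CID string shapes found in links: CIDv0 is 46 base58btc chars starting with "Qm";
# CIDv1 carrying a SHA-256 multihash in base32 is 59 chars starting with "baf" (bafy…, bafk…).
CID_RE = re.compile(r"(?<![A-Za-z0-9])(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{56})(?![A-Za-z0-9])")
URL_RE = re.compile(r"https?://([^\s/]+)\S*")  # group 1 = host


def _hit(cid: str, gateway) -> dict:
    return {"cid": cid, "version": 0 if cid.startswith("Qm") else 1, "gateway": gateway}


def extract_cids(text: str) -> list:
    """One hit per CID mention, in reading order: the CID, its version and, when it sat inside an
    HTTP gateway URL, the gateway host. Subdomain gateways (<cid>.ipfs.<host>) are reduced to <host>;
    bare CIDs and ipfs:// URIs get gateway None."""
    hits = []
    for line in text.splitlines():
        found = {}  # absolute offset in line -> hit, so a mention is reported exactly once
        for um in URL_RE.finditer(line):
            url, host = um.group(0), um.group(1)
            for cm in CID_RE.finditer(url):
                cid = cm.group(1)
                if host.lower().startswith(cid.lower() + ".ipfs."):
                    gateway = host[len(cid) + len(".ipfs."):]
                else:
                    gateway = host
                found[um.start() + cm.start()] = _hit(cid, gateway)
        for cm in CID_RE.finditer(line):
            found.setdefault(cm.start(), _hit(cm.group(1), None))
        hits.extend(found[pos] for pos in sorted(found))
    return hits


def unique_cids(hits: list) -> list:
    """CIDs in first-seen order, for feeding into findprovs / monitoring."""
    return list(dict.fromkeys(h["cid"] for h in hits))


def gateway_hosts(hits: list) -> set:
    """Gateways observed serving the links, for a proxy/DNS blocklist."""
    return {h["gateway"] for h in hits if h["gateway"]}


# Constructed sample: two syntactically valid but made-up CIDs embedded in typical link shapes
CID0 = "Qm" + "TestCid" * 6 + "Te"      # 46 chars, base58 alphabet
CID1 = "bafy" + "constructed" * 5       # 59 chars, base32 alphabet
SAMPLE_TEXT = "\n".join([
    f"new build: https://ipfs.io/ipfs/{CID0}/loader.js",      # path-style gateway link
    f"mirror: https://{CID1}.ipfs.dweb.link/index.html",      # subdomain-style gateway link
    f"or fetch it natively ipfs://{CID0}",                     # native URI, no gateway involved
    "unrelated chatter without any link",
    "QmNotACidBecauseTooShort and bafynotacid either",         # must not match
])

if __name__ == "__main__":
    hits = extract_cids(SAMPLE_TEXT)
    for h in hits:
        print(h)
    print("unique CIDs:", unique_cids(hits))
    print("gateways seen:", gateway_hosts(hits))
```

Each hit keeps the gateway separately from the CID because the two answer different questions: the CID is what you monitor on the network, the gateway host is what you block or proxy-log if the organisation has no business need for IPFS.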
OSINT & CTI
What if files are not available anymore?
What if files are not available anymore?
● Censored (410)
  ○ Gateways block the access to “malicious” CID
● TIPS
  ○ Use another gateway
  ○ Direct download of the file using local node
● Unavailable (504)
  ○ Root cause:
    ■ Hosting nodes are not accessible
    ■ File has never been on IPFS
● TIPS
  ○ Use Wayback Machine with gateway url for a CID
  ○ Look for the equivalent file signature on other content addressable networks.
    ■ Filecoin, Arweave
OSINT & CTI
How to find IPFS file variants?
How to find IPFS file variants?
[Figure: IPLD tree rooted at QmQ…4my; Qmw…35T holds chunks 10, 00, 11; Qme…Kft, Qms…bWP, QmV…br3 are children; chunks 10, 00, 11 are addressed as QmX…ccR, Qmq…prt, Qme…7xK]
IPLD similarity in action - Same JPG
[Figure: two trees, QmQ…4my and Qme…90X; the same JPG appears under both (Qmw…35T and Qmc…yX8 with chunks 10, 00, 11), so the leaf chunk CIDs QmX…ccR, Qmq…prt, Qme…7xK are shared; Qme…pkP adds a chunk 01 to the second tree]
IPLD similarity in action - Same chunks of bytes
[Figure: two trees, QmQ…4my and Qme…90X; files Qmw…35T and Qmc…yX8 share the byte chunks 10, 00, 11 (QmX…ccR, Qmq…prt, Qme…7xK) while Qme…pkP contributes the extra chunk 01 (Qmd…9z0)]
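Added example, not from the slides: Python that makes the similarity idea of the three diagrams measurable. It splits two files the way kubo's default fixed-size chunker does (256 KiB) and compares the per-chunk hashes; since a leaf CID is a fixed function of the chunk hash, equal hashes here mean identical leaf CIDs on IPFS. The sample bytes and the 4-byte chunk size are constructed so the effect is visible. The head-insert case shows the caveat a practitioner should expect: with a fixed-size chunker one byte inserted at the front shifts every chunk boundary, so that variant shares no leaf at all despite near-identical content (kubo also offers a rabin chunker that is more robust to this, but it is not the default).

```python
import hashlib
from typing import Dict, List, Set, Tuple

DEFAULT_CHUNK = 256 * 1024  # kubo's default fixed-size chunker splits files into 256 KiB leaves


def leaf_digests(data: bytes, chunk_size: int = DEFAULT_CHUNK) -> List[str]:
    """Split a file as the fixed-size chunker does and hash each chunk. A leaf CID is a fixed
    function of its chunk's hash, so two files sharing a digest here share a leaf CID on IPFS."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def shared_leaves(a: bytes, b: bytes, chunk_size: int = DEFAULT_CHUNK) -> Set[str]:
    return set(leaf_digests(a, chunk_size)) & set(leaf_digests(b, chunk_size))


def similarity(a: bytes, b: bytes, chunk_size: int = DEFAULT_CHUNK) -> float:
    """Jaccard index over leaf digests: 1.0 = identical leaves, 0.0 = nothing in common."""
    la, lb = set(leaf_digests(a, chunk_size)), set(leaf_digests(b, chunk_size))
    if not la and not lb:
        return 1.0
    return len(la & lb) / len(la | lb)


def find_variants(known: Dict[str, bytes], candidate: bytes,
                  chunk_size: int = DEFAULT_CHUNK, threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Rank known samples by the leaves they share with the candidate, keeping those at or above threshold."""
    scored = [(name, similarity(data, candidate, chunk_size)) for name, data in known.items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: (-s[1], s[0]))


# Constructed samples; a 4-byte chunk is used so the effect is visible (real files use DEFAULT_CHUNK)
ORIGINAL = b"AAAABBBBCCCC"
TAIL_EDIT = b"AAAABBBBDDDD"     # last chunk changed: the first two leaves (and their CIDs) survive
HEAD_INSERT = b"X" + ORIGINAL   # one byte inserted at the front shifts every chunk boundary
APPENDED = ORIGINAL + b"EEEE"   # content appended: all three original leaves survive

if __name__ == "__main__":
    print("tail edit   :", similarity(ORIGINAL, TAIL_EDIT, 4))
    print("head insert :", similarity(ORIGINAL, HEAD_INSERT, 4))
    print("variants of APPENDED:",
          find_variants({"original": ORIGINAL, "tail_edit": TAIL_EDIT, "head_insert": HEAD_INSERT},
                        APPENDED, chunk_size=4))
```

In practice the leaf digests come from walking the IPLD tree of a CID you already track; comparing those sets against new trees seen on the network is how the "same chunks of bytes" observation of the slide turns into an automated variant search.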
OSINT & CTI
How to retrieve files from IOCs?
Correlation between IOC and CID
● Reminder
  ○ A CID contains a SHA256 hash
● Use-case examples:
  ○ Retrieve file from hash
  ○ Improve network detection
EXAMPLE: From IOC SHA256 hash to IPFS CID
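Added example serving both the Content Identifier slide and this IOC-to-CID slide; it is not the talk's own tooling. In Python it (a) builds the Qm… CIDv0 that kubo assigns to a small file added with default settings, (b) turns an IOC SHA-256 into the bafkrei… CIDv1 the same file has when added with --raw-leaves, and (c) decodes either form back into version, codec and digest. The point it makes concrete is the caveat behind "CID contains SHA256": with default settings the hash inside the CID is the hash of the dag-pb/UnixFS wrapper around the file, not of the file bytes, so an IOC hash on its own only yields the raw-leaves CID. The dag-pb encoding below assumes a file of at most one chunk (256 KiB) and the UnixFS field layout used by kubo.

```python
import base64
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # base58btc alphabet (CIDv0)
SHA2_256 = 0x12      # multihash code; the digest length is 0x20 (32 bytes)
CODEC_DAG_PB = 0x70  # codec of a default `ipfs add` (UnixFS inside dag-pb)
CODEC_RAW = 0x55     # codec of a leaf added with --raw-leaves (implied by --cid-version 1)


def varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes):
    n, shift = 0, 0
    for i, byte in enumerate(buf):
        n |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return n, buf[i + 1:]
        shift += 7
    raise ValueError("truncated varint")


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def unixfs_file_block(data: bytes) -> bytes:
    """The dag-pb block kubo builds for a single-chunk file with default settings:
    PBNode{Data: UnixFS{Type: File (2), Data: data, filesize: len(data)}} and no links."""
    unixfs = b"\x08\x02" + b"\x12" + varint(len(data)) + data + b"\x18" + varint(len(data))
    return b"\x0a" + varint(len(unixfs)) + unixfs


def cid_v0_for_small_file(data: bytes) -> str:
    """Qm… CID of a file at most one chunk long added without --raw-leaves: the CID's digest
    covers the wrapper block, which is why it differs from sha256(file)."""
    return b58encode(bytes([SHA2_256, 32]) + sha256_digest(unixfs_file_block(data)))


def cid_v1_raw_from_sha256(hexdigest: str) -> str:
    """bafkrei… CID that a single-chunk file with this SHA-256 gets when added with --raw-leaves;
    the only case where an IOC hash alone identifies the object."""
    digest = bytes.fromhex(hexdigest)
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 hex digest")
    raw = varint(1) + varint(CODEC_RAW) + bytes([SHA2_256, 32]) + digest
    return "b" + base64.b32encode(raw).decode().lower().rstrip("=")


def decode_cid(cid: str) -> dict:
    """Version, codec and SHA-256 digest of a Qm… (v0) or b… (v1, base32 multibase) CID."""
    if cid.startswith("Qm") and len(cid) == 46:
        version, codec, mh = 0, CODEC_DAG_PB, b58decode(cid)
    elif cid.startswith("b"):
        body = cid[1:].upper()
        raw = base64.b32decode(body + "=" * (-len(body) % 8))
        version, raw = read_varint(raw)
        codec, mh = read_varint(raw)
    else:
        raise ValueError("unsupported CID encoding")
    code, rest = read_varint(mh)
    length, digest = read_varint(rest)
    if code != SHA2_256 or length != 32 or len(digest) != 32:
        raise ValueError("not a sha2-256 multihash")
    return {"version": version, "codec": codec, "digest": digest}


if __name__ == "__main__":
    sample = b"constructed sample payload\n"          # constructed file content
    ioc = sha256_digest(sample).hex()                 # what a threat report would list
    print("default add  :", cid_v0_for_small_file(sample))
    print("raw-leaves   :", cid_v1_raw_from_sha256(ioc))
    print("decoded      :", decode_cid(cid_v1_raw_from_sha256(ioc)))
```

For network detection the decode direction matters most: any CID seen in a gateway URL can be reduced to its digest and compared with the raw-leaves form of known IOC hashes, while the dag-pb form can only be matched once the file itself (or its wrapper block) has been obtained.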
OSINT & CTI
How to monitor IPFS nodes?
Nodes/PeerID analysis
● Get the peers hosting a file (returns PeerIDs):
  ○ ipfs dht findprovs <CID>
● Get the identity of a peer:
  ○ ipfs id <PeerID>
● How to use the information:
  ○ PublicKey
    ■ Compute IPNS (DNS for IPFS)
  ○ Addresses
    ■ IP recon (Shodan, etc.)
  ○ AgentVersion
    ■ Fingerprint
  ○ Protocols
    ■ Monitoring PubSub topics/messages
● Example: IPStorm
  ○ AgentVersion: storm
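Added example (not from the slides): Python triage over the JSON that ipfs id returns, implementing three of the uses listed above. It extracts externally reachable IPs from the advertised multiaddrs (skipping loopback, RFC 1918/ULA ranges and relay addresses, whose IP belongs to the relay rather than the peer), fingerprints the AgentVersion (flagging "storm" as in the IPStorm example), and checks whether the peer advertises a PubSub protocol worth subscribing a monitor to. The two peer records are constructed; their IDs, keys and addresses are placeholders, not real peers.

```python
import ipaddress
import json

# Ranges whose addresses are useless for external recon (RFC 1918 and IPv6 unique-local)
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
PUBSUB_PROTOCOLS = ("/floodsub/", "/meshsub/")  # libp2p PubSub protocol ids a peer may advertise


def public_ips(addresses) -> set:
    """IPs a peer advertises that can be reached from outside. '/p2p-circuit' entries are relay
    addresses: the IP in them belongs to the relay, so they are skipped."""
    ips = set()
    for addr in addresses:
        if "/p2p-circuit" in addr:
            continue
        parts = addr.split("/")
        for i, part in enumerate(parts):
            if part in ("ip4", "ip6") and i + 1 < len(parts):
                ip = ipaddress.ip_address(parts[i + 1])
                if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
                    continue
                if any(ip in net for net in LOCAL_NETS):
                    continue
                ips.add(str(ip))
    return ips


def agent_family(agent_version: str) -> str:
    """First token of AgentVersion: 'kubo' from 'kubo/0.22.0/'; IPStorm peers report 'storm'."""
    return (agent_version or "").split("/")[0].strip().lower() or "unknown"


def triage(peer: dict, suspicious_agents=("storm",)) -> dict:
    family = agent_family(peer.get("AgentVersion", ""))
    protocols = peer.get("Protocols", [])
    return {
        "id": peer["ID"],
        "agent": family,
        "suspicious": family in suspicious_agents,
        "public_ips": public_ips(peer.get("Addresses", [])),
        "pubsub": any(p.startswith(PUBSUB_PROTOCOLS) for p in protocols),
    }


def triage_all(ipfs_id_json: str) -> list:
    """Takes a JSON list of `ipfs id` objects (one per PeerID returned by findprovs)."""
    return [triage(p) for p in json.loads(ipfs_id_json)]


# Constructed sample in the shape of `ipfs id <PeerID>` output; all values are placeholders.
# The public IPs use documentation ranges on purpose so that nothing real is probed.
SAMPLE_IPFS_ID = json.dumps([
    {"ID": "12D3KooWExamplePeerA", "PublicKey": "CAESI-placeholder",
     "Addresses": ["/ip4/127.0.0.1/tcp/4001/p2p/12D3KooWExamplePeerA",
                   "/ip4/203.0.113.10/tcp/4001/p2p/12D3KooWExamplePeerA",
                   "/ip4/203.0.113.10/udp/4001/quic-v1/p2p/12D3KooWExamplePeerA",
                   "/ip6/2001:db8::10/tcp/4001/p2p/12D3KooWExamplePeerA"],
     "AgentVersion": "kubo/0.22.0/",
     "Protocols": ["/ipfs/bitswap/1.2.0", "/ipfs/kad/1.0.0", "/floodsub/1.0.0", "/meshsub/1.1.0"]},
    {"ID": "12D3KooWExamplePeerB", "PublicKey": "CAESI-placeholder",
     "Addresses": ["/ip4/192.168.1.5/tcp/4001/p2p/12D3KooWExamplePeerB",
                   "/ip4/198.51.100.7/tcp/4001/p2p/12D3KooWExamplePeerB",
                   "/ip4/203.0.113.99/tcp/4001/p2p/12D3KooWRelay/p2p-circuit/p2p/12D3KooWExamplePeerB"],
     "AgentVersion": "storm",
     "Protocols": ["/ipfs/kad/1.0.0"]},
])

if __name__ == "__main__":
    for record in triage_all(SAMPLE_IPFS_ID):
        print(record)
```

The relay rule is the one most often missed: a peer behind NAT advertises its relay's address, and recon against that IP lands on an unrelated node.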
Network Monitoring: IPFS Crawler (Nebula)
Continuous monitoring of nodes & files
● IPFS does not store any “historical” information about peers or objects
● By monitoring the DHT & Bitswap constantly we can:
  ○ Know who was the first peer hosting a file
  ○ Know when this file was first seen on the IPFS network
  ○ Get all the CIDs composing the IPLD structure and check if some of them are already known (existing CID or computed from an IOC)
  ○ Track the nodes joining and quitting the network
  ○ Track all the PubSub topics used by the nodes
  ○ And more…
● As for most decentralized networks (Tor, BitTorrent, etc.), the best way to get as much information as possible is to understand the protocol, set up a sufficient number of nodes in the network and make them log the information you are interested in.
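Added example (not from the slides): Python that folds the kind of observations a fleet of monitoring nodes would log (timestamped "peer X provided CID Y" sightings from DHT findprovs or Bitswap, plus the peer list of each crawl round) into the answers the bullets ask for: first provider and first-seen time per CID, matches against CIDs already known or computed from an IOC, and join/leave events. All observations, peers and CIDs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One sighting: at time ts, our monitor saw peer advertise cid (DHT findprovs or Bitswap)."""
    ts: datetime
    cid: str
    peer: str
    monitor: str


def first_seen(observations: Iterable[Observation]) -> Dict[str, Observation]:
    """Earliest sighting per CID across all monitors: who hosted it first, and when."""
    earliest: Dict[str, Observation] = {}
    for obs in sorted(observations, key=lambda o: o.ts):
        earliest.setdefault(obs.cid, obs)
    return earliest


def providers_of(observations: Iterable[Observation], cid: str) -> Set[str]:
    return {o.peer for o in observations if o.cid == cid}


def match_known(observations: List[Observation], known_cids: Set[str]) -> Dict[str, Set[str]]:
    """CIDs seen on the network that are already known (blocklists, or computed from an IOC hash),
    mapped to the peers serving them."""
    return {o.cid: providers_of(observations, o.cid) for o in observations if o.cid in known_cids}


def membership_events(rounds: List[Tuple[datetime, Set[str]]]) -> List[Tuple[datetime, str, str]]:
    """Diff consecutive crawl rounds to reconstruct peers joining and leaving the network."""
    events, previous = [], set()
    for ts, peers in rounds:
        events += [(ts, "joined", p) for p in sorted(peers - previous)]
        events += [(ts, "left", p) for p in sorted(previous - peers)]
        previous = peers
    return events


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed log: two monitors, two placeholder CIDs, sightings deliberately out of time order
OBS = [
    Observation(T("2023-10-17T10:05:00"), "QmCidA-placeholder", "peer-7", "monitor-eu"),
    Observation(T("2023-10-17T09:58:00"), "QmCidA-placeholder", "peer-5", "monitor-us"),
    Observation(T("2023-10-17T11:20:00"), "QmCidB-placeholder", "peer-3", "monitor-eu"),
    Observation(T("2023-10-17T12:00:00"), "QmCidA-placeholder", "peer-1", "monitor-us"),
]
ROUNDS = [  # constructed crawl rounds: (time, peers answering the crawler)
    (T("2023-10-17T09:00:00"), {"peer-1", "peer-3", "peer-5"}),
    (T("2023-10-17T10:00:00"), {"peer-1", "peer-5", "peer-7"}),
    (T("2023-10-17T11:00:00"), {"peer-1", "peer-7"}),
]

if __name__ == "__main__":
    for cid, obs in first_seen(OBS).items():
        print(f"{cid}: first seen {obs.ts} on {obs.peer} (by {obs.monitor})")
    print("known CIDs on the network:", match_known(OBS, {"QmCidB-placeholder"}))
    for ts, kind, peer in membership_events(ROUNDS):
        print(ts, kind, peer)
```

Merging sightings from several monitors before taking the minimum is what makes "first seen" meaningful: a single node only sees the part of the DHT it is close to, which is the reason the slide recommends running enough nodes.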
Conclusion & Future
Conclusion & Future
● IPFS
  ○ Decentralized P2P network built on libp2p
  ○ Based on content addressing, where objects are identified with the hash of their content (CID) and structured using IPLD
● OSINT/CTI can be applied at different levels
  ○ CID/links diffusion
  ○ File content and structure
  ○ Nodes fingerprinting
  ○ Global monitoring
    ■ If your company doesn't need IPFS, block all the common gateways
● Current FuzzingLabs research
  ○ Monitoring InterPlanetary Name System (IPNS)
  ○ Monitoring IPFS PubSub usage and actors (rendezvous, etc.)
  ○ Other web3 decentralized storage networks (Arweave, Swarm, etc.)
  ○ Integration of IPFS inside the FuzzingLabs OSINT platform
Thanks for your time! Any questions?
Patrick Tanguy
● Twitter: @Pat_Ventuzelo
● Mail: [email protected]