RSS
Hacker Magazine News Articles Bugtrack Forum

Make Tor go the whole hog

If you think that ensuring ones Internet privacy is the only mean of the Tor software then you are wrong twice. First off, its suballocated network can be used for different purposes. And secondly, its not as safe as its painted. Alas.

This wonderful tool for ensuring the anonymity and security of Internet data is good for many reasons. Any sniffer just stays out of work (including Internet routers built-in ones) because all traffic passes through a chain of nodes only in encrypted form. Its extremely difficult or (in case of giving implicit confidence to what developers say) even impossible to trace the data source due to the ever-changing chains of special intermediary units through which the data is transmitted. Who hasnt tried using Tor for a trivial IP change? At first glance, the speed is the only one drawback. Each node within the chain makes a serious delay, both in response time and in bandwidth. The result is an anonymous connection. Anonymous and dial-up :). But that dial-up connection is not the main problem of Tor active users. Theres a thing they should worry about much stronger - any data can be intercepted and, hell, that can be done easily!

Where all that nodes come from?

In order to let the application traffic go through Tor itll be enough to specify the local SOCKS-server address in the applications proxy settings. If this option isnt available you can use some socks manage software (e.g. Sockcap), but at the same time you should remember that socks allow TCP traffic only. However, most users are much more interested in ready-to-use software builds (so-called Bundles) that include Tor itself, as well as reconfigured Firefox browser and Pidgin IM-client. You just install it and thats it! Incidentally, theres a Torbutton Firefox plugin. You just click the button and all the traffic starts a secure transmitting through a chain of intermediate nodes. What are these nodes, and how, in principle, is Tor designed? Lets try to get it.

So-called nodes (between which the encrypted data is transferred) underlie the suballocated nodes system. Three servers which form a temporary chain are normally used for connection. Each server is chosen randomly. It knows only from what segment the data was received and whom it intends to. Moreover, the chain is constantly changing. Tracking the full packets path (including their sender) is not possible even in the case of data interception from one server. The package is encrypted with three keys before sending and sequentially they are: the key for the third node, then for the second and, eventually, for the first one. When the first node receives a packet, it decrypts the "upper" layer of encryption and finds out where the packet should be sent next. The second and the third servers do likewise.

So whats the catch?

Thus, the path is constantly changing, the data transfers through intermediate nodes in the form of some shitty code, i.e. in the encrypted form. The question is wheres the catch? It has to be somewhere. You know, no matter how seriously the data is protected, and no matter how sophisticated and tangled the route is, all the data still needs to be deciphered somewhere at the exit. After all, only this way it can be delivered to a destination server. This operation comes at the last node of the chain - the so-called Exit Node. If you set up a sniffer on such a node, then the data will remain nothing but getting straight into your logs :).

You may think that the system excludes that circumstances and setting up the Tor as the exit node is impossible? No kidding! The entire system is built on a large number of involved enthusiasts who provide their home computers as nodes, including exit ones. A few lines of code in the config file will serve as a ticket to their ranks.

Hurray for the Exit Node!

Well, lets do it. For this experiment youll need any *NIX distribution. Its absolutely unimportant whether itll be a Backtrack launched on a flash drive, or some Ubuntu launched on a virtual machine. Next thing youll need is the latest version of Tor (at the time of publication its v. 0.2.1.19). GUI lovers can also download and install the Vidalia but we're going to work in the console mode. So now you download the packages, unpack em and install. I think there should be no problems at this stage.

Tor requires the clock to be set correctly. Otherwise you should synchronize your clock with public time servers. Looking ahead, I have to say that its better to create a separate user before starting the Tor (You can do this by running adduser). Ive created a toruser user by: uid = 111 (toruser) gid = 10 (wheel) groups = 0 (wheel), 10 (wheel). Now you need to create a configuration file. Tor uses the .tor folder in its user's home directory (/ home/toruser) to store the data. You should create a .tor folder and a torrc file in it. Then open it in some text editor.

Now we are interested in several parameters:

ControlPort - at this port Tor will receive the connections to control a Tor-server (i.e. you can remotely connect to the Tor configuration. This option is important for those who use the desktop environments such as Vidalia or Tork). Set it in 9051.

DirPort through this port Tor will receive the data from the directories server. Set in 9030.

ControlPort 9051
DirPort 9030

ExitPolicy - determines what kind of traffic will Tor receive and then forward. It has the following format: "ExitPolicy Accept | reject address: port". By default, the policy is as follows:

reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:563
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*

It means that all the traffic destined to the above ports will be cut and the rest of it will be allowed. Basically, it can be left default. Well, that's for you to choose. I used the following:

ExitPolicy accept *:80, accept *:443, accept *:110, accept *:143, accept *:993, accept *:995, reject *:*

HashedControlPassword - hash of the password to access and configure the Tor-server (hackers wont be able to reconfigure your server) is created with the command: tor - hash-password.

Nickname - the name of your server.

ORPort - the port, which waits for connections from other nodes.

SocksListenAddress - the address that all applications running through SOCKS will connect to. Format: SocksListenAddress IP [: PORT]. Set the IP to 127.0.0.1, and leave the default port (9050). Youll need this if youll want to use Tor in tandem with Privoxy or some other proxy software.

HashedControlPassword 16:91495A0B7CBC41C76073E1EC00A5CF1510D41462884391CCB24BF489F1
Log notice stdout put message in to console
Nickname HelloXakep
ORPort 9001
SocksListenAddress 127.0.0.1

Save the changes and close the file. Now youre ready to launch. Open the console, login and run the Tor as trouser, passing the path to the config file as a parameter:

$ tor -f /home/toruser/.tor/torrc

And look at the error messages. Once the server will be able to connect to the network, it will check the availability of its ports from the outside. It may take up to 20 minutes. It logs messages like "Self-testing indicates your ORPort is reachable from the outside. Excellent". If not, it means that the server is not reachable from the outside and you should double-check the firewall.

As soon as the server determines the ports availability, it will upload its descriptor on the directory server (node database). This will allow customers to know the address, ports, keys and other information about our server. To make sure that server is on the list you can go to http://moria.seul.org:9032/tor/status/authority and check your servers nickname. However, its not updated immediately. Sometimes it may take some time to have that information refreshed in the database.

So we have our server in the list. Let's look at the line below HelloHacker. You can see the s Exit Fast Running V2Dir Valid phrase. Exit - means your computer is an Exit Node!

Lets sniff it

Thus, the output node is set upped, launched and added to the database. No doubt someone must take advantage of it in the very near future. Well, I can only run my favorite Wireshark sniffer, select the Interface which will be sniffing the external network and enable the packets capturing. And then just wait. In most cases full soon packages start crumbling to the logs :))

Then you can disable the capture and analyze the resulting dump (e.g. search the packets for a pass strings). As you know, HTTP-protocol transmits everything without any encryption, so it can swallow something interesting (I caught login details for 2 tracker accounts in 40 minutes of sniffer work). Thats not so bad, admit it. But the most delicious things just past through us (actually they stay with us, but theyre encrypted). But even in this case there is a way out. In the May edition of TOOLS weve already mentioned about sslstrip - a tool that intercepts the SSL-connections data. Moxie Marlinspike unreleased the new version of this remarkable tool at the BlackHat2009 conference that was held in August (by the way, I advise you to read his report. We added all the BlackHat materials on the September DVD). Download the sslstrip tool from the authors website and try it (see the May issue for details on how to use the sslstrip).

Run the next thing:

$ Python sslstrip.py-a-l 8080-w today.log

Since you are the last node then all the traffic from the previous node is transmitted in encrypted form. Then its decrypted on our server and after its sent to the final destination. So, you need to get the outgoing http traffic through the sslstrip. To do this, lets add an iptables rule:

$ iptables -t nat -I OUTPUT -p tcp -m owner -uid-owner 111 --dport 80 -j DNAT --to-destination 127.0.0.1:8080

Where the 111 is a trouser id. In other words, youll forward all outgoing HTTP-traffic of the trouser to go through sslstrip. Now everythings completely automated and the only thing you can do is wait and check the logs :).

Anonymous scanning

Youve learned about how to intercept someones logins and passwords. But theres much more interesting task. Have you ever been in such situation when you are in some internal network and theres some server that interests you in some way but you cant scan it because thatll immediately attract the IDS and respectively admins attention? Or here's another option: imagine youre scanning the remote host but it recognizes the scan and blocks your IP. What an adversity. But theres a way out! The Tor will help us again because it can be used as a scan intermediary. After all, who said that this system can be used only for anonymous surfing? :)

Whats the advantage of such kind of scan? In our first case, scanning the server will take place from Internet but not from the local network, and in second one - even if youre blocked you can always let the traffic go through another Tor-server (the wheal is that theres lots of em). So, for our experiments youll need the following stuff:

  1. Tor (which is already installed and configured)
  2. Privoxy (www.privoxy.org)
  3. proxychains (proxychains.sourceforge.net)
  4. tortunnel (www.thoughtcrime.org/software/tortunnel)
  5. Nmap (nmap.org)

Install everything except of tortunnel tool. Config the proxychains to let the traffic go through Tor just by taking off the commenting signs from the following line:

Socks4 127.0.0.1 9050

Now you save the configuration and launch the scan (the address is 92.241.175.142 - IP of xakep.ru server): "proxychains nmap-PN 92.241.175.142". At first glance this way of scan seems like the most quick and efficient one, but its not. The packages wont go through Tor while the default SYN-scanning is used. If youd scan the server that way (directly), you would probably be nicked down. Now let's see what other options are offered in Nmap: "SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN / Connect () / ACK / Window / Maimon scans".

Now set the complete connection as the Nmap scanning mode: "proxychains nmap -sT -PN 92.241.175.142"

Congratulations! Now you're scanning through the Tor-network. To say true its pretty slow because our packages go through the three nodes before reaching the target server and these nodes may not be the fastest on the planet. In the case of scanning an entire subnet, the process can drag on for hours or even days. Moreover, such scanning is still not anonymous, cause the Nmap sends icmp requests (coming directly from our computer) to check the remote machine availability before scanning. Youll have to use the firewall for cutting all outbound traffic going to that computer and by-passing the Tor or simply specify the -PN option for Nmap (it wouldnt check the remote machine availability then): "iptables-A OUTPUT-dest 92.241.175.142-j DROP" . As for me, I use the -PN option everywhere because the xakep.ru servers firewall cuts the ICMP_traffic. So I manually specify that the host is alive.

Increasing the speed

So what about speed? Having speed that low wont let us do the things we want to. The torrtunnel tool will help us in this case. It serves to forward the traffic directly through the exit node, bypassing the previous two ones. So in this case, the scanning speed depends only on the last node youll choose. This tool requires some additional boost libraries. You can download the latest version of the libraries from www.boost.org. Unpack em, enter the folder and execute like this:

$ bootstrap.sh --libdir=/usr/lib --includedir=/usr/include
$ ./bjam --prefix=/usr
$ ./bjam install

As a result youll have all your header files in /us /include/boost and libraries in /usr/lib folder. Now you should manually create a symbolic link to the libboost_system.so.1.40.0 library:

$ ln -s /usr/lib/libboost_system.so.1.40.0 /usr/lib/libboost_system-mt.so

After that you can compile and install the tortunnel tool. Launch the torproxy. Itll give the torproxy <torExitNodeHost> message. Now you need to choose an appropriate exit node. To do this, go here http://128.31.0.34:9031/tor/status/all or here http://moria.seul.org:9032/tor/status/authority and find the node with a following description: "Exit, Fast, Stable, Valid ". All reliable and fast nodes are indicated that way and thats the ones we need. Then copy the IP address and execute: ". / Torproxy [ExitNodeIP]".

Now, to make things work youll need to configure the proxychains tool to use socks5 in order. Thus, lets comment the Socks4 127.0.0.1 9050 line in /etc/proxychains.conf and add the socks5 127.0.0.1 5060 (5060 - the port, which will be listened by tortunnel).

Then you can run the Nmap:

@ proxychains nmap-sT-p 80,443,21,23 92.241.175.142

As you see, the scanning speed has increased (if not - try another node). You can even scan your own computer. Lets teach Privoxy to work through tortunnel tool to top it. Youll weaken the anonymity (one intermediate node instead of three), but youll get the faster surfing instead. Go to the configuration file and add the line:

forward-socks5 / 127.0.0.1:5060

Now open the Fox and configure the http-proxy on 127.0.0.1:8118. Then go to http://torcheck.xenobite.eu/index.php and check whether youre surfing through Tor. If everythings OK youll get the "Your IP is identified to be a Tor-EXIT." notification. That's all, now you can make even a manual audit of the remote system.

Tor Scanner

Well, youve forced the Tor to work for you. You can scan through Tor and intercept other people's passwords. But what if youll need to use Tor to, for example, log in to your Gmail account? How not to get in the sslstrip's logs? Theres the way out! Theres a torscanner utility in the tortunnel package. Torscanner is designed to search for Exit Node's which use the sslstrip. It works as follows: we give the utility some URL that contains the https link (s) and it connects directly to all Exit Node's and requests the specified page. The data is displayed in the console, but you can redirect the output to a file for some further study. Heres the launch syntax: "torscanner destinationHost destinationPort request".

E.g.

$ torscanner www.google.ru 80 / > 1.txt

If youll find the HTTPS to HTTP substitution in the server responses after analyzing the 1.txt file, itll definitely mean that the server has the sslstrip utility launched.
Torscanner scans all exit nodes, so it can take a long time. But I think youll be able to modify the program so that it checks only a certain range or a specific server and uses it as an exit node (Tor can be configured to use some certain exit nodes).

Wait for a spoof :-)

Theres only one conclusion - be careful using Tor. Yes, the system provides a nice level of anonymity, but it cannot protect your data from interception. And even after youve checked the last node is not running sslstrip, still no one can guarantee that the packets arent sniffed n dumped. On the other hand Tor shouldnt be considered only as an anonymous surfing tool. I think a couple of showed examples had confirmed it.

Being an Exit Node server is a tough guys job

You have to understand that users are out on limb while being an Exit Node. After all, your IP will be spotted during some hacking, etc. In the process of writing the article some people have tried to make the SQL-injection attacks through my server, twice. So keep your eyes open because you can easily get in trouble with some law enforcement authorities or with your provider as a minimum. Here are some examples:

In 2006, Germany's intelligence services have carried out the seizure of six computers running as the Tor network nodes, having based on the fact that they were illegally used to access the child pornography.

In 2007 National Swedish police arrested a well-known expert on computer security Dehn Egerstada on charges of unauthorized access to computer information. 22-year Deranged Security employee had published the passwords to e-mails of embassies, NGOs, commercial firms and government agencies of different countries on his work site. According to him, as an experiment, he created 5 Exit Tor-servers and just intercepted the unencrypted traffic.

In 2007 German police arrested the Alexander Janssen as his Tor computer server was used by some unknown person to send a false report on terror attack. Despite the fact that soon Mr. Janssen was released, he decided not to use his computer as a Tor exit node anymore.

Tors hidden services

Tor has another interesting feature the hidden services. Tor users can provide various services such as web access or server instant messaging without opening their true location. Hidden services are available through special pseudo-top-level domains called .onion. The Tor network knows these domains and anonymously sends the information to the hidden services. Then hidden service processes it through the standard software, which is configured to listen only for non-public (closed to external access) interfaces. This functionality could be used to accommodate the site without worrying about the censorship. Nobody will be able to determine the site owner and the owner of the site will not be able to find out who used the site.

Specialized OS

WWW

Tor + Vidalia + Proxomitron + Freecap http://wsnow.net/my_soft/41-narushaya-zaprety.html

OperaTor - Opera + Tor + Polipo http://archetwist.com/en/opera/operator

Portable Tor is a portable Tor package. It doesnt require installation on your computer http://portabletor.sourceforge.net

Torbutton - Firefox Extension. Adds the on and off Tor button. Also provides enhanced privacy protection and browser isolation http://addons.mozilla.org/ru/firefox/addon/2275

Vuze a client for file sharing BitTorrent network with a built-in Tor support http://azureus.sourceforge.net

A good manual to configure Tor - www.torproject.org/docs/tor-doc-relay.html.ru

Full list of supported options -- www.torproject.org/tor-manual.html

Configuring the Hidden Services - www.torproject.org/docs/tor-hidden-service.html.ru

WARNING

This article is not an instruction or a call to some action. It is intended only to show that even those programs that are created for some good purposes can be used for some evil ones either.




: .
, .

    Rambler's Top100