The problem

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables developers / researchers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy

The Onion Router [TOR] is an excellent effort towards protecting online privacy. As of with every debate about exploitation frameworks, security tools, vulnerability disclosures such projects have also been victim of criticism, and debates of potential abuse that they can cause and the dangers of teaching individuals a dangerous and potentially illegal craft and a ‘secure’ channel to hide their online presence. But lets face it, the bad guys already know about it (that is the reason they’re bad ‘eh). However even though these channels of misuse and abuse do exist and they cannot be ignored, still the merits of it will always outweigh the harm black community can cause.

Unfortunately in the country I live in even most of the senior technology people I meet / see / have a chance to work with, don’t even have a clue of online privacy or security of their data.

Privacy is every individuals right, and is as important as any other basic human need. You will never want anyone tracking your IP, spywares tracing your network activity, and the next time you try to experiment with something, you get a nasty little email from an ISP admin that you were doing so-and-so. I am by no way TEMPTING you to do something wrong. Its all about your morale and motivation : ) , the little how-to below is just a kick starter for getting started with TOR and experimenting with some stuff securely. Interested ? move on, but don’t go about emailing me that this stuff like this is illegal to be posted and should be removed.

A basic problem for the privacy minded is that the recipient of your communication / conversation or even otherwise can see that you sent it by looking at the IP headers, or worse trace the complete path. And so can authorized intermediaries like ISPs, govt. organizations etc, and sometimes unauthorized intermediaries as well. A very simple form of network traffic analysis might involve sitting somewhere between sender and recipient on the network (man-in-the-middle), looking at headers.

But there are also more powerful kinds of packet analysis. Some attackers spy on multiple parts of the Internet and use sophisticated statistical techniques to track the communications patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Internet traffic, not the headers (VPN ? duh!!) .

The solution:
A distributed, anonymous, secure network

To reduce the risks of both simple and sophisticated traffic analysis by distributing your internet traffic over several places / servers, so no single point can link you to your destination helps protecting your privacy. Its like taking a zig-zag random, hard to follow path to deceive someone who is tracing you (what the heroes usually do against the villain in action films : ) ) , and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on TOR take a random pathway through several servers that cover your tracks so no observer at any single point can tell where the data came from or where it's going.

TOR incrementally builds a circuit of encrypted connections through servers on the network which is extended one hop at a time, and each server along the way knows only which server gave it data and which server it is giving data to. No individual server ever knows the complete path that a data packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.

Once a circuit has been established any data can be exchanged and because each server sees no more than one hop in the circuit, neither an eavesdropper nor a compromised server can use traffic analysis to link the connection's source and destination.

Tor only works for TCP streams and can be used by any application with SOCKS support.

Just to experiment and write this little how-to, I setup a server on the Internet that I wanted to scan from my home network using Nmap, Nessus, and metasploit from my bacttrack suite installed in a VM. Here are the steps I followed to launch the scan / exploitation process via Tor:

A. Installing TOR: Detailed instructions can be viewed on the website.

B) Download socat .This tool is an excellent multipurpose relay and will allow to setup a local TCP listener that will tunnel my connections via the Tor SOCKS server (listening on 9050).

Unfortunately socat comes only on bsd and *nix systems. To use TOR on windows I would recommend using Privoxy, or better installing the complete TorCP bundle.

Let us assume that the IP address of the host I wanted to scan was 202.163.97.20

I invoked socat:

[talha@localhost#] ./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1: 202.163.97.20:80, socksport=9050

The above command causes socat to listen on port 8080, and tunnel all incoming connections to 202.163.97.20 (port 80) via the Tor SOCKS server.

For using on windows you will need to:

1. Install privoxy
2. allow HTTP CONNECT requests via 80 through your firewall
3. Browse to http://config.privoxy.org/show-status

C. I assume Nmap, Nessus and metasploit are already installed and running. If not you can find the detailed instrucations on respective website.

D. Launch an nmap connect or nessus scan against 127.0.0.1 port 8080. Configure Nessus to limit the scan to port 8080 in the “Scan Options” tab.

Here are some of the entries in my Apache log that were a result of the scan:

212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /scripts/fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /scripts/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 209 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl?<script>foo</script> HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

The 212.9.32.5 IP address represents the host that is the last onion router in the random circuit that was setup by the Tor software

Simlarly once you find a vuln in a remote system, setup another instance of socat: Say for simplicity you are exploiting a webserver (port 80).

[talha@localhost#] ./socat TCP4-LISTEN:1234,fork SOCKS4:127.0.0.1: 202.163.97.20:80,

In metasploit when launching the exploit, set the target IP to 127.0.0.1 and remote port to 1234. Its that simple eh.

The above instructions can also be used to exploit software flaws in order to anonymously execute arbitrary commands on vulnerable hosts.

Some pieces of advice:

1. Nmap uses something that generates packets via the raw packet interface so the packets connect directly to the target, not via Tor. For example:
Doing a connect() scan (TCP) will work with Tor but using something like -sS connects directly to the target, revealing your true address.

2. Nmap & Nessus will often ping a target so see if it's up before doing a port scan. This is usually done via raw ICMP packet's, ICMP will not traverse the Tor network (since its not TCP) and will reveal your true address.

In the usage of socat, socks4 does client side DNS. So you resolve a target host name via DNS from your machine not via the Tor network proxies.

Hence it is not possible to leak your source IP because you tell your scanner to use 127.0.0.1 as the target IP . Therefore, nmap / nessus has no host name to resolve, and if you do forget to tell your scanner not to bother with ICMP pings, you will end up pinging yourself – not the target directly.

Staying anonymous

Tor cannot solve all anonymity problems. It focuses only on protecting the transport of data. You will need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use web proxies such as Privoxy and open relays while web browsing to block cookies and withhold information about your browser type ident.

Be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.

The Electronic Privacy Information Centre (EPIC) lists down a comprehensive list which servers as a sampling of best available privacy enhancing tools.

Happy hunting …