Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Tor"

From NetSec
Jump to: navigation, search
(spring cleaning)
Line 1: Line 1:
 
<div style="float:right">https://www.torproject.org/images/onion.jpg</div>
 
<div style="float:right">https://www.torproject.org/images/onion.jpg</div>
 
'''Tor''' is, to put it simply, the world's largest anonymity service. Relied on by many, the onion has developed into a staple of tech-security culture. With the immense popularity of Tor, several rumors have circulated regarding its security and effectiveness. This article serves to answer said speculations, and provide further insight into the workings of the Tor service.
 
'''Tor''' is, to put it simply, the world's largest anonymity service. Relied on by many, the onion has developed into a staple of tech-security culture. With the immense popularity of Tor, several rumors have circulated regarding its security and effectiveness. This article serves to answer said speculations, and provide further insight into the workings of the Tor service.
 +
 +
==Installation==
 +
 +
*Debian/Ubuntu
 +
{{code|text=
 +
<source lang="bash">
 +
# apt-get install tor
 +
</source>
 +
}}
 +
 +
*Gentoo
 +
{{code|text=
 +
<source lang="bash">
 +
# emerge tor
 +
</source>
 +
}}
 +
 +
*Arch Linux
 +
{{code|text=
 +
<source lang="bash">
 +
# pacman -S tor
 +
</source>
 +
}}
  
 
==How It Works==
 
==How It Works==
Line 16: Line 39:
  
 
Without clicking links, exit node operators can sniff the traffic that passes through. Some operators choose to do so, and for this reason, it should be assumed that Tor traffic is being monitored, and therefore, always use some form of end to end encryption such as sshing into a box over Tor.
 
Without clicking links, exit node operators can sniff the traffic that passes through. Some operators choose to do so, and for this reason, it should be assumed that Tor traffic is being monitored, and therefore, always use some form of end to end encryption such as sshing into a box over Tor.
 
Another precaution Tor users can take to help protect themselves to a certain extent is to exclude known incompetent nodes, such as those found [http://pastebin.com/2t8tpeng here]. For Linux users, add that line to the /etc/tor/torrc file and restart Tor.
 
  
 
If running a tor service (it's very simple, just requires one additional line to tor config), it should be run as a Tor node for security reasons. Services not on a node are vulnerable to certain attacks.
 
If running a tor service (it's very simple, just requires one additional line to tor config), it should be run as a Tor node for security reasons. Services not on a node are vulnerable to certain attacks.
Line 26: Line 47:
 
A convenience for those who have Tor installed and/or running is to use it as a [[socks5 proxy]]. The proxy address should be set to 127.0.0.1, and the port to 9050.
 
A convenience for those who have Tor installed and/or running is to use it as a [[socks5 proxy]]. The proxy address should be set to 127.0.0.1, and the port to 9050.
  
For running command-line programs over tor, torify is recommended, which appears as:
+
For running command-line programs over tor, torsocks is recommended, which appears as:
{{LinuxCMD|torify ssh [email protected]}}
+
{{code
 
+
|text=
===Proxychains and Tor-Resolve===
+
<source lang="bash">
Proxychains and Tor-resolve work better than torify usually, as torify leaks DNS.  Proxychains adds a library to [[LD Preload]], which essentially wraps all DNS and connect calls to proxified ones, and Tor-resolve simply resolves a domain name to an [[IP address]] using Tor. One can additionally torify an entire box or shell session by adding "libproxychains.so.5" to /etc/ld.so.preload.
+
$ torsocks ssh [email protected]
 +
</source>
 +
}}
  
 
==Hidden services==
 
==Hidden services==
Line 57: Line 80:
 
First we will need to add these four lines to the end of your torrc found at /etc/tor/torrc on most systems.
 
First we will need to add these four lines to the end of your torrc found at /etc/tor/torrc on most systems.
  
<pre>
+
{{code
 +
|text=
 +
<source lang="bash">
 
VirtualAddrNetworkIPv4 10.192.0.0/10
 
VirtualAddrNetworkIPv4 10.192.0.0/10
 
AutomapHostsOnResolve 1
 
AutomapHostsOnResolve 1
 
TransPort 9040
 
TransPort 9040
 
DNSPort 5353
 
DNSPort 5353
</pre>
+
</source>
 +
}}
  
 
Now for our iptables rules to force <b>all</b> traffic through Tor:
 
Now for our iptables rules to force <b>all</b> traffic through Tor:
  
<pre>
+
{{code
 +
|text=
 +
<source lang="bash">
 
#!/bin/bash
 
#!/bin/bash
  
Line 96: Line 124:
 
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
 
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
 
iptables -A OUTPUT -j REJECT
 
iptables -A OUTPUT -j REJECT
</pre>
+
 
 +
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
 +
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
 +
</source>
 +
}}
  
 
The Tor UID varies from system to system and one of the easiest ways to find it is by running:
 
The Tor UID varies from system to system and one of the easiest ways to find it is by running:
<pre>
+
{{code
grep tor /etc/passwd
+
|text=
</pre>
+
<source lang="bash">
 +
$ grep tor /etc/passwd
 +
</source>
 +
}}
  
There have been some issues come up about traffic leaking even after using a transparent Tor proxy however they are sileneced by adding this to your iptables rules:
+
Be sure to save the config above to rules.sh in your home folder.  
 
+
<pre>
+
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
+
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
+
</pre>
+
  
 
Now once you have done all that (saved Tor configuration, saved iptables rules to a file) you will need to run:
 
Now once you have done all that (saved Tor configuration, saved iptables rules to a file) you will need to run:
 
+
{{code
<pre>
+
|text=
killall -HUP tor
+
<source lang="bash">
</pre>
+
$ killall -HUP tor
 +
</source>
 +
}}
  
 
Which restarts tor and:
 
Which restarts tor and:
 
+
{{code
<pre>
+
|text=
chmod +x rules.sh
+
<source lang="bash">
./rules.sh
+
$ chmod +x rules.sh
</pre>
+
$ ./rules.sh
 +
</source>
 +
}}
  
 
This sets the iptables rules and you should now be properly transparently proxying all your traffic through Tor. One thing you must think about is whether the router or network you are connecting to is IPv6 only, since Tor traffic only is IPv4, the iptables rules won't apply on IPv6 traffic, thus leaking this traffic you think is going through Tor to the clearnet. It's highley recommended to disable IPv6 at the kernel level by modifying config.x86_64 and commenting out all the IPv6 entries or by excluding it through "make menuconfig"
 
This sets the iptables rules and you should now be properly transparently proxying all your traffic through Tor. One thing you must think about is whether the router or network you are connecting to is IPv6 only, since Tor traffic only is IPv4, the iptables rules won't apply on IPv6 traffic, thus leaking this traffic you think is going through Tor to the clearnet. It's highley recommended to disable IPv6 at the kernel level by modifying config.x86_64 and commenting out all the IPv6 entries or by excluding it through "make menuconfig"
Line 127: Line 161:
 
make menuconfig:
 
make menuconfig:
 
<pre>
 
<pre>
Netwokring Support ==> Networking Options ==> The IPv6 Protocol
+
Networking Support ==> Networking Options ==> The IPv6 Protocol
 
</pre>
 
</pre>
  

Revision as of 03:35, 22 June 2016

onion.jpg

Tor is, to put it simply, the world's largest anonymity service. Relied on by many, the onion has developed into a staple of tech-security culture. With the immense popularity of Tor, several rumors have circulated regarding its security and effectiveness. This article serves to answer said speculations, and provide further insight into the workings of the Tor service.

Installation

  • Debian/Ubuntu
 
# apt-get install tor
 
  • Gentoo
 
# emerge tor
 
  • Arch Linux
 
# pacman -S tor
 

How It Works

One takes a big chance using tor. Privacy isn't assured in any way; anonymity however is, given that one changes their habits.

how-tor-works.png

Tor originally stood for "The Onion Router". How Tor essentially works is, traffic gets wrapped in multiple layers of encryption, passes from the initial box to the first node in the chain where traffic gets decrypted once, and passed to the next node. It then gets decrypted again and passed to the exit node from where decryption occurs the last time, and routes traffic in the clear.

Tor bridges are basically unofficial entry points into the tor network which are utilized by users in locations such as China in order to access Tor because a vast majority of the official nodes are banned. Such was the case during the Middle East protests, in which online activists were creating exit bridges with haste.


Common Pitfalls

The onion structure undoubtedly has issues. Such problems can be read in a comical form here.

Without clicking links, exit node operators can sniff the traffic that passes through. Some operators choose to do so, and for this reason, it should be assumed that Tor traffic is being monitored, and therefore, always use some form of end to end encryption such as sshing into a box over Tor.

If running a tor service (it's very simple, just requires one additional line to tor config), it should be run as a Tor node for security reasons. Services not on a node are vulnerable to certain attacks.

Getting Tor and Extra Uses

For more practical usage, the browser bundle can be downloaded and installed from the Tor Project's website. This being the easiest method.

A convenience for those who have Tor installed and/or running is to use it as a socks5 proxy. The proxy address should be set to 127.0.0.1, and the port to 9050.

For running command-line programs over tor, torsocks is recommended, which appears as:

 
$ torsocks ssh user@some.box.ip.here
 

Hidden services

When connecting to "normal" websites, the connection looks roughly like:

you -> tor node 1 -> tor node 2 -> exit node -> internet

Hidden services appear as:

you -> arbitrary # nodes -> rendezvous <- arbitrary # nodes <- hs box

While hidden service tends to be very slow, ssl is practically moot.

There was an article in 2600 a couple of years ago detailing use of the control port to change the length of tor circuits, and other uses.

One of the pitfalls with hidden services is a correlation attack. If someone controls enough nodes, they can send enough traffic to the hidden service to find its location. The best way to help prevent this is to make the hidden service a Tor node as well. At that point, it passes non-hs traffic and keeps anonymity static.

Hidden services use .onion as a pseudo-tld. An example being the hidden wiki at http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page .onion is a way of describing a hidden service without giving away its location. The string before the .onion is actually a key fingerprint, which ensures the service cannot be found, and it has the expected private key.

One of the more well known .onions is The Silk Road, a venue for buying and selling drugs.

Transparent Proxy

What is a transparent proxy? A transparent proxy forces all your outbound traffic through a proxy of your choosing, Tor is perfect for using this and we will cover setting one up in this section.

First we will need to add these four lines to the end of your torrc found at /etc/tor/torrc on most systems.

 
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5353
 

Now for our iptables rules to force all traffic through Tor:

 
#!/bin/bash
 
_non_tor="192.168.1.0/24 192.168.0.0/24"
 
_tor_uid="43"
 
_trans_port="9040"
 
iptables -F
iptables -t nat -F
 
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353
 
#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done
 
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
 
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
for _clearnet in $_non_tor 127.0.0.0/8; do
   iptables -A OUTPUT -d $_clearnet -j ACCEPT
done
 
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
 
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
 

The Tor UID varies from system to system and one of the easiest ways to find it is by running:

 
$ grep tor /etc/passwd
 

Be sure to save the config above to rules.sh in your home folder.

Now once you have done all that (saved Tor configuration, saved iptables rules to a file) you will need to run:

 
$ killall -HUP tor
 

Which restarts tor and:

 
$ chmod +x rules.sh
$ ./rules.sh
 

This sets the iptables rules and you should now be properly transparently proxying all your traffic through Tor. One thing you must think about is whether the router or network you are connecting to is IPv6 only, since Tor traffic only is IPv4, the iptables rules won't apply on IPv6 traffic, thus leaking this traffic you think is going through Tor to the clearnet. It's highley recommended to disable IPv6 at the kernel level by modifying config.x86_64 and commenting out all the IPv6 entries or by excluding it through "make menuconfig"

make menuconfig:

Networking Support ==> Networking Options ==> The IPv6 Protocol

Hit the "n" key to exclude it and continue building your kernel.

External Links

Tor is part of a series on anonymity.