
Difference between revisions of "Tor"

From NetSec
(Getting Tor and Extra Uses)
 
(44 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 
<div style="float:right">https://www.torproject.org/images/onion.jpg</div>
 
<div style="float:right">https://www.torproject.org/images/onion.jpg</div>
:''Special thanks to Nachash for this lesson.''
+
'''Tor''' is a group of thousands of volunteer-operated servers that allows people to improve their privacy and security while using the Internet.
'''Tor''' is, to put it simply, the world's largest anonymity service. Relied on by many, the onion has developed into a staple of tech-security culture. With the immense popularity of Tor, several rumors have circulated regarding its security and effectiveness. This article serves to answer said speculations, and provide further insight into the workings of the Tor service.
+
 
 +
==Installation==
 +
 
 +
===Debian===
 +
To install Tor on Debian stable, Debian sid, or Debian testing, simply execute the following:
 +
{{code|text=
 +
<source lang="bash">
 +
# apt-get install tor
 +
</source>
 +
}}
 +
 
 +
===Ubuntu===
 +
The Ubuntu repositories do not always have the most up-to-date versions of Tor. It is recommended that you use the official Tor Project repository or compile from source. To use the Tor Project's official repository, you need to add the following to <code>/etc/apt/sources.list</code>:
 +
 
 +
{{code|text=
 +
<source lang="bash">
 +
deb http://deb.torproject.org/torproject.org jessie main
 +
deb-src http://deb.torproject.org/torproject.org jessie main
 +
</source>
 +
}}
 +
 
 +
Next, you must add the Tor Project's GPG key used to sign the Tor packages:
 +
 
 +
{{code|text=
 +
<source lang="bash">
 +
gpg --keyserver keys.gnupg.net --recv 886DDD89
 +
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
 +
</source>
 +
}}
 +
 
 +
Now, you are able to install Tor from the official repository using:
 +
 
 +
{{code|text=
 +
<source lang="bash">
 +
# apt-get update
 +
# apt-get install tor deb.torproject.org-keyring
 +
</source>
 +
}}
 +
 
 +
===Fedora/RHEL===
 +
This section is applicable to Fedora 22/23 and RHEL 6/7. The repositories in these distributions are frequently out-of-date. It is strongly recommended to use the Tor Project's official repository or compile from source.
 +
 
 +
To use the Tor Project's official repository, first, you must create <code>/etc/yum.repos.d/tor.repo</code> and insert the following:
 +
 
 +
{{code|text=
 +
<source lang="bash">
 +
[tor]
 +
name=Tor repo
 +
enabled=1
 +
baseurl=https://deb.torproject.org/torproject.org/rpm/DISTRIBUTION/$basearch/    ##replace DISTRIBUTION with correct version (fc/22, fc/23, el/6, el/7)
 +
gpgcheck=1
 +
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
 +
repo_gpgcheck=1
 +
 
 +
[tor-source]
 +
name=Tor source repo
 +
enabled=1
 +
autorefresh=0
 +
baseurl=https://deb.torproject.org/torproject.org/rpm/DISTRIBUTION/SRPMS    ##replace DISTRIBUTION with correct version (fc/22, fc/23, el/6, el/7)
 +
gpgcheck=1
 +
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
 +
repo_gpgcheck=1
 +
</source>}}
 +
 
 +
Next, you need to take care of a name clash in the repos to avoid the two packages from overwriting each other. To do this, add <code>Exclude=tor</code> to the relevant repo file.
 +
 
 +
For example, you may need to add <code>Exclude=tor</code> to the <code>/etc/yum.repos.d/fedora.repo</code> and <code>/etc/yum.repos.d/fedora-updates.repo</code>.
 +
 
 +
Next, install tor by executing:
 +
{{code|text=
 +
<source lang="bash">
 +
# yum install tor
 +
# service start tor
 +
</source>}}
 +
 
 +
===Gentoo===
 +
{{code|text=
 +
<source lang="bash">
 +
# emerge tor
 +
</source>
 +
}}
 +
 
 +
===Arch Linux===
 +
{{code|text=
 +
<source lang="bash">
 +
# pacman -S tor
 +
</source>
 +
}}
 +
 
 +
===Compile from Source===
 +
First, grab the [https://www.torproject.org/download/download.html.en Tor Source Code] and verify you have the required dependencies including libevent, openssl, and the zlib packages.
 +
 
 +
After, extract and compile the source by executing:
 +
 
 +
{{code|text=
 +
<source lang="bash">
 +
# tar xzf tor-0.2.7.6.tar.gz; cd tor-0.2.7.6
 +
# ./configure && make
 +
# make install
 +
</source>
 +
}}
  
 
==How It Works==
 
==How It Works==
One takes a big chance using tor. Privacy isn't assured in any way; anonymity however is, given that one changes their habits.  
+
One takes a big chance using Tor. While privacy isn't guaranteed, anonymity can be if one changes their habits.
  
 
<div style="float:right; margin:10px;">http://lejinternetplaza.com/wp-content/uploads/2012/01/how-tor-works.png</div>
 
<div style="float:right; margin:10px;">http://lejinternetplaza.com/wp-content/uploads/2012/01/how-tor-works.png</div>
Tor originally stood for "The Onion Router". How Tor essentially works is, traffic gets wrapped in multiple layers of encryption, passes from the initial box to the first node in the chain where traffic gets decrypted once, and passed to the next node. It then gets decrypted again and passed to the exit node from where decryption occurs the last time, and routes traffic in the clear.
+
Tor originally stood for "The Onion Router", though now it's called just ''Tor'', the german word for ''Gate''. How Tor essentially works is, traffic gets wrapped in multiple layers of encryption, passes from the initial box to the first node (Guard node) in the chain where traffic gets decrypted once, and passed to the next node (Middle node). It then gets decrypted again and passed to the exit node from where decryption occurs the last time, and routes traffic in the clear. Due to these multiple layers of encryption, each node only knows the last hop and the next hop in the chain.
 
+
Tor bridges are basically unofficial entry points into the tor network which are utilized by users in locations such as China in order to access Tor because a vast majority of the official nodes are banned. Such was the case during the Middle East protests, in which online activists were creating exit bridges with haste.
+
  
 +
Tor bridges are basically unofficial entry points into the tor network which are utilized by users in locations around the world, especially in heavily oppressed and monitored countries (ie. China), in order to access Tor. This is because a vast majority of the official nodes are banned or traffic is heavily monitored.
 
{{clear}}
 
{{clear}}
  
==Common Pitfalls==
+
===Common Pitfalls===
 
The onion structure undoubtedly has issues. Such problems can be read in a comical form [http://encyclopediadramatica.se/The_Great_Em/b/assy_Security_Leak_of_2007 here].
 
The onion structure undoubtedly has issues. Such problems can be read in a comical form [http://encyclopediadramatica.se/The_Great_Em/b/assy_Security_Leak_of_2007 here].
  
Without clicking links, exit node operators can sniff the traffic that passes through. Some operators choose to do so, and for this reason, you should assume Tor traffic is being monitored, and therefore, always use some form of end to end encryption such as sshing into a box over Tor.
+
Without clicking links, exit node operators can sniff the traffic that passes through. Some operators choose to do so, and for this reason, '''it should be assumed that all Tor traffic is being monitored''', and therefore, always use some form of end to end encryption such as sshing into a box over Tor.
  
Another precaution Tor users can take to help protect themselves to a certain extent is to exclude known incompetent nodes, such as those found [http://pastebin.com/2t8tpeng here]. For Linux users, add that line to the /etc/tor/torrc file and restart Tor.
+
==libtor==
  
If one is running a tor service (it's very simple, just requires one additional line to tor config), they should be running it as a Tor node for security reasons. Services not on a node are vulnerable to certain attacks.
+
<code>libtor</code> can be downloaded from [https://nets.ec/Releases/libtor.tar.gz here]. Once downloaded, extract the package and then run:
  
==Getting Tor and Extra Uses==
+
{{code | text=
For more practical usage, the browser bundle can be downloaded and installed from [http://torproject.org the Tor Project's website]. This being the easiest method.
+
<source lang="bash">
 +
# python setup.py install
 +
</source>}}
  
A convenience for those who have Tor installed and/or running is to use it as a [[socks5 proxy]]. The proxy address should be set to 127.0.0.1, and the port to 9050.
+
===Basic Usage===
 +
<code>libtor</code> provides three classes: <code>Tor</code>, <code>SocksSocket</code>, and <code>AsycnSocksSocket</code>. Using the <code>set_socks_proxy function, a default SOCKS proxy for usage with <code>SocksSocket</code> and <code>AsyncSocksSocket</code> can be configured:
  
For running command-line programs over tor, torify is recommended, which appears as:
+
{{code | text=
{{LinuxCMD|torify ssh user@some.box.ip.here}}
+
<source lang="python">
 +
import libtor
 +
libtor.set_socks_proxy("127.0.0.1", 9050)
 +
</source>}}
  
===Proxychains and Tor-Resolve===
+
===Tor Class===
Proxychains and Tor-resolve work better than torify usually, as torify leaks DNS.  Proxychains adds a library to [[LD Preload]], which essentially wraps all DNS and connect calls to proxified ones, and Tor-resolve simply resolves a domain name to an [[IP address]] using Tor. One can additionally torify an entire box or shell session by adding "libproxychains.so.5" to /etc/ld.so.preload.
+
The Tor class is initialized with a "tor instance number," which is just an index specifying what port to start the Tor instance on. The Tor directory will be created in the working directory at ".tor[instace_number]." This class provides the following methods:
 +
{| class="wikitable"
 +
! style="text-align: center;" | Function
 +
! style="text-align: center;" | Arguments
 +
! style="text-align: center;" | Description
 +
|-
 +
| create_tor()
 +
| check (default=1, verify that Tor started with errors)
 +
| Writes out a new torrc and spawns a Tor process.
 +
|-
 +
| kill_tor()
 +
| none
 +
| Kill a running Tor process.
 +
|-
 +
| restart_tor()
 +
| none
 +
| Restart a Tor process.
 +
|-
 +
| cleanup()
 +
| none
 +
| Delete the Tor directory.
 +
|-
 +
| read_from_tor_proc()
 +
| none
 +
| Read the Tor process' output.
 +
|-
 +
| torctl()
 +
| command (default="", command to send)
 +
password (default="", Torctl password)
 +
| Send a command to the Tor control port
 +
|-
 +
| newnym()
 +
| none
 +
| Send a newnym to the Tor process to get a new identity.
 +
|-
 +
| hidden_service()
 +
| listen_port (port to listen on)
 +
forward_port (default=listen_port, port to forward to)
 +
| Create a new hidden service on a given port.
 +
|-
 +
| append_to_torrc()
 +
| line (line to append to torrc)
 +
| Append a line to the torrc for this Tor instance
 +
|-
 +
| verify_tor()
 +
| none
 +
| Verify that the Tor process is working (returns true or false)
 +
|}
  
==Hidden services==
+
====Example====
When connecting to "normal" websites, the connection looks roughly like:
+
{{code | text=
 +
<source lang="python">
  
<center><pre>you -> tor node 1 -> tor node 2 -> exit node -> internet</pre></center>
+
import libtor
 +
 +
t = libtor.Tor(0)
 +
t.hidden_service(80)
 +
t.create_tor()
 +
print "Tor process started."
 +
if t.verify_tor():
 +
  print "Connection to Tor verified."
 +
tor.kill_tor()
 +
tor.cleanup()
 +
</source>}}
  
Hidden services appear as:
+
===SocksSocket Class===
 +
The SocksSocket class inherits from the standard Python socket class and can be used in the same way, the only difference is that it accepts a tor_host and tor_port argument. These default to the socks settings set by the Tor class.
  
<center><pre>you -> arbitrary # nodes -> rendezvous <- arbitrary # nodes <- hs box</pre></center>
+
{{code | text=
 +
<source lang="python">
  
Hidden service is also very slow but ssl is basically moot. So literally, 7 proxies and someimes more than 7 proxies.
+
import libtor
 +
 +
t = libtor.Tor(0)
 +
t.create_tor()
 +
 +
sock = libtor.SocksSocket() # or libtor.SocksSocket(tor_host="127.0.0.1", tor_port=9052)
 +
sock.connect(("google.com", 80))
 +
sock.send("GET / HTTP/1.1\r\n\r\n")
 +
print sock.recv(1024)
 +
sock.close()
 +
 +
t.kill_tor()
 +
</source>}}
  
There was [http://thesprawl.org/memdump/?entry=8 an article] in 2600 a couple of years back about using the control port to change the length of tor circuits, and other things.  
+
===AsyncSocksSocket Class===
 +
The AsyncSocksSocket class also inherits from socket.socket. The provided interface is similar to a standard interface and can be used with select. Any packets sent before the SOCKS negotiation is complete will be queued and sent upon completion.
  
Hidden services are fairly badass. One of the pitfalls with them is a correlation attack. If someone controls enough nodes, they can send enough traffic to the hidden service to find its location. The best way to help prevent this is to make your hidden service a tor node, as well. Then it passes non-hs traffic and keeps anonymous.
+
{{code | text=
 +
<source lang="python">
 +
import libtor
 +
import select
 +
 +
t = libtor.Tor(0)
 +
t.create_tor()
 +
 +
sockets = [ libtor.AsyncSocksSocket() ]
 +
sockets[0].connect(("google.com", 80))
 +
 +
while len(sockets) > 0:
 +
  readable, writable, exceptional = select.select(sockets, [], [])
 +
  for s in readable:
 +
    try:
 +
      data = s.recv(1024)
 +
    except socket.error:
 +
      sockets.remove(s)
 +
      break
 +
    print data
 +
    s.send("GET / HTTP/1.1\r\n\r\n")
 +
 +
t.kill_tor()
 +
</source>}}
  
About hidden services, they use .onion as a pseudo-tld. Example: hidden wiki is here: http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page.
+
==Transparent Proxy==
.onion is a way of describing a hidden service without giving away its location. The string before the .onion is actually a key fingerprint.
+
This ensures a few different things, the service cant be found and it has the private key you expect it to have (it's what it claims to be).
+
  
===The Silk Road===
+
What is a transparent proxy? A transparent proxy forces all your outbound traffic through a proxy of your choosing, Tor is perfect for using this and we will cover setting one up in this section.
One of the more well known .onions is The Silk Road. For those who missed out, it's a venue for buying and selling drugs.
+
Also, the gawker article on Silk Road: http://gawker.com/5805928/the-underground-website-where-you-can-buy-any-drug-imaginable
+
You can buy drugs with bitcoins now. Welcome to the future.
+
  
==Conclusion==
+
First we will need to add these four lines to the end of your torrc found at /etc/tor/torrc on most systems.
Remember when I said you don't really have privacy, but you have anonymity? As long as youre careful about what info you disclose.
+
However if youre buying goods you at least have to disclose your address. A lot of vendors on SR have PGP keys for this reason.
+
This is not the biggest problem. While sellers are pretty much in the clear, assuming tor or SR itself arent compromised, buyers are vulnerable to stings.
+
Either from sloppy sellers getting busted (maybe they werent so careful about erasing/storing your address) or from stings where the buyer is a fed/informant.
+
  
{{series
+
{{code
| Name = Tor
+
|text=
| PartOf = Anonymity
+
<source lang="bash">
 +
VirtualAddrNetworkIPv4 10.192.0.0/10
 +
AutomapHostsOnResolve 1
 +
TransPort 9040
 +
DNSPort 5353
 +
</source>
 
}}
 
}}
 +
 +
Now for our iptables rules to force <b>all</b> traffic through Tor:
 +
 +
{{code
 +
|text=
 +
<source lang="bash">
 +
#!/bin/bash
 +
 +
_non_tor="192.168.1.0/24 192.168.0.0/24"
 +
 +
_tor_uid="43"
 +
 +
_trans_port="9040"
 +
 +
iptables -F
 +
iptables -t nat -F
 +
 +
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
 +
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353
 +
 +
#allow clearnet access for hosts in $_non_tor
 +
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
 +
  iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
 +
done
 +
 +
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
 +
 +
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
 +
for _clearnet in $_non_tor 127.0.0.0/8; do
 +
  iptables -A OUTPUT -d $_clearnet -j ACCEPT
 +
done
 +
 +
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
 +
iptables -A OUTPUT -j REJECT
 +
 +
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
 +
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
 +
</source>
 +
}}
 +
 +
The Tor UID varies from system to system and one of the easiest ways to find it is by running:
 +
{{code
 +
|text=
 +
<source lang="bash">
 +
$ grep tor /etc/passwd
 +
</source>
 +
}}
 +
 +
Be sure to save the config above to rules.sh in your home folder.
 +
 +
Now once you have done all that (saved Tor configuration, saved iptables rules to a file) you will need to run:
 +
{{code
 +
|text=
 +
<source lang="bash">
 +
$ killall -HUP tor
 +
</source>
 +
}}
 +
 +
Which restarts tor and:
 +
{{code
 +
|text=
 +
<source lang="bash">
 +
$ chmod +x rules.sh
 +
$ ./rules.sh
 +
</source>
 +
}}
 +
 +
This sets the iptables rules and you should now be properly transparently proxying all your traffic through Tor. One thing you must think about is whether the router or network you are connecting to is IPv6 only, since Tor traffic only is IPv4, the iptables rules won't apply on IPv6 traffic, thus leaking this traffic you think is going through Tor to the clearnet. It's highley recommended to disable IPv6 at the kernel level by modifying config.x86_64 and commenting out all the IPv6 entries or by excluding it through "make menuconfig"
 +
 +
make menuconfig:
 +
<pre>
 +
Networking Support ==> Networking Options ==> The IPv6 Protocol
 +
</pre>
 +
 +
Hit the "n" key to exclude it and continue building your kernel.
 +
 +
==Hidden services==
 +
When a user connects to a clearnet website via Tor, the connection, in general, looks like:
 +
 +
<center><pre style="background:transparent; border:none;">you -> tor node 1 -> tor node 2 -> exit node -> internet</pre></center>
 +
 +
However, when a user connects to a Tor Hidden Service, the connection route looks like:
 +
 +
<center><pre style="background:transparent; border:none;">you -> arbitrary # nodes -> rendezvous <- arbitrary # nodes <- hs box</pre></center>
 +
 +
Hidden services use .onion as a pseudo-tld. An example being the hidden wiki at [http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page] .onion is a way of describing a hidden service without giving away its location. The string before the .onion is actually a key fingerprint, which ensures the service cannot be found, and it has the expected private key.
 +
 +
===Configuration===
 +
Assuming that you have Tor configured correctly and running, you are ready to set up your Tor Hidden Service.
 +
 +
First, make sure that your web server, or whatever other service you are going to host, is running and configured correctly. (These examples will be geared towards a web server).
 +
 +
Next, add the following to lines to <code>/etc/tor/torrc</code>:
 +
 +
{{code|text=
 +
<source lang="bash">
 +
HiddenServiceDir /var/lib/tor/hidden_service/
 +
HiddenServicePort 80 127.0.0.1:80
 +
</source>}}
 +
 +
After restarting the Tor service, you will have to files in the <code>/var/lib/tor/hidden_service/</code> directory: <code>hostname</code> and <code>private_key</code>.
 +
 +
The <code>hostname</code> file will contain the .onion address to access your service. The <code>private_key</code> will contain the private key used to generate your .onion address. '''Do NOT lose your private key''', otherwise, anybody can steal your .onion address.
 +
 +
You can also host more than one service on your server and have a different .onion address for each service. For example, to host IRC and SSH on another onion, add the following to your <code>/etc/tor/torrc</code>:
 +
 +
{{code|text=
 +
<source lang="bash">
 +
HiddenServiceDir /var/lib/tor/other_hidden_service/
 +
HiddenServicePort 6667 127.0.0.1:6667
 +
HiddenServicePort 22 127.0.0.1:22
 +
</source>}}
 +
 +
===ControlPort===
 +
The ControlPort is a port you can open to allow a service to connect and control the Tor Process. The ControlPort is disabled by default but can be enabled by entering the following into your <code>/etc/tor/torrc</code>:
 +
 +
{{code|text=
 +
<source lang="bash">
 +
ControlPort 9051
 +
</source>}}
 +
 +
To connect to the ControlPort:
 +
 +
{{code|text=
 +
<source lang="bash">
 +
telnet 127.0.0.1:9051
 +
authenticate ""
 +
</source>}}
 +
*Note: "" is the default authentication for the ControlPort. It is recommended to edit <code>HashedControlPassword</code> in the <code>/etc/tor/torrc</code> file.
 +
 +
There is a lot that can be done via the ControlPort. It is possible to change the number of hops per circuit, create custom circuits, use arbitrary exit nodes, view logs and settings, and a lot more.
 +
 +
For more information and further reading, visit [https://www.thesprawl.org/research/tor-control-protocol/ here].
 +
 +
===HidServAuth===
 +
The <code>HidServAuth</code> section of the <code>/etc/tor/torrc</code> file is used to restrict access to your onion via a unique cookie.
 +
 +
To generate and use the cookie, add the following to <code>/etc/tor/torrc</code>:
 +
 +
{{code|text=
 +
<source lang="bash">
 +
HiddenServiceAuthorizeClient stealth client
 +
</source>}}
 +
 +
After adding this to the <code>/etc/tor/torrc</code> file, saving, and exiting, execute:
 +
{{code | text=
 +
<source lang="bash">
 +
#killall -HUP tor
 +
</source>}}
 +
 +
Now, view your hidden service's hostname file as specified in your <code>/etc/tor/torrc</code>
 +
 +
{{code | text=
 +
<source lang="bash">
 +
mhiz7mrtk4tezuop.onion xcd7ClMNU5dAyVXy80h+lh # client
 +
</source>}}
 +
 +
To utilize the new cookie, add the following to your <code>/etc/tor/torrc</code>:
 +
 +
{{code | text=
 +
<source lang="bash">
 +
HidServAuth mhiz7mrtk4tezuop.onion xcd7ClMNU5dAyVXy80h+lh # client
 +
</source>}}
 +
 +
Now, only the users that are provided with and include the above string in their <code>/etc/tor/torrc</code> file will be able to access your hidden service.
 +
 +
===Issues===
 +
*Sniper Attack
 +
One de-anonymization attack that Hidden Services are vulnerable to is the [https://www.internetsociety.org/sites/default/files/05_4_0.pdf Sniper Attack]. [https://encyclopediadramatica.se/Operation_Onymous Operation Onymous], probably being the most famous, is theorized to use a type of attack where exit nodes were taken offline via denial of service attacks. This forced users onto nodes controlled by law enforcement where they could utilize a combination of techniques to de-anonymize and locate the servers actual locations.
 +
 +
*Correlation/Confirmation Attack
 +
One of the pitfalls with Hidden Services is a correlation attack. If someone controls enough nodes, they can send enough traffic to the hidden service to find its location. While expensive, it is also possible for adversaries to monitor entry and exit node traffic to correlate traffic in an attempt to de-anonymize uesrs.
 +
 +
*Badmin
 +
Badmin'ing is an issue for any infrastructure. In this case, a badmin could keep logs on his exit node leaving evidence if the adversary identifies the location of your exit node. They may also perform MITM attacks on your traffic in an attempt to compromise your account or de-anonymize you.
 +
 +
'''Awareness and OpSec is key to insuring PRIVACY. REMEMBER: ANONYMITY IS NOT GUARANTEED.''''
 +
 +
==External Links==
 +
*[https://www.torproject.org/ The Tor Project's website]
 +
*[https://www.eff.org/torchallenge/what-is-tor/ EFF on Tor]
 +
*[http://www.torservers.net/ torservers.net]
 +
*[https://gist.githubusercontent.com/WonderSwan/72deb6c85de2be8e4922/raw/df7d3e182b9932ba10baedcbbcb003fbf7a03256/Walter%2520White So, you want to be a darknet drug lord...]
 +
 +
{{anonymity}}
 +
 +
[[Category:Administration]]
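Review bot: in the ====Example==== block added under ===Tor Class===, the last two lines call `tor.kill_tor()` and `tor.cleanup()` but the instance was bound to `t` (`t = libtor.Tor(0)`), so the script dies with a NameError after Tor has been started and never stops or cleans up the process; change both to `t.kill_tor()` and `t.cleanup()`. The ===AsyncSocksSocket Class=== example has the same kind of defect: `except socket.error:` is used without `import socket`, so the handler itself raises NameError on the first socket error, and the `while len(sockets) > 0` loop never ends when `recv` returns an empty string at EOF, it just prints and resends the GET. Smaller points in the same hunk: `# service start tor` under ===Fedora/RHEL=== should read `service tor start`; `telnet 127.0.0.1:9051` under ===ControlPort=== should be `telnet 127.0.0.1 9051`; the `<code>` before `set_socks_proxy` is never closed, which swallows the rest of that paragraph in the rendered page; "you will have to files" should be "two files"; the closing bold marker on the Awareness line has four apostrophes instead of three; and "instace_number", "uesrs" and "highley" are typos. Finally, the removed Proxychains/tor-resolve paragraph carried the only warning that torify leaks DNS; the new revision drops the tool and the warning together, so consider carrying the DNS-leak caveat into ==Common Pitfalls==.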

Latest revision as of 23:50, 19 July 2016


Tor is a group of thousands of volunteer-operated servers that allows people to improve their privacy and security while using the Internet.

Installation

Debian

To install Tor on Debian stable, Debian sid, or Debian testing, simply execute the following:

 
# apt-get install tor
 

Ubuntu

The Ubuntu repositories do not always have the most up-to-date versions of Tor. It is recommended that you use the official Tor Project repository or compile from source. To use the Tor Project's official repository, you need to add the following to /etc/apt/sources.list:

 
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
 

Next, you must add the Tor Project's GPG key used to sign the Tor packages:

 
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
 

Now, you are able to install Tor from the official repository using:

 
# apt-get update
# apt-get install tor deb.torproject.org-keyring
 

Fedora/RHEL

This section is applicable to Fedora 22/23 and RHEL 6/7. The repositories in these distributions are frequently out-of-date. It is strongly recommended to use the Tor Project's official repository or compile from source.

To use the Tor Project's official repository, first, you must create /etc/yum.repos.d/tor.repo and insert the following:

 
[tor]
name=Tor repo
enabled=1
baseurl=https://deb.torproject.org/torproject.org/rpm/DISTRIBUTION/$basearch/     ##replace DISTRIBUTION with correct version (fc/22, fc/23, el/6, el/7)
gpgcheck=1
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
repo_gpgcheck=1
 
[tor-source]
name=Tor source repo
enabled=1
autorefresh=0
baseurl=https://deb.torproject.org/torproject.org/rpm/DISTRIBUTION/SRPMS     ##replace DISTRIBUTION with correct version (fc/22, fc/23, el/6, el/7)
gpgcheck=1
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
repo_gpgcheck=1
 

Next, you need to resolve a package name clash between the repositories so that the two tor packages do not overwrite each other. To do this, add Exclude=tor to the relevant distribution repo file.

For example, you may need to add Exclude=tor to the /etc/yum.repos.d/fedora.repo and /etc/yum.repos.d/fedora-updates.repo.

Next, install Tor by executing:

 
# yum install tor
# service tor start
 

Gentoo

 
# emerge tor
 

Arch Linux

 
# pacman -S tor
 

Compile from Source

First, grab the Tor source code from https://www.torproject.org/download/download.html.en and verify that you have the required dependencies, including the libevent, openssl, and zlib packages.

Then extract and compile the source by executing:

 
# tar xzf tor-0.2.7.6.tar.gz; cd tor-0.2.7.6
# ./configure && make
# make install
 

How It Works

One takes a big chance using Tor. While privacy isn't guaranteed, anonymity can be if one changes their habits.


Tor originally stood for "The Onion Router", though now it is called just Tor, the German word for Gate. In essence, traffic is wrapped in multiple layers of encryption and passes from the client's box to the first node in the chain (the guard node), where one layer is decrypted before the traffic is passed to the next node (the middle node). There another layer is decrypted and the traffic is passed to the exit node, where the last layer is decrypted and the traffic is routed onwards in the clear. Because of these multiple layers of encryption, each node knows only the previous hop and the next hop in the chain.

Tor bridges are unofficial entry points into the Tor network. They are used by people in locations around the world, especially in heavily censored and monitored countries (e.g. China), to reach Tor where the vast majority of the official, publicly listed nodes are blocked or their traffic is heavily monitored.
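The layered encryption described above, as an added Python 3 example that is not part of this page or of any Tor code: a three-hop circuit simulated with per-hop symmetric keys, where each relay peels exactly one layer, learns only the hop that follows it, and cannot open the layers that belong to the other relays. The cipher is a SHA-256 counter-mode keystream with an HMAC tag, a demo stand-in for the AES-CTR circuit crypto Tor actually uses; the node names, keys and destination are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

NAME_LEN = 16  # fixed-width "next hop" field at the front of every layer (demo format)


def keystream(key, nonce, length):
    """Counter-mode keystream built from SHA-256: a demo stand-in for the AES-CTR Tor uses."""
    blocks = [hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, payload):
    """Add one layer: encrypt-then-MAC, laid out as nonce || tag || ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + tag + ct


def unseal(key, blob):
    """Strip one layer; raises ValueError if the key is wrong or the blob was tampered with."""
    nonce, tag, ct = blob[:16], blob[16:32], blob[32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def can_unseal(key, blob):
    """True if this key opens the outermost layer; used to show what a relay cannot read."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def pack_name(name):
    raw = name.encode()
    if len(raw) > NAME_LEN:
        raise ValueError("hop name too long for the demo format")
    return raw.ljust(NAME_LEN, b"\0")


def build_onion(path, keys, destination, payload):
    """Client side: wrap the payload once per relay, exit layer first, so that the layer
    a relay can open names only the hop that follows it."""
    hops = list(path) + [destination]
    blob = payload
    for i in range(len(path) - 1, -1, -1):
        blob = seal(keys[path[i]], pack_name(hops[i + 1]) + blob)
    return blob


def relay_process(node, keys, blob):
    """What one relay does: peel its own layer, learn the next hop, forward the remainder."""
    inner = unseal(keys[node], blob)
    next_hop = inner[:NAME_LEN].rstrip(b"\0").decode()
    return next_hop, inner[NAME_LEN:]


def run_circuit(path, keys, onion):
    """Forward the onion hop by hop; returns (destination, cleartext, what each node learned)."""
    views = []
    current, blob = path[0], onion
    while current in keys:
        next_hop, blob = relay_process(current, keys, blob)
        views.append((current, next_hop))
        current = next_hop
    return current, blob, views


def demo():
    """Constructed circuit guard -> middle -> exit -> example.org with fresh random per-hop keys."""
    path = ["guard", "middle", "exit"]
    keys = {node: os.urandom(32) for node in path}
    onion = build_onion(path, keys, "example.org:80", b"GET / HTTP/1.0\r\n\r\n")
    return run_circuit(path, keys, onion), keys, onion
```

The view list returned by run_circuit is the point of the layering: the guard learns the client and "middle", the middle learns only "guard" and "exit", and only the exit sees the destination and the cleartext request, which is exactly why the page insists on end-to-end encryption on top of Tor.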


Common Pitfalls

The onion structure undoubtedly has issues. Such problems can be read in comical form at http://encyclopediadramatica.se/The_Great_Em/b/assy_Security_Leak_of_2007.

Without needing to click the link: exit node operators can sniff the traffic that passes through them. Some operators choose to do so, and for this reason it should be assumed that all Tor traffic is being monitored; therefore, always use some form of end-to-end encryption, such as SSHing into a box over Tor.

libtor

libtor can be downloaded from https://nets.ec/Releases/libtor.tar.gz. Once downloaded, extract the package and then run:

 
# python setup.py install
 

Basic Usage

libtor provides three classes: Tor, SocksSocket, and AsyncSocksSocket. Using the set_socks_proxy function, a default SOCKS proxy for use with SocksSocket and AsyncSocksSocket can be configured:

 
import libtor
libtor.set_socks_proxy("127.0.0.1", 9050)
 

Tor Class

The Tor class is initialized with a "tor instance number", an index that selects the ports the Tor instance is started on. The Tor directory is created in the working directory as .tor[instance_number]. This class provides the following methods:

{| class="wikitable"
! Function !! Arguments !! Description
|-
| create_tor() || check (default=1, verify that Tor started with errors) || Writes out a new torrc and spawns a Tor process.
|-
| kill_tor() || none || Kill a running Tor process.
|-
| restart_tor() || none || Restart a Tor process.
|-
| cleanup() || none || Delete the Tor directory.
|-
| read_from_tor_proc() || none || Read the Tor process' output.
|-
| torctl() || command (default="", command to send)<br/>password (default="", Torctl password) || Send a command to the Tor control port.
|-
| newnym() || none || Send a NEWNYM signal to the Tor process to get a new identity.
|-
| hidden_service() || listen_port (port to listen on)<br/>forward_port (default=listen_port, port to forward to) || Create a new hidden service on a given port.
|-
| append_to_torrc() || line (line to append to torrc) || Append a line to the torrc for this Tor instance.
|-
| verify_tor() || none || Verify that the Tor process is working (returns true or false).
|}

Example

 
 
import libtor

t = libtor.Tor(0)        # instance 0: its directory is .tor0 in the working directory
t.hidden_service(80)     # declare the hidden service before create_tor() writes the torrc
t.create_tor()           # write the torrc and spawn the Tor process
print("Tor process started.")
if t.verify_tor():
    print("Connection to Tor verified.")
t.kill_tor()             # stop the process and remove the instance directory
t.cleanup()
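What torctl() and newnym() do on the wire, as an added Python 3 example that is neither libtor's code nor the Tor Project's: a small client for the control protocol (AUTHENTICATE with a quoted password, SIGNAL NEWNYM, GETINFO, and the 250-/250 reply grammar) talking to a constructed fake control port over a socketpair so the exchange runs offline. The fake refuses any command before a successful AUTHENTICATE, and the password, version string and reply wording are made up for the example.

```python
import socket
import threading


def send_line(sock, line):
    """Control-port lines are CRLF terminated."""
    sock.sendall((line + "\r\n").encode())


def read_reply(reader):
    """Collect one reply: '250-...' or '250+...' lines continue it, '250 ...' (a space after the code) ends it."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("control port closed the connection")
        line = raw.decode().rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), lines


def quote(value):
    """Quoted-string form used for AUTHENTICATE with a password."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class ControlClient:
    """Minimal equivalent of torctl()/newnym(): send a command, fail on any non-250 reply."""

    def __init__(self, sock):
        self.sock = sock
        self.reader = sock.makefile("rb")

    def command(self, line):
        send_line(self.sock, line)
        code, lines = read_reply(self.reader)
        if code != 250:
            raise RuntimeError("%s failed: %s" % (line.split(" ", 1)[0], lines[-1]))
        return lines

    def authenticate(self, password):
        return self.command("AUTHENTICATE " + quote(password))

    def newnym(self):
        return self.command("SIGNAL NEWNYM")

    def getinfo(self, key):
        return self.command("GETINFO " + key)[0].split("=", 1)[1]  # "250-version=x" -> "x"

    def close(self):
        self.reader.close()   # close the file first, otherwise the fd stays open
        self.sock.close()


def fake_control_port(sock, password, log):
    """Constructed stand-in for Tor's ControlPort: password protected, refuses work before AUTHENTICATE."""
    reader = sock.makefile("rb")
    authenticated = False
    while True:
        raw = reader.readline()
        if not raw:
            break
        line = raw.decode().rstrip("\r\n")
        log.append(line)
        verb, _, arg = line.partition(" ")
        if verb == "AUTHENTICATE":
            if arg == quote(password):
                authenticated = True
                send_line(sock, "250 OK")
            else:
                send_line(sock, "515 Authentication failed")
                break
        elif verb == "QUIT":
            send_line(sock, "250 closing connection")
            break
        elif not authenticated:
            send_line(sock, "514 Authentication required")
        elif verb == "SIGNAL" and arg == "NEWNYM":
            send_line(sock, "250 OK")
        elif verb == "GETINFO" and arg == "version":
            send_line(sock, "250-version=0.2.7.6")  # constructed value
            send_line(sock, "250 OK")
        else:
            send_line(sock, "510 Unrecognized command")
    reader.close()
    sock.close()


def demo(client_password, port_password="s3cret-demo"):
    """Run the client and the fake control port over a socketpair; returns what happened."""
    client_sock, server_sock = socket.socketpair()
    log = []
    worker = threading.Thread(target=fake_control_port, args=(server_sock, port_password, log))
    worker.start()
    client = ControlClient(client_sock)
    result = {"authenticated": False, "version": None, "error": None, "log": log}
    try:
        client.authenticate(client_password)
        result["authenticated"] = True
        client.newnym()
        result["version"] = client.getinfo("version")
        client.command("QUIT")
    except (RuntimeError, ConnectionError) as exc:
        result["error"] = str(exc)
    finally:
        client.close()
        worker.join()
    return result
```

The 514 and 515 branches are the reason the page recommends setting HashedControlPassword: anything that can reach the control port can issue NEWNYM, read configuration and more, so an unauthenticated port (the `authenticate ""` default) hands that power to every local process.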
 

SocksSocket Class

The SocksSocket class inherits from the standard Python socket class and can be used in the same way; the only difference is that it accepts tor_host and tor_port arguments. These default to the SOCKS settings set by the Tor class.

 
 
import libtor

t = libtor.Tor(0)
t.create_tor()

# Defaults to the SOCKS settings of the Tor instance; pass tor_host/tor_port to override them
sock = libtor.SocksSocket()  # or libtor.SocksSocket(tor_host="127.0.0.1", tor_port=9052)
sock.connect(("google.com", 80))
# HTTP/1.1 requires a Host header; Connection: close makes the server end the response
sock.send("GET / HTTP/1.1\r\nHost: google.com\r\nConnection: close\r\n\r\n")
print(sock.recv(1024))
sock.close()

t.kill_tor()
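What a SocksSocket-style connect() does underneath, as an added Python 3 example written against RFC 1928 (it is not libtor's code nor the Tor Project's): the client sends the method-selection greeting and a CONNECT request, and hostnames travel as SOCKS5 address type 0x03, a raw name, so that the proxy, i.e. Tor, performs the resolution; resolving locally first is the DNS leak a torified client has to avoid. A constructed fake SocksPort on the other end of a socketpair records what it received, so the exchange runs offline; the hostnames are made up.

```python
import ipaddress
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def recv_exact(sock, n):
    """TCP has no message boundaries: keep reading until exactly n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def encode_address(host):
    """IP literals are sent as ATYP 1/4. Anything else goes out as the raw name (ATYP 3) so
    that the proxy resolves it; calling gethostbyname() here instead would be the DNS leak."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def read_address(sock):
    """Parse one address field (type byte, address, 16-bit port) from a request or reply."""
    atyp = recv_exact(sock, 1)[0]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    else:
        raise ConnectionError("unknown address type %d" % atyp)
    port = struct.unpack(">H", recv_exact(sock, 2))[0]
    return atyp, host, port


def socks5_connect(sock, host, port):
    """Client side: method negotiation, then CONNECT; returns the bound address the proxy reports."""
    sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("proxy refused the no-authentication method")
    request = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack(">H", port)
    sock.sendall(request)
    ver, rep, _rsv = recv_exact(sock, 3)
    if ver != SOCKS_VERSION:
        raise ConnectionError("bad reply version")
    _atyp, bnd_host, bnd_port = read_address(sock)
    if rep != 0:
        raise ConnectionError("CONNECT failed: %s" % REPLY_TEXT.get(rep, rep))
    return bnd_host, bnd_port


def fake_tor_socks(sock, seen):
    """Constructed stand-in for Tor's SocksPort: records what the client asked for, then answers 'succeeded'."""
    _ver, nmethods = recv_exact(sock, 2)
    methods = recv_exact(sock, nmethods)
    sock.sendall(bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else 0xFF]))
    _ver, cmd, _rsv = recv_exact(sock, 3)
    atyp, host, port = read_address(sock)
    seen.update(atyp=atyp, host=host, port=port)
    rep = 0 if cmd == CMD_CONNECT else 7
    sock.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack(">H", 0))
    sock.close()


def demo(host, port):
    """Run the client and the fake proxy over a socketpair; returns what crossed the wire."""
    client, proxy = socket.socketpair()
    seen = {}
    worker = threading.Thread(target=fake_tor_socks, args=(proxy, seen))
    worker.start()
    try:
        socks5_connect(client, host, port)
    finally:
        client.close()
        worker.join()
    return seen
```

The thing to check in any SOCKS wrapper you rely on is the value of `seen["atyp"]` for a hostname: if it is 0x01 rather than 0x03, the name was resolved on your box before the request ever reached Tor.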
 

AsyncSocksSocket Class

The AsyncSocksSocket class also inherits from socket.socket. The provided interface is similar to that of a standard socket and can be used with select. Any data sent before the SOCKS negotiation is complete is queued and sent once the negotiation finishes.

 
import libtor
import select
import socket

t = libtor.Tor(0)
t.create_tor()

sockets = [libtor.AsyncSocksSocket()]
sockets[0].connect(("google.com", 80))
# Sent before the SOCKS negotiation has finished: queued and flushed once it completes
sockets[0].send("GET / HTTP/1.1\r\nHost: google.com\r\nConnection: close\r\n\r\n")

while len(sockets) > 0:
    readable, writable, exceptional = select.select(sockets, [], [])
    for s in readable:
        try:
            data = s.recv(1024)
        except socket.error:
            sockets.remove(s)
            break
        if not data:          # an empty read means the peer closed the connection
            s.close()
            sockets.remove(s)
            break
        print(data)

t.kill_tor()
 

Transparent Proxy

What is a transparent proxy? A transparent proxy forces all of your outbound traffic through a proxy of your choosing; Tor is well suited to this, and this section covers setting one up.

First, add these four lines to the end of your torrc, found at /etc/tor/torrc on most systems:

 
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5353
 

Now for our iptables rules to force all traffic through Tor:

 
#!/bin/bash

# networks that stay on the clearnet (your LAN); used by both chains below
_non_tor="192.168.1.0/24 192.168.0.0/24"

# UID of the user Tor runs as (see below for how to find it)
_tor_uid="43"

# TransPort from the torrc above
_trans_port="9040"

# start from empty filter and nat tables
iptables -F
iptables -t nat -F

# nat OUTPUT: Tor's own traffic is left alone; DNS goes to Tor's DNSPort
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353

#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done

# every other new TCP connection is redirected to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port

# filter OUTPUT: existing flows, clearnet destinations and the Tor process
# may send; everything else (for example non-DNS UDP) is rejected
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

for _clearnet in $_non_tor 127.0.0.0/8; do
   iptables -A OUTPUT -d $_clearnet -j ACCEPT
done

iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT

# inserted at the top of OUTPUT: drop FIN/ACK and RST/ACK segments that are
# not on loopback, so no such segment leaves directly
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
 

The Tor UID varies from system to system; one of the easiest ways to find it is by running:

 
$ grep tor /etc/passwd
 

Be sure to save the config above to rules.sh in your home folder.

Now once you have done all that (saved Tor configuration, saved iptables rules to a file) you will need to run:

 
$ killall -HUP tor
 

which makes the running Tor reload its configuration, and then:

 
$ chmod +x rules.sh
$ ./rules.sh
 

This sets the iptables rules, and all of your traffic should now be transparently proxied through Tor. One thing you must consider is whether the router or network you are connecting to carries IPv6: the Tor traffic here is IPv4 only, and these iptables rules do not apply to IPv6 packets, so traffic you think is going through Tor would leak to the clearnet over IPv6. It is highly recommended to disable IPv6 at the kernel level, either by editing config.x86_64 and commenting out all the IPv6 entries or by excluding it through "make menuconfig".

make menuconfig:

Networking Support ==> Networking Options ==> The IPv6 Protocol

Hit the "n" key to exclude it and continue building your kernel.
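To see how the torrc lines and rules.sh above fit together, here is an added example (not part of the original page) that walks one new outbound packet through the nat OUTPUT and filter OUTPUT chains exactly as the script orders them and reports where it ends up, including the IPv6 case the text warns about. The UID 43 and the port numbers are the script's own values.

```python
import ipaddress

# Values copied from the torrc and rules.sh above; the Tor UID is whatever
# /etc/passwd gives on your system (43 in the script).
NON_TOR = ["192.168.1.0/24", "192.168.0.0/24"]
NAT_LOOPBACK_RETURN = ["127.0.0.0/9", "127.128.0.0/10"]
TOR_UID, TRANS_PORT, DNS_PORT = 43, 9040, 5353

def _in_any(addr, nets):
    return any(addr in ipaddress.ip_network(n) for n in nets)

def route(dst: str, proto: str, dport: int, uid: int, syn: bool = True) -> str:
    """Walk the nat OUTPUT chain, then the filter OUTPUT chain, for the first
    packet of a new outbound flow and report where it ends up:
    'tor:<port>' (REDIRECTed to Tor), 'direct' (clearnet), 'reject', or
    'ipv6-leak' (no rule sees it at all)."""
    addr = ipaddress.ip_address(dst)
    if addr.version == 6:
        # iptables is IPv4-only and the torrc has no IPv6 settings, so this
        # packet leaves untouched: the leak the text above warns about.
        return "ipv6-leak"

    # nat OUTPUT, in rule order
    redirect = None
    if uid == TOR_UID:
        pass                                      # RETURN: Tor's own traffic
    elif proto == "udp" and dport == 53:
        redirect = DNS_PORT                       # REDIRECT --to-ports 5353
    elif _in_any(addr, NON_TOR + NAT_LOOPBACK_RETURN):
        pass                                      # RETURN: clearnet exception
    elif proto == "tcp" and syn:
        redirect = TRANS_PORT                     # REDIRECT --to-ports 9040

    # filter OUTPUT: a redirected packet now targets 127.0.0.1, which the
    # 127.0.0.0/8 ACCEPT rule lets through; anything else not excepted is REJECTed
    if redirect is not None:
        return "tor:%d" % redirect
    if uid == TOR_UID or _in_any(addr, NON_TOR + ["127.0.0.0/8"]):
        return "direct"
    return "reject"
```

Non-DNS UDP from an ordinary user ends in "reject" rather than leaking, because only TCP SYNs are redirected and the filter chain rejects what the nat chain did not except.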

Hidden services

When a user connects to a clearnet website via Tor, the connection, in general, looks like:

you -> tor node 1 -> tor node 2 -> exit node -> internet

However, when a user connects to a Tor Hidden Service, the connection route looks like:

you -> arbitrary # nodes -> rendezvous <- arbitrary # nodes <- hs box

Hidden services use .onion as a pseudo-TLD; an example is the hidden wiki at http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. A .onion name describes a hidden service without giving away its location: the string before .onion is a fingerprint of the service's key, which means the service cannot be located from its address while a client can still check that the service it reached holds the expected private key.

Configuration

Assuming that you have Tor configured correctly and running, you are ready to set up your Tor Hidden Service.

First, make sure that your web server, or whatever other service you are going to host, is running and configured correctly. (These examples will be geared towards a web server).

Next, add the following two lines to /etc/tor/torrc:

 
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
 

After restarting the Tor service, you will have two files in the /var/lib/tor/hidden_service/ directory: hostname and private_key.

The hostname file contains the .onion address used to access your service. The private_key file contains the private key from which your .onion address was generated. Do NOT lose or expose your private key: anybody who obtains it can take over your .onion address.

You can also host more than one service on your server and have a different .onion address for each service. For example, to host IRC and SSH on another onion, add the following to your /etc/tor/torrc:

 
HiddenServiceDir /var/lib/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22 127.0.0.1:22
 

ControlPort

The ControlPort is a port you can open to allow a program to connect to and control the Tor process. The ControlPort is disabled by default but can be enabled by entering the following into your /etc/tor/torrc:

 
ControlPort 9051
 

To connect to the ControlPort:

 
telnet 127.0.0.1 9051
authenticate ""
 
  • Note: "" is the default authentication for the ControlPort. It is recommended to edit HashedControlPassword in the /etc/tor/torrc file.

There is a lot that can be done via the ControlPort. It is possible to change the number of hops per circuit, create custom circuits, use arbitrary exit nodes, view logs and settings, and a lot more.

For more information and further reading, visit here.
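The note above recommends replacing the empty default with HashedControlPassword; Tor generates that value with `tor --hash-password`. As an added example (not from the page or the Tor code base), the following reimplements the "16:" format, which is the OpenPGP iterated-salted SHA-1 S2K with an 8-byte salt and iteration byte 0x60, so a stored value can be produced and checked offline.

```python
import binascii
import hashlib
import hmac
import os

S2K_INDICATOR = 0x60   # the iteration-count byte Tor always writes

def _s2k_iterated_sha1(password: bytes, salt: bytes, indicator: int) -> bytes:
    """OpenPGP (RFC 2440) iterated+salted S2K with SHA-1, as Tor uses it:
    feed (salt || password) to SHA-1 repeatedly until `count` bytes are hashed."""
    count = (16 + (indicator & 15)) << ((indicator >> 4) + 6)   # 65536 for 0x60
    block = salt + password
    h = hashlib.sha1()
    while count > 0:
        if count >= len(block):
            h.update(block)
            count -= len(block)
        else:
            h.update(block[:count])
            count = 0
    return h.digest()

def hashed_control_password(password: str, salt: bytes = None) -> str:
    """Produce the value for a torrc line 'HashedControlPassword 16:...'."""
    salt = os.urandom(8) if salt is None else salt
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    spec = salt + bytes([S2K_INDICATOR])                 # 9-byte S2K specifier
    digest = _s2k_iterated_sha1(password.encode("utf-8"), salt, S2K_INDICATOR)
    return "16:" + binascii.hexlify(spec + digest).decode().upper()

def verify_control_password(password: str, hashed: str) -> bool:
    """Check a password against a stored HashedControlPassword value."""
    if not hashed.startswith("16:"):
        return False
    try:
        raw = binascii.unhexlify(hashed[3:])
    except (binascii.Error, ValueError):
        return False
    if len(raw) != 8 + 1 + 20:                           # salt + indicator + SHA-1
        return False
    salt, indicator, digest = raw[:8], raw[8], raw[9:]
    expected = _s2k_iterated_sha1(password.encode("utf-8"), salt, indicator)
    return hmac.compare_digest(expected, digest)         # constant-time compare
```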

HidServAuth

The HidServAuth section of the /etc/tor/torrc file is used to restrict access to your onion via a unique cookie.

To generate and use the cookie, add the following to /etc/tor/torrc:

 
HiddenServiceAuthorizeClient stealth client
 

After adding this to the /etc/tor/torrc file, saving, and exiting, execute:

 
# killall -HUP tor
 

Now, view your hidden service's hostname file, located in the directory specified in your /etc/tor/torrc:

 
mhiz7mrtk4tezuop.onion xcd7ClMNU5dAyVXy80h+lh # client
 

To utilize the new cookie, add the following to your /etc/tor/torrc:

 
HidServAuth mhiz7mrtk4tezuop.onion xcd7ClMNU5dAyVXy80h+lh # client
 

Now, only the users that are provided with and include the above string in their /etc/tor/torrc file will be able to access your hidden service.

Issues

  • Sniper Attack

One de-anonymization attack that hidden services are vulnerable to is the Sniper Attack. Operation Onymous, probably the most famous case, is theorized to have used a type of attack where exit nodes were taken offline via denial of service attacks. This forced users onto nodes controlled by law enforcement, where a combination of techniques could be used to de-anonymize the servers and locate their actual locations.

  • Correlation/Confirmation Attack

One of the pitfalls with hidden services is the correlation attack. If someone controls enough nodes, they can send enough traffic to the hidden service to find its location. While expensive, it is also possible for adversaries to monitor entry and exit node traffic and correlate it in an attempt to de-anonymize users.

  • Badmin

Badmin'ing is an issue for any infrastructure. In this case, a badmin could keep logs on his exit node, leaving evidence if an adversary identifies your exit node. They may also perform MITM attacks on your traffic in an attempt to compromise your account or de-anonymize you.

Awareness and OpSec are key to ensuring PRIVACY. REMEMBER: ANONYMITY IS NOT GUARANTEED.

External Links
