30 November 2006 | 12,407 views

Hacking Tor – A Flaw Appears?

Check For Vulnerabilities with Acunetix

It seems finally someone has found a flaw in the way Tor works, a way to beat it and find out who is using the system.

Perhaps an end to the most anonymous system on the Internet?

I got this info fresh from SANS.

One of our readers sent in a very worrying analysis of what appeared to be “traffic modification” (in his words) on the part of the Tor network.

The Tor (“The Onion Router”) network is an anonymizing peer-to-peer network of routers on the Internet which uses various techniques to bounce traffic around the Internet in such a way that traffic analysis becomes difficult if not impossible to perform. Tor is a perfect example of a dual-use technology: it can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower but at the same time it is sadly ideal for various nefarious uses.

It seems to point to traffic modification on an exit node, packetstorm in particular.

The key tenet of Tor is that it should protect anonymity and the reader’s analysis pointed not only to traffic modification on the part of a so-called “exit router” (the last hop in a Tor circuit before your packets reach the real destination) but also an attempt at tracking the true origin of the traffic (in a Tor network a hop only knows that the traffic comes from a previous hop but no futher back).

Both William Salusky and myself looked into the data and it seemed to implicate packetstormsecurity.org, an exit router in Denmark and, more curiously, a DNS tunnel to transmit data out (via obviously fake hosts under the t.packetstormsecurity.org domain). This last item was interesting because it replicated data which was apparently being submitted to the host via an HTTP cookie so it seemed that the idea was to have the cookie travel to the unwitting Tor user and be sent back via DNS tunnel to an external host to confirm the real identity of the host. As both of us were busy we looked a little deeper but ultimately we recommended that the reader report this to the Tor authors.

A quote from the actual paper.

Clearly Tor’s designers have done a pretty good job: I couldn’t find any weakness in Tor itself that violate the tenets set out at http://tor.eff.org/ (basically that end-to-end traffic analysis is always possible, but the traffic analysis should [be] difficult to everything but a global Echelon). So instead, I attacked the data which Tor carries the most of: web traffic.

Worrying indeed, you can download the paper here:

“Practical Onion Hacking” by Andrew Christensen

Source: SANS



Recent in Network Hacking:
- IPFlood – Simple Firefox Add-on To Hide Your IP Address
- masscan – The Fastest TCP Port Scanner
- BurpSentintel – Vulnerability Scanning Plugin For Burp Proxy

Related Posts:
- Skype Worm in the Wild – W32.Chatosky
- Microsoft IE7 Exploit Allows Remote Code Execution on XP & Vista
- Serious XSS Flaw in Google Desktop Allows Data Theft

Most Read in Network Hacking:
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,059,577 views
- Wep0ff – Wireless WEP Key Cracker Tool - 511,610 views
- THC-Hydra – The Fast and Flexible Network Login Hacking Tool - 314,313 views

Low-cost VPS Hosting

7 Responses to “Hacking Tor – A Flaw Appears?”

  1. Brian 30 November 2006 at 7:40 pm Permalink

    Thanks for this post, I use tor pretty extensively myself and I have to say this is troubleing. The only thing is wouldn’t this “vulnerability” fall into the same category as the already known ActiveX and Flash vulnerabilities for these plugin’s requiring a direct connection with the client and thus circumventing the proxy network?

  2. gerg 1 December 2006 at 12:17 am Permalink

    This so called paper only describe methods that are known for more than 10 years and that work with every proxy…
    There’s no Tor specific flaws in this document.

    The paper title is just a way to make lamers talk and provide “instant celebrity” to his author… nothing new here

    If you want some real technical paper on Tor search a pdf document on how to discover the location of an hidden service using statistics based on rendez-vous nodes.

  3. ethernode 5 December 2006 at 12:09 pm Permalink

    So, if the SANS is serious about this, is tor a giant honeypot? Corporate or occult?

  4. Darknet 5 December 2006 at 4:41 pm Permalink

    Brian: Yah I guess it would, anything as such can circumvent the anonymity of a proxy, that’s why using something like AnonymOS is preferable.

    gerg: Thanks I’ll check that out.

    ethernode: I don’t think so this a flaw in any proxy based system, it’s just showing how its relevant to Tor aswell. It’s still the best system there is ATM.

  5. ethernode 5 December 2006 at 4:50 pm Permalink

    I was talking about the packetstormsecurity.org implications, not about the flaw itself. Following what i understood from the article, that would mean that tor’s anonymity features are fake (because of the “sent back via DNS tunnel to an external host to confirm the real identity of the host”) ? I’m beginning to guess i’m saying shit, but doesn’t this back-tunnel outpass the 1-hop only feature?

  6. Chris 12 January 2009 at 6:25 pm Permalink

    The problem with this paper is that they expect that the user is only using something like Privoxy for Tor. What if the user is default-routing all his TCP traffic through his own Tor proxy box? The method he uses for demasking won’t work because all the TCP traffic is being routed through Tor anyway.

    I don’t see anything groundbreaking about this paper and his methods are easily defeated.

  7. navin 13 January 2009 at 11:14 am Permalink

    I agree chris, but fact of the matter is tht most users do use privoxy for Tor and don’t really have the technical knowhow on how to set up a personal box…… tht leaves them in a state where their online security can be compromised