Hacking Tor – A Flaw Appears?

Outsmart Malicious Hackers

It seems finally someone has found a flaw in the way Tor works, a way to beat it and find out who is using the system.

Perhaps an end to the most anonymous system on the Internet?

I got this info fresh from SANS.

One of our readers sent in a very worrying analysis of what appeared to be “traffic modification” (in his words) on the part of the Tor network.

The Tor (“The Onion Router”) network is an anonymizing peer-to-peer network of routers on the Internet which uses various techniques to bounce traffic around the Internet in such a way that traffic analysis becomes difficult if not impossible to perform. Tor is a perfect example of a dual-use technology: it can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower but at the same time it is sadly ideal for various nefarious uses.

It seems to point to traffic modification on an exit node, packetstorm in particular.

The key tenet of Tor is that it should protect anonymity and the reader’s analysis pointed not only to traffic modification on the part of a so-called “exit router” (the last hop in a Tor circuit before your packets reach the real destination) but also an attempt at tracking the true origin of the traffic (in a Tor network a hop only knows that the traffic comes from a previous hop but no futher back).

Both William Salusky and myself looked into the data and it seemed to implicate packetstormsecurity.org, an exit router in Denmark and, more curiously, a DNS tunnel to transmit data out (via obviously fake hosts under the t.packetstormsecurity.org domain). This last item was interesting because it replicated data which was apparently being submitted to the host via an HTTP cookie so it seemed that the idea was to have the cookie travel to the unwitting Tor user and be sent back via DNS tunnel to an external host to confirm the real identity of the host. As both of us were busy we looked a little deeper but ultimately we recommended that the reader report this to the Tor authors.

A quote from the actual paper.

Clearly Tor’s designers have done a pretty good job: I couldn’t find any weakness in Tor itself that violate the tenets set out at http://tor.eff.org/ (basically that end-to-end traffic analysis is always possible, but the traffic analysis should [be] difficult to everything but a global Echelon). So instead, I attacked the data which Tor carries the most of: web traffic.

Worrying indeed, you can download the paper here:

“Practical Onion Hacking” by Andrew Christensen

Source: SANS

Posted in: Networking Hacking, Privacy

, , , ,

Latest Posts:

OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.

7 Responses to Hacking Tor – A Flaw Appears?

  1. Brian November 30, 2006 at 7:40 pm #

    Thanks for this post, I use tor pretty extensively myself and I have to say this is troubleing. The only thing is wouldn’t this “vulnerability” fall into the same category as the already known ActiveX and Flash vulnerabilities for these plugin’s requiring a direct connection with the client and thus circumventing the proxy network?

  2. gerg December 1, 2006 at 12:17 am #

    This so called paper only describe methods that are known for more than 10 years and that work with every proxy…
    There’s no Tor specific flaws in this document.

    The paper title is just a way to make lamers talk and provide “instant celebrity” to his author… nothing new here

    If you want some real technical paper on Tor search a pdf document on how to discover the location of an hidden service using statistics based on rendez-vous nodes.

  3. ethernode December 5, 2006 at 12:09 pm #

    So, if the SANS is serious about this, is tor a giant honeypot? Corporate or occult?

  4. Darknet December 5, 2006 at 4:41 pm #

    Brian: Yah I guess it would, anything as such can circumvent the anonymity of a proxy, that’s why using something like AnonymOS is preferable.

    gerg: Thanks I’ll check that out.

    ethernode: I don’t think so this a flaw in any proxy based system, it’s just showing how its relevant to Tor aswell. It’s still the best system there is ATM.

  5. ethernode December 5, 2006 at 4:50 pm #

    I was talking about the packetstormsecurity.org implications, not about the flaw itself. Following what i understood from the article, that would mean that tor’s anonymity features are fake (because of the “sent back via DNS tunnel to an external host to confirm the real identity of the host”) ? I’m beginning to guess i’m saying shit, but doesn’t this back-tunnel outpass the 1-hop only feature?

  6. Chris January 12, 2009 at 6:25 pm #

    The problem with this paper is that they expect that the user is only using something like Privoxy for Tor. What if the user is default-routing all his TCP traffic through his own Tor proxy box? The method he uses for demasking won’t work because all the TCP traffic is being routed through Tor anyway.

    I don’t see anything groundbreaking about this paper and his methods are easily defeated.

  7. navin January 13, 2009 at 11:14 am #

    I agree chris, but fact of the matter is tht most users do use privoxy for Tor and don’t really have the technical knowhow on how to set up a personal box…… tht leaves them in a state where their online security can be compromised