Launching Attacks via TOR Re: Hacker strikes through student's router

tor tor at algae-world.com
Tue Nov 8 23:13:33 UTC 2005


They are probably referring to articles like the following:


http://dhanjani.com/archives/cat_security.html


    Launching Attacks via Tor <http://dhanjani.com/archives/000085.html>

July 10, 2005

I have written about Tor before 
<http://dhanjani.com/archives/000069.html>. In my opinion, the Tor 
project <http://tor.eff.org/index.html> is an excellent effort towards 
protecting online privacy. I routinely use the Tor network, and it works 
well for me.

I believe that the merits of a project like Tor outweigh the channels of 
abuse it may grant malicious users. However, these channels of abuse do 
exist, and they cannot be ignored: if a malicious entity wants to scan 
or launch attacks against your network via the Internet, he or she can 
do this via the Tor network. This will make it incredibly difficult for 
you to track down the source of the attacks.

In order to demonstrate this, I set up a host on the Internet that I 
wanted to scan from my home network using the Nessus vulnerability 
scanner <http://nessus.org/>. Before an attacker can exploit a specific 
vulnerability, he or she will want to test for the presence of the 
vulnerability using a scanner such as Nessus. Here are the steps I 
followed to launch the Nessus scan via Tor:

1) Install and Setup Tor <http://tor.eff.org/download.html>.

2) Download socat <http://www.dest-unreach.org/socat/> (Thanks 
Chris!). This tool will allow us to set up a local TCP listener that will 
tunnel connections via the Tor SOCKS server (listening on port 9050).

Let us assume that the IP address of the host I wanted to scan was 
10.0.0.1 (yes I know this is non-routable over the Internet, but I don't 
want to publish the real IP address of my host). I invoked socat like 
this:

    ./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:10.0.0.1:80,socksport=9050

The above command causes socat to listen on port 8080, and tunnel all 
incoming connections to 10.0.0.1 (port 80) via the Tor SOCKS server.

[Updated July 12, 2005. Step 3 is not applicable now].
3) Configure privoxy to allow HTTP CONNECT requests via port 80. By 
default, only port 443 is allowed. To do this, configure your web 
browser to use privoxy as the HTTP proxy (127.0.0.1 81118) and browse 
to http://config.privoxy.org/show-status. Click on the "Edit" button 
next to the applicable "default.action" file, and choose the "Enable" 
radio button on the left side of "limit-connect". Enter "80, 443" in the 
edit box and click on "Submit".

4) Install and configure Nessus 
<http://www.oreillynet.com/pub/a/security/2004/04/22/nessus.html>.

5) Launch a Nessus scan against 127.0.0.1 port 8080. Configure Nessus to 
limit the scan to port 8080 in the “Scan Options” tab.

Here are some of the entries in my Apache log that were a result of the 
scan:

192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /scripts/fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET /scripts/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 209 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl?<script>foo</script> HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

The 192.168.1.1 IP address represents the host that is the last onion 
router in the random circuit that was setup by the Tor software (NOTE: I 
don't want to publish the actual IP address of the last onion router 
that I noticed in my logs, so 192.168.1.1 is a place holder to serve as 
an example). Given the design of Tor, it would be extremely difficult 
(if not impossible) to determine the source IP address (i.e. my IP 
address - and not the IP address of the last onion router). The above 
instructions can also be used to exploit software flaws (using tools 
such as Metasploit <http://www.metasploit.com/>) in order to anonymously 
execute arbitrary commands on vulnerable hosts.

I am a big fan of the Tor project. However, potential attackers who may 
want to hide their tracks may abuse the anonymity granted by Tor. The 
aim of this post is to shed light on this fact, and I hope it is helpful 
to administrators who are affected by attacks that seem to originate from 
a source that is, in reality, an onion router.
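What the socat line in step 2 does on the wire, as an added example that is not code from the post, from socat or from Tor: a Python listener that accepts a scanner's connections, performs the SOCKS4 CONNECT handshake that Tor's SocksPort accepts, and relays bytes both ways. The fake SOCKS4 server at the bottom is a constructed test double so the whole exchange runs offline; against a real Tor daemon you would pass ("127.0.0.1", 9050) as socks_addr instead. Function names and the sample request are assumptions of this example.

```python
import socket
import struct
import threading

SOCKS4_VERSION, SOCKS4_CONNECT = 0x04, 0x01
SOCKS4_GRANTED = 0x5A  # reply code "request granted"; 0x5B..0x5D mean rejected


def build_socks4_connect(dst_ip, dst_port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT (big-endian), DSTIP, USERID, NUL.
    This is the byte string a SOCKS4 client such as socat sends to Tor's SocksPort."""
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port)
            + socket.inet_aton(dst_ip) + userid + b"\x00")


def parse_socks4_request(data):
    """Server side: (dst_ip, dst_port, userid) from a SOCKS4 CONNECT request."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION or data[1] != SOCKS4_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port = struct.unpack("!H", data[2:4])[0]
    return socket.inet_ntoa(data[4:8]), port, data[8:data.index(b"\x00", 8)]


def parse_socks4_reply(data):
    """SOCKS4 reply is 8 bytes: VN=0, CD, then DSTPORT/DSTIP (ignored here)."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == SOCKS4_GRANTED


def _pump(src, dst):
    """Copy src -> dst until EOF, then pass the EOF on as a half-close of dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_port, socks_addr, dst_ip, dst_port):
    """Equivalent of: socat TCP4-LISTEN:<listen_port>,fork SOCKS4:<socks>:<dst_ip>:<dst_port>
    Returns the bound port (listen_port=0 lets the OS pick a free one)."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", listen_port))
    ls.listen(16)

    def handle(client):
        proxy = socket.create_connection(socks_addr)  # real Tor: ("127.0.0.1", 9050)
        proxy.sendall(build_socks4_connect(dst_ip, dst_port))
        reply = proxy.recv(8, socket.MSG_WAITALL)     # wait for the whole 8-byte reply
        if not parse_socks4_reply(reply):             # e.g. Tor could not reach the target
            client.close()
            proxy.close()
            return
        back = threading.Thread(target=_pump, args=(proxy, client), daemon=True)
        back.start()
        _pump(client, proxy)  # scanner -> proxy until the scanner stops sending
        back.join()
        client.close()
        proxy.close()

    def accept_loop():
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]


def start_fake_socks4_server():
    """Constructed test double standing in for Tor's SocksPort (it is not Tor): grants
    every CONNECT, then answers the first payload with the destination it was asked for."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(16)
    seen = []  # destinations requested through the "proxy"

    def serve():
        while True:
            conn, _ = ls.accept()
            ip, port, _userid = parse_socks4_request(conn.recv(1024))
            seen.append((ip, port))
            conn.sendall(struct.pack("!BBH4s", 0, SOCKS4_GRANTED, 0, b"\x00" * 4))
            payload = conn.recv(4096)
            conn.sendall(b"exit saw %s:%d -> %s" % (ip.encode(), port, payload))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], seen


def demo(dst_ip="10.0.0.1", dst_port=80):
    """Scanner -> forwarder -> SOCKS -> destination; returns (reply, destinations seen)."""
    socks_port, seen = start_fake_socks4_server()
    fwd_port = start_forwarder(0, ("127.0.0.1", socks_port), dst_ip, dst_port)
    with socket.create_connection(("127.0.0.1", fwd_port)) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed stand-in for a scanner probe
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    return reply, seen


if __name__ == "__main__":
    print(demo())
```

Two practical notes. The SOCKS4 request carries a literal IPv4 address, so the client resolves the target name itself; Tor also accepts SOCKS4a (DSTIP of the form 0.0.0.x followed by the hostname after the NUL), and socat's SOCKS4A: address uses it, which keeps the DNS lookup inside the circuit rather than on the attacker's own resolver. And the tunnel only hides the source address: the scanner's own traffic, including the "Nessus" User-Agent seen in the log excerpt, still reaches the target unchanged.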
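On the receiving end, the log excerpt above is all the administrator has to work with. As an added example that is not code from the post: a small Python triage of Apache combined-format lines that parses each entry, flags the Nessus User-Agent and script-injection probes (after percent-decoding the path, since scanners often encode them), and marks source addresses that appear in a list of Tor exit nodes. The log lines and the exit list are constructed for this example; 192.168.1.1 is the post's placeholder, not a real exit, and a real check would load the exit list the Tor Project publishes rather than a hard-coded set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
XSS_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

# Constructed for the example: load a current exit-node list in practice.
TOR_EXITS = {"192.168.1.1"}

# Constructed sample: two probes in the style of the post's excerpt, one benign
# hit from a documentation address, one percent-encoded probe behind a browser UA.
SAMPLE_LOG = """\
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
203.0.113.7 - - [10/Jul/2005:17:30:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux)"
192.168.1.1 - - [10/Jul/2005:17:30:09 -0700] "GET /cgi-bin/wiki.pl?%3Cscript%3Efoo%3C/script%3E HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Windows)"
"""


def parse_line(line):
    """Fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, exits=TOR_EXITS):
    """Tags for one parsed entry: scanner User-Agent, XSS probe, Tor exit source."""
    tags = set()
    if "nessus" in entry["agent"].lower():
        tags.add("nessus-ua")
    if XSS_RE.search(unquote(entry["path"])):  # decode %3Cscript%3E before matching
        tags.add("xss-probe")
    if entry["ip"] in exits:
        tags.add("tor-exit")
    return tags


def triage(log_text, exits=TOR_EXITS):
    """Per-source summary: request count, union of tags, and the probed paths."""
    report = defaultdict(lambda: {"requests": 0, "tags": set(), "probes": []})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not in combined format; skip rather than guess
        tags = classify(entry, exits)
        rec = report[entry["ip"]]
        rec["requests"] += 1
        rec["tags"] |= tags
        if "xss-probe" in tags:
            rec["probes"].append(entry["path"])
    return dict(report)


if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, rec["requests"], sorted(rec["tags"]), rec["probes"])
```

The tor-exit tag is the point of the post: when the source address is an exit, it identifies the last onion router in the circuit, so blocking it or sending an abuse report reaches the relay operator rather than the attacker, and the scanner's own fingerprint (User-Agent, probe strings, request timing) is the only attribution that remains.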





More information about the tor-talk mailing list