Launching Attacks via TOR Re: Hacker strikes through student's router

Dustin Eward plasma at tampabay.rr.com
Wed Nov 9 00:22:49 UTC 2005


tor wrote:

> They are probably referring to articles like the following:
>
>
> http://dhanjani.com/archives/cat_security.html
>
>
>    Launching Attacks via Tor <http://dhanjani.com/archives/000085.html>
>
> July 10, 2005
>
> I have written about Tor before 
> <http://dhanjani.com/archives/000069.html>. In my opinion, the Tor 
> project <http://tor.eff.org/index.html> is an excellent effort towards 
> protecting online privacy. I routinely use the Tor network, and it 
> works well for me.
>
> I believe that the merits of a project like Tor outweigh the channels 
> of abuse it may grant malicious users. However, these channels of 
> abuse do exist, and they cannot be ignored: if a malicious entity 
> wants to scan or launch your network via the Internet, he or she can 
> do this via the Tor network. This will make it incredibly difficult 
> for you to track down the source of the attacks.
>
> In order to demonstrate this, I setup a host on the Internet that I 
> wanted to scan from my home network using the Nessus vulnerability 
> scanner <http://nessus.org/>. Before an attacker can exploit a 
> specific vulnerability, he or she will want to test the presence of 
> the vulnerability using a scanner such as Nessus. Here are the steps I 
> followed to launch the Nessus scan via Tor:
>
> 1) Install and Setup Tor <http://tor.eff.org/download.html>.
>
> 2) Download desproxysocat <http://www.dest-unreach.org/socat/> (Thanks 
> Chris!). This tool will allow us to setup a local TCP listener that 
> will tunnel connections via the Tor SOCKS server (listening on port 
> 9050).
>
> Let us assume that the IP address of the host I wanted to scan was 
> 10.0.0.1 (yes I know this is non-routable over the Internet, but I 
> don’t want to publish the real IP address of my host). I invoked 
> socat like this:
>
> ./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:10.0.0.1:80,socksport=9050
>
> The above command causes socat to listen on port 8080, and tunnel 
> all incoming connections to 10.0.0.1 (port 80) via the Tor SOCKS server.
>
> [Updated July 12, 2005. Step 3 is not applicable now].
> 3) Configure privoxy to allow HTTP CONNECT requests via port 80. By 
> default, only port 443 is allowed. To do this, configure your web 
> browser to use privoxy as the HTTP proxy (127.0.0.1 81118) and 
> browse to http://config.privoxy.org/show-status. Click on the "Edit" 
> button next to the applicable "default.action" file, and choose the 
> "Enable" radio button on the left side of “limit-connect”. Enter “80, 
> 443” in the edit box and click on "Submit".
>
> 4) Install and configure Nessus 
> <http://www.oreillynet.com/pub/a/security/2004/04/22/nessus.html>.
>
> 5) Launch a Nessus scan against 127.0.0.1 port 8080. Configure Nessus 
> to limit the scan to port 8080 in the “Scan Options” tab.
>
> Here are some of the entries in my Apache log that were a result of 
> the scan:
>
> 192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> 192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> 192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> 192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /scripts/fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> 192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET /scripts/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> 192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> 192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 209 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> 192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl?<script>foo</script> HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
>
> The 192.168.1.1 IP address represents the host that is the last onion 
> router in the random circuit that was setup by the Tor software (NOTE: 
> I don't want to publish the actual IP address of the last onion router 
> that I noticed in my logs, so 192.168.1.1 is a place holder to serve 
> as an example). Given the design of Tor, it would be extremely 
> difficult (if not impossible) to determine the source IP address (i.e. 
> my IP address - and not the IP address of the last onion router). The 
> above instructions can also be used to exploit software flaws (using 
> tools such as Metasploit <http://www.metasploit.com/>) in order to 
> anonymously execute arbitrary commands on vulnerable hosts.
>
> I am a big fan of the Tor project. However, potential attackers who 
> may want to hide their tracks may abuse the anonymity granted by Tor. 
> The aim of this post is to shed light on this fact, and I hope it is 
> helpful to administrators who are affected by attacks that seem to 
> originate from a source that is an onion router in reality.
>
>
>
>
Did such "bad guys" not find ways to cover their tracks before the Tor 
concept existed?

Because a thing can be abused does not make the thing a bad idea, or 
make it at fault for the abuse.  It facilitates nothing; this same 
behavior would still continue without Tor, and existed long before 
there was Tor.

Much like firearms, a good analogy made by another or-talk subscriber.  
I don't honestly feel we have any obligation to curb our function or 
behavior simply because there is a dirty mind out there capable of 
misusing it. 

Government Issued Tor Licenses a la FCC?  The more Government control 
there is over a given freedom/right, the more conflict of interest there 
is.  Serving up that Conflict of Interest on a silver platter, by 
insisting that abusers should be a concern of ours, is not responsible.

All tyrants rise from false "need."  What we "need" is for companies to 
have tighter security.  Failure to do so implies that Tor created the 
exploit, when in reality it was just a conduit to a pre-existing deficit.

If you leave your garage door open and go on vacation, you might just 
get some of your stuff stolen...  Whether the thief drove up in a car with 
a traceable license plate, or did it with an Invisibility Cloak, doesn't 
matter.

Be careful what you wish for, you just might get it.
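A defender-side companion to the Apache log excerpt quoted above, added here and not part of the original thread or of Dhanjani's post: it parses Apache combined-format lines like the ones shown, flags the Nessus user agent and the `<script>` probes, and marks requests whose source address appears on an exit-node list. The sample lines and the exit list (reusing the post's 192.168.1.1 placeholder) are constructed for this example; in practice the list would be built from Tor's published exit-node data, and the point the post makes still holds: the address you can attribute is the exit, not the origin.

```python
import re

# Constructed sample log: the first three lines mirror the entries quoted in
# the post (192.168.1.1 is the author's placeholder for the exit node); the
# fourth is an ordinary request from an unrelated, documentation-range address.
SAMPLE_LOG = """\
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
203.0.113.7 - - [10/Jul/2005:17:30:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Constructed placeholder exit list (assumption for the example); a real
# deployment would load the published Tor exit-node addresses instead.
TOR_EXITS = {"192.168.1.1"}

# Apache "combined" log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Known scanner user-agent fragments; the quoted log shows Nessus identifying itself.
SCANNER_UA_MARKERS = ("nessus",)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, tor_exits):
    """Return the set of indicator tags that apply to one parsed log entry."""
    tags = set()
    ua = entry["ua"].lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        tags.add("scanner-ua")          # scanner announced itself in the UA string
    if "<script" in entry["path"].lower():
        tags.add("script-probe")        # reflected-XSS test payload in the request
    if entry["ip"] in tor_exits:
        tags.add("tor-exit")            # source is an exit node, not the true origin
    return tags


def analyze(log_text, tor_exits):
    """Group flagged requests by source address with the union of their tags."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                    # skip unparseable lines rather than crash
        tags = classify(entry, tor_exits)
        if not tags:
            continue
        rec = findings.setdefault(entry["ip"], {"requests": 0, "tags": set()})
        rec["requests"] += 1
        rec["tags"].update(tags)
    return findings


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG, TOR_EXITS).items():
        note = " (address is an exit node; origin not attributable)" if "tor-exit" in rec["tags"] else ""
        print(f"{ip}: {rec['requests']} flagged requests, tags={sorted(rec['tags'])}{note}")
```

Treating the "tor-exit" tag as a note rather than a blocking verdict is deliberate: it tells the responder that the address is a relay shared by many users, so abuse reports or blocks aimed at it hit the relay operator, not the scanner.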


