Launching Attacks via Tor

by Nitesh Dhanjani

I have written about Tor before. In my opinion, the Tor project is an excellent effort towards protecting online privacy. I routinely use the Tor network, and it works well for me.

I believe that the merits of a project like Tor outweigh the channels of abuse it may grant malicious users. However, these channels of abuse do exist, and they cannot be ignored: if a malicious entity wants to scan or launch attacks against your network via the Internet, he or she can do this via the Tor network. This will make it incredibly difficult for you to track down the source of the attacks.

In order to demonstrate this, I set up a host on the Internet that I wanted to scan from my home network using the Nessus vulnerability scanner. Before an attacker can exploit a specific vulnerability, he or she will want to test for the presence of the vulnerability using a scanner such as Nessus. Here are the steps I followed to launch the Nessus scan via Tor:

1) Install and set up Tor.

2) Download socat (thanks, Chris!). This tool lets us set up a local TCP listener that tunnels all incoming connections through the Tor SOCKS server (listening on port 9050).

Let us assume that the IP address of the host I wanted to scan was 10.0.0.1 (yes I know this is non-routable over the Internet, but I don’t want to publish the real IP address of my host). I invoked socat like this:

./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:10.0.0.1:80,socksport=9050

The above command causes socat to listen on port 8080, and tunnel all incoming connections to 10.0.0.1 (port 80) via the Tor SOCKS server.

[Updated July 12, 2005. Step 3 is not applicable now].
3) Configure privoxy to allow HTTP CONNECT requests via port 80. By default, only port 443 is allowed. To do this, configure your web browser to use privoxy as the HTTP proxy (127.0.0.1:8118) and browse to http://config.privoxy.org/show-status. Click on the "Edit" button next to the applicable "default.action" file, and choose the "Enable" radio button on the left side of "limit-connect". Enter "80, 443" in the edit box and click on "Submit".

4) Install and configure Nessus.

5) Launch a Nessus scan against 127.0.0.1 port 8080. Configure Nessus to limit the scan to port 8080 in the “Scan Options” tab.

Here are some of the entries in my Apache log that were a result of the scan:


192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /scripts/fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET /scripts/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1" 404 209 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl?<script>foo</script> HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"


The 192.168.1.1 IP address represents the host that is the last onion router in the random circuit that was set up by the Tor software (NOTE: I don't want to publish the actual IP address of the last onion router that I noticed in my logs, so 192.168.1.1 is a placeholder to serve as an example). Given the design of Tor, it would be extremely difficult (if not impossible) to determine the source IP address (i.e. my IP address, not the IP address of the last onion router). The above instructions can also be used to exploit software flaws (using tools such as Metasploit) in order to anonymously execute arbitrary commands on vulnerable hosts.
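For an administrator who finds entries like the ones above, the useful questions are not "who is 192.168.1.1" (with Tor, that address identifies the exit router, not the person behind it) but "is this scanner traffic, and did it come through a Tor exit". The Python script below is an example added here; it is not part of the original post. It parses a few constructed Apache combined-log lines in the same shape as the ones above (four copied from the post plus one ordinary request), tags requests carrying the Nessus user-agent string or a <script> probe in the query string, counts 404 bursts per source, and matches the source address against TOR_EXITS, a constructed placeholder for a real exit-node list. The function and variable names are mine.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log: four lines in the shape of the post's Nessus-via-Tor
# entries, plus one normal browser request from an unrelated address.
SAMPLE_LOG = """\
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl?<script>foo</script> HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
10.20.30.40 - - [10/Jul/2005:17:31:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.0"
"""

# Constructed placeholder: in practice load the current exit list published by
# the Tor project. The post's 192.168.1.1 stands in for a real exit address.
TOR_EXITS = {"192.168.1.1"}

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def tag_entry(entry, tor_exits):
    """Attach indicator tags to a single parsed request."""
    tags = set()
    if entry["ip"] in tor_exits:
        tags.add("tor-exit")          # source is an exit router, not the origin
    if "nessus" in entry["ua"].lower():
        tags.add("nessus-ua")         # Nessus announces itself in the User-Agent
    if "<script" in unquote(entry["path"]).lower():
        tags.add("xss-probe")         # canned <script>foo</script> test payload
    return tags


def summarize(log_text, tor_exits):
    """Aggregate per source address: request count, 404 count, indicator tags."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "tags": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stats = per_ip[entry["ip"]]
        stats["requests"] += 1
        if entry["status"] == 404:
            stats["not_found"] += 1
        stats["tags"] |= tag_entry(entry, tor_exits)
    return dict(per_ip)


def suspicious_sources(summary, min_404=3):
    """Return {ip: sorted reasons} for sources that deserve an analyst's attention.

    Being a Tor exit is reported as context but is never a reason by itself:
    plenty of legitimate users browse through Tor, and blocking the exit
    punishes them without touching the scanner's operator.
    """
    out = {}
    for ip, s in summary.items():
        reasons = set(s["tags"])
        if s["not_found"] >= min_404:
            reasons.add("404-burst")  # many misses in a row: path guessing
        if reasons - {"tor-exit"}:
            out[ip] = sorted(reasons)
    return out


if __name__ == "__main__":
    for ip, reasons in suspicious_sources(summarize(SAMPLE_LOG, TOR_EXITS)).items():
        print(ip, ", ".join(reasons))
```

Run against the sample, the script reports 192.168.1.1 with the reasons 404-burst, nessus-ua, tor-exit and xss-probe, and stays silent about 10.20.30.40. The "tor-exit" tag tells the analyst that the address is the end of a Tor circuit and that the post's point applies: the real origin is not recoverable from this log, so the response has to be about the requests (patching what the probes look for, rate-limiting the path guessing) rather than about the address.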

I am a big fan of the Tor project. However, potential attackers who want to hide their tracks may abuse the anonymity granted by Tor. The aim of this post is to shed light on this fact, and I hope it is helpful to administrators who are affected by attacks that seem to originate from a source that is in reality an onion router.

5 Comments

FrankBruzzaniti
2005-07-25 02:54:16
Not so anonymous
Just a few things to remember for people when subscribing to the method above. Many port scanners
including Nessus will often ping a target to see if it's up before doing a port scan. This is usually done via ICMP packets; ICMP will not traverse the Tor network and will reveal your true address.


Also, in the usage of socat, I noticed you specify socks4, not socks4a. I believe that socks4 does client-side DNS, meaning that you're resolving a target's host name via DNS from your machine, not via the Tor network proxies.

FrankBruzzaniti
2005-08-03 00:46:39
Food for thought
If nessus is using something that generates packets via the raw packet interface then the packets may connect directly to the target, not via Tor.


For example nmap (which can be used as the port scanner for nessus) doing a connect() scan will work with Tor but using something like -sS may connect directly to the target, revealing your true address.

niteshd
2005-08-04 09:31:28
Not really
As per the example I presented, it is NOT possible for Nessus to connect directly to the target and reveal your true IP address. This is because I give Nessus the IP address of 127.0.0.1 as the target. So if you forget to tell nessus to only use the connect method for portscanning, you will end up scanning your own host, but not send any packets directly to the target.
niteshd
2005-08-04 09:34:34
Target == 127.0.0.1
In the example I presented, it is not possible to leak your source IP address because I tell Nessus to use 127.0.0.1 as the target IP address. Therefore, Nessus has no host name to resolve, and if you do forget to tell Nessus not to bother with ICMP pings, you will end up pinging yourself, not the target directly.
deviousz
2006-03-17 15:26:00
Taking the Tor route but Nessus result failed
I just replicated this setup and have verified that my scan is taking the Tor route, as the destination web server did not see my real IP whatsoever. The scan took place as well, as seen in the logs. However, the scan result when using Tor did not show the actual vulnerabilities which do exist.


For instance, when I perform the scan directly, not going through Tor, Nessus found a Horde vulnerability on port 80, but this was not found when using Tor. Also, the direct scan took much longer and was more active, producing many more entries in the log file.


Both tests were performed using the same settings, and I've verified that I'm targeting localhost, and port 8080. My socat syntax matches the above exactly (excluding the ip address of course).


Were there any specific additional Nessus settings?