Sla.ckers.org
Tor detection project
Posted by: jungsonn
Date: November 15, 2006 03:30AM

Hi all.

I'm currently busy with a new project: building a web application which detects Tor exit nodes when they access a script or webpage.

Some methods:

* detecting Tor nodes (known IPs)
* detecting Firefox Tor extensions

I found some very interesting info about the Tor network status:

https://nighteffect.com/tns/

and:

http://serifos.eecs.harvard.edu:8000/cgi-bin/exit.pl

My goal with this is to detect them in the background and route them to another place on the given site where the detection takes place, and lead them into a honeypot, or an exact copy of the site, though beefed up with logs on steroids and/or raising a higher security level upon detection. I'm not sure yet of all the things I can do with it, but it seems an interesting project.

If anyone is interested or wants to contribute info/data with me,
I'd like to hear about it.


Re: Tor detection project
Posted by: maluc
Date: November 15, 2006 11:59AM

jungsonn, you said this didn't work for you two months ago: http://maluc.sitesled.com/tortest.html

From http://ha.ckers.org/blog/20060911/detecting-privoxy-users-and-circumventing-it/#comment-2565 , but can you view this website when on Tor? http://6sxoyfb3h2nvok2d.onion/

If you can, and have JavaScript enabled, that test should work perfectly. You can amass a list with that by just adding the IP to your exit-node list whenever it triggers.

-maluc

Re: Tor detection project
Posted by: jungsonn
Date: November 15, 2006 04:30PM

Gha.. I can't remember. But I do know that it did not work. You use that image from the link above, I presume?

I just tested it on your site, with and without Tor; with Tor I still see "test running" but no result, without Tor I get the message faster :)

But i can view the Hidden Wiki, yes. :)

I like the idea of that image you use; do you have other ideas on the topic?

Re: Tor detection project
Posted by: digi7al64
Date: November 15, 2006 08:52PM

Personally, when I create a site where I need to detect Tor users/changing IPs, I simply create an MD5 signature for the user and assign that to a session variable which I compare on subsequent requests.

Generally a signature would contain
- Remote Address
- User Agent
- Http Forwarded For
- Session Id
- Remote Host

Therefore, as Tor users change IP every request, the value generated for comparing against the session value is always different.

I know it can produce a few false positives for Tor, but overall it works as a great deterrent against users trying to hide their location by using exit nodes.

Also check out https://nighteffect.com/tns/ for a list of Tor routers (with IP addresses), which might be helpful.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'


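The signature scheme digi7al64 describes above, as an added worked example (this is not code from the thread): Python, with the five fields hashed in the order he lists them. The request dictionary keys, the simulated visitors and their addresses are constructed for the example. It also shows the false-positive case raised later in the thread: a user whose ISP re-assigns their IP mid-session looks exactly like a Tor user to this check.

```python
import hashlib

# Fields hashed into the signature, in the order digi7al64 lists them.
# The dictionary keys are the example's own naming, not a real framework's.
SIGNATURE_FIELDS = ("remote_addr", "user_agent", "forwarded_for",
                    "session_id", "remote_host")


def build_signature(request):
    """MD5 over the concatenated request attributes.

    A header that is absent (the usual case for a forwarded-for header, as
    the thread notes) contributes the empty string, so absence itself is
    stable from one request to the next.
    """
    parts = [str(request.get(field, "")) for field in SIGNATURE_FIELDS]
    return hashlib.md5("|".join(parts).encode("utf-8")).hexdigest()


def check_request(session, request):
    """Compare this request's signature with the one stored in the session.

    Returns "new" on the first request (signature stored), "match" when it is
    unchanged, and "mismatch" when it differs, e.g. the remote address moved.
    The stored value is then updated so the next comparison is against the
    most recent hit.
    """
    sig = build_signature(request)
    stored = session.get("signature")
    if stored is None:
        session["signature"] = sig
        return "new"
    if sig == stored:
        return "match"
    session["signature"] = sig
    return "mismatch"


def simulate(requests):
    """Run a sequence of requests through one fresh server-side session."""
    session = {}
    return [check_request(session, r) for r in requests]


def make_request(ip, ua="Mozilla/5.0 (example)", sid="sess-42", host=""):
    # No forwarded_for key at all: the header is simply not present.
    return {"remote_addr": ip, "user_agent": ua, "session_id": sid,
            "remote_host": host}


# Constructed sample traffic; the addresses are from documentation ranges.
NORMAL_USER = [make_request("192.0.2.10"), make_request("192.0.2.10"),
               make_request("192.0.2.10")]
# A Tor user whose circuit exits through a different node on each request.
TOR_USER = [make_request("198.51.100.7"), make_request("203.0.113.45"),
            make_request("198.51.100.8")]
# Not Tor at all: a dynamic-IP subscriber whose ISP re-assigned the address
# between the second and third request (the false-positive case).
DYNAMIC_IP_USER = [make_request("192.0.2.20"), make_request("192.0.2.20"),
                   make_request("192.0.2.21")]


if __name__ == "__main__":
    for name, traffic in (("normal", NORMAL_USER), ("tor", TOR_USER),
                          ("dynamic ip", DYNAMIC_IP_USER)):
        print(f"{name:>10}: {simulate(traffic)}")
```

Note that the forwarded-for header, when present, is supplied by the client and can be held constant or omitted at will, so it never makes the signature stronger against someone who knows it is being hashed; it only adds entropy against clients that do not care.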
Re: Tor detection project
Posted by: jungsonn
Date: November 16, 2006 03:52AM

That's an interesting idea digi7al64!

But the "Http Forwarded For" isn't always correct (or is empty, even with a proxy), I found out, and many times fails to be revealed.

I like the signature idea; I'm back to the drawing board with this one.

Re: Tor detection project
Posted by: digi7al64
Date: November 16, 2006 06:16PM

You are correct that the HTTP Forwarded For value is not always correct or even used (when behind a truly anonymous proxy), and therefore you can add or remove it at your leisure. I however do like to use it (rightly or wrongly), as when it is available it beefs up the signature.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Tor detection project
Posted by: devloop
Date: November 21, 2006 12:09PM

ShowMyIp can detect Tor nodes:
http://showmyip.com/

Re: Tor detection project
Posted by: jungsonn
Date: November 21, 2006 12:56PM

Yeah, I saw that they can do that; I still don't know how they do it. Maybe against some large exit server list. If anyone has such info, I'd really like to know.

Re: Tor detection project
Posted by: devloop
Date: November 21, 2006 04:45PM

Check their blog:
http://privacy-ecosystem.blogspot.com/

Re: Tor detection project
Posted by: rsnake
Date: November 21, 2006 05:01PM

They could just look at the IP address and match it up with this list https://nighteffect.com/tns/

- RSnake
Gotta love it. http://ha.ckers.org

Re: Tor detection project
Posted by: jungsonn
Date: November 22, 2006 02:23AM

I have another idea now: by default, Tor servers listen on port 9001.
The list confirms this.

Re: Tor detection project
Posted by: rsnake
Date: November 22, 2006 10:15AM

Interesting! That's a first.

etlservicemgr 9001/tcp ETL Service Manager

http://www.iana.org/assignments/port-numbers

They should really revise this to include that, if it's true. It's odd that they would take an assigned port number, but I guess not that odd. Now, if it's connecting to a remote webserver, is it connecting from port 9001 or from another port?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Tor detection project
Posted by: rsnake
Date: November 22, 2006 11:29AM

In some tests this isn't that indicative. They would have to scan the entire internet looking for an open port 9001 to find all the Tor nodes; it seems fairly random in the outbound port it picks. Maybe there is some statistical analysis that can be done to see what the difference is between IE, Firefox and Tor nodes, but I doubt it will prove to work, from what I've seen in the limited tests I performed over the last few minutes.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Tor detection project
Posted by: jungsonn
Date: November 22, 2006 11:44AM

Yeah well, I wrote a script once that phased out users who accessed the script by port 80 or 443, HTTP or SSL. No standard user surfs on these, and most of those servers contain spam scripts, so blocking on port 80 would solve a lot. But I'm not satisfied with this; I want to be precise on this.

Re: Tor detection project
Posted by: jungsonn
Date: November 22, 2006 11:56AM

Also, normal browsing always runs over unassigned ports only; one could build a list and match against it, I guess.

Re: Tor detection project
Posted by: id
Date: November 22, 2006 12:19PM

jungsonn Wrote:
-------------------------------------------------------
> Also normal browsing always runs over unassigned
> ports only, one could build a list and match
> against it i guess.


Do you mean source ports? You couldn't tell if a machine was a Tor proxy by the source port of the connection, and it would always, as a final hop, connect to a known port on your server. Not exactly sure what you are saying there.

-id

Re: Tor detection project
Posted by: jungsonn
Date: November 22, 2006 12:42PM

Well, I learned from observation that normal browsing activity on my own PC lies between ports 1000-3000; if I activate Tor, it runs from 4000-9000. But this is on my system only, so I can't draw any conclusions.

But I made a test:

http://www.jungsonnstudios.com/mirror/tor.php

Here I check the port, and ping on port 80.

Re: Tor detection project
Posted by: rsnake
Date: November 22, 2006 01:33PM

Hmm... I haven't noticed any consistencies like that. It seems to depend on which Tor server you're connected to. Sometimes it's very consistent within a range, and sometimes it moves around. But yes, there may be something to detecting any assigned ports, as those are generally scripts.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Tor detection project
Posted by: jungsonn
Date: November 22, 2006 01:40PM

I'm thinking about 2 things:

> first, check against the IP list provided by nighteffect.com

if true: we've got a Tor user.

if false:

>> then check/try a socket connection to port 80

if true: we've got a Tor user or a site spammer.
(I presume, because he has port 80 open)

if false: genuine user.

Re: Tor detection project
Posted by: id
Date: November 22, 2006 02:02PM

You're checking the source port, which the Tor server's networking stack should choose randomly and which shouldn't tell you anything, really. Then you check if the remote machine is listening on port 80... so what if they are just running a web server on that port, or it's an Apache proxy, or Squid... or?

And more importantly (and I don't know why, it might have a reason), why would a Tor server even listen on port 80?

-id


Re: Tor detection project
Posted by: jungsonn
Date: November 22, 2006 04:23PM

Yeah, I agree with your last statement; the ones I come across have a plain Apache install. Just open the IPs from the nighteffect list in the browser and see. So many have port 80 open.

But id, is it an option to just try to make a socket connection to port 9001, which is the default Tor port?

Re: Tor detection project
Posted by: jungsonn
Date: November 22, 2006 06:38PM

Ok, well, I'm not into "ports" a lot, so I'll go to a coding idea. :]

http://www.jungsonnstudios.com/mirror/tor_real_ip.html

If all goes well and you are running Tor (and I hope on an MS system with FF!),
I can show you your real IP. On my system I get my localhost (of course: Linux :)).
I'd really like to know if it works on your PC also, so please let me know.

So I could make an XmlHttpRequest and send the IP to a file with a session attached to it, so I can identify the user through the whole site and log everything the user does.

And again Java/Script comes to save my day :)


Re: Tor detection project
Posted by: Ghozt
Date: November 22, 2006 08:28PM

@jungsonn: I DETECTED: ~IP: 127.0.0.1 ~HOST: localhost

Re: Tor detection project
Posted by: jungsonn
Date: November 23, 2006 03:21AM

Yeah, it's not a very consistent method :( I did however see my real IP and host, but one time only. I think its access is being prevented in FF. :)

Re: Tor detection project
Posted by: digi7al64
Date: November 23, 2006 06:59PM

jungsonn - you are on the right track so far (but, as you have already noticed, it is not the best method).

Therefore the following files will help you with determining some other types of Tor detection.

http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf
http://www.fortconsult.net/images/pdf/tpr_100506.pdf

btw:
Here are some other lists of Tor nodes:
> http://torstat.xenobite.eu
> http://proxy.org/tor.shtml

Finally - the idea of a Tor detection project is very interesting, and here are some thoughts that I think will make developing the project easier.

> Create a cron job/service that will automatically pull and sort Tor server/node lists (using the links provided on these pages)
> Create a "new session" function that tests any supplied IPs against the list.
> Using the script idea provided by me above, check for any changes to the user signature. When a change is detected, use maluc's JavaScript img test.

Overall, I believe this would be the most non-intrusive way to detect Tor users.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'


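The three steps digi7al64 lists (cron-pulled node lists, a new-session lookup against them, escalation on a signature change) as one added example in Python. This is not the thread's code. The two list formats are constructed for the example, since each of the linked list sources (nighteffect.com/tns, torstat.xenobite.eu, proxy.org/tor.shtml) has its own format; the MD5 signature comparison from earlier in the thread is assumed to run elsewhere and is passed in as a boolean; the image test is client-side JavaScript and is only named here as the step to trigger.

```python
import ipaddress

# Constructed samples of what two fetched node lists might look like (not
# real node data): one node per line, optional nickname and flags after the
# IP, '#' starting a comment.
SAMPLE_LIST_A = """\
# constructed sample, not real node data
198.51.100.7   exitalpha   Exit Running
198.51.100.8   middlebeta  Running
203.0.113.45   exitgamma   Exit Fast Running
"""

# A bare-IP list from a second source, with one junk line a parser must skip.
SAMPLE_LIST_B = """\
203.0.113.45
192.0.2.99
not-an-ip
"""


def parse_node_list(text, exits_only=False):
    """Return the set of IPs in one fetched list.

    Comment lines, blank lines and lines whose first field is not a valid
    address are ignored.  With exits_only=True a node is kept only if an
    "Exit" flag follows the nickname; a bare-IP list carries no flags, so
    with exits_only=True it contributes nothing (keep that in mind when a
    source only publishes addresses).
    """
    ips = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # canonical text form
        except ValueError:
            continue
        if exits_only and "Exit" not in fields[2:]:
            continue
        ips.add(ip)
    return ips


def merge_lists(texts):
    """What the cron job does after fetching: parse every source and union."""
    merged = set()
    for text in texts:
        merged |= parse_node_list(text)
    return merged


def classify_new_session(ip, node_ips, signature_changed):
    """Decide what to do with a request, in the order of the three steps:

      1. IP is on the merged node list      -> "honeypot" (route to the copy)
      2. else the MD5 signature has changed -> "img_test" (run the client check)
      3. otherwise                          -> "normal"

    Step 2 only escalates to the client-side test; on its own a changed
    signature is also what a dynamic-IP user produces, so it never routes
    to the honeypot directly.  A malformed address raises ValueError.
    """
    ip = str(ipaddress.ip_address(ip))
    if ip in node_ips:
        return "honeypot"
    if signature_changed:
        return "img_test"
    return "normal"


# The merged set the cron job would write out for the web application.
NODE_IPS = merge_lists([SAMPLE_LIST_A, SAMPLE_LIST_B])

if __name__ == "__main__":
    print(sorted(NODE_IPS))
    for ip, changed in (("203.0.113.45", False), ("192.0.2.1", True),
                        ("192.0.2.1", False)):
        print(ip, changed, "->", classify_new_session(ip, NODE_IPS, changed))
```

Matching on exact addresses is only as fresh as the last fetch; a node that joined since then is missed, and a node that left still matches, which is why the lookup is the first step and not the whole check.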
Re: Tor detection project
Posted by: jungsonn
Date: November 24, 2006 06:21AM

Nice, digi7al64!

Good information; I'll take a closer look at it.

I had another idea yesterday: just set a unique cookie for every visitor, logging their known IP; then later, when they come back surfing on a Tor node, check the cookie and match it with the IP that was first logged in combination with the first cookie.

Well, a lot to think about.

Re: Tor detection project
Posted by: maluc
Date: November 24, 2006 01:15PM

That's not so much a Tor check as it is a dynamic IP check. A LOT of people have dynamic IPs, including everyone still on dialup. So expect more false positives than real positives.

Using it as one piece of a heuristic is possible though.. just not the only piece.

-maluc

Re: Tor detection project
Posted by: jungsonn
Date: November 24, 2006 10:56PM

Yes, I agree, maluc.

This is the case: I'm always positive that when something doesn't work properly, it's not worth the effort. I'm pretty strict in what I want to filter, so even that isn't an option.

But the main idea was not to detect Tor users, but to expand my knowledge on it with input from you guys, to see if it is really as private as they say it is. Until now I've come to the conclusion that it's a pretty good medium. Though I would advise using it in a browser with at least JavaScript disabled, because this could lead to leaking information. Given this, and after reading the papers above, even Flash should be disabled due to the effect of ActionScript etc.

Though, I'm not giving up :)
