Tor MiTM Relay

#1
So in light of recent events I thought I'd show you a quick way to set up a Tor MiTM Relay. This was done on Debian Buster (10.5).

Let's install Tor (you can get the latest packages by adding the Tor repo to your /apt/sources.list).

Hidden Content


When those packages have finished installing, Tor will automatically start running, so let's stop that.

Hidden Content


Now remove the default Tor config.

Hidden Content


Now create a new torrc file and paste the following:

Hidden Content


Hidden Content


Remember to replace the HASHED CONTROL PASSWORD with the following, and the Nickname with whatever you want.

Hidden Content


Now we are ready to run Tor. If you have kept your torrc file under /etc/tor/torrc, this will be the default config. Now run the following (not as root!):

Hidden Content


Wait until Tor finishes connecting and open a new root terminal. Now it's time to install ettercap (you could probably use another tool if you wanted).

Hidden Content


Now our relay is up and running, so how do we start sniffing the traffic? With one simple command:

Hidden Content


This is now a Tor relay which is sniffing all the traffic going through it; you could probably add a filter to modify traffic on the fly. (Currently trying to get this working with a regex; if anyone has any ideas about this then send me a PM. I've already got the filter ready, it just needs a little tweaking.) The filter for replacing text is below. Adding something like this (^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$) to the script below would allow you to replace any Bitcoin address with yours (in theory).


Hidden Content

#2
Excellent tutorial.

I assume the process is similar on the Windows platform when editing the Tor configuration file?

#3
Quote:(09-10-2020, 04:07 AM)mothered Wrote:

Excellent tutorial.

I assume the process is similar on the Windows platform when editing the Tor configuration file?

Although I haven't tested it, I do believe so; it should be cross-platform.

#4
Quote:(09-10-2020, 08:50 AM)Shiroi Õkami Wrote:

Although I haven't tested it, I do believe so; it should be cross-platform.
No problem, appreciate your feedback.

My Tor file is heavily configured, so I'll download a raw/default copy and test it on that.

#5
Quote:(09-10-2020, 10:38 AM)mothered Wrote:

Quote: (09-10-2020, 08:50 AM)Shiroi Õkami Wrote:

Although I haven't tested it, I do believe so; it should be cross-platform.
No problem, appreciate your feedback.

My Tor file is heavily configured, so I'll download a raw/default copy and test it on that.

I'm still trying to figure out how to add a BTC regex to the ettercap filter so that it will modify on the fly; unfortunately, I still haven't been able to figure that part out yet.

#6
Quote:(09-10-2020, 10:55 AM)Shiroi Õkami Wrote:

I'm still trying to figure out how to add a BTC regex to the ettercap filter so that it will modify on the fly; unfortunately, I still haven't been able to figure that part out yet.
I haven't looked into it, so it'll be premature to suggest anything one way or the other.

#7
Thanks for the tutorial; it helped me personally to have a hands-on approach, setting this up in a VM to really understand the full process instead of just reading about it.

#8
If anybody is interested, there are a few white papers on Tor de-anonymization as well. You should check out The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU).


& Operation Onymous


... Just to start you out.

You can further research techniques on both de-anonymization using FOXACID, previously explained by Bruce Schneier. It's a large-scale MITM (man-in-the-middle attack).

Then you can also look at technical writeups on browser-based attacks and



"The most commonly assumed threat is based on a passive adversary that can observe part of the Tor network and is able to compromise and operate his own onion routers. Such an attacker simply observes inputs and outputs of the network and correlates their patterns, so called traffic analysis. The attacker tries to measure similarities in the traffic that the client sends and the traffic that the server receives. Traffic analysis is commonly used in attacks on hidden services that try to de-anonymize users. Tor does not protect against a global passive adversary. Its focus is to prevent attacks where an attacker tries to determine in which points in the network a traffic pattern based attack should be executed. By making it difficult for an attacker to determine where to attack, a precision attack is difficult."

Also definitely check out this paper by the University of Colorado at Boulder



That's already days' worth of research on the topic of attacking Tor in that paper alone. The GitHub link is extensive and you can go as far down the rabbit hole as you wish.