Using Tor
Introduction
One may want to hide their origin when connecting to remote hosts.
This can be achieved by tunnelling through the Tor network with tor and proxychains.
Setup
Install tor:
sudo apt update
sudo apt install tor -y
Install proxychains:
sudo apt update
sudo apt install proxychains -y
Edit your proxychains config (location: /etc/proxychains4.conf).
Use the SOCKS5 version instead (bottom of proxychains4.conf):
#socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
Edit the config file to enable (uncomment) these lines:
proxy_dns
dynamic_chain
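Before trusting a proxychains-wrapped command it is worth checking that the three edits above actually took effect, since a forgotten proxy_dns line means every hostname is resolved by the local resolver outside the tunnel. The following is an added example for these notes (not part of the original page or of proxychains itself): a small auditor that parses a proxychains4.conf, ignores commented lines, and reports what is still missing. The two sample configs are constructed here; the "expected" settings are exactly the ones this page asks for (proxy_dns, dynamic_chain as the single active chain mode, and a socks5 entry in [ProxyList]).

```python
"""Audit a proxychains4.conf for the settings this page asks for.

Added example for these notes, not part of the original page or of proxychains.
"""

# proxychains-ng accepts exactly one of these chain modes at a time.
CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain", "round_robin_chain")


def parse_proxychains_conf(text: str) -> tuple[set[str], list[tuple[str, str, str]]]:
    """Return (active option keywords, [(type, host, port), ...] from [ProxyList])."""
    options: set[str] = set()
    proxies: list[tuple[str, str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment; blank lines are ignored
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "proxylist":
            parts = line.split()
            if len(parts) >= 3:
                proxies.append((parts[0].lower(), parts[1], parts[2]))
        else:
            options.add(line.split()[0].lower())
    return options, proxies


def audit_proxychains_conf(text: str) -> list[str]:
    """List the problems a practitioner would want fixed; an empty list means OK."""
    options, proxies = parse_proxychains_conf(text)
    findings = []
    if "proxy_dns" not in options:
        findings.append("proxy_dns is commented out: names are resolved by the local "
                        "resolver outside the tunnel (DNS leak)")
    active_modes = [m for m in CHAIN_MODES if m in options]
    if "dynamic_chain" not in active_modes:
        findings.append("dynamic_chain is not enabled (the setup on this page uses it)")
    if len(active_modes) > 1:
        findings.append("more than one chain mode is active (%s); leave exactly one "
                        "uncommented" % ", ".join(active_modes))
    if not proxies:
        findings.append("[ProxyList] has no entries: nothing to tunnel through")
    for kind, host, port in proxies:
        if kind != "socks5":
            findings.append("%s %s %s: this setup expects socks5 (SOCKS5 carries hostnames, "
                            "IPv6 and authentication; plain SOCKS4 does not)" % (kind, host, port))
    return findings


# Constructed sample resembling an untouched default: strict_chain on, proxy_dns
# off, socks4 entry (the three things the page tells you to change).
DEFAULT_LIKE_CONF = """\
strict_chain
#dynamic_chain
#proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050
"""

# Constructed sample after the edits described on this page.
HARDENED_CONF = """\
#strict_chain
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
#socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
"""

if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /etc/proxychains4.conf) to audit a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_LIKE_CONF
    for finding in audit_proxychains_conf(text) or ["no findings"]:
        print("-", finding)
```

Run it as `python3 audit_proxychains.py /etc/proxychains4.conf`; a clean run prints "no findings". A config with both strict_chain and dynamic_chain uncommented is reported too, because only one chain mode should be active.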
Set up Tor for hidden service hosting (for reverse connections)
Generate a password for the ControlPort:
tor --hash-password "<yourpassword>"
At the bottom of the /etc/tor/torrc file:
ControlPort 9051
HashedControlPassword <generated password>
Usage
proxychains [-q] <command>   (-q for quiet)
Test that your connection is tunnelled as intended:
proxychains curl ifconfig.me
(or)
proxychains curl checkip.dyndns.org
Or using ./myip.sh: curl -s checkip.dyndns.org | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' -o
In most cases, ifconfig.me won't answer if you curl it through a Tor relay.
You can also test for DNS leaks with macvk/dnsleaktest (dnsleaktest.sh):
proxychains ./dnsleaktest.sh
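The curl checks above only show an address; they do not tell you whether the name lookup itself went through Tor. The following is an added example for these notes (not from the original page): a standard-library Python client that talks SOCKS5 directly to the Tor SOCKS port assumed from the config above (127.0.0.1:9050), hands Tor the hostname (SOCKS5 address type 3) so the name is resolved inside the circuit rather than by the local resolver, and then asks the Tor Project's check service (https://check.torproject.org/api/ip, which returns JSON with IsTor and IP fields) whether the exit is a known Tor relay. The message builders and parsers are pure functions; only check_via_tor() touches the network.

```python
"""Verify that a connection leaves through Tor, with the DNS lookup inside the circuit.

Added example for these notes (not part of the original). Assumes Tor's SOCKS
port is 127.0.0.1:9050, as in the proxychains config on this page.
"""
import json
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)      # same proxy as in /etc/proxychains4.conf
CHECK_HOST = "check.torproject.org"  # Tor Project's "am I using Tor?" service
CHECK_PATH = "/api/ip"               # returns JSON: {"IsTor": bool, "IP": "..."}

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def socks5_greeting() -> bytes:
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, 0])


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """CONNECT request carrying the domain name (ATYP 3).

    Sending the name instead of a locally resolved IPv4 address is what keeps the
    DNS lookup inside Tor; curl's socks5h:// and proxy_dns in proxychains do the same.
    """
    name = hostname.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must fit in one byte")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> tuple[bool, str]:
    """Interpret the fixed part of the server reply: VER REP RSV ATYP."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        return False, "malformed reply (not SOCKS5)"
    rep = data[1]
    return rep == 0, REPLY_TEXT.get(rep, "unknown reply code %d" % rep)


def interpret_check_body(body: str) -> tuple[bool, str]:
    """Parse the JSON from /api/ip into (is_tor, exit_ip)."""
    doc = json.loads(body)
    return bool(doc.get("IsTor")), str(doc.get("IP", ""))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def _skip_bound_address(sock: socket.socket, atyp: int) -> None:
    """Consume BND.ADDR and BND.PORT so the stream is positioned at the payload."""
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    else:
        raise ConnectionError("unknown address type %d in reply" % atyp)
    _recv_exact(sock, 2)


def check_via_tor() -> tuple[bool, str]:
    """Open a stream through Tor's SOCKS port and query the check service."""
    with socket.create_connection(TOR_SOCKS, timeout=30) as raw:
        raw.sendall(socks5_greeting())
        if _recv_exact(raw, 2) != bytes([SOCKS_VERSION, 0]):
            raise ConnectionError("proxy refused 'no authentication'")
        raw.sendall(socks5_connect_request(CHECK_HOST, 443))
        head = _recv_exact(raw, 4)
        ok, why = parse_socks5_reply(head)
        if not ok:
            raise ConnectionError("SOCKS CONNECT failed: " + why)
        _skip_bound_address(raw, head[3])
        # TLS is negotiated end to end with the check service; Tor only relays bytes.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=CHECK_HOST) as tls:
            # HTTP/1.0 so the reply is not chunk-encoded and ends when the peer closes.
            tls.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (CHECK_PATH, CHECK_HOST)).encode())
            response = b""
            while chunk := tls.recv(4096):
                response += chunk
    parts = response.split(b"\r\n\r\n", 1)
    return interpret_check_body(parts[1].decode() if len(parts) > 1 else "{}")


if __name__ == "__main__":
    is_tor, ip = check_via_tor()
    print("exit address %s, recognised as Tor: %s" % (ip, is_tor))
```

Running it prints the exit address and whether the check service recognises it as a Tor relay; a False here with a working Tor daemon means traffic is not leaving through Tor at all. Because the script speaks SOCKS5 itself, it works without proxychains and is a useful cross-check when proxychains' own output is in doubt.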
From there you can run msfconsole through the tunnel:
proxychains -q msfconsole
Tool for monitoring DNS queries of the system
Remote forwarding ports on WAN
Alternative: serveo.net
Example with localhost.run (https://localhost.run/):
ssh -R 80:localhost:8080 nokey@localhost.run
Tunnelling reverse connections
For a lot of exploitation, the target machine has to connect back to the attacker.
With the previous method, only connections initiated from the attacker are tunnelled.
However, we may want an anonymous endpoint so that the victim can connect back to us.
One method is via ngrok, which works fine.
However, ngrok requires an account and an API token, so there is no anonymity between us and ngrok.
Solution:
Set up a Tor hidden service (<long_url>.onion) which forwards to a local port, and
use Tor2Web in order to make this hidden service accessible to anyone.
This can be done quite easily in Python with the stem library.
Setup
Here is a basic template of the Python file that creates a temporary hidden service.
This code can be customized. In its current state it forwards port 80 of the hidden service to localhost:5000.
Tor2Web doesn't need a local installation.
In order to access a .onion hidden service from the WWW, you can add .foundation to the address (check the Tor2Web doc).
import os
import shutil

from stem.control import Controller

# The ControlPort is protected by the HashedControlPassword set in torrc above, so
# authenticate() needs the clear-text password. It is read from an environment
# variable here (a choice made for this template) rather than stored in the file.
CONTROL_PASSWORD = os.environ.get("TOR_CONTROL_PASSWORD")

print(' * Connecting to tor')

with Controller.from_port() as controller:  # ControlPort 9051 by default
    controller.authenticate(password=CONTROL_PASSWORD)

    # All hidden services have a directory on disk. Let's put ours in tor's data
    # directory.
    hidden_service_dir = os.path.join(controller.get_conf('DataDirectory', '/tmp'), 'hello_world')

    # Create a hidden service where visitors of port 80 get redirected to local
    # port 5000
    print(" * Creating our hidden service in %s" % hidden_service_dir)
    result = controller.create_hidden_service(hidden_service_dir, 80, target_port=5000)

    # The hostname is only available when we can read the hidden service
    # directory. This requires us to be running with the same user as tor.
    if result.hostname:
        print(" * Our service is available at %s, press ctrl+c to quit" % result.hostname)
        print("Add .foundation to the URL to use with Tor2Web")
    else:
        print(" * Unable to determine our service's hostname, probably due to being unable to read the hidden service directory")

    try:
        input("Press a key to exit")
    finally:
        # Shut down the hidden service and clean it off disk. Note that you *don't*
        # want to delete the hidden service directory if you'd like to have this
        # same *.onion address in the future.
        print(" * Shutting down our hidden service")
        controller.remove_hidden_service(hidden_service_dir)
        shutil.rmtree(hidden_service_dir)
Usage
Use msfconsole with proxychains in order to tunnel exploitations.
Use the hidden service hostname as LHOST for the exploitation. Be careful: it only works with reverse HTTP or HTTPS payloads.