Originally posted to whitedust.net (Broken): http://www.whitedust.net/article/28/TOR:%20The%20Ying%20or%20the%20Yang?/
Archive.org version: https://web.archive.org/web/20060601202144/http://www.whitedust.net/article/28/TOR:%20The%20Ying%20or%20the%20Yang?/
Slashdot post: http://it.slashdot.org/story/05/07/22/1955246/tor---the-yin-or-the-yang
Tor, The Onion Router, is an interesting tool that can be used for good or evil. What the creator of Tor wants you to think is that it is an anonymization tool that lets users connect to servers without worrying that those servers are logging every detail of their browser, email address, and other information. In my own opinion, I think they just wanted to create a hacking tool that would allow them, and others, not to get caught. But we will get to that later.
After surfing to the Tor website, the average user can have a Tor client up and running, surfing the Internet, chatting on their favorite IRC client, or connecting to a peer-to-peer network such as Limewire, Shareaza, BitTorrent or eDonkey, within minutes. He or she will have successfully become, metaphorically, an 'it' to the rest of the Internet.
How does it work? As a user, how do I install and use Tor? And as a network administrator, how do I defend against Tor internally and externally? Or better yet, how do I use it to investigate attacks on my network?
Tor! How do you work?
When you start your Tor client, it downloads a list of 'nodes' into a “cached-directory” file. This list is completely dynamic and constantly growing, because users are installing and uninstalling servers (nodes) all the time.
Bob starts his Tor client, which automatically refreshes his list of nodes.
Now the fun part: Bob's client maps a 'random' path to his destination server, whether it is his IRC server, such as irc.cad-net.org, or his favorite website, such as Whitedust.net (I swear, I'm not getting paid for this... promise). Anyway, the server he is connected to ONLY sees the connection from the last node, or “exit” node, making Bob completely invisible to everyone except his entry node.
If Bob wants to access another site or IRC server, a new 'random' route is created. Tor is not limited to web traffic or IRC traffic: any piece of software that can be configured to connect to the IP address 127.0.0.1 over SOCKS4 or SOCKS5 can be successfully connected through the wonderful world of the Tor network.
I'm a user! How do I install and get this up and running on my system? (RTFM)
1. Download: From Tor's website, tor.eff.org, you can download Tor for Windows, Mac OS X, Red Hat Linux, Debian, FreeBSD, OpenBSD, NetBSD, and Gentoo. Users of other OSes can scour the Internet and most likely come up with a version for their OS.
2. Installation: Once you have Tor downloaded, installation on all of the operating systems is a snap. Next -> Next -> Install -> Finish is all it takes on Windows. Yum, Emerge and Portage take care of it for the Linux and BSD users. Oh, and for you Mac people, follow the Windows instructions. That's gotta hurt.
3. RUN: Run Tor. Be it the executable or the 'shortcut', click it or type it and press your handy dandy carriage return.
4. The Wait: Once it is running, you will get a console screen with a couple of lines on it, similar to this Windows version screenshot:
Sometimes getting an 'open circuit' can take up to 2 minutes. Once Tor has established an 'open circuit', it listens on the local host for traffic over port 9050.
5. Configuration: Now we have to configure your browser to use Tor. Under your browser's proxy settings, set the IP address to 127.0.0.1, port 9050. This will tell your browser to send its web traffic to your Tor listener. For any other application or service, find its proxy settings and configure it as we just did for your browser. Before you connect, check and make sure that Tor has “successfully opened a circuit”; if so, start surfing/chatting/hacking.
The whole process from start to finish took me about 5 minutes: finding the correct download for my OS, downloading it, installing it, and configuring my browser. Now, I am not going to go too far off-topic, but on the Tor site they tell you to install another piece of software called “Privoxy”. It supposedly catches all the other traffic that isn't sent through Tor, to make you 'more anonymous'.
I am the Network Admin. I am God… Help me?
Here is where we have to get into the nitty-gritty. For us, Tor is bad, very bad. Tor gives our users the ability to circumvent all of our firewall, IPS, IDS, and router configurations, which means they can chat, surf to Hotmail, and play Quake online. They can do all this without us knowing, and without any of our hardware/software 'protection' systems knowing. So, how do you defend against a dynamic enemy that never has the same IP address and can carry all of its traffic over ports 80 and 443? In 4 ways, starting from the bottom up:
1. Administration: Don't allow anyone local administrator rights on their own computer. Unless they have a specific job-related reason to have that access, it is a liability. This is one of the Ten Commandments of Network Administration anyway. But if you don't know how to lock your systems down enough to prevent the installation of Tor, I have three words for you: WWW GOOGLE COM.
2. Prevention: Block all traffic to the following IP addresses: 86.59.5.130 (asteria.debian.or.at), 18.244.0.114 (belegost.mit.edu), 18.244.0.188 (moria.mit.edu). These are the directory servers, where the user's client gets the dynamic list of node IP addresses. When Tor is started for the first time on a local machine, it queries the aforementioned IP addresses and downloads a file called “cached-directory”. These servers are contacted over ports 80, 443, 9001, and 9031. Now, a user could actually install Tor at home, download the cached-directory file and bring it to work, but most users won't take that kind of time, and by the time they figure out to try that you have already got a bead on them.
3. Detection: Say this user is bent on getting around your rules, and now has their cached-directory file in place. When Tor is started, it tries to download a fresh cached-directory file. Blocked. Then it tries the first server on the stored list. Each individual server specifies to the directory servers which ports it wants open to Tor users; it could allow only 9001 in and out. This is where you can catch that user. Set your IPS or IDS to trigger on any traffic going out over port 9001 or 9031. These ports do not carry normal traffic, which will limit the false positives you see on your IDS/IPS. So, when that user runs Tor, he might get lucky on the first one and go over port 80 or 443. But remember that Tor chooses a new 'random' route with each connection. So, for the next website the user goes to, Tor might try a couple of 9001 or 9031 servers before it gets a connection through on 80 or 443. When your IPS/IDS detects those signatures, you can assume that the user at that internal IP address has installed Tor and is attempting to use it, or is already using it successfully.
4. Protection: Externally, there is no way to protect against a hacker that uses Tor. Your best protection is just keeping your firewall, IDS, IPS, and router configurations up to date. Tor doesn't create holes in your network unless an internal user sets it up, and we have already discussed how to prevent that.
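As an added illustration of the Prevention and Detection points above (this is example code written for this page, not something from the original article or from the Tor project), here is a small log-review script that applies the two indicators the article gives, connections to the three listed directory server addresses and outbound connections on ports 9001 or 9031, to a constructed outbound-connection log. The log format and every address other than the three directory servers are made up for the example.

```python
# Added example: flag internal hosts whose outbound connections match the
# article's two Tor indicators. Log format and non-directory IPs are constructed.
import re
from collections import defaultdict

# Directory server addresses exactly as the article lists them (2005 data).
DIRECTORY_SERVERS = {
    "86.59.5.130": "asteria.debian.or.at",
    "18.244.0.114": "belegost.mit.edu",
    "18.244.0.188": "moria.mit.edu",
}
# Ports the article says carry no normal traffic, so any outbound hit is suspect.
TOR_OR_PORTS = {9001, 9031}

# Constructed log line format: "<time> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def classify(line):
    """Return (src_ip, reason) when a line matches a Tor indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line: ignore rather than guess
    _, src, dst, port = m.groups()
    port = int(port)
    if dst in DIRECTORY_SERVERS:  # indicator 1: directory fetch on any port
        return src, f"directory fetch to {DIRECTORY_SERVERS[dst]} ({dst}) port {port}"
    if port in TOR_OR_PORTS:      # indicator 2: OR port the article says is unused
        return src, f"outbound OR port {port} to {dst}"
    return None


def scan(lines):
    """Group indicator hits by internal source address."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            src, reason = result
            hits[src].append(reason)
    return dict(hits)


# Constructed sample log: 10.0.0.5 trips both indicators, 10.0.0.9 is clean.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 -> 18.244.0.188:80
12:00:02 10.0.0.9 -> 203.0.113.20:443
12:00:05 10.0.0.5 -> 198.51.100.7:9001
12:00:06 10.0.0.9 -> 203.0.113.21:80
12:00:09 10.0.0.5 -> 198.51.100.8:443
""".splitlines()

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Note that the port 443 connection from 10.0.0.5 is not flagged on its own, which is exactly the article's point: the directory fetch and the 9001/9031 attempts are what give the host away.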
I’m Still God. How do I use Tor to ‘investigate’ attacks on my network?
There is an upside to Tor: once we have all of our policies and blocks in place so an internal user can't punch holes in our network, we can start to use Tor to our advantage. Say we install a Tor client in our DMZ. Now that we have a clear way out, we can use any number of tools to 'investigate' an attack attempt. http://www.oreillynet.com/pub/wlg/7333 links to an article by Nitesh Dhanjani called “Launching Attacks via Tor”, which details using Nessus through the Tor network.
Are you done yet?
Tor is a perfect way for a home user to satisfy his or her need for anonymity, for the hacker not to get caught, or for the network admin to check out an attacker anonymously, but it creates a big concern for the network administrator, even though it is also a tool for them. I personally hope that the creators of Tor have the decency to keep the directory servers the same, to ensure that it is easy for the poor, lonely, no-girlfriend network admin to block Tor, so that it stays a useful tool and not just a headache.