
Hacking with TOR - Why not?


8 replies to this topic

#1 discard

discard

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 20 September 2007 - 03:18 PM

Hey guys I've been hearing a lot about TOR and the TOR browser and it looks like a great replacement for proxies, which often have questionable origins.

So far, in all my research of TOR, I have found nothing to indicate that hacking on TOR (basically HTTP pen testing I guess you would call it) would get you caught.

On TOR's own website, they indicate that ABUSE cannot be stopped. It's a trade-off they say they are willing to accept.

(obviously no personal info is ever going across TOR, cookies and whatever shit are never sent over a direct connection, no writing style that could be identified is ever used, and no personal accounts are ever logged into)

So, ethical issues aside, if somebody hacked the -huge- gibson over TOR are they gonna get busted?

#2 McGrewSecurity

McGrewSecurity

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 338 posts
  • Location:Starkville, MS

Posted 20 September 2007 - 03:34 PM

Short answer: Probably not

Long answer: Depending on the nature of the attack, and how much intelligence is available about what happened (logs, packet captures, forensic analysis of the disks, examination of tools and exploits left lying around), something can be determined about an attack. My research focuses around the profiling of attacks, techniques, and attackers. Much like a real crime scene (or even one you see on CSI) the evidence left behind can often tell you a lot about an attacker's level of skill, attitude, motives, and possible origins. It's often very easy, for example, to look at multiple attacks (that you have some data for) and classify which ones were carried out by the same person or group.

Even without Tor, though, it's very difficult to pin an attack on an actual real-world person, with other proxies, hacked computers used to bounce attacks, etc. The above can provide a good profile though, and get you a few steps closer.

If you were, hypothetically, in control of a system that the attacker is after, a good idea would be to give them information that would uniquely identify them if they're not that bright and screw up. Maybe some "warez" that phones home, subverting TOR, or even data that nobody else would know, like a phone number and extension to an "elevated support line" that they may try and call to social engineer. There are plenty of opportunities for an attacker to let their guard down, and it takes a very well-disciplined bad-guy to never screw up.

If you have bad intelligence on your network in the first place, though, and you find out about the attack once you're listed on Zone-H, you can basically forget it, though.
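The "data that nobody else would know" idea from the post above, sketched as an added example that is not part of the original thread: each intrusion session is shown a decoy support extension derived for that session alone, so a later call to that extension links the caller to the session. The secret, phone numbers, session records and PBX log format are all constructed for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"   # assumption: a real deployment keeps this private
issued = {}                           # extension -> session that was shown it


def issue_extension(session, digits=5):
    """Return a decoy extension shown to this session only (stable per session)."""
    key = "|".join(f"{k}={session[k]}" for k in sorted(session))
    counter = 0
    while True:
        mac = hmac.new(SECRET, f"{key}|{counter}".encode(), hashlib.sha256).digest()
        ext = str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)
        if issued.setdefault(ext, session) == session:
            return ext
        counter += 1  # value already belongs to another session: derive a new one


def decoy_document(session):
    """Text planted where only an intruder would read it."""
    return f"Elevated support line: 555-0100 ext. {issue_extension(session)} (staff only)"


def attribute_calls(pbx_lines):
    """Map PBX log lines that dial an issued extension back to the session."""
    hits = []
    for line in pbx_lines:
        m = re.search(r"caller=(\S+) ext=(\d+)", line)
        if m and m.group(2) in issued:
            hits.append({"caller": m.group(1), "session": issued[m.group(2)]})
    return hits


# Constructed sample data: two sessions seen from different source addresses.
SESSION_A = {"src_ip": "192.0.2.10", "seen": "2007-09-20T15:18", "ua": "Mozilla/5.0 (X11)"}
SESSION_B = {"src_ip": "198.51.100.7", "seen": "2007-09-20T16:12", "ua": "Wget/1.10"}


def demo():
    ext_a = issue_extension(SESSION_A)
    issue_extension(SESSION_B)
    pbx = [f"2007-09-21T09:02 caller=+15555550123 ext={ext_a}",   # dials the decoy
           "2007-09-21T09:05 caller=+15555550199 ext=0"]           # ordinary call
    return attribute_calls(pbx)


if __name__ == "__main__":
    print(decoy_document(SESSION_A))
    print(demo())
```
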

#3 discard

discard

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 20 September 2007 - 03:47 PM

Even without Tor, though, it's very difficult to pin an attack on an actual real-world person, with other proxies, hacked computers used to bounce attacks, etc. The above can provide a good profile though, and get you a few steps closer.


Is there any way that a person using TOR can be traced, besides 3rd party software bypassing TOR?

Would you say that information sent from the browser, such as OS and browser version, would be useful in identifying an attacker?

#4 kitche

kitche

    Hakker addict

  • Members
  • 549 posts

Posted 20 September 2007 - 04:12 PM

If you hit the right exit node then everything that you did would be logged. Probably about 80% of Tor is sniffed on exit. And why would you use Tor for this? It's so slow; by the time you hit your destination you would have probably entered 5 commands before the first one got there.

#5 signull

signull

    SUP3R 31337

  • Members
  • 160 posts

Posted 20 September 2007 - 04:14 PM

Even without Tor, though, it's very difficult to pin an attack on an actual real-world person, with other proxies, hacked computers used to bounce attacks, etc. The above can provide a good profile though, and get you a few steps closer.


Is there any way that a person using TOR can be traced, besides 3rd party software bypassing TOR?

Would you say that information sent from the browser, such as OS and browser version, would be useful in identifying an attacker?

If you're really that paranoid, and don't mind going mobile, then use an open AP.

#6 McGrewSecurity

McGrewSecurity

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 338 posts
  • Location:Starkville, MS

Posted 20 September 2007 - 04:31 PM

Is there any way that a person using TOR can be traced, besides 3rd party software bypassing TOR?


One theoretical attack on Tor is to run enough nodes that you have a good chance of being the first node the person connects to AND their exit node as well, and match things up by the timing and length of connections. In practice, this is very very difficult.

Would you say that information sent from the browser, such as OS and browser version, would be useful in identifying an attacker?


Every bit of information you can get is helpful in putting together a larger picture of "who?", "why?", "where?", and "how?".

If you hit the right exit node then everything that you did would be logged. Probably about 80% of Tor is sniffed on exit. And why would you use Tor for this? It's so slow; by the time you hit your destination you would have probably entered 5 commands before the first one got there.


Tor's great when I'm investigating sites that I wouldn't want to leave my real IP address at. Forums where attackers collaborate, sites that their tools are being hosted from, etc. It's slow but it's pretty reliable, and as long as you keep in mind that what you're doing is being watched, it's no big deal (anonymity and privacy are two different things).

For an attacker it's probably even better. Who cares how slow it is if most of your attack is scripted? The exit-node monitoring is probably more of a concern for attackers. I have heard of large botnets being turned into private Tor networks for the herders, which would solve a lot of the speed and monitoring issues for them.

#7 n3xg3n

n3xg3n

    "I Hack, therefore, I am"

  • Members
  • 960 posts
  • Gender:Male
  • Location:(703)

Posted 20 September 2007 - 04:51 PM

I have recently found Tor to be usable speeds, as in I look down at Tor button to find that it was enabled but I wasn't suffering too dearly...

#8 Zapperlink

Zapperlink

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 951 posts
  • Gender:Not Telling

Posted 20 September 2007 - 06:57 PM

Assuming that you have your client system configured correctly so that such protocols in use are being tunneled through the proxy correctly, then theoretically yes; however, that also assumes your exit node is going to tolerate such traffic. (Some properly configured exit nodes are getting smarter about the traffic they are allowing.)

In short, don't assume that because you installed TOR all pretty and set up your nifty Firefox plugins that it's going to 'keep you anonymous' as you trailblaze the interwebs.

#9 kingospam

kingospam

    SUP3R 31337

  • Members
  • 177 posts

Posted 20 September 2007 - 09:41 PM

By changing the timing of specific packets on the TOR network, you can pinpoint who is talking to whom.

References
=======
http://www.onion-rou...den-servers.pdf
http://www.cs.umass....vine-timing.pdf
http://en.wikipedia....i/Onion_routing
http://ntrg.cs.tcd.i...up10/index.html



