Irongeek

Sniffing a Tor Exit Node: Need some more ideas

21 posts in this topic

Ok, I've decided to sniff a Tor exit node and see what most folks use Tor for, then do a write up. So far the tools I'm using are:

Ettercap

Cain

Driftnet

Ethereal

What other tools should I play with/what sort of things do you want me to find out about?

Ok, I've decided to sniff a Tor exit node and see what most folks use Tor for, then do a write up. So far the tools I'm using are:

Ettercap

Cain

Driftnet

Ethereal

What other tools should I play with/what sort of things do you want me to find out about?

You need a list of financial institutions and other confidential sites and log how many of them are accessed. Not account information, just accesses. It'd be curious to see who actually trusts Tor to do online banking and paypal.


Lots of folks seem to use it for Yahoo email. :)


Ok, I've started to use PIAFCTM to log images since Driftnet is not as functional.


Anyone know a good free tool for making graphs of what ports are being used from a libpcap file?

Anyone know a good free tool for making graphs of what ports are being used from a libpcap file?

This was the same idea (sniffing exit nodes) that kids got called the "best hacker in the world" (or some crap). I know you're just doing it for research/fun.... Anyways... on utilities, "sniffit" and "iftop" might be useful. About the graphing. I don't know of anything right off that'll do it out of the box for you - but look into "rrdtool". It's the same people that created MRTG, and is probably right with what you need.

Also, you might want to look into Wireshark/ethereal's abilities.... Anyways, hope this helps and look forward to reading what you've found!


Make a database for data-mining purposes. Then send me the database.


I'm sure you have thought about it, but you might want to avoid keeping images. I would guess that as Tor is almost untraceable people would use it to access illegal content (i.e. child porn). Possibly not the best stuff to have on your server. Especially if that machine was used to access it.


Yeah, I've realized that, that's one of the reasons the project is on hold. :)


Can you give us any stats on uses of Tor so far?

Edited by Swerve

I'm still wanting to find a good package to make such stats.


Why don't you just leave a packet sniffer running for a while and dump all the output then just write something in perl to parse it ?

Why don't you just leave a packet sniffer running for a while and dump all the output then just write something in perl to parse it ?

Because I'm very lazy and was hoping there was already something that fit my needs.


Sniffing tor exit nodes is "relatively" new. It's been done for months now, but months is still "new" relatively speaking. If you'd like, I could help you write some tools (in C, of course). Let me know what you need, and I can help.


Well, I'm thinking something that lists bytes per port from a pcap file so we could get an idea about usage. What do you think?

Thanks.


That shouldn't be hard to do at all. I haven't worked with pcap, but it probably won't be hard at all.

That shouldn't be hard to do at all. I haven't worked with pcap, but it probably won't be hard at all.

pcap is easy to use in C (and, actually, quite fun). There is also Net::Pcap for Perl. The only reason I mention it is that with RRDTool and Net::Pcap, creating pretty graphs should be easy. If you're planning on doing it in C still, what's the graphic output (just curious)? GD works okay... I ask because I'd be interested in knowing for my own future development.


You could pipe the output from tcpdump into a C++ parser, which I will be willing to code if you could show a sample tcpdump output. For the graphing we could try to use the graphing library that comes with Boost.

You could pipe the output from tcpdump into a C++ parser, which I will be willing to code if you could show a sample tcpdump output. For the graphing we could try to use the graphing library that comes with Boost.

Err.. why write a parser? You can read pcap files directly with the pcap library. Just save the exit node data to a pcap file, then run your program to pull the data in and give it to you. No need for parsing the output, and pcap is pretty trivial to learn.....

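As an added example (not code from this thread or from any of the posters), here is a small Python script that does what the last few posts discuss: it reads a libpcap file directly, without parsing tcpdump's text output, and sums on-the-wire bytes per service port, which is the "bytes per port from a pcap file" stat asked for earlier. It uses only the standard library, so no libpcap or Net::Pcap binding is required. Assumptions: the capture uses the Ethernet or raw-IPv4 link type, only IPv4 TCP/UDP is counted, and each packet is attributed to the lower-numbered of its two ports as a heuristic for the service port (so both directions of an HTTP connection land on port 80). The addresses, ports and the in-memory sample capture are constructed so the script runs offline; pass a real .pcap path as the first argument to use it on a capture.

```python
"""Bytes per service port from a libpcap (.pcap) file, standard library only.
Added example: the pcap container and Ethernet/IPv4/TCP/UDP headers are decoded by hand.
"""
import struct
import sys
from collections import Counter

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond and nanosecond timestamp variants
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IPV4 = 101


def iter_pcap_records(data):
    """Yield (linktype, orig_len, packet_bytes) for each record in a pcap byte string."""
    if len(data) < 24:
        raise ValueError("not a pcap file: header too short")
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        endian = "<"            # written by a little-endian host
    elif struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        endian = ">"            # written by a big-endian host
    else:
        raise ValueError("not a pcap file: bad magic")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:   # truncated final record (capture stopped mid-write)
            break
        off += incl_len
        yield linktype, orig_len, pkt


def service_port(linktype, pkt):
    """Return ('tcp'|'udp', port) for an IPv4 TCP/UDP packet, else None.
    Heuristic (assumption): the lower-numbered port is the service port, so both
    directions of a connection count toward the same service (80, not 40000)."""
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14:
            return None
        ethertype = struct.unpack("!H", pkt[12:14])[0]
        ip = pkt[14:]
        if ethertype == 0x8100 and len(pkt) >= 18:   # 802.1Q VLAN tag: skip 4 bytes
            ethertype = struct.unpack("!H", pkt[16:18])[0]
            ip = pkt[18:]
        if ethertype != 0x0800:                      # not IPv4 (ARP, IPv6, ...)
            return None
    elif linktype == LINKTYPE_RAW_IPV4:
        ip = pkt
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                         # IPv4 header length incl. options
    proto = ip[9]
    l4 = ip[ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return ("tcp" if proto == 6 else "udp", min(sport, dport))


def bytes_per_port(data):
    """Sum on-the-wire bytes (orig_len) per (proto, service_port) over a pcap byte string."""
    totals = Counter()
    for linktype, orig_len, pkt in iter_pcap_records(data):
        key = service_port(linktype, pkt)
        if key is not None:
            totals[key] += orig_len
    return totals


def report(totals):
    """Render totals as text lines, largest first."""
    rows = sorted(totals.items(), key=lambda kv: -kv[1])
    return "\n".join(f"{proto}/{port:<5} {n:>10} bytes" for (proto, port), n in rows)


# --- constructed sample capture so the script runs offline -------------------
def _frame(proto, sport, dport, payload):
    """Build an Ethernet/IPv4/{TCP,UDP} frame with zeroed checksums (constructed data)."""
    l4 = struct.pack("!HH", sport, dport)
    l4 += b"\x00" * 16 if proto == 6 else struct.pack("!HH", 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + l4 + payload


def build_pcap(frames, endian="<", linktype=LINKTYPE_ETHERNET):
    """Wrap raw frames in a pcap container (global header + per-record headers)."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack(endian + "IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def sample_capture(endian="<"):
    """Constructed capture: two HTTP packets, one HTTPS, one DNS and one ARP frame."""
    arp = b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28
    return build_pcap([
        _frame(6, 40000, 80, b"G" * 100),    # client -> server   (154 bytes on the wire)
        _frame(6, 80, 40000, b"R" * 500),    # server -> client   (554 bytes, same service)
        _frame(6, 40001, 443, b"T" * 200),   # 254 bytes
        _frame(17, 40002, 53, b"D" * 30),    # 72 bytes
        arp,                                 # ignored: not IPv4
    ], endian=endian)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    print(report(bytes_per_port(raw)))
```

The per-port totals are plain Counter entries, so feeding them into rrdtool or any plotting library is a one-line loop; counting by destination port instead of the lower port is a one-word change in service_port if you want to separate request and response volume.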
