
Author Topic: Tor control port - self-renewing proxy  (Read 4343 times)


Offline frog

  • Knight
  • Posts: 232
  • Cookies: 16
Tor control port - self-renewing proxy
« on: February 12, 2014, 06:32:10 PM »
I recently discovered you can control the Tor service using the control port (9051). On Linux, this was turned off by default. If you are running Tor on Linux, you have to edit /etc/torrc and enable the control port. Once you do, you can log in to this port using telnet and interact with the Tor service. I wanted a way to automatically change my exit node interactively through scripts, so I found this useful.

Once you modify torrc, restart the Tor service. When it's back up, log in to port 9051 on localhost using telnet. Next you have to authenticate by typing ' authenticate "" ', and if you did not enable any of the special authentication settings in the torrc (hash or cookie, for example) then you should get an OK response from the service. After this, type ' signal newnym ', which will (according to the Tor control protocol spec) switch to clean circuits, so new application requests don't share any circuits with old ones. It also clears your client-side DNS cache.

With nmap and proxychains this could make for a useful 'anonymous' scanning utility.

Example (scan):
Code: (bash)
$ proxychains nmap -sT -Pn -iR 7000000 -p23 -v --open > open-telnet.txt &   # Scan 7 million random hosts for open telnet ports and save the results to a file; -sT because proxychains only hooks connect(), so a raw SYN scan would go around Tor

$ while true; do python new-proxy.py; sleep 300; done &   # Every 5 min call a Python script that uses telnetlib to issue the Tor control command to effectively renew the proxy

While all this runs in the background, you could parse the file with a script to try default/weak username/password combinations on any active hosts, logging any success to a file for later exploration.
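The authenticate / signal newnym exchange described above, as a script that could stand in for new-proxy.py. This is an added example, not code from the original post or from the Tor project: it talks to the control port over a plain socket instead of telnetlib (which was removed from the Python standard library in 3.13), handles the cookie and hashed-password authentication the post mentions as well as the empty-string form, and checks every status line instead of assuming 250 OK. The class and function names are made up, and fake_tor_responder is a constructed stand-in for the daemon so the exchange can be run offline over a socketpair.

```python
"""Tor control-port client: AUTHENTICATE, then SIGNAL NEWNYM.
Added example, not code from the original post or from the Tor project. Assumes
the control-spec wire format (CRLF-terminated commands; "NNN-text" continues a
reply, "NNN text" ends it) and the real torrc options ControlPort,
CookieAuthentication and HashedControlPassword. All names are made up;
fake_tor_responder is a constructed stand-in so the exchange runs without Tor.
"""
import socket
import threading

class TorControlError(Exception):
    pass

def quote_string(s):
    """Render a control-spec QuotedString: backslash-escape \\ and \"."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def read_reply(lines_in):
    """Consume one complete reply from an iterator of raw CRLF lines (a binary
    socket file is one); return (status, [text lines])."""
    lines = []
    while True:
        line = next(lines_in, b"").decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise TorControlError("connection closed or malformed reply: %r" % line)
        lines.append(line[4:])
        if line[3] == " ":                  # "NNN text" is the final line
            return line[:3], lines

class TorControl:
    """Wraps a connected socket: TorControl(socket.create_connection(("127.0.0.1", 9051)))."""
    def __init__(self, sock):
        self.sock, self.rfile = sock, sock.makefile("rb")

    def command(self, line):
        """Send one command; return its reply lines, raising unless the status is 250."""
        self.sock.sendall(line.encode("ascii") + b"\r\n")
        status, lines = read_reply(self.rfile)
        if status != "250":
            raise TorControlError("%s %s" % (status, lines[-1]))
        return lines

    def authenticate(self, password=None, cookie_path=None):
        if cookie_path is not None:         # torrc: CookieAuthentication 1
            with open(cookie_path, "rb") as fh:
                cookie = fh.read()
            if len(cookie) != 32:
                raise TorControlError("cookie is %d bytes, expected 32" % len(cookie))
            arg = cookie.hex()              # the cookie goes over as unquoted hex
        elif password is not None:          # torrc: HashedControlPassword <hash>
            arg = quote_string(password)
        else:                               # nothing configured: authenticate ""
            arg = '""'
        self.command("AUTHENTICATE " + arg)

    def newnym(self):
        self.command("SIGNAL NEWNYM")       # Tor rate-limits this; the reply is checked

    def close(self):
        self.rfile.close()
        self.sock.close()

def fake_tor_responder(conn, password):
    """Constructed stand-in for Tor's control port, answering AUTHENTICATE and
    SIGNAL NEWNYM with the status codes Tor itself uses (password auth only)."""
    rfile, authed = conn.makefile("rb"), False
    for raw in rfile:
        cmd = raw.decode("ascii", "replace").rstrip("\r\n")
        if cmd.upper().startswith("AUTHENTICATE"):
            if cmd[13:] == quote_string(password):
                authed = True
                conn.sendall(b"250 OK\r\n")
            else:                           # Tor hangs up after a failed attempt
                conn.sendall(b"515 Authentication failed: Password did not match"
                             b" HashedControlPassword value from configuration\r\n")
                break
        elif not authed:
            conn.sendall(b"514 Authentication required.\r\n")
        elif cmd.upper() == "SIGNAL NEWNYM":
            conn.sendall(b"250 OK\r\n")
    rfile.close()                           # close the file too, or the fd lives on
    conn.close()

def renew_identity(configured_password, attempt):
    """Run the client against the fake responder over a socketpair; return
    "renewed" on success or the daemon's error line on failure."""
    client_end, server_end = socket.socketpair()
    worker = threading.Thread(target=fake_tor_responder,
                              args=(server_end, configured_password))
    worker.start()
    ctl = TorControl(client_end)
    try:
        ctl.authenticate(password=attempt)
        ctl.newnym()
        return "renewed"
    except TorControlError as err:
        return str(err)
    finally:
        ctl.close()
        worker.join()
```

Against a live daemon the sequence is `ctl = TorControl(socket.create_connection(("127.0.0.1", 9051)))`, then `ctl.authenticate()` (or `authenticate(cookie_path=...)` / `authenticate(password=...)` to match what torrc enables), `ctl.newnym()`, `ctl.close()`. With CookieAuthentication the scripting user needs read access to the cookie file, which is exactly the control you want when Tor runs under its own account; the thread's 300-second loop is comfortably above the rate limit Tor applies to NEWNYM.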

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: Tor control port - self-renewing proxy
« Reply #1 on: February 12, 2014, 08:54:22 PM »
Quote from: frog on February 12, 2014, 06:32:10 PM
> I recently discovered you can control the Tor service using the control port (9051). On Linux, this was turned off by default. If you are running Tor on Linux, you have to edit /etc/torrc and enable the control port. Once you do, you can log in to this port using telnet and interact with the Tor service. I wanted a way to automatically change my exit node interactively through scripts, so I found this useful.
>
> Once you modify torrc, restart the Tor service. When it's back up, log in to port 9051 on localhost using telnet. Next you have to authenticate by typing ' authenticate "" ', and if you did not enable any of the special authentication settings in the torrc (hash or cookie, for example) then you should get an OK response from the service. After this, type ' signal newnym ', which will (according to the Tor control protocol spec) switch to clean circuits, so new application requests don't share any circuits with old ones. It also clears your client-side DNS cache.
>
> With nmap and proxychains this could make for a useful 'anonymous' scanning utility.
>
> Example (scan):
> Code: (bash)
> $ proxychains nmap -sT -Pn -iR 7000000 -p23 -v --open > open-telnet.txt &   # Scan 7 million random hosts for open telnet ports and save the results to a file; -sT because proxychains only hooks connect(), so a raw SYN scan would go around Tor
>
> $ while true; do python new-proxy.py; sleep 300; done &   # Every 5 min call a Python script that uses telnetlib to issue the Tor control command to effectively renew the proxy
>
> While all this runs in the background, you could parse the file with a script to try default/weak username/password combinations on any active hosts, logging any success to a file for later exploration.

Didn't know that, thanks for sharing.
I would suggest using the -n switch for a speed enhancement and to prevent leaking at the source.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline frog

  • Knight
  • Posts: 232
  • Cookies: 16
Re: Tor control port - self-renewing proxy
« Reply #2 on: February 13, 2014, 02:10:22 AM »
No doubt; obviously 7 mil hosts is way too many and would take forever. I started a 7000-host scan through Tor about 12 hours ago and it still wasn't done when I woke up (about 10% complete). I wonder if -n would have sped it up that much.
« Last Edit: February 13, 2014, 02:13:22 AM by frog »

Z3R0

  • Guest
Re: Tor control port - self-renewing proxy
« Reply #3 on: February 13, 2014, 08:22:24 AM »
Holy shit, I had no idea Tor had a control port. I'd really like to see someone write a script that brute-forces the authentication and changes entry nodes. Could make for an epic MITM attack!
« Last Edit: February 13, 2014, 08:22:45 AM by m0rph »

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: Tor control port - self-renewing proxy
« Reply #4 on: February 13, 2014, 08:49:42 AM »
Quote from: frog on February 13, 2014, 02:10:22 AM
> No doubt; obviously 7 mil hosts is way too many and would take forever. I started a 7000-host scan through Tor about 12 hours ago and it still wasn't done when I woke up (about 10% complete). I wonder if -n would have sped it up that much.

Well, maybe not that much, but realize that it comes with a timeout.
It will query some DNS server and wait for a response; that query can take quite some time when running through Tor.
If you really need the hostname, I would suggest running nmap again with the -n switch on the hosts that are known to have this service running.
You can also mess around with the timeouts, since only a connect scan can be done through the tunnel.
In fact, if all you need to know is whether that port is open, I suggest you write some script to do it.
Nmap is great but at times also too bulky.
« Last Edit: February 13, 2014, 08:50:29 AM by proxx »

Offline frog

  • Knight
  • Posts: 232
  • Cookies: 16
Re: Tor control port - self-renewing proxy
« Reply #5 on: February 14, 2014, 02:36:30 AM »
Quote from: proxx on February 13, 2014, 08:49:42 AM
> Well, maybe not that much, but realize that it comes with a timeout.
> It will query some DNS server and wait for a response; that query can take quite some time when running through Tor.
> If you really need the hostname, I would suggest running nmap again with the -n switch on the hosts that are known to have this service running.
> You can also mess around with the timeouts, since only a connect scan can be done through the tunnel.
> In fact, if all you need to know is whether that port is open, I suggest you write some script to do it.
> Nmap is great but at times also too bulky.

Agreed. I think writing a script that tries a basic socket.connect() on a certain port would be a much better way to look for hosts with a certain port open. The benefit of nmap is that it will do the random host scan for me, whereas if I tried to implement that in Python it would be a lot of work just to stay within valid IP ranges. I could be wrong, but I figured writing IP-range scanning code would be a waste of time if nmap could just log to a file and I could parse it.

Also, @m0rph, using telnet libraries and any scripting language could be the first step in implementing a brute-force tool for the authentication. Sounds simple in theory; I haven't used the auth for the Tor control port, so I don't know exactly what's going on back there. Good idea though.
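The socket.connect() probe frog describes, as an added example that is not part of the original post or of the Tor project. It speaks SOCKS5 (RFC 1928) to Tor's SOCKS port directly rather than going through proxychains, so the only thing that can ever happen is a full TCP connect (the reason a SYN scan cannot go through the tunnel), and it hands hostnames to the proxy as SOCKS5 domain-name addresses so nothing is resolved on the scanning host, which is the leak the -n discussion above is about. It assumes the SOCKS port is 127.0.0.1:9050; the function names are made up.

```python
"""SOCKS5 CONNECT probe through Tor's SOCKS port (RFC 1928).

Added example; not code from the original post or from the Tor project. Assumes
Tor's SocksPort is 127.0.0.1:9050. Literal IPs go as ATYP 0x01/0x04; anything
else is sent as ATYP 0x03 (domain name) so the proxy resolves it inside the
circuit and the scanning host never does a local DNS lookup. Names are made up.
"""
import ipaddress
import socket
import struct

REPLY_TEXT = {                              # RFC 1928 section 6 reply field
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_connect_request(host, port):
    """Encode VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("bad port %r" % port)
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:                      # not a literal IP: ship the name
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length out of range for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_connect_reply(head):
    """Decode the 4-byte reply head VER REP RSV ATYP; return (code, text, atyp)."""
    if len(head) < 4 or head[0] != 0x05:
        raise ValueError("not a SOCKS5 reply: %r" % head[:4])
    return head[1], REPLY_TEXT.get(head[1], "unknown reply 0x%02x" % head[1]), head[3]


def classify(code):
    """Map a reply code onto what a port scanner wants to know."""
    if code == 0x00:
        return "open"
    if code == 0x05:                        # the far end answered with a RST
        return "closed"
    return "unreachable"                    # proxy or exit could not get there


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def probe_port(host, port, proxy=("127.0.0.1", 9050), timeout=60.0):
    """One TCP connect through the proxy; only a connect scan can traverse SOCKS,
    which is why nmap under proxychains needs -sT. Returns open/closed/unreachable;
    raises socket.timeout if the proxy does not answer within `timeout`."""
    with socket.create_connection(proxy, timeout) as s:
        s.sendall(b"\x05\x01\x00")         # greeting: one method offered, no-auth
        if _recv_exact(s, 2) != b"\x05\x00":
            raise RuntimeError("proxy rejected the no-auth method")
        s.sendall(build_connect_request(host, port))
        code, _text, atyp = parse_connect_reply(_recv_exact(s, 4))
        try:                                # drain BND.ADDR and BND.PORT; some
            if atyp == 0x01:                # proxies hang up right after an error
                _recv_exact(s, 4 + 2)
            elif atyp == 0x04:
                _recv_exact(s, 16 + 2)
            elif atyp == 0x03:
                _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        except ConnectionError:
            pass
    return classify(code)


if __name__ == "__main__":
    import sys
    print(sys.argv[1], sys.argv[2], probe_port(sys.argv[1], int(sys.argv[2])))
```

Target generation stays with nmap -iR or a list file; call probe_port once per host and expect each probe through Tor to take seconds rather than milliseconds, so keep the timeout generous and run a handful of probes in parallel threads rather than one at a time. Only reply 0x05 (connection refused: the far end sent a RST) should be logged as closed; the other failure codes mean the proxy or the exit never reached the host, and counting those as closed would quietly hide exits that block port 23.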

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: Tor control port - self-renewing proxy
« Reply #6 on: February 14, 2014, 06:15:35 AM »
I'm too fucking lazy right now to write an example, but it is pretty easy.
And yes, you could just generate a list of random addresses with nmap.

Offline Architect

  • Sir
  • Posts: 428
  • Cookies: 56
  • STFU
Re: Tor control port - self-renewing proxy
« Reply #7 on: February 15, 2014, 11:25:51 AM »
Quote from: Z3R0 on February 13, 2014, 08:22:24 AM
> Holy shit, I had no idea Tor had a control port. I'd really like to see someone write a script that brute-forces the authentication and changes entry nodes. Could make for an epic MITM attack!
Exactly why you run Tor under an unprivileged user and [hopefully] over an uncommon control port and in a jail shell. Not just a bash login shell; get creative. This pretty much is a one-way ticket to avoiding most attacks. Common ports (i.e. for telnet, FTP, SSH, etc.) are most often easily brute-forced.

As for controlling the Tor service in general, why not just use tor-arm (a/k/a ARM)? It is like you reinvented the wheel in an even less useful way by coding this. Plus the fact that ARM offers many more things than simply control-port access. It offers practical identification of nodes, so as to save you time using netcat and such to ID hosts.

 


