EH-Net

Ethical Hacking Discussions and Related Certifications => Network Pen Testing => Topic started by: SephStorm on January 07, 2011, 10:49:34 PM



Title: Hacking using tor?
Post by: SephStorm on January 07, 2011, 10:49:34 PM
So in the beginning of Hacking Exposed vol. 6 I remember seeing a case example where a hacker used Tor to assist in their attack. I figured I would come across it in my studies, but not as of yet. So, what ways can Tor be used to assist in the hacking process? It is logical to use during the recon phase, so your IP is untraceable, but what about tunneling your attacks through the network?


Title: Re: Hacking using tor?
Post by: eth3real on January 08, 2011, 11:46:11 AM
Personally, I would say this is a bad idea for pen-testers. As you probably already know, whoever is in control of the exit node, or the last person in the chain of Tor routes, would be able to sniff that traffic as if it was originating from their network. Just because the Tor traffic is encrypted between nodes doesn't mean it can encrypt the traffic to the final destination, unless it was encrypted in the first place.

That means whatever information is discovered during a pen-test, which is supposed to help reveal security faults before the public can exploit them, would then have a chance of being disclosed to an anonymous person in the Tor community. And if you've signed a nondisclosure agreement, that would not be good for you if it was to be released to the public.

That's how I see it, anyway.


Title: Re: Hacking using tor?
Post by: Grendel on January 08, 2011, 02:03:29 PM
While I totally agree with eth3real, I would just like to add that unencrypted traffic being sent across *any* network will be viewable by device owners between the pentester and the target. This is true for devices located between the exit node in the Tor network and the target, as well as devices from your home directly to the target... the question really is what devices do you trust?

However, if your traffic is encrypted, Tor is definitely useful for hiding your attack platform IP address. I've had system operators block my attack platform IP address in the past, thinking they can out-smart me. Tor's come in handy a couple times to verify they were blocking my probes... got them in some hot water with their managers.


Title: Re: Hacking using tor?
Post by: SephStorm on January 08, 2011, 11:52:48 PM
Thanks for both replies. I don't intend to do this on assignment, but I would like to know how this is done. As Grendel said, it could be useful one day. Besides, I don't know how many Tor users are hackers, most being pirates and users in countries with "great firewalls". The one I'm in has a "little firewall".

I found a video on YouTube that shows one way to do it; it requires proxychains, which is a Linux program. There also appears to be a commercial product that does the same thing, Protoport Proxy Chain, but it has low reviews in terms of functionality. http://download.cnet.com/Protoport-Proxy-Chain/3000-2144_4-10497250.html


Title: Re: Hacking using tor?
Post by: t0rh4cker on January 21, 2011, 02:01:01 PM
In certain circumstances I would use Tor for an authorized PenTest. If anything, use it to test how effective the administrators are with reviewing logs and finding offending IPs.

Anyway, look at this recent post that will walk you through setting up your box to use Tor for pentesting.

http://securitystreetknowledge.com/?p=283
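
Added example, not part of the original thread or any poster's code: the log-review side of the test mentioned above, flagging requests whose source address appears on a Tor exit list. The exit list (laid out like the exit-address list the Tor Project publishes) and the access-log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the Tor Project's published exit-address list.
EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2011-01-21 09:00:00
LastStatus 2011-01-21 10:00:00
ExitAddress 192.0.2.10 2011-01-21 10:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2011-01-21 08:00:00
LastStatus 2011-01-21 10:00:00
ExitAddress 198.51.100.7 2011-01-21 10:06:00
"""

# Constructed access-log lines (Apache combined format, documentation IP ranges).
ACCESS_LOG = """\
203.0.113.5 - - [21/Jan/2011:14:01:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jan/2011:14:01:03 -0500] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jan/2011:14:01:04 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 208 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2011:14:02:10 -0500] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
not a log line
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_exit_addresses(text):
    """Return the set of IPs named on ExitAddress lines; other lines are ignored."""
    return {parts[1] for line in text.splitlines()
            if (parts := line.split()) and parts[0] == "ExitAddress" and len(parts) >= 2}

def tor_hits(log_text, exits):
    """Group requests from exit addresses: ip -> list of (time, path, status)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) in exits:  # malformed lines and non-exit clients are skipped
            hits[m.group(1)].append((m.group(2), m.group(4), int(m.group(5))))
    return dict(hits)

def summarize(hits):
    """Per exit IP: total requests and how many drew a 4xx response."""
    return {ip: {"requests": len(r), "refused": sum(1 for _, _, s in r if 400 <= s < 500)}
            for ip, r in hits.items()}

if __name__ == "__main__":
    for ip, row in summarize(tor_hits(ACCESS_LOG, parse_exit_addresses(EXIT_LIST))).items():
        print(ip, row)
```
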



Title: Re: Hacking using tor?
Post by: SephStorm on January 21, 2011, 11:21:07 PM
Thanks for the info, I have set it aside for later, once I get a Linux PT box set up. Are you familiar with any ways to do the same on Windows? I'm fairly sure that proxychains is *nix only.


Title: Re: Hacking using tor?
Post by: t0rh4cker on January 22, 2011, 08:08:34 AM
Sorry but I do not know of a Windows solution yet. I will let you know when I come across one.

I must warn you that even if you use SSL through Tor it can be stripped off. So if you are hacking I wouldn't be so worried about a bad guy seeing your traffic but rather big brother. If you look at some of the fastest ExitNodes they tend to be located in areas near state-owned cyber defense establishments. (Do a GeoIP on the ExitNode IP address.) If you read a lot of blogs you will hear authors say how they capture this or that attack in the wild. Then they get credit for the exploit. It is my guess they are monitoring their own Tor ExitNode.


Title: Re: Hacking using tor?
Post by: SephStorm on January 22, 2011, 08:23:15 AM
Thanks for the heads up!


Title: Re: Hacking using tor?
Post by: tturner on January 22, 2011, 10:23:54 PM
Tor is soooo slow! Even if there were not issues of confidentiality, I cannot even imagine trying to push any significant traffic through Tor. At least that was my experience a couple years ago when I used it for browsing.


Title: Re: Hacking using tor?
Post by: SephStorm on January 22, 2011, 11:04:54 PM
Hey TT,

I replied to your message a few days ago, wasn't sure if you received it?


Title: Re: Hacking using tor?
Post by: msnmatt08 on May 26, 2011, 10:18:28 AM
I agree with the above comments, only use in an authorized PenTest... any other reason to use it shouldn't be done.