On TOR

As most, if not everyone, know, TOR is a network of proxies designed to give some privacy and anonymity to its users. Lately TOR has been in the news quite a bit, since a Swedish hacker managed to sniff a huge load of user accounts and passwords belonging to foreign embassies.

If you haven’t managed to read about the incident, here are a few links:

Article on techtarget.com
Article on wired.com

People tend to think that the TOR network is a silver bullet, which is not the case. Even on the TOR web pages it is clearly stated that TOR will not guarantee complete privacy.

Since a TOR exit-node can decide what traffic (or rather, what ports) it wants to relay, it is easy to set up a rogue exit-node that relays only cleartext traffic (and of course sniffs it on the fly :) ). I decided to take a peek at the exit-nodes and found a few interesting things.

Reminder: Even though I rate these to be suspicious it does not necessarily mean the nodes are evil. None of the exit-nodes discussed here were checked for MITM attacks.

First, let’s take a look at an exit-node called XCOPY:

This is the configuration it advertises on the network:

router XCOPY 71.105.20.179 9001 0 0
platform Tor 0.1.2.16 on Windows XP Service Pack 2 [workstation] {terminal services, single user}
published 2007-11-17 08:29:57
uptime 2014
bandwidth 2097152 5242880 86770
contact <your@email.com>
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
accept *:22
accept 67.134.143.0/24:80
accept 204.16.32.0/22:80
accept 216.178.32.0/20:80
accept 63.146.123.0/27:80
accept 63.236.5.128/27:80
accept 66.77.90.48/28:80
accept 63.236.5.224/28:80
accept 63.236.123.128/27:80
accept *:143
accept *:5190
accept *:5050
accept *:5900
accept *:5901
accept *:1863
reject *:*

The node resides under Verizon:

AS | IP | AS Name
19262 | 71.105.20.179 | VZGNI-TRANSIT - Verizon Internet Services Inc.

First, in the configuration we see a few BOGON address spaces filtered, as well as a few private ranges.

Next, we see it accepting SSH traffic to any destination. Nothing suspicious so far. What we see next is interesting:

accept 67.134.143.0/24:80
accept 204.16.32.0/22:80
accept 216.178.32.0/20:80
accept 63.146.123.0/27:80
accept 63.236.5.128/27:80
accept 66.77.90.48/28:80
accept 63.236.5.224/28:80
accept 63.236.123.128/27:80

We see it accepting HTTP traffic only towards IP ranges owned by MySpace and Google. So we seem to have a samaritan here who wants us to be able to anonymously search for midget pr0n and update our MySpace profiles. I can live with that, so let’s move on. These are the next configuration lines:

accept *:143 <- Accept unencrypted IMAP traffic to anywhere
accept *:5190 <- Accept unencrypted AIM traffic to anywhere
accept *:5050 <- Accept unencrypted Yahoo IM traffic to anywhere
accept *:5900 <- Accept unencrypted VNC traffic to anywhere
accept *:5901 <- Accept unencrypted VNC traffic to anywhere
accept *:1863 <- Accept unencrypted MSN Messenger traffic to anywhere

And last:

reject *:* <- reject all other traffic.

Would you trust this exit node to carry your traffic?
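To make the walk-through above mechanical, here is an added example (not code from the original post) that parses a descriptor's accept/reject lines with Tor's first-match semantics and reports which cleartext ports a policy exits to an arbitrary address while refusing the encrypted alternative. The cleartext-to-encrypted port mapping and the probe address are assumptions of the example; the XCOPY descriptor is abridged from the one quoted above.

```python
import ipaddress

# XCOPY's descriptor from the post, abridged to the lines this example needs.
XCOPY = """\
router XCOPY 71.105.20.179 9001 0 0
reject 0.0.0.0/8:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
accept *:22
accept 67.134.143.0/24:80
accept *:143
accept *:5190
reject *:*
"""

def parse_policy(descriptor):
    """Return [(accept?, network or None for '*', low_port, high_port)] in file order."""
    rules = []
    for line in descriptor.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("accept", "reject"):
            continue  # router/platform/bandwidth lines carry no policy
        addr, ports = parts[1].rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = map(int, ports.split("-"))
        else:
            lo = hi = int(ports)
        rules.append((parts[0] == "accept", net, lo, hi))
    return rules

def exit_allows(rules, ip, port):
    """First rule matching both address and port wins (Tor exit-policy semantics).
    Every descriptor on the page ends in a catch-all; no match is treated as reject."""
    addr = ipaddress.ip_address(ip)
    for accept, net, lo, hi in rules:
        if (net is None or addr in net) and lo <= port <= hi:
            return accept
    return False

# Cleartext port -> TLS/SSH counterpart (assumed mapping, not taken from the post).
SECURE_ALTERNATIVE = {23: 22, 80: 443, 110: 995, 119: 563, 143: 993}

def cleartext_only_ports(rules, probe_ip="198.51.100.10"):
    """Cleartext ports exited to a documentation-range placeholder address
    whose encrypted alternative the same policy refuses."""
    return sorted(p for p, s in SECURE_ALTERNATIVE.items()
                  if exit_allows(rules, probe_ip, p) and not exit_allows(rules, probe_ip, s))
```

Running `cleartext_only_ports(parse_policy(XCOPY))` yields the IMAP port alone: port 80 is exited only to the listed ranges, SSH is fine, but unencrypted IMAP is relayed anywhere while IMAPS is not.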

Let’s take another exit-node:

router skkdk88993992299fig 81.169.188.223 9001 0 0
platform Tor 0.1.2.17 on Linux i686
published 2007-11-17 08:11:46
uptime 1598635
bandwidth 61440 61440 67591
contact 1234D/FFFFFFFF Random Person <nobody@example.com>
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
accept *:21
accept *:110
accept *:119
reject *:*

Again, we can see the normal BOGON and private spaces dropped. The exit-node resides in Germany:

AS | IP | AS Name
6724 | 81.169.188.223 | STRATO Strato AG

We can see it accepting only these ports:

accept *:21 <- Unencrypted telnet traffic
accept *:110 <- Unencrypted POP3 mail traffic
accept *:119 <- Unencrypted NNTP traffic (news protocol)

Let’s move on again:

router bettyboop 149.9.0.27 9001 0 9030
platform Tor 0.1.2.16 on Linux x86_64
published 2007-11-17 07:45:32
uptime 8596860
bandwidth 104857600 1073741824 2918361
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
accept *:53
accept *:110
accept *:143
accept *:1863
accept *:5190
accept *:6660-6667
reject *:*

This node will also accept only unencrypted traffic: DNS, POP3, IMAP, MSN Messenger, VNC and IRC.

To the next exit-node:

router orange 81.57.232.6 9001 0 0
platform Tor 0.1.1.23 on Linux i686
published 2007-11-17 02:07:04
uptime 11468
bandwidth 102400 6291456 14796
null
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 80.239.236.0/24:*
reject 130.117.156.0/24:*
reject 69.31.34.0/24:*
reject 146.82.200.248:*
reject 81.95.147.0/24:*
reject 194.182.148.0/24:*
accept *:110
accept *:143
accept *:23
reject *:*

We can see it rejecting a few address ranges (including an IP range that formerly belonged to RBN, a real shithole of the Internet). This node accepts only unencrypted POP3, IMAP and telnet traffic.

The TOR proxy directory is riddled with these kinds of exit-nodes. Even though a suspicious configuration alone isn’t enough to tag an exit-node evil, I wouldn’t touch these with a ten-foot toothpick. Regardless of whether you use TOR or not, I’d suggest you check with the service provider of your telnet|pop|imap|whatever account whether they offer versions of the service that use SSL encryption or similar. Even though SSL encryption does not make you 100% safe, it adds another defensive layer. Just keep in mind that you should always check the certificate :)

And as a small reminder: I am not calling these exit-nodes evil, and I do think that the TOR network is a good thing. Any technology can be used in the wrong way, a fact that will never change. Just be careful out there :)

4 Responses to “On TOR”

  1. Privatsphäre mit TOR « KOPIS.DE Says:

    […] know, it is not exactly fresh anymore - even heise has already reported on it - but I would also like to once again my […]

  2. [security,f-secure]-Testing TOR Nodes for Man-in-the-Middle Attacks « Malnews4’s Weblog Says:

    […] details on the investigative process can be found here and […]

  3. Christians Blog » Blog Archive » Spy Tor Exit Node 2 Says:

    […] MW-Blog, which deals with malware & co., there is an interesting article about the […]

  4. Privatsphäre mit TOR « KOPIS.DE Says:

    […] know, it is not exactly fresh anymore – even heise has already reported on it – but I would also like to once […]

If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.
