TOR exit-node doing MITM attacks
I decided to do some more digging on the TOR network to see whether there really are exit-nodes doing MITM attacks. As the target site, I picked my home computer, which runs an SSL-enabled server.
Normally, the SSL Certificate on my server looks like this.
I ran through all the exit-nodes in my current directory cache, connecting to my website through each one and saving the certificate it served. I then compared the saved certificates with the real SSL certificate on my site to see whether any of them differed. One certificate differed from the original:
So, what we have here is a TOR exit-node that is doing Man-In-The-Middle attacks on HTTPS connections. The configuration (the router descriptor the exit-node published) is as follows:
router LateNightZ 217.233.212.114 9001 0 0
platform Tor 0.1.2.16 on Windows XP Service Pack 2 [workstation] {terminal services, single user}
published 2007-11-20 02:20:19
opt fingerprint E7B6 4257 6A63 A397 5387 C2F4 BBC7 95DB D462 CAF7
uptime 40
bandwidth 32768 65536 38406
onion-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAPE0d6xoupFYwZVU6pxMVLIVoFpn1sbdhRu6nXGDNqWPEqTcG6IW48lY
WpLJFK0bzkYqCv+X2aDWygXtB6A9m/5mJUr4NwDlTiPrB8auVv6MNXr80DMv4tVo
IpH8VYLZCf89kcaHWTLojX/gKOkizJBLWERPnwKacrvcu/15tiwZAgMBAAE=
-----END RSA PUBLIC KEY-----
signing-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALmUDcz1zuPMmX2yfKSXWeCH+HLk8vtP11yC2vaarLTdZ8t6+/VIw18w
vYK3JAednH62Gyk9L2dPW+qc/KOe7bxqaRr4d05yE4+d7w9XDxb2KCZCZVbgtcuS
GahamdJoZUh8NLalrJJWHvSQhR8fLAQoaZeHHCdhS9IaiTw4Gt+9AgMBAAE=
-----END RSA PUBLIC KEY-----
opt write-history 2007-11-20 02:13:14 (900 s) 0,147456,122880,0,0,0,0,0,0,0,0,0,0,0,0,0,0,149504,450560,29696,62464,227328,91136,95232,1103872,1854464,656384,1941504,2434048,5716992,7706624,6257664,5371904,7851008,4059136,1441792,1683456,12103680,16930816,5545984
opt read-history 2007-11-20 02:13:14 (900 s) 0,2639872,635904,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1150976,1261568,871424,917504,1077248,954368,955392,1883136,2748416,1459200,2765824,3291136,6401024,9077760,7090176,6006784,8594432,4871168,2713600,2440192,12794880,17001472,6209536
contact <latenightz at truellz dot de>
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:563
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
router-signature
-----BEGIN SIGNATURE-----
cmjagfFYjtwSVMB1/Yi358Ew/9Z80fgstua1vvuVhi89ImjHInJXorDj4GKfergX
o5SnPOsplASZehjHprTt5mgeHL24TXkZcUBHjZSOIRnljDsaSfTSq7GCBZ10YX1Y
xNrKVsuHCPvOxIx0McSDmap6ngjdLtMcTAQajzA+AqI=
-----END SIGNATURE-----
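To make the survey method described in the post concrete, here is an added Python example (my code, not the blog author's tooling) that covers the offline half of the work: it parses the descriptor above (embedded in trimmed form, with the key blocks and bandwidth-history lines left out), evaluates the exit policy to confirm that this relay would actually carry HTTPS traffic to a given address, and compares a certificate seen through an exit against a pinned fingerprint of the real one. The two certificate PEMs are constructed stand-ins rather than real X.509 data, 203.0.113.10 is a documentation address, and fetching the certificate through each exit in turn is left to whatever Tor client setup you use.

```python
import base64
import hashlib
import ipaddress

# Trimmed copy of the descriptor quoted in the post: the key blocks and the
# read/write-history lines are omitted, the identity line and the exit policy
# are as published.
DESCRIPTOR = """\
router LateNightZ 217.233.212.114 9001 0 0
opt fingerprint E7B6 4257 6A63 A397 5387 C2F4 BBC7 95DB D462 CAF7
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:563
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
"""


def parse_descriptor(text):
    # Keep the identity line, the fingerprint and the accept/reject lines,
    # in the order they were published (order matters for first-match).
    desc = {"policy": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router":
            desc["nickname"], desc["address"], desc["orport"] = parts[1], parts[2], int(parts[3])
        elif parts[:2] == ["opt", "fingerprint"]:
            desc["fingerprint"] = " ".join(parts[2:])
        elif parts[0] in ("accept", "reject"):
            desc["policy"].append((parts[0], parts[1]))
    return desc


def exit_allows(policy, ip, port):
    # Tor evaluates exit policies first-match; no matching rule means reject.
    # Only relays that accept the target port need to be surveyed at all.
    addr = ipaddress.ip_address(ip)
    for verdict, pattern in policy:
        net, ports = pattern.rsplit(":", 1)
        if net != "*" and addr not in ipaddress.ip_network(net, strict=False):
            continue
        if ports != "*":
            lo, _, hi = ports.partition("-")
            if not int(lo) <= port <= int(hi or lo):
                continue
        return verdict == "accept"
    return False


def cert_fingerprint(pem):
    # Fingerprint = SHA-256 of the DER bytes, so differences in line wrapping
    # or trailing whitespace between saved PEM files cannot hide or fake a change.
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def served_cert_matches(served_pem, pinned_sha256):
    # The post's check: is the cert seen through this exit byte-for-byte the real one?
    return cert_fingerprint(served_pem) == pinned_sha256.lower()


def make_pem(der):
    # Constructed stand-in for a certificate (not a real X.509 structure).
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


# A real run would pin the fingerprint of your own certificate and feed in the
# PEM that ssl.get_server_certificate() or openssl s_client returns when the
# connection is routed through each exit in turn.
REAL_CERT_PEM = make_pem(b"constructed: the site's real certificate")
FORGED_CERT_PEM = make_pem(b"constructed: a certificate minted by a MITM exit")
PINNED = cert_fingerprint(REAL_CERT_PEM)

if __name__ == "__main__":
    d = parse_descriptor(DESCRIPTOR)
    print(d["nickname"], d["address"], d["fingerprint"])
    print("would carry HTTPS to 203.0.113.10:", exit_allows(d["policy"], "203.0.113.10", 443))
    for name, pem in (("real", REAL_CERT_PEM), ("forged", FORGED_CERT_PEM)):
        print(name, "cert matches pinned fingerprint:", served_cert_matches(pem, PINNED))
```

Two design points: the comparison is done on the DER bytes rather than on the PEM text, because saved certificates from different tools wrap lines differently and a text diff would report noise (or miss a real substitution hidden by whitespace); and the exit policy is evaluated first so that relays which reject port 443 are skipped instead of being counted as failed connections.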
The exit-node in question resides in Germany:
AS | IP | CC | AS Name
3320 | 217.233.212.114 | DE | DTAG Deutsche Telekom AG
Would be interesting to know what they are doing with stolen information, eh?
November 23rd, 2007 at 11:31 am
[…] The analysis of the attack, on MW-Blog, here. […]
November 23rd, 2007 at 5:45 pm
[…] & man-in-the-middle via TOR snooping Hello. Do I understand MW-Blog Blog Archive TOR exit-node doing MITM attacks correctly, that it would be possible to turn even the online banking of any bank into plaintext, in order to then […]
November 27th, 2007 at 3:51 am
[…] More details on the investigative process can be found here and here. […]
December 7th, 2007 at 8:17 am
[…] MW-Blog » Blog Archive » TOR exit-node doing MITM attacks Yeah, the TOR network is not safe at all. […]
December 7th, 2007 at 10:23 am
[…] 2 and […]
December 11th, 2007 at 12:32 am
[…] a virus or Trojan.) This actually happens; Bruce Schneier linked to some logs of a TOR exit node trying to carry out a MitM on an SSL session. So while TOR protects your anonymity, it may actually risk your privacy — it’s very […]
January 28th, 2008 at 9:22 am
Playing with TOR…
I’ve been playing with TOR again lately, and a bit more carefully because the last time I tried michaelw got banned from IRC because of the exit server :-D
It seems the crooks are really running it themselves these days. This is a “conversa…
May 2nd, 2008 at 6:24 am
[…] option: I would use an IronKey device to setup a TOR-like SSL session with known (known is important) IronKey TOR servers. Then I would login to the bank’s web server using the log on web page. […]
August 1st, 2008 at 11:35 pm
[…] carry with you, since otherwise man-in-the-middle would be possible (which, e.g., with Tor is already commonplace: tor ssl man-in-the-middle). On top of that, older PCs take a bit longer (negotiating keys, data […]
November 22nd, 2008 at 8:38 am
[…] password and other sensitive information is possibly being snared by a hacker. In the following posting the gatherer is from […]
January 15th, 2009 at 12:00 am
[…] How dangerous it can be to use them without informing yourself first, because although anonymity is guaranteed within the network, it is possible to capture the information at the exit nodes to the Internet. […]
September 14th, 2009 at 3:38 am
[…] and does not make you more secure by using it. If you use tor with encrypted protocols and avoid fake SSL certificates then you should be fine. However, if you use a plain text protocol such as HTTP, you are pretty much […]