TOR exit-node doing MITM attacks
I decided to do some more digging on the TOR network to see whether there really are exit-nodes doing MITM attacks. As a target site, I picked my home computer, which runs an SSL-enabled server.
Normally, the SSL Certificate on my server looks like this.
I ran through all the exit-nodes in my current directory cache, connecting to my website through each one and saving the certificate it presented. After that I compared the saved certificates to see whether any of them differed from the real SSL cert on my site. One certificate differed from the original:
So, what we have here is a TOR exit-node doing Man-In-The-Middle attacks on HTTPS connections. The router descriptor for the exit-node is as follows:
router LateNightZ 217.233.212.114 9001 0 0
platform Tor 0.1.2.16 on Windows XP Service Pack 2 [workstation] {terminal services, single user}
published 2007-11-20 02:20:19
opt fingerprint E7B6 4257 6A63 A397 5387 C2F4 BBC7 95DB D462 CAF7
uptime 40
bandwidth 32768 65536 38406
onion-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAPE0d6xoupFYwZVU6pxMVLIVoFpn1sbdhRu6nXGDNqWPEqTcG6IW48lY
WpLJFK0bzkYqCv+X2aDWygXtB6A9m/5mJUr4NwDlTiPrB8auVv6MNXr80DMv4tVo
IpH8VYLZCf89kcaHWTLojX/gKOkizJBLWERPnwKacrvcu/15tiwZAgMBAAE=
-----END RSA PUBLIC KEY-----
signing-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALmUDcz1zuPMmX2yfKSXWeCH+HLk8vtP11yC2vaarLTdZ8t6+/VIw18w
vYK3JAednH62Gyk9L2dPW+qc/KOe7bxqaRr4d05yE4+d7w9XDxb2KCZCZVbgtcuS
GahamdJoZUh8NLalrJJWHvSQhR8fLAQoaZeHHCdhS9IaiTw4Gt+9AgMBAAE=
-----END RSA PUBLIC KEY-----
opt write-history 2007-11-20 02:13:14 (900 s) 0,147456,122880,0,0,0,0,0,0,0,0,0,0,0,0,0,0,149504,450560,29696,62464,227328,91136,95232,1103872,1854464,656384,1941504,2434048,5716992,7706624,6257664,5371904,7851008,4059136,1441792,1683456,12103680,16930816,5545984
opt read-history 2007-11-20 02:13:14 (900 s) 0,2639872,635904,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1150976,1261568,871424,917504,1077248,954368,955392,1883136,2748416,1459200,2765824,3291136,6401024,9077760,7090176,6006784,8594432,4871168,2713600,2440192,12794880,17001472,6209536
contact <latenightz at truellz dot de>
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:563
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
router-signature
-----BEGIN SIGNATURE-----
cmjagfFYjtwSVMB1/Yi358Ew/9Z80fgstua1vvuVhi89ImjHInJXorDj4GKfergX
o5SnPOsplASZehjHprTt5mgeHL24TXkZcUBHjZSOIRnljDsaSfTSq7GCBZ10YX1Y
xNrKVsuHCPvOxIx0McSDmap6ngjdLtMcTAQajzA+AqI=
-----END SIGNATURE-----
The exit-node in question resides in Germany:
AS | IP | CC | AS Name
3320 | 217.233.212.114 | DE | DTAG Deutsche Telekom AG
Would be interesting to know what they are doing with stolen information, eh?
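The procedure above (reach a server whose real certificate is known through each exit in turn, save what comes back, compare) can be scripted. The following is an added example and not code from the original post: the offline part evaluates an exit policy in the descriptor format shown above, so exits that would never carry port 443 can be skipped, and pins/compares certificate fingerprints; the network part assumes a local Tor SOCKS port on 127.0.0.1:9050 and the "host.<fingerprint>.exit" notation, which needs AllowDotExit and is not available by default on current Tor releases. The exit policy and fingerprint are copied from the LateNightZ descriptor; the 203.0.113.7 address and the certificate byte strings are constructed stand-ins.

```python
"""Probe Tor exits for TLS interception (added example, not the post's code).

Offline part: evaluate a descriptor's exit policy and pin/compare certificate
fingerprints.  Network part (assumed, not from the post): a local Tor SOCKS
port on 127.0.0.1:9050 and the 'host.<fingerprint>.exit' notation, which
needs AllowDotExit and is not available by default on current Tor releases.
"""
import hashlib
import ipaddress
import socket
import ssl

# Exit policy and fingerprint copied from the LateNightZ descriptor above.
LATENIGHTZ_POLICY = """\
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:563
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
"""
LATENIGHTZ_FP = "E7B642576A63A3975387C2F4BBC795DBD462CAF7"  # spaces removed

def parse_exit_policy(descriptor):
    """Ordered exit policy as (action, network or None for '*', lo_port, hi_port)."""
    policy = []
    for line in descriptor.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("accept", "reject"):
            continue  # router, platform, bandwidth, ... lines
        addr, ports = parts[1].rsplit(":", 1)  # IPv4 policies, as in the descriptor
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        policy.append((parts[0], net, lo, hi))
    return policy

def exit_allows(policy, ip, port):
    """First matching rule decides, as Tor evaluates policies; no match rejects."""
    addr = ipaddress.ip_address(ip)
    for action, net, lo, hi in policy:
        if (net is None or addr in net) and lo <= port <= hi:
            return action == "accept"
    return False

def cert_fingerprint(der):
    """SHA-256 over the DER encoding: pin this value for the real certificate."""
    return hashlib.sha256(der).hexdigest()

def classify_exit(observed_der, expected_fp):
    """'clean' if the exit handed us the pinned certificate, else 'mismatch'."""
    return "clean" if cert_fingerprint(observed_der) == expected_fp else "mismatch"

def socks5_connect(sock, host, port):
    """Minimal SOCKS5 CONNECT by hostname (ATYP 3) so Tor, not we, resolves it."""
    sock.sendall(b"\x05\x01\x00")                     # version 5, method: no auth
    if sock.recv(2) != b"\x05\x00":
        raise OSError("SOCKS5 method negotiation failed")
    name = host.encode()
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big"))
    reply = sock.recv(10)                             # Tor answers in IPv4 form: 10 bytes
    if len(reply) < 2 or reply[1] != 0:
        raise OSError("SOCKS5 CONNECT failed, reply %r" % reply)

def fetch_cert_via_exit(target, exit_fp, port=443, socks=("127.0.0.1", 9050)):
    """DER certificate that `target` presents when reached through exit `exit_fp`."""
    sock = socket.create_connection(socks, timeout=60)
    socks5_connect(sock, "%s.%s.exit" % (target, exit_fp), port)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we want whatever is presented, bogus or not
    with ctx.wrap_socket(sock, server_hostname=target) as tls:
        return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    policy = parse_exit_policy(LATENIGHTZ_POLICY)
    # 203.0.113.7 is a documentation address standing in for the probed server.
    print("exits to 203.0.113.7:443:", exit_allows(policy, "203.0.113.7", 443))
    print("exits to 203.0.113.7:25: ", exit_allows(policy, "203.0.113.7", 25))
    # With a local Tor: classify_exit(fetch_cert_via_exit(host, LATENIGHTZ_FP), pinned_fp)
```

A mismatch through one exit proves interception somewhere between that exit and the target, not by itself who runs it; repeating the fetch through several exits and from a non-Tor vantage point separates an interfering exit from an upstream or server-side change. Pinning the SHA-256 of the DER bytes rather than comparing subject names is what catches a forged certificate that copies the real one's fields.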
November 23rd, 2007 at 11:31 am
[…] The analysis of the attack, on MW-Blog, here. […]
November 23rd, 2007 at 5:45 pm
[…] & man-in-the-middle via TOR snooping Hello. Do I understand MW-Blog Blog Archive TOR exit-node doing MITM attacks correctly, that it would be possible to turn even the online banking of arbitrary banks into plaintext, in order to then […]
November 27th, 2007 at 3:51 am
[…] More details on the investigative process can be found here and here. […]
December 7th, 2007 at 8:17 am
[…] MW-Blog » Blog Archive » TOR exit-node doing MITM attacks Yeah, the TOR network is not safe at all. […]
December 7th, 2007 at 10:23 am
[…] 2 and […]
December 11th, 2007 at 12:32 am
[…] a virus or Trojan.) This actually happens; Bruce Schneier linked to some logs of a TOR exit node trying to carry out a MitM on an SSL session. So while TOR protects your anonymity, it may actually risk your privacy — it’s very […]
January 28th, 2008 at 9:22 am
Playing with TOR…
I’ve been playing with TOR again lately, and a bit more carefully, because the last time I tried michaelw got banned from IRC because of the exit server :-D
It seems the crooks are really running it themselves these days. This is a “conversa…
May 2nd, 2008 at 6:24 am
[…] option: I would use an IronKey device to setup a TOR-like SSL session with known (known is important) IronKey TOR servers. Then I would login to the bank’s web server using the log on web page. […]
August 1st, 2008 at 11:35 pm
[…] carry with you, since otherwise man-in-the-middle would be possible (which, for example, is already commonplace with Tor: tor ssl man-in-the-middle). On top of that, older PCs take a little longer (negotiating keys, data […]
November 22nd, 2008 at 8:38 am
[…] password and other sensitive information is possibly being snared by a hacker. In the following posting the gatherer is from […]
January 15th, 2009 at 12:00 am
[…] How dangerous it can be to use them without informing yourself first, because although anonymity is guaranteed inside the network, it is possible to capture the information at the exit nodes to the Internet. […]