MW-Blog » Blog Archive » TOR exit-node doing MITM attacks

TOR exit-node doing MITM attacks

I decided to do some more digging on the TOR network to see whether there really are exit-nodes doing MITM attacks. As a target site, I picked my home computer, which runs an SSL-enabled server.

Normally, the SSL Certificate on my server looks like this.

Real SSL Cert

I ran through all the exit-nodes in my current directory cache, connecting to my website through each one and saving the certificate it presented. After that I compared the saved certificates to see whether any of them differed from the real SSL cert on my site. One certificate differed from the original:
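The comparison step described above, as an added example (not the blog's own script): every certificate saved through an exit is hashed and checked against the one fetched directly, and only exits that served something different are reported together with the issuer they presented. It builds throwaway self-signed certificates purely to exercise the check offline; the exit nicknames and issuer names in the test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Finding: issuer CN and SHA-256 of the certificate an exit presented instead of the real one.
type Finding struct{ Issuer, SHA256 string }
// SuspectExits compares the DER certificate fetched directly (known good) with the DER
// certificates fetched through each exit (nickname -> cert); returns only the exits that differ.
func SuspectExits(goodDER []byte, seen map[string][]byte) (map[string]Finding, error) {
	want := sha256.Sum256(goodDER)
	out := map[string]Finding{}
	for exit, der := range seen {
		got := sha256.Sum256(der)
		if got == want {
			continue // byte-identical leaf: this exit passed the TLS handshake untouched
		}
		cert, err := x509.ParseCertificate(der) // anything else deserves a closer look
		if err != nil {
			return nil, err
		}
		out[exit] = Finding{cert.Issuer.CommonName, hex.EncodeToString(got[:])}
	}
	return out, nil
}

// selfSignedDER builds a throwaway certificate for host under issuerCN so the check
// can be exercised offline on constructed sample data (these are not real certificates).
func selfSignedDER(host, issuerCN string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}, PublicKey: &key.PublicKey}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, &key.PublicKey, key)
	if err != nil { panic(err) }
	return der
}
```

In practice goodDER comes from a direct connection and each entry of seen from a connection routed through one exit; a non-empty result is the list of exits to look at more closely.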

Fake SSL Cert

So, what we have here is a TOR exit-node that is doing Man-In-The-Middle attacks on HTTPS connections. The router descriptor for the exit-node, as published in the directory, is as follows:

router LateNightZ 217.233.212.114 9001 0 0
platform Tor 0.1.2.16 on Windows XP Service Pack 2 [workstation] {terminal services, single user}
published 2007-11-20 02:20:19
opt fingerprint E7B6 4257 6A63 A397 5387 C2F4 BBC7 95DB D462 CAF7
uptime 40
bandwidth 32768 65536 38406
onion-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAPE0d6xoupFYwZVU6pxMVLIVoFpn1sbdhRu6nXGDNqWPEqTcG6IW48lY
WpLJFK0bzkYqCv+X2aDWygXtB6A9m/5mJUr4NwDlTiPrB8auVv6MNXr80DMv4tVo
IpH8VYLZCf89kcaHWTLojX/gKOkizJBLWERPnwKacrvcu/15tiwZAgMBAAE=
-----END RSA PUBLIC KEY-----
signing-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALmUDcz1zuPMmX2yfKSXWeCH+HLk8vtP11yC2vaarLTdZ8t6+/VIw18w
vYK3JAednH62Gyk9L2dPW+qc/KOe7bxqaRr4d05yE4+d7w9XDxb2KCZCZVbgtcuS
GahamdJoZUh8NLalrJJWHvSQhR8fLAQoaZeHHCdhS9IaiTw4Gt+9AgMBAAE=
-----END RSA PUBLIC KEY-----
opt write-history 2007-11-20 02:13:14 (900 s) 0,147456,122880,0,0,0,0,0,0,0,0,0,0,0,0,0,0,149504,450560,29696,62464,227328,91136,95232,1103872,1854464,656384,1941504,2434048,5716992,7706624,6257664,5371904,7851008,4059136,1441792,1683456,12103680,16930816,5545984
opt read-history 2007-11-20 02:13:14 (900 s) 0,2639872,635904,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1150976,1261568,871424,917504,1077248,954368,955392,1883136,2748416,1459200,2765824,3291136,6401024,9077760,7090176,6006784,8594432,4871168,2713600,2440192,12794880,17001472,6209536
contact <latenightz at truellz dot de>
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:465
reject *:563
reject *:587
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
router-signature
-----BEGIN SIGNATURE-----
cmjagfFYjtwSVMB1/Yi358Ew/9Z80fgstua1vvuVhi89ImjHInJXorDj4GKfergX
o5SnPOsplASZehjHprTt5mgeHL24TXkZcUBHjZSOIRnljDsaSfTSq7GCBZ10YX1Y
xNrKVsuHCPvOxIx0McSDmap6ngjdLtMcTAQajzA+AqI=
-----END SIGNATURE-----

The exit-node in question resides in Germany:

AS | IP | CC | AS Name
3320 | 217.233.212.114 | DE | DTAG Deutsche Telekom AG

Would be interesting to know what they are doing with stolen information, eh?

20 Responses to “TOR exit-node doing MITM attacks”

  1. TOR again « Fare, disfare e rifare Says:

    […] The analysis of the attack, on MW-Blog, here. […]

  2. SSL & Man-in-the-Middle via TOR snooping - Forum Fachinformatiker.de Says:

    […] & man-in-the-middle via TOR snooping Hello. Do I understand MW-Blog Blog Archive TOR exit-node doing MITM attacks correctly, that it would be possible to turn even the online banking of any bank into clear text, in order to then […]

  3. [security,f-secure]-Testing TOR Nodes for Man-in-the-Middle Attacks « Malnews4’s Weblog Says:

    […] More details on the investigative process can be found here and here. […]

  4. links for 2007-12-07 : Bob Plankers, The Lone Sysadmin Says:

    […] MW-Blog » Blog Archive » TOR exit-node doing MITM attacks Yeah, the TOR network is not safe at all. […]

  5. foobla - the weblog of Norbert Wigbels » Blog Archive » When clowns fight for anonymity… Says:

    […] 2 and […]

  6. Anonymity with TOR and its limits | Perimeter Grid Says:

    […] a virus or Trojan.)  This actually happens; Bruce Schneier linked to some logs of a TOR exit node trying to carry out a MitM on an SSL session.  So while TOR protects your anonymity, it may actually risk your privacy — it’s very […]

  7. Volker noch immer in Macao Says:

    Playing with TOR…

    I’ve been playing with TOR again lately, and a bit more carefully because the last time I tried michaelw got banned from IRC because of the exit server :-D

    It seems the crooks are really running it themselves these days. This is a “conversa…

  8. Wi-Fi security for road warriors: On-line banking | Network Administrator | TechRepublic.com Says:

    […] option: I would use an IronKey device to setup a TOR-like SSL session with known (known is important) IronKey TOR servers. Then I would login to the bank’s web server using the log on web page. […]

  9. OpenSSL sensible for the entire domain namespace - sharkBLOG Says:

    […] with it, since otherwise a man-in-the-middle would be possible (which, for example, is already common practice on Tor: tor ssl man-in-the-middle). On top of that, older PCs take a bit longer (negotiating keys, data […]

  10. TOR Proxy network under heavy fire for MITM attacks Says:

    […] password and other sensitive information is possibly being snared by a hacker. In the following posting the gatherer is from […]

  11. Disculpen las Molestias » 2. Encryption Says:

    […] How dangerous it can be to use them without informing yourself first, because while anonymity inside the network is guaranteed, it is possible to capture the information at the exit nodes to the Internet. […]

  12. Sniffing/MITM attacks on the Tor network | Chucks Blog Says:

    […] and does not make you more secure by using it. If you use tor with encrypted protocols and avoid fake SSL certificates then you should be fine. However, if you use a plain text protocol such as HTTP, you are pretty much […]

  13. HTTPS and Tor: Working Together to Protect Your Privacy and Security Online « Says:

    […] a malicious end router [Link] More evidence of Tor exit node performing man in the middle attacks: [Link] Source discussion of the above evidence: [Link] Sun, 04 Mar 2012 07:45 CST Rate this: […]


If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.
