Archive for the 'Tor' Category

Panopticlick, Tor, Hello Again

Jan 22 2013 Published by antitree under OSINT,privacy,Tor

Panopticlick is a project run by the EFF that highlights the privacy concerns related to being able to fingerprint your browser. It suddenly popped back up in /r/netsec like it was a new project. The site works by showing you the results of a full fledge browser fingerprint tool, letting you compare how similar or dissimilar you are to other visitors. This is done in a variety of ways. By looking at the user agent, screen resolution, fonts installed, plugins installed, versions of those plugins, and much more. You can read the Panopticlick whitepaper if you want to understand more about how it works.

Hipster Tor: Privacy before it was cool

The issue was discussed years ago at Defcon XV where I first got interested in the project. They identified browser fingerprinting as concern that needed to be addressed in Tor. Their answer at the time was to use something they had just released called “TorButton.” TorButton, back in the day, was a Firefox plugin that when enabled, changed all the settings in your Firefox browser to stop leaking private information like those that Panopticlick checks.

TorButton (Mike Perry) soon realized that this was a loosing battle with Firefox who were trying to compete with sexy new browsers by adding in all kinds of automatic, privacy blind, features like live bookmarks. These things would just constantly query your bookmarks for updated content and had no way of reliably forwarding through a SOCKS proxy and anonymized, making it a major concern. This lead to the advent of the Tor Browser bundle which is a forked version Firefox, compiled specifically with privacy in mind, and the recommended way of using Tor today.

Panopticlick v. Tor

Back to Panopticlick: Tor’s Browser bundle (along with integrated TorButton) tries to defend you against this type of attack. It changes the user agent to the most common one at the time, disables JavaScript completely, spoofs your timezone, and more. Take a look at the comparison between the Tor Browser bundle, Chrome, and Chrome for Android:

Browser Characteristic	Tor	Windows 7 Chrome	Android Chrome
User Agent	78.88	1489.11	36249.45
HTTP_ACCEPT Headers	31.66	12.76	12.76
Browser Plugin Details	25.89	2646146	25.89
Time Zone	21.63	11.04	11.04
Screen Size and Color Depth	46.78	46.78	7714.9
System Fonts	8.5	2646146	8.5
Are Cookies Enabled?	1.34	1.34	1.34
Limited supercookie test	8.91	2	2

Numbers based on 1 in x visitors have the same value as your browser

Feel safer? Don’t.

The EFF’s project has been really good at increasing the public understanding of the risks of browser fingerprint style attacks, but risks definitely remain. One of the nastier ones, which has yet to be fully addressed, has been only theorized until last year. The scenario is that someone watching a user’s activities, can fingerprint their online activities. A presentation at last year’s 28C3 highlighted this issue. In it, they discussed how a user will usually go to the same groups of websites pretty consistently: Reddit, Google News, Wikipedia. Those activities can be used as a fingerprint for your online identity. Tor is coming up with an answer to this with their Moduler Transports initiative which allows Tor users to customize the traffic footprint using plugins.

My next post will highlight how to use Panopticlick for some operational security measures. 🙂

A Case For Spicy Mango

Nov 27 2012 Published by antitree under OSINT,Python,Tor

Spicy Mango is a project that Chris Centore started and presented on at Derbycon this year. It’s difficult to describe completely but in essence, it is an intelligence collection and analysis engine that helps you parse large amounts of data to extract items of interest. For example, say that you wanted to keep track of your nym and how it was used on the net. You could do something like a Google Alert that sends you an email every time “AntiTree” appears in the search engine. With Spicy Mango, you can search multiple sources (such as forums, blogs, news outlets) for relevant data and then carve out what is actionable. You probably don’t want to see Tweets that you sent yourself but you might want to see them referencing your account.

Overview of Spicy Mango

Here’s a quick overview of how the framework is setup:

Modules are used to collect relevant information. Some examples of modules right now are an RSS reader, IRC client, Facebook and Twitter, scraper.
The data collected from these modules is saved into a database
The database provides the back-end to a web interface
The web interface controls how to present the data either High, Medium, or Low relevancy. This is done by searching for keywords in the database and applying a weight based on that keyword.

Some screenshots:

Maltego It Is Not

I’m not going to say that Spicy Mango is an amazing tool that fits into every intel gathering/recon/OSINT job you can think of. In fact, in many ways it starts overlapping with an already mature tool, Maltego. The latest version of Maltego supports “Machines” which is in someways the same idea as Spicy Mango. These machines are a recurring query for live data such as Tweets, Facebook posts, etc and is then collected in the beautiful Maltego interface that tries to visualize relationships between different pieces of intel. Very cool. But not really what I’m personally looking for.

The Best Case Scenarios

At its most usefulness, Spicy Mango would be an intel gathering tool that collects large pools of information from obscure locations on the net, and cuts down on the amount of time needed to find actionable intelligence. It could help be an operation security tool to help notify you of upcoming threats that were discussed over IRC. It could be a persistent stalking machine that keeps track of your friends.

WHY?

The “But, why?” question is the most common one I get when talking with my friends. First, I think that there is not an open-source tool today that aims to do what Spicy Mango tries. In fact, there are a bunch of secretive tools used for operation security and OSINT but we don’t know about them and they’re often a very custom design. Mostly because, the first rule of OPSEC is that you don’t talk about OPSEC.

Secondly, hackers are usually pretty proud about their doxing skills. “I can find your real name and home address in 15 minutes!” Usually they’re not wrong but their skills are based on tools that they’ve developed themselves otherwise they’re just using some site that does the work for them. I would find it interesting if the playing field was leveled so that every person had the same tools to stalk someone. In that case, real skills would have to be developed to excel passed the baseline.

Lastly, (or primarily) it’s fun to hack on. The modules are simple to develop and the code is straight-forward.

Future Opportunities

Since I started to help develop this framework, I’ve thought of some improvements it that would help take it from just a collection engine, to a more serious intelligence tool. I can see an advanced analysis engine that would take it above just keyword searches to support a modular framework in the same way that the collection phase works. I’ve been working on supporting natural language processing to help be able to support n-gram structured searches and implementing spam style text analysis to automatically strip out useless information. This is all based on my goal to better normalize the content that is collected.

Onion Porn: HashedControlPassword

Oct 27 2012 Published by antitree under Crypto,Python,Tor

I love excessively documented things. Design documents, protocols specs…whatever and Tor is one of those projects that I’ve always loved to randomly poke around into. I got sucked into Tor’s source code today and was entertained by the results. Beware, crypto time suck ahead.

ControlPort

Tor is controllable by making socket connections to it’s aptly named “ControlPort” usually on port 9051. The control port is not enabled by default if you’ve just installed Tor on Ubuntu or something, but it is enabled on the Windows packages that use front-ends like Vidalia. Anyways, this gives various third parties the ability to control all aspects of Tor on-the-fly.

There was a 2600 article years ago, about using the control port and it gives a really cool summary of some of the stuff you can do. Create custom circuits, create super long circuits, generate new circuits on demand. If you’ve used Vidalia, this is what it interfaces with.

But what I got sucked into today is the fact that there’s two ways to authenticate with the control port: Cookie, and HashedPassword. (Or none if you don’t care.) . This is what your standard TORRC looks like:
## The port on which Tor will listen for local connections from Tor ## controller applications, as documented in control-spec.txt. ControlPort 9051 ## If you enable the controlport, be sure to enable one of these ## authentication methods, to prevent attackers from accessing it. #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C

Crypto

Normally you can generate a hashed password for saving in your TORRC file by using the “–hash-password” switch to Tor. But today I wanted to waste my time and see how it’s generated. Thankfully, even though the documentation is a bit outdated, the control spec still goes into some pretty good detail.

https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt

Section 5.1 covers authentication and the HashedControlPassword function which looks like this:

If the 'HashedControlPassword' option is set, it must contain the salted
  hash of a secret password.  The salted hash is computed according to the
  S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.
  This is then encoded in hexadecimal, prefixed by the indicator sequence
  "16:".  Thus, for example, the password 'foo' could encode to:
     16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2
        ++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           salt                       hashed value
                        indicator

If the 'HashedControlPassword' option is set, it must contain the salted

hash of a secret password. The salted hash is computed according to the

S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.

This is then encoded in hexadecimal, prefixed by the indicator sequence

"16:". Thus, for example, the password 'foo' could encode to:

16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2

++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

salt hashed value

indicator

I’m all double rainbow on this at first which made me spend more time on it. Se we see the RFC for OpenPGP and how it documents the generation of this hash. And it starts to make sense. I’ll try to explain how I understand it:

OpenPGP’s RFC explains that the S2K (string to key) algorithm takes in a secret value, a specifier (I’ll come back to), an 8 byte salt, a “count” value, and generates a hash. The count value is an encoded hex value that affects how many times the secret is hashed. The salt is just a random 8 byte value. But the specifier dictates the type of S2K and the hashing function to use. It consists of 2 bytes, the first specifies the type of hashing function that will be performed. These options are:

0x00 Simple: A key comes in, a hash goes out

0x01 Salted: A key is salted and then hashed

0x03 Iterated and Salted: A key, and a salt, all hashing the crap out of eachother over and over. This is what Tor uses.

The second byte specifies the hashing algorithm. In the case of Tor, they use SHA1 so this specifier should be 0x02. So putting that together for Tor, we would expect to see the hex encoded version of 32. But you’ll notice in the control-spec, there is no 32 at all but there is a “16:”.

I spent far too long trying to rationalize how 16 fits into the hash but it turns out that Tor does not use the specifier in their implementation of S2K. That makes sense after I think about it since Tor doesn’t need to worry about different hashing algorithms or varied number of hashing iterations. They implement a static password hashing function that uses SHA1 and iterates based on a counter value of 60 which is also static. This is why you’ll always a 60 in the middle of the HashedControlPassword value in the TORRC file.

I really needed to find out why 16. There had to be a reason. The most amount of beers that Roger Dingledine consumed in one sitting? The number of times Nick Mathewson was arrested for dealing meth? Someone from the Tor-talk mailing list finally pointed out what I was missing:

if (!strcmpstart(hashed, "16:")) {
 if (base16_decode(decoded, sizeof(decoded), hashed+3, strlen(hashed+3))&lt;0
 || strlen(hashed+3) != (S2K_SPECIFIER_LEN+DIGEST_LEN)*2) {
 goto err;
 }
} else {
 if (base64_decode(decoded, sizeof(decoded), hashed, strlen(hashed))
 != S2K_SPECIFIER_LEN+DIGEST_LEN) {
 goto err;
 }
}

if (!strcmpstart(hashed, "16:")) {

if (base16_decode(decoded, sizeof(decoded), hashed+3, strlen(hashed+3))<0

|| strlen(hashed+3) != (S2K_SPECIFIER_LEN+DIGEST_LEN)*2) {

goto err;

}

} else {

if (base64_decode(decoded, sizeof(decoded), hashed, strlen(hashed))

!= S2K_SPECIFIER_LEN+DIGEST_LEN) {

goto err;

}

16 appears to be describing whether or not it’s base16 as opposed to base64. There’s nothing in the documentation about this and attempts to use a base64 encoded password didn’t work out for me. I’ll have to just leave this alone until someone can tell me more.

Code

Nothing useful really came out of this besides making myself happy diving into some code but I still wanted an actual output of some kind so I rolled my own version of the hashing algorithm in Python.

import os, binascii, hashlib

#supply password
secret = 'foo'

#static 'count' value later referenced as "c"
indicator = chr(96)

#used to generate salt
rng = os.urandom

#generate salt and append indicator value so that it
salt = "%s%s" % (rng(8), indicator)

#That's just the way it is. It's always prefixed with 16
prefix = '16:'

# swap variables just so I can make it look exactly like the RFC example
c = ord(salt[8])

# generate an even number that can be divided in subsequent sections. (Thanks Roman)
EXPBIAS = 6
count = (16+(c&15)) << ((c>>4) + EXPBIAS)  #

d = hashlib.sha1()

#take the salt and append the password
tmp = salt[:8]+secret

#hash the salty password as many times as the length of
# the password divides into the count value
slen = len(tmp)
while count:
  if count > slen:
    d.update(tmp)
    count -= slen
  else:
    d.update(tmp[:count])
    count = 0
hashed = d.digest()
#Convert to hex
salt = binascii.b2a_hex(salt[:8]).upper()
indicator = binascii.b2a_hex(indicator)
torhash = binascii.b2a_hex(hashed).upper()

#Put it all together into the proprietary Tor format.
print(prefix + salt + indicator + torhash)

import os, binascii, hashlib

#supply password

secret = 'foo'

#static 'count' value later referenced as "c"

indicator = chr(96)

#used to generate salt

rng = os.urandom

#generate salt and append indicator value so that it

salt = "%s%s" % (rng(8), indicator)

#That's just the way it is. It's always prefixed with 16

prefix = '16:'

# swap variables just so I can make it look exactly like the RFC example

c = ord(salt[8])

# generate an even number that can be divided in subsequent sections. (Thanks Roman)

EXPBIAS = 6

count = (16+(c&15)) << ((c>>4) + EXPBIAS) #

d = hashlib.sha1()

#take the salt and append the password

tmp = salt[:8]+secret

#hash the salty password as many times as the length of

# the password divides into the count value

slen = len(tmp)

while count:

if count > slen:

d.update(tmp)

count -= slen

else:

d.update(tmp[:count])

count = 0

hashed = d.digest()

#Convert to hex

salt = binascii.b2a_hex(salt[:8]).upper()

indicator = binascii.b2a_hex(indicator)

torhash = binascii.b2a_hex(hashed).upper()

#Put it all together into the proprietary Tor format.

print(prefix + salt + indicator + torhash)

This will generate a hash for the password “foo”. Place the hash in the TORRC file and restart Tor and then you can test like this:

[me@me]# nc localhost 9051 authenticate "foo" 250 OK

External Links

https://gitweb.torproject.org/tor.git/blob?f=src/common/crypto.c#l2829 – the “secret_to_key” method implements most of the OpenPGP standard.
https://gitweb.torproject.org/tor.git/blob?f=src/or/control.c#l1153 – portion of Tor source code that reads in the HashedControlPassword value
https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt – the Tor control spec. (Planned to be updated “soon”)
https://gist.github.com/3962751 – my Tor hashing algorithm in Python
http://www.thesprawl.org/research/tor-control-protocol/ – The Sprawl’s article that was posted in 2600 about using the control port for fun and profit

6 Months of Tor in the Clouds!

Apr 11 2012 Published by antitree under Tor

It’s been 6 month’s since I started running a Tor bridge node on an Amazon EC2 instance. Back then, Tor had just announced an initiative to get people setting up cloud images to run as bridge nodes. This was during the then recent upheaval in the Middle East where connections to the Internet were either disabled completely, or they were extremely restricted as to what sites they were allowed to see. Tor couldn’t directly help with re-establishing network connectivity, but those that blocked Twitter and other social networking sites, could be evaded by Tor and their bridge nodes.

Skip this paragraph if you already know about bridge nodes: Tor has built in features that make it hard to detect at the protocol level. When a user establishes a connection to a entry node, the data is encrypted and designed to be difficult to fingerprint so firewalls/network policies have trouble detecting who’s using Tor. As a result, companies/countries/fascist organizations have created a list of all the Tor entry nodes (information that is publicly available) and blocked access to them completely. To circumvent this, bridge nodes were created. When a user finds themselves blocked from connecting to the Tor network, they can request a bridge node through a couple of different ways but most commonly, emailing “[email protected]” will automatically reply with a current bridge node. But why am I explaining this. Go here to learn all about them.

Running a bridge node works perfectly for Amazon’s Free Tier since they’re lower traffic than an exit or entry node. In fact, I have not spent a single penny while running it.

Below are the days with the highest usage in bytes. November was definitely the Middle East scuffles and you can probably chalk up most of the others to the same. I was trying to correlate a specific event that happened on these days but couldn’t find any. If you notice something, let me know. I’m guessing a blog post went online showing more people over there how they can use Tor and bridge nodes. To get setup and run a bridge node of your own on an EC2 instance, you can read more here.

11/21/2011 16:00	5034870
11/21/2011 17:00	3861440
11/26/2011 6:00	51935
12/6/2011 14:00	41933
12/11/2011 17:00	38003
1/8/2012 18:00	230296
2/2/2012 15:00	65177
2/28/2012 8:00	786658
3/1/2012 8:00	47005
3/1/2012 9:00	149672

« Prev