Tuesday, November 1, 2011

TOR Attack Technical Details

Hi to all

As announced in a previous post, this one presents the technical details of our TOR attack. These data will be released little by little, but everything should be available before the end of November, so stay tuned for regular additions to this post.

We would prefer to take our time and release the most recent developments in step with the TOR foundation's updates and patches. But we also understand that people are looking forward to having these technical details. Since some of them are ready, and since making them public does not conflict with the interests of the H2HC 2011/PacSec 2011 organizers, why wait any longer?

An updated version of the attack (adapted to the forthcoming updates and patches of the TOR code in November and December, and presenting the TOR security evaluation botnet we are currently developing) will be presented at the 28th Chaos Communication Congress (28C3) in Berlin.

Here are the data provided:
  • The Google Earth maps of existing ORs (public and hidden ones; all-OS ORs and Windows ORs) as of November 1st, 2011. Hidden TOR relay bridges (195 extracted so far; text list here) have been automatically extracted with the tor_brige library provided hereafter. This map is essential and is part of the intelligence step of the attack: building large, coordinated, multilevel attacks, as militaries usually do, requires this generalized view of the target. New maps as of November 10th, 2011 (310 hidden relay bridges extracted so far): all ORs and Windows ORs.
  • The tor_extend library, which makes it possible (1) to automate the extraction of hidden TOR nodes (relay bridges) and (2) to execute the spinning technique (the second of the 3 combined techniques used to force 3-node routes towards compromised nodes). This library was written by Oluwaseun Remi-Omowoson. It can also be obtained through the Rubyforge link and Rubygem link (relevant documentation here). Simply type "gem install tor-extend" to install.
  • H2HC 2011/Pacsec 2011 slides.
  • PacSec video.
  • Technical paper, which also contains the SCAPY script code for the TCP Reset technique (the first of the 3 techniques combined to force 3-node routes towards compromised nodes). Available by the end of January 2012.
  • The tor_extend library version 2.0.0 (28C3 version). Contains everything in a single file (source code, documentation, Ruby code, Google Earth map of ORs including 355 hidden relays extracted so far...). 28C3 slides. These data will be the last public version made available. Very important point following feedback and comments from Roger Dingledine (thanks Roger!): in our slides we focus on Windows ORs/relays without correlating with bandwidth. This was just one choice among many possible ones. Optimally, it is true that we have to target/infect primarily the nodes with high bandwidth, and following this discussion it is clear that many other options are possible. So, whatever the choice of the target subset to infect, the general concept/approach of our attack remains valid.
  • The malware part (installing the dynamic cryptographic trapdoor) is not public. The malware also embeds a few structures that contribute to forcing 3-node routes (refer to the paper).

Please note that the source code provided (where relevant) is the PoC version only (not optimized). Optimized versions are not public, since they are part of the TOR security evaluation botnet currently under development.

To conclude, we would like to stress the fact that TOR is not the only solution available (just to counter stupid comments claiming that without TOR the security world would be empty). We recommend the excellent (free) book "How to bypass Internet censorship", which describes various tools that are worth mentioning and considering.