Tuesday, November 27, 2012

Anonymizing With Tor

While using the Internet, one may wish to anonymize their activities as much as possible.  Tor is a tool that allows for some anonymity.

In its simplest form, tor is a tool that routes TCP traffic through a series of nodes while encrypting it so that the destination host cannot determine where the traffic originated. The tor website has a much more technical description of it along with various tools and applications that allow you to use it.

Of course one can see how a tool like this can be useful for security enthusiasts for both good and bad.

tor creates a proxy server on the local host that allows all traffic pointed to it to be routed through the tor network. However, if an application cannot be configured to use a proxy, then a tool like tsocks can be used to direct the application's traffic through the tor proxy.

On a Debian-based system, tor and tsocks can be installed with the familiar command: apt-get install tor tsocks

Once installed, all one has to do is edit the /etc/tsocks.conf file, setting the server entry to 127.0.0.1 and the server_port entry to 9050, tor's port. tor itself should need no configuration at all.

To use applications through tor, either configure the application to use a proxy at 127.0.0.1:9050 or, if the application doesn't support proxy use, just run it by prepending tsocks to the command (e.g. tsocks nmap scanme.nmap.org). Keep in mind that tor only supports anonymizing TCP traffic, not UDP or ICMP.
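A quick check that the tsocks defaults match the values described above (server 127.0.0.1, server_port 9050), as an added example that is not part of the original post. The function names and the sample file are hypothetical, and server_type is a tsocks.conf directive the post does not mention.

```shell
# tsocks_value FILE KEY: print the last value assigned to KEY outside any
# "path { }" block, ignoring comments and whitespace.
tsocks_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*path[ \t]*[{]/ { inpath = 1; next }
        /[}]/                  { inpath = 0; next }
        inpath                 { next }         # per-path overrides are skipped
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# check_tsocks_conf FILE: return 0 only if the default server is 127.0.0.1
# and the default server_port is 9050 (the values given in the post).
check_tsocks_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    server=$(tsocks_value "$conf" server)
    port=$(tsocks_value "$conf" server_port)
    rc=0
    [ "$server" = "127.0.0.1" ] || { echo "server is '${server:-unset}', expected 127.0.0.1" >&2; rc=1; }
    [ "$port" = "9050" ] || { echo "server_port is '${port:-unset}', expected 9050" >&2; rc=1; }
    return "$rc"
}

# Constructed sample config for a stand-alone run (not a real system's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example
server = 127.0.0.1
server_type = 5
server_port = 9050
EOF
check_tsocks_conf "$sample" && echo "tsocks defaults point at 127.0.0.1:9050"
rm -f "$sample"
```

On a real system the check would be run as check_tsocks_conf /etc/tsocks.conf after editing the file.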

One popular usage of tor is to anonymize nmap scans. You simply run nmap via tsocks as follows: tsocks nmap <host> -PN. The -PN argument is required so that nmap doesn't perform a ping scan, which would reveal your IP address.

I would provide examples, but I would have to change my network configuration in order to perform a pcap to show tor actually doing its thing.

One caveat of tor is that it's quite slow due to the way it routes your traffic through three hops before it gets to the destination host. A tool called tortunnel routes your traffic through only one exit node, which will improve performance but reduce anonymity.