Re: Launching Attacks via TOR Re: Hacker strikes through student's router



While I believe deeply and truly in what Dustin is saying, I feel
obligated to point out that the logic behind gun control laws would
(sadly, I think) still apply to tor and other anonymizers... lawmakers
understand that the gun is just a tool to be used for good or bad.
Guns kill people just as dead as knives, but guns can do it much more
effortlessly and from a distance. Yes, hackers can/did hide their
traces before tor... but with tor even the incompetent script kiddies can
easily hide their traces. Personally I feel that the good in tor
outweighs all of the potential bad that could be done with it, but as
they say: "the path to hell is paved with good intentions..."

I really want people to understand that I support tor 110%. I just
can't resist playing devil's advocate in any given debate.

-=Matt=-

On 11/8/05, Dustin Eward <plasma@xxxxxxxxxxxxxxx> wrote:
> tor wrote:
>
> > They are probably referring to articles like the following:
> >
> >
> > http://dhanjani.com/archives/cat_security.html
> >
> >
> >    Launching Attacks via Tor <http://dhanjani.com/archives/000085.html>
> >
> > July 10, 2005
> >
> > I have written about Tor before
> > <http://dhanjani.com/archives/000069.html>. In my opinion, the Tor
> > project <http://tor.eff.org/index.html> is an excellent effort towards
> > protecting online privacy. I routinely use the Tor network, and it
> > works well for me.
> >
> > I believe that the merits of a project like Tor outweigh the channels
> > of abuse it may grant malicious users. However, these channels of
> > abuse do exist, and they cannot be ignored: if a malicious entity
> > wants to scan or launch your network via the Internet, he or she can
> > do this via the Tor network. This will make it incredibly difficult
> > for you to track down the source of the attacks.
> >
> > In order to demonstrate this, I set up a host on the Internet that I
> > wanted to scan from my home network using the Nessus vulnerability
> > scanner <http://nessus.org/>. Before an attacker can exploit a
> > specific vulnerability, he or she will want to test the presence of
> > the vulnerability using a scanner such as Nessus. Here are the steps I
> > followed to launch the Nessus scan via Tor:
> >
> > 1) Install and Setup Tor <http://tor.eff.org/download.html>.
> >
> > 2) Download desproxysocat <http://www.dest-unreach.org/socat/> (Thanks
> > Chris!). This tool will allow us to setup a local TCP listener that
> > will tunnel connections via the Tor SOCKS server (listening on port
> > 9050).
> >
> > Let us assume that the IP address of the host I wanted to scan was
> > 10.0.0.1 (yes I know this is non-routable over the Internet, but I
> > don't want to publish the real IP address of my host). I invoked
> > |socat| like this:
> >
> > |./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:10.0.0.1:80,socksport=9050|
> > The above command causes |socat| to listen on port 8080, and tunnel
> > all incoming connections to 10.0.0.1 (port 80) via the Tor SOCKS server.
> >
> > [Updated July 12, 2005. Step 3 is not applicable now].
> > 3) Configure |privoxy| to allow HTTP CONNECT requests via port 80. By
> > default, only port 443 is allowed. To do this, configure your web
> > browser to use |privoxy| as the HTTP proxy (127.0.0.1 81118) and
> > browse to http://config.privoxy.org/show-status. Click on the "Edit"
> > button next to the applicable "default.action" file, and choose the
> > "Enable" radio button on the left side of "limit-connect". Enter "80,
> > 443" in the edit box and click on "Submit".
> >
> > 4) Install and configure Nessus
> > <http://www.oreillynet.com/pub/a/security/2004/04/22/nessus.html>.
> >
> > 5) Launch a Nessus scan against 127.0.0.1 port 8080. Configure Nessus
> > to limit the scan to port 8080 in the "Scan Options" tab.
> >
> > Here are some of the entries in my Apache log that were a result of
> > the scan:
> >
> > |
> > 192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1"
> > 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> > 192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET
> > /cgi-bin/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0
> > HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> > 192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET
> > /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-"
> > "Mozilla/4.75 [en] (X11, U; Nessus)"
> > 192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET
> > /scripts/fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus
> > HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> > 192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET
> > /scripts/viewpic.php?id=7&conversation_id=<script>foo</script>&btopage=0
> > HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> > 192.168.1.1 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1"
> > 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> > 192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET
> > /fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus HTTP/1.1"
> > 404 209 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
> > 192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET
> > /cgi-bin/wiki.pl?<script>foo</script> HTTP/1.1" 404 213 "-"
> > "Mozilla/4.75 [en] (X11, U; Nessus)"|
> >
> > The 192.168.1.1 IP address represents the host that is the last onion
> > router in the random circuit that was set up by the Tor software (NOTE:
> > I don't want to publish the actual IP address of the last onion router
> > that I noticed in my logs, so 192.168.1.1 is a placeholder to serve
> > as an example). Given the design of Tor, it would be extremely
> > difficult (if not impossible) to determine the source IP address (i.e.
> > my IP address - and not the IP address of the last onion router). The
> > above instructions can also be used to exploit software flaws (using
> > tools such as Metasploit <http://www.metasploit.com/>) in order to
> > anonymously execute arbitrary commands on vulnerable hosts.
> >
> > I am a big fan of the Tor project. However, potential attackers who
> > may want to hide their tracks may abuse the anonymity granted by Tor.
> > The aim of this post is to shed light on this fact, and I hope it is
> > helpful to administrators who are affected by attacks that seem to
> > originate from a source that is an onion router in reality.
> >
> >
> >
> >
> Did such "bad guys" not find ways to cover their tracks before the Tor
> concept existed?
>
> Because a thing can be abused, does not make the thing a bad idea, or
> make it at fault for the abuse.  It facilitates nothing; as this same
> behavior would still continue without Tor, and has existed long before
> there was Tor.
>
> Much like Firearms, a good analogy made by another or-talk subscriber.
> I don't honestly feel we have any obligation to curb our function or
> behavior simply because there is a dirty mind out there capable of
> misusing it.
>
> Government Issued Tor Licenses a la FCC?  The more Government control
> there is over a given freedom/right, the more conflict of interest there
> is.  Serving up that Conflict of Interest on a silver platter, by
> insisting that abusers should be a concern of ours, is not responsible.
>
> All tyrants rise from false "need."  What we "need" is for companies to
> have tighter security.  Failure to do so implies that Tor created the
> exploit, when in reality, it was just a conduit to a pre-existing deficit.
>
> If you leave your garage door open, and go on vacation, you might just
> get some of your stuff stolen...  Whether the thief drove up in a car with
> a traceable license plate, or did it with an Invisibility Cloak; doesn't
> matter.
>
> Be careful what you wish for, you just might get it.
>
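
For administrators reading Apache logs like the excerpt quoted above, the following is an added example (not part of any message in this thread) that flags scanner requests by behaviour and notes whether the client address is a known Tor exit. The exit set, the two extra log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, as used in the excerpt quoted in the message.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) '
    r'HTTP/[\d.]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Constructed sample: three lines from the quoted excerpt (unwrapped) plus two
# made-up lines from documentation addresses for contrast.
SAMPLE_LOG = '''\
192.168.1.1 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email=<script>foo</script> HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
192.168.1.1 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl?<script>foo</script> HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
203.0.113.7 - - [10/Jul/2005:17:30:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.9 - - [10/Jul/2005:17:30:05 -0700] "GET /search.php?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux)"
'''

# Assumption: exit addresses come from a list the operator maintains; here it
# holds only the placeholder address used in the message.
TOR_EXITS = {"192.168.1.1"}

def classify(entry):
    """Return the set of scanner indicators present in one parsed request."""
    reasons = set()
    if "nessus" in entry["agent"].lower():
        reasons.add("scanner-user-agent")
    if "<script" in unquote(entry["uri"]).lower():  # catches URL-encoded probes too
        reasons.add("script-probe")
    return reasons

def summarize(log_text, exits=TOR_EXITS):
    """Group flagged requests per client IP and mark known Tor exits."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        reasons = classify(m.groupdict())
        if not reasons:
            continue  # ordinary request, nothing to report
        rec = report.setdefault(m["ip"], {"hits": 0, "not_found": 0, "reasons": set(),
                                          "tor_exit": m["ip"] in exits})
        rec["hits"] += 1
        rec["not_found"] += m["status"] == "404"
        rec["reasons"] |= reasons
    return report

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec)
```

The `tor_exit` flag only tells the operator that tracing the address further will lead to a relay rather than the originator; the behavioural indicators are what drive the response.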