Using proxies with anonymity networks
In this section, we will be exploring two important tools that are utilized by attackers to maintain their anonymity on a network: Tor and Privoxy.
Tor (www.torproject.org) is an open source implementation of third-generation onion routing that provides free access to an anonymous proxy network. Onion routing enables online anonymity by encrypting user traffic and then transmitting it through a series of onion routers. A layer of encryption is removed by each router to obtain routing information, and the message is then transmitted to the next node. This has been likened to the process of gradually peeling an onion, hence the name. It protects against traffic analysis attacks by guarding the source and destination of a user's IP traffic.
In this example, Tor will be used with Privoxy, a non-caching web proxy that sits between an application and the internet and uses advanced filtering to protect privacy and to strip ads and potentially hostile data before they reach the tester.
To install Tor, perform the following steps:
- Issue the apt-get update and apt-get upgrade commands, and then use the following command:
apt-get install tor
- Once Tor is installed, edit the /etc/proxychains.conf file.
This file dictates the number and order of proxies that the test system will use on the way to the Tor network. Proxy servers may be down, or they may be experiencing a heavy load (causing slow or latent connections); if this occurs, a defined or strict ProxyChain will fail because an expected link is missing. Therefore, comment out strict_chain and uncomment dynamic_chain, which ensures that the connection will still be routed, as shown in the following screenshot:
- Next, edit the [ProxyList] section to ensure that the socks5 proxy is present, as shown in the following screenshot:
Open proxies can easily be found online and added to the Proxychains.conf file. Testers can take advantage of this to further obfuscate their identity. For example, if there are reports that a certain country or block of IP addresses has been responsible for recent online attacks, look for open proxies from that location and add them to your list or a separate configuration file.
- To start the Tor service from a Terminal window, enter the following command:
# service tor start
- Verify that Tor has started by using the following command:
# service tor status
It is important to verify that the Tor network is working and providing anonymous connectivity.
- Verify your source IP address first. From a Terminal, enter the following command:
# firefox www.whatismyip.com
This will start the Iceweasel browser and open it on a site that provides the source IP address connected with that web page.
- Note the IP address, and then invoke Tor routing using the following proxychains command:
# proxychains firefox www.whatismyip.com
In this particular instance, the IP address was identified as 96.47.226.60. A whois lookup of that IP address from a Terminal window indicates that the transmission is now exiting from a Tor exit node, as shown in the following screenshot:
Although communications are now protected using the Tor network, a DNS leak can still occur: this happens when your system resolves hostnames through your ISP's DNS server outside the Tor tunnel, which reveals the sites you are visiting to the ISP. You can check for DNS leaks at www.dnsleaktest.com.
Most command-line tools can be run from the console through the Tor network in the same way, by prefixing the command with proxychains.
- When using Tor, some considerations to be kept in mind are as follows:
  - Tor provides an anonymizing service, but it does not guarantee privacy. Owners of the exit nodes are able to sniff traffic, and may also be able to access user credentials.
  - Vulnerabilities in the Tor browser bundle have reportedly been used by law enforcement agencies to exploit systems and gain user information.
  - ProxyChains does not handle User Datagram Protocol (UDP) traffic.
  - Some applications and services cannot run over this environment; in particular, Metasploit and nmap may break. The nmap stealth SYN scan escapes ProxyChains and the connect scan is invoked instead; this can leak information to the target.
  - Some browser applications (ActiveX, Adobe's PDF applications, Flash, Java, RealPlayer, and QuickTime) can be used to obtain your IP address.
- Attackers can also use random chaining. With this option, ProxyChains randomly chooses IP addresses from the list and uses them to build the ProxyChain. This means that, each time ProxyChains is used, the chain of proxies looks different to the target, making it harder to trace the traffic back to its source.
- To do so, edit the /etc/proxychains.conf file again, comment out dynamic_chain, and uncomment random_chain; only one of these chain options can be active at a time.
- In addition, attackers can uncomment the line with chain_len, which sets the number of proxies used in each randomly generated chain.
This technique can be used by attackers to establish qualified anonymity and to then remain anonymous on the network.
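The configuration steps above (commenting out strict_chain in favour of dynamic_chain, adding a socks5 entry to [ProxyList], and later switching to random_chain with a chain_len) and the DNS leak caveat can be verified by a script instead of by eye. The following POSIX shell script is an added example and is not code from the book or from the proxychains project. It assumes the stock proxychains.conf syntax (one of strict_chain, dynamic_chain or random_chain uncommented, optional chain_len and proxy_dns directives above the [ProxyList] section, and "type host port" entries below it) and the proxy_dns directive, which routes hostname resolution through the chain; the function and file names are the example's own, and it works on a constructed sample config in a temporary file rather than on the real /etc/proxychains.conf.

```shell
#!/bin/sh
# Added example (not from the book or the proxychains project): check and
# adjust a proxychains.conf. Assumes the stock file syntax: one chain mode
# line uncommented, optional "chain_len = N" and "proxy_dns" directives,
# then a [ProxyList] section of "<type> <host> <port>" entries.

# Write a constructed sample config (mirrors the stock defaults) to $1.
pc_sample_config() {
    cat > "$1" <<'EOF'
# proxychains.conf (constructed sample for the example)
strict_chain
#dynamic_chain
#random_chain
#chain_len = 2
#proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050
EOF
}

# Print the single active chain mode; fail if zero or several are uncommented.
pc_active_mode() {
    modes=$(grep -E '^[[:space:]]*(strict_chain|dynamic_chain|random_chain)[[:space:]]*$' "$1" | sed 's/[[:space:]]//g')
    count=$(printf '%s\n' "$modes" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$modes"
}

# Succeed if the [ProxyList] section contains a socks5 entry.
pc_has_socks5() {
    sed -n '/^\[ProxyList\]/,$p' "$1" | grep -Eq '^[[:space:]]*socks5[[:space:]]'
}

# Succeed if proxy_dns is enabled, i.e. name lookups go through the chain
# instead of the local resolver (the DNS leak described in the text).
pc_proxy_dns_on() {
    grep -Eq '^[[:space:]]*proxy_dns[[:space:]]*$' "$1"
}

# Report problems with the config; the return value is the number of findings.
pc_check() {
    f=$1; n=0
    if mode=$(pc_active_mode "$f"); then
        [ "$mode" != strict_chain ] || { echo "WARN: strict_chain fails whenever one listed proxy is down"; n=$((n+1)); }
        if [ "$mode" = random_chain ] && ! grep -Eq '^[[:space:]]*chain_len[[:space:]]*=' "$f"; then
            echo "WARN: random_chain is set but chain_len is not"; n=$((n+1))
        fi
    else
        echo "FAIL: exactly one chain mode must be uncommented"; n=$((n+1))
    fi
    pc_has_socks5 "$f" || { echo "FAIL: no socks5 entry in [ProxyList]"; n=$((n+1)); }
    pc_proxy_dns_on "$f" || { echo "WARN: proxy_dns is off, DNS requests can leak"; n=$((n+1)); }
    return "$n"
}

# Set a directive above [ProxyList]: replace an existing commented or active
# line with "name" or "name = value", otherwise insert it before the list.
pc_set_directive() {
    f=$1; name=$2; line=$2${3:+ = $3}
    if grep -Eq "^#?[[:space:]]*${name}([[:space:]]|=|$)" "$f"; then
        sed -E "s/^#?[[:space:]]*${name}([[:space:]].*|=.*)?$/${line}/" "$f" > "$f.tmp"
    else
        sed "/^\[ProxyList\]/i\\
${line}" "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# Switch the chain mode: comment out every mode line, uncomment the requested
# one, and set chain_len (default 3) when random_chain is chosen.
pc_set_mode() {
    f=$1; want=$2
    sed -E "s/^[[:space:]]*(strict_chain|dynamic_chain|random_chain)[[:space:]]*$/#\1/; s/^#[[:space:]]*(${want})[[:space:]]*$/\1/" "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
    [ "$want" != random_chain ] || pc_set_directive "$f" chain_len "${3:-3}"
}

# Append a "<type> <host> <port>" entry to [ProxyList] unless already present.
pc_add_proxy() {
    f=$1; entry="$2 $3 $4"
    grep -Fxq "$entry" "$f" || printf '%s\n' "$entry" >> "$f"
}

# Walk a temporary copy through the steps from the text.
pc_demo() {
    cfg=$(mktemp)
    pc_sample_config "$cfg"
    echo "--- stock config:"; pc_check "$cfg" || true
    pc_set_mode "$cfg" dynamic_chain
    pc_add_proxy "$cfg" socks5 127.0.0.1 9050
    pc_set_directive "$cfg" proxy_dns
    echo "--- dynamic chain via Tor:"; pc_check "$cfg" && echo "OK"
    pc_set_mode "$cfg" random_chain 3
    echo "--- random chain:"; pc_check "$cfg" && echo "OK"; cat "$cfg"
    rm -f "$cfg"
}
pc_demo
```

Running the script as is walks the constructed sample through the three states and prints each finding. To audit a real file, source the script and call pc_check /etc/proxychains.conf; because it returns the number of findings, a wrapper script can refuse to start a proxied command while any finding remains.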