Introduction

A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I login with unique password and then store them. I do this with every exit node there is and then see if a password has been used twice, if that's the case I know which node that was sniffing the traffic. You can read more about the project here.

The results are not so surprising, but what is most surprising about this is that 2 nodes with the "guard"-flag had logged in twice. Also, none of these nodes has been flagged even though I reported them to Tor. Read more about why I think this is bad here.

Methodology

The way I did this was by buying a domain with a tempting name(such as bitcoinbuy) and then created a sub-domain(admin.) by using vhost and sat up a simple login.

I did not use any databases for this, only a simple PHP-script which allowed any password ending in "sbtc" and therefore I just created random passwords using binascii.b2a_hex and the suffix "sbtc".(e.g d25799f05fsbtc)

This is how the login looks like(not a real captcha, but is randomized):

Once you login it looks like(yes, those links works, also dynamic numbers):

The python-script works by downloadning a list of all exit nodes using the Stem API, then create a unique password for each fingerprint and use that password for logging into the domain. All this is of course saved to a file so I later can go back and see what fingerprint used for password.

The PHP-login also saved all the logins with used username, password, user agent, IP and time. The Python-script uses Tor Browser Bundle's user agent.

The frontpage was copied from a legit bitcoin provider but heavily modified. There was also a public message announcement in the index saying that we're moving all the bitcoins to our wallets so you can't login yet because there was a login form on the frontpage also.

The Python-script also tries to make it look legit by first visiting the indexpage and sleep for 1-4 seconds and then navigating to the admin-page and login with the unique password and username "admin" and also a captcha. So it looks like this in the access log(IP removed):

UA=Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

[17/Jun/2015:21:38:01 -0400] "GET / HTTP/1.1" 200 1151 "-" "UA"
[...]Snip (GET on all the CSS, images and scripts on the frontpage)
[17/Jun/2015:21:38:08 -0400] "GET / HTTP/1.1" 200 593 "-" "UA"
[17/Jun/2015:21:38:15 -0400] "POST /adminlogin.php HTTP/1.1" 200 1151 "-" "UA"
[...]Snip (GET on all the CSS, images and scripts in the admin panel)

Here's an example of a sniffing node:

f88824b8b4sbtc- 65.181.112.176 - Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 - 2015-06-04 - 06:44:25
f88824b8b4sbtc- 95.187.208.34 - Mozilla/5.0 (Windows NT 6.3; rv:38.0) Gecko/20100101 Firefox/38.0 - 2015-06-04 - 07:59:21

All of this is of course done over HTTP so that the exit node can see the traffic. The POST-data was:

username=admin&password;=d25799f05fsbtc&captcha;=834kwv

The bottom line is that it needs to look legit in a PCAP, and I think it did.

Statistics

137,319 Exit nodes tested under 32 days.*

99,271 Successfully tested exit nodes.**

137,981 Total page visits.***

16 Instances of multiuse of a unique password.

12 Logins with wrong password.

27.4 GiB uploaded and 21.5 GiB sent through Tor.

(*)This number does not show the total amount of uniquely tested exit nodes, just how many fingerprints that was tested. But every node was tested around 95 times(there's around ~1400 exit nodes).

(**)The number is lower than the total amount because some nodes had timeout, did not allow posting through port 80 and/or was offline.

(***)Does not include robots, spiders and/or crawlers. Even if the website disallowed indexing some spiders found the website. This number is only calculated from Tor IP's so it's possible that a crawler used Tor for its connection, if that's the case its included. The number should be lower.

Results

Total: 15 fingerprints

Future work

I both want and need to continue this research. There are some things that needs to be fixed:

An open framework for easily setting up your own phishing site.
A thirdparty service that offers bad exits based on my work.(in work)
More people involving in the work(people that can set 'Bad exit').
More methods(read more).
Easier contact with the Tor Project people.
More websites needs to use HTTPS with a stable configuration(HSTS, good ciphers etc..).

If you want to support my work please send me an email. Verify the message below on my Keybase.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

If you want to help, please do and publish your research. If you want to help me you're free to do so by donating money for phising domains and servers that run the webserver. 

Please contact me at: [email protected]
Public key: https://countermail.com/process.php?pubview=Y2hsb2VAY291bnRlcm1haWwuY29t
BTC: 1AQ5R6pjdG92NBZeVR7mErm1TUra3Uh2Xh
Keybase: https://keybase.io/dotchloe
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.8
Comment: https://keybase.io/crypto

wsBcBAABCgAGBQJVhZM1AAoJEHycBYRDyBkBl98H/i1+R2ew1k8BaWGPvtqyKb5y
4ss0ifr6BwCBoqQovAe503bAnjgtUiXJ2EA2P3OwGrtO1ueJ8mkpucHhURUggWda
rhJlSN7elfitFLZ8DM2GEqdY8Ha36KnjdLXzb7md+/6cJ+0eh1d0zMi9dAXxlcIA
A8+Y7/wiiTF3jjLFkd4tltT57pnHVt5xdoEyiJYPy81gM/U07kOdnnozIjL4ei4N
rJ0jPdnRfRJB4Dgmvr1dTi9teXlKWNH50SiXBV4qLwEUj4lzzATOkMzj7yO6JUqi
3QBTLlx6jzz/3EYCipzvTsClf4JumUhxCKAzdL0XSUL24lUmIOYBR9XHF7rYVnY=
=u+5U
-----END PGP SIGNATURE-----

Conclusion

In conclusion we can see that there's passive MITM going on in the Tor network. This is done by setting up a fully functional and trustworthy exit node and start sniffing. Tools such as exitmap can only detect if the node is misconfigured or is manipulating traffic but with BADONIONS you can have the luck and find nodes that sniff traffic and actively uses it.

We can also see that nodes that have been running so long that they have earned the "Guard"-flag also sniffs traffic.

We can also see that not all uses the logins but rather just visiting the website, this indicates that they are sniffing but does not use the provided logins. So by using Tor you are drawing attention to your site.

Both Tor, independent security researchers and website owners need to work towards a safer Internet. In 32 days I've found 15 instances where a node is sniffing and using my credentials and over 650 uniqe pagevisits which means that others also sniffs. We need more people involving in this project and hopefully we'll see an improvement from here and on.

Special thanks

https://keybase.io/redpois0n
https://keybase.io/likvidera
https://swehack.org/