This article is a collection of interesting methods to use the Tor network for more than just what it is perceived to be used for. This is a way to utilize the overlay network to prevent need to punch holes in your firewall at home, prevent need for dynamic dns, and you might find your own interesting uses.
Tor, the layers.
Tor, The Onion Router, is an overlay network originally designed by the United States Navy. It is still mostly funded by them. Many may inquire as to why this software should be trusted, that answer is quite simple. The same level of privacy that a covert operative needs, should be the same level of privacy that a user should have if it is used properly. Governments while they do hate people using Tor, they actually need users on the network for their own protection. It is also important to note while they may also be ever increasing attempts to de-anonymize users, the government really wants this to be stopped for their own sake. Let’s go over that these layers and a little dive into Tor, as there are layers to the ways it can be used.
The Tor network does not require special hardware to use, and this has a keen advantage for a variety of users. Most users in this world will be able to just start the browser or enable torsocks to connect to the network. In some cases their country or ISP may block access and they will have to connect to a bridge relay. Tor consists of three relay types: Guard/Middle Relays, Bridge Relays, and Exit Relays. Each of the relay types play an important part in providing access to the network and the exit relay provides access to the normal internet aka “clearnet”. The Guard/Middle relays intercommunicate to the other nodes in the network and if you access a hidden service you will only use these types of relays without going to an exit relay as you would not be accessing the clearnet. Bridge relays are stored in the BridgeDB and are the true fight against censorship, as they are often distributed non publicly as many oppressive regimes look to block them once they are found. Some methods of distribution can come from sneakernet, private communications, and in some cases stegonagraphy. To connect to the network some users will have to directly connect to the bridge using obfs4 transport plugins to mask traffic. This is a very critical aspect of users in oppressed conditions. Americans do not quite understand oppression and therefore do not see the purpose in some tools, keep this in mind when discussing privacy.
Relays do involve some levels of trust as you are accessing the network via another machine and you do have to trust that the system is not running other software that could be used against you. Some examples of this would be nation states running MITM proxy or other de-anonymyzing software. There are many techniques that can be employed to unmask users of the network. This is also an important consideration about the tor network as well as any other anonymized network. Anonymity is very important as it allows for individuals to speak openly in an ever increasingly privacy eroding internet that is the modern day. Tor is not a silver bullet, no software can be. You should do your analysis of your attack surfaces and risk factors. If there is interest, I can provide some useful guides in the future on understanding attack surfaces.
While this diagram demonstrates in simple format of how traffic over tor works, we often assume that it is just for browsing content on the dark web. There is a lot of content on the dark web, however, tor has much more uses and we are about to explore a few of them. I encourage you to also spend some time experimenting and researching what can be done. One giant deterrent for exploration is that many are afraid when others have not done something, do not get intimidated, push forward you may surprise yourself and others in your findings.
More than browsing.
As Tor is an overlay network, you can utilize this for more than browsing. You can utilize this as a tool for your own personal needs that might normally require firewall access. As we often think of Tor as being just a browser, we overlook the other aspects of the overlay network and it’s features. The hidden services features allow us to host a variety of services such as databases, communication protocols, and remote access services. There is at the current time with version 2 implementation of hidden services a number of great features to also secure these tools. Tor is in need of version 3 developers and support, consider donating or helping with code.
As there are many more services that you can run over the Tor network. If you work on servers or many remote machines for family or friends, you may find yourself having to use firewall rules to allow access. When we open a port on a firewall we are also allowing anyone to find this open port as well. While it is possible to restrict access it also becomes very tedious to manage with leaving ports exposed and the system vulnerable. So how can we avoid this potential vulnerability? We can use onion services(hidden services), this allows us to create an endpoint that we do not need to worry about such things as DynamicDNS for our personal systems. There is a multi level approach for authentication in some cases that can be employed here to prevent unauthorized access. In the next section we will setup a couple of types of hidden services, again these are just examples and I encourage you to explore and experiment for your own needs.
How to setup a hidden service
In order to setup a hidden service we will first need to install the tor daemon, not the Tor Browser, though you should install it as well and use it. The following steps will be provided for Unix/Linux users, I do apologize but at this time I do not have a Windows machine in order to do this setup and I am completely unfamiliar with their platform. If someone would like to work with me on the future on such things I would greatly appreciate it. The most common and easy way to install the tor daemon would be to simply use your package manager, here are some command examples to install:
For Debian based Linux:
- sudo apt get install tor -y
- sudo yum install tor -y
- sudo pkg install tor -y
- brew install tor -y
- ports install tor -y
Once installed you will need to find the path to the torrc file, the torrc is the configuration file used for the daemon itself. In Linux and BSD’s(Other than than Mac) you should find it in the following path:
For MacOS you will find the torrc here:
Open the torrc with your favorite editor, I will not even get into that debate on *nix systems what is the best editor, we know it is ed. Once we open file we can search and find the HiddenServices section. See screenshot below for the example that is included.
As we can see the lines are commented out but we do see that there is some information for setting up a web servers and for ssh. In this example let’s use ssh as it would provide us a secure shell over tor without a firewall port to access our let’s say home network or some other machine maybe behind a VPC or other private network. The first thing we will want to do is uncomment the line for HiddenServiceDir, this is where the information for hidden service will be placed. You may want to change your hidden_service default name for it to be something unique, for example:
In this example we can see that now there is a change in the file path to hidden_ssh and we also now see a HiddenServiceVersion 2 declaration.I will be doing an entire write up for v3 methods in the coming days as well. We also see the stealth declaration in the HiddenServiceAuthorizedClient to state that stealth for hidden_ssh. What this does it generates another authentication channel to access the ssh daemon, this will require some client configuration which will be addressed in the next section. So now we will need to start the tor daemon in order to generate a couple of pieces of information. To do this you can run the following commands based on your operating system:
For systemd Linux systems:
- sudo systemctl start tor.service
- /etc/init.d/tor start
- brew services start tor
- sudo port load tor
To verify the command started the process properly you can run the following command:
- ps -ef | grep tor
- ps -aux | grep tor
Look for the tordaemon to be started, you will see it in the output. From here we can now get information from the following directories:
In this directory you will find a couple of files and the one we will need is the hostname file, in this file you will find the .onion url as well as a password, please take note of this as that password will be needed to set up your client to securely access the service. Note you can change any of the names of the location directories in the torrc, also feel free to experiment with services and share the setup processes you found works for you. Just remember in sharing information not to share the host and password for the client authorization as this could compromise your machine. Another important note is that you can setup multiple clients for connections and each client would receive it’s own connection url and password. Now that this is setup on our host, let’s connect with our client. I also would encourage you to not use the 127.0.0.1 address but instead map to your unix socket. I will be doing a deep dive soon on hidden service security and proper setups for prevention of information leaks.
Dependent on what type of hidden service you setup you will need to first on your client or machine you plan to connect with to have the appropriate client. For example, as we are using ssh you will want to make sure that ssh is installed on your client device. You will also need to do a few configuration changes that we are going to go over now to properly and securely connect to the hidden services. You will need to install the tor daemon on your client machine as well. Please see above for installing just the daemon. For this section we will only need to make one change to the torrc, that password and url that we have from our hidden service we just setup. At the bottom of your torrc on the client machine add the following line:
HidServAuth $url $password
Where $url is obtained from the hidden service directory on the host machine and $password is also in that hostname file where you obtained the $url. Now that this is done, we can then setup torsocks and test our configuration to connect. To do this use the following command for your operating system:
For Debian based Linux:
- sudo apt get install torsocks -y
- sudo yum install torsocks -y
- sudo pkg install torsocks -y
- brew install torsocks -y
- ports install torsocks -y
The default torsocks configuration file will be found in the same directory as tor, please see the previous section to get this location for your operating system. Once you have this information we will now need to make an edit to torsocks.conf, here is an example:
We will want to uncomment AllowInbound so that we can connect to the socks proxy, we will also want to take note of the TorPort as this should be the default port your tor daemon and the proxy will listen to on your client machine to connect through. Once we have made this change we have the last pieces to install and that is connect-proxy and netcat, this is important as it allows proxy connection and we can then begin testing and verifying our connections to our new shiny hidden service over tor. To install connect and netcat run the following command for your operating system:
For Debian based Linux:
- sudo apt get install connect-proxy nc -y
- sudo yum install connect-proxy nc -y
- sudo pkg install connect-proxy nc -y
- brew install connect nc -y
- ports install connect nc-y
Once installed, we do not need to configure them, we now need to start the tor daemon on our machine we plan to connect from, use the commands from previous section to do this. Once the daemon is started we can now begin testing that we are in fact connecting over tor to the hidden service. Note that you may encounter on MacOS with SIP. Do not be alarmed, you do not need to reboot and disable SIP as many will tell you online. Simply run copy ssh and curl over to yoru /usr/local/bin/ directory with following command:
- sudo cp /usr/bin/ssh /usr/local/bin/
- sudo cp /usr/bin/curl /usr/local/bin/
This will bypass the SIP, I know silly simple but this is all you need to do. So now let’s do some testing. First command to run is the following:
- torify curl
Verify the IP address you received in response is not your actual IP address and you are now sending commands over tor using your local tor daemon. Now let’s test that ssh:
- ssh $user@$onionURL -o “ProxyCommand=/usr/bin/nc -X 5 -x 127.0.0.1:9050 %h %p”
In this command the $user is the user for the remote host ssh service, a system account that is permitted to use ssh and $onionURL is the url that we added to our client machine’s torrc. The proxy command here is calling netcat to use the proxy 5 or socks5 proxy over our local host. You should now be either prompted with a request for the user password insert or if you are using public key authentication you should dropped into the user shell. Note that this is going to me much slower than your normal ssh connection. You are now able to access a machine behind a firewall without needing a firewall port. If you encounter issues reach out to me and I will help you. Enjoy!
There a variety of ways to use the tor network that is not just for browsing, in this little write up we explored and setup a remote ssh daemon on a host without a firewall port needing to be opened to access. We also were able to see how to do this for any other service we wanted. There are some caveats and not all services on the internet have been tested, however, this should not be a deterrent. This should encourage you to push the boundary and see what is possible. I can attest from a personal friend that he has RDP working and will use that to help his grandparents. There is a lot that one could find creative uses for these types of services.
You can find me on Twitter, Signal,Telegram(@nixops), and Tox(D7D264EA7541C4324625A8360267C3C54F9C1AF564D4266FE45F2BCB68924E21CB2A75746D51). Tox or Signal is easier for me to respond these days. Thanks.