Tor: The Onion Router
Introduction
This tutorial discusses the torDetector plugin. Unlike basicFlow, it also detects Tor flows that do not use Tor address ranges, and it uncovers Tor obfuscation tricks.
Preparation
First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpFlags torDetector txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: tor-nobridge-http-external.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing Tor traffic!
torDetector
Note that torDetector requires tcpFlags as a dependency to detect obfuscation protocols, and the basicFlow plugin is always nice to have!
Let’s look at the plugin configuration first:
vi src/torDetector.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define TOR_DETECT_OBFUSCATION 1 // Detect obfuscation protocols
#define TOR_DEBUG_MESSAGES 0 // Activate debug output
#define TOR_PKTL 1 // Activate packet length modulo 8 heuristic
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for torDetector */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
It is very simple. You can choose whether you also want to detect obfuscated Tor protocols, or leave that out for performance reasons or because you are not interested in them. The debug flag is for development purposes, so feel free to improve the plugin. Finally, the packet length modulo 8 heuristic (TOR_PKTL) is a last resort, for the case where everything is encrypted.
The supplied pcap does not use the standard Tor addresses, so basicFlow cannot detect it!
Run t2 on the supplied pcap:
t2 -r ~/data/tor-nobridge-http-external.pcap -w ~/results -s
If you look at torStat in the end report, it clearly labels 4 flows as Tor:
The torStat column with value 0xb1 is to be interpreted as follows:

bit | torStat | Description
=============================================================================
0   | 0x01    | Tor flow
4   | 0x10    | Internal state: SYN detected
5   | 0x20    | Internal state: obfuscation checked
7   | 0x80    | Packet snapped or decoding failed

So 0xb1 = 0x80 | 0x20 | 0x10 | 0x01: a Tor flow whose SYN was seen, whose obfuscation check ran, and in which a packet was snapped or decoding failed.
You will find the 4 flows in the flow file if you search for the 0x01 (Tor flow) bit in the torStat column.
tawk 'bitsanyset($torStat, 0x01)' ~/results/tor-nobridge-http-external_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPdssF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve torStat
A 2 0x0400000000004000 1520594008.353611 1520594372.111536 363.757925 1 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 "Private network" 33152 158.58.170.183 it "CloudFlow Virtual Datacenter" 443 6 0x4a33 1 2 64 64 0 0x00 0x0840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2597746474 2633 623714 1 2637 6423297 5 9869 29200 233088 29200 233088 419 355 420 0 0x011b 0x004c 2638 7937 0x0000013e 1460 128 0x0000 0x00 0 0x00 216463 3801765560 0.004 865.852041 1520593506.259495 0.013286 3e-06 7.645392 0.05011251 0.3469249 0.013443 0 0xb1
B 2 0x0400000000004001 1520594008.366897 1520594372.111436 363.744539 1 3 eth:ipv4:tcp 8c:04:ff:31:9a:3f 52:54:00:f8:29:c8 0x0800 158.58.170.183 it "CloudFlow Virtual Datacenter" 443 192.168.150.106 07 "Private network" 33152 6 0x4a13 1 64304 55 55 0 0x28 0x0844 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2288126131 3745 6452066 0 3750 620275 4 20005 28960 185852.8 28960 185856 37 122 38 0 0x031b 0x02c8 3750 11315 0x0000013e 1460 128 0x0000 0x00 0 0x00 3801765560 216459 0.004 15207062.962297 1505387309.149140 0.000157 0 7.859543 0.08542283 0.5849248 0.1355353 0.680069 0xb1
A 1 0x0400000000004000 1520594003.756441 1520594383.776386 380.019945 1 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 "Private network" 36832 185.21.216.198 gb "feralhostingcom network" 9001 6 0x0a13 1 2 64 64 0 0x00 0x0840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 3481612513 299 113819 0 299 94793 0 3113 29200 185855.5 29200 185856 2 136 3 0 0x011b 0x0000 1 5 0x0000011e 1460 128 0x0000 0x00 0 0x00 124374 0 0.004 497.496024 1520593506.260418 0.024216 0.006561 8.716528 0.3753675 1.248649 0.02441 0 0xb1
B 1 0x0400000000004001 1520594003.780657 1520594383.776204 379.995547 1 3 eth:ipv4:tcp 8c:04:ff:31:9a:3f 52:54:00:f8:29:c8 0x0800 185.21.216.198 gb "feralhostingcom network" 9001 192.168.150.106 07 "Private network" 36832 6 0x0a11 1 8186 53 53 0 0x00 0x0840 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2145018101 330 94793 0 330 113819 0 2599 65535 262040.7 65535 262144 1 2 2 0 0x031b 0x0000 1 6 0x0000001e 1460 2048 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000 0.000194 6e-05 8.861889 0.9113142 1.881575 1.286682 2.258196 0xb1
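The bit table above and the tawk filter `bitsanyset($torStat, 0x01)` can be reproduced outside tawk. The following Python script is an added example, not Tranalyzer code: it parses a tranalyzer2 flow file (tab-separated, header line prefixed with `%`), decodes every set torStat bit into its description, and keeps only flows with the Tor bit set. The flow lines at the bottom are constructed with a reduced column set; the torStat values are modelled on the output shown on this page, and 0x30 and 0x00 are added to show flows that were checked but are not Tor.

```python
"""Decode torDetector's torStat bitfield and select Tor flows from a
tranalyzer2 flow file, the equivalent of tawk 'bitsanyset($torStat, 0x01)'.
Added example; the sample flow lines are constructed, not real output."""

# Bit meanings as documented for torStat in the tutorial.
TOR_STAT_BITS = {
    0x01: "Tor flow",
    0x10: "Internal state: SYN detected",
    0x20: "Internal state: obfuscation checked",
    0x80: "Packet snapped or decoding failed",
}

TOR_FLOW = 0x01  # the bit the tawk filter tests


def decode_torstat(value):
    """Return descriptions of all bits set in a torStat value.

    Bits the tutorial does not document are reported as unknown rather
    than silently dropped, so a new plugin version cannot hide a flag.
    """
    descriptions = []
    for bit in range(8):
        mask = 1 << bit
        if value & mask:
            descriptions.append(
                TOR_STAT_BITS.get(mask, f"Unknown bit {bit} (0x{mask:02x})"))
    return descriptions


def bits_any_set(value, mask):
    """Same semantics as tawk's bitsanyset(): any bit of mask set in value."""
    return (value & mask) != 0


def parse_flow_file(lines):
    """Parse tranalyzer2 flow-file lines into dicts keyed by column name.

    The header line starts with '%' and names the tab-separated columns;
    every following non-empty line is one flow.
    """
    header = None
    flows = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("%"):
            header = line[1:].split("\t")
            continue
        if header is None:
            raise ValueError("flow line encountered before the % header")
        flows.append(dict(zip(header, line.split("\t"))))
    return flows


def select_tor_flows(lines):
    """Return (flowInd, dir, torStat, decoded bits) for flows with the Tor bit set."""
    selected = []
    for flow in parse_flow_file(lines):
        tor_stat = int(flow["torStat"], 16)  # column is printed as hex
        if bits_any_set(tor_stat, TOR_FLOW):
            selected.append((flow["flowInd"], flow["dir"], tor_stat,
                             decode_torstat(tor_stat)))
    return selected


# Constructed sample flow file with a reduced column set.
SAMPLE_FLOWS = [
    "%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\ttorStat",
    "A\t1\t192.168.150.106\t36832\t185.21.216.198\t9001\t0xb1",
    "B\t1\t185.21.216.198\t9001\t192.168.150.106\t36832\t0xb1",
    "A\t2\t192.168.150.106\t33152\t158.58.170.183\t443\t0xb1",
    "A\t3\t192.168.150.106\t40000\t203.0.113.7\t443\t0x30",  # checked, not Tor
    "A\t4\t192.168.150.106\t40001\t203.0.113.8\t80\t0x00",   # nothing detected
]

if __name__ == "__main__":
    for flow_ind, direction, tor_stat, decoded in select_tor_flows(SAMPLE_FLOWS):
        print(f"flow {flow_ind}{direction} torStat=0x{tor_stat:02x}: "
              + "; ".join(decoded))
```

Run against a real file with `select_tor_flows(open("~/results/tor-nobridge-http-external_flows.txt"))` (path expanded); the result matches the tawk command above because both test only the 0x01 bit, while the decoded list makes the internal-state bits visible in the same pass.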
The packet mode also labels the Tor packets:
tawk 'bitsanyset($torStat, 0x01)' ~/results/tor-nobridge-http-external_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpOptLen tcpOpts torStat l7Content
4 1 0x0400000000004000 1520594003.781495 0.000644 0.000838 0.025054 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54585 1 0x4000 64 0x7bf1 0x7bf1 0xe9bf 0xf8e5 0x0840 0 0 0 3481612514 2145018102 3481612514 0 0 0 0 0 0 182 182 0x0a13 0x0018 0x0000 29312 128 1460 124374 0 0 0x11 ...........~U...h...~T...uee.Xj.....B=q..g.....+./.....,.0.\n.\t.....3.9./.5.....f.........www.re27phfboihedwu.com.........\n.\n...........#...\r. ........................................
7 1 0x0400000000004000 1520594003.808495 0.027000 0.000167 0.052054 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54586 1 0x4000 64 0x7ca6 0x7ca6 0xe909 0x2d03 0x0840 0 0 0 3481612696 2145019116 3481612696 182 1014 182 1014 182 1014 182 0 0x0a13 0x0010 0x0000 31232 128 1460 124374 0 0 0x11
8 1 0x0400000000004000 1520594003.810099 0.001604 0.001771 0.053658 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54587 1 0x4000 64 0x7c27 0x7c27 0xe987 0xd4c6 0x0840 0 0 0 3481612696 2145019116 3481612696 0 0 0 0 182 1014 308 126 0x0a13 0x0018 0x0000 31232 128 1460 124374 0 0 0x11 ....F...BA.../h,."........fL.'.&...U3...3.+.B..v.....n.0}+.g.!4.........dO...........(yOz..x\t>...L:....+>.Y|qWy.....2F.4...#.g
10 1 0x0400000000004000 1520594003.834719 0.024620 0.000660 0.078278 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54588 1 0x4000 64 0x7c7c 0x7c7c 0xe931 0x0c0f 0x0840 0 0 0 3481612822 2145019167 3481612822 126 51 126 51 308 1065 348 40 0x0a13 0x0018 0x0000 31232 128 1460 124374 0 0 0x11 ....#yOz..x\t?....%B.~......<Tv....T.....
12 1 0x0400000000004000 1520594003.860102 0.025383 0.000187 0.103661 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54589 1 0x4000 64 0x7ca3 0x7ca3 0xe909 0x23ec 0x0840 0 0 0 3481612862 2145021244 3481612862 40 2077 40 2077 348 3142 348 0 0x0a13 0x0010 0x0000 35456 128 1460 124374 0 0 0x11
13 1 0x0400000000004000 1520594003.861555 0.001453 0.001640 0.105114 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54590 1 0x4000 64 0x7881 0x7881 0xed2a 0xdd74 0x0840 0 0 0 3481612862 2145021244 3481612862 0 0 0 0 348 3142 1405 1057 0x0a13 0x0018 0x0000 35456 128 1460 124374 0 0 0x31 .....yOz..x\t@.-....R.v...\.b3..u....L....|...N...&E.....\tX..S....8$p{|..........qT?j.DF.[1..pM....gu...j..(....g...D"*..D...k...J..Z .@...Qq.U.s..\r.Np{=..O..m&.42.o..S.[...m.N&Vyr..o...1.1..B.yd\r.~...-...;.dy....G.Psx..E...H&.\M........Wh....Sf..H..~....\t.|.=A..6.|x .u62.nN.......}c.V.X ...a.PL0.4k....D+"..[......Q..o..B.~.,..).C.vz!]`......9..=\n!M...$...X..m.......d...........H]....9r."Ns...r.k/z.u.'...p.%.lG..".8.........K.j..C_..B.u(.....bJzRWx..x........hR..}y.......d..,......:.p..E...}...l.Z...H...\rs.`...W.>~.l.....q........P...T.Ye{...H..9V"...Q..}j...x......!k!.L.y..B3|..6...h(........#........Yf..j.._l.$..a*g.6).U.B.a..e.U*.N.}K.#p.......K.QE~.....`....{$.8..#....1.p1Y$......2......L=..\n.Z.~=........k..f%c....m?aElV!..#.D<}n.`!.*......[.?.....\r..l7..uQ.T/>n.h(.L$....I.eV...*..b......D`...G..Y.....\r...p}..}.T..\tB.........z*>.RPQ.4....m0.....5x.....q.-<.n_.U.e.4...K1! ... ...d.....l........B....T.. ......'.W....A.@d6..<........./.^TI..i...>...Z.......X.ei..K._.Cb.8q.....:.Z.EB....J.\.N........{I0m.h......a.?.w(.........{......8Z.1D5..e
15 1 0x0400000000004000 1520594003.899955 0.038400 0.000801 0.143514 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54591 1 0x4000 64 0x7880 0x7880 0xed2a 0xb09e 0x0840 0 0 0 3481613919 2145021787 3481613919 1057 543 1057 543 1405 3685 2462 1057 0x0a13 0x0018 0x0000 38400 128 1460 124374 0 0 0x31 .....yOz..x\tA...R..c..N...Y.2.*A....dM.....[h.}. C......{-V6...;\n....V~.....^.....F.c.7.|.4.NE.C....;.A~.y<..E.o.v.}S.%0.K..KJ.|C....~.*..b..aSa.}.(..].3.y......{1.E........_T..z.OH1.c.......H.SL-..[.>S.Ikf%e\....%E9..f.[.....|.....V.+hb^X.Z.{.t...[.!..@..q...U.@p.......kUxs..s,+D..\td.n..N..j<1.N.)K......z...va..p.C8............0...,L.8.S\n8. 1y.S<..j-S..o.....s..4.j..>..ZJ.L\...v.]..G.a....Zo ........|..q..K!.)..."F..^q..W....'.....h......j...!'..l`....S...t>...2A@..S..d|....tAO.xw...qi....[..4.$......3L.$.\n..1...]d.>-....'av..Xy....h.r.V!.......k.SaN.VD..iUU.Q.6."3~.!..k...[$.Phar......Y.9.........a...c....M..l2.1N..v.c%f..=.\0.D\r.\......SN..#.'.o.....j.0....E..$....5.O...?.8^..A!.<.......&..$........)...>@..%...C..............M...F=wG..k.....2...z.fh...*......1.l.z*t..m[............&%...".-k..mA..om....C...#..O......k...?wU.Z..x..=BI!@QL........:.#.|1#.M.R...#.L*k...t.......>?.H,+...z.V3]\n .@...=.Fl...T.f.W:*{...F...G.jyy.\=...r.G.....}.\n...%..,.gL..P3w\t....x..rNy.........A..:..fs7.=\r.Z......."......k./+%...r....... S4.?\t..F..p./..f%..0..@
18 1 0x0400000000004000 1520594003.935583 0.035628 0.000060 0.179142 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54592 1 0x4000 64 0x7ca0 0x7ca0 0xe909 0x0f20 0x0840 0 0 0 3481614976 2145024386 3481614976 1057 2599 1057 2599 2462 6284 2462 0 0x0a13 0x0010 0x0000 44160 128 1460 124374 0 0 0x31
19 1 0x0400000000004000 1520594004.207406 0.271823 0.271883 0.450965 3 eth:ipv4:tcp 52:54:00:f8:29:c8 8c:04:ff:31:9a:3f 0x0800 192.168.150.106 07 Private network 36832 185.21.216.198 gb feralhostingcom network 9001 6 0x00 54593 1 0x4000 64 0x7a80 0x7a80 0xeb28 0xe12f 0x0840 0 0 0 3481614976 2145024386 3481614976 0 0 0 0 2462 6284 3005 543 0x0a13 0x0018 0x0000 44160 128 1460 124374 0 0 0x31 .....yOz..x\tB..kgr.n*9\r..6...rN.4...9.............D...y*...F..Rb.......D. ...(.........w.....z.}e.h.).\nw.=.C.0.vB.._sN.\..M..>..F..Q:..*\.W.[jT.n~o.Z?.^N...>\ro....u.~.KD......w..dUg-.*@?.vI_.........(.t...3N......b:S._.~.R.Q.Pyw......C..f6.......5 .E........C..F..G.n..s.....r.s.h8..Y1.G.F.7..#.wMk.\....+.I....%........7*,'74s...4:...3>.....I\n..54N^..UU.......N>..[i!...E...C...\t......b.....R...uqO^.. ..dX.89\r.:gP}.A.f..2....lm....M.K.\n.Xe{.b.w...=...w..Ja`..zN.......$.h.... w.\n........y....h6S...i.?!.q.)Q..Z1pJ..r:|.....xU..mS*....0.....
...
Conclusion
Before moving on to the next tutorial, don’t forget to reset the plugin configuration if you changed it:
t2conf torDetector --reset && t2build torDetector
Have fun analyzing.