you're reading...
Deep Packet Analysis, Hacking / Counter Intelligence, Lawful Intercept

MITM Attack against Tor SSL for Deep Packet Analysis

Tor is wonderful tool to ensure your privacy on the Internet. Tor prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

Tor achieves this by bouncing through other Tor users via an anonymous and encrypted interchange. In short a series of VPNs before your traffic exits back out on the internet and your request is completed.

By setting up a Tor node and installing a sniffer on the server you will be able to see all non encrypted traffic, and you will be able to gather data and sensitive information. To sniff SSL traffic you will need to setup and configure sslstrip a python tool that issues a false SSL cert to the connecting client.

To start you have to get Linux distribution like Backtrack or Ubuntu on a virtual machine it is free and available online. Next download the latest Tor version (currently O.2.1.20). After installing the packages it is better to create a new user on the system trouser: uid=111(toruser) gid=10(wheel) groups=0(wheel),10(wheel). Now Tor use to store the config file .tor in the home directory (/home/toruser) so you need to open this file on the text editor.

In the setting we customize the following:

ControlPort – this is the port used for the remote management of Tor server. Most use the value of 9051.

DirPort – Advertise the directory service on this port. The value is 9030.

ControlPort 9051
DirPort 9030

ExitPolicy – determines what traffic we will receive and forward. By default the policy is as follows:

reject *: 25 , reject *: 119 ,reject * :135-139 , reject *: 445, reject *: 563, reject *: 1214
reject * :4661-4666 ,reject * :6346-6429 ,reject *: 6699 ,reject * :6881-6999 ,accept *: *

here we need to choose the services that we need to receive on our Node and forward (HTTP,HTTPS,POP3,IMAP,IMAPS, POP3S) .so it will be as follows:


accept *: 80, accept *: 443, accept *: 110, accept *: 143,accept *: 993, accept *: 995, reject *: *

HashedControlPassword – this to configure the password for remote Tor server configuration and to not allow a malicious user control the server.

Nickname – the server name.

ORPort – port to connect with other nodes 9001.

SocksListenAddress – this will be the localhost (

Save the changes and close the file. Now the server is ready to lunch:

$ Tor-f /home/toruser/.tor/torrc

You will take approximately 20 minutes to check the system and ports. Than you can go to http://moria.seul.org:9032/tor/status/authority and you will find our server among other server names.

So Excellent our server is working and it’s time to choose the favorite sniffer Wireshark , Wireshark is already exists in the Backtrack4 select the interface and enable packets capturing. Wireshark will give you all non encrypted traffic like website browsing and other HTTP navigation while it’s in clear. Not bad so far.

Now what about the encrypted traffic, here it’s time to use SSLStrip to get it you go to the official Moxie Marlinspike website and download the last version there is already an update released 2 days ago.

Run the command:

$ Python sslstrip.py-a-l 8080-w today.log

If we are not the last node the traffic will be transmitted in an encrypted form so to decrypt this traffic before it goes to the final destination we need to pass it over the sslstrip by adding this rule to iptable:

$ Iptables-t nat-I OUTPUT-p tcp-m owner-uid-owner 111 – dport 80-j DNAT – to-destination

This will make all outdoing HTTP-traffic from user toruser pass through sslstrip automatically, and at this point we need just to wait till that we collect some logs and check the log file.

It is important to note that all programs are used just for educational purposes.

Related Information:


About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: