[tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!)
Hi all, sorry for cross-posting, but it's relevant to know that nmap is going to start supporting high-performance port scanning over proxy, including Tor. That would likely mean an increase in the issues for Tor Exit Relay operators for abuses related to port-scans being reported.

Should Tor implement some kind of exit-policy-configurable rate-limiting on the amount of new TCP connections that can be opened over the same established circuit?

-------- Forwarded Message --------
Subject: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!)
Date: Fri, 03 Jul 2015 14:24:27 +0200
From: Jacek Wielemborek d33...@gmail.com
To: Nmap dev d...@nmap.org

List,

(TL;DR: Just perform BUILDING INSTRUCTIONS and let me know if it worked on your system.)

A few days ago [1][2] I mentioned that I was working on a modification to Nmap's port scanning engine that would - among other things - allow scanning behind proxies. I had a few issues with the code that I needed to work on, mostly memory errors causing crashes. Right now, I am happy to announce that this branch is ready for beta testing and I'm looking for volunteers to help me with this task. Hopefully all the major bugs were shaken out and the code could be integrated soon.

== BUILDING INSTRUCTIONS ==

This is the same as in [1]:

1. Pull my nmap-nsock-ultrascan branch:

    svn co https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-ultrascan

2. Enter the nmap-nsock-ultrascan directory and build Nmap:

    cd nmap-nsock-ultrascan
    ./configure
    make

3. If all went well, try a simple -sT scan:

    ./nmap -sT scanme.nmap.org

== HOW TO TEST IT ==

Apart from the simple -sT scan I mentioned in step 3 of BUILDING INSTRUCTIONS, I would definitely welcome trying out more complicated test scenarios. One of the features that my modifications enable is performing port scanning behind proxies. I only scanned it using the SOCKS4 server built into Tor - to repeat that, you can run the tor command in the background and execute the following line to scan scanme.nmap.org:

    ./nmap -sT --proxy socks4://localhost:9050 scanme.nmap.org

First segfaults were found and fixed thanks to stress testing I performed by adding -p- to the command, which scans all TCP ports possible, and running this command in a loop. Note that this can sometimes take an incredibly long time - probably due to the rate limiting detection feature, the scanning can slow down to as little as a probe per second, which would make a -p- scan take 18 hours. This is why I also tried --top-ports=1, which has lower chances of behaving this way.

If you run across an error (segmentation fault, assertion error or something else), it would be perfect if you could recompile Nmap with debugging support, add -d9 to the command line and run the command within a diagnostic tool such as gdb or valgrind. Here's how I did this:

    CXXFLAGS="-ggdb -O0" CFLAGS="-ggdb -O0" ./configure
    make
    valgrind ./nmap -sT scanme.nmap.org -d9 -p- > log 2>&1

I hadn't tested proxy chain support or various command-line switches. I did very little testing outside of Tor. It might also be a good idea to scan multiple targets and try an -iR scan - I tried neither of those. Also, please pay attention to scan timing - if the scan is much slower or faster than the old Nmap mechanism, this is a red flag that I would like to know about.

Please do note that even though port scanning within Tor is possible, you cannot scan .onion names due to lack of SOCKS4A support. Also, the changes should only affect the -sT connect() scan, so don't expect any improvements while trying to perform SYN scanning or any other non-connect() techniques, such as UDP/SCTP/protocol scans.

== FEEDBACK / LOOKING FOR BUGS ==

Any feedback is welcome! If you just built it and ran step 3 of BUILDING INSTRUCTIONS successfully, this is already some good news I'd love to hear. Please mention what system you used, this might prove to be useful information as well. If you ran into any errors, please tell me how I could reproduce it (what command you ran) and what system you used. If you could take some time and run through my comments in HOW TO TEST IT, your report would be even better.

Thanks in advance!

Cheers,
d33tah

[1] http://seclists.org/nmap-dev/2015/q2/374
[2] http://seclists.org/nmap-dev/2015/q3/0

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] pdf with tor
Hi.

On 07/03/2015 09:43 PM, mtsio wrote:
> If you go to Preferences > Applications > Portable Document Format there is the option 'Preview in Tor Browser' that opens the PDF without opening an external application. What's the problem with that?

I'd echo this advice from the TBB download page:

    Don't open documents downloaded through Tor while online

    The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.

https://www.torproject.org/download/download

hope you are well
tim
Re: [tor-talk] pdf with tor
> If you go to Preferences > Applications > Portable Document Format there is the option 'Preview in Tor Browser' that opens the PDF without opening an external application. What's the problem with that?

Speak Freely:
> Generally, no, but that hasn't stopped me depending on the source.
>
> I usually take one of two approaches, depending on the intention.
>
> http://view.samurajdata.se/
>
> You can point an online pdf document on this site, and it will load it for you, without using a plugin.
>
> Or, download the pdf yourself, get off Tor, and open the pdf in a sandboxed environment.
>
> Matt
> Speak Freely
Re: [tor-talk] pdf with tor
Generally, no, but that hasn't stopped me depending on the source.

I usually take one of two approaches, depending on the intention.

http://view.samurajdata.se/

You can point an online pdf document on this site, and it will load it for you, without using a plugin.

Or, download the pdf yourself, get off Tor, and open the pdf in a sandboxed environment.

Matt
Speak Freely
[tor-talk] pdf with tor
Hello everyone,

Is it safe to open pdf documents inside Tor Browser?
Re: [tor-talk] pdf with tor
You asked the wrong question, so you got the wrong answer.

mtsio:
> If you go to Preferences > Applications > Portable Document Format there is the option 'Preview in Tor Browser' that opens the PDF without opening an external application. What's the problem with that?

Speak Freely:
> Generally, no, but that hasn't stopped me depending on the source.
>
> I usually take one of two approaches, depending on the intention.
>
> http://view.samurajdata.se/
>
> You can point an online pdf document on this site, and it will load it for you, without using a plugin.
>
> Or, download the pdf yourself, get off Tor, and open the pdf in a sandboxed environment.
>
> Matt
> Speak Freely
Re: [tor-talk] pdf with tor
mtsio writes:
> If you go to Preferences > Applications > Portable Document Format there is the option 'Preview in Tor Browser' that opens the PDF without opening an external application. What's the problem with that?

There are two kinds of risks that lead to the suggestion not to view documents like PDFs inside your Tor Browser (or even not on the same machine) -- exploits and IP address leaks.

The first risk is that sometimes there are software bugs in application and viewer software that would allow someone who knew about the bugs to take over your computer by constructing an invalid input file that exploits the bug and then getting you to render the file. So in that case, someone could, for example, make an invalid PDF that exploits a bug in the PDF renderer in your browser, and get you to view it somehow, and then take over the browser.

The other is that many formats can cause software to make Internet requests (for example, it's possible to embed image links in a Word document so that a Word viewer will go and download those images). Here, the concern is that if the software makes some kind of network request when displaying the document, whoever is on the other end may see that request coming directly over the Internet -- not via Tor -- and connect the request with your Tor activity.

So, some cautious Tor users advise copying all downloaded files onto a different computer that's not connected to the Internet, or at least inside of a virtual machine with no direct Internet access, and viewing them there.

I don't know of specific cases in which people have deliberately used these approaches to identify anonymous Tor users, but it's something that's been discussed, and there _is_ a high rate of malware and tracking links hidden inside e-mail attachments. I liked the anecdote (which I've seen in a few places) that Tibetan Buddhists who've received a lot of malware are now practicing a new non-attachment principle.

https://www.yahoo.com/tech/hit-by-cyberattacks-tibetan-monks-learn-to-be-wary-of-102361885314.html

-- 
Seth Schoen  sch...@eff.org
Senior Staff Technologist  https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109  +1 415 436 9333 x107
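The second risk Seth describes (a document that makes the viewer fetch something over the network) can be checked for before the file is opened anywhere. The following is an added example, not code from the thread or from any Tor project: a static triage pass over a PDF's bytes that looks for the action names that reach out or execute (/URI, /GoToR, /SubmitForm, /Launch, /JavaScript) and the dictionaries that fire them without a click (/OpenAction, /AA), inflating FlateDecode streams so that actions hidden in compressed object streams are not missed. The two sample PDFs are constructed for the example, and the verdict strings are my own.

```python
import re
import zlib

# PDF action/name objects that make a viewer fetch a remote resource or run
# code; the descriptions are my own summaries of the PDF action types.
RISKY_NAMES = {"/URI": "opens a remote URL", "/GoToR": "opens a remote document",
               "/SubmitForm": "posts form data to a URL",
               "/Launch": "starts an external program", "/JavaScript": "runs script"}
# Dictionaries that fire an action with no click from the reader.
AUTO_TRIGGERS = ("/OpenAction", "/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def _inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every deflate stream, so names
    hidden inside compressed object streams are visible to the byte scan."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates the EOL after the stream (unused_data)
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not deflate data (image, other filter): nothing to expand
    return data + b"\n".join(extra)


def _count_name(name: str, data: bytes) -> int:
    # A name token ends at whitespace or a delimiter, so /URI must not match /URIx.
    return len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", data))


def triage_pdf(data: bytes, inflate: bool = True) -> dict:
    """Static triage of one PDF: which network/code triggers it carries, which
    URLs it names, and whether it should only be opened on an offline machine."""
    scan = _inflate_streams(data) if inflate else data
    found = {n: _count_name(n, scan) for n in RISKY_NAMES if _count_name(n, scan)}
    auto = [n for n in AUTO_TRIGGERS if _count_name(n, scan)]
    urls = sorted({m.group(1).decode("latin-1") for m in URI_RE.finditer(scan)})
    verdict = "open offline only" if (found or auto) else "no network or code triggers found"
    return {"risky_names": found, "auto_triggers": auto, "urls": urls, "verdict": verdict}


# Constructed samples, not real documents. PLAIN_BEACON fetches a remote URL as
# soon as it is opened; COMPRESSED_BEACON hides the catalog and the same action
# in a FlateDecode object stream, which a scan of the raw bytes alone misses.
URL = b"http://beacon.example/p.png"
PLAIN_BEACON = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    + b"4 0 obj << /S /URI /URI (" + URL + b") >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
_HIDDEN = zlib.compress(b"1 0 << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\n"
                        + b"4 0 << /S /URI /URI (" + URL + b") >>")
COMPRESSED_BEACON = (
    b"%PDF-1.5\n5 0 obj << /Type /ObjStm /N 2 /Filter /FlateDecode /Length "
    + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

A clean verdict from a byte scan is only evidence, not proof: filters other than FlateDecode and encrypted documents are not expanded here, which is one more reason to keep the offline-viewing habit the thread recommends.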
Re: [tor-talk] pdf with tor
mtsio:
> If you go to Preferences > Applications > Portable Document Format there is the option 'Preview in Tor Browser' that opens the PDF without opening an external application. What's the problem with that?

Well, Mozilla announced a secadv for pdf.js recently, so there's that.

https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
[tor-talk] Fwd: Re: Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!)
(reposting again because I still wasn't subscribed to tor-talk)

On 03.07.2015 at 22:01, grarpamp wrote:
>> One of the features that my modifications enable is performing port scanning behind proxies. I only scanned it using the SOCKS4 server built into Tor
>>
>> ./nmap -sT --proxy socks4://localhost:9050 scanme.nmap.org
>>
>> Please do note that even though port scanning within Tor is possible, you cannot scan .onion names due to lack of SOCKS4A support.
>
> SOCKS4 and SOCKS4A are old and deprecated and should not be implemented (unless you're also implementing the current SOCKS5 and adding in 4/4A as a bonus). Tor supports SOCKS5 (and the deprecated 4/4A but it will complain). So scanning onions and anything else by name should be possible. SOCKS5 also supports IPv6 which is becoming the way of things. Therefore, implement SOCKS5 :)

I think that SOCKS5 support within the Nsock library (on which my modification depends) is planned. SOCKS5 also supports UDP, so it could bring even more benefits. For now, SOCKS4 has to do though.
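The point grarpamp and d33tah are trading here is a wire-format one: SOCKS4 has a fixed 4-byte IPv4 field and nothing else, SOCKS4A adds a hostname after it, and SOCKS5 carries a length-prefixed name or an IPv6 address. The encoders below are an added example written for this thread, not Nmap or Nsock code; the function names are mine and example.onion is a placeholder, not a real service.

```python
import ipaddress
import struct

# Encoders for the CONNECT request of each SOCKS dialect named in the thread.
# Layouts follow the SOCKS4/SOCKS4A protocol notes and RFC 1928 (SOCKS5); the
# function names are mine, and example.onion is a placeholder, not a service.

def socks4_connect(addr: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. DSTIP is a 4-byte IPv4
    literal and nothing else, so an onion name cannot be put on the wire; the
    client would have to resolve it first, which no DNS can do for .onion."""
    ip = ipaddress.ip_address(addr)          # raises ValueError for a hostname
    if ip.version != 4:
        raise ValueError("SOCKS4 carries only an IPv4 literal, got %r" % addr)
    return struct.pack("!BBH4s", 4, 1, port, ip.packed) + userid + b"\x00"

def socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4A: DSTIP is 0.0.0.x with x != 0, which tells the proxy that a
    NUL-terminated hostname follows USERID; the proxy resolves the name."""
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + host.encode("ascii") + b"\x00")

def socks5_greeting() -> bytes:
    """Method negotiation that precedes the request: one method, 0 = no auth."""
    return b"\x05\x01\x00"

def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5: VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT. ATYP 1 is IPv4,
    4 is IPv6 and 3 is a length-prefixed domain name that the proxy resolves,
    which is what lets Tor map a .onion name to a rendezvous."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, dst = (1 if ip.version == 4 else 4), ip.packed
    except ValueError:                        # not a literal: send the name
        name = host.encode("ascii")
        if not 0 < len(name) < 256:
            raise ValueError("SOCKS5 domain names must be 1..255 bytes long")
        atyp, dst = 3, bytes([len(name)]) + name
    return struct.pack("!BBBB", 5, 1, 0, atyp) + dst + struct.pack("!H", port)
```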
Re: [tor-talk] pdf with tor
On 07/03/2015 02:36 PM, Lars Luthman wrote:
> On Fri, 2015-07-03 at 14:30 -0600, Mirimir wrote:
>> On 07/03/2015 02:16 PM, mtsio wrote:
>>> Hello everyone,
>>>
>>> Is it safe to open pdf documents inside Tor Browser?
>>
>> As others have said, it is NOT safe to do that, because PDFs can bypass Tor. However, it IS safe to open PDFs in Whonix, because all Internet-bound traffic either uses Tor, or is black-holed.
>
> Can PDF.js bypass Tor? How? I thought it used the same networking code and proxy settings as the rest of Firefox.

Maybe so. But without firewall rules, there's risk. There's also risk of downloading the PDF, and opening it with another app.
Re: [tor-talk] pdf with tor
On 07/03/2015 02:16 PM, mtsio wrote:
> Hello everyone,
>
> Is it safe to open pdf documents inside Tor Browser?

As others have said, it is NOT safe to do that, because PDFs can bypass Tor. However, it IS safe to open PDFs in Whonix, because all Internet-bound traffic either uses Tor, or is black-holed.
Re: [tor-talk] pdf with tor
On Fri, 2015-07-03 at 14:30 -0600, Mirimir wrote:
> On 07/03/2015 02:16 PM, mtsio wrote:
>> Hello everyone,
>>
>> Is it safe to open pdf documents inside Tor Browser?
>
> As others have said, it is NOT safe to do that, because PDFs can bypass Tor. However, it IS safe to open PDFs in Whonix, because all Internet-bound traffic either uses Tor, or is black-holed.

Can PDF.js bypass Tor? How? I thought it used the same networking code and proxy settings as the rest of Firefox.

--ll
Re: [tor-talk] help needed to stress-test an onionbalanced HS - everyone is invited
On Thu, Jul 02, 2015 at 11:10:03PM +0200, Frédéric CORNU wrote:
> running : watch -n 20 wget -O /dev/null http://eujuuws2nacz4xw4.onion/

I should point out that this approach should do one rendezvous with the onion service, and then re-use that circuit for each following request, until the circuit fails at which point it builds one more and repeats. While normal Tor circuits expire 10 minutes after the activity started, circuits to onion services expire after 10 minutes of inactivity. We chose that difference because the rendezvous process is so expensive relative to normal Tor circuits.

A better approach here would be to flush the circuits and hidden service descriptor between fetches -- the onionperf tools that various folks are working on have code for this I think. But it would indeed be more complex than what you are doing here. :)

--Roger
Re: [tor-talk] help needed to stress-test an onionbalanced HS - everyone is invited
On 03/07/2015 10:56, Roger Dingledine wrote:
> On Thu, Jul 02, 2015 at 11:10:03PM +0200, Frédéric CORNU wrote:
>> running : watch -n 20 wget -O /dev/null http://eujuuws2nacz4xw4.onion/
>
> I should point out that this approach should do one rendezvous with the onion service, and then re-use that circuit for each following request, until the circuit fails at which point it builds one more and repeats. While normal Tor circuits expire 10 minutes after the activity started, circuits to onion services expire after 10 minutes of inactivity. We chose that difference because the rendezvous process is so expensive relative to normal Tor circuits.
>
> A better approach here would be to flush the circuits and hidden service descriptor between fetches -- the onionperf tools that various folks are working on have code for this I think. But it would indeed be more complex than what you are doing here. :)
>
> --Roger

Hi,

I'm not very familiar with the server-side aspect of HS. Maybe s7r can give us details about how OnionBalance works, related to incoming circuits. So we can tell which one of the approaches you describe is best for his tests.

Cheers

-- 
Frédéric CORNU
http://wardsback.org
Re: [tor-talk] help needed to stress-test an onionbalanced HS - everyone is invited
Hello Roger,

I also gave some thought to making this test as effective as possible. I thought about HUPing the TOR process every 20 minutes. Do you think this will help?

~Josef

On 03.07.2015 at 10:56, Roger Dingledine wrote:
> On Thu, Jul 02, 2015 at 11:10:03PM +0200, Frédéric CORNU wrote:
>> running : watch -n 20 wget -O /dev/null http://eujuuws2nacz4xw4.onion/
>
> I should point out that this approach should do one rendezvous with the onion service, and then re-use that circuit for each following request, until the circuit fails at which point it builds one more and repeats. While normal Tor circuits expire 10 minutes after the activity started, circuits to onion services expire after 10 minutes of inactivity. We chose that difference because the rendezvous process is so expensive relative to normal Tor circuits.
>
> A better approach here would be to flush the circuits and hidden service descriptor between fetches -- the onionperf tools that various folks are working on have code for this I think. But it would indeed be more complex than what you are doing here. :)
>
> --Roger
Re: [tor-talk] help needed to stress-test an onionbalanced HS - everyone is invited
OnionBalance doesn't modify the rendezvous spec. Basically it just uses the HSDir system to publish descriptors signed with the master key containing introduction points to the failback servers. When you connect to http://eujuuws2nacz4xw4.onion/ you are in fact connecting to another hidden service, one of the failback servers. OnionBalance doesn't modify how Tor builds and handles circuits.

I think there is a controlport command to drop all existing circuits (similar to New Identity in Torbutton).

On 7/3/2015 12:08 PM, Frédéric CORNU wrote:
> On 03/07/2015 10:56, Roger Dingledine wrote:
>> On Thu, Jul 02, 2015 at 11:10:03PM +0200, Frédéric CORNU wrote:
>>> running : watch -n 20 wget -O /dev/null http://eujuuws2nacz4xw4.onion/
>>
>> I should point out that this approach should do one rendezvous with the onion service, and then re-use that circuit for each following request, until the circuit fails at which point it builds one more and repeats. While normal Tor circuits expire 10 minutes after the activity started, circuits to onion services expire after 10 minutes of inactivity. We chose that difference because the rendezvous process is so expensive relative to normal Tor circuits.
>>
>> A better approach here would be to flush the circuits and hidden service descriptor between fetches -- the onionperf tools that various folks are working on have code for this I think. But it would indeed be more complex than what you are doing here. :)
>>
>> --Roger
>
> Hi,
>
> I'm not very familiar with the server-side aspect of HS. Maybe s7r can give us details about how OnionBalance works, related to incoming circuits. So we can tell which one of the approaches you describe is best for his tests.
>
> Cheers
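Roger's suggestion of flushing circuits and the descriptor between fetches, and the control-port command s7r recalls, meet in Tor's SIGNAL NEWNYM. The following is an added example written for this thread (not onionperf, not Tor project code): a minimal control-port client that authenticates with the cookie file and asks for clean circuits before each fetch, so that every request pays the rendezvous cost instead of riding the circuit that `watch ... wget` keeps alive. ControlPort 9051, the cookie path, the curl command and the placeholder onion URL are assumptions about the local setup.

```python
import socket
import subprocess
import time

# Assumed local setup (not from the thread): torrc has ControlPort 9051 and
# CookieAuthentication 1, the SOCKS port is 9050, and curl is installed.
CONTROL_ADDR = ("127.0.0.1", 9051)
COOKIE_PATH = "/var/lib/tor/control_auth_cookie"  # path differs per distribution
TARGET = "http://PLACEHOLDER-ONION-ADDRESS.onion/"  # the service under test

def read_reply(rfile) -> list:
    """One control-port reply: '250-text' lines continue, '250 OK' (a space
    after the three-digit code) is the final line."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("control port closed the connection")
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] == " ":
            return lines

def send_command(rfile, wfile, command: str) -> list:
    """Send one command and return its reply; any non-2xx status is an error."""
    wfile.write(command.encode("ascii") + b"\r\n")
    wfile.flush()
    reply = read_reply(rfile)
    if not reply[-1].startswith("2"):
        raise RuntimeError("%s -> %s" % (command, reply[-1]))
    return reply

def authenticate_with_cookie(rfile, wfile, cookie: bytes) -> list:
    """Cookie auth: the raw bytes of the cookie file, hex-encoded."""
    return send_command(rfile, wfile, "AUTHENTICATE " + cookie.hex())

def new_identity(rfile, wfile) -> list:
    """SIGNAL NEWNYM: Tor switches new requests to clean circuits and purges its
    client-side onion service state, so the next fetch repeats the descriptor
    lookup and the rendezvous instead of reusing the existing circuit."""
    return send_command(rfile, wfile, "SIGNAL NEWNYM")

def fetch_with_fresh_circuits(fetch, rounds: int, interval: float, rfile, wfile) -> int:
    """Call fetch() `rounds` times, requesting clean circuits before each call;
    returns how many rounds completed (an error reply raises instead)."""
    done = 0
    for _ in range(rounds):
        new_identity(rfile, wfile)
        fetch()
        done += 1
        time.sleep(interval)
    return done

def curl_fetch():
    """One request through Tor's SOCKS port; --socks5-hostname lets Tor resolve the name."""
    subprocess.run(["curl", "-s", "-o", "/dev/null", "--socks5-hostname",
                    "127.0.0.1:9050", TARGET], check=False)

if __name__ == "__main__":
    sock = socket.create_connection(CONTROL_ADDR)
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    with open(COOKIE_PATH, "rb") as f:
        authenticate_with_cookie(rfile, wfile, f.read())
    print(fetch_with_fresh_circuits(curl_fetch, 3, 20, rfile, wfile))
```

Tor rate-limits NEWNYM to one signal every 10 seconds and defers faster ones, so an interval below that only queues requests; the 20 seconds used in the thread is fine.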