Sniffing/MITM Attacks on Tor network

Tor is wonderful tool to ensure your privacy on the Internet ,Tor software is a program that you can run on your computer to helps keep you safe on the Internet.Tor prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. but if you think that this is the only role than you are wrong, since this is just one function of the main purposes of Tor, because another good role of Tor is to create a server and make it available for other users to pass through it.

By installing a sniffer on the server you will be able to see all non encrypted traffic, and you will be able to gather data and sensitive information…

To start you have to get Linux distribution like Backtrack or Ubuntu on a virtual machine it is free and available online. Next download the latest Tor version (currently O.2.1.20). After installing the packages it is better to create a new user on the system trouser: uid=111(toruser) gid=10(wheel) groups=0(wheel),10(wheel). Now Tor use to store the config file .tor in the home directory (/home/toruser) so you need to open this file on the text editor.

In the setting we customize the following:

ControlPort – this is the port used for the remote management of Tor server. Most use the value of 9051.

DirPort – Advertise the directory service on this port. The value is 9030.

ControlPort 9051
DirPort 9030

ExitPolicy – determines what traffic we will receive and forward. By default the policy is as follows:

reject *: 25 , reject *: 119 ,reject * :135-139 , reject *: 445, reject *: 563, reject *: 1214
reject * :4661-4666 ,reject * :6346-6429 ,reject *: 6699 ,reject * :6881-6999 ,accept *: *

here we need to choose the services that we need to receive on our Node and forward (HTTP,HTTPS,POP3,IMAP,IMAPS, POP3S) .so it will be as follows:


accept *: 80, accept *: 443, accept *: 110, accept *: 143,accept *: 993, accept *: 995, reject *: *

HashedControlPassword – this to configure the password for remote Tor server configuration and to not allow a malicious user control the server.

Nickname – the server name.

ORPort – port to connect with other nodes 9001.

SocksListenAddress – this will be the localhost (

Save the changes and close the file. Now the server is ready to lunch:

$ Tor-f /home/toruser/.tor/torrc

You will take approximately 20 minutes to check the system and ports. Than you can go to and you will find our server among other server names.

So Excellent our server is working and it’s time to choose the favorite sniffer Wireshark , Wireshark is already exists in the Backtrack4 select the interface and enable packets capturing. Wireshark will give you all non encrypted traffic like website browsing and other HTTP navigation while it’s in clear. Not bad so far.

Now what about the encrypted traffic, here it’s time to use SSLStrip to get it you go to the official Moxie Marlinspike website and download the last version there is already an update released 2 days ago.

Run the command:

$ Python 8080-w today.log

If we are not the last node the traffic will be transmitted in an encrypted form so to decrypt this traffic before it goes to the final destination we need to pass it over the sslstrip by adding this rule to iptable:

$ Iptables-t nat-I OUTPUT-p tcp-m owner-uid-owner 111 – dport 80-j DNAT – to-destination

This will make all outdoing HTTP-traffic from user toruser pass through sslstrip automatically, and at this point we need just to wait till that we collect some logs and check the log file.

On next post we will explain the way to perform scanning for Blackbox peneteration testing behind a Tor Proxy.

It is important to note that all programs are used just for educational purposes.

make sure you subscribe to my RSS feed!