Topic: Tor detection project (Read 2252 times)
polonus
Avast Überevangelist
Probably Bot
Posts: 34051
malware fighter
Tor detection project « on: July 29, 2014, 02:57:42 PM »
Interesting to find and block Tor malnodes:
http://sla.ckers.org/forum/read.php?12,2984
&
https://www.dan.me.uk/tornodes
some links:
http://proxy.org/tor.shtml
& via
https://www.google.nl/search?q=tor+ip+list&rlz=1C1CHNQ_nlNL595NL595&oq=tor+ip+list&aqs=chrome..69i57j69i60.4413j0j7&sourceid=chrome&es_sm=122&ie=UTF-8
Check on some example node: htxp://dynamicip-176-212-13-30.pppoe.kirov.ertelecom.ru/
see:
http://toolbar.netcraft.com/site_report?url=http://dynamicip-176-212-13-30.pppoe.kirov.ertelecom.ru
http://myip.ms/view/dns/307877/ns8.ertelecom.ru
&
http://dnscheck.pingdom.com/?domain=ertelecom.ru
Tor nodes can be determined further by the certs and validity thereof, normally one year.
Wireshark may detect these using tshark:
tshark -r tor_traffic.cap -T fields -R "ssl.handshake.certificate" -e x509af.utcTime -e x509sat.printableString
Use a script to check the cert lifetime (1 year, start: today) and the structure of the cert names (more or less random).
The Tor port has to be added to the SSL properties. Info credits: Kurt Knochner on the Wireshark FAQ.
polonus
Tor node check example:
% Checking IP: 100.37.110.51
%
Status: ACK
Exit-Node: NAK
% TOR-Name: Unnamed
% TOR-Onion-Port: 9002
% TOR-Directory-Port: 9031
% TOR-Flags: Fast Guard HSDir Running Stable V2Dir Valid
% TOR-Exit-Node: NAK
% TOR-Version: Tor 0.2.4.22
% TOR-Full-Version: Tor 0.2.4.22 on Linux
% TOR-Uptime: 1143018
% TOR-Bandwidth-Average-Bytes: 1572864
% TOR-Bandwidth-Burst-Bytes: 3145728
% TOR-Bandwidth-Estimated-Bytes: 1920906
% TOR-Contact:
%
mapping example:
http://82.94.251.203/tor/server/all
D
« Last Edit: July 29, 2014, 06:02:23 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
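The cert-lifetime and cert-name check mentioned in the post above, as an added example that is not part of the original post and not the script credited there. It assumes each tshark output line is "notBefore,notAfter<TAB>issuer name,subject name", that utcTime prints with a 2- or 4-digit year, and that a "more or less random" name looks like www.<8-20 base32 characters>.com or .net; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of tshark field output (not from a real capture).
# Assumed layout: "<notBefore>,<notAfter>\t<issuer name>,<subject name>"
SAMPLE = (
    "14-07-29 00:00:00 (UTC),15-07-29 00:00:00 (UTC)\twww.s4ku5skci7dqa.com,www.hxr2gq3vd5lk.net\n"
    "13-01-10 00:00:00 (UTC),16-01-10 23:59:59 (UTC)\tExample Issuing CA,www.example.org\n"
    "14-07-29 00:00:00 (UTC),15-07-29 00:00:00 (UTC)\tExample Issuing CA,shop.example.com\n"
)

# Assumed shape of a "more or less random" name: www.<8-20 base32 chars>.com|.net
RANDOM_NAME = re.compile(r"^www\.[a-z2-7]{8,20}\.(com|net)$")

def parse_time(text):
    """Parse a utcTime field; 4- and 2-digit years are both tried (assumed formats)."""
    text = text.replace("(UTC)", "").strip()
    for fmt in ("%Y-%m-%d %H:%M:%S", "%y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised utcTime: %r" % text)

def score_line(line, capture_day, slack_days=2):
    """Return the heuristics from the post that one certificate line matches."""
    times, names = line.rstrip("\n").split("\t")
    not_before, not_after = [parse_time(t) for t in times.split(",")[:2]]
    hits = []
    if abs((not_after - not_before) - timedelta(days=365)) <= timedelta(days=slack_days):
        hits.append("lifetime~1y")
    if abs(not_before - capture_day) <= timedelta(days=slack_days):
        hits.append("starts-on-capture-day")
    # Every name on the line (issuer and subject) must fit the random pattern.
    if all(RANDOM_NAME.match(n.strip()) for n in names.split(",")):
        hits.append("random-names")
    return hits

def suspicious(lines, capture_day):
    """Yield (line_no, hits) for certificates that match all three heuristics."""
    for no, line in enumerate(lines, 1):
        hits = score_line(line, capture_day) if line.strip() else []
        if len(hits) == 3:
            yield no, hits

if __name__ == "__main__":
    for no, hits in suspicious(SAMPLE.splitlines(), datetime(2014, 7, 29)):
        print("line %d matches the Tor cert heuristics: %s" % (no, ", ".join(hits)))
```

Requiring all three heuristics together keeps an ordinary one-year certificate issued on the capture day (third sample line) from being flagged.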