tor... all the things

DESCRIPTION

The global Tor network and its routing protocols provide an excellent framework for online anonymity. However, the selection of Tor-friendly software for Windows is sub-par at best. Want to anonymously browse the web? You’re stuck with Firefox, and don’t even think about trying to anonymously use Flash. Want to dynamically analyze malware without letting the C2 server know your home IP address? You’re outta luck. Want to anonymously use any program that doesn’t natively support SOCKS or HTTP proxying? Not gonna happen. While some solutions currently exist for generically rerouting traffic through Tor, these solutions either don’t support Windows, or can be circumvented by malware, or require an additional network gateway device.

Missed the live session at Black Hat USA 2013? Check out the slides from Jason Geffner's standing room only presentation! Jason released a free new CrowdStrike community tool to securely, anonymously, and transparently route all TCP/IP and DNS traffic through Tor, regardless of the client software, and without relying on VPNs or additional hardware or virtual machines.

TRANSCRIPT
TOR… ALL THE THINGS!
Jason Geffner
Sr. Security Researcher
CrowdStrike, Inc.
Black Hat USA 2013
Step 1: Tor client obtains a list of Tor nodes from a Tor directory server
Step 2: Tor client picks a random path to a destination server
Step 3: Tor client picks another random path to connect to a different destination server
Tor Browser Bundle
• Tor
  • Runs a SOCKS server listening on TCP port 9050
  • SOCKS server routes traffic through global Tor network
• Modified Firefox ESR
  • Routes all web traffic through Tor’s local SOCKS server
  • Disables Flash and all other plugins to deter identity leakage
Problems with Tor Browser Bundle
• Firefox only
  • No other browsers natively supported
  • No plugins allowed
• SOCKS server
  • Most software does not support TCP proxying via SOCKS
  • Even software that does support TCP proxying via SOCKS usually doesn’t support DNS proxying via SOCKS
Ideal Tor Solution
1. Transparently route all TCP and DNS traffic through Tor
2. Do not allow any network traffic onto the Internet unless it goes through Tor
3. Do not require typical user to install an unfamiliar OS
4. Do not allow malware to circumvent Tor tunnel and communicate directly with the Internet
5. Do not require extra hardware or extra VMs
Existing Non-Ideal Solutions
• Hardware-Based Transparent Proxy
  • Solutions such as Onion Pi and P.O.R.T.A.L. require additional hardware
  • Malware could connect to a different WiFi network and circumvent Tor tunnel
• Software-Based Transparent Proxy
  • Tor does not support transparent proxying on Windows since it’s implemented via /dev/pf
  • Requires non-Windows OS on a host system or additional VM such as Whonix
  • Tails - Debian-based non-Windows OS
  • Torcap - Malware can circumvent Winsock hooks
Networked applications are run in a VM so that malicious code can’t circumvent the Tor tunnel to the Internet and can’t discover identifying information on the host system
Tortilla is VM-platform agnostic and guest-OS agnostic
Tortilla installs a virtual network device & corresponding NDIS miniport driver, and disables all network component bindings except for that of the Virtual Network Bridge
User configures VM platform to bridge the VM’s virtual network card to the Tortilla adapter
Tortilla Client receives all Layer 2 network traffic from the VM’s virtual network card
Basic DHCP server and ARP responder give the VM an IP address
DNS server parses DNS queries, requests lookups via Tor and sends responses to VM
Open-source Lightweight IP stack proxies TCP sessions between VM and Tor
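The two slides above, together with the earlier point that most SOCKS-capable software still resolves DNS locally, come down to how the SOCKS5 request is formed. The following C is an added example, not Tortilla's or Tor's own code: it builds a SOCKS5 request that carries the hostname itself (ATYP 0x03) so the Tor client does the lookup, builds Tor's RESOLVE request (command 0xF0, a Tor SOCKS extension) of the kind a DNS proxy would send, parses the reply in which Tor returns the resolved address in BND.ADDR, and flags requests that already contain a literal IP address, which is the sign that the application resolved the name on the host before proxying. The sample reply bytes are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* SOCKS5 command codes: CONNECT is standard (RFC 1928); RESOLVE (0xF0) is
   Tor's SOCKS extension for name lookups through the Tor network. */
#define SOCKS5_CMD_CONNECT      0x01
#define TOR_SOCKS5_CMD_RESOLVE  0xF0
#define SOCKS5_ATYP_IPV4        0x01
#define SOCKS5_ATYP_DOMAIN      0x03
#define SOCKS5_ATYP_IPV6        0x04

/* Build a SOCKS5 request that carries the hostname (ATYP 0x03), so the proxy,
   not the local resolver, performs the lookup. Returns bytes written, 0 on error. */
size_t socks5_build_request(uint8_t *out, size_t cap, uint8_t cmd,
                            const char *host, uint16_t port)
{
    size_t hlen = strlen(host);
    if (hlen == 0 || hlen > 255 || cap < 7 + hlen) return 0;
    out[0] = 0x05;                  /* VER  */
    out[1] = cmd;                   /* CMD  */
    out[2] = 0x00;                  /* RSV  */
    out[3] = SOCKS5_ATYP_DOMAIN;    /* ATYP: length-prefixed name, no NUL */
    out[4] = (uint8_t)hlen;
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xFF);
    return 7 + hlen;
}

struct socks5_reply {
    uint8_t  rep;        /* 0x00 = succeeded, otherwise a SOCKS5 error code */
    uint8_t  atyp;
    uint8_t  addr[16];   /* BND.ADDR; for RESOLVE this is the resolved address */
    size_t   addr_len;   /* 4 (IPv4) or 16 (IPv6) */
    uint16_t port;
};

/* Parse a SOCKS5 reply. Returns 0 on a well-formed reply (check r->rep for the
   status), -1 if the bytes are truncated or malformed. */
int socks5_parse_reply(const uint8_t *in, size_t len, struct socks5_reply *r)
{
    if (len < 4 || in[0] != 0x05 || in[2] != 0x00) return -1;
    r->rep  = in[1];
    r->atyp = in[3];
    size_t alen;
    if (r->atyp == SOCKS5_ATYP_IPV4)      alen = 4;
    else if (r->atyp == SOCKS5_ATYP_IPV6) alen = 16;
    else return -1;   /* a domain-name BND.ADDR is not needed for CONNECT/RESOLVE here */
    if (len < 4 + alen + 2) return -1;
    memcpy(r->addr, in + 4, alen);
    r->addr_len = alen;
    r->port = (uint16_t)((in[4 + alen] << 8) | in[5 + alen]);
    return 0;
}

/* Returns 1 if a SOCKS5 request carries a literal IP address, meaning the
   application resolved the name on the host before proxying (the DNS leak the
   slides describe) or the user typed a literal address; 0 if it carries a
   hostname; -1 if malformed. */
int socks5_request_resolved_locally(const uint8_t *req, size_t len)
{
    if (len < 5 || req[0] != 0x05) return -1;
    switch (req[3]) {
    case SOCKS5_ATYP_IPV4:
    case SOCKS5_ATYP_IPV6:   return 1;
    case SOCKS5_ATYP_DOMAIN: return 0;
    default:                 return -1;
    }
}
```

A transparent proxy like the one described on these slides sits in front of applications that never see the SOCKS layer at all; the check in `socks5_request_resolved_locally` is the kind of test a defender can apply when vetting a SOCKS-aware application on its own, before trusting it with an anonymity requirement.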
No packets from the VM ever touch the host’s actual network driver
Tortilla is open-source and supports 32-bit and 64-bit Windows host systems
Installation and Usage
• Tortilla ships as a single executable – Tortilla.exe
• When Tortilla.exe is executed on host system:
  • Extracts default Tortilla.ini file if not already on disk
  • Extracts 32-bit or 64-bit driver, depending on host OS
  • Extracts and executes driver installer
    • Installs Tortilla device and driver if not already installed
    • Disables all of the device’s network component bindings except for that of the Virtual Network Bridge
Installation and Usage
• When Tortilla.exe is executed on host system:
  • Establishes secure communication channel between Tortilla client and driver
  • Begins listening for Layer 2 packets from VM
  • Acts on DHCP, ARP, DNS, and TCP packets, and drops everything else
  • Optionally stores all traffic to and from VM in a PCAP file on host
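The "acts on DHCP, ARP, DNS, and TCP, and drops everything else" rule is what keeps the tunnel fail-closed: anything the client cannot carry over Tor (ICMP, IPv6, UDP other than DHCP and DNS, fragments) is discarded rather than forwarded. The following C is an added example of that classification step, not Tortilla's own code: it parses the Ethernet and IPv4 headers of a frame received from the VM and returns which handler should see it, defaulting to DROP for anything unrecognised or truncated. It assumes the VM's DHCP traffic is the usual client-to-server UDP 68 to 67 exchange and that DNS is UDP port 53; the sample frames are constructed by a small builder, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Which handler, if any, should receive a Layer 2 frame from the VM. */
enum frame_class { DROP = 0, HANDLE_ARP, HANDLE_DHCP, HANDLE_DNS, HANDLE_TCP };

#define ETH_HDR_LEN     14
#define ETHERTYPE_ARP   0x0806
#define ETHERTYPE_IPV4  0x0800
#define PROTO_TCP       6
#define PROTO_UDP       17

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one frame. Every path that is not explicitly allowed returns DROP. */
enum frame_class classify_frame(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN) return DROP;
    uint16_t ethertype = be16(frame + 12);
    if (ethertype == ETHERTYPE_ARP)
        return (len >= ETH_HDR_LEN + 28) ? HANDLE_ARP : DROP;   /* Ethernet/IPv4 ARP is 28 bytes */
    if (ethertype != ETHERTYPE_IPV4) return DROP;              /* IPv6, LLDP, anything else */

    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_len = len - ETH_HDR_LEN;
    if (ip_len < 20 || (ip[0] >> 4) != 4) return DROP;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ip_len < ihl) return DROP;
    uint16_t total_len = be16(ip + 2);
    if (total_len < ihl || total_len > ip_len) return DROP;
    if (be16(ip + 6) & 0x3FFF) return DROP;  /* MF flag or fragment offset set: no reassembly */

    uint8_t proto = ip[9];
    const uint8_t *l4 = ip + ihl;
    size_t l4_len = total_len - ihl;
    if (proto == PROTO_TCP)
        return (l4_len >= 20) ? HANDLE_TCP : DROP;
    if (proto == PROTO_UDP) {
        if (l4_len < 8) return DROP;
        uint16_t sport = be16(l4), dport = be16(l4 + 2);
        if (sport == 68 && dport == 67) return HANDLE_DHCP;    /* DHCP client -> server */
        if (dport == 53) return HANDLE_DNS;
        return DROP;   /* other UDP (NTP, QUIC, ...) cannot be carried over the TCP-only tunnel */
    }
    return DROP;       /* ICMP, GRE, ... */
}

/* Constructed sample frame: minimal Ethernet + IPv4 (IHL 5) + 8- or 20-byte L4 header,
   all other fields zero. Returns the frame length. */
size_t build_ipv4_frame(uint8_t *out, uint8_t proto, uint16_t sport, uint16_t dport)
{
    size_t l4_len = (proto == PROTO_TCP) ? 20 : 8;
    size_t total = 20 + l4_len;
    memset(out, 0, ETH_HDR_LEN + total);
    out[12] = 0x08; out[13] = 0x00;                 /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HDR_LEN;
    ip[0] = 0x45;                                   /* version 4, IHL 5 */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = proto;                      /* TTL, protocol */
    uint8_t *l4 = ip + 20;
    l4[0] = (uint8_t)(sport >> 8); l4[1] = (uint8_t)sport;
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    return ETH_HDR_LEN + total;
}

/* Convenience wrappers: build a constructed frame and classify it. */
enum frame_class classify_synthetic(uint8_t proto, uint16_t sport, uint16_t dport)
{
    uint8_t frame[64];
    size_t n = build_ipv4_frame(frame, proto, sport, dport);
    return classify_frame(frame, n);
}

enum frame_class classify_synthetic_ethertype(uint16_t ethertype)
{
    uint8_t frame[64];                               /* 64 zero bytes: room for a full ARP packet */
    memset(frame, 0, sizeof frame);
    frame[12] = (uint8_t)(ethertype >> 8); frame[13] = (uint8_t)ethertype;
    return classify_frame(frame, sizeof frame);
}
```

Dropping fragments and unknown EtherTypes outright is a deliberate trade-off: a guest that sends them loses that traffic, but nothing leaves the host by a path the Tor client cannot see.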
Complete Failsafe Functionality
• User can run Tor before or after starting Tortilla.exe
• User can run VM before or after starting Tortilla.exe
• User can configure VM platform’s Virtual Network Bridge before or after starting Tortilla.exe (though Tortilla device must already be installed)
Minimal System Footprint
• No registry modifications (aside from Tortilla device and driver installation)
• No file system modifications (aside from Tortilla.ini and installed Tortilla driver)
• Can be uninstalled by just deleting Tortilla.exe and Tortilla.ini, and uninstalling Tortilla Adapter from Device Manager
Demo
Free and Open-Source
You can download Tortilla right now!
http://www.crowdstrike.com/community-tools
Summary
• Tortilla is a free and open-source solution for Windows that transparently routes all TCP and DNS traffic through Tor
• Tortilla does not allow any network traffic onto the Internet unless it goes through Tor
• Tortilla does not require extra hardware or extra VMs
• The Tortilla platform does not allow malware to circumvent the Tor tunnel to communicate directly with the Internet
Q & A
Special Thanks
• John Costello
• Cameron Gutman
• Alex Ionescu
• Sven Krasser
• Dan Kurc
• Kyle Larsen
• Aaron Putnam
@CrowdStrike