While catching up on SANS’ Internet Storm Center Storm Cast during my drive, I heard this episode. In it Johannes Ullrich was mentioned this article about using DRM Decloaking TOR users. Short version, users running the Tor Browser Bundle click a link, and Microsoft Windows launches the media player not using the TOR network, exposing the user’s real IP address.
This attack could be mitigated by using TAILS or something else that forces all traffic through TOR. Which made me think I should share all the ways I use TOR.
Manly I use TOR to hide where I’m coming from, when I’m investigating things.
1: The Tor Browser Bundle, on the work network.
This is when I need to do something really fast, and total security / hiding my location isn’t a concern. Normally this is how I’ll track down industry related events. Things like breaches news, ransomware stories, etc. Mainly so the news organizations / blogs don’t see that I’m coming from an origination in the Industry they’re talking about and fueling speculation.
Less data leakage due to dedicated browser for accessing TOR Network
Only requires the TOR Browser Bundle
Need to know how to bypass security permissions to install (Group Polices)
Need to know how to bypass network security to install (bypass filters)
Need to know how to bypass network security to run
2: The Tor Browser Bundle, on the “dirty network”
This one isn’t used much any more. At work, there is a business cable line dropped for a test network. Where we’d run malware, and do other investigation tasks that we didn’t want getting back to the company.
Same as number 1 above
Need second network to use
Need hardware on that network to install TOR on, even if just VM.
Running TAILS on either a VM or from a live boot environment. This is a little more of a pain than it should be to set up. Mainly because of the current set-up method of TAILS, and partly because of the need to upgrade regularly.
Can have a live environment that is harder to have long term compromises to the investigation box.
Everything runs through TOR
Need to be able to bypass network security to run
Need to be able to boot off of Live media
VMs can still be compromised
4: Onion Pi
The Onion Pi is a Raspberry Pi running TOR software, and configured as a wireless access point.
Physical device to connect to the TOR network and be a proxy between you and the rest of the network
Can use any browser, not just the TOR browser
Data leakage from the browser of choice
Having someone spoof the AP’s wireless connection (evil twin attack) to get you to connect to their device instead
Wireless intrusion prevention systems jamming the device’s connection
Having to reconfigure parts of the configuration for every network it is connected to
I first came across this through my Automating Python OSINT class. Originally designed for Qubes OS, it is possible to get images for VirtualBox. This is a 2 part solution. The first VM is the gateway. This connects to the TOR network and acts as a proxy.
The second VM is the user area. It’s similar to TAILS where it is a custom built Linux environment. The VM’s network is set up to only go to the Gateway device.
Both VMs are set up with isolation too, preventing copying and pasting.
Built for use with TOR
Isolation between VMs
Should prevent some data leakage
Both the gateway and the client need to be running
Gateway going down breaks things until it’s reconnected
32 bit only environment breaking some tools
Need to know how to bypass network security
6: Whonix with different VM behind it
This is what I’m currently using on a day to day basis for investigations. It is similar to number 5, where I have the Whonix gateway setup, but I run my own VMs behind the gateway.
Pros and Cons are similar to number 5.
I could also set up a windows VM to run behind the Whonix Gateway.
There are several different ways to run TOR. They all come with their own pros and cons. I currently like running a the VM “Whonix Gateway” with investigative VMs behind it. While this blog post talked about different ways to connect to the TOR network, it didn’t talk about the security practices a user of the TOR network needs to do.
Steps like knowing that in order for TOR to hide a user on the local network lots of people need to be using it. Otherwise the TOR traffic sticks out. Don’t go to sites with normal log ins / daily use accounts. Any site and account accessed through TOR should be specific to JUST TOR.
Even though this started off about not being decloaked by some software, know that nothing is prefect.