Using TOR for anonymous Blackbox Penetration Testing

TOR is not only used for protecting your constitutional rights to privacy and freedom.

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens constitutional personal freedom and privacy, private confidential business activities, relationships, and security. TOR allows users to send traffic through its network, thus making your Internet traffic appear to come from a Tor exit node, not your real IP. How can a Blackbox Penetration Tester utilize this network to conduct his or her Test? Here are some of my high-level thoughts.

Sometimes when conducting Blackbox Web Presence Penetration Tests for a client, they may request that your test be totally dark, meaning that the client will not want to know where your attacks will originate. This will test not only their perimeter defenses but also their internal procedures. I myself like these types of Penetration Tests overall. This type of test will allow you to utilize many tools but at the same time limit the legitimate locations from which to conduct tests. If you work for a larger firm, your company may have a dedicated Testing network about which no information is released to the client, and you can conduct your test from that point. If you are a contractor, you may find that your test will have to be conducted from the Client Premises, your Home Office Network or creatively through another anonymous network. But you must still keep in mind that some applications and tools may leak your location through certain network traffic, for example 'DNS' requests and NMAP Pings. How can you mitigate this potential hazard?

This is a situation where the TOR network can come in handy. It is no trivial task attempting to be truly anonymous while conducting active scans of a client's network footprint to gain potential attack targets. During your reconnaissance phase you attempt to be as silent and non-intrusive as possible and of course, this will all depend on the time which you have to accomplish your goals. Let's say you opt to use your Home Office: you will have to mitigate the leaky DNS requests that are not sent via TOR, as you do not want your real location being revealed and do not want the defensive systems of the client blocking your real IP at any time. DNS uses UDP and TCP, UDP for nearly all requests and TCP for forwarding and update information. Now, it must be noted that TOR itself does not utilize UDP, which means DNS requests not specifically resolved through TOR will leak through your local gateway. NMAP will sometimes ping a target before conducting a scan, in which case you need to divert these packets, as they will not go through TOR.

There are a number of ways to perform tests anonymously from your Home Office Network; in this scenario you will need to configure your own locally running DNS Server. You will need to configure the Local DNS server to forward all requests through the TOR network via a TOR client running on the DNS Server or wherever you have it running. Next, configure your Attack Machine to use the Local DNS and not any other ISP or DNS Servers. Set up your browser properly, for example if using Firefox, disable PreFetching (DNSPrefetch=False). You may also manually use the tor command 'tor-resolve' along with a program called torify with your needed application. Remember, your NMAP network scans may be slow due to the 3-Hop nature of the TOR network, but hey, it's the cost of pseudo-anonymity, although there are ways to speed it up. Don't forget to use 'iptables' to BLOCK the ICMP and DNS traffic not going through TOR, and continue to be aware of IPv6 leaks.

Of course, you can combine all this using TOR's built-in Tor-DNS Server, Tortilla, Polipo or Torsocks on your Attack Machine, making it portable. Take it to one of those anonymous networks and work creatively from there.
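As an added example, not from the original post, here is the client-side view of the same setup: because tunnelled traffic reaches the perimeter only from Tor exit-node addresses, a defender can correlate firewall log entries against a Tor exit list and flag the ping-then-SYN-sweep pattern described above. The log lines, IP addresses and exit list below are constructed for illustration; the real exit list is published by the Tor Project and would be fetched and cached separately.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG entries (syslog style); not real traffic.
SAMPLE_LOG = """\
Mar 10 02:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
Mar 10 02:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51022 DPT=22 SYN
Mar 10 02:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51023 DPT=80 SYN
Mar 10 02:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51024 DPT=443 SYN
Mar 10 02:14:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51025 DPT=8080 SYN
Mar 10 02:14:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443 SYN
Mar 10 02:14:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=443 SYN
"""

# Constructed stand-in for the Tor exit-node list (documentation-range IPs only).
TOR_EXITS = {"203.0.113.45"}

# DPT= is absent for ICMP, so the destination-port group is optional.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?")

def parse(log_text):
    """Yield (src, proto, dport) per matching line; dport is None for ICMP."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), m.group("dpt")

def analyze(log_text, tor_exits, port_threshold=3):
    """Per source: Tor-exit origin, distinct ports probed, ICMP echoes, scan flag."""
    ports, icmp = defaultdict(set), defaultdict(int)
    for src, proto, dpt in parse(log_text):
        if proto == "ICMP":
            icmp[src] += 1
        elif dpt is not None:
            ports[src].add(int(dpt))
    report = {}
    for src in set(ports) | set(icmp):
        report[src] = {
            "tor_exit": src in tor_exits,
            "distinct_ports": len(ports[src]),
            "icmp_echo": icmp[src],
            "scan_like": len(ports[src]) >= port_threshold,
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(analyze(SAMPLE_LOG, TOR_EXITS).items()):
        print(src, info)
```

A source that is both a known exit and scan-like is worth an alert on its own, since the exit address says nothing about who is behind it and blocking it is the only perimeter action available.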

Just remember, "with great power comes great responsibility". Have fun testing!


Peace be unto you. Thank you for visiting!