tor2tcp

This is an old revision of the document!


Operating publicly addressable applications out of a hidden service

The easiest way to expose one hidden service only needs two lines of `torrc`:

  TransPort 46.246.28.219:80
  MapAddress 46.246.28.219 duskgytldkxiuqc6.onion

You can easily add more services on top by redirecting ports:

  $ iptables -t nat -A PREROUTING -p tcp -d 46.246.28.219 --dport 25 -j REDIRECT --to-ports 80

And if you want to make sure your ISP won't use the TransPort in the wrong way, you can add the following, just in case:

  $ iptables -A INPUT -i eth0 -p tcp ! -d 46.246.28.219 -j REJECT

Result:

  $ curl -I http://46.246.28.219/
  HTTP/1.1 200 OK
  Server: thttpd/2.25b 29dec2003
  Content-Type: text/html; charset=iso-8859-1
  Date: Fri, 10 May 2013 15:09:45 GMT
  Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
  Accept-Ranges: bytes
  Connection: close
  Content-Length: 389
  $ usewithtor curl -I http://duskgytldkxiuqc6.onion/
  [... warning messages ...]
  HTTP/1.1 200 OK
  Server: thttpd/2.25b 29dec2003
  Content-Type: text/html; charset=iso-8859-1
  Date: Fri, 10 May 2013 15:09:45 GMT
  Last-Modified: Tue, 11 Dec 2007 20:45:42 GMT
  Accept-Ranges: bytes
  Connection: close
  Content-Length: 389

Port 25 also accepts the connection, because we put a redirect in place; but since TransPort cannot connect to ports the hidden service doesn't listen on, the connection is closed shortly afterwards:

  $ telnet 46.246.28.219 25
  Trying 46.246.28.219...
  Connected to 46.246.28.219.
  Escape character is '^]'.
  Connection closed by foreign host.

Otherwise a connection would be refused:

  $ telnet 46.246.28.219 299
  Trying 46.246.28.219...
  telnet: Unable to connect to remote host: Connection refused

This proof of concept is currently implemented on http://poum.niij.org/.
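The torrc and iptables fragments above can be generated and sanity-checked before they are deployed. The following is an added example and not part of the original page: it emits one TransPort/MapAddress pair per public IP (MapAddress binds a whole IP to exactly one onion name, so each additional service needs its own address), the REDIRECT rules for extra ports, and the page's catch-all REJECT rule, and it rejects malformed IPs, ports and onion names. The IP and onion name are the page's own; the function names are this example's.

```python
"""Generate torrc and iptables fragments for exposing onion services via
Tor's TransPort + MapAddress. Added example, not the page's own code."""
import ipaddress
import re

# v2 onion names are 16 base32 characters, v3 names are 56; both are accepted.
_ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def valid_onion(name: str) -> bool:
    """Return True for a syntactically valid v2 or v3 .onion hostname."""
    return bool(_ONION_RE.match(name.lower()))


def build_torrc(mappings: dict, trans_port: int = 80) -> list:
    """One TransPort + MapAddress pair per public IP -> onion mapping."""
    lines = []
    for public_ip, onion in mappings.items():
        ipaddress.ip_address(public_ip)  # raises ValueError on a bad address
        if not valid_onion(onion):
            raise ValueError(f"not an onion hostname: {onion}")
        lines.append(f"TransPort {public_ip}:{trans_port}")
        lines.append(f"MapAddress {public_ip} {onion}")
    return lines


def build_iptables(public_ip: str, extra_ports: list, trans_port: int = 80,
                   iface: str = "eth0") -> list:
    """REDIRECT the extra ports onto the TransPort, then REJECT TCP traffic
    on the interface that is not aimed at the published IP (the page's
    guard against the TransPort being used for other destinations)."""
    ipaddress.ip_address(public_ip)
    rules = []
    for port in extra_ports:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port: {port}")
        rules.append(f"iptables -t nat -A PREROUTING -p tcp -d {public_ip} "
                     f"--dport {port} -j REDIRECT --to-ports {trans_port}")
    rules.append(f"iptables -A INPUT -i {iface} -p tcp ! -d {public_ip} -j REJECT")
    return rules


if __name__ == "__main__":
    cfg = {"46.246.28.219": "duskgytldkxiuqc6.onion"}  # the page's mapping
    print("\n".join(build_torrc(cfg)))
    print("\n".join(build_iptables("46.246.28.219", [25])))
```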

Anonymity

Depending on how you look at it, the machine does not really need to be anonymous towards the rendezvous point, so compiling tor with `--enable-tor2webmode` would speed up the connection process.

SMTP

Exposing SMTP shouldn't be a problem, since it is a very fault-tolerant protocol. Sending, however, is a problem: we do not have an MTA on the machine that is exposing port 25/489/587. We need to tunnel from the hidden service into the box that is acting as our public face: http://stackoverflow.com/questions/392034/ssh-tunnel-for-sendmail

Thanks

To Abel Luck for inspiration, and to ra_ for the session that resulted in the configuration at the top.

tor2tcp.1368466792.txt.gz · Last modified: 2013-05-13 17:39 by m