TorKill – hacking onion sites

Everything is very simple here, first your data goes to the input (security or watchdog) node, then it goes to the intermediate node, and then to the output. Has anyone ever wondered why the Tor logo is an onion? Because to get to us, you first need to remove all layers of encryption. The idea itself arose in 1995 with the support of the US Navy. Then a department of the US Department of Defense joined the development. The Tor network was designed to treat nodes with minimal trust – this is achieved through encryption.

The client encrypts the data so that only the output node can decrypt it. This data is then encrypted again so that only the intermediate node can decrypt it. And then this data is again encrypted so that only the watchdog node can decrypt it.

  • Entry (or guard, or sentry) node – the place where your data enters the Tor network. Moreover, it is not the closest node that is selected, but the most reliable one, so do not be surprised if the ping turns out to be at the level of a couple of hundred milliseconds – this is all for your safety.
  • Intermediate node – created specifically so that with the help of the output node it was impossible to track the input one: the most that can be tracked is just an intermediate node. The host itself is usually a virtual server, so server operators only see encrypted traffic and nothing else.
  • The exit node is the point from where your data is sent to the desired address. Again, the most reliable server should be chosen.

Bridges are nodes that are not publicly available. Users caught behind the wall of censorship can use them to access the Tor network. This list, BridgeDB, only gives users a few bridges at a time. This is reasonable, since they do not need many bridges at once. If this list becomes publicly available, then it will be possible to block Tor. Each Tor client has information about ten powerful nodes supported by trusted people. These nodes have a special role, they monitor the state of the network. The nodes are named – directory authorities. They are responsible for distributing a constantly updated list of all known Tor relays, they are the ones who choose the time and availability of the nodes. I think I was able to briefly convey to you the principle of the network.

How the framework works

The main purpose of TorKill is to break or hack the onion site. I recommend using this tool with onionscan. There are several easy options to deanonymize a website. The first is to put it down, then we will see its real IP in the address bar. The second is to find the unsecured SSH fingerprint and use Shodan or Censys. The tool can do it all, including creating a trap site.

In order not to overload our system, the tool sends requests to the site I control. Now let’s move on to installing additional components.

If you don’t have pip installed:

apt-get install python-pip

Next, install the required components:

python -m pip install paramiko
python -m pip install pysocks
python -m pip install colorama
python -m pip install BeautifulSoup

The Beautiful Soup library is an HTML / XML parser written in the Python programming language that can convert even incorrect markup into a parse tree. It supports simple and natural ways to navigate, search, and modify the parse tree.

Launch and see:

To launch a DoS attack, just enter:

python -u -t 100

If you want to use another method, such as creating a trap site, then enter the command:

python -u -a 10

Now I will make a small digression and talk about a program like Ngrok. With a single command in the terminal, the program makes your local server available to the entire Internet at a special HTTPS address:

ngrok http 80

And here is a screenshot of the program:

If we click on the generated link, we will see:

I advise everyone to familiarize themselves with this program.

Now let’s get back to TorKill. If we follow the link generated by our program, then the javascript code will be triggered, which collects information and sends a post request to the info.php file.

{"dev":[{"platform":"Win32","browser":"Chrome\/67.0.3396.99","cores":"4","ram":"Not Available","vendor":"Google Inc.","render":"ANGLE (Intel(R) HD Graphics 4000 Direct$ect3D9Ex vs_3_0 ps_3_0)","ip":null,"ht":"768","wd":"1366","os":"Win64"}]}

Most of the scripts for deanonymization are written in Javascript and inserted into vulnerable sites, or forced under some pretext to go to a specially created site for a trap. The seeker program had this code, in the future I plan to improve this code to collect information. For the code to work, it is enough for the victim to open the site for a few seconds. You can make the site layout yourself.

When the program starts, it detects the server and determines the ip of the output node. Having learned what the site is located on, you can attack it. If it is Apache, then we are looking for exploits for it or we attack Slowloris, if nginx, then we use Nginx DoS. The program also analyzes HTTP headers, searches for an entrance to the admin panel, searches for open directories, scans ports, collects links from the page and receives a fingerprint.

Another small digression about the vulnerability in nginx. This vulnerability allows you to put a site that works in the nginx + php bundle. The vulnerability allows all resources to be exhausted by temporary files that are created when working with multipart / form-data form data.

I know that many serious onion resources have DDoS protection, but it either did not work or did not help, I ran the script on a VPS with 5 GB. Even when I attacked from my computer, many Apache sites crashed.

Now let’s consider the PHP code of the program using the example of the Admin Finder function:

$host = $_GET['host'];
$requests = $_GET['req'];
$ip = gethostbyname($host);
echo '<ip>'.$ip.'</ip><br/>';
    $admin = array("admin","administrator","adm","login","loign.php","administrator.php","admins.php","logins","admincp","admincp.php","admin1.php", "admin1.html", "admin2.php", "admin2.html", "yonetim.php", "yonetim.html", "yonetici.php", "yonetici.html", "ccms/", "ccms/login.php", "ccms/index.php", "maintenance/", "webmaster/", "adm/", "configuration/", "configure/", "websvn/", "admin/", "admin/account.php", "admin/account.html". "admin/index.php", "admin/index.html", "admin/login.php","admin/login.html", "admin/home.php", "admin/controlpanel.html", "admin/controlpanel.php", "admin.php", "admin.html", "admin/cp.php", "admin/cp.html", "cp.php", "cp.html", "administrator/","administrator/index.html", "administrator/index.php", "administrator/login.html", "administrator/login.php", "administrator/account.html", "administrator/account.php", "administrator.php","administrator.html", "login.php", "login.html", "modelsearch/login.php", "moderator.php", "moderator.html", "moderator/login.php", "moderator/login.html","moderator/admin.php","moderator/admin.html", "moderator/", "account.php", "account.html", "controlpanel/", "controlpanel.php", "controlpanel.html", "admincontrol.php", "admincontrol.html", "adminpanel.php","adminpanel.html", "admin1.asp", "admin2.asp", "yonetim.asp", "yonetici.asp", "admin/account.asp", "admin/index.asp", "admin/login.asp", "admin/home.asp", "admin/controlpanel.asp", "admin.asp", "admin/cp.asp", "cp.asp", "administrator/index.asp","administrator/login.asp","administrator/account.asp","administrator.asp", "login.asp", "modelsearch/login.asp", "moderator.asp","moderator/login.asp", "moderator/admin.asp", "account.asp", "controlpanel.asp", "admincontrol.asp", "adminpanel.asp", "fileadmin/", "fileadmin.php", "fileadmin.asp", "fileadmin.html","administration/", "administration.php", "administration.html", "sysadmin.php", "sysadmin.html", "phpmyadmin/", "myadmin/", "sysadmin.asp", "sysadmin/", "ur-admin.asp", "ur-admin.php","ur-admin.html", "ur-admin/", "Server.php", "Server.html", "Server.asp", "Server/", "wp-admin/", "administr8.php", "administr8.html", "administr8/", "administr8.asp", "webadmin/", "webadmin.php","webadmin.asp", "webadmin.html", "administratie/", "admins/", "admins.php", "admins.asp", "admins.html", "administrivia/", "Database_Administration/", "WebAdmin/", "useradmin/", "sysadmins/","admin1/", "system-administration/", "administrators/", "pgadmin/", "directadmin/", "staradmin/", "ServerAdministrator/", "SysAdmin/", "administer/", "LiveUser_Admin/", "sys-admin/", "typo3/","panel/", "cpanel/", "cPanel/", "cpanel_file/", "platz_login/", "rcLogin/", "blogindex/", "formslogin/", "autologin/", "support_login/", "meta_login/", "manuallogin/", "simpleLogin/", "loginflat/","utility_login/", "showlogin/", "memlogin/", "members/", "login-redirect/", "sub-login/", "wp-login/", "login1/", "dir-login/", "login_db/", "xlogin/", "smblogin/", "customer_login/", "UserLogin/","login-us/", "acct_login/", "admin_area/", "bigadmin/", "project-admins/", "phppgadmin/", "pureadmin/", "sql-admin/", "radmind/", "openvpnadmin/", "wizmysqladmin/", "vadmind/", "ezsqliteadmin/","hpwebjetadmin/", "newsadmin/", "adminpro/", "Lotus_Domino_Admin/", "bbadmin/", "vmailadmin/", "Indy_admin/", "ccp14admin/", "irc-macadmin/","banneradmin/","sshadmin/","phpldapadmin/","macadmin/","administratoraccounts/", "admin4_account/","admin4_colon/","radmind-1/","SuperAdmin/","AdminTools/","cmsadmin/","SysAdmin2/","globes_admin/","cadmins/","phpSQLiteAdmin/", "navSiteAdmin/","server_admin_small/","logo_sysadmin/","server/","database_administration/","power_user/", "system_administration/", "ss_vms_admin_sm/");
    foreach ($admin as $shell){
        $headers = get_headers($host.$shell);
            echo "<admin><a href='$host$shell'>$host$shell</a> Founded!</admin>";

Simply Torkill sends 2 GET requests, 1 value of which is written to the $ host variable, and the second makes it clear which function we have chosen, at the moment – this is find, the request will look like this:

This is how it looks in python:

data = requests.get(host + '?find&host=' + target1, headers=headers, proxies=proxies).text

What do you think?

30 Points
Upvote Downvote
Red Hat Professional

Written by Admin

NewbieAvatar uploadFirst contentFirst commentPublishing content 3 times


Leave a Reply



Pentest GraphQL applications

Phishing attacks that bypass 2-factor authentication