While living at a halfway house, otherwise bored of being sober at the time, I decided I was going
to run a Tor exit node. The neat thing about Tor exit nodes is, if you are an operator, you control
any and all data that passes through your node, with the ability to packet sniff, or even inject
foreign code into the unencrypted data streams.
How I did it
Edit: I updated a lot of the code to how you would do it currently, as this writeup is a couple
years old and had been using older versions of software. Some things may have changed. I also
edited my configs to show comments on why some of the setup is needed the way it is.
Some of this would need to be tweaked to your specific use case scenario and server setup, but the
basic idea is to take data coming from the tor server connecting to HTTP port 80, and reroute that
traffic to a squid proxy that runs msfvenom on any exe attempted to be downloaded over the node,
tagging the Windows PE executable with your own hot-patched binary. Basically this means that the
useage of the exe will be the same for the user, but run your function code, say, on exit.
Edit: I ended up just creating my own executable, because by the time they run it, it’s too late
and because it’s faster, I feel like people would get a lil sus waiting on a tagged binary to be
generated. Also currently most msfvenom packed/obfunscated payloads are picked up by Windows
My exit node setup is a Debian 11 VPS in another country. Windows 10 was used as a test victim.
All software was updated to most recent versions with APT before setup.
Apache HTTPd 2.4.51
Perl 5.32.1 (exit node)
Strawberry Perl 5.32.1 (windows 10 par packer and test machine)
The perl code that does the actual patching (you may need to touch /var/log/patched_urls.log
logging to work):
Is called by a squid proxy with the following configuration:
Which is called to action when tor attempts to make a connection to a exe download page over HTTP.
This is accomplished through some iptables rerouting magic (take note of stuff leaving the tor
program’s uid 109 and rerouting it form dstip:80 to our squid proxy sitting on 127.0.0.1:3128:
Concerning Tor itself, it’s importnat to note that you reject all traffic other than port 80 or you’ll just run your bill up
forwarding traffic that you can’t patch. The torrc file below which tells tor how to start up:
For good measure, I’m going to include my apache2 server config below:
Now finally, the code that gets tagged as an executable:
This last bit of code uploads the users bitcoin wallet.dat to a FTP server of your choosing. Test it and get it working right
then you should pack it to an .exe with pp “PAR Packer” ex. pp btcup.pl -o f.exe. I would also modify the icon with a
resoruce editor. You also need to actually upload your par packed .exe to the exit node and put it in /var/www/html/ (or
where ever your webserver is serving, but if that is different, update frankenpatch.pl.
You’ll need to edit the [redacted] info.
You also need to create a user on the tor node you can upload to. For security make sure to chsh -s /bin/false newuser it.
Also this is the FTP server’s conf we’ll be uploading back to:
This is particularly nasty code and I do NOT recommend running any of this on your own ever.
Running this setup in your country may be illegal!
Be safe, my hacker friends, and I hope you enjoyed reading!